Approved for Public Release, Distribution Unlimited
DARPA’s Active Authentication
Moving Beyond Passwords
Program Overview Briefing
March 17, 2014
How many passwords do we really use?
3/26/2014 3 Approved for Public Release, Distribution Unlimited
DoD IT Asset Type | DARPA Reference System
NIPRnet Windows | DMSS
Laptop Encryption | Guardian Edge
DARPA VPN | Nortel
PDA | Blackberry/iPhone
SIPRnet Windows | DSN
JWICS Windows | DJN
Source Selection | TFIMs, I2O BAA Tool
Contract Management | GSA Advantage, SPS
Contract Invoicing | Wide Area Workflow
Payroll | MyPay
Benefits | Benefeds.com
HR | hr.dla.mil
Training | DAU
Collaboration | Defense Connect Online
Financial System, Local | Momentum
Financial System, Agency | DFAS
Credit Union | PFCU, NCU, etc.
Non-DoD IT Asset Type
Organization | Hacked on | Credentials lost
American Honda Motor Co. | 27-Dec-10 | 4.9m
Bank of America | 25-May-11 | 1.2m
Carnegie Mellon University | 8-Oct-07 | 19k
Citigroup | 27-Jul-10 | 30m
Clarkson University | 10-Sep-08 | 245
Countrywide Financial Corp. | 2-Aug-08 | 17m
Fidelity Investments | 24-Sep-07 | 8.7m
Heartland Payment Systems | 20-Jan-09 | 130m
IBM | 15-May-07 | 2k
Johns Hopkins Hospital | 22-Oct-10 | 152k
SAIC | 7-May-08 | 630k
Sony | 27-Apr-11 | 12m
Stanford University | 6-Jun-08 | 82k
TD Ameritrade Holding Corp. | 14-Sep-07 | 6.5m
Texas A&M University | 9-Nov-08 | 13k
TJMax Stores | 17-Jan-07 | 100m
U.S. Depart. of Veteran Affairs | 14-May-07 | 103m
U.S. Marine Corp – PSU research | 26-Jul-07 | 208k
Visa, MasterCard, and American Express | 27-Dec-10 | 4.9m
Source: www.privacyrights.org/data-breach
Patterns will always be hackable
[Figure: Defcon 2010 Contest on Password Hacking of 53,000 passwords]
Y axis: Number of passwords cracked by contest winner
X axis: Date/Time (2 hour increments over 48 hours)
Annotations on the chart:
• Updated the dictionary word to include locally relevant words (vegas, defcon) in guessing algorithm
• Add cracked passwords as dictionary words to guessing algorithm
• Start with normal dictionary attack against 6 character passwords
• Add special characters or numbers to beginning or end of dictionary words in guessing algorithm
Source: http://contest.korelogic.com/
Why will passwords always be a problem?
6tFcVbNh^TfCvBn
R%t6Y&u8I(o0P-[
#QWqEwReTrYtUyI
[Three figure panels, each labeled "*Keyboard"]
Source: Visualizing Keyboard Pattern Passwords, US AF Academy 11 Oct, 2009
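The three passwords above look complex but are walks across neighbouring keys. The following check is an added example, not part of the original briefing: it scores a candidate password by how many consecutive characters sit within two key widths of each other on a US QWERTY layout. The layout offsets, the two-key step and the 0.8 threshold are assumptions chosen for illustration.

```python
import math

# US QWERTY rows: (unshifted, shifted, horizontal stagger in key widths).
# The stagger values approximate a standard physical keyboard (assumption).
ROWS = [
    ("1234567890-=", "!@#$%^&*()_+", 0.0),
    ("qwertyuiop[]", "QWERTYUIOP{}", 0.5),
    ("asdfghjkl;'", 'ASDFGHJKL:"', 0.75),
    ("zxcvbnm,./", "ZXCVBNM<>?", 1.25),
]

# Map every character to the physical (x, y) position of its key, so that
# "6" and "^" (shift-6) resolve to the same key.
KEY_POS = {}
for y, (plain, shifted, offset) in enumerate(ROWS):
    for i, (a, b) in enumerate(zip(plain, shifted)):
        KEY_POS[a] = KEY_POS[b] = (i + offset, float(y))


def walk_fraction(password, max_step=2.0):
    """Fraction of consecutive characters whose keys lie within max_step key widths."""
    keys = [KEY_POS[c] for c in password if c in KEY_POS]
    if len(keys) < 2:
        return 0.0
    near = sum(
        1
        for (x1, y1), (x2, y2) in zip(keys, keys[1:])
        if math.hypot(x1 - x2, y1 - y2) <= max_step
    )
    return near / (len(keys) - 1)


def is_keyboard_walk(password, threshold=0.8):
    """Flag a password for rejection at enrollment if it is mostly a key walk."""
    return len(password) >= 6 and walk_fraction(password) >= threshold


# The three strings from the slide, plus one constructed non-pattern string.
SLIDE_PASSWORDS = ["6tFcVbNh^TfCvBn", "R%t6Y&u8I(o0P-[", "#QWqEwReTrYtUyI"]
CONSTRUCTED_RANDOM = "pA7!mZq0Lx3&Vd"
```

Character-class rules (upper, lower, digit, symbol) pass all three slide passwords; a geometric check like this one is what catches them.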
How do we move from proxies for you to the actual you?
The Active Authentication Program
A continuous authentication solution that takes the data available on a DoD computer system and makes an informed decision on the identity of the user of the computer
Computational linguistics (How you use language)
Structural semantic analysis (how you construct sentences); Forensic authorship
Keystroke pattern; Mouse movement
Fingerprint; Iris pattern; Vein pattern; Facial geometry; DNA; Eye movement
Non-cooperative behavioral biometrics allow the validation of identity simply by the user acting normally, not requiring interruption of the user
You
Traditional Range of Biometrics
Untapped Range of Behavioral Biometrics
The Active Authentication Program Plan
[Diagram labels: Research new modalities and validate on human subjects; Develop a Platform that can interconnect biometrics; Transition to CERDEC/I2WD]
• Phase 1 (started summer 2012):
  • Expand research in new biometric modalities (contracts June 2012-June 2013)
  • Focus on new types of biometric modalities that do not require additional sensors
• Phase 2 (Kick-off Sept 2013):
  • Expand research in new biometric modalities for mobile devices
Images © Microsoft ClipArt
Phase 1 Performers Research Focus
Performer | Research Area | Functional Area
Allure Security Technology, Inc | User Search behavior characteristics verified by decoys placed on the file system to detect masqueraders | How you look for information
Behaviosec | Keystroke and mouse dynamics in context of applications | How you type in the context of applications you use
Coveros | User behavior patterns as seen from the operating system | How you interact with programs on your computer
Drexel University | Stylometry augmented by author classification and verification | How you construct thoughts in writing, as well as personal attributes of the writer
Iowa State | Stylometry focused on thought processing time | The time you take to think while typing
Naval Post Graduate School | Behavioral manifestations of human thought processes | How you make decisions
New York Institute of Technology | Stylometry focused on how a user types without regard to the actual words | How you compose writing
Naval Research Labs | Identification of users through Web browsing behavior | Where you surf on the web (and when)
SWRI | Use covert games disguised as computer anomalies | How you deal with computer interruptions
University of Maryland | Information processing from computer screens | How you visually process information
What are we working on in the Active Authentication Program?
User Search Patterns – Allure Security Technology, Inc.
Using the user’s patterns of application use and searching for information on the computer, verified by decoys placed on the file system to detect masqueraders.
Stylometry focused on Cognitive Processing Time – Iowa State University
Using stylometric methods to validate the user based on natural pauses in the way they type.
Stylometry focused on keystroke dynamics, cogni-linguistic features, and demographic classification – Louisiana Tech University
Develop a collection of keystroke-based algorithms that analyze free-text input to capture unique aspects of how a user types, how the user composes text and uses language, and the demographic classifications to which the user belongs.
Solutions using desktops
Phase 2 Performers Research Focus, page 1 of 2
(D) = Desktop solution (M) = mobile solution * = expansion on Phase 1 research
Performer | Research Area | Functional Area
Allure Security Technology, Inc* | User Search behavior characteristics verified by decoys placed on the file system to detect masqueraders (D) incorporating additional modalities (e.g. voice, image) (M) | How you look for information
AMI Research | Fast Pattern Recognition Applied to Kinematic Gestures and Finger Images authentication (M) | Fingerprint identification from swipes
BAE Systems | Mobile perpetual authentication (M) | How your phone moves when you move
BehavioSec* | Type and swipe authentication (M) | How you type/swipe in the context of applications you use
Drexel University* | Stylometry integrated with eye tracking (M) | How you construct thoughts (and where you focus)
Iowa State University* | Stylometry focused on Cognitive Processing Time (D) (M) | The time you take to think while typing/swiping
JPL | Detection of Heartbeat through wave changes in signals emitted from your mobile device (M) | Your heartbeat
Kryptowire | Power, touch, and movement authentication (M) | How the device changes during usage
Li Creative Tech | Human voice authentication using text dependent verification for point authentication and text independent verification for continuous authentication (M) | How you talk (static and continuous)
Phase 2 Performers Research Focus, page 2 of 2
(D) = Desktop solution (M) = mobile solution * = expansion on Phase 1 research
Performer | Research Area | Functional Area
Louisiana Tech University* | Stylometry focused on keystroke dynamics, cogni-linguistic features, and demographic classification (D); Context aware kinetic authentication (M) | How you construct thoughts (and personal attributes)
SWRI* | Use covert games disguised as computer anomalies (M) | How you deal with computer interruptions
SRI International | Joint Physiological and Behavioral authentication mechanism extracting fine-grained anthropometric & behavioral signatures from the motion induced on the mobile (M) | How your phone moves when it is in use
University of Maryland* | “Visual fingerprint” through visual images of the operator acquired through the front camera, the back camera, and the screen recorder respectively. (M) | Passive facial recognition
New York Institute of Technology* | Spatial-temporal hand micro-movements and oscillations (hand movement, device orientation, and grasping patterns) during two modes of user interaction with the touch screen: (1) touch-burst and (2) cognitive-pause. (M) | The movements that occur when you are writing/swiping
SRI International | Continuous authentication through natural speech and language activity performed by the user (spoken and written inputs) on mobile devices (M) | How your thought processes show up in your language use
www.darpa.mil
Mr. Richard Guidorizzi, Program Manager, DARPA, I2O
Debbie Waung, Director, Novetta Solutions
Active Authentication Performer Overview and Status
Allure Security Technology and Accenture Federal Systems
Team Members
• Principal Investigator: Salvatore J Stolfo, Allure Security, New York, NY
• Malek Ben Salem (Co-PI), Accenture, Arlington, VA
• Jonathan Voris (Co-PI), Allure Security, New York, NY
• Yingbo Song (Researcher), Allure Security, New York, NY
• Shlomo Hershkop (Researcher), Allure Security, New York, NY
PERFORMER OVERVIEW AND STATUS
User search behavior characteristics: how a user searches their own files and directories for information they seek. Decoy files are used to detect adversarial information gathering activities.
User app behavior characteristics: how a user runs their apps. Decoy apps are used to detect masqueraders and to gather attacker information.
Key Objectives
• Establish statistics-based biometrics for User search and app behavior modeling
  • Capture host OS event features on desktop related to: file, window, process, network manipulation. Capture app events on mobile.
  • Develop a learning statistical model that evolves over time and tracks change in User behavior.
  • Quantify the characteristics of unique User behavior as a measurement of these features and design new statistical models that encapsulate these measurements.
  • Develop mitigation strategies in response to a failed re-authentication.
• Decoy document and decoy app implants for intrusion trip-wiring, data leakage tracking, and information gathering about attacker:
  • Automatically generated decoy docs, and decoy Android app
  • Automatically implanted in Volunteer Human Subject’s file system or mobile home screen
  • Decoys are believable, enticing, non-interfering, stealthy
  • Abnormal Volunteer Human Subject behavior and unusual decoy app touches indicate a masquerader with very high accuracy
Status
Host sensor for desktop Windows and MacOS operational and under incremental development of new features
Decoy app development underway with prototype to explore alternative implementation strategies
© Allure Security in association with Accenture
USER SEARCH & App BEHAVIOR BIOMETRIC FOR ACTIVE AUTHENTICATION
Phase 2 Effort – expansion of Phase 1
Active Authentication Performer Overview and Status
Iowa State University
Team Members
• Principal Investigator: Morris Chang, Iowa State University
• Sun-Yuan Kung, Princeton University
PERFORMER OVERVIEW AND STATUS
Evaluate the effectiveness of mouse dynamics.
Gestures and virtual keyboards as biometrics, accounting for swiping, multi-touch zooming, tapping, scrolling, and cognitive processing time.
Key Objectives
• Mouse dynamics (TA1a)
  • We study mouse dynamics including the pause-to-click time (the pause time between pointing to an object and actually clicking on it), which has to do with the thought processing time of a decision
• Gestures (TA1b)
  • We study touch gestures including the timing between the end of each scrolling (swiping or multitouch zooming) and the beginning of the next action (e.g. tapping or another scrolling)
• Virtual Keyboards (TA1b)
  • Combine current keystroke dynamics with new features (such as pressure, area and exact coordinate from touch screen)
• Large scale experiments
  • We plan to develop mobile Apps for iOS and Android platforms as a testbed to sample gestures and virtual keyboard activities of individuals in large-scale testing of 1000 participants at Iowa State University.
• Final integration of biometric modalities
  • We plan to exploit the attributes of biometric modalities and couple them with customized fusion methods to improve the effectiveness of the final integration of biometric modalities
Status
Developing the system which can collect data from different platforms with 1000 users simultaneously
Designing the experiments that can capture biometrics from users
Capturing Cognitive Fingerprints for Active Authentication
Active Authentication Performer Overview and Status
Louisiana Tech University
Team Members
• Principal Investigator: Vir V. Phoha, Louisiana Tech University
• Mike O’Neal (Co-PI), Louisiana Tech University
• Kiran S. Balagani (Co-PI), New York Institute of Technology
• Andrew Rosenberg (Co-PI), City University of New York
• Craig Spohn (Co-PI), Cyber Innovation Center
• Md Enamul Karim (Researcher), Louisiana Tech University
• Aaron Elliot (Researcher), Cyber Innovation Center
• Abdul Serwadda (Researcher), Louisiana Tech University
PERFORMER OVERVIEW AND STATUS
Atomic keystroke latencies enhanced with word context, Cogni-linguistic features, Demographic features;
Typing behavior, Swiping behavior, Body movements
Key Objectives
• (Desktop) Develop a collection of effective keyboard-based biometric algorithms that analyze free text input in a variety of ways in order to capture
  • the unique mechanics of how a user types (atomic keystroke dynamics) and how they vary within a “word” context,
  • the unique aspects of how the user composes text and uses language (cogni-linguistic features), and
  • the demographic classifications (such as handedness, number of fingers used, sex, native language) to which the user belongs.
• (Mobile) Define and extract features for typing behavior, swiping behavior, body movements.
• Build user profiles based on the best features, and design a fusion based framework that integrates different modalities in a context-aware fashion.
• Analyze algorithmic forgeries for robotic attacks (mobile only), non-zero effort attacks and zero effort attacks and design counter-measures.
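To make the first desktop objective concrete, the sketch below (an added example, not Louisiana Tech's algorithm or code from the briefing) extracts key-to-key latencies tagged with the word they occur in, builds a per-user profile, and scores a new typing session against it. The event tuple format, the mean absolute z-score, the 5 ms deviation floor and all timing values are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev


def latency_features(events):
    """events: list of (key, down_ms, up_ms) in typing order (assumed format).
    Yields ((word, k1, k2), flight_ms) so that "t-h" typed inside "the" is
    profiled separately from "t-h" typed inside another word."""
    word, start = [], 0
    for i, (key, _, _) in enumerate(events + [(" ", 0, 0)]):  # sentinel ends last word
        if key != " ":
            word.append(key)
            continue
        text = "".join(word)
        for a, b in zip(events[start:i], events[start + 1:i]):
            yield (text, a[0], b[0]), b[1] - a[2]  # next key-down minus key-up
        word, start = [], i + 1


def enroll(sessions, min_sd=5.0):
    """Build {feature: (mean, stddev)} from enrollment sessions."""
    samples = defaultdict(list)
    for session in sessions:
        for feature, ms in latency_features(session):
            samples[feature].append(ms)
    return {f: (mean(v), max(pstdev(v), min_sd))
            for f, v in samples.items() if len(v) >= 2}


def anomaly_score(profile, session):
    """Mean absolute z-score over features seen at enrollment; None if no overlap."""
    z = [abs(ms - profile[f][0]) / profile[f][1]
         for f, ms in latency_features(session) if f in profile]
    return mean(z) if z else None


def type_text(text, dwell, flight):
    """Constructed key events: fixed dwell (hold) and flight (gap) in ms."""
    t, out = 0, []
    for ch in text:
        out.append((ch, t, t + dwell))
        t += dwell + flight
    return out


# Constructed data: three enrollment sessions, then a genuine and an impostor probe.
ENROLLED = enroll([type_text("the data", 70, f) for f in (80, 90, 100)])
GENUINE = anomaly_score(ENROLLED, type_text("the data", 70, 92))
IMPOSTOR = anomaly_score(ENROLLED, type_text("the data", 70, 150))
```

A `None` score means the session shared no word-context features with the profile, which a continuous-authentication loop has to treat as "no decision" rather than as a pass.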
Status
The following are in place:
• (Desktop) Host sensors from Phase 1 (need adaptation to new requirements); atomic, cogni-linguistic, demographic feature extractors from Phase 1 (need enhancements and refinements); datasets used in Phase 1; some atomic keystroke latency based authentication algorithms
• (Mobile) Sensors; performance evaluation of initial set of swiping features using an existing dataset; results from initial robotic experiments based on the Lego system (need refinements)
ACTIVE AUTHENTICATION USING KEYSTROKES, TOUCH GESTURES AND BODY MOVEMENTS
[Diagram labels: Desktop; Mobile; Atomic Keystroke Features (Enhanced); Cogni-linguistic; Demographic; Higher Level Keystroke Features; Sensor Readings: Typing (T), Swiping (S), Accelerometer (A); S + A, T + A, S + A, A, A; Behavior Modeling and Fusion; Authentication, Feedback for Template Update]
© Louisiana Tech University