
Your Data in Your Hands: Privacy-preserving User Behavior Models for Context Computation

Rahul Murmuria, Angelos Stavrou

Kryptowire, Fairfax, Virginia 22030, USA

{rahul, angelos}@kryptowire.com

Daniel Barbara

George Mason University, Fairfax, Virginia 22030, USA

[email protected]

Vincent Sritapan

Department of Homeland Security, Washington, D.C., USA

[email protected]

Abstract—Modern smartphone applications rely on contextual information while providing the users with relevant and timely content and services. One way of generating such contextual information is by employing learning systems to model user behavior. Motion-based sensors, such as the accelerometer or gyroscope, have been previously employed for recognizing pre-defined high-level physical activities such as climbing stairs, jogging, or driving. In practice, human activities are highly diverse and unsupervised methods must be used to expose complex behavioral characteristics that are user-centric. This paper proposes a novel machine learning model for user authentication and trust that is continuously assessing the user activities in an effort to expose deviations from known training data. The goal is to export this trust score as a contextual input to mobile apps for detection of unauthorized access, fraudulent transactions, the progress of a disease, or other behavioral changes such as stage fright, intoxicated behavior, or mood changes. All collected data and generated models of the user remain on the smartphone, and only the score needs to be revealed to the apps. As a result, the user controls the data without the need to share with any remote entity. The paper presents preliminary performance results of this technique.

I. INTRODUCTION

Mobile applications are revolutionizing the way users perform everyday activities by providing them with content predicted to be relevant to the user at any given time. In order to compute this contextual content, many mobile applications are collecting personally identifiable information (PII) and transmitting it to external processing centers for further analysis. These processing centers could take many forms depending on the application requirements and can range from application developers, mobile network operators, advertisers, to enterprise device management systems. Of course, the unfettered collection and sharing of PII has given rise to user concerns about privacy implications. A Pew Research Center study [1], which surveyed 461 people and conducted focus groups with 80 people, concluded that users share personal information in exchange for tangible benefits, but are unhappy about what happens to that information once third parties have it in their possession.

Contextual information is valuable: mobile applications have leveraged physical and biometric device sensors to offer situational awareness and trigger context-aware content. For example, banking applications often track geolocation to assess transactions and decide if they are fraudulent. Indeed, a Wall Street Journal article recently reported that Visa Inc. and Mastercard Inc. offer services to banking applications that use smartphone location-tracking as one of the inputs to their predictive fraud analytics [2]. Similarly, in medicine, the progress of a disease can be tracked using a smartphone and relevant services can be provided to the user in real-time. Mehta et al. [3] reported the development of a tool that acquires the high-bandwidth signal from motion sensors to detect the progress of voice disorders in patients. Geolocation tracking and speech recordings are examples of highly personalized information which are shared with remote entities in order to compute context, even though in most applications of this type, the goal is only to recognize if the user is behaving uncharacteristically.

Thus far, the accelerometer and gyroscope sensors are the most commonly used device sensors for activity recognition. Successful implementations have so far focused on modeling and recognizing simple human activities such as sitting, standing, jogging, and climbing stairs [4]. The devices are usually placed firmly in a fixed position in the pockets or on the body of the users who are asked to perform the same tasks repeatedly. Once training data is obtained, clearly labeled with the activities they correspond to, the models are generated for each of the activities and used for activity recognition. In practice, the issue with this setup is that if the environment changes, new behavior models will need to be generated. These environmental changes can be as simple as changing the way the smartphones are mounted. Primo et al. [5] presented a context-aware authentication scheme where the position of the smartphone is taken into consideration. However, real-world environments are far more diverse and people perform a wide range of complex activities while seamlessly integrating the smartphone. Controlling either the environment or the activities performed by the users can affect their behavior in non-trivial ways. As a result, these methods are not scalable.

In contrast, Murmuria et al. [6] suggested an unsupervised model for solving continuous authentication, using an algorithm called Strangeness-based Outlier Detection (StrOUD). We have extended this work by using a local density based algorithm called Local Outlier Factor (LOF) [7] which is an outlier detection method to measure the strangeness of an activity. In comparison to StrOUD, LOF enabled us to produce more stable results. Models prepared using unsupervised methods do not rely on pre-labeled data. There is no previous knowledge about how many different activities can be discovered in the user’s dataset. Therefore, by using unsupervised learning, our approach can discover additional and more complex activities without limiting the user’s behavior in any way. Moreover, these activity models are general enough to persist across many environmental changes. In order to discover these activities, only data from the modeled user is required. As a result, this is an outlier detection problem and not a classification problem (see Section IV-A).

First IEEE International Workshop on Behavioral Implications of Contextual Analytics (PerCom Workshops) 2017

978-1-5090-4338-5/17/$31.00 ©2017 IEEE

Our analysis presents techniques for data collection, preprocessing, feature extraction, and outlier detection, all directed towards modeling user behavior. These techniques are privacy-preserving because all of the computations are performed locally on the device without the need to rely on external processing centers. As a consequence, the data do not need to be shared with any third parties. The users remain in control of their own data. Our continuous authentication model is implemented on the device and computes a contextual trust score that represents the probability that the users are performing everyday activities the same way as they did at the time of training the models. This trust score can then be shared with third party applications to drive decisions, such as blocking transactions when the score is low or reporting unusual changes in a medical disorder to the doctor concerned.

The rest of this paper is organized as follows: Section II is a description of the privacy-preserving implementation. Section III and Section IV detail the performance evaluation and feasibility of the modeling technique, respectively. Section V is a brief literature review. Section VI and Section VII suggest further research directions and conclude the paper.

II. IMPLEMENTATION AND MODELING

In this section, we describe our mathematical model and software implementation. This description includes the design of our on-device context generation tool which collects the motion sensor data, models user behavior, and generates trust scores in real-time. Figure 1 gives an overview of the structure of the application. A proof-of-concept was implemented as an Android application (named KAuth) and has been tested on Android KitKat, Lollipop, and Marshmallow. Privacy is preserved as a consequence of the choices made at each step of the implementation, details of which have been discussed where applicable in the subsections below.

A. Data Collection

The gyroscope and accelerometer sensor readings were recorded using the Sensor Event API, which is part of the standard Android SDK. During a single sensor event the accelerometer and gyroscope return, for the three coordinate axes of the device, acceleration force data in m/s² and rate of rotation data in rad/s, respectively. The acceleration measurements include all forces applied to the device, including the force of gravity. As a result, orientation of the device is inherently part of the accelerometer measurements obtained from the three coordinate axes.

Fig. 1. Structure of the Context Generation Application (KAuth)

The readings were collected with the fastest available sampling period of around 5 milliseconds on Nexus 5 (Model: LG-D820) and around 3 to 10 milliseconds on Samsung S6 (Model: SM-G920I). These readings were saved as a CSV file on the smartphone for later analysis. In addition, the segmentation, feature extraction, and online model generation algorithms were running in parallel, such that the collected data were transformed and stored in-memory in its cleaned, reduced, and processed form.

B. Segmentation

In addition to the sensor readings, the KAuth application records the timestamp and package name of the top application being used by the user. This information is retrieved from the Activity Manager API and the system permission, GET REAL TASKS, is needed to perform this task.

Users perform different activities on different applications. When a user is playing a game, the digital footprint that the user leaves behind is significantly different from when the user is sending text messages. Murmuria et al. [6] proved that mixing data from different applications can adversely impact the overall performance of a behavior modeling system.

The activity logger in the KAuth application inserted place-markers in the data whenever the user switched from one application to another. As part of pre-processing the data, only those events were extracted that were generated while using the application for which the user profiles are being created. As a result, multiple datasets were collected on the smartphone, one set for every application used.


C. Feature Extraction

The accelerometer and gyroscope produce readings in the form of a multi-dimensional time-series. Let X, Y, and Z represent the readings from a sensor in x, y, and z axes, respectively. Then $R = \sqrt{X^2 + Y^2 + Z^2}$ represents the magnitude resultant of the acceleration or the angular speed, respectively. The recorded events were divided into small windows of 1.6 seconds each, where we can measure properties related to the group of events. The window size was chosen because FFT computations require the number of events in the input to be a power of 2 (see Section II-C2). For the purposes of this analysis, the data associated within each window frame can be referred to as one movement gesture. Each of these movement gestures loosely represents the smallest constituent unit of any complex activity performed by the user. Statistical time-domain and frequency-domain features were extracted to represent each gesture as a multi-dimensional dataset. The features discussed below were selected from a larger set by performing an offline analysis on a previously recorded dataset of 110 users using the smartphone for routine tasks spanning a week (see Section III).

1) Time-domain Features: The time-domain features include the mean, standard deviation, skewness, and kurtosis of each small window of time. The mean represents the average magnitude of the user’s movements, the standard deviation shows the scatter of the data, or in other words, the intensity of the user’s activities. Skewness measures the asymmetry and kurtosis explains whether the source of the variance is infrequent extreme movements or frequent modestly sized movements. The three axes and the resultant together form 4 independent time-series and these statistics are computed for each series separately, thereby resulting in 16 time-series features for each hardware sensor.

During feature selection, which was performed offline (see Section III), it was discovered that the mean values of all the axes were poor features for accelerometer sensor whereas they were strong features for the gyroscope sensor. Finally, 12 features were selected for accelerometer, including the standard deviation, skewness, and kurtosis, whereas, 8 features were selected for gyroscope, limited to mean and standard deviation of each of the dimensions.

2) Frequency-domain Features: Kavanagh et al. [8] suggested that the Nyquist frequency for physical accelerometry signal is typically around 10 Hz. For this study, the multi-dimensional data segments from both sensors were aggregated into 32 readings at 20 Hz frequency (twice the Nyquist frequency). This is achieved by low-pass filtering the time-series to a cut-off frequency of 20 Hz (sampling rate of 50 milliseconds). Events recorded at 50 milliseconds in windows of size 1.6 seconds lead to 32 readings for every movement gesture. Consequently, applying Fast Fourier Transform (FFT) on this data produces 32 coefficients. Since the resulting power spectrum is two-sided and one-half mirrors the other, we take the first 16 coefficients as features after leaving the direct component (the first component or direct component of FFT is the same as the statistical mean, which has already been recorded in the time-domain features). After feature selection, the first 4 coefficients in the power spectrum were selected as the best set of features for both accelerometer and gyroscope.
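The feature pipeline of Sections II-C1 and II-C2, as an added Python example that is not the KAuth code. Averaging raw samples into 50 ms bins stands in for the paper's low-pass filter, and taking the four power-spectrum coefficients from every axis and the resultant is an assumption; the sample window is constructed.

```python
import cmath
import math

BIN_MS = 50   # 20 Hz aggregation period used in the paper
WINDOW = 32   # readings per movement gesture (32 x 50 ms = 1.6 s)


def aggregate(timestamps_ms, values):
    """Average irregularly spaced raw samples into WINDOW bins of BIN_MS.

    Bin averaging is an assumed stand-in for the paper's low-pass filter.
    A bin with no samples repeats the previous bin's value.
    """
    sums, counts = [0.0] * WINDOW, [0] * WINDOW
    t0 = timestamps_ms[0]
    for t, v in zip(timestamps_ms, values):
        i = int((t - t0) // BIN_MS)
        if 0 <= i < WINDOW:
            sums[i] += v
            counts[i] += 1
    out, last = [], values[0]
    for s, c in zip(sums, counts):
        last = s / c if c else last
        out.append(last)
    return out


def time_features(series):
    """Mean, standard deviation, skewness and (non-excess) kurtosis."""
    n = len(series)
    mean = sum(series) / n
    m2 = sum((v - mean) ** 2 for v in series) / n
    if m2 < 1e-12:  # constant window: no scatter, shape statistics set to 0
        return mean, 0.0, 0.0, 0.0
    m3 = sum((v - mean) ** 3 for v in series) / n
    m4 = sum((v - mean) ** 4 for v in series) / n
    return mean, math.sqrt(m2), m3 / m2 ** 1.5, m4 / m2 ** 2


def power_spectrum(series):
    """Power of every DFT coefficient (a direct DFT; an FFT gives the same values)."""
    n = len(series)
    return [abs(sum(v * cmath.exp(-2j * math.pi * k * t / n)
                    for t, v in enumerate(series))) ** 2 / n
            for k in range(n)]


def gesture_features(timestamps_ms, x, y, z, sensor):
    """Feature vector for one movement gesture of one sensor."""
    ax, ay, az = (aggregate(timestamps_ms, s) for s in (x, y, z))
    series = {"x": ax, "y": ay, "z": az,
              "r": [math.sqrt(a * a + b * b + c * c) for a, b, c in zip(ax, ay, az)]}
    feats = {}
    for name, s in series.items():
        mean, std, skew, kurt = time_features(s)
        if sensor == "accelerometer":      # 4 series x 3 statistics = 12
            chosen = {"std": std, "skew": skew, "kurt": kurt}
        elif sensor == "gyroscope":        # 4 series x 2 statistics = 8
            chosen = {"mean": mean, "std": std}
        else:
            raise ValueError("sensor must be 'accelerometer' or 'gyroscope'")
        for stat, value in chosen.items():
            feats[f"{name}_{stat}"] = value
        # Skip coefficient 0 (the direct component) and keep the next four.
        # Doing this for every series is an assumption of this example.
        spectrum = power_spectrum(s)
        for k in range(1, 5):
            feats[f"{name}_fft{k}"] = spectrum[k]
    return feats


def sample_window():
    """Constructed input: 320 samples at 5 ms, 2.5 Hz sway on x, gravity on z."""
    ts = list(range(0, 1600, 5))
    x = [math.sin(2 * math.pi * 2.5 * t / 1000.0) for t in ts]
    y = [0.0] * len(ts)
    z = [9.81] * len(ts)
    return ts, x, y, z


if __name__ == "__main__":
    feats = gesture_features(*sample_window(), sensor="accelerometer")
    for name in sorted(feats):
        print(f"{name:8s} {feats[name]:.4f}")
```

With 32 readings at 20 Hz each coefficient spans 0.625 Hz, so the constructed 2.5 Hz motion lands in coefficient 4 of the x series.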

D. Outlier Detection

The task of user behavior validation is equivalent to determining whether the stream of movement gestures from either the accelerometer or gyroscope follows the same distribution as those previously obtained from the same user of the device. The KAuth application works in two phases, a training phase to generate the behavior models, and an authentication phase where new movement gestures are evaluated and the overall trust score is revised.

The movement gestures dataset is one with an unbounded number of classes. There are no pre-defined and labeled movement gestures such as jogging or driving. In this type of a dataset, each complex activity performed by the user is loosely represented by a cluster in the dataset. These clusters vary in densities, which stems from the nature of the gestures. Breunig et al. [7] first presented this notion that being an outlier is not a binary property and described a density-based outlier detection technique called Local Outlier Factor (LOF). We leveraged this algorithm to detect outliers in our study. The outlier factor returned by this algorithm captures the degree to which a given movement gesture can be called an outlier. It is the average of the ratio of the local density of the movement gesture and those of this gesture’s k-nearest neighbors in the Euclidean space. The outlier factor is higher when a movement gesture’s neighborhood of k-neighbors is more densely packed than the gesture itself. Consequently, when the outlier factor is close to 1, the gesture is not an outlier, and when the factor is much higher than a pre-selected threshold, then the gesture can be deemed as an outlier. For all the gestures in the middle which have outlier factors close to the threshold, a decision need not be made whether it is an outlier or not, but rather, a cost or penalty can be assigned, that depends on the degree of outlier-ness. This threshold has been selected experimentally from among a set of handpicked candidates in the same way as was suggested by Breunig et al. [7].

In the KAuth implementation, during training, once a preset number of movement gestures are recorded for a given application (750 gestures in our proof-of-concept implementation which takes 20 minutes to record), every gesture’s local density is computed. A portion of these gestures will have outlier factor higher than the pre-selected threshold, and the size of this portion can be configured depending on the value of the threshold selected. For generating the model, we need to retain the density computations of every gesture in the training set along with the training dataset itself. The LOF algorithm does not employ any rule learned by generalizing from the training dataset. It looks for local outliers, and therefore fits well with our motion sensor data where there is no well-defined set of classes each representing user activities.


During the authentication phase, new gestures are evaluated against the training dataset and k-nearest neighbors are calculated. The LOF algorithm assigns an outlier factor to the new gesture which depends on the relative densities in the neighborhood. The null hypothesis here is that the new gesture fits into the distribution of gestures in the training set. If the outlier factor is significantly above the threshold, the alternative hypothesis is accepted that the gesture is an outlier. In the KAuth implementation, all outlier factors above the threshold but lower than twice the threshold are assigned a proportional real-valued penalty less than the penalty assigned for a full outlier.

E. Continuous Scoring

Penalties and rewards are assigned to each gesture depending upon their outlier factor. If the factor is below the threshold, a reward is assigned and if the factor is above the threshold, a penalty is assigned (see Section II-D). These rewards and penalties are then aggregated to compute a ‘trust score’ out of 100, which is revised by adding or subtracting the reward or penalty for every new movement gesture performed by the user. This trust score is an assessment of the user’s deviations from known behavior. In KAuth, the parameters were limited to a maximum reward of 3 points and a maximum penalty of 5 points. Murmuria et al. [9] published more details about this technique of computing the trust score from the stream of outlier factors.
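The scoring loop of Sections II-D and II-E, as an added Python example that is not the KAuth code: LOF over stored training densities, then a reward or penalty per gesture. The threshold of 1.5, k = 5, the flat reward, the starting score and the two-dimensional sample gestures are assumptions; the brute-force neighbour search stands in for the KD-tree mentioned in Section IV-B.

```python
import math

MAX_REWARD, MAX_PENALTY = 3.0, 5.0   # limits stated for KAuth


def knn(point, data, k, skip=None):
    """Brute-force k nearest neighbours as sorted (distance, index) pairs."""
    pairs = sorted((math.dist(point, q), i) for i, q in enumerate(data) if i != skip)
    return pairs[:k]


class LofModel:
    """Training gestures with their stored k-distances and local densities."""

    def __init__(self, train, k):
        self.train, self.k = list(train), k
        nbrs = [knn(p, self.train, k, skip=i) for i, p in enumerate(self.train)]
        self.kdist = [n[-1][0] for n in nbrs]
        self.lrd = [self._density(n) for n in nbrs]

    def _density(self, nbrs):
        # Local reachability density: inverse of the mean reachability distance.
        reach = sum(max(self.kdist[j], d) for d, j in nbrs)
        return len(nbrs) / reach if reach > 0 else math.inf

    def outlier_factor(self, gesture):
        """Mean ratio of the neighbours' densities to the new gesture's density."""
        nbrs = knn(gesture, self.train, self.k)
        own = self._density(nbrs)
        if math.isinf(own):   # gesture coincides with duplicated training points
            return 1.0
        return sum(self.lrd[j] for _, j in nbrs) / (len(nbrs) * own)


def score_delta(factor, threshold):
    """Reward or penalty for one gesture."""
    if factor <= threshold:
        return MAX_REWARD                  # assumption: flat maximum reward
    if factor < 2 * threshold:             # proportional partial penalty
        return -MAX_PENALTY * (factor - threshold) / threshold
    return -MAX_PENALTY                    # full outlier


def run_stream(model, gestures, threshold, start=100.0):
    """Trust score after each gesture, kept within 0..100."""
    score, history = start, []
    for g in gestures:
        score += score_delta(model.outlier_factor(g), threshold)
        score = min(100.0, max(0.0, score))
        history.append(score)
    return history


def sample_training_set():
    """Constructed gestures: one dense and one sparse cluster of 25 points each."""
    dense = [(0.1 * i, 0.1 * j) for i in range(5) for j in range(5)]
    sparse = [(10.0 + i, 10.0 + j) for i in range(5) for j in range(5)]
    return dense + sparse


if __name__ == "__main__":
    model = LofModel(sample_training_set(), k=5)
    for label, g in [("inside dense cluster", (0.15, 0.15)),
                     ("inside sparse cluster", (12.5, 11.5)),
                     ("just outside dense cluster", (0.7, 0.2)),
                     ("far from both clusters", (5.0, 5.0))]:
        f = model.outlier_factor(g)
        print(f"{label:28s} LOF={f:6.2f} delta={score_delta(f, 1.5):+.2f}")
    print(run_stream(model, [(5.0, 5.0)] * 3, 1.5))
```

The gesture just outside the dense cluster is penalised although it sits closer to its neighbours than the gesture inside the sparse cluster does, which is the local-density behaviour the section relies on.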

III. PERFORMANCE EVALUATION

The user behavior model discussed in this paper was evaluated offline by collecting data from 110 users and performing a series of one-versus-all tests. The goal was to find features and parameters that improve the clustering of the baseline user’s data and create greater separation between the baseline user and all other test users.

A. Volunteer Data Collection

Motion sensor data was collected from 110 volunteers that were compensated to participate in our study for a period of one week using the provided phone, Google Nexus 5 (Model: LG-D820), as their primary device. The users’ SIM cards were switched from their device to the device we provided them on the day of the sign-up in order to ensure that this device was used as their primary mode of communication for the entire week. The users were instructed to install all their favorite applications and use the device as they would use their primary device. Each user was assigned a pseudonym with the convention Sxxx, where the xxx is a number between 001 and 110. The real names of the users were not retained. We also did not record any user-generated content outside of the sensory data. All volunteer participants were University students, and we did not discriminate who volunteered, beyond requiring them to have an active GSM-based mobile operator whose SIM card could be easily switched into our device.

We used the same device model for all users in order to achieve uniformity in the measurements and avoid introducing any device-specific markers into the collected dataset. We recorded data from all the sensors concerned into files. These files were stored in the external storage directory of each smartphone. Upon completion of a user’s session, we extracted that data out from the smartphone into our data store where we performed offline analysis of the data. Our research required behavioral data of human subjects and necessary approvals were acquired from the Institutional Review Board (IRB).

Fig. 2. Application Usage Per User

Figure 2 confirms that the mobile device usage is not uniform across all users and all mobile applications. In the figure, it is observed that 106 users generated actual data, and 4 users did not use the allotted device throughout the week. Further, all 106 users have the Launcher (Google Search Box and Homescreen) application in common, as that is the first application visible when the smartphone is unlocked. Dialer, Chrome, Facebook, and YouTube were used by 106, 105, 99, and 89 users, respectively. In terms of the time that the users spent in any application, WhatsApp topped the list among applications used by at least 15 people, with 57 users spending an average of 290 minutes through the week, followed by Viber with 19 users using the application for an average of 143 minutes. Facebook was used for an average of 121 minutes.

B. Analysis

Section II-B described the preprocessing steps, Section II-C described the features that were formulated, and the outlier detection algorithm utilized in this research has been described in Section II-D. For mobile applications in which the users spent over 40 minutes in total, baseline models were created using 20 minutes of training data. As per the feature construction technique described in Section II-C, 20 minutes corresponds to 750 movement gestures. The baselines were generated using the LOF algorithm and tested using all users who had 20 minutes of data for the corresponding application. All baselines contain data only from the modeled user, which is the positive class. The tested movement gestures were assigned reward or penalty according to the algorithm discussed in Section II-E. The output was a series of 0 to 100 trust scores, for every pair of baseline and test user.

Fig. 3. Time-domain Features on Gyroscope Sensor Data

Since the output is not binary, standard metrics such as Equal Error Rate (EER) and/or the Receiver Operating Characteristic (ROC) fail to capture the practical implications of the continuous series of scores. Figures 3 and 4 show the distribution of the scores resulting from the one-versus-all tests performed with gyroscope sensor data for the WhatsApp application. Baseline users, when tested against their own baselines, are called ‘genuine users’, and test users who were tested against baselines of other users are considered ‘imposters’ in the plots.

In the presented results, it is possible to determine from the plots which feature sets performed better than the others. However, in order to try all subsets of features available and evaluate a range of other input parameters, thousands of such plots need to be generated, and it gets difficult to compare results. In order to compare the results programmatically using a single metric, the weighted accept score (WAS) was employed, which was presented by Murmuria et al. in [9]. Using this score, we repeated the analysis with various different subsets of the feature set, and the best feature set and input parameters were selected (see Section II-C).

Figure 3 and Figure 4 show results obtained when generating user models from gyroscope sensor data while extracting time-domain and frequency-domain features, respectively. The x-axis represents the trust scores binned for visual depiction and the y-axis represents the percentage of total events. The results follow expectation that genuine users spend most of their time in the [80, 100] bin, and the imposters spend most of their time in the [0, 1] and [1, 50] bins. While not presented here, Facebook and YouTube applications showed similar results for both gyroscope and accelerometer sensors.

IV. DISCUSSION

A. Rationale for using Outlier Detection

As discussed in Section I, the number of activities that can be found in a user’s dataset is unbounded. As a result, activity recognition and continuous authentication are an outlier detection problem, and only one user’s data can be used in order to prepare behavioral models of that user.

Fig. 4. Frequency-domain Features on Gyroscope Sensor Data

Many publications in activity recognition discuss classification models that depend on creating a 2-class verifier, where in addition to data from the activity performers, sensory data from other users is required (see Section V). Most researchers fail to discuss that, in truth, the number of classes representing the set of all activities is unbounded. Modeling all activities from all imposters as a single negative class leads to overfitting and lack of generalization, which results in the eventual poor performance of the deployed system when new users are introduced. Researchers who modeled only a pre-selected set of activities and collected data only for those activities have regularly missed observing this phenomenon due to the lack of diversity in their datasets.

There will always be a larger set of users with partially unique activities who were not available at the time of training the models for the users in the system. Therefore, this problem should instead be modeled as in this paper, as a semi-supervised outlier detection problem, where only the data from the positive class is available and some measure is used to determine if the new stream of measurements belong in the distribution of previously recorded readings or not.

B. Feasibility of Generating Trust Score Locally

This paper discussed a technique which enables smartphones to generate user behavior models entirely on-device. The outlier detection algorithms discussed in this paper are based on finding fitness of a newly recorded activity into a model represented only by a sample distribution of activities of the modeled user, and the fitness is tested via hypothesis testing. As a result, most of the processing time during model generation and testing goes to the execution of the nearest neighbors discovery step. This operation was optimized by reducing the number of distance calculations, employing a commonly used tree-based data structure called KD-tree which recursively partitions the dataset along each of the feature dimensions, thereby reducing the complexity from O(n log n) to O(log n). Further, the data collected from the sensors are preprocessed, and after the feature extraction step the 20 minutes of training data occupy only 30 megabytes. On modern smartphones, it is easy to retain data of such volumes both in memory and storage. Therefore, the technique in this paper is feasible.
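The following added example (not code from the paper) illustrates Sections IV-A and IV-B together: a one-class model fitted only on the genuine user's feature vectors, with neighbors found through a KD-tree. The scoring rule (mean k-nearest-neighbor distance turned into an empirical p-value on a 0-100 scale) is an assumed, simplified stand-in for the paper's hypothesis test, and all names and data are constructed.

```python
import heapq, math, random

def build(points, depth=0):
    """KD-tree: split on one feature dimension per level, median as the node."""
    if not points:
        return None
    axis = depth % len(points[0])
    points = sorted(points, key=lambda p: p[axis])
    mid = len(points) // 2
    return (points[mid], axis,
            build(points[:mid], depth + 1), build(points[mid + 1:], depth + 1))

def knn(node, q, k, heap=None):
    """Distances from q to its k nearest points, as a negated max-heap."""
    heap = [] if heap is None else heap
    if node is None:
        return heap
    point, axis, left, right = node
    d = math.dist(point, q)
    heapq.heappush(heap, -d)
    if len(heap) > k:
        heapq.heappop(heap)                 # drop the farthest candidate
    near, far = (left, right) if q[axis] < point[axis] else (right, left)
    knn(near, q, k, heap)
    # Prune: cross the splitting plane only if it is closer than the k-th neighbor.
    if len(heap) < k or abs(q[axis] - point[axis]) < -heap[0]:
        knn(far, q, k, heap)
    return heap

def knn_score(tree, q, k, in_training=False):
    """Mean distance to the k nearest training points; larger means more unusual."""
    skip = 1 if in_training else 0          # drop the zero distance to itself
    dists = sorted(-x for x in knn(tree, q, k + skip))
    return sum(dists[skip:]) / k

def fit(train, k=5):
    """One-class model: the tree plus the genuine user's own score distribution."""
    tree = build(train)
    return tree, k, [knn_score(tree, p, k, True) for p in train]

def trust(model, q):
    """Empirical p-value (0-100): share of genuine windows at least as unusual as q."""
    tree, k, ref = model
    s = knn_score(tree, q, k)
    return 100.0 * sum(r >= s for r in ref) / len(ref)

# Constructed data: 300 three-feature windows standing in for one user's sensor features.
rng = random.Random(7)
GENUINE = [tuple(rng.gauss(0, 1) for _ in range(3)) for _ in range(300)]
```

No imposter data is needed at any point: `fit(GENUINE)` builds the model, and `trust(model, window)` scores a new feature window against the genuine user's own distribution.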

V. RELATED WORK

There is a large body of user behavior based research on activity recognition and continuous authentication systems for mobile devices.

Shi et al. [10] discussed a technique to fuse data from multiple sensors to create an authentication score. The researchers collected a wide range of behavioral information such as location, communication, and usage of applications, in order to create a user profile. Their approach is built on the concept that most users are habitual in nature and to build this model, the authors export all highly intrusive data to a remote server in order to map activities to time of the day and characterize the user. Similarly, Riva et al. [11] presented an architecture that utilized face and voice recognition, location familiarity, and determining possession by sensing nearby electronic objects as signals to establish the legitimate user’s level of authenticity. Their model is constructed remotely on cloud services and is computationally too expensive to fit on any mobile device.

Kwapisz et al. [12] published a system to identify and authenticate users based on accelerometer data. They used a dataset of 36 users, labeled according to activities such as walking, jogging, and climbing stairs. These labels were used as context and solved authentication as a 2-class problem. While they concluded based on their results that it is not critical to know what activity the user is performing, their dataset was generated by users repeating a limited set of pre-defined activities. In contrast, we present in this paper an unsupervised method that scales to all possible activities that users can perform.

For traditional computing devices, Killourhy et al. [13] and Shen et al. [14] published comparisons of various anomaly-detection algorithms for keystroke dynamics and mouse dynamics respectively, limiting the discussion to 1-class verification due to lack of availability of imposter data in the real-world. In contrast, we present a privacy-preserving implementation of such a 1-class verification system on mobile devices with a trust score model for context generation.

VI. FUTURE WORK

The dataset used in this research is very noisy and as future work, we would further investigate better data cleaning and feature evaluation strategies in order to make the resulting behavioral models more robust and accurate. Further, we evaluated time-domain and frequency-domain features of accelerometer and gyroscope separately, but did not attempt any ensemble methods on these models. In addition to ensemble techniques, we would like to investigate using all the features in the same model, and compare the performance.

VII. CONCLUSION

We have presented a context-generation technique in the form of a continuously revised trust score that represents the probability that users are performing activities in the same way as they normally do. In this model, no personal data needs to be shared with any remote server or third party application, and the score is generated entirely on the device in real-time. Further, we presented performance results of this system by analyzing data collected from 110 participants. Results show that this system is feasible and third party apps can benefit from the trust score without the burden of modeling the user behavior. This score can enable apps to block fraudulent financial transactions, monitor progress of a disease, or detect unauthorized access of a device without collecting any personally identifiable data from the users.

ACKNOWLEDGMENTS

This research was funded by Department of Homeland Security contract D15PC00154.

REFERENCES

[1] L. Rainie and M. Duggan, “Privacy and information sharing,” Pew Research Center, Jan, vol. 14, 2016.

[2] R. Sidel, “Why Your Bank Wants to Track Your Phone,” Wall Street Journal, Mar. 4, 2016.

[3] D. D. Mehta, M. Zanartu, S. W. Feng, H. A. Cheyne II, and R. E. Hillman, “Mobile voice health monitoring using a wearable accelerometer sensor and a smartphone platform,” IEEE Transactions on Biomedical Engineering, vol. 59, no. 11, pp. 3090–3096, 2012.

[4] P. Siirtola and J. Roning, “Recognizing human activities user-independently on smartphones based on accelerometer data,” IJIMAI, vol. 1, no. 5, pp. 38–45, 2012.

[5] A. Primo, V. V. Phoha, R. Kumar, and A. Serwadda, “Context-Aware Active Authentication Using Smartphone Accelerometer Measurements,” in Computer Vision and Pattern Recognition Workshops (CVPRW), 2014 IEEE Conference on. IEEE, 2014, pp. 98–105.

[6] R. Murmuria, A. Stavrou, D. Barbara, and D. Fleck, “Continuous Authentication on Mobile Devices Using Power Consumption, Touch Gestures and Physical Movement of Users,” in Research in Attacks, Intrusions, and Defenses. Springer, 2015, pp. 405–424.

[7] M. M. Breunig, H.-P. Kriegel, R. T. Ng, and J. Sander, “LOF: Identifying density-based local outliers,” in ACM Sigmod Record, vol. 29. ACM, 2000, pp. 93–104.

[8] J. J. Kavanagh and H. B. Menz, “Accelerometry: A technique for quantifying movement patterns during walking,” Gait & Posture, vol. 28, no. 1, pp. 1–15, 2008.

[9] R. Murmuria and A. Stavrou, “Authentication Feature and Model Selection using Penalty Algorithms,” in Symposium on Usable Privacy and Security (SOUPS), 2016.

[10] E. Shi, Y. Niu, M. Jakobsson, and R. Chow, “Implicit authentication through learning user behavior,” in Information Security, ser. Lecture Notes in Computer Science. Springer, 2011, no. 6531, pp. 99–113.

[11] O. Riva, C. Qin, K. Strauss, and D. Lymberopoulos, “Progressive authentication: Deciding when to authenticate on mobile phones,” in Proceedings of the 21st USENIX Security Symposium, 2012.

[12] J. R. Kwapisz, G. M. Weiss, and S. A. Moore, “Cell phone-based biometric identification,” in Biometrics: Theory Applications and Systems (BTAS), 2010 Fourth IEEE International Conference on. IEEE, 2010, pp. 1–7.

[13] K. S. Killourhy and R. A. Maxion, “Comparing anomaly-detection algorithms for keystroke dynamics,” in Dependable Systems & Networks, 2009. DSN’09. IEEE/IFIP International Conference on. IEEE, 2009, pp. 125–134.

[14] C. Shen, Z. Cai, R. Maxion, G. Xiang, and X. Guan, “Comparing classification algorithm for mouse dynamics based user identification,” in 2012 IEEE Fifth International Conference on Biometrics: Theory, Applications and Systems (BTAS), Sep. 2012, pp. 61–66.

First IEEE International Workshop on Behavioral Implications of Contextual Analytics (PerCom Workshops) 2017