2008 International Conference on Computer and Electrical Engineering User Authentication using Combination of Behavioral Biometrics over the Touchpad acting like Touch screen of Mobile Device Hataichanok Saevanee Department of Mathematics, Faculty of Science, Chulalongkorn University, Thailand hataichanok.s@student.chula.ac.th Pattarasinee Bhatarakosol Department of Mathematics, Faculty of Science, Chulalongkorn University, Thailand pattarasinee.b@chula.ac.th Abstract Now mobile devices are developed to serve various functions, storing the sensitive information. In order to protect those information and mobile systems from unauthorized users, the authentication system must be installed unavoidably. Additionally, the development of the mobile system is moving forward to the touch screen system for user friendly and quick access mechanism. In this paper, we proposed behavioral manners of users over the touchpad acting like touch screen that is able to detect the finger pressure. These behaviors are keystroke dynamics and the finger pressure. The finding has shown that, the finger pressure gives the discriminative information more than keystroke dynamics with the k-nn analytical method. Moreover, using only the finger pressure produces high accuracy rate of 99%. 1. Introduction Nowadays, Mobile devices, such as cellular phones and Personal Digital Assistants (PDAs), become widespread in excess over 3 billion users [1]. Most of them are operated by touching a display commonly used because the touch screen interface is easy to use and user-friendly operates. Currently, mobile devices are used to not only make or receive a call, take photos, and play video games, but also give the special assistance in the business, such as providing internet access, directing access to e-mail and cooperating data, transferring money, and managing bank account. As a consequence, the authentication of users for mobile devices has become an important issue. According to [2], the authentication on mobile devices can be classified in three fundamental approaches. The first approach is using a PIN (Personal Identification Number) or a password which is a secrete-knowledge based technique. This technique offers a standard level of protection and provide cheap and quick authentication. Unfortunately, it is not enough to the safeguard mobile device and data access through them because passwords have never been completely protected by the owners; sharing passwords with friends or any other systems are unavoidable problems. Moreover, the result of a survey from [3] has shown that most users agree that using PIN is very inconvenient and they do not have confidence in the protection of the PIN facility provides. The second approach is the token-based technique or SIM (Subscriber Identification Module). In this approach, when users do not want to use the mobile, the mobile s SIM must be removed. However, removing SIM is not recommended due to inconvenient manners. The last approach is applying the biometric technique. This technique is based on a unique characteristic of a person that provides an improvement on the current authentication. Biometrics relevance with the identification and verification of individual based on human characteristics. Biometric approaches are typically subdivided into two categories: physiological and behavioral biometrics. Physiological biometric is based on bodily characteristics, such as fingerprint, facial recognition, and iris scanning. Behavioral biometric is based on the way people do things, such as keystroke dynamics, mouse movement, and speech recognition. Using any kind of mobile phones, people cannot avoid interact with keystroke dynamics. However, each person may have different styles to press the key because the typing style is based on user s experience and individual skill which is difficult to imitate. The purpose of this paper is to investigate the behavioral manner of users when dialing the phone number on touchpad acting like touch screen on the mobile touch screen detected force in the future [4]. Using keystroke dynamics and the finger pressure 978-0-7695-3504-3/08 $25.00 2008 IEEE DOI 10.1109/ICCEE.2008.157 82
information are the features to authenticate users to increase the accuracy using the combination of behavioral biometrics. The remaining of this paper is organized in six sections. In the Section II is presented works published in the area. In the Section III, the purpose of methodology is discussed: gathering the data, extracting the features, and data structuring and anglicizing. The results are presented in Section IV and discuss in Section V. Finally, the conclusions and future work are presented in Section VI. 2. Related works A keystroke dynamics is based on the assumption that different people have unique habitual rhythm pattern in the ways they typed. The first study was done in 1980 by Gaines [5] who showed that the keystroke timing is a feasible authentication measure. Researches on user authentication using the keystroke dynamics are still going on and numbers of the researches are increasing. The assessment of keystroke dynamics is based on the traditional statistical analysis or the relatively newer pattern recognition technique. Previous researchers used the pattern recognition approach, such as z-test [5], Bayesian classifiers [6], and neuron network [6], [7]. However, all of these studies focus on the keystroke dynamics input from a standard PC keyboard. A few studies have considered the feasibility of the keystroke dynamics on mobile devices. In 2002, Mantyjarvit et al. [8] has investigated the keystroke recognition for the virtual keyboard that used to interact with the hand held electronic devices, such as PDAs, and Mobile phones. The result showed that the accuracy for keystroke recognition using k-nn classification is nearly 100%. Additionally, Clarke et al. [7] investigated the feasibility of authenticating users based on their typing 4-digits represented PIN number and 11-digits represented telephone number on mobile devices using the neural network method showing the keystroke latency as viable discriminative characteristics for at least some of the participant. Furthermore, they also investigated on the utilization of keystroke analysis as authentication method in device that offers the tactile environment of thumb-based keyboard [9]. The results from both studied showed that from the two traditionally used keystroke characteristics, the interkey gave promising results. According to the research of Grabham [10], the investigation of a biometric based on force and keypress duration of a user entering a PIN on an ATMtype interface coupled with a component-wise verification scheme was determined. The result of this investigation indicated that using force and key press duration can identify users with high accuracy and low error rate. 3. Experiment Procedure This section described the feasibility study to authenticate a user using combination of force sensitive and keystroke dynamics. The experimental device is a notebook touch pad acting like a mobile touch screen; the measurement of force and value of keystroke dynamics is performed when the user enters 10-digit number on the touch pad. Details of the experiment are elaborated as follows. 3.1 Data Gathering The size of the notebook touchpad, Synaptic Touchpad, is 3.6 7 cm2 dividing to the same size of 1.2 1.5cm2 keys, totally 12 keys. The sensitivity of this pad is approximately 1000 dots per inch. Furthermore, all participants will have time to get used to this touch pad before the measurement process. Referring to the research of [7], 10-digit input value has a longer feature set and made it more difficult for an imposter to duplicate. Thus, the sample size of 10 (n=10; female=6, male=4) entered their cell phone numbers, with 10 digits long, times continuously and repeatedly. The measurement values, the finger pressure and finger position on the touch pad, will be recorded every 20 ms. 3.2. Extracting Features The behavior information on the pad that can be detected consists of keystroke dynamics and the finger pressure. Three features extracted from these behaviors. Two features were extracted during the keystroke dynamics: the inter-key and the hold-time. Another one feature is the finger pressure which is the force applied over the finger position. The inter-key is the duration of interval between two successive keys; the hold-time is the duration of interval between the pressing and releasing of a single key. Figure 1 shows the extracted features: hold-time (H) and inter-key (I) of a volunteer performing one time measurement by typing a 10-digit number. Since there are 10 participants entering times of 10-digit numbers, there are 3,000 values of the holdtime, 2,700 values of the inter-key, and 3,000 values of the finger pressure. These values will be constructed as vectors to be analyzed as described in the next section. 83
pressure 60 50 40 20 10 0 0 1000 2000 00 4000 5000 time (ms) H1 H2 H3 H4 H5 H6 H7 H8 H9 H10 I1 I2 I3 I4 I5 I6 I7 I8 I9 Figure 1. Hold-time and Inter-key for a 10-digit number 3.3 Data Structuring Considering the finger pressure value, this value is obtained in different manners from other values mentioned above. Since the pressing area is not a single small point but it consists of multiple points on the pad, therefore, there are multiple pressing values over the pressed pad for each pressed digit. Thus, the average value of these multiple pressing values is used as the representative for one pressing digit, as shown in Figure 2. As same as other vectors, the vector of the finger pressure values is constructed as follows. P i, j FP i = [ Pi, 1, Pi,2,..., Pi, 10] Where denotes the average value of finger pressure values at the round i of digit j. Since this experiment is interested in using both hold-time and inter-key, vectors of each value will be constructed to determine its characteristics before the combination of these two values is determined the action effect of hold-time and inter-key. Considering the hold-time values of each person that presses one time for a 10-digit number, a vector in + + + R R... R (10 terms) when R + is the set of all positive real numbers is created and can be written as follows. p 1 p p 5 p 3 2 p 4 p... p N N N p k k= Pi j = 1, Where digit j. H i, j HT i = [ Hi, 1, H i,2,..., Hi, 10] denotes the hold-time at the round i of As same as the hold-time value, the feature of the inter-key which is the interval duration between the two successive key, will be generated nine values for one time press of 10 digits. Thus, a vector in + + + R R... R (9 terms) when R + is the set of all positive real numbers is created and can be written as follows. Where digit j. I i, j IK i = [ Ii, 1, I i,2,..., Ii, 9 ] denotes the inter-key at the round i of In order to determine the interaction among the hold-time and the inter-key, the concatenation of HT vector i IK and i is performed as follows. Figure 2. Calculation method of the finger pressure value 3.4 Analyzing Features After transforming the data, we investigated the preliminary feasibility of these behavioral biometrics by k-nn classification method that is widely used in data analysis [8] [11]. In k-nn classification the similarity between a validation sample (testing set) vector and reference vectors (training set) are computed using Euclidean distances. The class of feature vector is determined by selecting the class that has majority among the k- nearest neighbors; these are called k-nearest neighbors [8]. Since the total size of a data set is vector values for each person, thus, this set was divided into two groups for in the analytical process; two-third for training set (20 vectors), and one third for testing set (10 vectors). The pattern classification test was performed with one user acting as the valid user, while all others are acting as impostors. ( HT IK) i = [ Hi, 1, H i,2,..., Hi,10, Ii,1, Ii,2,..., Ii, 9] 84
In all biometrics, the measurement values to assess the performance of keystroke dynamics are defined as following: False Acceptance Rate (FAR) refers to the percentage of imposter was accepted by the system. False Rejection Rate (FRR) refers to the percentage of authorized users was rejected from the system. Equal Error Rate (EER) refers to the rate at which both accept and reject errors are equal. Moreover, this value is used to compare the performance of different biometric techniques. 7. Results Equal Error Rate (%) 40 35 25 20 15 10 5 0 35 1 H I P HI HIP HP Features Figure 3. Equal Error Rate of each feature Figure 3 shows the EER values of all biometric measurement: the hold-time (H), the inter-key (I), the finger pressure (P). Additionally, the interactions among these metrics are considered; these are (1) keystroke dynamics which is the interaction between the hold-time and the inter-key (HI), (2) interaction between the hold-time and the finger pressure (HP), and (3) the interaction among three factors (HIP). Consider each main biometric according to Figure 3, the EER value of the hold-time is %, the inter-key is 35%, and the finger pressure has the lowest EER value, 1%. These numbers determine that the accuracy to identify a person can be obtained using the finger pressure value, and the alternative method is to apply the behavior of the hold-time or the inter-key. Referring to Figure 3, the interaction of biometrics is also considered, the results show that the best measurement value is obtained from the interaction between hold-time and finger pressure methods. This method has the EER value as same as the EER value of the finger pressure value, 1%. However, the interaction among three biometrics are also efficient because the EER value is only 9% while using the hold-time and the inter-key behavior does not be a good choice to identify persons since the EER value is 27% 27 9 1 8. Discussion As the fact that the use of mobile devices is rapidly growth and developed, the motivation of stealing is also increased. Therefore, in order to protect the mobile devices, in every type of mobile hardware, the authentication system was implemented. One method to authenticate the mobile users is the use of biometric value, measured from the biometrics methods. The results in this paper that measure the EER values, using k-nn method, from three different behavior measurement values: the hold-time (H), the inter-keys (I), the finger pressure (P) shows that using the finger pressure as the indicator to identify users is the best measurement value although [10] had proposed that the accuracy to identify users can be obtained from the interaction of all three factors (HIP) analyzed by the component-wise verification scheme. Additionally, using the interaction among the hold-time and the finger pressure is also another choice to identify users with high accuracy, in order to protect any forges because the accuracy rate is 99% which is somehow much better than using the keystroke dynamics that analyzed by FF-MLP proposed by [7]. Nevertheless, [8] proposed that the keystroke dynamics can also be applied to identify users with high accuracy, 99%, under the use of the k-nn analytical method. 9. Conclusion Since mobile devices are developed to serve various functions, thus important data may be stored in the mobile memory card. In order to protect those information and mobile system from unauthorized users, the authentication system must be installed unavoidably. Although there are various authenticate methods, using bio data is one of the most interesting area to be applied. Additionally, the development of the mobile system is moving forward to the touch screen system for user friendly and quick access mechanism. Therefore, this paper focuses on the study of implementing the Biometric measurement to identify users. We investigate the potential of each biometrics behavioral by individual and couple, comprise with the hold-time, the inter-key, and the finger pressure. The results have shown that using only the finger pressure with the k-nn analytical method can indicate users with accuracy rate as 99% which is the same as using the combination of the hold-time and the finger pressure. However, the interaction of all three metrics is another alternative method to identify users since the correctness of the identifying mechanism is up to 90%. Therefore, implementing these alternative methods as a 85
part of the authentication system of the mobile devices can assure that the system is well protected and difficult to be broken by any imposters. 10. References [1] GSMWorld.com:WorldCellularSubscribers http://www.gsmworld.com/using/security/advice.shtml [2] S. Nanavati, M. Thieme, and R. Nanavati, Biometrics identity verification in a networked world, John Wiley & Sons, 2002 [3] N.L. Clarke and S.M. Furnell, Authentication of users on mobile telephones A survey of attitudes and practices, Computers & Security, October 2005, Vol.24, pp. 519-527. [4] http://multi-touchscreen.com/iphone.html [5] R. Gaines, W. Lisowski, S. Press and N. Shapiro, Authentication by keystroke timing: some preliminary results. Rand Report R-2560-NSF, Rand Corporation California, 1980. [6] M.S. Obaidat and B. Sadom, Verification of Computer Users Using Keystroke Dynamics, IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics, April 1997, Vol. 27, pp.261-269. [7] N.L. Clarke and S.M. Furnell, Authenticating mobile phone users using keystroke analysis, International Journal of Information Security, Springer-Verlag, Berlin, Heidelberg, December 2006, pp.1-14. [8] J. Mantyiarvi, J. koivumaki and P. Vuori, keystroke recognition for virtual keyboard, Proceeding of international Conference on Multimedia and Expo, November 11, 2002, Vol. 2, pp.429-432. [9] S. Karatzouni and N. Clark, New Approaches for security, Privacy and Trust in Complex Environments, Springer Boston, Vol.32, 2007. [10] N J Grabham and N M White, Use of a Novel Keypad Biometric for Enhanced User Identity Verification, IEEE International Instrumentation and Measurement Technology Conference, Victoria, Vancouver Island, Canada, May 12-15, 2008. [11] S.R. Kulkarni, G. Lugosi, and S. S. Venkatesh, Learning Pattern Classification - Survey, IEEE Transaction on Information Theory, October 1998, Vol.44, pp. 2178-2206. 86