Privacy-Aware Wearable-Assisted Continuous Authentication Framework
The login process for a mobile or desktop device does not guarantee that the person using it is necessarily the intended user. If one is logged in for a long period of time, the user’s identity should be periodically re-verified throughout the session without impacting their experience, something that is not easily achievable with existing login and authentication systems. Hence, continuous authentication, which re-verifies the user without interrupting their browsing session, is essential. However, authentication in such settings is highly intrusive and may expose users’ sensitive information to third parties. To address these concerns, this project develops a novel privacy-aware wearable-assisted continuous authentication (WACA) framework. User-specific data is acquired through built-in sensors on a wearable device. The user data goes through privacy-preserving operations throughout the authentication process. This login procedure can be applied to a wide variety of existing enterprise authentication systems such as university campuses, corporate Information Technology divisions, and government agencies. Prototype deployments at Florida International University (FIU) and Florida Atlantic University (FAU), both of which serve large and diverse student populations, provide valuable feedback for future improvements. Continuous authentication and digital privacy are timely and relevant topics in today’s Internet-centric always-on society.
This project exploits the ubiquitous nature of sensor-based wearables by designing an innovative usable continuous authentication mechanism. By leveraging the expertise of the project team on authentication, privacy-preservation, and machine learning, this project addresses the following problems: 1) Investigation of novel sensory features on wearable smartwatches and identification of an optimal subset of these features along with distance measures and machine-learning algorithms to strike the balance between accuracy and speed; 2) Discovery of novel privacy-preserving mechanisms based on secure noise-tolerant template generation and comparison techniques, multi-party computation, and homomorphic encryption; 3) Trade-offs between privacy and performance to optimize the scheme in terms of accuracy, efficiency, and security; 4) Security of sensor-based keystroke dynamics against some common attacks such as simple zero-effort, imitation, and more complex statistical attacks including, but not limited to, classical keyboard-only keystroke dynamics attacks; and 5) Development, testing, and deployment of the proposed framework with a rich set of users, devices, and usage context in a prototype system. The success of the WACA project will contribute to the growth of knowledge in privacy and authentication domains and to societal understanding of these matters.
WACA is a typing-based continuous authentication system using the accelerometer and gyroscope sensors of a smartwatch. The WACA framework is complementary to a first-factor authentication mechanism and is flexible enough to work with any first factor, including password-, token-, or biometric-based systems.
WACA is a keystroke-based privacy-aware continuous authentication framework that uses the accelerometer and gyroscope sensors of a smartwatch. WACA will consist of four main stages: Pre-processing, Feature Extraction, User Profiling, and Decision Module.
The overall WACA architecture is shown in Figure 1 and works as follows. The raw sensor data is acquired from a smartwatch (or another wearable device) (1) through an app installed on the watch. Because the collected data might include a certain level of noise, in the pre-processing stage the raw data is cleaned by applying a low-pass filter (2) and transformed into a proper format for the next stages. The incoming data is used to extract a set of features (3), the so-called feature vector, which represents the characteristics of the current user profile. In the enrollment phase (9), the created user profile undergoes a cryptographic transformation and is securely stored in an authentication server in a trusted center. During the verification phase (4), the questioned user profile is dispatched from the authentication server to the decision module (10)(11), where a similarity score between the returned profile and the provided profile is computed to make a binary decision. Note that similarity scores are computed with cryptographic transformations of the features (also known as secure templates) as input. This assures the security and privacy of users and their data. If the decision is no match (5), the user's access to the terminal is suspended and the user is required to re-authenticate using the primary authentication method. If the decision is match (6), the user's access is maintained and the current profile is added to the authentication server (7). In this way, the user profile is kept up to date over time. Whenever typing activity is initiated on the keyboard of the computer, the smartwatch is notified (8) again by the terminal to start the authentication process over, so that it runs continuously.
Feature Extraction & User Profiling
In WACA, Feature Extraction (FE) refers to the transformation of the raw time-series data into a number of features. To create the feature vector, each feature is computed from the data vectors. For example, the first feature is calculated by a function f, i.e., f1 = f(x_acc, y_acc, z_acc, x_gyro, y_gyro, z_gyro), the second feature by another function g, i.e., f2 = g(x_acc, y_acc, z_acc, x_gyro, y_gyro, z_gyro), and so on. The final feature vector f = <f1, f2, …, fn> is then generated from all the calculated features. Because the elements of the feature vector have different ranges, some features can dominate the distance measurement. To prevent this and create a scale-invariant feature vector, we normalize the feature vector, mapping the interval [x_min, x_max] onto the unit scale [0, 1]. We formulate this linear normalization process in WACA as follows: x_new = (x − x_min)/(x_max − x_min), where x_min and x_max are the minimum and maximum values of the features of the user’s enrolled templates. After the final feature vector f is generated, the user profiling stage creates a user profile p by adding the user ID and the start and end timestamps of the data sample, i.e., p = <userID, t_start, t_end, f>. If the user is in the enrollment phase, this profile is transmitted to the authentication server (AS) to be stored in a database.
The task of the Decision Module is to classify the user as authorized or unauthorized for the credentials entered during the initial login. For the purpose of authentication, we use distance measures. Distance measure methods simply calculate the distance between two vectors or data points in a coordinate plane. The distance is directly related to the similarity of the compared time-series data sets. The most widely used distance measure is the Euclidean distance. It is simply the distance between two points in vector space and is a particular case of the Minkowski distance, which is expressed as follows:
where x = (x_1, x_2, …, x_n) and y = (y_1, y_2, …, y_n) are the sets of observations to be compared. If p = 2, it is the Euclidean distance, which has been extensively used in keystroke-based authentication methods. In WACA, one of x and y corresponds to the data stored in the authentication server, while the other is the questioned sample from the user. WACA calculates the distance and returns the result by comparing it with a configurable predetermined threshold value (i.e., genuine if distance < threshold, impostor if distance ≥ threshold). Several distance measurement methods are used in biometric authentication systems, and they perform differently in different contexts. Therefore, we test various distance metrics such as cosine distance, correlation distance, Manhattan (Cityblock) distance, and Minkowski with p = 5.
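The feature extraction, normalization and distance-based decision described above can be sketched as follows. This is an added example, not code from the WACA project: the per-axis features (mean, standard deviation, range), the comparison against the mean enrolled template, the threshold value and the synthetic sensor windows are all assumptions made for illustration.

```python
import math
import random
import statistics

AXES = ("x_acc", "y_acc", "z_acc", "x_gyro", "y_gyro", "z_gyro")
THRESHOLD = 5.0  # assumed value; the page only says the threshold is configurable

def extract_features(window):
    """Build f = <f1, ..., fn> from one window (dict: axis -> samples).
    Mean, standard deviation and peak-to-peak range per axis are assumed features."""
    f = []
    for axis in AXES:
        s = window[axis]
        f += [statistics.fmean(s), statistics.pstdev(s), max(s) - min(s)]
    return f

def fit_scaler(enrolled):
    """Per-feature x_min and x_max taken from the user's enrolled templates only."""
    cols = list(zip(*enrolled))
    return [min(c) for c in cols], [max(c) for c in cols]

def normalize(f, x_min, x_max):
    """x_new = (x - x_min) / (x_max - x_min). A questioned sample can land outside
    [0, 1] because the bounds come from enrollment; constant features map to 0."""
    return [(x - lo) / (hi - lo) if hi > lo else 0.0
            for x, lo, hi in zip(f, x_min, x_max)]

def minkowski(x, y, p):
    """Minkowski distance of order p (p=1 Manhattan, p=2 Euclidean)."""
    return sum(abs(a - b) ** p for a, b in zip(x, y)) ** (1.0 / p)

def decide(sample, enrolled, threshold=THRESHOLD, p=2):
    """Compare a questioned feature vector with the mean enrolled template."""
    x_min, x_max = fit_scaler(enrolled)
    scaled = [normalize(t, x_min, x_max) for t in enrolled]
    template = [statistics.fmean(c) for c in zip(*scaled)]
    d = minkowski(normalize(sample, x_min, x_max), template, p)
    return ("genuine" if d < threshold else "impostor"), d

def synth_window(rng, amp, noise, n=200):
    """Constructed data: a sinusoidal 'typing motion' per axis plus Gaussian noise."""
    return {ax: [amp * (i + 1) * math.sin(0.3 * k) + rng.gauss(0, noise)
                 for k in range(n)] for i, ax in enumerate(AXES)}

rng = random.Random(7)
enrolled = [extract_features(synth_window(rng, 1.0, 0.2)) for _ in range(10)]
genuine = extract_features(synth_window(rng, 1.0, 0.2))
impostor = extract_features(synth_window(rng, 1.6, 0.5))
for name, sample in (("genuine", genuine), ("impostor", impostor)):
    print(name, decide(sample, enrolled))
```

Because x_min and x_max are fitted on the enrolled templates alone, an impostor's features fall far outside [0, 1] after scaling, which is what pushes the distance over the threshold.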
The second approach, machine learning (ML), especially when based on neural networks, is widely preferred by researchers for identification purposes. To evaluate the performance of the WACA framework, we investigate the use of both supervised and unsupervised ML algorithms. Identification is also an important asset in WACA for identifying insider threats or unauthorized users who might be using a computing system that belongs to someone else in the same authentication realm.
A generic continuous authentication system is expected to collect, process, communicate, and store unique behavioral characteristics (more generally, biometric samples or biometric data) of individuals on a continuous basis. Biometric templates, as derived in the feature extraction stage, are used during authentication as the basis for comparison. Therefore, it is critical to protect biometric templates to minimize the security and privacy risks. It should be computationally infeasible to construct the actual biometric data from its protected template (irreversibility) and to cross-match two protected templates (unlinkability). Other expected security requirements are confidentiality, integrity, and revocability/renewability.
In our framework, we investigate new cryptographic primitives for assuring the security and privacy of users and their data in WACA. A wide range of mathematical structures including group theory, elliptic curves, lattices, homomorphic encryption schemes as well as encryption-free secure multiparty computation techniques will be exploited in this field for the first time.
Project Team Members
- Abbas Acar, Wenyi Liu, Raheem Bayeh, Kemal Akkaya, and A. Selcuk Uluagac, “A Privacy-preserving Multi-factor Authentication System”, Wiley Security and Privacy, 2019.
- Abbas Acar, Hidayet Aksu, Kemal Akkaya, and A. Selcuk Uluagac. “WACA: Wearable-Assisted Continuous Authentication.” Security and Privacy Workshops (SPW), 2018 IEEE. IEEE, 2018.
- Abbas Acar, Hidayet Aksu, Kemal Akkaya, and A. Selcuk Uluagac. WACA: Wearable-Assisted Continuous Authentication Framework with Motion Sensors. In Proceedings of the 25th Usenix Security Symposium, 2016 (poster).
- Abbas Acar, Hidayet Aksu, A. Selcuk Uluagac, and Kemal Akkaya, “A Method for Continuous User Authentication with Wearables,” Filed to US Patent and Trademark Office (US 15/674,133), August 2017.
Presentations and Talks:
- Abbas Acar, Hidayet Aksu, Kemal Akkaya, and A. Selcuk Uluagac. WACA: Wearable-Assisted Continuous Authentication Framework. Presentation of the accepted paper at 39th IEEE Symposium on Security and Privacy Workshops, San Francisco, CA, May 24, 2018.
- Abbas Acar, Hidayet Aksu, Kemal Akkaya, and A. Selcuk Uluagac. WACA: Wearable-Assisted Continuous Authentication Framework with Motion Sensors. Poster Presentation at Florida Institute of Cybersecurity Research Annual Conference on Cybersecurity, University of Florida, Gainesville, March 1, 2018.
- Abbas Acar, Amit Kumar Sikder, Leonardo Babun, and A. S. Uluagac, “Experts talk cyber attacks on business, lead live hack,” FIU News, Gisela Valencia, December 21, 2017.