Keystroke dynamics

Keystroke dynamics, keystroke biometrics or typing dynamics, is the detailed timing information which describes exactly when each key was pressed and when it was released as a person is typing at a computer keyboard.[1]

Science of Keystroke Dynamics

The behavioral biometric of Keystroke Dynamics uses the manner and rhythm in which an individual types characters on a keyboard or keypad.[2][3][4] The keystroke rhythms of a user are measured to develop a unique biometric template of the user's typing pattern for future authentication.[5] Raw measurements available from almost every keyboard can be recorded to determine Dwell time (the time a key pressed) and Flight time (the time between "key up" and the next "key down"). The recorded keystroke timing data is then processed through a unique neural algorithm, which determines a primary pattern for future comparison.[6] Similarly, vibration information may be used to create a pattern for future use in both identification and authentication tasks.

Data needed to analyze keystroke dynamics is obtained by keystroke logging. Normally, all that is retained when logging a typing session is the sequence of characters corresponding to the order in which keys were pressed and timing information is discarded. When reading email, the receiver cannot tell from reading the phrase "I saw 3 zebras!" whether:

Origin of Keystroke Dynamics

On May 24, 1844, the message "What hath God wrought" was sent by telegraph from the U.S. Capitol in Washington, D.C. to the Baltimore and Ohio Railroad "outer depot" in Baltimore, Maryland, a new era in long-distance communications had begun. By the 1860s the telegraph revolution was in full swing and telegraph operators were a valuable resource. With experience, each operator developed their unique "signature" and was able to be identified simply by their tapping rhythm.

As late as World War II the military transmitted messages through Morse Code. Using a methodology called "The Fist of the Sender," Military Intelligence identified that an individual had a unique way of keying in a message's "dots" and "dashes," creating a rhythm that could help distinguish ally from enemy.

Use as Biometric Data

Researchers are interested in using this keystroke dynamic information, which is normally discarded, to verify or even try to determine the identity of the person who is producing those keystrokes. This is often possible because some characteristics of keystroke production are as individual as handwriting or a signature. The techniques used to do this vary widely in power and sophistication, and range from statistical techniques to AI approaches like neural networks.

Very simple rules can be used to rule out possible users in simple cases. For example, if we know that John types at 20 words per minute, and the person at the keyboard is typing at 70 words per minute, we are able to eliminate John as the typist. This form of test is based simply on raw speed uncorrected for errors. It's only a one-way test, as it's always possible for people to go slower than normal, but it's unusual or impossible for them to go twice their normal speed.

Or, it may be that the mystery user at the keyboard and John both type at 50 words per minute. However, perhaps John never really learned the numbers, and always had to slow down an extra half-second whenever a number had to be entered. If the mystery user did not slow down before numbers were typed, we can eliminate John as the typist.

The time to get to and depress a key (seek-time), and the time the key is held-down (hold-time) may be very characteristic for a person, regardless of how fast they are going overall. Most people have specific letters that take them longer to find or get to than their average seek-time over all letters, but which letters those are may vary dramatically but consistently for different people. Right-handed people may be statistically faster in getting to keys they hit with their right hand fingers than they are with their left hand fingers. Index fingers may be characteristically faster than other fingers to a degree that is consistent for a person day-to-day regardless of their overall speed that day.

In addition, sequences of letters may have characteristic properties for a person. In English, the word "the" is very common, and those three letters may be known as a rapid-fire sequence and not as just three meaningless letters hit in that order. Common endings, such as "ing", may be entered far faster than, say, the same letters in reverse order ("gni") to a degree that varies consistently by person. This consistency may hold and may reveal the person's native language's common sequences even when they are writing entirely in a different language, just as revealing as an accent might in spoken English.

Common "errors" may also be quite characteristic of a person, and there is an entire taxonomy of errors, such as this person's most common "substitutions", "reversals", "drop-outs", "double-strikes", "adjacent letter hits", "homonyms", hold-length-errors (for a shift key held down too short or too long a time). Even without knowing what language a person is working in, by looking at the rest of the text and what letters the person goes back and replaces, these errors might be detected. Again, the patterns of errors might be sufficiently different to distinguish two people.

Authentication versus identification

Keystroke dynamics is part of a larger class of biometrics known as behavioral biometrics; their patterns are statistical in nature. It is a commonly held belief that behavioral biometrics are not as reliable as physical biometrics used for authentication such as fingerprints or retinal scans or DNA. The reality here is that behavioral biometrics use a confidence measurement instead of the traditional pass/fail measurements. As such, the traditional benchmarks of False Acceptance Rate (FAR) and False Rejection Rates (FRR) no longer have linear relationships.

The benefit to keystroke dynamics (as well as other behavioral biometrics) is that FRR/FAR can be adjusted by changing the acceptance threshold at the individual level. This allows for explicitly defined individual risk mitigation–something physical biometric technologies could never achieve.

Another benefit of keystroke dynamics: they can be captured continuously—not just at the start-up time—and may be adequately accurate to trigger an alarm to another system or person to come double-check the situation.

In some cases, a person at gun-point might be forced to get start-up access by entering a password or having a particular fingerprint, but then that person could be replaced by someone else at the keyboard who was taking over for some bad purpose. In other less dramatic cases, an employee might violate business rules by sharing their password with their secretary, or by logging onto a system but then leaving the computer logged-in while someone else he knows about or doesn't know about uses the system. Keystroke dynamics is one way to detect such problems sufficiently reliably to be worth investigating, because even a 20% true-positive rate would send the word out that this type of behavior is being watched and caught.

Researchers are still a long way from being able to read a keylogger session from a public computer in a library or cafe somewhere and identify the person from the keystroke dynamics, but we may be in a position to confidently rule out certain people from being the author, who we are confident is "a left-handed person with small hands who doesn't write in English as their primary language."

Temporal variation

One of the major problems that keystroke dynamics runs into is that a person's typing varies substantially during a day and between different days. People may get tired, or angry, or have a beer, or switch computers, or move their keyboard tray to a new location, or use a virtual keyboard, or be pasting in information from another source (cut-and-paste), or from a voice-to-text converter. Even while typing, a person, for example, may be on the phone or pausing to talk. And some mornings, perhaps after a long night with little sleep and a lot of drinking, a person's typing may bear little resemblance to the way he or she types when well-rested. Extra doses of medication or missed doses could change the person's rhythm. There are hundreds of confounding circumstances.

Because of these variations, any system will make false-positive and false-negative errors. Some of the successful commercial products have strategies to handle these issues and have proven effective in large-scale use (thousands of users) in real-world settings and applications.

Surreptitious use of key-logging software is on the rise, as of this writing. Use of such software may be in direct and explicit violation of local laws, such as the U.S. Patriot Act, under which such use may constitute wire-tapping. This could have severe penalties including jail time. See spyware for a better description of user-consent issues and various fraud statutes. Spyware and its use for illegal operations such as bank-fraud and identity theft are very much in the news, with even Microsoft issuing new spyware defense products, and tougher laws in the near future being very likely.

Competent legal advice should be obtained before attempting to use or even experiment with such software and keystroke dynamic analysis, if consent is not clearly obtained from the people at the keyboard, even though the actual residual "content" of the message—the resultant text—is never analyzed, read, or retained. The status of the "dynamic context" of the text is probably in legal limbo.

There are some patents in this area. Examples:

Other uses

Because keystroke timings are generated by human beings, they are not well correlated with external processes, and are frequently used as a source of hardware-generated random numbers for computer systems.

See also

References

  1. Robert Moskovitch , Clint Feher , Arik Messerman , Niklas Kirschnick , Tarik Mustafic , Ahmet Camtepe , Bernhard Löhlein , Ulrich Heister , Sebastian Möller , Lior Rokach , Yuval Elovici (2009). Identity theft, computers and behavioral biometrics (PDF). Proceedings of the IEEE International Conference on Intelligence and Security Informatics. pp. 155–160.
  2. Deng, Y.; Yu, Y. "Keystroke Dynamics User Authentication Based on Gaussian Mixture Model and Deep Belief Nets". ISRN Signal Processing. 2013: 565183. doi:10.1155/2013/565183].
  3. User authentication through typing biometrics features
  4. Continuous authentication by analysis of keyboard typing characteristics
  5. A modified algorithm for user identification by his typing on the keyboard
  6. User authentication using rhythm click characteristics for nonKeyboard devices

Other references

  • Checco, J. (2003). Keystroke Dynamics & Corporate Security. WSTA Ticker Magazine, .
  • Bergadano, F.; Gunetti, D.; Picardi, C. (2002). "User authentication through Keystroke Dynamics". ACM Transactions on Information and System Security (TISSEC). 5 (4): 367–397. doi:10.1145/581271.581272. 
  • iMagic Software. (vendor web-site May 2006). Notes: Vendor specializing in keystroke authentication for large enterprises.
  • AdmitOne Security - formerly BioPassword. (vendor web-site home [Web Page]. URL . Notes: Vendor specializing in keystroke dynamics
  • Garcia, J. (Inventor). (1986). Personal identification apparatus. (USA 4621334). Notes: US Patent Office -
  • Bender, S and Postley, H. (Inventors) (2007). Key sequence rhythm recognition system and method. (USA 7206938), Notes: US Patent Office -
  • Joyce, R., & Gupta, G. (1990). Identity authorization based on keystroke latencies. Communications of the ACM, 33(2), 168-176. Notes: Review up through 1990
  • Mahar, D.; Napier, R.; Wagner, M.; Laverty, W.; Henderson, R. D.; Hiron, M. (1995). "Optimizing digraph-latency based biometric typist verification systems: inter and intra typist differences in digraph latency distributions". International Journal of Human-Computer Studies. 43 (4): 579–592. doi:10.1006/ijhc.1995.1061. 
  • Monrose, F., & Rubin Aviel D. (1997). Authentication via Keystroke Dynamics. ACM Conference on Computer and Communications Security. Notes: available to subscribers at , much cited
  • Monrose, F., & Rubin, A. D. (2000). Keystroke Dynamics as a Biometric for Authentication. Future Generation Computer Systems, 16, 351-359. Notes: Review 1990–1999
  • Monrose, F. R. M. K., & Wetzel, S. (1999). Password hardening based on keystroke dynamics. Proceedings of the 6th ACM Conference on Computer and Communications Security, 73-82. Notes: Kent Ridge Digital Labs, Singapore
  • Robinson, J. A., Liang, V. M., Chambers, J. A. M., & MacKenzie, C. L. (1998). Computer user Verification using Login String Keystroke Dynamics. IEEE Transactions on Systems, Man, and Cybernetics Part A, 28(2). Notes: Highlights: 10 users were distinguished from 10 "forgers" using 3 classification systems. Hold times were more effective than interkey times for discrimination. Best results used both with a learning classifier. There were a high rate of confounding errors and backspaces in the password samples.
  • Young, J. R., & Hammon, R. W. (Inventors). (1989). Method and apparatus for verifying an individual's identity. 4805222). Notes: US Patent Office -
  • Vertical Company LTD. (vendor web-site October 2006). Notes: Vendor specializing in keystroke authentication solutions for government and commercial agencies.
  • Lopatka, M. & Peetz, M.H. (2009). Vibration Sensitive Keystroke Analysis. Proceedings of the 18th Annual Belgian-Dutch Conference on Machine Learning, 75-80.
  • Coalfire Systems Compliance Validation Assessment (2007) http://web.archive.org/web/20110707084309/http://www.admitonesecurity.com/admitone_library/AOS_Compliance_Functional_Assessment_by_Coalfire.pdf
  • Karnan, M.Akila (2011). "Biometric personal authentication using keystroke dynamics: A review". Applied Soft Computing Journal. 11 (2). 
  • Jenkins, J., Nguyen, Q., Reynolds, J., Horner, W., and Szu, H., "The Physiology of Keystroke Dynamics," in SPIE Independent Component Analyses, Wavelets, Neural Networks, Biosystems, and Nanoengineering IX, 2011, vol. 8058, p. 80581N1-10.
This article is issued from Wikipedia - version of the 11/9/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.