Continuous User Authentication and Identification: Combination of Security & Forensics

Abstract

In almost every aspect of human life have computing devices (such as PC, smartphone, tablet, or smart watches) become important gadgets. The communication services, aviation and financial services are very much controlled by computer systems. People entrust with vital information such as medical and criminal records, manage transactions, pay bills and private documents. However, this increasing dependency on computer systems, coupled with a growing emphasis on global accessibility in cyberspace, has unveiled new threats to computer system security. In addition, crimes and imposters in cyberspace are almost everywhere. For most existing computer systems, once the user’s identity is verified at login, the system resources are available to that user until he/she exits the system or locks the session. In fact, the system resources are available to any user during that period. This may be appropriate for low security environments, but can lead to session hijacking, in which an attacker targets an open session, e.g. when people leave the computer unattended for shorter or longer periods when it is unlocked, for example to get a cup of coffee, to go and talk to a colleague, or simply because they do not have the habit of locking a computer because of the inconvenience. In high risk environments or where the cost of unauthorized use of a computer is high, a continuous check of the user’s identity is extremely important. Continuous authentication has built around the biometrics supplied by the user’s physical or behavioural characteristics and continuously checks the identity of the user throughout a session. Continuous authentication is not an alternative security solution for initial login; it provides an added security measure alongside the initial login. In this work we describe a continuous authentication system where multiple behavioural biometric modalities are fused to increase the system performance and to avoid security holes that can be exploited by imposters to avoid detection. This thesis does not only focus on the Continuous Authentication (CA), but also on Continuous Identification (CI) which can be used for forensic evidence. During our research we address two issues. The first is related to CA (Is an imposter using the system?) while the second is related to CI (Can the imposter be identified once the continuous authentication system detects that an imposter uses the system?). To the best of our knowledge this is the first time that the CI issue is addressed in research. We present the achieved results for different biometric modalities and for different computing devices. We have used four different datasets for experiments of which three are publicly available; therefore the achieved results can be reproduced and verified. We contributed a robust dynamic trust model algorithm that can be applied to any CA system irrespective of the biometric modality or computing device. Contrary to the state of the art CA approaches this algorithm is able to make decisions whether the user is genuine or imposter after each and every single action performed by the user. In most of the cases we found that genuine users are never wrongly locked-out from the system and very few actions were required to detect an imposter user. We applied a novel score boost algorithm that improves the results and the achieved results are superior when compared to state of the art results. We came up with a feature selection technique that could equally well be applied to other pattern classification problems. We came up with an identification technique called pairwise user coupling that can reduce a multi-class classification problem into several two-class classification problem. We applied this technique for CI and achieved a high identification accuracy even for weak biometric modalities. We believe however that there are some open issues which need to be addressed before this can be used as a deployable solution.