Authentication using EEG headset

1. Introduction:
This seminar describes a study on the value of electroencephalography (EEG) headsets as a means of providing authentication. Authentication is now done using more sophisticated techniques such as graphical passwords, fingerprints, iris scans or other types of biometrics, but these have a major drawback: they are valid for a lifetime and cannot be changed. After looking at the drawbacks of biometrics, we decided to use EEG headsets for authentication. These cannot be copied and are not permanent. Our brain can generate numerous patterns which are unique to each person and are dynamic. So EEG headsets were the first step for the project. We had never thought it was possible to use an EEG headset for authentication. The EEG headset has many interesting features and uses, but we did not know how to use it for authentication. After some research into how the headset works, we found a way. Before working on the implementation, we explored every aspect of the headset, especially its working, vulnerabilities, features and functions. During this research on the headset and its software we found one interesting feature, the cognitive feature, in which the thoughts in our brain are reflected on the system. For example, if we think about a lift action, then on the screen we see the cube moving up in the air. We thought this feature could be used to emulate keystrokes, and this is what made us start working on the project. After numerous rounds of trial and error, we managed to use this cognitive feature and emulate it as a keystroke. This is done using 3rd party software which connects the headset features and the keystroke mechanism. Once this was achieved, we set out to test whether the headset would work well or not.
The initial testing on an individual user gave positive results, so we moved to the next step, usability testing, to find out what problems can be faced and what people think about the system. Five volunteers agreed to be part of our testing. Testing was done on these users after some training, and the results showed that every user could authenticate to the system using this headset. With the usability testing giving positive results, it was time to check how secure and how efficient the system is. We researched the vulnerabilities of this headset and also performed efficiency testing. We again got a positive result, but there was some unusual activity during the test which we could not explain, so we left it for discussion and future work. Finally, with all the testing done with positive results, we could say that this system can be a future secure authentication mechanism. Thus the aim of this project is simple: to evaluate whether EEG headsets are useful and efficient for authentication. This seminar first gives some research and background information about EEG headsets, then moves on to implementation details, then gives the results of testing and a discussion of vulnerabilities and future work, and finally ends with a conclusion based on the testing results.

Dept. of CSE APPA IET College, Gulbarga

2. Background:
To use EEG in the authentication process we first need a device which can transfer brain signals to the computer system. After some research in the market we found two types of EEG headsets of interest: the NeuroWave and the EPOC headset. NeuroWave is produced and developed by a company named NeuroSky. This headset is cheap and can gather signals from the scalp, but it has very limited features: it can only measure brain signals to monitor the attention and meditation level of a human brain. Other than these two functions it also detects the blink of an eye. On the other hand, the EEG headset developed by a company called Emotiv, officially called the EPOC neuroheadset, is far superior to the NeuroWave. It is made of fourteen saline sensors which are capable of gathering the required signals from the brain, and it has five times more interesting features compared to the NeuroWave. Hence we decided to use the EPOC neuroheadset and tried communicating secrets with the computer system. A detailed description of the EEG headset and the software used for this research is given in the next section of the seminar.

2.1 EEG Headset

Figure 1: EPOC Neuro headset

Figure 2: Details about the EPOC headset

The EEG headset picks up the electrical activity along the scalp and sends it to the computer via a secure Bluetooth connection. There are fourteen sensors which take the input from the scalp and transfer it to the system.

Figure 3: Sensor placement around the prefrontal cortex of the 14 data channels in the Emotiv EEG

Authentication
Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. Currently authentication is done using sophisticated devices, algorithms and techniques. The use of user IDs and passwords is very common nowadays, but is also prone to many attacks. We need a more sophisticated device which is more secure than a basic password scheme, and authentication which is more secure and more robust. Fingerprint and iris authentication systems have one major disadvantage: they cannot be changed and are valid for a lifetime. The later stages of the seminar suggest one technology which can be more secure and useful in the future.

3. Design consideration:
This section of the seminar explains the software used and its details. The research needs some software supplied by Emotiv and some software specially designed by us (i.e. the password mechanism). We decided to use software which can communicate with the headset and then transfer the bits to the computer system. Once the wave data has been transferred to the computer system, it is processed by software called the Emotiv Control Panel. The signals are then converted into the equivalent of keystrokes by a special program supplied for this headset called EmoKey. EmoKey is the software which emulates the keystrokes of a computer system and then transfers them to the desired application. To integrate all these functions and APIs of the headset, the C#.Net programming language was chosen as the development tool. A basic password scheme has been developed using Java as the programming language; it takes four inputs as a password. The 3 types of software are as follows:

1) Emotiv Control Panel
2) EmoKey
3) Password Scheme

3.1 Emotiv Control Panel

This is the main software which directly interacts with the headset. Its different functions and their working are broken down into simple parts below.

EmoEngine Status pane: By default, the Control Panel will automatically connect to the EmoEngine when launched. In this mode, it will automatically discover attached USB receivers and the Emotiv neuroheadset.

Figure 4: EmoEngine status pane

Headset Setup: The image on the left of Figure 9 is a representation of the sensor locations when looking down onto the user's head. Each circle represents one sensor and its approximate location when wearing the SDK headset. The color of the sensor circle indicates the contact quality (green is optimal).

Figure 5: Headset setup panel

Affective Suite Panel: The Affective Suite gathers the real-time variations in the user's emotions. Universal patterns or characteristics are used for the Affective detections, which do not need any kind of explicit training or signature-building step on the part of the user. Every user has a profile, and all the detections are linked to the user's profile and saved while the Affective Suite runs. This data is very useful for our research as it is used to rescale the Affective Suite results and improve the detection accuracy over time. There are a few Affective detections provided by the neuroheadset, which are:

Instantaneous Excitement is experienced as an awareness or feeling of physiological arousal with a positive value. Excitement is characterized by activation in the sympathetic nervous system, which results in a range of physiological responses including pupil dilation, eye widening, sweat gland stimulation, heart rate and muscle tension increases, blood diversion, and digestive inhibition. Some of its related emotions are titillation, nervousness and agitation. Scoring behavior: in general, the greater the increase in physiological arousal, the greater the output score for the detection. The Instantaneous Excitement detection is tuned to provide output scores that more accurately reflect short-term changes in excitement over time periods as short as several seconds.

Long-Term Excitement is experienced and defined in the same way as Instantaneous Excitement, but the detection is designed and tuned to be more accurate when measuring changes in excitement over longer time periods, typically measured in minutes.

Engagement is experienced as alertness and the conscious direction of attention towards task-relevant stimuli. It is characterized by increased physiological arousal and beta waves (a well-known type of EEG waveform) along with attenuated alpha waves (another type of EEG waveform). The opposite pole of this detection is referred to as Boredom in the Emotiv Control Panel and the Emotiv API; however, please note that this does not always correspond to a subjective emotional experience that all users describe as boredom. Some of its related emotions are alertness, vigilance, concentration, stimulation and interest. Scoring behavior: the greater the attention, focus and cognitive workload, the greater the output score reported by the detection. Examples of engaging video game events that result in a peak in the detection are difficult tasks requiring concentration, discovering something new, and entering a new area. Deaths in a game often result in bell-shaped transient responses. Shooting or sniping targets also produces similar transient responses. Writing something on paper or typing typically increases the engagement score, while closing the eyes almost always rapidly decreases the score.

Figure 6: Affective suite panel

Cognitive Suite and Understanding the Cognitive Panel Display: The Cognitive detection suite is the main part of our research, in which we use cognitive functions to communicate the secrets, mainly because they cannot be copied. The user's real-time brainwave activity is gathered using this detection suite. The detection is designed to work with up to thirteen different actions: six directional movements (push, pull, left, right, up and down) and 6 rotations (clockwise, counterclockwise, left, right, forward and backward), plus one additional action that exists only in the realm of the user's imagination: disappear. Due to limited features, for now Cognitive allows the user to choose up to four actions that can be recognized at any given time. Only one action can be detected at once, along with an action power which represents the detection's certainty that the user has entered the cognitive state associated with that action. The Cognitive Suite panel uses a virtual 3D cube to display an animated representation of the Cognitive detection output. The figure below gives a brief explanation of the buttons on the screen.

Figure 7: Cognitive suite view of the control panel

Cognitive training: As shown in the right corner of the image below, there is a training tab which contains the user interface controls that support the training process. First, we select the action from the dropdown list. Actions which have already been trained are paired with a green checkmark; actions with no training data are paired with a red cross mark. Only those actions which are selected on the action tab can be trained. The default action, for which every user has to be trained, is Neutral. This training captures the neutral state of the user, which is then always used as the default action when idle. Next, when the user is ready to begin imagining or visualizing the action to be trained, the user presses the start training button. The training period lasts eight seconds, and it is very important to maintain mental focus for the entire eight seconds. Finally, once the training is completed, the user is prompted to accept or reject the training recording. Ideal Cognitive detection performance is typically achieved by supplying consistent training data (i.e. a consistent mental visualization on the part of the user) across several training sessions for each enabled action. The user can reject the training recording if there was no mental focus, if there was any distraction, or if there was any problem with the neuroheadset contact quality indicators during the recording.

Figure 8: Cognitive training in action.

3.2 EmoKey
EmoKey is software provided with the headset. It is third-party software which links the Emotiv technology to the authenticating application by converting events detected through the EEG headset into combinations of keystrokes. It is a lightweight, nonintrusive background process that runs behind the existing application. EmoKey lets us create profiles that define how detections are mapped to keystroke combinations. It translates Emotiv detection results into predefined sequences of keystrokes according to logical rules defined by the user through the EmoKey user interface. A set of rules, known as an EmoKey Mapping, can be saved for later reuse.

Figure 9: EmoKey Mapping

Figure 10: Defining Keys and Keystroke Behavior

The Keys dialog allows the user to specify the desired keystrokes and customize the keystroke behavior. The customizable options include:

Holding a key press: hold the key down for the duration of the rule activation period. The Hold the key checkbox is only enabled when a single key has been specified in the keystroke edit box.

Hot keys or special keyboard keys: any combination of Control, Alt, Shift, the Windows key, and another keystroke. You may also use this option if you need to specify special keys such as Caps Lock, Shift, or Enter.

Key press duration and delay times: some applications, especially games, are sensitive to the timing of key presses. If necessary, use these controls to adjust the simulated keyboard behavior.

Figure 11: Defining an EmoKey Condition

3.3 Password scheme


The password scheme used here is a very basic password mechanism. It has been designed using the Java programming language with the NetBeans IDE. The figure below shows a screenshot of the password scheme. It is operated by a mouse click which is assigned by EmoKey. This is one part of the work done by us. We have designed this system to accept its inputs from EmoKey.

Figure 12: Basic password scheme User Interface

4. Implementation:
This section mainly deals with how the headset is connected to the EmoEngine, how the keystrokes are defined in EmoKey, and how they are finally transferred to the password scheme.

Figure 13: Interaction of the headset with EmoEngine

The above figure shows the interaction of the headset with the system. When the headset is in use, it transfers the signals to the system, where they go to the EEG and gyro post-processing unit and are decrypted with the help of the control logic unit in the EmoEngine. The signal is then carried to the EmoState and EmoEvent query handler with the help of the EmoState buffer. The EmoState buffer acts like the buffers in computer memory, which are used to collect and transfer the signals to the next unit. Emotiv has a special set of code interfaces, known as APIs, which interact with our password scheme or the headset. These APIs are provided by the headset provider, and we made use of them in our code. Firstly, there are a few pieces of software which have to be executed simultaneously:

Control panel
EmoKey
Authentication system

Control panel setup


The control panel is the software which is used to access the raw data from the headset through a TCP socket. When the EEG headset is turned on and placed on the user's head, it starts emitting signals which are acquired by a Bluetooth device connected to the system. The control panel then shows that the EEG headset is connected securely to the system and ready to use, as shown in the figure below.

Figure 18: Status pane

Later, we trained the user with only one cognitive action, rotate clockwise. When the training was done, the user was able to rotate the cube with good results.

Figure 19: Control panel setup

EmoKey
To set the rules we make use of EmoKey. The rules are set as follows: if a rotate clockwise action is detected with a power limit of 0.50, EmoKey triggers a keystroke which is defined as a left mouse click and sends it to the application in focus, which is set to the authentication system.

Figure 2014: EmoKey setup

Figure 151: Defining keystrokes

The above image shows the keystroke mapping which is performed when a rotate clockwise action is detected. Hence the rules are defined using EmoKey. EmoKey can be used to set more complicated keys, but for now we use only one action with fewer limits.
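A small model of the rule described above, added here as an illustration and not part of EmoKey or of the project's code: it applies a power limit to a constructed stream of cognitive detections and lists the mouse clicks that result. The function names, the trace values, the "greater than or equal" comparison and the separate release level are assumptions of this sketch.

```python
# Model of an EmoKey-style rule: "rotate clockwise with power >= limit
# -> one left mouse click". Not EmoKey's own code; names are hypothetical.

ACTION = "rotate_clockwise"

# Constructed sample trace: (time in seconds, detected action, action power).
TRACE = [
    (0.0, "neutral", 0.00),
    (0.5, ACTION, 0.35),   # stray low-power detection, not intended by the user
    (1.0, "neutral", 0.00),
    (1.5, ACTION, 0.55),   # deliberate selection no. 1
    (2.0, ACTION, 0.80),
    (2.5, ACTION, 0.72),
    (3.0, "neutral", 0.00),
    (3.5, ACTION, 0.62),   # deliberate selection no. 2, power wavers
    (4.0, ACTION, 0.48),
    (4.5, ACTION, 0.66),
    (5.0, "neutral", 0.00),
]


def clicks(trace, action, press, release=None):
    """Return the times at which the rule activates (one click each).

    press   -- power at or above which the rule becomes active
    release -- power below which it becomes inactive again; defaults to
               `press`, i.e. a plain threshold (assumption of this model)
    """
    release = press if release is None else release
    if not 0.0 <= release <= press <= 1.0:
        raise ValueError("need 0 <= release <= press <= 1")
    fired, active = [], False
    for t, detected, power in trace:
        level = power if detected == action else 0.0
        if not active and level >= press:
            active = True
            fired.append(t)        # rising edge: emit a single click
        elif active and level < release:
            active = False         # rule deactivates, ready for the next click
    return fired


def sweep(trace, action, limits):
    """Clicks produced by a plain threshold at each candidate limit."""
    return {limit: clicks(trace, action, limit) for limit in limits}


if __name__ == "__main__":
    for limit, times in sweep(TRACE, ACTION, (0.30, 0.50, 0.70)).items():
        print(f"limit {limit:.2f}: {len(times)} click(s) at {times}")
    print("0.50 press / 0.40 release:", clicks(TRACE, ACTION, 0.50, 0.40))
```

With the 0.50 limit the wavering second selection produces two clicks, which the password scheme would see as an extra input; a lower limit admits the stray detection and a higher one drops a real selection.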

Authentication system:
The authentication system is a basic password system which has been designed using Java. This system takes four inputs as a key; if the key is right it authenticates the user, otherwise the user is declined. It allows up to three wrong attempts and then blocks the user, simultaneously alarming the authorities. The password scheme has ten numerical buttons ranging from 1-10 to input the password and a cancel button to exit. This scheme has been designed for a single user only, but it can be extended to multiple users by creating a database. To make it more difficult, we can use alphanumeric characters or a graphical password system, which is more secure than a basic password system. Once all three pieces of software are set up and running, the user has to move the cursor using the gyro feature of the EEG headset and, to select any button, think the same pattern (think about rotating clockwise).
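The check described above, sketched in Python as an added example (the project's own scheme is written in Java and is not shown on the page): four inputs from buttons 1-10, an all-or-nothing comparison, and a block plus alarm after three wrong attempts. The class and function names, the `on_alarm` hook and the reset of the counter after a successful login are assumptions.

```python
import hmac
from fractions import Fraction

BUTTONS = tuple(range(1, 11))  # ten numeric buttons labelled 1-10 (from the page)
KEY_LENGTH = 4                 # four inputs make up the key (from the page)
MAX_WRONG = 3                  # three wrong attempts, then block (from the page)


class PinVerifier:
    """Model of the four-input password check with lockout and alarm."""

    def __init__(self, secret, on_alarm=None):
        self._secret = self._encode(secret)
        # Hypothetical hook standing in for "alarming the authorities".
        self._on_alarm = on_alarm or (lambda: None)
        self.wrong_attempts = 0
        self.blocked = False

    @staticmethod
    def _encode(key):
        key = list(key)
        if len(key) != KEY_LENGTH or any(k not in BUTTONS for k in key):
            raise ValueError("key must be four button values in 1..10")
        return bytes(key)

    def submit(self, entered):
        """Return 'granted', 'denied' or 'blocked' for one complete entry."""
        if self.blocked:
            return "blocked"  # even the right key is refused once blocked
        try:
            candidate = self._encode(entered)
        except (TypeError, ValueError):
            candidate = b""  # a malformed entry counts as a wrong attempt
        # All-or-nothing, constant-time comparison: the caller never learns
        # how many positions matched, so a partly correct entry gains nothing.
        if hmac.compare_digest(candidate, self._secret):
            self.wrong_attempts = 0  # assumption: success resets the counter
            return "granted"
        self.wrong_attempts += 1
        if self.wrong_attempts >= MAX_WRONG:
            self.blocked = True
            self._on_alarm()
            return "blocked"
        return "denied"


def guess_probability(attempts=MAX_WRONG):
    """Chance that `attempts` distinct random guesses contain the key."""
    return Fraction(attempts, len(BUTTONS) ** KEY_LENGTH)


if __name__ == "__main__":
    alarms = []
    verifier = PinVerifier([3, 7, 1, 10], on_alarm=lambda: alarms.append("alarm"))
    for entry in ([3, 7, 1, 9], [1, 1, 1, 1], [4, 4, 4, 4], [3, 7, 1, 10]):
        print(entry, "->", verifier.submit(entry))
    print("alarms raised:", len(alarms))
    print("random-guess success within the limit:", guess_probability())
```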

5. Results:
After performing the testing we can say that EEG headsets can be used for communicating secrets. As seen in the testing phase, every user was able to use the headset and then authenticate to the password system easily. The basic prerequisite, which is very important here, is training. We trained the user for a very short time and still got the desired results, but if the user is trained for one hour a day for one week, the headset and the system would acquire and process the signals accurately. The efficiency of this headset depends entirely on the training time. As we could see, the user was trained for less than an hour but the efficiency rate was very good. We have also seen that only the user who has been trained for his thoughts can authenticate to his profile; all others failed to authenticate with other users' profiles. Some users could produce the same pattern as another user had trained and then tried breaking the system, but they were not 100% successful, and there is a reason behind it. Every brain is folded differently, so even if the mental activity is exactly the same between two subjects, the detected signals would be completely different, because the signals coming from inside the folds are weaker than those from the outer surface. More training would make it much more difficult to pass through the system. Therefore we conclude that EEG headsets can be used for communicating the secret, but for now they cannot be used in places where the headset would be used frequently. They can be used in places where the headset is worn less frequently, such as government sectors and high security areas. This is because the headset needs a solution applied after every use to keep the sensors wet, as it works only with wet sensors, and it is also prone to more wear and tear.

6. Vulnerabilities:
We have identified a vulnerability. The identification was done by intercepting the transferred bits using a tool which captures the wireless packets and then tries to analyze them, which could be used by hackers to get through the system. As each bit is transferred wirelessly, snooping on the transmitted wireless packets is a possible way to get through this system. But as of now every bit which is transmitted is encrypted. Communication with Emotiv indicated that the keys are based on fixed and variable components which partly depend on the hardware, so even if one headset is cracked, the cracker cannot deduce the key from other headsets. The encryption serves two purposes. Firstly, we use different methods on the SDK and consumer headset models. This is mainly for business reasons - we are able to control release of developer applications into the consumer market by enabling the applications to see all headset types only after we have reviewed each application. The other purpose served by the encryption is to protect the privacy of users, making it difficult for snoopers to receive what is in effect very personal information about the user. Medical applications of the EPOC technology would definitely require data encryption, so we see no reason to have a lower standard for consumer and research applications. Emotiv's neuroheadset can be said to be secure enough as of now, as it is still in the initial phase in the market. Other than snooping on the bits, we could not find any vulnerability.

7. Future of EEG headset:


After going through every aspect of this system and testing the EEG headset for authentication, we found some interesting points for future work. There are some things which can be improved in this system. We examined only a small portion of the features of the EEG headset as we had limited time, but better efficiency testing can be performed in future to learn some important aspects of the headsets. During testing we came across a shocking result, as seen in our efficiency testing, where user2 was successful for about 75% but could not authenticate to the system. We could not understand how user2 was able to enter 3 bits of the code. The explanations we can think of are that less training leads to less accuracy, or that the headset shows some false positives due to weak signal gathering; if in future we can use a better headset with more accurate detection, then there would not be any false positives. The reason can be anything, but with more testing of this system we could get the answer. We leave this point for discussion. There was one other point of discussion: while using this system and training it for the neutral action, we thought of possible future work in which a user wears this headset and a program detects which user it is based on the neutral activity. In principle, every brain is folded differently, so even if the mental activity is exactly the same between two subjects, the detected signals would be completely different, because the signals coming from inside the folds are weaker than those from the outer surface. It is not really certain we can identify individuals from their neutral pattern, because these also change from day to day as the user has different moods, levels of alertness etc. In summary, it is possible we could distinguish users from their neutral patterns.

8. Conclusion:
We provide enough testing results to prove that EEG headsets can be used for communicating secrets, and we present a prototype of a new authentication system using the EEG headset; some of the testing results can be helpful for improving this system. The advantages of using the EEG headset for authentication are mainly protection against shoulder-surfing, password hijacking and user noncompliance. There are some disadvantages, such as wear and tear of the costly headset. The user needs to wear it every time he has to authenticate to the system. If the headset is not placed properly on the head, it gives wrong results. This authentication system can be used only in places where the frequency of use is low, such as government areas, nuclear facilities, high security business places and scientific laboratories. After looking at the features and the testing results, we can say that it can be a new authentication system, but it can become widespread only if users can repeat the thought easily using the headset, and a better version of the headset would make it easier to use.
