Академический Документы
Профессиональный Документы
Культура Документы
fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2017.2658539, IEEE
Transactions on Information Forensics and Security
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY 1
Abstract—Due to the increasing vulnerabilities in cyberspace, maybe to identify him or her. In the previous example of the
security alone is not enough to prevent a breach, but cyber online exam, in case fraud is detected when the authentication
forensics or cyber intelligence is also required to prevent future module detects that the student was typing the exam is not
attacks or to identify the potential attacker. The unobtrusive
and covert nature of biometric data collection of keystroke the intended student, it could be interesting to identify this
dynamics has a high potential for use in cyber forensics or cyber person because it could be one of the current or previous
intelligence. students that already has passed the exam. Another situation
In this paper, we investigate the usefulness of keystroke where identification could be useful is in an online closed or
dynamics to establish the person identity. We propose three open user forum. Here it could be used to identify the person
schemes for identifying a person when typing on a keyboard.
We use various machine learning algorithms in combination posting an anonymous yet offensive or criminal comment, or
with the proposed pairwise user coupling technique and show posting a comment under the name of another person, e.g. after
the performance of each separate technique as well as the getting access to the account of the other person. Finally, an
performance when combining two or more together. In particular, example where identification could be of use is in a chat room,
we show that pairwise user coupling in a bottom-up tree structure where the behaviour of an unknown person is compared to the
scheme gives the best performance, both concerning accuracy and
time complexity. The proposed techniques are validated by using known profiles. For example, if a person is showing pedophile
keystroke data. However, these techniques could equally well be behaviour, then his or her typing behaviour can be compared
applied to other pattern identification problems. We have also to the behaviour of a set of known pedophiles.
investigated the optimized feature set for person identification In our research, we will explore the potential of KD for
by using keystroke dynamics. Finally, we also examined the
performance of the identification system when a user, unlike his
person identification. We will focus on classification tech-
normal behaviour, types with only one hand, and we show that niques with different KD features for identification. We will
performance then is not optimal, as was to be expected. also study the effect of user handedness on the accuracy of
Index Terms—Pairwise User Coupling; Keystroke Dynamics,
identification. The main contributions of this paper are as
Person Identification, Behavioural Biometrics; Cyber-forensics. follows:
• We propose three different identification schemes in this
I. I NTRODUCTION paper. These schemes are based on the pairwise user cou-
pling, where the multi-class pattern identification problem
Keystroke Dynamics (KD) is a well established behavioural will be divided into several two-class problems. These
biometric modality due to the unobtrusive nature of biometric schemes could be useful for person identification when
data collection, low computational complexity and no special the biometric features are weak, or there are few samples
hardware required for data collection [1], [2], [3], [4]. KD present for learning;
is a well-explored research domain in authentication, where • Extensive analysis was done with an online exam based
the research problem is a two class problem i.e. legitimate or keystroke datasets; This dataset was collected from 64
imposter user, but there is little research on the potential of individuals with three different typing modes. To validate
KD for person identification i.e. on the N class problem. our research approach furthermore we have used another
In most cases, it is important to detect that the current user keystroke dynamics dataset with our optimum settings.
is not the authenticated user, for example in the event of PC All These datasets are publicly available for future re-
hijacking, where the information on a system is protected search;
against unauthorized access or modification. Another case • We performed the analysis for both open-set and close-set
could be an online exam where there needs to be certainty settings and show that our optimum settings outperform
that the student behind the keyboard is, in fact, the one that the state of the art research.
should be taking the exam. In some cases, it could also be
interesting to not only authenticate the current user but also The remainder of this paper is as follows. In Section
II, we will discuss some background knowledge for better
Manuscript received August 26, 2016; revised January 11, 2017; accepted understanding of this research that includes the related studies
January 19, 2017. and the classifiers used in this research. In Section III we
S. Mondal was with the Norwegian Information Security laboratory (NIS-
lab), Norwegian University of Science and Technology (NTNU), Gjøvik, provide the description of the dataset and the feature extraction
Norway (email: mondal.soumik@gmail.com, s.mondal@utwente.nl). process. In Section IV we provide the description of the system
P. Bours is with the NISlab, NTNU, Gjøvik, Norway (email: pipeline and the proposed identification schemes followed in
patrick.bours@ntnu.no).
Color versions of one or more of the figures in this paper are available this research. Result analysis presented in Section V and a
online at http://ieeexplore.ieee.org. discussion related to our research can be found in Section VI.
1556-6013 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2017.2658539, IEEE
Transactions on Information Forensics and Security
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY 2
1556-6013 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2017.2658539, IEEE
Transactions on Information Forensics and Security
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY 3
A. Data Collection
Fig. 1. Block diagram of our system pipeline.
The dataset consists of typing data of 64 students who
provided at least 500 keystrokes on each of the three exams.
Feature Vector Class Label
A subset of data from both hands typing (i.e. data from the 𝑭𝑽𝟏𝟏 𝟏
first exam) was used as a training set, while the rest of the … …
data was used for testing. 𝑭𝑽𝟏𝒏 𝟏
𝑭𝑽𝟏𝟐 𝟐
The training dataset consisted of a set of 500 normally
… …
typed (i.e. both hands typing) keystrokes from each of the 𝑭𝑽𝟐𝒏 𝟐
64 students. All testing is done with sets of keystrokes, where … …
to 38, with a total of 471 such sets. Split over the three exams 𝑭𝑽𝑵
𝒏 𝑵
we find:
Fig. 2. A conventional multi-class training data preparation.
• 203 sets from the first exam (i.e. both-hands typing);
• 131 sets from the second exam (i.e. left hand typing);
• 137 sets from the third exam (i.e. right hand typing). IV. S YSTEM P IPELINE
We would like to mention that this dataset was collected in We learned from the previous research on this dataset
an uncontrolled environment. From various previous studies that the conventional multi-class classification technique with
we learned that collecting experimental data under controlled machine learning or distance-based classification approaches
settings, with a particular task on a specific computer, has failed to achieve a good identification rate (see Table VI for
significant disadvantages. In such a case the user will be these results). To achieve better performance, we applied the
focused more on completing the task, and their keystroke Pairwise User Coupling (PUC) technique using the above
dynamics will not represent their normal typing behaviour mentioned classifiers (see Section II-B). During literature sur-
[26], [27]. vey, we found BradleyTerry model for comparison by pairwise
To the best our knowledge, this is the first keystroke dataset coupling [28], [29], [30]. This model is based on the Bayesian
where one-handed typing of users has been considered for solution for classification that requires posterior probability
free-text analysis. Moreover, a realistic scenario where the density for all the classes, which poses a limitation to our
reference template was built by the keystroke data typed by research. Therefore, we came up with the PUC approach to
both hand and the test data is partially coming from the single mitigate this limitation. Figure 1 shows the pipeline of our
hand typing. In an everyday situation, it might happen that system. A conventional training data preparation is signifi-
the user uses one hand for another task, like making a phone cantly different from the pairwise training data preparation. We
call or writing down notes. In this scenario, the identification elaborate on the description of this data preparation process
performance of keystroke dynamics based on the one-handed in Section IV-A.
typing needs to be studied.
A. Pairwise Training Data Preparation
B. Feature Extraction Figure 2 shows an example of a multi-class (i.e. N class)
Due to the limited information we can capture for KD, training dataset for conventional training data preparation. In
every keystroke raw data k is encoded as k = (A, T p , T r ), this example, F Vqi represents the feature vector of user i from
where T p , T r are the timestamps in millisecond for key q th sample, where i = 1, 2, . . . N , q = 1, 2, . . . n and n is the
press and key release and A is the value of the pressed total number of training samples for user i. The last column
key. From the raw data are the feature vectors encoded as represents the class label i.e. a value between 1 and N . When
F Vi = (Ai , Ai+1 , di , lirp , lirr , lipp ), where Ai and Ai+1 are the we prepared our training dataset according to this process,
ith and (i + 1)th keys encoded with ASCII values, and di we found a low learning accuracy of the classifiers and we
is the duration of the ith pressed key (i.e. di = Tir − Tip ). are unable to achieve good results. Therefore, we came up
Furthermore do lirp , lirr , and lipp represent latencies between with a solution called PUC, where the multi-class classification
the ith and (i + 1)th keys, in particular lirp = Ti+1 p
− Tir , problem will be divided into several two-class classification
rr r r pp p p
li = Ti+1 − Ti , and li = Ti+1 − Ti . problems.
1556-6013 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2017.2658539, IEEE
Transactions on Information Forensics and Security
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY 4
𝑺𝟑 < 𝑺𝟒
𝑺𝟏 < 𝑺𝟐
𝑺𝟓 > 𝑺𝟔
𝑷𝑴𝟐𝟏 𝑷𝑴𝟐𝟑 𝑷𝑴𝟐𝟒 … 𝑷𝑴𝟐𝑵−𝟏 𝑷𝑴𝟐𝑵 𝟐 𝟒 𝟓 𝟖 𝟏𝟎 𝟏𝟏 𝟏𝟒 𝟏𝟓 𝟏𝟖 𝟐𝟎
𝑷𝑴𝟏𝟓
𝟏𝟖
𝑺𝟏𝟓 > 𝑺𝟒
… … Decision
𝟏𝟓
ID, Score (15, 𝑺𝟏𝟓)
𝑭𝑽𝟒𝒏 𝟏
𝑭𝑽𝟓𝟏 𝟐
Fig. 5. A graphical representation of Algorithm 1 where N = 20 and r = 1.
… …
𝑭𝑽𝟓𝒏 𝟐
1556-6013 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2017.2658539, IEEE
Transactions on Information Forensics and Security
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY 5
where q = 1, 2, . . . k. Then we obtain the resultant score for Figure 7 shows an example of how the S2 scheme works
the ith user by when the total number of users is 32, i.e. N = 32. In these
figures, dots represent the scores obtained from the selected
k m model, and the circle represents the mean scores. Figure 7a
1 XX q
Si = sc (2) represents the score plot when k = 2. In this figure, we can see
m × k q=1 p=1 p
that the mean score for user 4 is highest compared to others,
but the mean scores from user 13 and 30 are very close to
We repeat this procedure for all users (i.e. i = 1, 2, . . . N ) the mean score for user 4. This indicates that there is still
and select the user with the highest score S i as the identified certain doubt whether or not user 4 is the correctly identified
user. The number of comparisons T2 for this scheme is user. As we increased the value of k, the difference between
independent of r, but depends on N and k, in particular we the mean score for user 4 and the mean scores for the other
have T2 (N, k) = N × k.
1556-6013 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2017.2658539, IEEE
Transactions on Information Forensics and Security
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY 6
1 1
Mean Score Mean Score
0.9 0.9
0.8
0.8
0.7
0.7
0.6
0.6
Score
Score
0.5
0.5
0.4
0.4
0.3
0.3
0.2
0.2 0.1
0.1 0
0 5 10 15 20 25 30 35 0 5 10 15 20 25 30 35
User ID User ID
(a) k = 2 (b) k = 8
1 1
Mean Score Mean Score
0.9 0.9
0.8 0.8
0.7 0.7
0.6 0.6
Score
Score
0.5 0.5
0.4 0.4
0.3 0.3
0.2 0.2
0.1 0.1
0 0
0 5 10 15 20 25 30 35 0 5 10 15 20 25 30 35
User ID User ID
(c) k = 12 (d) k = 15
Fig. 7. Mean score changes for different k values when used Algorithm 2 with N = 32.
1
Calculate m scores (𝑠𝑐1) from 𝑃𝑀𝑥1
1
TABLE II
𝟏
𝑷𝑴𝒙𝟏 𝟏
𝑷𝑴𝒙𝟐 Calculate m scores (𝑠𝑐 2) from 𝑃𝑀𝑥2
𝑘 𝑚 O BTAINED RESULTS FROM DIFFERENT PUC SCHEMES WITH DIFFERENT
1
Calculate m scores (𝑠𝑐 3) from 𝑃𝑀𝑥3 1 𝑞
𝟏
𝑷𝑴𝒙𝟑 𝟏
𝑷𝑴𝒙𝟒 1
Calculate m scores (𝑠𝑐 4) from 𝑃𝑀𝑥4 𝑆1 = 𝑠𝑐𝑝 CLASSIFIERS FOR m = 500.
1
Calculate m scores (𝑠𝑐 5) from 𝑃𝑀𝑥5
𝑘∗𝑚
𝟏 𝟏 𝑞=1 𝑝=1
𝑷𝑴𝒙𝟓 𝑷𝑴𝒙𝟔 1
Calculate m scores (𝑠𝑐 6) from 𝑃𝑀𝑥6
𝑆1 Accuracy (%)
User 1 ANN CPANN SVM DT
. S1 39.5 59 58.4 62.2
. Decision S2 24.4 51.4 41.2 45.9
. max(S) S3 41.8 58.6 58.8 61.4
ID, Score
.
.
𝑆𝑁
𝑁
Calculate m scores (𝑠𝑐1) from 𝑃𝑀𝑦1
𝑵
𝑷𝑴𝒚𝟏 𝑵
𝑷𝑴𝒚𝟐
𝑁
Calculate m scores (𝑠𝑐 2) from 𝑃𝑀𝑦2
in the reduced set of c users. We would like to mention that
𝑘 𝑚
𝑁
Calculate m scores (𝑠𝑐 3) from 𝑃𝑀𝑦3 1 𝑞 S3 is not an independent scheme, it is a combination of S2
𝑷𝑴𝑵
𝒚𝟑 𝑷𝑴𝑵
𝒚𝟒 𝑁
Calculate m scores (𝑠𝑐 4) from 𝑃𝑀𝑦4 𝑆𝑁 = 𝑠𝑐𝑝
𝑁
Calculate m scores (𝑠𝑐 5) from 𝑃𝑀𝑦5 𝑘∗𝑚 with an additional correction made after getting the Rank-c
𝑷𝑴𝑵
𝒚𝟓 𝑷𝑴𝑵
𝒚𝟔 𝑁
𝑞=1 𝑝=1
Calculate m scores (𝑠𝑐 6) from 𝑃𝑀𝑦6
users from S2. This scheme can be considered as using S2
User N
for a re-ranking process after the initial S2 scheme. For S3
Fig. 6. A graphical representation of S2 where k = 6 and r = 1. the number of comparisons T3 depends on N , k and c. To be
precise we have T3 (N, k, c) = T2 (N, k) + c × (c − 1).
users increased (see 7b, 7c and 7d). Furthermore, because of V. R ESULT A NALYSIS
the mean score values are based on more data points, that In this section will we discuss the identification results
lead to the confidence interval become smaller. Therefore, we obtained from the different analyses. The analyses focus on
identified the unknown user as user 4. the proposed algorithms, keystroke features for identification,
multi-classifier fusion, and analysis of user’s typing hand. We
D. Scheme 3 (S3) have performed an open-set experiment, and that result will
also be discussed in this section.
Algorithm 3 shows the algorithm for Scheme 3 (S3). Let
∆ = [δ1 , δ2 , . . . δc ] be the set of the Rank-c users after
applying S2 with r = c, where ∆ ⊆ {1, 2, . . . N }. Now we A. Analysis of the Proposed Schemes
repeat S2 with the set of ∆ users with a fixed value of k, i.e. Table II shows the Rank-1 identification accuracy obtained
k = c − 1. This means that we consider all impostor users for S1, S2 and S3 schemes where m = 500 (see Algorithm
1556-6013 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2017.2658539, IEEE
Transactions on Information Forensics and Security
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY 7
TABLE III the identification accuracy for S3, but it will saturate after
O BTAINED RESULTS FROM S3 FOR DIFFERENT k VALUES . a certain value of k (see Table III). Therefore, we have
Accuracy (%) decided to use k = 25 for further analysis.
ANN CPANN SVM DT
k =5 31.8 56.5 52 58.6 B. Analysis on Keystroke Features
k = 15 41.4 58.4 56.3 61.6
k = 25 41.8 58.6 58.8 61.4 In this section, we analyze various keystroke features
k = 35 42.5 58.4 57.1 61.6 that have significant information for person identifica-
tion. The details of the extracted features (i.e. F Vi =
(Ai , Ai+1 , di , lirp , lirr , lipp )) for this research can be found in
1, 2 and 3). The system performance obtained from S2 where Section III-B. We used three different feature subsets in our
k = 25 for Algorithm 2 and for the S3 scheme k = 25 and analysis:
c = 8 for Algorithm 3. We have also tested this scheme with • FE1: The feature vector will be the duration of a partic-
different k values for Algorithm 3, where k = 5, 15, 25, or 35. ular keystroke, i.e. fi = (Ai , di ) and fi ⊂ F Vi ;
Table III shows the Rank-1 identification accuracy for different • FE2: The feature vector has been all the keystroke
classifiers with different k values. features extracted for our research, i.e. fi = F Vi ;
We would like to mention that all the above analysis was • FE3: We have used the feature selection technique pro-
done with the feature vector fi = (Ai , di ) (i.e. only key press posed by Ververidis et al. [31], i.e. fi ⊆ F Vi . In this
time of a particular key). Below are some observations made case, the feature subset is different for different choices
during these analyses: of classifiers.
• We can see from the results that the ANN performance is Table IV shows the identification accuracy when using
low compared to the performance of the other classifiers, the feature subsets as mentioned above for the identification
for all the schemes for any given scenario (see Table II schemes S1 and S3. We clearly see from these figures that the
and III). FE1 feature setting performs better than the other settings for
• We observe that S1 performs better than S2, while the each of all the classifiers with all the different identification
number of comparisons for S1 is also lower compared schemes. We can also observe that the DT classifier performs
to S2 (i.e. T2 > T1 ). The identification accuracy of S3 better than the other classifiers irrespective of the feature
is significantly higher when compared to S2, but it was subset and identification schemes. When we use FE2 feature
similar performance accuracy like S1. Also the number subset, we can see that SVM and CPANN classifiers failed
of comparisons for S3 is higher compared to the S2 and unexpectedly for both the identification schemes. In the case
S1, i.e. T3 > T2 > T1 (see Sections IV-B, IV-C and IV-D of FE3, we can find large accuracy differences for S1 and S3
for T1 , T2 and T3 ). For the above reasons we decided not for the CPANN classifier.
to use S2 for further analysis. We observe that the FE1 feature subset is the most robust
• We can see that increasing the value of k will improve for person identification with this keystroke biometric dataset.
1556-6013 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2017.2658539, IEEE
Transactions on Information Forensics and Security
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY 8
100
TABLE IV
O BTAINED RESULTS BY USING DIFFERENT FEATURE SUBSET. 90
Accuracy (%) 80
Accuracy (%)
FE2+S1 35 12.3 17.2 55.2 50
FE2+S3 34.6 20.6 16.6 54.8
FE3+S1 32.1 14 38 53.3 40
20
TABLE V
10
O BTAINED RESULTS FROM THE MCF ANALYSIS . FE1+ALL MCF+S1
FE1+ALL MCF+S3
0
0 50 100 150 200 250 300 350 400 450 500 550
Accuracy (%) Number of Keystrokes
CPANN-DT SVM-CPANN SVM-DT ALL MCF
FE1+S1 62.8 60.9 62.4 63.3
FE1+S3 60.5 59.7 60.5 61.6 Fig. 8. Rank-1 identification accuracy when used test samples that are typed
by using both hands.
Therefore, we will not consider feature subsets (i.e. FE2 and 100
50
C. Multi-Classifier Fusion (MCF)
40
In case of MCF, we denote by (c1 , c2 , c3 ) = (λp , ρp , τp ),
30
where λp , ρp and τp are the obtained score values from
CPANN, SVM and DT classifiers respectively, where p = 20
1, 2, ..., m. Then the resultant score value scp is a weighted 10 FE1+ALL MCF+S1
FE1+ALL MCF+S3
sum of the three separate scores (see Algorithms 1 and 3 for 0
0 50 100 150 200 250 300 350 400 450 500 550
scp ). In particular Number of Keystrokes
3 3
X X Fig. 9. Rank-1 identification accuracy when used test samples that are typed
scp = ( wq cqp )/( wq ) (3) only by right hand.
q=1 q=1
where wp denote the weights for the weighted fusion tech- 100
0; 40
0. 20
0
from S1 and S3 schemes. We can see the clear improvement 0 50 100 150 200 250 300 350
Number of Keystrokes
400 450 500 550
1556-6013 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2017.2658539, IEEE
Transactions on Information Forensics and Security
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY 9
100
VI. D ISCUSSION
90
A. Summary of findings
80
We can clearly see from our analysis that for the dataset
Detection and Identification Rate (%)
•
70
[15] the keystroke duration of a given key is the most
60
stable feature for person identification.
50 • We found that Pairwise User Coupling (PUC) with
40 bottom-up tree structure based scheme, i.e. S1, is the most
30
robust identification scheme during our analysis. Also,
this technique has a lower computational complexity than
20
the other proposed schemes.
10 FE1+ALL MCF+S1
FE1+ALL MCF+S3
• Of the four classifiers used in this research is Decision
0
0 50 100 150 200 250 300 350 400 450 500 550 Tree (DT) is found to be the most robust classifier in
Number of Keystrokes
combination with PUC on the given dataset.
Fig. 11. Detection and Identification Rate (DIR) for S1 and S3. • Multi-Classifier Fusion (MCF) can improve the identifi-
cation accuracy.
• We obtained an overall identification accuracy of 63.3%
for the closed-set analysis (see Table V) and a DIR of
typing when using both hands. Figure 8 shows the results 68.4% for the open-set analysis (see Figure 11). These
obtained from this analysis and we can see that the results were obtained without considering typing hand.
performance of S1 and S3 are very similar. • We can see that there is high recognition accuracy in case
• Right Hand: The test samples that are typed only with the of normal both hands typing compared to single hand
right hand. Figure 9 shows the results we obtained from typing, i.e. 89.7% identification accuracy. It is obvious
this analysis and we can see that S1 performs better than that typing with only one hand will influence the typing
S3. behaviour, but despite this, we can still identify users
• Left Hand: The test samples that are typed with the left with 36.6% accuracy when they use the left hand and
hand only. Figure 10 shows the results we obtained from 50.4% accuracy when they use the right hand. All of
this analysis and similar to the Right Hand result we also these achieved identification rates are better than the state
observe that S1 performs better than S3. of the art identification rates achieved on this dataset.
• The better performance for the right hand is most likely
due to the fact that most people are right-handed and
E. Open-set Experiment hence typing with the right hand resembles the natural
typing behaviour better than typing with the left hand.
We also performed an open-set analysis, where 50% of the Therefore, we can say that keystroke dynamics has the
users is known to the system, and the other 50% are completely potential to identify a person, provided that the data is
unknown to the system. In this experiment, the set of users I based on the normal typing behaviour of a user.
for all the schemes will be I = {1, 2 . . . N 2−1 } (see Algorithms • We would like to mention that after the initial survey, we
1 and 3). To measure the Detection and Identification Rate have used some well-known classifiers (i.e. ANN, SVM,
(DIR), we used a threshold (i.e. Topen ) that will decide whether CPANN and DT ) for our analysis. All these classifiers
the user is within the group of known users or not. If the are trained in a binary classification environment as
U serscore ≥ Topen (see Algorithms 1 or 3 for U serscore ) mentioned in section IV-A. We have tried to maintain
then we say that the user is within the set of known users, a balance between prediction models as well as logistic
otherwise the person is said to be an unknown user. If we regression models. Acceding to our PUC technique, it
find that the user is known to the system, then the system will does not depend on upon the selected classifier; it can
establish the identity of the user. The DIR is the summation work on any given classifier if the classifier can provide
of the following two values: the matching score.
• True ID: Where U serscore ≥ Topen i.e. adversary is
within the known user set and correctly identified. B. Comparison with previous research
• True Not In: Where U serscore < Topen i.e. adversary
As we have mentioned before, this dataset was used in the
was indeed not in the known user set.
”One-handed Keystroke Biometric Identification Competition”
Figure 11 shows the DIR obtained from this analysis for S1 with 500 keystrokes as a sample for evaluation. We take the
and S3 with FE1 and ALL MCF setting. We can see that the competition results from [15] to compare with our results.
DIR is higher for S1 when compared to S3 for any given size Table VI shows the comparison between our best identification
of the keystrokes. accuracy with the top three positions in the competition. We
We have added the Credible Interval for the Figures 8 to can clearly see that both of our techniques perform better than
11 to show the statistical significance of our achieved results. the best place in the competition. The [Baseline] performance
A Credible Interval is an interval in the domain of a posterior was obtained by applying a similar technique as proposed by
probability distribution used for interval estimation [32]. Tappert et al. [14]. Both of our techniques achieved 89.7%
1556-6013 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2017.2658539, IEEE
Transactions on Information Forensics and Security
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY 10
1556-6013 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2017.2658539, IEEE
Transactions on Information Forensics and Security
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY 11
in court. In the future, we will also investigate how well we [25] R. Barros, M. Basgalupp, A. de Carvalho, and A. Freitas, “A survey
can improve the performance for one handed typing and the of evolutionary algorithms for decision-tree induction,” IEEE Trans.
on Systems, Man, and Cybernetics, Part C: Applications and Reviews,
scalability of our proposed schemes. vol. 42, no. 3, pp. 291–312, 2012.
[26] P. S. Dowland and S. M. Furnell, “A long-term trial of keystroke
R EFERENCES profiling using digraph, trigraph and keyword latencies,” in Security and
Protection in Information Processing Systems, 2004, vol. 147, pp. 275–
[1] R. V. Yampolskiy and V. Govindaraju, “Behavioural biometrics: a survey 289.
and classification,” Int. Journal of Biometrics, vol. 1, pp. 81–113, 2008. [27] A. A. Ahmed and I. Traore, “Biometric recognition based on free-text
[2] S. P. Banerjee and D. L. Woodard, “Biometric authentication and keystroke dynamics,” IEEE Trans. on Cybernetics, vol. 44, no. 4, pp.
identification using keystroke dynamics: A survey,” Journal of Pattern 458–472, 2014.
Recognition Research, vol. 7, pp. 116–139, 2012. [28] R. A. Bradley and M. E. Terry, “Rank analysis of incomplete block
[3] S. Bhatt and T. Santhanam, “Keystroke dynamics for biometric authen- designs: I. the method of paired comparisons,” Biometrika, vol. 39, no.
tication - a survey,” in Int. Conf. on Pattern Recognition, Informatics 3/4, pp. 324–345, 1952.
and Mobile Engineering (PRIME’13), 2013, pp. 17–23. [29] T. Hastie and R. Tibshirani, “Classification by pairwise coupling,” The
[4] M. Karnan, M. Akila, and N. Krishnaraj, “Biometric personal authen- Annals of Statistics, vol. 26, no. 2, pp. 451–471, 04 1998.
tication using keystroke dynamics: A review,” Applied Soft Computing, [30] M. Cattelan, “Models for paired comparison data: A review with
vol. 11, no. 2, pp. 1565 – 1573, 2011. emphasis on dependent data,” Statistical Science, vol. 27, no. 3, pp.
[5] L. Araujo, J. Sucupira, L.H.R., M. Lizarraga, L. Ling, and J. B. T. Yabu- 412–433, 2012.
Uti, “User authentication through typing biometrics features,” IEEE [31] D. Ververidis and C. Kotropoulos, “Information loss of the mahalanobis
Trans. on Signal Processing, vol. 53, no. 2, pp. 851–855, 2005. distance in high dimensions: Application to feature selection,” IEEE
[6] F. Bergadano, D. Gunetti, and C. Picardi, “Identity verification through Trans. on Pattern Analysis and Machine Intelligence, vol. 31, no. 12,
dynamic keystroke analysis,” Intelligent Data Analysis, vol. 7, no. 5, pp. pp. 2275–2281, 2009.
469–496, 2003. [32] E. T. Jaynes and O. Kempthorne, Confidence Intervals vs Bayesian
[7] K. S. Killourhy, “A scientific understanding of keystroke dynamics,” Intervals. Springer, 1976, pp. 175–257.
Ph.D. dissertation, Carnegie Mellon University, January 2012. [33] J. V. Monaco, N. Bakelman, S. H. Cha, and C. C. Tappert, “Developing
[8] P. Bours and S. Mondal, Continuous Authentication with Keystroke a keystroke biometric system for continual authentication of computer
Dynamics. Science Gate Publishing, 2015, ch. Recent Advances in users,” in European Intelligence and Security Informatics Conference
User Authentication Using Keystroke Dynamics Biometrics, pp. 41–58. (EISIC’12), 2012, pp. 210–216.
[9] D. Umphress and G. Williams, “Identity verification through keyboard
characteristics,” Int. Journal of Man-Machine Studies, vol. 23, no. 3, pp.
263 – 273, 1985.
[10] S. M. Furnell, J. P. Morrissey, P. W. Sanders, and C. T. Stockel,
“Applications of keystroke analysis for improved login security and
continuous user authentication,” in Information Systems Security, 1996,
pp. 283–294.
[11] J. Stewart, J. Monaco, S.-H. Cha, and C. Tappert, “An investigation of
keystroke and stylometry traits for authenticating online test takers,” in
Int. Joint Conf. on Biometrics (IJCB’11), 2011, pp. 1–7.
[12] H. Locklear, S. Govindarajan, Z. Sitova, A. Goodkind, D. G. Brizan,
A. Rosenberg, V. V. Phoha, P. Gasti, and K. S. Balagani, “Continu-
ous authentication with cognition-centric text production and revision
features,” in Int. Joint Conf. on Biometrics (IJCB’14), 2014, pp. 1–8. Soumik Mondal is a post-doctoral research fellow
[13] M. Obaidat and D. Macchiarolo, “An online neural network system at University of Twente (UT), Netherlands, and his
for computer access security,” IEEE Trans. on Industrial Electronics, primary research goals are directed towards under-
vol. 40, no. 2, pp. 235–242, 1993. standing the pattern recognition and machine learn-
[14] C. C. Tappert, M. Villani, and S.-H. Cha, “Keystroke biometric identifi- ing challenges related to biometrics. Prior to joining
cation and authentication on long-text input,” Behavioral Biometrics for UT, Soumik successfully defended his doctoral dis-
Human Identification: Intelligent Applications, pp. 342–367, 2010. sertation in Information Security from Norwegian
[15] J. Monaco, G. Perez, C. Tappert, P. Bours, S. Mondal, S. Rajkumar, University of Science and Technology (NTNU).
A. Morales, J. Fierrez, and J. Ortega-Garcia, “One-handed keystroke bio- As a doctoral fellow at NTNU, he has developed
metric identification competition,” in Int. Conf. on Biometrics (ICB’15), robust solutions for continuous user authentication
2015, pp. 58–64. and identification problem by using behavioural bio-
[16] D. Gunetti and C. Picardi, “Keystroke analysis of free text,” ACM Trans. metrics. His research interests are in cyber security, cyber forensics and
on Information and System Security, vol. 8, pp. 312–347, 2005. biometrics.
[17] R. Joyce and G. Gupta, “Identity authentication based on keystroke
Patrick Bours studied mathematics at the Eind-
latencies,” Commun. ACM, vol. 33, no. 2, pp. 168–176, 1990.
hoven University of Technology in the Netherlands.
[18] F. Monrose and A. D. Rubin, “Keystroke dynamics as a biometric for
He got his M.Sc. and Ph.D. with a specialization
authentication,” Future Generation Computer Systems, vol. 16, no. 4,
in coding theory. After his studies he worked at
pp. 351–359, 2000.
the Netherlands National Communication Security
[19] Y. Zhong, Y. Deng, and A. K. Jain, “Keystroke dynamics for user
Agency (NLNCSA) in the area of cryptology. In
authentication,” in Conf. on Computer Vision and Pattern Recognition
July 2005 he moved to Norway where he joined the
Workshops (CVPRW’12), 2012, pp. 117–123.
Norwegian Information Security laboratory (NISlab)
[20] S. Mondal, “Continuous user authentication and identification: Combi-
which is a part of NTNU. Since September 2012 he
nation of security & forensics,” Ph.D. dissertation, Norwegian University
holds a full Professor position. He is specialized in
of Science and Technology (NTNU), February 2016.
behavioural biometrics. His current research focus is
[21] J. Kittler, M. Hatef, R. P. W. Duin, and J. Matas, “On combining
on gait recognition and on static and continuous keystroke dynamics.
classifiers,” IEEE Trans. on Pattern Analysis and Machine Intelligence,
vol. 20, no. 3, pp. 226–239, 1998.
[22] C. M. Bishop, Neural Networks for Pattern Recognition. Oxford
University Press, Inc., 1995.
[23] W. Melssen, R. Wehrens, and L. Buydens, “Supervised kohonen net-
works for classification problems,” Chemometrics and Intelligent Labo-
ratory Systems, vol. 83, no. 2, pp. 99 – 113, 2006.
[24] C. Burges, “A tutorial on support vector machines for pattern recog-
nition,” Data Mining and Knowledge Discovery, vol. 2, pp. 121–167,
1998.
1556-6013 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.