Traditional Password Based Access Systems Computer Science Essay

02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Index terms: Threshold algorithm, Multi Layer Perceptron, Interkey time, Press time, Valid Reject Rate, Imposter Pass Rate.

Introduction

Today, all computer-based systems call for more sophisticated mechanisms to guarantee information security. The fast evolution of communication systems has given us a great volume of information anywhere, any time. The security question became a priority. Making these systems more reliable and secure is one of the most important challenges of the communication evolution [1].

Until now, authentication systems have been based on the username and password approach. The drawback of this mechanism is that the password can be obtained by any intruder.

In order to increase security, one technique is to apply biometrics on top of the username and password method. Biometrics are of two types: physiological (retina scan, fingerprint scan etc.) and behavioural (typing pattern, writing pressure etc.). One kind of behavioural biometrics is "keystroke biometrics". The advantage of keystroke biometrics is that no extra hardware is required to implement it.

Some of the techniques that can be used for authentication using keystroke biometrics are MLP, SOM, LVQ etc. Instead of using only a single verification technique out of them, we have used a technique called Threshold technique in addition to MLP algorithm in order to provide improved authentication to the user. If the user is authenticated by both the techniques only then he will be able to access the application for which this authentication system is used.

Our system also includes a third typing-pattern parameter, total time, in addition to the already used press time and interkey time. To further increase security, we keep a record of access history. To enable the user to access his/her account from any location, the database for the system is maintained on the server, i.e. the concept of a centralized database has been implemented.

User authentication

Authentication is the way to correctly verify whether a person is who he or she claims to be [2]. Much research has been carried out on how to correctly identify somebody. Since ancient times, humans have tried to identify each other correctly. The most traditional way to confirm that somebody is who he or she claims to be is to verify his or her handwritten signature. In computer systems, similar issues should be considered.

All information systems adopt some kind of authentication. The most common mechanism is called "username and password". This mechanism consists basically of an association between a piece of public information (the username, which normally everyone knows) that uniquely identifies one user on the system, and a secret word (which nobody beyond the user should know) that confirms that the person associated with that username is who he or she claims to be. Many authors [3,4] have shown that this mechanism presents some drawbacks that make it very weak. Some of its drawbacks are: people choose easy-to-break passwords such as family names and birthday dates; people normally write their passwords in places of easy access; one can easily see a password and "steal it" without the knowledge of the discloser. On the other hand, developing an additional authentication mechanism that carries advantages like low cost, high performance and high acceptability is not easy. "Username and password" is easy to implement (low cost) and largely accepted by users. That's why it is still the most popular authentication mechanism applied nowadays.

Authentication techniques

There are 3 main techniques to verify one's identity: something a person knows (a code); something a person possesses (a card); something a person has (a characteristic).

All these three techniques can be combined in the way to produce a more efficient identification system. Naturally, if we apply the three techniques together a more secure authentication mechanism will be produced. However, we still have to evaluate the cost and the acceptance issues involved in establishing a more sophisticated authentication system.

The last technique is based on one's biometric characteristics. A biometrical system is a pattern recognition system that establishes the authenticity of either specific physiological characteristics (some particular structural characteristic such as hand size or iris format and colour) or behavioural characteristics (some particular behavioural characteristic such as typing speed or writing pressure) inherent to a user.

One kind of biometrical behavioural characteristic that can be used to provide a particular identification is the dynamic characteristics of someone's typing, or the human typing pattern. Many studies, such as Bleha, Slivinsky and Hussein [10] and Monrose and Rubin [1,3], among others, have shown that this approach is possible and effective.

Combined with the traditional authentication system, the user's typing information can help to identify users more precisely. Considering behavioural typing information to authenticate users can be very convenient because no extra hardware is necessary. All the behavioural information can be obtained by software, which generally implies lower cost than hardware development. Moreover, nothing changes in the way the user authenticates himself, which makes it more acceptable. However, the great question about this kind of authentication is how precisely we can verify users' typing behaviour. Many studies, as mentioned before, have shown that this kind of identification is viable, but we are still far from obtaining satisfactory VRR (Valid Reject Rate) and IPR (Impostor Pass Rate) indices compared with other biometric techniques like fingerprinting. Liu and Silverman [8] show that VRR and IPR go in opposite directions: if we try to reduce one of these indices, the other one will go up.

VRR – Valid Reject Rate – indicates how frequently a system rejects valid users.

IPR – Imposter Pass Rate – indicates how often a system accepts an impostor as a valid user.

These indices are the most common metrics for evaluating how often biometric systems make mistakes when matching a pattern, according to Bolle, Pankanti and Jain [6].

Typing Pattern

As mentioned before, many authors have shown that typing dynamics can be used to identify users. To evaluate typing characteristics, two main measures have to be obtained about one's typing:

Interkey time – the time between one key release event and the next consecutive key press event.

Press time – the time between one key press event and the same key's release event.

Total Time – the time required to type the entire password, i.e. the time between the key press of the first character and the key release of the last character of the password string.

Some studies consider just the first measure; others consider both. Obaidat and Sadoum [11] have shown that the press time may in general provide better characterization of typing skills than interkey time, but the best results are obtained when both measures are considered.

However, in our system, we have used all three parameters in combination to provide improved authentication.

Figure 1: Time measures for "et" typing

This figure presents the times obtained when the two keys e and t are pressed. In this figure,

Te: press time for the "e" key;

Tt: press time for the "t" key and

Tet: interkey time between the "e" release event and the "t" press event.

These measures can be obtained through a typing data collector that reads keyboard events and processes this data for future analysis.
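
The three measures above can be computed from raw key events as sketched here. This is an added example, not code from the essay: the KeyEvent record, the function names and all timestamps are assumptions made for illustration, and the second sample shows the overlapping-keys case where the interkey time becomes negative.

```python
# Added illustration; the event logs below are constructed, not data from the essay.
from collections import namedtuple

# kind is "down" (key press) or "up" (key release); t_ms is a millisecond timestamp.
KeyEvent = namedtuple("KeyEvent", "key kind t_ms")

def extract_features(events):
    """Return (press_times, interkey_times, total_time), all in milliseconds."""
    held, strokes = {}, []
    for ev in sorted(events, key=lambda e: e.t_ms):
        if ev.kind == "down":
            # Keyboard auto-repeat sends extra "down" events while a key is held.
            held.setdefault(ev.key, ev.t_ms)
        elif ev.kind == "up":
            if ev.key not in held:
                raise ValueError(f"release of {ev.key!r} without a press")
            strokes.append((held.pop(ev.key), ev.t_ms))
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
    if held or not strokes:
        raise ValueError("incomplete sample: a key was never released, or no keys")
    strokes.sort()  # order keystrokes by press timestamp
    press = [up - down for down, up in strokes]
    # Release of key i to press of key i+1; negative when the typist overlaps keys.
    interkey = [strokes[i + 1][0] - strokes[i][1] for i in range(len(strokes) - 1)]
    total = strokes[-1][1] - strokes[0][0]
    return press, interkey, total

def feature_vector(events):
    """Flatten to the fixed-length vector a threshold check or an MLP would consume."""
    press, interkey, total = extract_features(events)
    return press + interkey + [total]

# Constructed sample matching Figure 1: "e" then "t".
ET_SAMPLE = [
    KeyEvent("e", "down", 0), KeyEvent("e", "up", 95),
    KeyEvent("t", "down", 160), KeyEvent("t", "up", 240),
]
# Constructed sample with rollover: "t" is pressed before "e" is released.
ET_ROLLOVER = [
    KeyEvent("e", "down", 0), KeyEvent("t", "down", 80),
    KeyEvent("e", "up", 95), KeyEvent("t", "up", 170),
]

if __name__ == "__main__":
    print(extract_features(ET_SAMPLE))
    print(extract_features(ET_ROLLOVER))
```

For a password of n characters the vector has n press times, n-1 interkey times and one total time, which fixes the number of input values per sample.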

Proposed Authentication Mechanism

As an attempt to develop a good authentication system, we propose here a mechanism that combines two techniques of identification: something that the person knows (i.e., a password) and something the person has (typing characteristics). In this work, we consider static authentication, that is, authentication performed during the access to the system. Some works, such as Umphress and Williams and Bleha, Slivinsky and Hussein [10], have presented techniques to continuously analyze the typing pattern to guarantee that the user identity is continuously verified during all use of the system. That is not the scope of this work.

Authentication mechanism

The authentication mechanism proposed here can operate in two modes: new user registration and user authentication. In the first case, the mechanism will record the user's username, password and typing profile.

The typing profile is then analyzed and stored so that it can be used during the authentication phase. In this mode, the user will be asked to type his password 10 times.

In user verification mode the system will verify whether the username and password are correct. After that check has been done, the typing characteristics of that user are compared to his/her stored profile. If the typing pattern is quite similar to the stored profile, the user is granted access. So, the user identifies himself/herself by a username, a password and the typing characteristics.

Working Of Authentication System

The authentication mechanism is composed of two parts:

Admin system: See Fig. 2. Here the admin can create a user (who can then access his application), delete a user and view the database. To create a user, the admin assigns a temporary username (UN) and password (PW), which the user then uses to register himself for the application.

Figure 2: Admin System

User system: See Fig. 3. Here the registered user can log in directly using his username and password, while a non-registered user must first register himself. For registration, he uses the temporary UN and PW previously assigned by the admin.

Registration block: This module is responsible for registering the user in the system. It begins by obtaining the user data {UN – username, PW – password, RS – 10 typing reference samples}.

After registration the user can log in to access the application. In authentication, first the password of the user is matched and then the typing pattern is matched.

Authentication block:

Password Verification: During the authentication process, this block is responsible for searching the username (UN) and password (PW) information on the profile database and verifying if the username and password combination is correct. If it’s not, the user is denied access, otherwise the user goes to the next phase of authentication: typing pattern verification.

Typing Pattern Verification: After a user has been correctly verified by password verification block, this block authenticates user on the basis of his typing pattern using Threshold and MLP (Multi Layer Perceptron).

Decision block: This block is responsible for deciding if the result presented by the authentication block makes that test sample valid or not for that user. Generally it will decide based on the threshold and MLP. If the user is authenticated by both techniques only then he will be able to access his application.

Figure 3: User System

C. Centralized Database

The centralized database concept is included to enable a user to access his/her account from any location. There is a centralized database including all the registered users and all the temporary users, that is, users who have been assigned the temporary username and password by the admin but who still haven’t registered themselves. This database is maintained by the admin and is stored on a server.

D. History Tracking

Herein, the location from which the user is accessing his/her account (recorded using the IP address) and the duration for which he/she accesses the account are tracked. If there is a drastic change in the location or duration, the user will be asked a security question before he/she can further access the account.

Implementation

We have implemented the mechanism using Threshold technique in addition to MLP.

A. Threshold

Threshold based authentication technique includes selecting a weight and then using that weight to define a range that determines the maximum possible valid deviation from a given value. Thus any value that does not lie in this range can be treated as an invalid value.
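
An added example (not the authors' implementation) of the threshold check described above, together with the VRR and IPR measures defined earlier. It assumes the "given value" is the per-feature mean of the reference samples and that the allowed deviation is the weight times the standard deviation; all timings are constructed and the function names are hypothetical.

```python
# Added illustration; all timing values are constructed, not the essay's data.
import random
import statistics

def enroll(samples):
    """Build a profile: per-feature mean and standard deviation of the samples."""
    columns = list(zip(*samples))
    return ([statistics.mean(c) for c in columns],
            [statistics.stdev(c) for c in columns])

def accepts(profile, sample, weight):
    """Accept only if every feature lies within mean +/- weight * stdev (assumed rule)."""
    means, devs = profile
    return all(abs(x - m) <= weight * d for x, m, d in zip(sample, means, devs))

def rates(profile, genuine, impostor, weight):
    """Return (VRR %, IPR %): valid users rejected, impostors accepted."""
    vrr = 100.0 * sum(not accepts(profile, s, weight) for s in genuine) / len(genuine)
    ipr = 100.0 * sum(accepts(profile, s, weight) for s in impostor) / len(impostor)
    return vrr, ipr

def simulate(rng, centre, jitter_ms, count):
    """Constructed typist: each feature is Gaussian around a habitual timing."""
    return [[rng.gauss(c, jitter_ms) for c in centre] for _ in range(count)]

def sweep(weights=(1.0, 2.0, 3.0, 4.0), seed=7):
    """Measure VRR and IPR for one owner profile at several threshold weights."""
    rng = random.Random(seed)
    owner = [95, 80, 65, 240]       # press e, press t, interkey e->t, total (ms)
    intruder = [120, 70, 90, 280]   # same password, different rhythm
    profile = enroll(simulate(rng, owner, 8, 10))  # 10 reference samples
    genuine = simulate(rng, owner, 8, 200)
    impostor = simulate(rng, intruder, 8, 200)
    return [(w,) + rates(profile, genuine, impostor, w) for w in weights]

if __name__ == "__main__":
    for weight, vrr, ipr in sweep():
        print(f"weight={weight:.1f}  VRR={vrr:5.1f}%  IPR={ipr:5.1f}%")
```

Because a larger weight only widens the accepted range, VRR can never rise and IPR can never fall as the weight grows, which is the opposite movement of the two indices noted earlier.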

B. Multi-layer Perceptron

A classical MLP with the back-propagation algorithm [11,12] was implemented using 10 neurons in the hidden layer and 2 neurons in the output layer; the number of neurons in the input layer depends upon the length of the password. The number of neurons in the hidden layer was chosen experimentally after many training and test sessions.

Also, the neurons in the hidden layer are incremented dynamically as a result of dynamic learning. The polar sigmoid function was chosen as the neuron activation, and the desired output was chosen as [0.8,-0.8] for the authentic user and [-0.8,0.8] for an imposter.

All parameters presented above were obtained experimentally after many training and test sessions. The best configuration for the learning rate, considering convergence and training time, was achieved at 0.35.

C. Combination

This project consists of both the algorithms working in a serial manner. When a person tries to login, his/her typing pattern sample is first tested by Threshold based algorithm and if it passes the check then it is tested again by MLP algorithm. If it passes both the checks only then, the user is allowed to access the account, otherwise not.

V. Test Results

A. Data Collection

In total, 10 people participated in this first step of our experiment. They were all programmers, familiar with keyboard typing and computer usage. Each one was asked to register himself/herself by typing the password "KEYSTROKE" 10 times.

All the participants were aware of the purpose of the experiment. They were asked to type normally. Their data was collected in the profile database. Later on, during the verification phase, the typing pattern of each user was verified against the typing profile stored in the database.

Authentication Technique    Average VRR%    Average IPR%
Threshold                   21              16
MLP                         14              12
Combination                 3               4

Table 1: Classification result for MLP, Threshold and combination of MLP and Threshold.

The above table shows that the threshold technique decreases VRR and IPR by 21 and 16 % respectively. The MLP technique decreases VRR and IPR by 14 and 12 % respectively. We have implemented the combination of the MLP and Threshold techniques to verify the user, and the results show that it increases security drastically, i.e. 3% and 4% respectively for VRR and IPR.

The above results imply that a combination of techniques applied to authenticate the user is better than the application of a single technique.

B. Tests’ results

The results presented here consider the implemented mechanism working with two authentication units, threshold and multi-layer perceptron (MLP) with back-propagation algorithm.

Conclusion

In this project we have developed a system that can authenticate users not only by their passwords but also by their typing patterns, which provides more security to the system being accessed. It considers the user's typing pattern while authenticating the user. It was developed using Threshold and MLP.

The results presented here show that it is really possible to verify user identity by typing rhythm. Some users present good performance indices while others do not.

Although the IPR and VRR indices obtained were not so good, several advantages show that this approach can be a very interesting alternative to today's authentication mechanisms: the methodology does not require expensive hardware; a stolen password does not mean access to systems; typing biometrics cannot be lost, stolen or lent; user acceptance is high; and the methodology effectively renders trial-and-error password attacks obsolete, among others.

Future Works

Further studies on the subject will be carried out, concerning more the physiological aspect of each user in many different states of consciousness throughout his/her working day. The influence of many different types of keyboard (mobile, laptop etc.) will be studied as well.


