Keystroke dynamics-based user authentication service for cloud ...

CONCURRENCY AND COMPUTATION: PRACTICE AND EXPERIENCE Concurrency Computat.: Pract. Exper. 2015 Published online in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/cpe.3718

Keystroke dynamics-based user authentication service for cloud computing Alshaimaa Abo-alian*,†, Nagwa L. Badr and M. F. Tolba Faculty of Computer and Information Sciences, Ain shams University, Cairo, Egypt

SUMMARY User authentication is a crucial requirement for cloud service providers to prove that the outsourced data and services are safe from imposters. Keystroke dynamics is a promising behavioral biometrics for strengthening user authentication, however, current keystroke based solutions designed for certain datasets, for example, a fixed length text typed on a traditional personal computer keyboard and their authentication performances were not acceptable for other input devices nor free length text. Moreover, they suffer from a high dimensional feature space that degrades the authentication accuracy and performance. In this paper, a keystroke dynamics based authentication system is proposed for cloud environments that is applicable to fixed and free text typed on traditional and touch screen keyboards. The proposed system utilizes different feature extraction methods, as a preprocessing step, to minimize the feature space dimensionality. Moreover, different fusion rules are evaluated to combine the different feature extraction methods so that a set of the most relevant features is chosen. Because of the huge number of users’ samples, a clustering method is applied to the users’ profile templates to reduce the verification time. The proposed system is applied to three different benchmark datasets using three different classifiers. Experimental results demonstrate the effectiveness and efficiency of the proposed system. Copyright © 2015 John Wiley & Sons, Ltd. Received 6 June 2015; Revised 19 August 2015; Accepted 16 October 2015 KEY WORDS:

keystroke dynamics; authentication; cloud computing

1. INTRODUCTION Cloud computing is an emerging paradigm for delivering software, platform, and infrastructure services to customers on demand. Cloud storage services allow the data owner to outsource local data to an online virtualized storage. The key advantage of cloud storage services is the cost effectiveness, as the data owner avoids the burden of storage management and frequent maintenance costs [1]. Instead, the data owner only needs to pay for the amount of storage the data actually consumes. Availability and reliability are major advantages because cloud data can be accessed anytime anywhere by the user when a network is available. However, cloud storage introduces new security challenges, which make data owners worry about their data being misused or accessed by unauthorized users. Therefore, it is a vital requirement to have a highly secure authentication mechanism to protect user’s private data from intruders. User authentication is the process of verifying the identity of a user, that is, whether someone is who he/she claims to be. This authentication process is often categorized by the number of factors that they incorporate [2]: (i) knowledge-based factors: factors the user knows (e.g., a password or *Correspondence to: Alshaimaa Abo-alian, Faculty of Computer and Information Sciences, Ain shams University, Cairo, Egypt. † E-mail: [email protected] Copyright © 2015 John Wiley & Sons, Ltd.

A. ABO-ALIAN, N. L. BADR AND M. F. TOLBA

PIN code); (ii) possession-based factors: factors the user possesses (e.g., token, certificate, and ID card); and/or (iii) biometric based factors: personal factors of the user (e.g., biometrics finger print, and iris scan). A multi-factor or strong authentication is referred to as a combination of two or three of these factors. Knowledge-based authentication mechanisms are the most commonly used; however, static passwords are vulnerable to various attacks such as brute-force, dictionary or replay attacks. Token-based authentication mechanisms are not reliable because tokens are vulnerable to theft or loss. Biometrics is the science of identifying a person by particular physiological features, such as fingerprint, face, and iris, or behavioral characteristics such as signature, keystroke, and dynamics. [3]. Although physiological biometrics promotes high authentication accuracy, they may possibly suffer low public acceptance because of the following reasons. First, physiological biometric authentication systems require costly specialized hardware such as a fingerprint scanner or a high resolution digital camera, which increase the implementation and deployment costs. Secondly, a person may not be willing to store his/her facial image in an untrusted third party cloud server [3]. On the contrary, the advantage of using behavioral biometrics such as keystroke dynamics is its availability because keystroke dynamics can be captured even without the knowledge of the user [2]. Keystroke dynamics refers to the process of measuring and assessing timing information of human’s typing on digital devices such as pressing keys and releasing keys [4]. The advantages of keystroke dynamics are [4] (i) low implementation and deployment costs as it does not depend on specialized hardware; (ii) transparency and simplicity because it requires none or minimal alteration to the user’s behavior; (iii) replication prevention and additional security as keystroke patterns are harder to be reproduced than the written signatures; and (iv) continuous authentication can be provided [5]. However, keystroke dynamics-based authentication has two notable limitations. First, there may be variations in the typing rhythm that are caused by external factors such as injury, stress, or interruption, which lower authentication accuracy of keystroke dynamics biometrics. Second, typing rhythms of a human may gradually change because of maturing typing proficiency, adaptation to input devices, or other environmental factors [4]. In recent years, there have been considerable research studies [6–10] regarding keystroke dynamicsbased user authentication. However, most of them focused only on a short and static text such as; identification (ID) and password typed on a traditional personal computer (PC) keyboard. Moreover, they suffer low authentication accuracy and high error rate. High verification time is another drawback of existing keystroke dynamics-based authentication systems, which considerably affects the cloud consumers with the pay-as-you-use costing model. The main contributions of this paper are as follows. First, proposing a new system for keystroke authentication for cloud environments that is suitable for fixed text and free text typed on traditional and touch screen keyboards. As mentioned earlier, a notable limitation of keystroke analysis is the high dimensionality of the keystroke feature space. The second contribution is eliminating redundant or irrelevant features from the large scale keystroke dynamics by combining different feature selection methods and different fusion rules which, in turn, achieve higher authentication accuracy and performance. The third contribution is minimizing the elapsed time of the keystroke authentication process by clustering the user profile templates in the keystroke dataset so that keystroke features of an unknown user will be checked against only the profile templates of users within the same cluster, instead of the profile templates of all users in the whole dataset. Therefore, the proposed system eliminates the tradeoff between the authentication accuracy and the elapsed time of the verification process. Finally, the proposed system is applied on three different datasets: (i) fixed-text typed on a PC keyboard; (ii) fixed-text typed on a touch screen phone; and (iii) freetext typed on a PC keyboard. The experiments illustrate the impact of different fusion methods, classifiers, sample size, and password length on the authentication accuracy and performance using the three different benchmark data sets. The rest of the paper is organized as follows. Section 2 overviews related work. Section 3 provides the detailed description of the proposed keystroke dynamics-based user authentication system. Then, Section 4 further discusses the evaluation criteria and experimental results. Finally, the conclusion is presented in Section 5. Copyright © 2015 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. (2015) DOI: 10.1002/cpe

KEYSTROKE AUTHENTICATION SERVICE

2. RELATED WORK Existing keystroke dynamics based user authentication systems can be broadly classified into two categories: Static or fixed text and dynamic or free text. Static text keystroke systems focus on analyzing the keystroke behavior of users on predetermined phrase(s) at certain points in the system. For example, the user’s typing pattern is analyzed when the user types the user ID and password only once while logging onto a system [2]. Dynamic text keystroke systems focus on continuous or periodic monitoring of keystroke behavior. It is first checked when a user logs onto the system and continues thereafter [2]. 2.1. Keystroke dynamics based authentication systems using fixed text Phoha et al. [11] proposed a method for user authentication using the hidden Markov model (HMM) [12] through keystroke dynamics by mapping the patterns of key hold times to speech signals. They modified hidden Markov model parameters to reduce the order of computations involved in the forward (or backward) procedure. However, each user provided a set of only nine reference keystroke patterns/sample, but the small sample size leads to a high false acceptance rate. Sentosa et al. [13] tackled the scalability issue of Gunetti and Picardi [14], that is, their system needs to verify the input with every training sample of every user within the whole database. They proposed clustering based keystroke authentication algorithm. They utilized k-nearest neighbor so that an input was compared against the user templates within the same cluster, which greatly reduced the verification load. The main limitation is determining the value of the parameter K (the number of clusters) which can have a remarkable impact on the results. Another limitation of this algorithm is that it cannot perform accurately on new unseen patterns as it has no experience of a learning data set. Killourhy and Maxion [15] collected a keystroke dynamics dataset based on static text. In addition, they developed an evaluation procedure in order to measure the performance of a range of statistical methods, for example, Manhattan [16] and Mahalanobis [17] and machine learning methods, for example, support vector machine (SVM) [18], Fuzzy Logic [19], and Neural Network [20]. However, they only use genuine users’ data at training time to build a template for each genuine user; further, they compared unforeseen login data with those templates and made an authentication decision based on a user specific threshold at testing time. Shiomi et al. [21] proposed a new filter method based on the resemblance to Hamming distance such that the down–down times of more than 200 ms are discarded as outliers. However, they utilized only statistical methods for applying dissimilarity measures such as Euclidean distance, Manhattan distance, and Gaussian probability density function [22]. Rezaei and Mirzakochaki [23] utilized three different classifiers, namely, the linear discriminant classifier [24], the quadratic discriminant classifier [25], and k-nearest neighbor [26] to classify users’ keystroke patterns. After that, a set of ensemble methods, that is, minimum, maximum, mean, median, product, and majority vote functions, were adopted to reduce the error rate and increase the reliability of their system. However, their dataset was relatively small, that is, the patterns are collected only on 24 users, each entering a fixed 10-character password. Deng and Zhong [27] addressed the limitation of [15] and used the Gaussian mixture model [28] with the universal background model (GMM–UBM) and the deep belief nets [29] to enhance the model’s discriminative capability without seeing the imposter’s data at training time. Their proposed approach reached a 58% relative error rate reduction. Alpar [30] introduced a novel authentication system using artificial neural networks with Red, Green, Blue (RGB) histograms. They collected key codes and inter-key times for passwords in the register and login steps, colorized keys to generate RGB histograms and trained the histograms with neural networks to determine a password keystroke interval. However, it also suffers from the small number of training subjects and small sample sizes. Moreover, the reject error changes between 30% and 40% and the false accept error changes between 0% and 70%, according to the keystroke attributes. Recently, Giuffrida et al. [31] proposed sensor-enhanced keystroke dynamics to authenticate users typing on mobile devices with a touch screen and a software keyboard via keystroke timings and movement sensor information (i.e. accelerometer, gyroscope). Although their implementation supports Copyright © 2015 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. (2015) DOI: 10.1002/cpe

A. ABO-ALIAN, N. L. BADR AND M. F. TOLBA

one-class SVM, naive Bayes and k-nearest neighbors and achieves equal error rate (EER) equals 0.08, their experiments are conducted on a few numbers of users (i.e., only 20 users). Moreover, they did not evaluate the system performance with respect to the verification time. 2.2. Keystroke dynamics-based authentication systems using free text The main advantage of free text keystroke authentication over static text keystroke authentication is its ability to continuously ensure the validity of a legal user throughout the interaction period [4]. Possible applications of free text keystroke authentication may include account activity monitoring and intrusion detection. Unfortunately, there is limited literature on keystroke authentication systems using free text due to the complexity of the experiment setup and the huge number of features compared with static/fixed-text authentication. Gunetti and Picardi [14] proposed the GP method, which is based on ‘R’ and ‘A’ measures. ‘R’ measure is the relative degree of disorder between the typing speeds of two users on digraphs. So if two users have a similar order of digraph typing speeds, they will be identified as the same user. ‘A’ measure is the absolute degree of disorder between the typing speed of two users on digraphs. So if two users have similar speeds for the same digraphs, then they are considered as the same user. The main advantage is the low achieved false acceptance rate (FAR), that is, 0.005%. On the contrary, their method is not practical for large scale systems due to its severe scalability problem, because the computational cost is n2 where n is the number of registered users in the system. Hu et al. [3] proposed two keystroke verification approaches (nGdv-V and nGdv-C) to overcome GP’s limitations [14]. They designed a new correlation measure using n-graph equivalent feature (nGdv) that enables more accurate recognition for genuine users and reduces the false rejection rate (FRR). Moreover, they proposed correlation-based hierarchical clustering (nGdv-C) to address the scalability issue. Although the nGdv-V approach is 1,000 times faster than the GP approach, the nGdv-V approach is not as accurate as the GP approach. The nGdv-V approach suffers from a high error rate. Stefan et al. [32] proposed a keystroke authentication framework called human and bot aparttelling (TUBA). TUBA analyzes the keystroke data from a group of users on a different set of inputs, including email addresses, a password, and web addresses. TUBA uses SVM for classification with a Gaussian radial basis function. They evaluated the security of TUBA against synthetic forgery attacks. However, their dataset contains only a few numbers of subjects (i.e., 20 users). Tappert et al. [33] developed an authentication system for students taking online examinations. They presented performance statistics on keystroke, stylometry, and combined keystroke–stylometry systems, which were obtained from the data of 30 students taking examinations in a university course. They claimed that the performance of the keystroke biometric system is far superior to that of the stylometry one but their results may not be confident due to the small sample size, that is, 4–8 samples/user. Ahmed and Traore [34] combined monograph and digraph analysis, and used a neural network to predict missing digraphs based on the relation between the monitored keystrokes. Although they obtained an EER of 2.13%, the small sample size and the low scalability are the main drawbacks of their system.

3. THE PROPOSED KEYSTROKE-BASED AUTHENTICATION SYSTEM Most existing work on keystroke authentication measures performance using the metrics of FAR, FRR, and the EER. Unfortunately, they did not consider the elapsed time of the verification (login) process; however, it is a crucial performance metric because long verification time frustrates the user with long waiting times. So it is not accepted if the verification time takes minutes. Moreover, most existing work was designed for a special dataset, for example, a text typed on a traditional PC keyboard and their authentication performances might not be acceptable for other input devices. This section describes the architecture and the detailed processes of the proposed keystroke based authentication system for cloud computing that solves the aforementioned issues. As in all other behavioral biometric systems, the proposed system operates in two modes: Offline and online as illustrated in Figure 1. The offline mode is also called registration or enrollment mode. During registering a new account, the new user firstly specifies login information such as ID and password, and provides a certain number Copyright © 2015 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. (2015) DOI: 10.1002/cpe

KEYSTROKE AUTHENTICATION SERVICE

Figure 1. The architecture of the proposed keystroke based authentication system.

of typing samples. Secondly, the system extracts the keystroke timing features for that user, removes outliers, selects relevant feature sets, and finally builds a profile template for that user. Thirdly, the user profile template can be included in an existing cluster if it satisfies the predefined cluster rules or establishes a new cluster. It is noteworthy that people’s keystroke dynamics, as behavioral biometrics, are believed to be difficult to copy. Additionally, in the proposed system, the profile template of each user is built based on many different samples collected in different sessions. A huge number of features are extracted to build the profile template of each user (i.e., 700 features in the case of free text). The selected combinations of those features are unknown to any keylogger in order to prevent any malicious keystroke regeneration using any keylogger. Moreover, the whole keystroke dataset is encrypted using advance encryption standard algorithm. The online mode is also called login or verification mode. During login, the user provides an ID and a password for comparison with the valid user profile template stored in the clustered system dataset. If the user provides the wrong password, access will be rejected. However, if the user provides the correct password, the extracted keystroke features are provided as input to the classifier. If the classifier determines that the user’s keystroke features are similar to that of a valid user profile template, access to the system will be granted; otherwise, access will be rejected even if the user provides the correct password. 3.1. Data acquisition In this primary process, raw keystroke timing measurements are collected via various input devices such as a PC keyboard, a virtual keyboard or a touch screen of a smart phone. In this paper, we conduct experiments using a user profile dataset derived from three public datasets, namely, CMU dataset [15], GP dataset [14], and the AndroidKeystroke dataset [35]. 3.2. Keystroke feature extraction In the feature extraction process, the timing measurement of user’s keystroke typing is then processed and stored as a profile template for further login verification. Feature extraction process includes outlier detection and feature selection methods as preprocessing procedures in order to increase the quality of feature data, for further improving the authentication accuracy and efficiency. a. Outlier detection In keystroke dynamics, an outlier is a timing measure that appears to deviate obviously from other timing measures in the sample. An outlier may indicate noisy data. For example, the timing data may have been measured incorrectly or an experiment may not have been run correctly. So the outlier value should be deleted from the feature vector (or corrected if possible) because it may consequently affect the authentication decision. We utilized the modified z-score method [36] in order to identify outliers in the keystroke feature vector. Copyright © 2015 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. (2015) DOI: 10.1002/cpe

A. ABO-ALIAN, N. L. BADR AND M. F. TOLBA

Modified z-score applies the median computation technique to identify outliers because the median is not affected by a few extreme values. So, in many cases, the modified z-score provides more robust statistical detection of outliers. Assuming that xij be the ith feature value for user j, the modified z-score (Mij) is computed as
 0:6745ðxij  median xij (1) M ij ¼ MADj where MADj is the Median Absolute Deviation of feature j, which is the median of the absolute deviations from the data’s median:

  MADj ¼ median xij  median xij  (2) As suggested by [37], any sample feature with |Mij| > 3.5 is considered an outlier. b. Feature selection and reduction Keystroke dynamics suffer from high dimensionality and a huge number of irrelevant and dependant features which may degrade the classification accuracy and efficiency. Therefore, three different feature selection methods, that is, Fisher’s linear discriminant (FLD) [38], quickly typed digraphs (QTD) [39], and information gain (IG) ratio [40], to optimize classification performance, in terms of verification accuracy and time. Feature selection methods are utilized as preprocessing steps in order to select a subset of the most informative or discriminative features from the original feature set and eliminate redundant or irrelevant features from the large scale keystroke dynamics. i. FLD Fisher’s linear discriminant is a machine learning method which is commonly used to select the set of relevant features that separates two or more classes. It aims at finding a feature representation by which the within-class variance is minimized and the between-class variance is maximized. The premise of FLD is to condense high dimensional data to lower dimensions in order to improve verification accuracy and efficiency. For each feature, let μ1, μ2, …, μm represent the statistical means of that feature, measured over the samples associated with each of the m users. For example, μj is the mean of that feature measurement for user j. FLD score is formulated as follows: FLD ¼

between  class variance within  class variance

So the numerator indicates the discrimination between two classes, and the denominator indicates the scatter within each class. 2 μj  μ  2 m n ð n  1 Þ∑ ∑ x  μ m ij j j¼1 i¼1

=ðm1Þ∑  1

FLD ¼ 1

m j¼1



(3)

where n = number of features for each user. m = number of different users. xij = ith feature value for user j. μj = mean of all feature values for user j. μ = mean of all feature values over all users. The FLD score is the highest when a feature exhibits both a low within-class variance and high between-class variance. In other words, the larger the FLD score is, the more likely this feature is more discriminative. However, a disadvantage of using FLD score is that it does not reveal mutual information among features. Therefore, the proposed system uses feature fusion rules to combine the FLD score with other feature selection methods. Copyright © 2015 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. (2015) DOI: 10.1002/cpe

KEYSTROKE AUTHENTICATION SERVICE

ii. QTD The proposed system implements the QTD feature selection as it is a simple filtering method that considers the close relations between features and their dependencies such as the hold time and the release time of the keys. The QTD method obtains digraphs that are typed quickly, that is, having least typing time. It computes averages of the digraphs for all of the user samples in order to determine the digraphs with the smallest average. Then, the digraph list is ordered ascendingly by the average time. The QTD method consequently selects the top d digraphs as the most QTD and so the most relevant digraphs. iii. IG ratio Information gain ratio of a feature measures how precisely the feature predicts the classes of subject samples, if the only information available is the presence of the feature and the corresponding class distribution. In other words, IG ratio measures the expected reduction in entropy when the feature is existed versus absent. Therefore, a feature is more relevant if its normalized information gain is larger. Information gain for feature f is h i IGð f Þ ¼ eðpos; negÞ  Pf eðTP; FPÞ þ Pf ′ eðTN; FN Þ

(4)

where eðx; yÞ ¼ 

x x y y log  log2 ; xþy 2xþy xþy xþy

TP The number of true positives TN The number of true negatives FN The number of false negatives FP The number of false positive pos number of positive cases = TP + FN neg number of negative cases = FP+ TN Pf Probability of feature f. iv. Feature fusion methods The proposed system utilizes different feature fusion methods in order to combine the features extracted from the mentioned feature selection methods and to achieve the most discriminative and informative feature set. So the classifier is consequently given the resulting optimal feature set. The more informative and relevant a feature set is, the more accurate and efficient the classifier decision is achieved. 3.3. Clustering The main objective of the clustering process in the proposed system is optimizing the keystroke verification performance. Instead of verifying the keystroke features of an unknown user with profile templates of every user within the whole dataset, we utilize k-medoids clustering algorithm [41] to group a set of users’ profile templates into clusters so that similar templates are assigned to the same cluster. As a result, the extracted keystroke features of an unknown user will be checked against the templates of users within the same cluster only, instead of the templates of all users. Therefore, clustering will greatly reduce the keystroke verification computational time. The k-medoids algorithm is similar to the most popular clustering algorithm k-means, except that k-medoids algorithm uses medoids to represent the clusters rather than centroids. A medoid is the element of a cluster with the minimum average dissimilarity to all the objects in the same cluster. Copyright © 2015 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. (2015) DOI: 10.1002/cpe

A. ABO-ALIAN, N. L. BADR AND M. F. TOLBA

Thus, it is more robust to noise and outliers as compared wirh k-means because it minimizes the sum of dissimilarities instead of the sum of squared Euclidean distances. As illustrated in Figure 2, the clustering process works in the offline mode as follows: Let Tu be a representative user profile template of user u which is a vector of n features, that is, Tu = {fu1, fu2, …, fun}and m be the total number of user profile templates in the database. 1. 2. 3. 4.

Randomly select K of the m profile templates as the medoids. Calculate distances between each profile template Tu and each medoid using Manhattan distance. Associate each profile template Tu to the closest medoid. For each pair of non-medoid profile templates (Tu)random and medoid profile templates (Tu)mod, calculate the total swapping cost TC. 5. If TC < 0, (Tu)mod is replaced by (Tu)random. 6. Repeat steps 2–5 until there is no change. In the online mode, a distance is calculated between the extracted feature vector of an unknown user and the medoids of K clusters. Then, the feature vector of an unknown user will be associated to the closest cluster and checked against the templates of users within the same cluster only, instead of the templates of all users.

3.4. Classification In the online mode, the user provides the user ID and password to log onto the system, a classification method is used in order to grant or reject the request based on the extracted keystroke features of the user and the stored templates in the clustered keystroke database. The proposed system supports and tests three different classifiers: SVM [42], naive Bayesian [43], and multilayer perceptron (MLP) [44] for the three different datasets. a. SVM based classification The proposed system utilizes SVM to train and classify the data because SVM can be used to classify both linearly separable data and nonlinearly separable data. SVM aims at maximizing the margins between the considered classes by implicitly mapping the input feature vectors to a higher dimensional space by using the kernel function. Concisely, SVM classifies data by finding the best hyperplane that separates all data points of one class from those of the other class. The larger the margin is, the better the generalization error of the classifier will be.

Figure 2. The clustering process in the offline mode. Copyright © 2015 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. (2015) DOI: 10.1002/cpe

KEYSTROKE AUTHENTICATION SERVICE

We exploit the nonlinear version of the one class SVM algorithm in MATLAB, which maps the input data into a high dimensional feature space via a radial basis function kernel: 
′ x  x’2 (5) K x; x ¼ exp  2σ 2 where x and x′ are two samples. We set two parameters C = 100.0 (the penalization coefficient of the SVM) and σ = 1.0 (the parameter of the radial basis function kernel). b. Naive Bayesian-based classification The proposed system also supports naive Bayesian classifier because of its simplicity and efficiency; however, it usually requires a huge number of samples in order to attain accurate classification decisions. Bayesian classifiers are statistical approaches capable of predicting class membership likelihoods, that is, the probability of the training set belonging to a specific class. It is based on Bayes theorem and well known for its efficiency when applied to a large dataset. Let d be a sample that will be classified and let Cy be a hypothesis that d belongs to class y. In our system, we have two classes; genuine and imposter. In the classification process, P(Cy|d) needs to be calculated, which is the probability that the hypothesis Cy holds based on the data sample d. It can be calculated through


 P djC y :P C y (6) P C y jd ¼ P ðd Þ Naïve Bayesian assumes that features have independent distributions and thereby estimates




 P C y dÞ ¼ P d 1 C y Þ:P d2 C y Þ:P d 3 Cy Þ… P dn C y Þ

(7)

c. MLP based classification Because of the excellent generalization ability of the MLP, the proposed utilizes the MLP system to gradually adjust and train previously unseen patterns with minimal errors. The MLP is a feed-forward neural network, which means that the information propagates from input to output. The MLP utilizes the back propagation technique for training the network. A MLP consists of an input layer, several hidden layers, and an output layer. The inputs are fed with the values of each feature and the outputs provide the class value. The hidden layer is an extra layer of neurons with nonlinear activation functions which works as a nonlinear mapping between the input and output. The MLP can achieve accurate classification decisions with a small number of samples. We utilize one hidden layer with 25 nodes and apply a sigmoid function as an activation function in the hidden layer.

4. EXPERIMENTAL RESULTS AND DISCUSSION The experiments are conducted using MATLAB R2013a (version 8.1) and Java jdk 1.7.60 on a system with an Intel Core i5 processor running at 2.2 GHz and 4 GB RAM running Windows 7 (Intel Corporation, Santa Clara, California, USA). The experiments are performed with 10-fold cross validation. Performance is assessed using the evaluation criteria across the ten-folds. 4.1. Datasets Most existing keystroke authentication systems were designed for a special dataset, for example, a text typed on a traditional PC keyboard and their authentication performances might not be satisfactory for other input devices. Therefore, we evaluated the proposed keystroke authentication system using three public datasets: a. CMU dataset [15]: static text keystroke dynamics dataset collected via a traditional PC keyboard. b. GP dataset [14]: free text keystroke dynamics dataset collected via a traditional PC keyboard. Copyright © 2015 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. (2015) DOI: 10.1002/cpe

A. ABO-ALIAN, N. L. BADR AND M. F. TOLBA

c. AndroidKeystroke dataset [35]: static text keystroke dynamics dataset collected via a touch screen keyboard. a. CMU dataset The CMU benchmark dataset contains keystroke dynamics consisting of the hold time for each key, that is, the time from when the key was pressed to when it was released, and the latencies between two successive keys for a static password string ‘.tie5Roanl.’ In the dataset, there are 51 subjects recruited from within the university. Each subject completed eight data-collection sessions (of 50 passwords each), for a total of 400 password-typing samples, with at least one day apart between two sessions. Some data samples are shown in Figure 3. As illustrated in Figure 3, the data are arranged as a table with 34 columns. Each row of data corresponds to the timing information for a single repetition of the password by a single subject. The first column, subject, is a unique identifier for each subject (e.g., s002 or s057). The second column, sessionIndex, is the session in which the password was typed (ranging from 1 to 8). The third column, rep, is the repetition of the password within the session (ranging from 1 to 50). The remaining 31 columns present the timing features for the password. The name of the column encodes the type of timing feature. Column names of the form H. key designate a hold time for the named key. Column names of the form DD.key1.key2 designate a keydown–keydown time for the named digraph (i.e., the time from when key1 was pressed to when key2 was pressed). Column names of the form UD.key1.key2 designate a keyup–keydown time for the named digraph (i.e., the time from when key1 was released to when key2 was pressed). b. GP dataset The GP dataset is a free text keystroke dataset. So volunteers were allowed to type any text they wanted instead of a pre-defined text during the data acquisition process. Volunteers were asked to type into a text area of 65 characters wide and 12 lines long for a total of 780 characters. On average, the gathered samples have a length varying between 700 and 900 characters. The original dataset consists of 40 internal users (subjects) with 15 typing samples per subject. Another 165 external users, each with only one typing sample, act as impostors to the system. Because of the privacy issue, the dataset owners published only the keystroke samples of 31 internal subjects and 165 impostors. Each user sample file contains data in the form:{ 60870 65 61040 32 62910 80 63130 85… … … }. Each number in bold is the absolute time in milliseconds at which the corresponding key was depressed. Key is reported next to the bold number as a decimal ASCII. In the aforementioned example, key ‘A’ (65 decimal) has been depressed at time 60870, the space (32 decimal) has been depressed at time 61040, which is 61040–60870 milliseconds after the ‘A’ and so on. c. AndroidKeystroke dataset The AndroidKeystroke dataset contains keystroke dynamics captured via a touch screen keyboard. Two types of android devices were used, a Nexus 7 tablet and a Mobil LG Optimus L7 II P710 device (LG, Korea). The dataset consists of a total number of 42 subjects. The subjects are composed of 37 tablet users and 5 mobile phone users. The dataset contains 51 input samples from each subject. Each subject completed two sessions during a period of two weeks. In each session, users had to enter the same password (.tie5Roanl) 30 times. The total number of features are 71. Table I explains the various keystroke features in the AndroidKeystroke dataset. Table II presents a summary of the different datasets used in the proposed system evaluation.

Figure 3. Some data samples from the CMU keystroke dynamics benchmark dataset. Copyright © 2015 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. (2015) DOI: 10.1002/cpe

KEYSTROKE AUTHENTICATION SERVICE

Table I. Keystroke features in the AndroidKeystroke dataset. Feature name Key hold time (H) Down–down time (DD) Up–down time (UD) Key press pressure (P) Finger area (FA) Average hold time (AH) Average finger area (AFA) Average pressure (AP)

Explanation

Number of features

Time between key press and release Time between consecutive key presses Time between key release and next key press Pressure at the moment of key press Finger area at the moment of key press Average of key hold times Average of finger areas Average of key pressures

14 13 13 14 14 1 1 1

Table II. Summary of the datasets used. Dataset

Number of users

Number of samples per user

Number of features

Description

51 31 37

50 15 51

31 700 71

Fixed text/ PC keyboard Free text/ PC keyboard Fixed text/ touch screen keyboard

CMU GP AndroidKeystroke

CMU, Carnegie Mellon University; PC, personal computer.

4.2. Evaluation criteria In order to evaluate the authentication system, the following criteria have been measured using the confusion matrix as shown in Table III: 1. FAR: The percentage of imposters falsely accepted as genuine users to the total number of imposFP ters trying to access the system. FAR is defined as FAR ¼ TNþFP 2. FRR: The percentage of genuine users falsely rejected as imposters to the total number of genuine FN users. FRR is defined as: FRR ¼ TPþFN 3. EER: The value of FAR/FRR at an operating point on ROC where FAR equals FRR. 4. Elapsed time of login: The amount of time in milliseconds taken since the user provided the login information till the user is granted or rejected. 5. Precision: The percentage of accepted users that are correct genuine users. It is defined as: TP Precison ¼ TPþFP 6. Recall (Sensitivity): The percentage of genuine users that were correctly accepted. It is defined TP as: Recall ¼ TPþFN 7. Specificity: The percentage of imposters that were correctly rejected. It is defined as TN Specificity ¼ TNþFP 8. F-measure: The harmonic mean of recall and precision. It is defined as F  measure ¼

2TN 2TPþFPþFN

Table III. A Simple confusion matrix. True Class

Predicted Class

Genuine Imposter

Genuine

imposter

TP FN

FP TN

TP, the number of true positive; FP, the number of false positive; FN, the number of false negative; TN, the number of true negatives. Copyright © 2015 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. (2015) DOI: 10.1002/cpe

A. ABO-ALIAN, N. L. BADR AND M. F. TOLBA

4.3. Results and discussion Several experiments are conducted on the proposed system to explore the impact of the following parameters on the FAR, FRR, EER, and elapsed time using three different datasets: i. Different feature selection and fusion methods. ii. Different cluster sizes. iii. Different classification methods, user sample size and password length. Moreover, some experiments are conducted to compare the proposed system with the state-of-theart, and some experiments were conducted to evaluate the proposed system using other accuracy criteria such as precision, and recall i. The impact of feature selection and fusion methods. As shown in Table IV, four feature fusion rules are examined in the system experiments. It is important to note that S1 is the FLD score, S2 is the QTD score, and S3 is the IG score. In the weighted sum fusion method, weights are computed based on the assumption that the feature selection method is more effective, that is, selects more relevant features, if it results in a small equal error rate in the further classification. In other words, a feature selection method is assigned a higher weight if the resulting 1 . So the weight can be computed as follows: classification EER is low, that is, wi α EER i wi ¼

ci 1 ; where ci ¼ f or i ¼ 1; 2; 3 ∑i ci EERi

(8)

Tables V–VII show the impact of different feature selection and fusion methods on the accuracy metrics and the elapsed time of the proposed system when applied to three different datasets; CMU, GP, and AndroidKeystroke datasets, respectively. For the CMU dataset, the number of clusters chosen are 5, and the password length is 10 using SVM classifier. For the AndroidKeystroke dataset, the number of clusters chosen are 5, and the password length is 14 using the SVM classifier. For the GP dataset, the number of clusters chosen are 10 and the password length is 14 using the MLP classifier. In the weighted sum fusion method, the weights are computed based on the resulting EERs of the corresponding feature selection methods using Equation 8. For the CMU dataset, the weighted sum will be 0.35 (1- FLD) + 0.403 QTD + 0.248 IG. For the GP dataset, the weighted sum will be 0.337 (1- FLD) + 0.321 QTD + 0.342 IG. For the AndroidKeystroke dataset, the weighted sum will be Table IV. Feature fusion rules. Fusion rule

Fused score s1 þs2 þs3 3 w1s1 + w2s2 + w3s3

Sum Weighted sum Product Max

s1 × s2 × s3 max(s1, s2, s3)

Table V. The impact of feature selection and fusion methods using the CMU dataset. Fusion method

No. of selected features

FAR (%)

FRR (%)

EER (%)

Elapsed time (ms)

All features QTD FLD IG Sum Weighted Sum Product Max

31 22 17 15 16 19 22 17

0.015 0.020 0.040 0.100 0.100 0.030 0.020 0.040

0.200 0.180 0.120 0.140 0.160 0.120 0.180 0.120

0.030 0.059 0.068 0.096 0.100 0.055 0.059 0.068

103 69 37 26 34 34 78 51

FAR, false acceptance rate; FRR, false rejection rate; EER; equal error rate; QTD, quickly typed digraphs; FLD, Fisher’s linear discriminant; IG, information gain ratio. Copyright © 2015 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. (2015) DOI: 10.1002/cpe

KEYSTROKE AUTHENTICATION SERVICE

Table VI. The impact of feature selection and fusion methods using the GP dataset. Fusion method

No. of selected features

FAR (%)

FRR (%)

EER (%)

Elapsed time (ms)

All features QTD FLD IG Sum Weighted Sum Product Max

700 220 47 103 76 54 85 63

0.08 0.068 0.058 0.065 0.050 0.042 0.064 0.055

0.180 0.175 0.160 0.162 0.140 0.129 0.159 0.155

0.090 0.063 0.060 0.059 0.051 0.051 0.070 0.085

400 210 96 180 85 69 98 79

FAR, false acceptance rate; FRR, false rejection rate; EER; equal error rate; QTD, quickly typed digraphs; FLD, Fisher’s linear discriminant; IG, information gain ratio.

Table VII. The impact of feature selection and fusion methods using the AndroidKeystroke dataset. Fusion method

No. of selected features

FAR (%)

FRR (%)

EER (%)

Elapsed time (ms)

All features QTD FLD IG Sum Weighted Sum Product Max

71 30 21 35 25 23 38 21

0.020 0.030 0.060 0.028 0.035 0.033 0.028 0.055

0.200 0.140 0.100 0.160 0.120 0.121 0.165 0.120

0.035 0.057 0.100 0.069 0.080 0.061 0.070 0.085

125 86 46 96 90 53 110 62

FAR, false acceptance rate; FRR, false rejection rate; EER; equal error rate; QTD, quickly typed digraphs; FLD, Fisher’s linear discriminant; IG, information gain ratio.

0.345 (1- FLD) + 0.417 QTD + 0.345 IG. The experimental results show that the IG method selects the lowest number of features which results in a high reduction in elapsed time but the EER is increased. On the contrary, the resulting EER in the case of the QTD method is lower than those of the IG and FLD methods but the elapsed time is increased. The weighted sum fusion method has the minimum EER and the lowest elapsed time. Therefore, the weighted sum fusion rule is used in all the next experiments. Apparently, the feature selection methods with the weighted sum fusion method reduce the verification load which mitigates the scalability issue of adopting keystroke authentication in a cloud environment. ii. The impact of cluster sizes. Clustering solves the problem of the high verification elapsed time. Instead of comparing keystroke features of an unknown user against the profile templates of all users, the keystroke features will be checked against only the profile templates of users within the same cluster. However, the number of clusters has a deterministic effect on the verification results, that is, verification accuracy and elapsed time. As shown in Figure 4, the optimal number of clusters is 5 which results in EER of 0.055 and an elapsed time of 23 ms in the case of the CMU. iii. The impact of classification methods, user sample size, and password length. Figure 5 indicates that a larger sample size per user may provide more accurate authentication decisions. The SVM obtains the lowest EER in the case of applying it on the CMU and AndroidKeystroke datasets because SVM avoids over-fitting and is effective in high dimensional spaces. However, the MLP outperforms the SVM when applied to smaller number of samples, that is, 10. As illustrated in Table VIII, the MLP also outperforms the SVM in the case of applying it on the GP dataset because the MLP has an excellent generalization to previously unseen patterns which gradually adjusts and trains with the data by the testing and correction of errors. Therefore, the MLP can achieve more accurate results with the smallest number of samples. Although the naive Copyright © 2015 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. (2015) DOI: 10.1002/cpe

A. ABO-ALIAN, N. L. BADR AND M. F. TOLBA

Figure 4. The impact of different cluster sizes.

Figure 5. The impact of different classifiers and sample size on equal error rate (EER) using CMU and AndroidKeystroke datasets.

Table VIII. The impact of different classifiers and sample size on EER and the elapsed time using the GP dataset. GP dataset (EER)

GP dataset (EER)

No. of samples

MLP

MLP

MLP

MLP

SVM

Naive Bayes

10 15

0.060 0.051

0.060 0.051

0.060 0.051

68.9 69.0

60.2 60.2

51.1 51.0

EER; equal error rate; MLP, multilayer perceptron; SVM, support vector machines.

Baysian has the highest EER, it is more efficient, as illustrated in Figure 6. That is because naive Bayesian assumes that all features are fully independent and keystroke dynamics have many features that are highly correlated. As shown in Figure 6 and Table VIII, the elapsed time of verification is independent of the number of samples as the user samples are previously clustered in the offline/registration mode. As illustrated in Figure 7, more keystroke features can be extracted when a password of a larger size is provided, which leads to lower EER and gives more accurate verification processes. However, the large password length can increase the verification elapsed time as illustrated in Figure 8. iv. Comparison with the state-of-the-art For comparison and assessment, the performances of the proposed system and the state-of-the-art are measured in FAR, FRR, EER, and the elapsed time of the verification process, as listed in Copyright © 2015 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. (2015) DOI: 10.1002/cpe

KEYSTROKE AUTHENTICATION SERVICE

Figure 6. The impact of different classifiers and sample size on the elapsed using CMU and AndroidKeystroke datasets.

Figure 7. The impact of different classifiers and password length on equal error rate (EER) using three datasets.

Table IX. Another important evaluation criteria is the degree of freedom the user is given during user registration and login phases, that is, text freedom. In other words, whether the users are confined to a predefined input text (fixed text) or allowed to choose their own texts (free text). Similarly, the device freedom that allows the users to type on their favorable devices may cast some significance to the system’s convenience and performance. It is noteworthy to clarify that [15, 27] and the proposed system (fixed text version) use the same benchmark CMU dataset in the experiments. The benchmark GP dataset is used in [3, 14] and the proposed system (free text version). But as mentioned earlier in Section 4.2, the GP dataset owners have recently published only the keystroke samples of 31 subjects because of the privacy issue. The datasets used in [8, 13] and [23] are their own collected datasets. The results show that the EER of the proposed system is approximately ten times greater than that of [14], while the FRR of the proposed system is the lowest. This dramatic improvement is due to the proposed system’s generative and discriminative nature. Utilizing feature selection methods with Copyright © 2015 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. (2015) DOI: 10.1002/cpe

A. ABO-ALIAN, N. L. BADR AND M. F. TOLBA

Figure 8. The impact of different classifiers and password length on elapsed time using three datasets.

Table IX. Comparison of the proposed system and the state-of-the-art. Method [13] [3] [8] [12] [22] [14] [26] DBN [26]GMM–UBM The proposed system (free text) The proposed system (fixed text)

No. of subjects

No. of samples/ subject

Text freedom

Device freedom

FAR (%)

FRR (%)

EER (%)

Elapsed time (s)

40 40 10 19 24 51 51 51 31

15 15 15 5 100 50 50 50 15

Yes Yes Yes No No No No No Yes

No No No No No No No No Yes

0.005 1.650 2.000 0.045 1.770 — — — 0.042

5.000 2.750 2.000 0 0.120 — — — 0.129

0.500 — — — 1.840 0.096 0.035 0.055 0.051

3.532 0.250 NA 7.323 8.567 NA NA NA 0.069

51

50

No

Yes

0.030

0.120

0.055

0.034

FAR, false acceptance rate; FRR, false rejection rate; EER; equal error rate; DBN, deep belief nets; GMM–UBM, Gaussian mixture model with the universal background model.

feature fusion rules ensures a better selection of discriminative and informative features that fine tune the authentication accuracy. The proposed system outperforms [3, 13, 14] and [23] in terms of the elapsed time of the verification process. The authors in [8, 15] and [27] did not consider the elapsed time of verification (login) process in their experiments and evaluation; however, it is crucial because long verification time frustrates the user with long waiting times. Although the objective in [8] is reducing the sample size for keystroke authentication with only free-typed text, it achieved FRR and FAR close to 2%. Moreover, the results of [8] are not based on a benchmark dataset, that is, a dataset consists of only 10 users. On the other hand, the system achieves FAR = 0.042% and FRR = 0.129% in the case of the benchmark free text dataset Copyright © 2015 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. (2015) DOI: 10.1002/cpe

KEYSTROKE AUTHENTICATION SERVICE

Table X. Other accuracy measurements of the proposed system.

Precision Recall Specificity F-measure

CMU Dataset (%)

AndroidKeystroke Dataset (%)

GP Dataset (%)

95 88 99.6 91.4

94.3 88.2 99 91.1

93.1 87 98 89.9

that consists of 31 users. Moreover, the proposed system reduces the feature dimension by eliminating redundant or irrelevant features for fixed-typed text and free-typed text as well. The proposed system also reduces the verification search space by clustering the profile templates of the users. In the case of the fixed text dataset (CMU dataset), the EER of the proposed system outperforms that of the version of [27] that utilizes the Gaussian mixture model with the universal background model (GMM-UBM). Although the version of [27] that utilizes deep belief nets has a better EER, it confines the user to a predefined and fixed length text. Moreover, their system is applicable to a single input device, that is, a fixed text typed on a traditional PC keyboard and their authentication performances may not be satisfactory for other input devices. In addition, the authors in [27] did not measure the elapsed time of the keystroke verification process, while the proposed system has an efficient elapsed time of the verification process. v. Other accuracy criteria Table X lists the precision, recall, specificity, and F-measure of the proposed system using the three different datasets. The proposed system achieves the best precision (95%), specificity (99.6%), and F-measure (91.4%) using the fixed text CMU dataset, while the best recall (88.2%) is achieved using the AndroidKeystroke Dataset.

5. CONCLUSION Keystroke dynamics is a newly promising behavioral biometric, which authenticates users on the basis of extracting and analyzing the timing features of pressing and releasing keys. Many prior studies were proposed in the area of keystroke dynamics. However, high keystroke feature dimensionality and huge numbers of users with a few numbers of samples are the main dilemma of the existing keystroke authentication systems that incurs scalability issues, especially with cloudbased systems. In addition, existing keystroke authentication systems suffer from low authentication accuracy. In this paper, we adopt keystroke dynamics for user authentication in cloud computing environments. Different feature selection methods, that is, Fisher’s linear discriminant, QTD, and information gain ratio, are utilized to reduce the high dimensionality of the keystroke feature vectors that dramatically degrades the authentication performance. The proposed system also utilizes different feature fusion methods to select the most relevant features resulting from the three feature selection methods to improve the authentication accuracy and efficiency. Additionally, the proposed system utilizes a clustering method to solve the scalability issue of large scale systems with a huge number of users and a large set of training and verification data from each user; therefore, it reduces the verification load significantly. These key advantages make the proposed system better suited to cloud environments. Three different classifiers, that is, SVM, naive Bayesian, and MLP, are examined with three different benchmark datasets. Experimental evaluation of the proposed system yields very promising performance figures with an EER of 0.051 in the case of free-text typed on the traditional PC keyboard, an elapsed verification time of 34 ms in the case of fixed text typed on the traditional PC keyboard and an elapsed verification time of 53 ms in the case of fixed-text typed on the touch screen keyboard. Copyright © 2015 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. (2015) DOI: 10.1002/cpe

A. ABO-ALIAN, N. L. BADR AND M. F. TOLBA REFERENCES 1. Abo-alian A, Badr NL, Tolba MF. Auditing-as-a-service for cloud storage. In Proceedings of the 7th IEEE Interntional conference Intelligent Systems IS’2014, 2015; 559–568. 2. Banerjee SP, Woodard DL. Biometric authentication and identification using keystroke dynamics: a survey. Journal of Pattern Recognition Research 2012; 7(1):116–139. 3. Xi K, Tang Y, Hu J. Correlation keystroke verification scheme for user access control in cloud computing environment. The Computer Journal 2011; 54(10):1–13. 4. Teh PS, Teoh ABJ, Yue S. A survey of keystroke dynamics biometrics. The Scientific World Journal 2013:1–24. 5. Meng W, Wong DS, Furnell S, Zhou J. Surveying the development of biometric user authentication on mobile phones. IEEE Communications Surveys & Tutorials 2015:1–26. 6. Uzun Y, Bicakci K. A second look at the performance of neural networks for keystroke dynamics using a publicly available dataset. Computers & Security 2012; 31(5):717–726. 7. Wang X, Guo F, Ma J-F. User authentication via keystroke dynamics based on difference subspace and slope correlation degree. Digital Signal Processing 2012; 22(5):707–712. 8. Pinto P, Patrão B, Santos H. Free typed text using keystroke dynamics for continuous authentication. In Proceedings of Communications and Multimedia Security, 2014; 33–45. 9. Jagadamba G, Sharmila SP, Gouda T. A secured authentication system using an effective keystroke dynamics. In Proceedings of Emerging Research in Electronics, Computer Science and Technology, 2014; 453–460. 10. Kernan M, Akila M, Krishnaraj N. Biometric personal authentication using keystroke dynamics: A review. Applied Soft Computing 2011; 11(2):1565–1573. 11. Vuyyuru SK, Phoha VV, Joshi SS, Phoha S, Ray A. Computer user authentication using hidden Markov model through keystroke dynamics. Manuscript submitted to ACM Transactions on Information and System Security 2006. 12. Rao AV, Rose K. Deterministically annealed design of hidden Markov model speech recognizers. IEEE Transactions on Pattern Analysis and Machine Intelligence 2001; 9(2):111–126. 13. Hu J, Gingrich D, Sentosa A. A k-nearest neighbor approach for user authentication through biometric keystroke dynamics. In Proceedings of IEEE International Conference on Communications, 2008; 1556–1560. 14. Gunetti D, Picardi C. Keystroke analysis of free text. ACM Transactions on Information and System Security (TISSEC) 2005; 8(3):312–347. 15. Killourhy KS, Maxion RA. Comparing anomaly-detection algorithms for keystroke dynamics. In Proceedings of IEEE/IFIP International Conference on Dependable Systems & Networks, 2009; 125–134. 16. Araújo LC, Sucupira JLH, Lizarraga MG, Ling LL. User authentication through typing biometrics features. IEEE Transactions on Signal Processing 2005; 53(2):851–855. 17. Duda RO, Hart PE, Stork DG. John Wiley & Sons: Pattern classification: New York, 2012. 18. Yu E, Cho S. GA-SVM wrapper approach for feature subset selection in keystroke dynamics identity verification. In Proceedings of the International Joint Conference on Neural Networks (IJCNN), 2003; 2253–2257. 19. Haider S, Abbas A, Zaidi AK. A multi-technique approach for user identification through keystroke dynamics. In Proceedings of IEEE International Conference on Systems, Man and Cybernetics, 2000; 1336–1341. 20. Cho S, Han C, Han DH, Kim HI. Web-based keystroke dynamics identity verification using neural network. Journal of Organizational Computing and Electronic Commerce 2000; 10(4):295–307. 21. Kaneko Y, Kinpara Y, Shiomi Y. A hamming distance-like filtering in keystroke dynamics. In Proceedings of Ninth Annual International Conference on Privacy, Security and Trust, 2011; 93–95. 22. Davoudi H, Kabir E. A new distance measure for free text keystroke authentication. In Proceedings of the 14th International CSI Computer Conference CSICC, 2009; 570–575. 23. Rezaei A, Mirzakochaki S. A novel approach for keyboard dynamics authentication based on fusion of stochastic classifiers. International Journal of Computer Science and Network Security 2012; 12(8):6. 24. Zhao W, Chellappa R, Nandhakumar N. Empirical performance analysis of linear discriminant classifiers. In Proceedings of 1998 IEEE Computer Society Conference on Computer Vision and Pattern Recognition, 1998; 164–169. 25. Dixon SJ, Brereton RG. Comparison of performance of five common classifiers represented as boundary methods: Euclidean distance to centroids, linear discriminant analysis, quadratic discriminant analysis, learning vector quantization and support vector machines, as dependent, on data structure. Chemometrics and Intelligent Laboratory Systems 2009; 95(1):1–17. 26. Zack RS, Tappert CC, Cha SH. Performance of a long-text-input keystroke biometric authentication system using an improved k-nearest-neighbor classification method. In Proceedings of Fourth IEEE International Conference on Biometrics: Theory Applications and Systems (BTAS), 2010; 1–6. 27. Deng Y, Zhong Y. Keystroke dynamics user authentication based on gaussian mixture model and deep belief nets: ISRN Signal Processing, 2013. 28. Hosseinzadeh D, Krishnan S. Gaussian mixture modeling of keystroke patterns for biometric applications. IEEE Transactions on Systems, Man, and Cybernetics Part C: Applications and Reviews 2008; 38(6):816–826. 29. Hinton G, Osindero S, Teh YW. A fast learning algorithm for deep belief nets. Neural Computation 2006; 18(7):1527–1554. 30. Alpar O. Keystroke recognition in user authentication using ANN based RGB histogram technique. Engineering Applications of Artificial Intelligence 2013; 32:213–217. 31. Giuffrida C, Majdanik K, Conti M, Bos H. I sensed it was you: authenticating mobile users with sensor-enhanced keystroke dynamics. In Proceedings Detection of Intrusions and Malware, and Vulnerability Assessment, 2014; 92–111. Copyright © 2015 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. (2015) DOI: 10.1002/cpe

KEYSTROKE AUTHENTICATION SERVICE 32. Stefan D, Shu X, Yao DD. Robustness of keystroke-dynamics based biometrics against synthetic forgeries. Computers & security 2012; 31(1):109–121. 33. Monaco JV, Stewart JC, Cha SH, Tappert CC. Behavioral biometric verification of student identity in online course assessment and authentication of authors in literary works. In Proceedings of IEEE Sixth International Conference on Biometrics: Theory, Applications and Systems (BTAS), 2013; 1–8. 34. Ahmed AA, Traore I. Biometric recognition based on free-text keystroke dynamics. IEEE Transactions on Cybernetics 2014; 44(4):458–472. 35. Antal M, Szabó LZ, László I. Keystroke dynamics on android platform. In Proceedings of 8th International Conference Interdisciplinarity in Engineering (INTER-ENG), 2014. 36. Seo S. A review and comparison of methods for detecting outliers in univariate data sets. Doctoral dissertation, Faculty of Graduate School of Public Health, Kyunghee University: Seoul, South Korea, 2002. 37. Iglewicz B, Hoaglin D. How to detect and handle outliers. ASQC Quality Press: Milwaukee, 1993. 38. Lachenbruch PA. Discriminant Analysis. John Wiley & Sons: New York, 1975. 39. Al Solami E, Boyd C, Clark A, Ahmed I. User-representative feature selection for keystroke dynamics. In Proceedings of the 5th International Conference on Network and System Security (NSS), 2011; 229–233. 40. Guyon I, Elisseeff A. An introduction to variable and feature selection. The Journal of Machine Learning Research 2003; 3:1157–1182. 41. Park HS, Jun CH. A simple and fast algorithm for K-medoids clustering. Expert Systems with Applications 2009; 36(2):3336–3341. 42. Van Gestel T, De Brabanter J, De Moor B, Vandewalle J, Suykens JA, Van Gestel T. Least squares support vector machines. World Scientific: Singapore, 2002. 43. Flach PA, Lachiche N. Naive Bayesian classification of structured data. Machine Learning 2004; 57(3):233–269. 44. Isa MNA, Mamat WMFW. Clustered-hybrid multilayer perceptron network for pattern recognition application. Applied Soft Computing 2011; 11(1):1457–1466.

Copyright © 2015 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. (2015) DOI: 10.1002/cpe