Cyberspace Security Use Keystroke Dynamics. Alaa Darabseh, B.S. and M.S. A Doctoral Dissertation In Computer Science

(1)

Cyberspace Security Use Keystroke Dynamics

by

Alaa Darabseh, B.S. and M.S.

A Doctoral Dissertation In

Computer Science

Submitted to the Graduate Faculty of Texas Tech University in

Partial Fulfillment of

the Requirements for the Degree of

Doctor of Philosophy

Approved

Dr. Akbar Siami Namin

Committee Chair Dr. Rattikorn Hewett

Dr. Donald Jones Dr. Susan Mengel

Dr. Mark Sheridan Dean of Graduate School

(2)

(3)

Texas Tech University, Alaa Darabseh , August 2015

ii

ACKNOWLEDGMENTS

First, I would like to thank my advisor Dr. Akbar Siami Namin for his great support and long hours with me. The research presented in this dissertation will not be possible without his help. I also would like to express my appreciation to my committee members (Drs. Rattikorn Hewett, Donald Jones, and Susan Mengel) for their endless support to make this work possible. I feel privileged and honored to have them as members of my dissertation committee.

None of this work could have been done without the support of my father, who always encouraged me to be successful. Without his prayers and love I would never have reached this moment. Finally, I would like to dedicate this achievement to my mother soul.

(4)

iii

TABLE OF CONTENTS

Acknowledgments ... ii

Abstract ... vi

List of Tables ... viii

List of Figures ... ix

1. Introduction ...1

1.1. Biometrics: The Focus of This Dissertation ...2

1.2. Motivation ...3

1.3. Research Questions ...5

1.4. Contributions ...6

2. Background ...8

2.1. User Authentication in Computer Security ...8

2.1.1. Something You Know ...8

2.1.2. Something You Have ...9

2.1.3. Something You Are ...9

2.1.4. Combination of Authentication Factors ...9

2.2. Biometric Systems ...10

2.2.1. Performance Measures ...11

2.3. Keystroke Dynamics ...13

2.3.1. Static and Dynamic Authentication Systems ...14

2.3.2. Keystroke Features ...16

2.4. Literature Review ...17

2.4.1. Static Verification ...17

2.4.2. Continuous Verification ...19

3. Motivational Challenges and Contributions of the Thesis ...23

3.1. Research Motivations ...23

3.2. Research Contributions ...25

4. Experimental Setup ...28

4.1. Data Collection ...28

(5)

iv

5. Keystroke Feature Selection Using Statistical Methods In Hypotheses Testing ...32

5.1. Motivations ...32

5.3. Data Analysis Methods ...33

5.3.1. Mann-Whitney Statistics Test ...33

5.3.2. Effect-Sizes ...34

5.3.3. R's Statistics Package ...36

5.4. Analyses And Results ...36

5.4.1. Mann-Whitney Test Analyses ...36

5.4.2. Mann-Whitney Test Results ...40

5.4.3. Effect-Size Analyses ...43

5.4.4. Effect-Size Results ...44

5.4.5. Subset Feature Performance ...45

5.5. Conclusion ...47

6. Keystroke Feature Selection Using Machine Learning-Based Classifications ...49

6.2. Machine Learning Methods ...50

6.2.1. Support Vector Machine ...50

6.2.2. Linear Discriminate Classifier ...51

6.2.3. K-Nearest Neighbors ...52

6.2.4. Naïve Bayes ...53

6.2.5. One Class SVM ...53

6.2.6. R Packages ...54

6.3. Machine Learning Analyses And Results ...54

6.3.1. Feature’s Items Performance ...54

6.3.2. Features Performance ...59

6.4. Conclusion ...61

7. Keystroke Feature Selection Using Wrapper-Based ...64

7.1. Feature Selections ...64

7.1.1. Filter Approach ...65

(6)

v

7.2. Wrapper-Based Feature Subset Selection Techniques ...67

7.2.1. Greedy Algorithms ...68

7.2.2. Best-First Search Algorithm ...70

7.2.3. Genetic Algorithm ...72

7.2.4. Particle Swarm Optimization ...73

7.2.5. Weka Analyses Tools ...75

7.3. Results ...75

8. Continuous User Authentication Based on Sequential Change-Point Analysis ...77

8.1. Motivations ...77

8.3. Intrusion Detection ...78

8.4. Change-Point Detection ...79

8.4.1. Batch Change-Point Detection ...82

8.4.2. Sequential Change-Point Detection ...84

8.4.3. CMP R Package ...85 8.5. Analyses ...86 8.5.1. Data Set ...86 8.5.2. Analyses Methods ...86 8.5.3. Analyses Results ...90 8.6. Conclusion ...94

9. Conclusion and Future Work ...95

(7)

vi ABSTRACT

Most of the current computer systems authenticate the user identity only at the point of entry to the system (i.e., login). However, an effective authentication system includes continuous or frequent monitoring of the identity of the user to ensure the valid identity of the user throughout a session. Such a system is called a continuous authentication system. An authentication system with such security scheme protect against certain attacks such as session hijacking that can be performed by a malicious user.

Recently, keystroke analysis has acquired popularity as one of the main approaches in behavioral biometrics techniques that can be used for continuously authenticating user. There are several advantages when applying keystroke analysis: First, keystroke dynamics are practical, since every user of a computer types on a keyboard. Second, keystroke analysis is inexpensive because it does not require any additional components (such as special video cameras) to sample the corresponding biometric feature. Third and most importantly, typing rhythms can be still available even after the authentication stage has been passed.

A major challenge in keystroke analysis is the identification of the major factors that influence the performance accuracy of the keystroke authentication detector. Two of the most influential factors that may impact the performance accuracy of the keystroke authentication detector include the classifier employed and the choice of features.

Currently, there is insufficient research that addresses the impact of these factors in continuous authentication analysis. The majority of exciting studies in keystroke analysis focuses primarily on the impact of these factors in the static authentication analysis. Understanding the impact of these factors will contribute to the improvement of

continuous authentication keystroke based system performance. Furthermore, most of the existing schemes of keystroke analysis require having predefined typing models either for legitimate users or impostors. However, it is difficult or even impossible in some

(8)

vii

instance, consider a personal computer that a user carries to a college or to a cafe. In this case, only the computer owner (legitimate user) is known in advance. For another instance, consider a computer that has a guest account in a public library; in this case, none of the system users are known in advance. Thus, a new automated and flexible technique that has the ability to authenticate the user without the need for any prior user typing model is needed.

This dissertation focuses on improving continuous user authentication systems (that are based on keystroke dynamics) designed to detect malicious activity caused by another person (impostor) whose goals to is take over the active session of a valid user. The research will be carried out by1) studying the impact of the selected features on the performance of keystroke continuous authentication systems; 2) proposing new timing features that based on utilization of the most frequently used English words (e.g. “The”,

“And”, For””) that can be useful in distinguishing between users in continuous authentication systems; 3) comparing the performance of keystroke continuous

authentication systems with the application of different algorithms; 4) investigating the possibility of improving the accuracy of continuous user authentication systems by combining more than one feature; 5) proposing a new detector that does not require predefined typing models either from legitimate users or impostors.

(9)

viii

LIST OF TABLES

‎4.1: Number of occurrences of the feature items in the English passages ... 31

‎5.1: Average of effect sizes for all feature items using 28 users ‘data, sorted ascendingly. ... 45

‎6.1: Item performance using SVM... 56

‎6.2: Item performance using OC-SVM ... 57

‎6.3: Item performance using KNN ... 58

‎6.4: Item performance using NB ... 58

‎6.5: Performance Comparison of four different keystroke features on SVM, LDC, NB, and KNN. ... 60

‎7.1: Comparison of features selected. ... 76

‎8.1: Performance of detection system using different ARL of letter “E”. ... 90

‎8.2: Letter performance using sequential change-point detection when employing Lepage statistical tests, the change occurs after 50 observations. ... 91

‎8.3: Letter performance using sequential change-point detection when employing Lepage statistical tests, the change occurring after 100 observations. ... 92

‎8.4:Letter performance using sequential change-point detection when employing different statistical test techniques. ... 93

(10)

ix

LIST OF FIGURES

‎2.1: Traditional biometrics system. ... 10

‎2.2: Keystroke dynamics enrollment and authentication schemes. ... 14

‎2.3: Security cycles of static and continuous keystroke authentication system. ... 15

‎2.4: Keystroke timing information. ... 17

‎4.1: Main window of the application used to collect the data from users. ... 29

‎4.2: An example of four keystroke features extracted for the word “the”. ... 30

‎5.1: A comparison between the performances of four different keystroke features. (a) Results obtained using Whitney statistic test. (b) Results obtained using Mann-Whitney statistic test and Voting Schema. ... 41

‎5.2: A comparison between the performance of four different keystroke features items using 28 participants’ data with Mann-Whitney statistic test. ... 42

‎5.3: The performance of different combinations of different keystroke features performed using 8 participants’ data. ... 43

‎5.4: FAR values for the 5, 10, and 15 most discriminative items based upon two approaches applied (p-values and effect sizes) using 28 user’s data. ... 46

‎5.5: FAR values for the 5, 10, and most frequent items of each feature using 28 users’ data. ... 46

‎6.1: Performance comparison of four keystroke features used independently against the ten different combinations performed on SVM. ... 61

‎6.2: Performance comparison of four keystroke features used independently against the ten different combinations performed on KNN. ... 61

‎7.1: Three main categories of feature selection. ... 65

‎7.2: Feature subset selection using Wrapper approach. ... 68

‎7.3: Forward and Backward Selection Wrapper Approach Algorithm... 69

‎7.4: Best-First Search Wrapper Approach Algorithm. ... 71

‎7.5: Genetic Search Wrapper Approach Algorithm. ... 72

‎7.6: Particle Swarm Optimization Wrapper Approach Algorithm. ... 74

(11)

x

‎8.2: An illustration of sequential change–point detection. The detection delay is measured in the amount of data a test needed to signal a change point in the sequence. ... 88 ‎8.3: Performance of detection system using different ARL of letter “E” ... 89

(12)

1 CHAPTER 1 INTRODUCTION

In modern society, the combination of username and password security scheme is being the mainly used authentication method to control access to sensitive and important resource particularly in computer security and related fields. In this case, the user claims an identity by providing her user name and then proves the ownership of the claimed identity by providing a password. However, these traditional protection mechanisms that relay on using a passwords are less satisfactory and vulnerable to be stolen. Moreover, these traditional protection mechanisms that relay on using username and passwords are only verify user’s identity at the point of entry to the system (i.e., login). However, an effective authentication system includes continuous or frequent monitoring of the identity of the user to ensure the valid identity of the user throughout a session. Such a system is called a continuous authentication system. An authentication system with such security scheme protect against certain attacks such as session hijacking that can be performed by a malicious user. There are numerous conceivable applications and scenarios that require a continuous user authentication approach. For instance, consider a student who takes online quizzes/tests. This is an important application in the light of the fact that the number of students taking online classes is increasing and teachers are getting more concerned about true assessment and academic integrity. Threat in this case includes substitute of the valid student who is already authenticated at the start of the exam. For another example, consider an employee who works for an organization. In this case, threats include an insider intruder who can takes over an active session.

Recently, keystroke analysis has acquired popularity as one of the main approaches in behavioral biometrics techniques that can be used for continuously authenticating user. There are several advantages when applying keystroke analysis: First, keystroke dynamics are practical, since every user of a computer types on a keyboard. Second, keystroke analysis is inexpensive because it does not require any additional components (such as special video cameras) to sample the corresponding biometric feature. Third and

(13)

2

most importantly, typing rhythms can be still available even after the authentication stage has been passed.

The intention that forms the basis of this dissertation is to improve continuous keystroke biometrics user authentication systems designed to detect malicious activity caused by another person (impostor) who intends to take over the active session of a valid user. Section 1.1 provides an overview of biometrics. The motivation of this dissertation is provided in Section 1.2. The main questions that will be addressed in this dissertation are provided in Section 1.3. Dissertation contributions are provided in Section 1.4.

1.1.Biometrics: The Focus of This Dissertation

Authentication and Identification of individuals are amongst the most emerging problems that have been arisen in daily operations. Since the beginning of human interactions, humans have used facial features and voices to recognize others. In this context, biometrics refers to human characteristics and traits that make each individual unique. For a long time, humans have used fingerprints as a biometric feature to authenticate the identity of others. Handwriting, signature, voice, and hand geometry have also been used since the 1980s. During the 90’s, commercial software capable of facial recognition and iris scanning have been added to the market.

In a modern society that heavily depends on computers, biometrics plays a critical role in nearly every aspect of our lives. Government agencies, transportations, healthcare, financial institutions, education, and security are increasingly reliant on biometrics to ensure the quality and more importantly the integrity and security of daily activities. Biometrics can be used to prevent unauthorized access to ATMs, smart cards, cellular phones, desktop PCs, and computer networks. Unlike traditional authentication

mechanisms, such as keys or passwords, biometrics cannot be lost, stolen, or forgotten. Biometrics is inherently secure by nature and cannot be socially engineered or shared with others, unless it is forged.

(14)

3

In terms of computer security, biometrics refers to authentication techniques that depend on the use of human characteristics that make each individual unique, and often involves personal characteristics that can be used to uniquely verify a person's identity. Biometrics- based techniques are mainly classified as physiological biometrics features such as fingerprint, face, or iris or behavioral biometrics features, such as gait,

handwritten signatures, keystroke dynamics, etc.

Biometric techniques based on physiological features are considered more successful than those based on behavioral characteristics (Ashbourn 2014). This relative success is probably due to the fact that physiological features are more stable and generally do not change over time, whereas behavioral features can be affected by an impermanent state, such as stress or illness. However, biometrics techniques based on physiological features usually require an additional sampling special tool (such as video cameras). Therefore, in the case of access to computers, the need for an additional special tool leads to increased cost. In contrast, biometrics techniques based on behavioral features such as keystroke dynamics can be a natural choice to increase computer access security when used in conjunction with traditional authentication methods.

The aim of this dissertation is to advance the user active authentication using

keystroke dynamics. Through this dissertation, we assess the performance and influence of various keystroke features on keystroke dynamics authentication systems.

Furthermore, this dissertation proposes a new detector that does not require predefined typing models either from legitimate users or impostors.

1.2.Motivation

Keystroke dynamics are defined as “a behavioral biometric characteristic which involves analyzing a computer user’s habitual typing pattern when interacting with a computer keyboard” (Ashbourn 2014). In other words, keystroke biometric systems assume that typing characteristics of an individual are unique and difficult to reduplicate. A biometric keystroke authentication system consists of two phases: the enrollment

(15)

4

phase, which includes capturing typing data, filtering, feature extraction, and pattern learning; and the verification phase, which includes capturing typing data, filtering, feature extraction, and performing the comparison with the biometric pattern.

The amount of typing data that is required to build a user pattern in the enrollment phase and the amount of typing data that must be collected before the comparison occurs in verification phase is an important issue in the keystroke authentication system. An efficient keystroke authentication system should have the ability to build the user pattern in minimal time, and it should be able to achieve quickest detection while maintaining good accuracy. However, maintaining high detection accuracy and short detection time is difficult and somehow these two are conflicting requirements that must be balanced for optimum detection.

In order to tackle this problem, we could reduce the amount of data needed to be collected without loss of accuracy of a prediction model. This can be achieved by reducing the number of features that need to be learned by the classifier. As a matter of fact, the proper selection of features plays a key role in enhancing the accuracy of keystroke authentication detectors (Killourhy and Maxion 2010).

Through this dissertation, we assess the performance and influence of various keystroke features in keystroke dynamics authentication systems. In particular, this dissertation investigates the performance of keystroke features on various subsets of the 20 most frequently used English alphabet “letters”, the 20 most frequently appearing pairs of English alphabet “letters”, and the 20 most frequently appearing English

“words”. The performance of four features including the key duration, flight time latency, digraph time latency, and word total time duration are analyzed. Experiments are

conducted to measure the performance of each feature individually and of different subset combinations of these features.

This dissertation focuses on improving continuous user authentication systems (that are based on keystroke dynamics) designed to detect malicious activity caused by another person (impostor) whose goals to is take over the active session of a valid user. The

(16)

5

research will be carried out by 1) studying the impact of the selected features on the performance of keystroke continuous authentication systems; 2) proposing new timing features that based on utilization of the most frequently used English words (e.g. “The”,

“And”, For””) that can be useful in distinguishing between users in continuous authentication systems; 3) comparing the performance of keystroke continuous

authentication systems with the application of different algorithms; 4) investigating the possibility of improving the accuracy of continuous user authentication systems by combining more than one feature; 5) proposing a new detector that does not require predefined typing models either from legitimate users or impostors.

1.3.Research Questions

The main research questions addressed in this dissertation are the follows:

1. Which keystroke timing feature(s) among key duration, flight time latency, digraph time latency, and word total time duration timing performs better in keystroke dynamics? This question will be discussed in Chapters 5 and 6.

2. Does any combination of timing features improve the accuracy of an

authentication scheme? This question will be discussed in Chapters 5 and 6.

3. Which feature item contribute more to the accuracy of the model, where feature item are defined as the exact instances of letters in each feature, e.g. “a”, “Th”, etc.? This question will be discussed in Chapters 5 and 6.

4. How does word total time duration feature perform in comparison with key duration, flight time latency, and digraph time latency? This question will be discussed in Chapters 5 and 6.

5. Which authentication algorithm(s) among (SVM, LDC, NB, and KNN) performs better in keystroke dynamics? This question will be discussed in Chapter 6.

(17)

6

6. Can we detect the impostor who takes over from the legitimate user during the computer session when NO predefined typing models are available in advance either for legitimate users or impostors? This question will be discussed in Chapter 8.

7. Is it possible to detect an imposter in the early stages of an attack? If so, what amount of typing data is needed for a system in order to be able successfully detect the imposter? This question will be discussed in Chapter 8.

1.4. Contributions

The aim of this dissertation is to advance active user authentication technology that utilizes keystroke dynamics. This dissertation focuses on various keystroke features as they affect the performance of the keystroke dynamics authentication system. The present study also considers the possibility of improving performance by combining four

keystroke features including key duration, flight time latency, digraph time latency, and word total time duration.

The major contribution of this dissertation is the utilization of most frequently used English words in determining identify of users typing on the keyboard. A comparison is conducted between a less common timing feature for keywords, namely the total time to type whole word, and other more common features, such as digraph and flight times of letters.

Another important contribution of this dissertation includes proposing a novel

approach based on sequential change-point methods for early detection of an imposter in computer authentication. There are two main advantages of the sequential change-point methods. First, they can be implemented online, and hence, enable the building of continuous user authentication systems without the need for any user model in advance. Second, they minimize the average delay of attack detection while maintaining an acceptable detection accuracy rate.

(18)

7

The key contributions of this dissertation are as follows:

 Introduction of new features that can distinguish between users in continuous authentication systems based on keystroke dynamics. The new features are based on utilization of the most frequently used English words in deciding the identity of users typing on the keyboard.

 Extraction of various types of keystroke features and investigation as to which one is the most efficient in keystroke dynamics.

 Adaptation of new anomaly detection algorithm for analyzing typist data. The new algorithm is based on sequential change-point analysis for early detection of an imposter in computer authentication.

 Performance comparison of several anomaly detection techniques in terms of their ability to distinguish between users i n continuous authentication systems.

 Application of machine learning-based features selection techniques useful in selecting the most influential features in continuous authentication systems based on keystroke dynamics, which maintain sufficient classification accuracy of the system and decrease the training and testing time required.

(19)

8 CHAPTER 2 BACKGROUND

This chapter provides an overview of the authentication concepts. It also provides an overview of different kinds of biometrics authentication methods focusing on keystroke authentication methods.

This chapter is organized as follows. Section 2.1 provides an overview of

authentication methods. Section 2.2 discusses biometrics authentication systems. Section 2.3 discusses keystroke dynamic systems in detail. Section 2.4 provides a brief summary of extant studies of keystroke analysis.

2.1.User Authentication in Computer Security

Authentication can be defined as the process that verifies if someone is, in fact, who he or she claims to be. In other words, it gives proving ownership of the claimed identity. For instance, passwords are usually required to gain access to computers; PIN codes are required to get money from ATM machines. There are several methods that provide the ability to authenticate a user. Traditionally, these methods are categorized into three main types:

 Something you know and do not share, e.g., passwords, PIN or pass-phrases.  Something you have and keep safe, e.g., smart cards.

 Something you are and cannot be shared, e.g. biometric features such fingerprints. In the following subsections we provide a brief description of each type.

2.1.1. Something You Know

In this type, the user who needs to get access to the system must simply provide knowledge of a secret. For example, PIN codes are required to get money from ATM machines, or passwords are usually required to gain access to computers. The main

(20)

9

advantages of this method are that it is a fast authentication mechanism with less cost compared to other methods, and easy to implement in real world. However, this method has some limitations: namely, secrets are easy to forget, or they can be stolen when the user writes them down.

2.1.2. Something You Have

In this type, the user who wants access to the system is required to provide a unique piece of hardware (a key, a smart card, a SIM card) that can be used to match a user identity. The main advantage of this method is that the user here does not need to remember any secrets to get access to the system as in the case of the previous class. However, this method is more expensive since it requires special pieces of hardware for the equipment as well as for the user. Moreover, this method requires taking action when the hardware is lost or stolen.

2.1.3. Something You Are

An authentication process of this type is based on utilization of biometric features such as fingerprints or an iris pattern. It based on the assumption that biometric features are unique from one person to another. For instance, fingerprints are unique even in the case of identical twins. The main advantage of this method is that biometric features cannot be lost, stolen, or forgotten. Biometrics is inherently secure by nature and cannot be socially engineered or shared with others, unless it is forged.

2.1.4. Combinations of Authentication Factors

In this type, to access to a digital system, the user must provide at least two

authentications from the above three types. One example of such a combination could be in the case of withdrawing money from an ATM machine where two things must be provided: the bank card and the PIN code. In this case, the user provides two factors: something he knows (a PIN code) and something he has (a bank card) to access his bank account. It is apparent that the purpose of this sort of combination is to increase the system security.

(21)

10

2.2.Biometric Systems

According to (Ashbourn 2014), a biometric system is "the automated verification of human identity through repeatable measurement of physiological and/or behavioral characteristics". The operation of biometric authentication systems consists of two phases (Ashbourn 2014):

I. The enrollment phase: this phase includes data capture, data filtering, feature extraction, and pattern learning.

II. The verification phase: this phase includes data capture, feature extraction, and the comparison of the performance with the biometric pattern.

The main scheme for a biometric authentication system as outlined by Ratha et al. (2001) is depicted in Figure 2.1.

Figure 2.1: Traditional biometrics system.

The biometric authentication system is based on utilization of human characteristics (features) that make each person unique. However, in order for those features to be used in building practical and effective biometric systems, they need to satisfy, to some degree, certain essential properties. The properties are:

1. Universality- The characteristic (features) should exist for each person. 2. Distinctiveness- No two people share the same characteristic.

(22)

11

3. Permanence- The characteristic should be constant over time.

4. Collectability-Data of the characteristic must be quantitatively measurable. 5. Performance- The characteristics need to provide good accuracy.

6. Acceptability- The characteristics must be accepted by most people. 7. Circumvention- The characteristics cannot be easily imitated or replicated.

Generally, biometric characteristics should meet all of these properties in order for the biometric system to be a feasible and effective. However, it is clear that no characteristics can possibly satisfy all those properties to the highest degree. The degree to which a candidate characteristic satisfies these properties usually determines the type or level of biometric security application it can be used for.

2.2.1. Performance Measures

In the previous section, we have seen that the operation of a biometric authentication system consists of two phases, the enrollment phase and the verification phase. In the enrollment phase, the system tries to learn user characteristics and build a pattern. In the verification phase, the system compares the new sample with the stored pattern and generates a similarity or dissimilarity score. The generated score is then matched against some predetermined threshold. The threshold is a line that represents the difference between the legitimate user and the imposter. All scores that fall below a threshold line are considered to characterize the legitimate user, and all scores that fall above a threshold line are considered to characterize an impostor.

A biometric authentication system requires the person being identified to make a claim to an identity. Given the fact that the claimant may or may not be a genuine user, there are four possible outcomes, two of which describe false claims.

1. An impostor tries to authenticate and is denied (true negative). 2. A legitimate user tries to authenticate and is accepted (true positive). 3. An impostor tries to authenticate and is accepted (false positive).

(23)

12

4. A legitimate user tries to authenticate and is denied (false negative).

Typically, performance of biometric systems is measured in terms of various error rates. The most commonly used error rates are False Acceptance Rate (FAR) and False Rejection Rate (FRR). FAR refers to the percentage of imposters who were mistakenly accepted by the system. In statistics, this error is referred to as a Type II error, defined as:

Attempts Match Imposter of Number Total Attempts Imposter Accepted of Number  FAR

FRR refers to the percentage of authorized users whose identities were mistakenly denied from the system. In statistics, this error is referred to as a Type I error, defined as:

Attempts Match Legitimate of Number Total Attempts User Legitimate Rejected of Number  FRR

For an ideal case, both of these error rates should be equal to 0%. However, there is a trade-off between these two metrics; i.e., increasing one might not be possible without decreasing the other one. The choice of which threshold to use is a very critical issue in biometric authentication systems that may depend heavily on the security level of the application. For instance, in domains where a high security application is required, FAR must be as low as possible to detect as many impostors as possible.

Another important error metric that is often used to compare different biometric systems is the Equal Error Rate (EER). EER can be defined as the point where FAR value is equal to FRR value.

In the next section, we describe the keystroke dynamics authentication in detail as one of the behavioral biometric types.

(24)

13

2.3.Keystroke Dynamics

Keystroke dynamics are defined as “a behavioral biometric characteristic which involves analyzing a computer user’s habitual typing pattern when interacting with a computer keyboard” (Ashbourn 2014). In other words, keystroke biometric systems assume that typing characteristics of an individual are unique and difficult to reduplicate. There are several advantages to keystroke analysis: First, keystroke dynamics are

practical, since every computer user types on a keyboard. Second, it is an inexpensive method because it does not require any additional components. Third and most important, typing rhythms can remain available even after the authentication phase has passed.

The concept behind keystroke dynamics is inspired by much older works that differentiate telegraph operators by their tapping rhythm over telegraph lines. This capability was improved and used during World War II by the US military to distinguish an ally from an enemy. In the mid-70s, Spillane (1975) in an IBM technical report was the first to suggest using a computer keyboard’s typing rhythms to identify users. In the early 80s, Gaines et al. (1980) conducted a feasibility study on the timing of keystroke patterns as an authentication method. Since that time, keystroke dynamics has been an active research area. Keystroke dynamics research is known by other names such as keystroke analysis, typing rhythms, and typing biometrics. Several studies (Joyce and Gupta 1990, Bleha et al. 1990, Obaidat and Sadoun 1997, Sang et al. 2005) conclude that users tend to have constant behavior patterns when they type on a keyboard. Thus, keystroke dynamics can be used for authentication.

As with other biometric authentication systems, a keystroke authentication system consists of two phases: the enrollment phase, which includes capturing typing data, filtering, feature extraction, and pattern learning; and the verification phase, which includes capturing typing data, filtering, feature extraction, and performing the comparison with the biometric pattern. The main scheme for the keystroke dynamics system as outlined by Romain et al. (2011) is pictured in Figure 2.2. A user types on the keyboard and the timing of typing features is extracted and compared with the user's

(25)

14

stored typing pattern by the matcher. The matcher decides whether the current user is a legitimate user.

Figure2.2: Keystroke dynamics enrollment and authentication schemes.

2.3.1. Static and Dynamic Authentication Systems

Keystroke analysis techniques can be primarily classified into two main categories – static and dynamic (or continuous) analysis. Static analysis means that the analysis is executed at certain points in the system (i.e., at log-in time). This type of analysis ordinarily involves short typing samples such as those which might be seen at log-in time; for example, user IDs, passwords, names, and/or passes phrases. This method is often used to add additional security to the system and to address some limitations inherent in the traditional authentication techniques.

With such a security scheme, during an authentication process (at log-in time), the verification system attempts to verify two issues: first, is the user credential correct? Second, is the manner of typing the password similar to the user profile? Therefore, if an attacker was able to steal the user’s credentials, he/she will be rejected by the verification system because he/she will not type in the same pattern as the legitimate user.

(26)

15

With a static security scheme, the authentication process is statically performed only at the point of entry to the system (i.e., log-in). However, an effective authentication system continuously verifies the identity of the user by gathering typing data throughout the user’s session to ensure the valid identity of the user. An authentication system with such a security scheme can be protected against certain attacks, such as session hijacking performed later by a malicious user.

In contrast to static analysis, dynamic analysis includes continuous or frequent monitoring of one's keystroke behavior. It is first checked during the log-in session and continues after the initial authentication. In this case, larger typing samples are usually necessary in order to build an individual model. Typing samples can be collected directly, by requiring individuals to type some predefined long text several times, or indirectly, by monitoring their keystroke activities (e.g., while they are writing emails and using word processing).

Figure 2.3 shows the security life cycles of static and continuous keystroke authentication systems. It is obvious that continuous keystroke authentication systems provide greater security.

Figure 2.3: Security cycles of static and continuous keystroke authentication system.

Additionally, static authentication analysis can be utilized only in systems where there is no need for additional text entry (e.g., to check bank accounts online). By contrast, there are numerous conceivable applications of the keystroke biometric for dynamic authentication analysis.

(27)

16

One such application is the verification of the identity of students taking online quizzes/tests. This is an important application in light of the fact that the number of students taking online classes is increasing, leading to growing concerned among education professionals about true assessment and academic integrity. Another good application is the use of dynamic biometrics to prevent insider attacks by installing key loggers on each employee's computer to monitor his/her keystroke activities.

2.3.2. Keystroke Features

When a person types on a keyboard, two main events occur: 1) the key down event, when a person presses a key, and 2) the key up event, when a person releases a key. Timestamps of each event are usually recorded to keep track of when a key is pressed or released.

A variety of timing features can then be extracted from this timing information. Two of the most used features are 1) duration of the key, which is the time the key is held down, and 2) keystroke latency, which is the time between two successive keystrokes. Latency can be calculated by many different methods. The most commonly used methods are:

 Press-to-press (PP) latency, which is the time interval between consecutive key presses; PP is also called digraph time.

 Release-to-press (RP) latency, which is the time interval between releasing the key and pressing the next one; PR is also called flight time.

 Release-to-release (RR) latency, which is the time interval between releases of two consecutive keys.

It is also possible to capture other keystroke dynamics information, such as the time it takes to write a word, two letters (digraph) or three letters (tri-graph). Figure 2.4 presents the most popular features that can be extracted from keystroke timing information. Other features such as difficulty of typing phrase, pressure of keystroke, and frequency of word

(28)

17

errors can also be used as features in keystroke analysis. However, not all features are favorable since some of them require extra tools, as in the case of keystroke pressure. Therefore, this dissertation focuses on keystroke timing information of the user when typing on the keyboard.

Figure 2.4: Keystroke timing information.

2.4.Lierature Review

So many reports can be found on keystroke analysis based on a static authentication. Fewer works are to be found on keystroke analysis with continuous authentication. In this section, we present a brief summary of extant studies on both types of keystroke

analysis.

2.4.1. Static Verification

Joyce and Gupta performed a study on 33 users, out of whom six users represented legitimate users and 27 users represented impostors (Joyce and Gupta 1990). All users were asked to type in their log-in name, password, first name and last name, eight times in one session. The mean reference's signature was computed by calculating the mean of the eight values. Digraph latencies that fall within 1.5 standard deviations of the

reference’s signature mean are considered to belong to a valid user. Using absolute distance, the researchers achieved 0.25% of FAR and 16.67% of FRR.

(29)

18

(1990), using a digraph to distinguish between legitimate users and impostors. They performed experiments on 39 users, out of whom 14 users represented legitimate users, whereas 25 users represented impostors. Using a minimum distance classifier, Bleha et al. achieved 8.1% of FAR and 2.8% of FRR.

Brown and Rogers (1993) used the search strategies introduced in Artificial Neural Networks (ANNs) as a pattern classifier for keystroke dynamics data. They were the first researchers to use keystroke duration as a feature to differentiate between legitimate users and impostors. They performed experiments on 61 users, out of whom 46 users

represented legitimate users, while 15 users represented impostors. Each user provided 41 and 30 samples of eight characters long. This study reported the FAR to 0.0 percent and achieved a FRR of 0.115 percent.

Obaidat and Sadoun (1997) used keystroke duration and latency together as a feature to differentiate between legitimate users and impostors. Their experiment involved 15 participants who were asked to type their names 225 times each day over a period of eight weeks. Using neural network as a classifier, Obaidat and Sadoun were able to achieve a FAR of 0.0 percent and a FRR of 0.0005 percent.

Cho et al. (2000) collected the required data online for their experiments. In the study, 21 participants represented legitimate users and 15 represented impostors who provided 275 and 75 samples of 8 characters long. Cho et al. used the multi-layer perceptron (MLP) ANN for classification, reporting a FAR of 0.0 and a FRR of 0.01.

Sang et al. (2005) performed a similar experiment to that of Obaidat and Sadoun, using duration and latency together as a feature to differentiate between legitimate users and impostors. Support vector machine (SVM) was used to classify ten user profiles. This study achieved very good accurate results of 0.02% FAR and 0.1% FRR.

Ara´ujo et al. (2005) conducted seven experiments on 30 users. They attempted to improve the regular log-in-password authentication performance by combining more than

(30)

19

one feature. Four features (key code, two keystroke latencies, and key duration) were analyzed. The statistical distance classifier was used in their experiments for

classification. The better results were achieved with the use of all features, which yielded a FAR of 1.89% and FRR of 1.45%.

Revett et al. (2007) performed an experiment on 50 participants using the probabilistic neural network (PNN). In this study, 20 participants represented legitimate users and 30 represented impostors, who provided 13 and 30 samples of text range from 6 to 15

characters long. Keystroke event times were recorded in milliseconds with an accuracy of ±1 ms. they reported an average FAR/FRR of 0.039.

2.4.2. Continous Verification

As previously mentioned, fewer studies are to be found on the subject of continuous verification. Some papers tested the possibility of continuous verification of the user during a complete typing session.

Gaines et al. (1980) conducted a feasibility study on the use of timing patterns of keystrokes as an authentication method. The experiment involved six professional typists who were required to provide three passages consisting of 300 to 400 words, two times each, over a period of four months. A statistical t-test was applied under the hypothesis that the means of the digraph times were the same in both settings, and with the

assumption that the two variances were equivalent. It was demonstrated that the number of digraph values that exceeded the test were typically between 80 to 95 percent. The most frequent five digraphs that appeared as distinguishing features were in, io, no, on, ul.

Umphress and Williams (1985) conducted an experiment in which 17 participants were asked to provide two typing samples. The first sample, which was used for training, included about 1400 characters, and the second, which was used for testing, included about 300 characters. Digraph latencies that fall within 0.5 standard deviations of its

(31)

20

mean are considered to belong to a valid user. They achieved 6% of FAR and 12% of FRR.

John and Williams (1988) performed experiments on 36 participants who were asked to type the same text of 537 characters twice in two separate events over a month . The first sample was used for training and building an authentication model of the users, and the second sample was used for testing. The test digraph latency was counted valid if it fell within a 0.5 standard deviation of the mean reference digraph latency, and was

accepted if the ratio of valid digraph latencies to total latencies was more than 60 percent. A False Acceptance Ratio (FAR) of 5.5% and a False Rejection Ratio (FRR) of 5% were achieved.

Monrose and Rubin (2000) performed a study on both static and dynamic keystroke analyses. Overall, 31 users were asked to type a few sentences from a list of available phrases and/or enter a few free sentences. Three different methods were used to measure similarities and differences between typing samples: normalized Euclidean distance, weighted maximum probability, and non- weighted maximum probability measures. About 90% of correct classification was achieved when fixed text was used, which was later enhanced to 92.14% with expansion of the analyses to 63 users (Monrose and Rubin 1997). However, it was reported that when different texts are used, accuracy collapsed to 23% of correct classification in the best state.

Dowland et al. (2001) monitored normal activities of four users for some weeks on computers using Windows NT, which means there were no constraints on the users. Different statistical techniques were applied. Only digraphs that occurred less frequently by the users were used to build the users’ profiles. A new sample compared users’

profiles in two steps: first, each digraph in the new sample is compared to the mean and standard deviation of its corresponding digraph in the users’ profiles and marked

(32)

21

the user whose profile provided the largest number of “accepted” digraphs. A 50% correct classification was achieved.

Bergadano et al. (2002) used the type error and intrinsic variability of typing as a feature to differentiate between legitimate users and impostors. Their experiment involved 154 participants, of whom 44 users, as legitimate users, were asked to type a fixed text of 683 characters long for five times over a period of one month, while 110 users were asked to provide only one sample to be used as impostor users. The degree of disorder within tri-graph latencies was used as a measure for dissimilarity metric and statistical method for classification to compute the average difference between the units in the array. This approach was able to achieve 0.0% of FAR and 2.3% of FRR.

Curtin et al. (2006) conducted three identification experiments in which subjects were asked to type three texts 10 times. The first two texts were 600 characters in length and the third one was 300 characters in length. The first text was used for training. The nearest neighbor classification technique employing Euclidean distance was used in these experiments. A 100% identification accuracy was achieved on eight users typing the same text. However, this accuracy diminished with 30 subjects, typing different texts, and gradually decreasing the length of the text. It was concluded that the best performance could be achieved under these conditions: sufficient training and testing text length, sufficient number of enrollment samples, and the same keyboard type used for enrollment and testing.

Gunnetti and Picardi (2005) conducted an experiment on 205 participants. Their work focuses on long free text passages. They used 40 participants to represent legitimate users who provided 15 samples each, and 165 participants to represent impostors who provided only one sample each. They developed a method for comparing the two typing samples based on the distance between typing times. They reported a FAR below 5% and a FRR below 0.005%.

(33)

22

Hu et al. (2008) used 19 participants to represent legitimate users who provided 5 typing samples each, and 17 participants to represent impostors who provided 27 samples. Typing environment conditions were not controlled in the experiment. Typing samples were used in building users’ profiles by creating averaging vectors from all training samples. K-nearest neighbor technique was employed to cluster the users’ profiles based on the distance measure. 66.7% of correct classification.

(34)

23 CHAPTER 3

MOTIVATIONAL CHALLENGES AND CONTRIBUTIONS OF THE THESIS

A major challenge in keystroke analysis is the identification of the major factors that influence the performance accuracy of the keystroke authentication detector. Two of the most influential factors that may impact the performance accuracy of the keystroke authentication detector include the classifier employed and the choice of features.

Currently, there is insufficient research that addresses the impact of these factors in continuous authentication analysis. The majority of exciting studies in keystroke dynamics focuses primarily on the impact of these factors in the static authentication analysis. Understanding the impact of these factors will contribute to the improvement of continuous authentication system performance.

While chapter 1 provides an overview of the motivations and contributions of this dissertation, this chapter provides a detailed account of the same. The motivation of this dissertation is provided in Section 3.1. And dissertation contributions are provided in Section 3.2.

3.1. Research Motivations

Extant literature on keystroke dynamics demonstrates conflicting results regarding which feature is the most effective timing feature in terms of distinguishing between users in keystroke dynamics domain. Experiments show that hold times are much more important than latency times (Pin et al. 2012, Robinson et al. 1998). It is also observed that using tri-graph time offered better classification results than using digraphs or higher order n-graphs (Killourhy and Maxion 2010). Revett et al. (2007) also reported that the digraph and tri-graph times were more effective compared to hold time and time of flight. Accordingly, recent studies combine more than one of these features (Pin et al. 2012, Araújo et al. 2005). Research has found that use of all three types of features (i.e., hold times, digraph times, and flight times) produces better results (Araújo et al. 2005). In

(35)

24

contrast, it has also been reported that, when hold times and either digraph times or flight times are included, the particular combination has a trivial effect (Pin et al. 2012).

Another observation taken from the literature on keystroke dynamics is that existing schemes use some features (i.e., hold times, digraph times, and flight times) from static authentication keyboard-based systems to represent user typing behavior in continuous authentication keyboard-based systems. These features can be used in the static

authentication keyboard-based systems for successful user authentication. However, these features do not guarantee strong statistical significance in continuous authentication keyboard-based systems. Hence, better informative timing features must be added to the extant literature to guarantee successful distinguishing between users in continuous authentication keyboard-based systems.

On the other hand, other research demonstrates that the employed algorithm (classifier) also plays an important role in enhancing the performance of keystroke dynamic systems (Killourhy et al. 2009, Zhao 2006). Killourhy et al. (2009) benchmarked and compared the performance of 14 algorithms on a single data set. Techniques varied from simple statistics classifiers such as the mean and standard deviations of typing times, to more complex pattern-recognition classifiers, such as neural networks and support vector machines. The study reported that different algorithms will have different error rates. Zhao (2006) used seven machine learning methods to build models to differentiate user keystroke patterns and found that certain classifiers are more accurate than others. However, even though these existing works are helpful in terms of deciding which classifiers provide more accurate rates, the focus of these studies is comparison of the algorithms’ performance on static authentication keyboard-based systems. Hence, more work is required to compare the algorithms’ performance in continuous authentication keyboard-based systems.

From a different angle, another important conclusion that can be drawn from the existing literature of keystroke dynamics is that most of the existing schemes require

(36)

25

having predefined typing models either for legitimate users or impostors. It is difficult or even impossible in some situations to have typing data of the users (legitimate or

impostors) in advance. For instance, consider a personal computer that a user carries to a college or to a cafe. In this case, only the computer owner (legitimate user) is known in advance. For another instance, consider a computer that has a guest account in a public library; in this case, none of the system users are known in advance. Thus, a new

automated and flexible technique that has the ability to authenticate the user without the need for any prior user typing model is needed.

3.2.Research Contributions

This dissertation focuses on the impact of the selected feature on the performance of the keystroke dynamics authentication system. The major contribution of this dissertation is the utilization of most frequently used English words in ascertaining identify of users typing on the keyboard. Another important contribution of this dissertation is the proposal of a novel approach based on sequential change-point methods for early detection of an imposter in computer authentication. There are two main advantages of the sequential change-point methods: First, they can be implemented online, and hence, enable the creation of continuous user authentication systems without the need for any user typing model in advance. Second, they minimize the average delay of attack detection while maintaining an acceptable detection accuracy rate.

The key contributions of this dissertation are as follows:

 Identification of two main factors that may influence error rates of a continuous keystroke authentication system. In particular, this dissertation focuses on the impact of the choice of features and algorithm employed on error rates of a continuous keystroke authentication system.

 Introduction of a new anomaly detection approach based on sequential change-point methods for early detection of attacks in computer authentication. The

(37)

26

developed algorithms are self-learning, which allow the construction of

continuous keystroke authentication systems without the need for any user typing model in advance.

 Introduction of new features useful in distinguishing between users in continuous authentication systems based on keystroke dynamics. The new features are based on the utilization of the most frequently used English words to ascertain identify of the users typing on the keyboard.

 Introduction of feature selection techniques useful in selecting the most influential features in continuous authentication systems based on keystroke dynamics, which maintain sufficient classification accuracy of the system and decrease the training and testing times required. The proposed techniques use a wrapper approach based on different machine learning classifiers such as SVM for use in feature evaluation. The process of subset feature selection is performed by various searching algorithms such as Genetic Algorithm and Greedy Algorithm.

 Investigation of the possibility of improving the performance of the keystroke continuous authentication system by performing various combinations of the extracted keystroke features. In particular, this dissertation compares the

independent performances of four keystroke features, including i) key duration, ii) flight time latency, iii) digraph time latency, and iv) word total time duration against ten different combinations of these keystroke features.

 Extraction of various types of keystroke features and determination of the most efficient in keystroke dynamics. In particular, the performance of four features such as i) key duration, ii) flight time latency, iii) digraph time latency, and iv) word total time duration are extracted and analyzed in order to find which one among these four features performs better in keystroke dynamics.

(38)

27

 Introduction and comparison of the performance of several anomaly detection techniques in the terms of their ability to distinguish between users i n continuous authentication systems. In particular, four machine learning techniques are adapted for keystroke authentication in this dissertation. The selected

classification methods are: Support Vector Machine (SVM), Linear Discriminate Classifier (LDC), K-Nearest Neighbors (K-NN), and Naive Bayesian (NB). The adapted techniques are selected because of their prevalence in the literature. Furthermore, these techniques are accompanied by a good and comprehensive set of methods and implementations to enable various comparisons of less common timing features used in keywords, such as total time to type whole word, with other more common features, such as digraph and flight times of letters.

(39)

28 CHAPTER 4

EXPERIMENTAL SETUP

This chapter describes the experimental procedures, data collection, and keystroke features used in this dissertation. A set of experiments is executed based on the collected data. Those experiments were based on fixed rather than free text, and designed to collecting keystroke timing data from users with different typing experience levels.

This chapter is organized as follows. Section 4.1 provides data collection procedures. Section 4.2 discusses feature extraction.

4.1Data Collection

A VB.NET windows form application was developed to collect raw keystroke data samples. For each keystroke, the time (in milliseconds) a key was pressed and the time a key was released, was recorded. Participants had the ability to use all keys on the

keyboard including special keys such as Shift and Caps Lock keys. More importantly, they were also able to use the Backspace key to correct their typing errors.

Participants had the choice of either using our laptop computer or downloading the application for collecting data on their own machines. The main window of the

application was split into two sections. The top section displayed the text that participants were required to type, i.e., fixed text. The bottom section provided a space to allow the participant enter the text. The texts used in our experiment were a collection of random English sentences randomly selected from a likewise randomly selected pool of English passages. Figure 4.1 shows a screen shot of the main window of the application used to collect the data from users.

Once the participant finished typing the text, the participant was asked to hit the

collect data button. The collected timing raw data was sent to SQL database that was developed to save participant timing data. The timing raw data file that was recorded by

(40)

29

the application for each participant contains the following information for each keystroke entry:

• Key character that was pressed.

• Time the key was pressed in milliseconds. • Time the key was released in milliseconds.

The experiment of keystroke timing dynamic involved 28 participants. However, the process of collecting data from participants involves two stages, in the first stage; we collect data only from 8 participants, in the second stage, we collect data from another 20 participants. The participants were undergraduate and graduate students with different majors. All participants were asked to type the same prepared text (5000 characters) one time. Furthermore, 6 of the 28 participants were asked to provide other two-samples of the same text at different times. We were thus able to have two data sets: the first data set contained one sample for each one of the 28 users; the second data set contained two additional samples for only 6 users who played the role of the owner of the device and whose active authentications were of interest.

(41)

30

4.2.Features and their Extractions

The collected raw data from both data sets were used to extract the following features for our experiment:

1. Duration (F1) of the key presses for the 20 most frequently appearing English alphabet letters (e, a, r, i, o,t, n, s, h, d, l, c, u, m, w, f, g, y, p, b) (Gaines 1956). 2. Flight Time Latency (F2) for the 20 most frequently appearing pairs of English alphabet letters (in, th, ti, on, an, he, at, er, re, nd, ha, en, to, it, ou, ea, hi, is, or, te) (Gaines 1956).

3. Digraph Time Latency (F3) for the 20 most frequently appearing pairs of English alphabet letters (in, th, ti,on, an, he, at, er, re, nd, ha, en, to, it, ou, ea, hi, is,or, te) (Gaines 1956).

4. Word Total Duration (F4) for the 20 most frequently appearing English words (for, and, the, is, it, you, have, of, be, to, that, he, she, this, they, will, I, all, a, him) (Fry and Jacqueline 2012).

Every feature (F1, F2, F3, and F4) consisted of 20 data items. For instance, F1

contained 20 alphabet letters, where each letter represented an item. Figure 4.2 illustrates an example of four keystroke features extracted for the word “the."

Figure 4.2: An example of four keystroke features extracted for the word “the”.

Table 4.1 reports the number of instances a feature item occurs in the English passages. The items are grouped into one letter, two letters, and words with more than

(42)

31

two letters. These items are reported to be the most frequent English letters and words [ (Gaines 1956), (Fry, Edward B., and Jacqueline E. Kress 2012)] [8, 9].

Table 4.1: Number of occurrences of the feature items in the English passages Item Ave Frequency Item Ave Frequency Item Ave Frequency

A 388 AN 62 AND 27 E 568 AT 61 FOR 27 I 418 ED 30 HAVE 27 N 222 ER 53 IS 49 O 412 HE 136 IT 37 R 236 IN 37 OF 28 S 320 ON 22 THE 29 T 472 TH 125 YOU 28 H 350 EA 28 ALL 32 D 159 EN 29 BE 28 L 249 HA 81 HE 32 C 68 HI 71 I 50 U 124 IS 107 SHE 28 M 138 IT 64 THAT 27 W 129 ND 45 THEY 28 F 103 OR 51 THIS 34 G 86 OU 49 TO 34 Y 120 RE 55 WILL 29 P 58 TE 27 A 59 B 59 TO 54 HIM 28

(43)

32 CHAPTER 5

KEYSTROKE FEATURES SELECTION USING STATISTICAL METHODS IN

HYPOTHESES TESTING

This chapter focuses on comparison of features to determine the features most

effective in distinguishing users. The individual performance of four features is analyzed, including key duration, flight time latency, digraph time latency, and word total time duration. Experiments are conducted to measure the performance of each feature individually and the results from the different subsets of these features. In addition, this chapter reports how the word total time duration feature performs compared to key duration, flight time latency, and digraph time latency in determining identify of users when typing.

This chapter is organized as follows. Section 5.1 provides chapter motivation. Section 5.2 provides research questions to be addressed in this chapter. Section 5.3 describes and explains the methods of analysis to be used. Section 5.4 explains the analyses conducted and the results obtained. Section 5.5 provides a conclusion and answers to the questions posed.

5.1. Motivations

Section 3.1 showed that the literature of keystroke dynamics demonstrates conflicting results regarding which feature is the most effective timing feature in the keystroke dynamics domain. Section 3.1 showed that existing schemes in the continuous

authentication keyboard area use some features from static authentication keyboard-based systems to represent user typing behavior. However, these features do not guarantee strong statistical significance in continuous authentication keyboard-based systems. Hence, it is necessary for new piece of informative timing feature to be added to the existing literature to guarantee successful performance of continuous authentication keyboard-based systems.

(44)

33

5.2.Research Questions

The main research questions that will be addressed in this chapter are:

Q1. Which keystroke timing feature(s) among key duration, flight time latency, digraph time latency, and word total time duration timing performs better in keystroke dynamics?

Q2. Does any combination of timing features improve the accuracy of authentication scheme?

Q3. Which feature items contribute more to the accuracy of the model, where feature items are defined as the exact instances of letters in each feature, e.g. “a”, “Th”, etc.?

Q4. How does the word total time duration feature perform compared with key duration, flight time latency, and digraph time latency?

5.3. Data Analysis Methods

In order to answer the research questions posed in the previous section, two statistical methodologies are applied. Statistical methodologies are based on finding statistical parameters (mean and standard deviation) differences between the typing samples of the users. In particular, Mann-Whitney statistics test and effect sizes are applied in this chapter. The following subsections describe these methodologies and their application to the collected data.

5.3.1. Mann-Whitney Statistics Test

This statistical test is one of the most powerful and common non-parametric tests for comparing the mean values of two populations. If one of the two random variables is randomly greater than the other, the test evaluates the differences in mean values between the two underlying populations.