A novel keystroke biometric system for long-text input was developed and evaluated for user identification and authentication applications. The system consists of a Java applet to collect raw keystroke data over the Internet, a feature extractor, and pattern classifiers to make identification or authentication decisions. Experiments on over 100 subjects investigated two input modes–copy and free-text input–and two keyboard types–desktop and laptop keyboards. The system can accurately identify or authenticate individuals if the same type of keyboard is used to produce the enrollment and questioned input samples. Longitudinal experiments quantified performance degradation over intervals of several weeks and over an interval of two years. Additional experiments investigated the system’s hierarchical model, parameter settings, assumptions, and sufficiency of enrollment samples and input-text length. Although evaluated on input texts up to 650 keystrokes, we found that input of 300 keystrokes, roughly four lines of text, is sufficient for the important applications described.
TopIntroduction
This chapter describes the development and evaluation of a keystroke biometric system for long-text input. The system has user-identification and user-authentication internet applications that are of increasing importance as the population of application participants continues to grow. An example authentication application is verifying the identity of students taking online quizzes or tests, an application becoming more important with the student population of online classes increasing and instructors becoming concerned about evaluation security and academic integrity. Similarly, in a business setting employees can be required to take online examinations in their training programs and the companies would like the exam-takers authenticated. An example identification application is a small company environment (a closed system of known employees) in which there has been a problem with the circulation of inappropriate (unprofessional, offensive, or obscene) e-mail, and it is desirable to identify the perpetrator. Because the inappropriate email is being sent from computers provided by the company for employees to send email and surf the internet during lunch and coffee breaks, there are no ethical issues in capturing users’ keystrokes. Finally, with more businesses moving to e-commerce, the keystroke biometric in internet applications can provide an effective balance between high security and customer ease-of-use (Yu & Cho, 2004).
Keystroke biometric systems measure typing characteristics believed to be unique to an individual and difficult to duplicate (Bolle, Connell, Pankanti, Ratha, & Senior, 2004; Jin, Ke, Manuel, & Wilkerson, 2004). The keystroke biometric is one of the less-studied behavioral biometrics. Most of the systems developed previously have been experimental in nature. However, several companies, such as AdmitOne (2008) and BioChec (2008), have recently developed commercial products for hardening passwords (short input) in computer security schemes.
The keystroke biometric is appealing for several reasons. First, it is not intrusive and computer users type frequently for both work and pleasure. Second, it is inexpensive since the only hardware required is a computer with keyboard. Third, keystrokes continue to be entered for potential subsequent checking after an authentication phase has verified a user’s identity (or possibly been fooled) since keystrokes exist as a mere consequence of users using computers (Gunetti & Picardi, 2005). This continuing verification throughout a computer session is sometimes referred to as dynamic verification (Leggett & Williams, 2005; Leggett, Williams, Usnick, & Longnecker, 1991).
Most of the previous work on the keystroke biometric has dealt with user authentication, and while some studies used long-text input (Bergadano, Gunetti, & Picardi, 2002; Gunetti & Picardi, 2005; Leggett & Williams, 2005), most used passwords or short name strings (Bender & Postley, 2007; Bolle et al., 2004; Brown & Rogers, 1993; Monrose, Reiter, & Wetzel, 2002; Monrose & Rubin, 2000; Obaidat & Sadoun, 1999). Fewer studies have dealt with user identification (Gunetti & Picardi, 2005; Peacock, Ke, & Wilkerson, 2004; Song, Venable, & Perrig, 1997). Gunetti and Picardi (2005) focused on long free-text passages, similar to this research, and also attempted the detection of uncharacteristic patterns due to fatigue, distraction, stress, or other factors. Song et al. (1997) touched on the idea of detecting a change in identity through continuous monitoring.
Researchers tend to collect their own data and no known studies have compared techniques on a common database. Nevertheless, the published literature is optimistic about the potential of keystroke dynamics to benefit computer system security and usability (Woodward, Orlans, & Higgins, 2002). Gunetti and Picardi (2005) suggest that if short inputs do not provide sufficient timing information, and if long predefined texts entered repeatedly are unacceptable, we are left with only one possible solution, using users’ normal interactions with computers, free text, as we do in this research.