1 / 29

RiskCog: Privacy-preserving Unobtrusive Real-time Mobile User Authentication

RiskCog: Privacy-preserving Unobtrusive Real-time Mobile User Authentication. Yan Chen Lab of Internet and Security Technology (LIST) Zhejiang University, China Northwestern University, USA. How many of you use your smartphones to make payments? What about to storing sensitive data

toviel
Download Presentation

RiskCog: Privacy-preserving Unobtrusive Real-time Mobile User Authentication

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. RiskCog: Privacy-preserving Unobtrusive Real-time Mobile User Authentication Yan Chen Lab of Internet and Security Technology (LIST) Zhejiang University, China Northwestern University, USA

  2. How many of you use your smartphones to make payments? What about to storing sensitive data or personal photos?

  3. Source: http://www.creditcards.com/credit-card-news/mobile-payment-statistics-1276.php

  4. WHAT HAS BEEN DONE SO FAR

  5. PASSWORDS • Hard to remember • Hard to type on handheld devices • Prone to dictionary attacks

  6. PASSWORDS IRIS SCAN • Hard to remember • Hard to type on handheld devices • Prone to dictionary attacks • Cumbersome to use • Not practical in all situations • Still under active research

  7. FINGERPRINTS • Needs a fingerprint sensor • Privacy concern • Vulnerable to Play-Doh attacks!

  8. FINGERPRINTS PATTERN • Needs a fingerprint sensor • Privacy concern • Vulnerable to Play-Doh attacks! • Strong patterns are hard to use • Prone to shoulder surfing • Not practical in all situations vs

  9. FACE RECOGNITION • Needs a camera • Privacy concern • Easily hackable (... using your photo!)

  10. FACE RECOGNITION SPEECH RECOGNITION • Needs a camera • Privacy concern • Easily hackable (... using your photo!) • Ambient noise affects the recognition • Privacy concern still exists • Still hackable (recording your voice)

  11. what if… There was a way to and ‘unobtrusively’ identify the phone’s owner in an ‘implicit’ way (without compromising user privacy!)

  12. Goal • A learning-based mechanism for user fraud detection • Least user privacy required, high detection accuracy, training without labeled data • Device-level approach: only one copy of data is uploaded • Use of cheap and universal sensors • Robust, hard to evade • Work at constrained environment even when being disconnected, Internet scale users

  13. Goal

  14. Problem Statement Fingerprinting Bob’s usage manner Verify based on classification results

  15. Challenges • Lack of features • A feature set which is effective to fingerprint authorized user based on motions sensors • Feature selection (6 values  56 features) • Data availability & device placement • A data collection mechanism that recognizes phone’s active state to resolve data availability issue • A data preprocessing algorithm to remove the effect of dynamic device position

  16. Challenges • Unlabeled data • A semi-supervised online learning algorithm to handle the unlabeled data with supervised learning algorithm • Imbalanced dataset • Stratified sampling plus sample randomization to address the issue of imbalanced data set • Constrained mobile environment

  17. Data Preprocessing • Filter useless data on client side • The device is put on a flat plane • Identify motion state on server • Each motion state has one corresponding classifier trained

  18. SVM Algorithm optimization • Given ε = 0.01, change C from 1 to 90,000 and γ from 0 to 0.1, the model size

  19. Unlabeled Data: Semi-supervised Online Learning

  20. Evaluation • Data • Collected with “Phone manager” by Tencent, 1513 users • Labeled data collected in lab, 10 participants • Provided by Alipay for benchmarking test, 34 users • Metrics • Accuracy • True positive: owner is correctly identified • False positive: other is incorrectly identified as owner • False negative: owner is incorrectly identified as other • True negative: other is correctly identified • Powner = TP/(TP+FP), Rowner = TP/(TP+FN), Pother = TN/(TN+FN), Rother = TN/(TN+FP) • ROC curve • Overhead • Robustness

  21. Accuracy • 1513 users with full data • Collect 60s per hour for 10 days (sample rate 50Hz) • Size of training set: size of test set = 4:1

  22. Accuracy • Data of 34 users from Alipay • Combine 1,513 users from Tencent as others’ data • Size of training set: size of test set = 4:1 • TP:98.74% • TN:92.02%

  23. ROC Curve • True positive rate v.s. False positive rate • TPR = TP/(TP+FN), FPR = FP/(FP+TN) • Changes the classification threshold (0-1)

  24. Overhead • Impact on client (3 hours) • Server latency (over 1,513 users)

  25. Overhead • Overhead • Offline verification • Offline model size: about 200kb

  26. Product Demo On Android

  27. Robustness • Brute-force attack • The classifier model for each authorized owner is pre-trained • A set of 500K randomly generated samples • Percentage of samples detected as non owner: 94.01%

  28. Robustness • Human attack • A pre-trained classifier for the owner • 3 participants handle the phone with various gestures • Each participant lunches 10 attacks • Each attack last for 10 seconds • Percentage of samples detected as non owner: 93.84%

  29. Conclusion and Ongoing Work • RiskCog: The first device level user identification system with wild collected sensor data • Deploy on the phone, to replace existing password/fingerprint authentication for apps. • Enable offline detection • Port to smart watches where no other user authentication system available yet.

More Related