Abstract
The uniqueness of behavioral biometrics (e.g., voice or keystroke patterns) has been challenged by recent works. Statistical attacks have been proposed that infer general population statistics and use them to target the behavioral biometrics of a particular victim. We show that despite their success, these approaches require several attempts for successful attacks against different biometrics due to the different nature of overlap in users’ behavior for these biometrics. Furthermore, no mechanism has been proposed to date that detects statistical attacks. In this work, we propose a new hypervolumes-based statistical attack and show that unlike existing methods, it (1) is successful against a variety of biometrics, (2) is successful against more users, and (3) requires the fewest attempts for successful attacks. More specifically, across five diverse biometrics, for the first attempt, on average our attack is 18 percentage points more successful than the second best (37% vs. 19%). Similarly, for the fifth attack attempt, on average our attack is 18 percentage points more successful than the second best (67% vs. 49%). We propose and evaluate a mechanism that can detect the more devastating statistical attacks. False rejects in biometric systems are common, and by distinguishing statistical attacks from false rejects, our defense improves usability and security. The evaluation of the proposed detection mechanism shows its ability to detect on average 94% of the tested statistical attacks, with an average probability of 3% of flagging a false reject as a statistical attack. Given the serious threat posed by statistical attacks to biometrics that are used today (e.g., voice), our work highlights the need for defending against these attacks.
Revisiting the Security of Biometric Authentication Systems Against Statistical Attacks