-
April 18th, 2004, 06:35 AM
#1
Junior Member
Computer Science Security Research Help
Hello,
We are posting this message to request some help in some keystroke biometric research that our computer science research team at University of Rochester is trying to accomplish. Your participation would greatly help our study of realtime keystroke user authentication methods. Basically we are working on a biometric program that would lock out anyone who was using your computer that does not match your keystroke profile. While this endeavor is still in its research phase, we need participants to run our program to gather information about each participant's specific typing style. If you are interested in helping us, please go to the following web address for a more in-depth explanation of our program and how to participate in our research. Thank you for your time and I hope you can help us out. Please post any questions and we will try to respond quickly. Our timeframe for this research is the following 2 weeks starting today April 17- May 1st. Please only serious volunteers.
Here is the link:
http://www.csug.rochester.edu/~porda...ardbiometrics/
CS200 Research Team at University of Rochester
Warren Fong
Peter Ordal
David Lu
David Ganzhorn
Jonathan Norwood
-
April 18th, 2004, 06:57 AM
#2
Member
I do see a problem with this project. I have probably 6 different forms of typing. Sometimes I'm eating and I only type with my right hand. When I'm programming, I tend to type in short bursts. When I talk on the phone, I typically switch hands to type depending on what I need to do. When I'm tired my hands don't strike the keys as hard, and when I'm mad I tend to beat the crap out of my keyboard. Then I have my standard type mode.
So, how does/would your program deal with these problems?
You are so bored that you are reading my signature?
-
April 18th, 2004, 07:07 AM
#3
annihilator_god: I agree with you.
I have several types of "typing styles".
Depends on what I'm doing. If I'm typing a document, I tend to type fast. Same with replying.
When I'm entering a password... I'm really fast. After the first few times typing the password (after changing it)... I don't so much remember the password... but the keystrokes (sub-conscious?). If I look at the keyboard and type my password, I will fail. I have to just do it.
Or, what if I've been drinking? My style of typing def. changes then. I have to go back many times because I've pressed the wrong keys.
Don't get me wrong. It's a great idea. I suppose you'd just have to have a lot to think about when you define a profile.
What if I were to break my arm tomorrow? Then I'd be locked out for how long?
How could I get access back to my system(s)?
(sorry... I've been drinking a bit 2nite... )
Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
-
April 18th, 2004, 07:32 AM
#4
Or, what if I've been drinking? My style of typing def. changes then. I have to go back many times because I've pressed the wrong keys.
You bid in a couple of minutes before me.
-
April 18th, 2004, 11:45 AM
#5
Since we are talking about "keystyle" recognition as a security measure I don't really see how you can stop me from using your machine.... See, I'll have physical access, won't I. If I boot to safe mode, disable the service, reboot, do my dirty work, reboot to safe mode and re-enable the service and reboot again I have used your computer despite your security measures.
Nice idea to keep normal users off a machine at work but I find the password protected screen savers do that well enough. You are not going to keep anyone with physical access off the box if they have even fairly minimal computer knowledge.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
April 18th, 2004, 01:33 PM
#6
Is this a commercial project? If so I would think it flawed for the reasons above plus quite a few other reasons.
Unless I am mistaken you are asking us to download a keylogger, with a server built in. This would be of great concern to me. Even given your promises of anonymity. I see from your web page we would have the ability to turn your software off, for password entering etc. Very easy to forget what you have running, so I do not think I will partake, thank you.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
-
April 18th, 2004, 02:54 PM
#7
Hi Jinxy, You do have a good point there!
My concern is that the whole project assumes permanently online connections?............OK if you have free local connection to your ISP, also if you don't give a s**t about fire precautions?
I have participated in the "folding at home" programme.................it let me decide when to connect to the internet, and to preview what was being sent.
Seems to me that this is one for "United States and Canada Customers Only"?
Our pay per minute for local calls is a bit "foreign"?...............just as our free ISPs are to them?
Anyways if I go to a "three martini lunch", I don't want some damn quisling on my desk reporting me to the Boss?
And if I could do it from work, without approval at the director level, I would say that the head Administrator should be sacked (fired)...............bloody great potential breach of security.
I personally consider the whole project to be "trite", "flawed" and "impractical".................apart from that it won't work?
Cheers
-
April 18th, 2004, 07:41 PM
#8
Junior Member
-
April 18th, 2004, 08:07 PM
#9
While there are many details such as restarting the system in safe mode to turn it off.....that probably wouldn't be possible if there was a password on the system?
With physical access... passwords don't really matter. If you were to set a password on the BIOS... it can be removed. physical access == all access.
An attacker could also use a live Linux distro (Knoppix or the like) and gain access to the hard drive and data without the need for passwords. This is why I use encryption. The XP encryption and then PGP. So, it's really encrypted twice. (important data... pr0n and the like)
It's still a very interesting concept. However, there are lots of concerns for me. (typing styles, temp handicap (broken arm), drinking, and what have you).
Also, I would NOT use a system that had to authenticate me with a server. What if your server went down, or was compromised? What if I didn't want to be online or didn't have the internet?
I use layered security and don't depend on just one thing. But I surely wouldn't use a system that has the potential to lock me out because I'm typing differently today than when I set up my "profile".
Or, what if a home user lets other people use their PC and doesn't have more than one profile/user account? I don't make my girlfriend logout of my account when all she is doing is checking her email... surely we have different typing styles.
IMO- There are way too many variables...
Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
-
April 18th, 2004, 08:57 PM
#10
Originally posted here by phishphreek80
When I'm entering a password... I'm really fast. After the first few times typing the password (after changing it)... I don't so much remember the password... but the keystrokes (sub-conscious?). If I look at the keyboard and type my password, I will fail. I have to just do it.
Originally posted here by phishphreek80
This is why I use encryption. The XP encryption and then PGP. So, it's really encrypted twice.
Yeah, probably a good idea (if you have "confidential" data), as EFS (particularly on standalone computers (no domain)) isn't that safe. PGP should however very much do the trick...
It's still a very interesting concept. However, there are lots of concerns for me. (typing styles, temp handicap (broken arm), drinking, and what have you).
Yeah, I do that too! I think everyone who frequently uses strong random passwords intuitively reverts to this...
And while I'm not quite sold on the keystroke "profile" either, I think that this is precisely the behaviour that might make this idea successful for passwords: we don't type our passwords the same way we type any other text; we don't think about it, it just happens.
Since we/I've already admitted to not being able to "remember" my passwords unless I let 10 fingers do the work, it sort of puts limits on the "context possibilities" to be considered for the mechanism... Still it doesn't help if you do become disabled ...
[QUOTE]
I don't make my girlfriend logout of my account when all she is doing is checking her email...
[/QUOTE]
You don't? I mean, doesn't that violate your home network's AUP? 
Ammo
Credit travels up, blame travels down -- The Boss