Multimedia Tools and Applications, Volume 71, Issue 2, pp 575–605

Online risk-based authentication using behavioral biometrics

  • Issa Traore
  • Isaac Woungang
  • Mohammad S. Obaidat
  • Youssef Nakkabi
  • Iris Lai


In digital home networks, independent smart devices are expected to communicate and cooperate with each other on the basis of a distributed operating system paradigm, without knowledge of the underlying communication technology. In such a context, securing access rights to objects such as data, apparatus, and contents is still a challenge. This paper introduces a risk-based authentication technique based on behavioral biometrics as a solution approach to this challenge. Risk-based authentication is an increasingly popular component of the security architecture deployed by many organizations to mitigate online identity fraud. It uses contextual and historical information extracted from online communications to build a risk profile for the user, which can then be used to make authentication and authorization decisions. Existing risk-based authentication systems rely on basic web communication information such as the source IP address or the velocity of transactions performed by a specific account or originating from a certain IP address. Such information can easily be spoofed, which calls into question the robustness and reliability of the proposed systems. In this paper, we propose a new online risk-based authentication system that provides more robust user identity information by combining mouse dynamics and keystroke dynamics biometrics in a multimodal framework. We propose a Bayesian network model for analyzing the free keystrokes and free mouse movements involved in web sessions. Experimental evaluation of our proposed model with 24 participants yields an Equal Error Rate of 8.21 %. This is very encouraging considering that we are dealing with free text and free mouse movements, and that many web sessions tend to be very short.


Keywords: Risk-based authentication; Network security; Mouse dynamics; Keystroke dynamics biometric technology; Bayesian network model; Digital home network; Infrastructure technology



Copyright information

© Springer Science+Business Media New York 2013

Authors and Affiliations

  • Issa Traore (1)
  • Isaac Woungang (2)
  • Mohammad S. Obaidat (3)
  • Youssef Nakkabi (1)
  • Iris Lai (1)

  1. Department of Electrical and Computer Engineering, University of Victoria, Victoria, Canada
  2. Department of Computer Science, Ryerson University, Toronto, Canada
  3. Department of Computer Science and Software Engineering, Monmouth University, West Long Branch, USA
