Abstract
We consider the delegation attack in authentication systems, in which a credential holder shares their credentials with a third party, whom we call the helper, to allow them to use the account. We motivate this problem and propose a model for non-delegatable authentication and a novel authentication system, based on behavioural biometrics, that achieves non-delegatability. Our main observation is that a user’s behaviour in complex activities, such as playing a computer game, provides an imprint of many of their personal traits in the form of measurable features that can be used to identify them. Carefully selected features will be “hard” to pass on to others, hence providing non-delegatability. As a proof of concept, we designed and implemented a computer game (a complex activity) and used the feature points in the game play to construct a user model for authentication. We describe our implementation and experiments to evaluate correctness, security and non-delegatability. Compared to using traditional biometrics, the system enhances user privacy because the user model is defined with respect to an activity and does not have a direct relation to the user’s identifying information. We discuss our results and deployment of the system in practice, and propose directions for future research.
Copyright information
© 2015 Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Alimomeni, M., Safavi-Naini, R. (2015). How to Prevent to Delegate Authentication. In: Thuraisingham, B., Wang, X., Yegneswaran, V. (eds) Security and Privacy in Communication Networks. SecureComm 2015. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 164. Springer, Cham. https://doi.org/10.1007/978-3-319-28865-9_26
DOI: https://doi.org/10.1007/978-3-319-28865-9_26
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-28864-2
Online ISBN: 978-3-319-28865-9
eBook Packages: Computer Science (R0)