Keywords

1 Introduction

Traditional authentication system using passwords, personal cards and PIN-numbers can easily be breached when a card is stolen or password is compromised. Furthermore, difficult passwords may be hard to remember by a legitimate user and simple passwords are easy to guess by an impostor. The use of biometrics offers an alternative means of identification which helps avoid the problems associated with conventional methods. Nowadays, losses due to identity theft is an issue of growing concern, especially considering the increased data exposure caused by some services on the Internet. In view of this scenario, there is a need for enhanced authentication mechanisms, such as by the use of biometrics. In security area, biometrics tries to recognize users by physiological or behavioral features of the person. Among the current biometric technologies, keystroke dynamics is a promising alternative due to several factors [1, 2]. First, it usually does not need any additional cost with hardware, as a common keyboard is enough to acquire keystroke data. Second, keystroke dynamics recognition may be performed in background, while the user is typing an e-mail or entering a password. Consequently, day-to-day tasks of users are not disturbed, which may contribute to a better acceptability of this technology. Keystroke dynamic is a type of behavioral biometrics based on the users typing rhythm, which is unique for different people. Keystroke timing patterns are captured without users knowledge based on the keystroke events gathered while users typing on a keyboard.

1.1 Motivation and Contribution

Password based authentication is not secure due to several drawbacks [3]:

  1. 1.

    Someone stolen the password

  2. 2.

    Brute force attack (try all possible combination of start with one digit, two digit passwords and so on)

  3. 3.

    Dictionary attack (try with list of password in the dictionary instead of all possible combination)

  4. 4.

    Password guessed (if someone look over while type or note it down on paper if password is difficult to remember)

  5. 5.

    User shared password to others

  6. 6.

    Someone hacked the password.

To overcome the above drawbacks, introduced keystroke dynamic is an additional parameter to secure password authentication. Keystroke dynamic analyze the users way of typing on keyboard that is typing pattern and it measures the time interval between each events of user holding the key and switchover between the key (one key to another key). Individual keystroke pattern or features are different, so it is maintain consistency and uniqueness. We study different types of keystroke features and analyze the performance of individual and combination of features. We propose a Hybrid model with different fusion approach to combine the scores from Gaussian probability density function (GPDF) and support vector machine (SVM) with combination of feature data. The following contributions has been done:

  • Created keystroke database of 100 users

  • Extract four types of keystroke features and analyze the performance

  • Keystroke feature data transform to scores using hybrid model

  • The efficient combination of four fusion approach

  • Evaluate Equal error rate (EER).

1.2 Organization

The rest of paper is organized in the following way: Sect. 2 discussed the review of related research in the field while Sect. 3 presents the proposed methodology, data collection, feature extraction and template generation. Section 4 presents our proposed hybrid model and Sect. 5 presents proposed fusion approach. The experimental results analyzed and discussed in Sect. 6. Finally, Sect. 7 provides conclusions.

2 Related Works

Recent years, researchers were focusing on the collection of number of users keystroke biometric data for accurate evaluation on user database benchmark, decreasing the evaluated result errors or improve accuracy and concentrating keystroke latency as feature data. Hosseinzadeh et al. [4] conducted experiment on keystroke authentication using Gaussian Mixture Model. Training and testing data were collected from 8 users who typed their full name consecutively ten times No complexity pattern involved in the name characters due to smaller character length, so it can be easily replicated. Experiment was utilized only two extracted keystroke features and Expectation Maximization algorithm used to train the Gaussian Mixture Model. Then, Log-likelihood test platform was performed to identify the probability of closest data of testing and training data to confirm genuine user authentication. Overall experiment result is 2.4 % FRR and 2.1 % FRR, this error rate is high and also the number of users tested is not enough to conclude the final results obtained. Sang and Shen et al. [5] authors were implemented SVM classifier in the keystroke dynamics. Keystroke data collected from ten users. Experiment was performed on one class SVM which is simulating genuine data and two-class SVM is used to separate genuine and imposters’ data. The results are reliable but significant weakness is only ten samples were collected. In [6] authors have implemented Hidden Markov Models as classifier in keystroke recognition. Twenty people were enrolled to this experiment with their password ten times in four different sessions. However, lower length of eight digit password implemented. A total of 800 samples collected which is enough for the experiment. The final result of EER is 3.6 % which is considerably higher error rate. Guven et al. [7] proposed new classifier for keystroke authentication. New classifier is similar to neural network structure. Keystroke raw data was collected from sixteen users, then extracted the keystroke latency (successive key press or down). Experiment was conducted on similar to neural network structure to calculate the weights using statistical method. Statistical method include mean and standard deviation of the keystroke latencies. User test sample latency value was compared to standard deviation of reference latency, result is genuine if test latency fall two times within the standard deviation reference latency, then assume whole string being considered as valid. Due to assumption, experiment produced result with high error rate of FRR of 17 % and FAR of 26 % which was poor performance of keystroke authentication. Azevedo et al. [8] developed hybrid system based on the combination of stochastic optimization algorithm (Genetic algorithm) and support vector machine (SVM) and particle swarm optimization. Hybrid system select the keystroke features from enrolled users. Experiment was implemented on SVM uses a Genetic algorithm and particle swarm optimization. First test was conducted on SVM with Genetic algorithm (evolutionary algorithm) for feature selection with minimum error rate of 5.18 % when FAR of 0.43 % and FRR of 4.75 %. Second test was carried on particle swarm optimization with global acceleration of 1.5 gave a minimum total error of 2.21 % with error rate of 0.41 % FRR and 2.07 % FAR. This paper, proposed hybrid model with different fusion approach which is merge the scores produced by the GPDF and SVM. This approach is able to considerably improve the overall result.

3 Proposed Methodology

We introduce hybrid model in this research, which are the combination of two matching function namely the Gaussian Probability Density Function (GPDF) and Support vector machine (SVM). Figure 1 shows proposed hybrid model with two keystroke features combined and applied fusion rules against the combinations performed on SVM and GPDF. Hybrid model is developed to calculate the score between the test user templates against the reference user template (stored in database). Then, fusion applied for both SVM and GPDF matching scores. The function of fusion is fusing both matching scores and then fused output score is compared with a predefined threshold before making a final decision. The decision should be accepted if fusion output score is greater than threshold value or else rejected the user authentication. In this paper, four fusion rules are studied.

Fig. 1
figure 1

Proposed hybrid model with two keystroke features

Full size image

3.1 Data Collection

Captured keystroke biometric data with the help of GREYC Keystroke software developed at GREYC Laboratory [9]. This software is downloadable from the following address www.ecole.ensicaen.fr/~rosenber/keystroke.html. 100 users’ data was collected with an interval of 6 months apart. These users are university academic and administrative staffs. Initially, each user is allowed to choose their choice of username and password during the enrolment process. Next, same users have to continuously type fixed line of text ‘‘credential evaluation” for fifteen times. So we collect fifteen samples of each user and total of 1500 (100 user * 15) samples are stored in the database.

3.2 Feature Extraction and Template Generation

When user type a character on keyboard, two types of events occurred namely, key press (P) and key release (R). Based on occurrence of specific events, we can extract keystroke feature data. Four types of keystroke features could be generated [10] as shown Fig. 2. Extracted four features: (Press-to-Release PR = R1 − P1) the time between a key being pressed until the key being released, (Press-to-Press PP = P2 − P1) time between two successive keys being pressed, (Release-to-Press RP = P2 − R1) time between a key being released to the next key being pressed and (Release-to-Release RR = R2 − R1) the time between two successive keys being released. RP feature value may occur negative due to next key being pressed before previous key being released. Template generation is the compact form of four keystroke features, which is extracted from raw keystroke data. Each user keystroke data could be converted to one template which consists four types of features of their mean and standard deviation of keystroke feature of each character of fixed phrase text. User templates are stored in database and could be retrieved for authentication purpose. The formula of mean (μ) and standard deviation (σ) as below,

Fig. 2
figure 2

Four keystroke features extracted from phrase ‘‘AB”

Full size image
$$\mu = \frac{1}{T}\;*\;\sum\limits_{j = 1}^{T} {t_{j} } \quad and\;\sigma = \sqrt {\frac{{\sum\nolimits_{j = 1}^{T} {\left( {t_{j} - \mu } \right)^{2} } }}{T}}$$
(1)

where T represents the number of training samples and tj denotes the value of each keystroke feature. The user is required to continuously type fixed phrase text “credential evaluation” for 15 times which yields fifteen samples from each user. Testing purpose, randomly divide fifteen samples of each user into five and ten whereas five samples are converted to templates serves as reference for future authentication and ten samples reserved for testing purpose. Generated five templates are stored in the database for comparison while test user authentication.

4 Hybrid Model

Hybrid model have two matchers namely, GPDF and SVM. Test and reference feature data will be converted into individual template. Each template consists four types of features (PR, PP, RP, RR) of their mean and standard deviation of keystroke feature of each character of fixed phrase text. We use both template of two different combination of features (example: PR and RP) fetch into hybrid model which consists of: (1) GPDF used to compute the score between test feature template and reference feature template. (2) SVM used to compare the scores of each typing patterns of test feature template and reference feature template to identify genuine or imposter data. Two matcher scores are in the range of 0 to 1. Then apply fusion to two matcher output scores, get the final score which will decide the genuine or imposter user.

4.1 Gaussian (Normal) Probability Density Function (GPDF)

GPDF [11, 12] is used to analyze the data. It represents the normally distributed data in the bell shaped curve with mean value is the centroid and variance is a measure of dispersion of data around mean. This paper, GPDF is used to calculate the matching score between user test feature data template and reference feature data template. Matching score between the ranges of 0 to 1. GPDF modified form as below

$$Score_{GPDF} = \sum\limits_{i = 1}^{N} {\exp \left[ { - \frac{{(n - \mu )^{2} }}{{2\sigma^{2} }}} \right]}$$
(2)

where \(Score_{GPDF}\) represents the GPDF matching score, n denotes the test keystroke feature of a particular character, μ and σ2 denotes the mean and variance of each character from reference feature data, respectively. Calculate the matching score between two templates of test and reference data by apply variance and mean of reference data and test data into the Eq. (2). Eventually decide the final result of matching score if closer to 1, then reference feature data template and test feature data template are similar. Now the test was conducted for one feature of the template, the matching score named as sub score. Same experiment should be performed for all four features of the template, eventually final score has been calculated with average of all sub scores.

4.2 Support Vector Machine (SVM)

SVM is to compare the scores of each typing patterns of training data samples and test data samples for identifying authorized and unauthorized user. We have done experiment on linear version of SVM which maps the input user data into a high dimensional feature space through linear kernel. Detail description of SVM can be found in [13]. SVM is the determination of the optimal hyper plane which will optimally separate the two classes of genuine and imposter of input user dataset. Based on linear kernel function, SVM maps the input user dataset samples in a high-dimensional feature space and then separate the dataset from the origin with a maximum margin. SVM algorithm function f is defined as the region that majority of data from input dataset which contained in one pattern (genuine) as +1, and data outside this region is −1 (imposter), function f(x) as below

$$f(x){\kern 1pt} \, = \,\sum\limits_{i}^{N} {\alpha_{i} y_{i} K(x_{i} ,x)\, + \,b}$$
(3)

where N represents the size of training data and xi denotes the supporting vector. \(K(x_{i} \,,\,x)\) is the kernel function representing the inner product between xi and x in feature space. To maximize the margin that is distance between the nearest point of the training set and the hyper plane is called optimization problem. It could be solved can be stated as

$$\mathop {\hbox{max} }\limits_{{\alpha_{i} \ge 0}} \sum\limits_{i} {\alpha_{i} } - \frac{1}{2}\sum\limits_{j,k} {\alpha_{j} \alpha_{k} y_{j} y_{k} K(x_{j} ,x_{k} )} ,\quad 0 \le \alpha_{i} \le C{\kern 1pt} \;for\;\forall_{i\quad } and\,\;\sum\limits_{i} {\alpha_{i} y_{i} } = 0$$
(4)

where C denotes the penalization coefficient of data points on hyper plane. Based on C value to set the width of margin between data points in the middle of the hyper plane. In order to maximize the performance, we have set the values for the parameter C = 128.

5 Fusion Approach

Four fusion rules were applied in the hybrid model fusion approach. Table 1 shows formula of four fusion rules namely sum, weighted sum, product and maximum. Hybrid model have two matcher of SVM and GPDF whose output range is 0 to 1, so score normalization is not necessary before fetching to next process of fusion. Fusion helps to combine the significant information of SVM and GPDF, so it could increase the overall performance. Reason to employ fusion method to improve the performance significantly. In this research, we propose fusion to hybrid model that is fusing between SVM and GPDF scores to produce a final score. At last, fusion score will decide the user is genuine or imposter.

Table 1 Various fusion rules
Full size table

6 Experimental Results and Discussions

6.1 Experimental Setup

Our experiments were performed with fixed phrase text of users keystroke data. Collected the raw data of 15 samples from 100 users. Extracted four different keystroke features (PR, PP, RP, and RR) from 100 users raw data. Then, template could be generated based on extracted four keystroke features with calculated their mean and standard deviation for each and every character of the user typed. Each user data consists of four different templates. Testing purpose, randomly divide fifteen samples of each user into five and ten whereas five samples are converted to templates named as training samples and ten samples reserved for testing purpose named as testing samples. Experiment was carried on all sets of users’ templates with five training samples versus ten testing samples. Error rates could be calculated as false rejection rate and false acceptance rate. The false rejection rate (FRR) is the ratio of genuine user rejected and the total number of user samples attempted. The false acceptance rate (FAR) is the ratio of approved imposters as genuine users and the total number of user samples attempted. The experiment was carried by comparing the test data sample score against threshold value within the range of 0 to 1 (interval of 0.01), calculate FAR and FRR. Repeated the experiment with increase the interval each time 0.01, calculated the FAR, FRR values. After tabulation of FAR and FRR values, equal error rate (EER) is calculated when FAR is near to FRR value. Tested fifteen different combinations with five training data and ten testing data. For each combination of sample data, we have obtained final results could be the average of EER. Experimental results discussed for the next section could be described with the average value of EER, FAR and FRR.

7 Results

7.1 Keystroke Features Without Fusion

This approach, each keystroke features (PR, PP, RP, and RR) have been applied on matcher SVM and GPDF without using any fusion approaches. Observing the performance of four keystroke features on SVM and GPDF in Fig. 3 we notice that feature PR is obtained better result compared to other keystroke features (PP, RP, RR). Observing the EER % of four keystroke features without fusion in Table 2 we notice that PR feature lead the best result of 3.8214 EER % while using SVM. SVM results of all four keystroke features are better than GPDF results. Apart from that we performed this experiment with 100 user samples even though the result remains consistent.

Fig. 3
figure 3

Performance comparison of four keystroke features without fusion

Full size image
Table 2 EER % of four features on SVM and GPDF without fusion
Full size table

7.2 Hybrid Model with Fusion Approach

We proposed, hybrid model using combination of two keystroke features with four fusion approach. Initially, two keystroke features have been applied on two matcher SVM and GPDF, output scores of each matcher named partial score. Then partial score fused with four fusion rules namely sum, weighted sum, product and maximum. Each fusion rules were applied separately to partial score and analyzed the output score shown in Fig. 4. This testing was repeated with all possible combination of two keystroke features and also repeated with different fusion rules. Eventually fused output score is compared with a predefined threshold before making a final decision. The final decision should be accepted if the score is greater than threshold value or else rejected. Experiment results shown in Table 3 we noticed that PR+RP feature combination with weighted sum fusion rule produced the best result of 1.612 % EER among other feature combination. PR feature combination with any other three features provided better results compared to without PR of remaining feature combination. Noticing that the performance improvement on fusion approach than the without fusion approach on individual feature. Observed the better results of two combination features than single keystroke feature used in without fusion approach. Among the combination of features used in hybrid model with various fusion rule, weighted sum rule shown better results than the other fusion rule. Among the four fusion rules, weighted sum rule results are better and worst results obtained on max rule. Analyzed the major performance difference between weighted sum and max rule, scenario of max rule final output is the maximum probability output between two matchers that is best among the two matcher scores and discard the even small point difference score value of one matcher but weighted sum rule utilize both matcher scores with weighted value. Therefore, weighted sum rule have imposter acceptance is very less, so overall performance is high. Best equal error rate obtained among all four fusion rule is weighted sum rule at 1.612 %. At the experimental stage, weighted sum fusion rule was tested with bias weight of \(W_{1ScoreSVM}\) and \({\text{W}}_{{ 1 {\text{ScoreGPDF}}}}\) in the range starting from 0 with step size 0.1 till 1 value, observed the best result obtained at bias value of \({\text{W}}_{{ 1 {\text{ScoreSVM}}}} = \, 0. 7 3\) and \({\text{W}}_{{ 2 {\text{ScoreGPDF}}}} = \, 0. 2 7\). Weighted sum rule performs better than sum and product rule due to the setting of bias weight. Overall observation, two keystroke feature combination enhance the performance using weighted fusion rules on hybrid model than individual features used on without fusion method.

Fig. 4
figure 4

Performance comparison of hybrid model with four fusion rules

Full size image
Table 3 EER % of four fusion rules
Full size table

8 Conclusions

In light of the current need for enhanced authentication mechanisms, keystroke dynamics shows as a promising alternative. We discussed a promising method for the performance enhancement of keystroke dynamic authentication using hybrid model with four fusion approach. We showed the two keystroke features using hybrid model with four fusion approach to improve the efficiency of a keystroke dynamic authentication system. We described that hybrid model by fusing the scores from two matchers of SVM and GPDF, the result can be improved significantly than using them individually. We showed in our experiment that using two keystroke features combination is able to provide best result than individual keystroke features. The experimental results showed that proposed hybrid model with weighted sum rule using two keystroke feature combination is able to obtain better result of 1.612 % of EER, due to fusion approach helps to increase the performance.