Keywords

1 Introduction

Recently, smart wearable devices gradually come into people’s vision. They bring new means to human-computer interaction, and are also applied to instant messaging, quick payment and other fields, which usually store contact information, bank account password and other privacy information. Unfortunately, these devices are easy to be stolen for their portable and small size, even be attacked by malware [1]. Under such circumstances, it’s emergency to solve the security problems of smart wearable devices.

The unlocking and identity authentication method is an indispensable part of smart wearable devices. Classical identity authentication methods are usually memory-based. The most widely used one is PIN unlock method. However, it’s inconvenient to set a long password due to the small screen and frequent unlocking request especially in smart wearable devices, but short passwords are vulnerable to be cracked by guessing, peeping or brute-force attack. So, the traditional unlocking approaches seem to be not feasible for smart wearable devices.

Biometric methods are explored to meet the urgent demand for security and usability of the wearables, which can be divided into two main categories [2]: physiological characteristics and behavioral characteristics. The former contain voice, fingerprints, face, iris, etc., which are sensitive to external environment or personal status. While the latter, including gesture, typing habit, gait, mouse using habit, etc., which are not easy to be affected by external circumstance and performs well in most situations especially in terms of stability and reliability.

Compared with other behavioral characteristics, handwaving has its own advantages in biometric authentication for wearable devices. which is more unique, reliable and unduplicable, as it corresponds with physiological structure and behavioral habits. It has already been applied and proved feasible in some areas (e.g. smartphone unlock and authentication) preliminarily [3]. Meanwhile, handwaving based authentication is labour-saving, especially for smartwatch users.

However, how to extract a unique and stable pattern from handwaving gestures is still a challenging task. In this paper, we propose a handwaving based unlocking system, Alertor, for wearable devices, which is lightweight and user-friendly. The system first reads accelerometer data when user waves hand, and then preprocesses the raw data via shaking functions. And then it adopts Manhattan scaled one-class classifier to discriminate the true user and imposters. We recruited 10 volunteers and established a 150-person-time handwaving dataset with a Samsung Gear 2 smartwatch in multiple scenarios. Alertor achieves an EER of 4.27% in the free-shaking scenario and 14.46% in the imitation-attack scenario, demonstrating that our system is feasible and applicable.

2 Background and Related Work

In this section, we briefly review multiple applications of biometric methods.

2.1 Gait Authentication

Previous studies composed several different identity authentication methods based on user’s gait habit [4,5,6]. But most results are claimed under an experimental environment. Actually, authentication accuracy may show an unstable behavior when facing various ground environments. For example, when people stand above the grass or snowfield or wet road, the precision rate may fluctuate observably. Besides, it can’t be used while the user remains stationary. That is to say, this method’s application is a bit limited.

2.2 Touch Authentication

The authentication based on touch gesture in literature started in 2013. Frank et al. published a paper about utilizing touchscreen swipe behavior to conduct continuous authentication [7]. After that, researchers concentrate on touchscreen click, swipe, drag and drop and other behavior features [8,9,10]. These previous studies proved the feasibility of identity authentication based on touch gesture: under the circumstance of a single environment and neglecting the observation time, the accuracy can reach more than 90% across current small data set. However, the stability of this method is not ideal since the numerical value of extracted feature vector is small. Feature will be indistinctive especially when the user has other drastic actions.

2.3 Accelerator Authentication

In biometrics areas, accelerator is an important data source for actions or behaviors sensing. There are several researches parallel to this study, utilizing accelerator to collect raw data of user’s behavior pattern and extract features from these data to identify the user [11, 12]. Just like what mentioned in [11], the user is asked to conduct a specific secret gesture in air to execute the authentication. Likewise, in [12], the user needs to hold a detection device and shake it up and down for 5 times. Both of the two means are similar to traditional PIN authentication method as they request for a specific behavior (or we can call it gesture password). So they have security vulnerabilities: once the gesture password has been recorded or glimpsed by someone else, the device may be hacked in without a hitch by action imitation.

3 Data Collection and Feature Extraction

In this section, we give a detailed introduction to data collection, establishment of dataset, and feature extraction.

3.1 Shaking Data Collection

We recruited 10 subjects into our experiment, including 7 males and 3 females, who are all students of campus. There are 9 right-handed and 1 left-handed. We developed a third-party application running in the background on a Samsung Gear S2 smartwatch to collect accelerometer data. All the data are recorded as a sequence of tuples in the form of \((x_t,y_t,z_t)\), where x, y, z donate the acceleration in x-axis, y-axis and z-axis respectively, and t represents the timestamp.

In our experiment, we considered different attacker scenarios. In each session we select a user as the genius user and others as imposters, and all the subjects form a group. Then we divide the whole group into four classes (one genius-user type and three attacker types) with different tasks: firstly, the genius user shakes the smartwatch for three times and we record a video of him, where every single shaking procedure consists of one second waiting and nine seconds shaking. And then, we choose three imposters to watch the shaking video and shake the smartwatch for three times with recalling the gesture. Meanwhile, we select other three imposters to watch the video and imitate with the video while shaking the smartwatch for three times. At last, we choose all the remaining three imposters to shake the smartwatch for three times as they want. In this way, we collect 30 times shaking data for every single group, then we choose another genius user for data acquisition, we call it Group 2.

We can get data of Group 3 to Group 5 by repeating the steps. After 5 times collection, we have a total of 150 sets of shaking data (10 subjects \(\times \) 3 times shaking \(\times \) 5 different genius users). Finally, we has obtained approximately 150,000 raw tuples in total.

Fig. 1.
figure 1

Filter effect picture

Full size image

3.2 Data Preprocessing

Although in the data collection stage we set a built-in method to filter the outliers beyond the preset range, there are still some data not satisfied with our experiment. Therefore, we have to design a filter to remove these improper data, such as the data of the initial and end stage, whose value is too low to be recognized. The filter must have the properties of efficiency and robustness. We design a filter presented as follows:

$$\begin{aligned} \sum _{i=1}^r({A_i}-m)\times \frac{(2b+1)}{(r-l+1)}< \alpha \end{aligned}$$
(1)

where \(A_i\) is the acceleration of time i, m is the mean value of raw data, r is the right boundary and l is the left boundary. b is the longest length of low-value data you can accept, a is the threshold which represents the lowest value you put into your experiment. The effect of this filtering algorithm is depicted in Fig. 1. It’s obvious that the initial stage with low-value data have been removed.

Fig. 2.
figure 2

User wave data contrast

Full size image
Fig. 3.
figure 3

Shaking function distribution result

Full size image

3.3 Feature Extraction

The raw shaking data can’t be used directly to anomaly detectors. So, we need to design a feature extraction procedure before system implementation. To investigate the raw data characteristics, we present several subjects’ raw shaking data in Fig. 2, where the user 1 test1 and test2 represent two operations of same user, and the user 2 and 3 represent another two users’ single operation respectively. Apparently, the raw data resemble across one test to another of the same subject, but differ from each other through different subjects. In order to depict the data characteristics, we define a shaking function, which is given by:

$$\begin{aligned} f = S(A) \end{aligned}$$
(2)

where A = {\((x_0,y_0,z_0 ),(x_1,y_1,z_1),\dots ,(x_n,y_n,z_n)\)}. A is the acceleration data sequence of subjects. We select A as the input and compute feature vector f as the output. We bring in 4 shaking functions which describe the data in angle and distance and apply them to the raw data and obtain results exhibited in Fig. 3. Obviously, the results of these four functions are satisfactory as the distinction of the features is clear. The distinguishing effect of \(f_4\) is the most significant above all, so we finally choose \(f_4\) as the shaking function we use to extract features.

4 Classification Framework and Experiments

Empirically, the features we extract in the previous section show a larger variance across different user than for a single user. This observation motivates us to classify the users among a classifier. In this section, we expound the classifier we use to identity authentication. Then we carried out various experiments to investigate the feasibility of the system we designed.

4.1 Choice of Classifiers

A classifier is designed to utilize the feature vector to distinguish the genius user and imposters. In the process of our experiment, we use Manhattan (scaled) classifier to classification. This classic detector was described by Araújo et al. [13]. In the training stage, the mean of feature vector matrix is computed, and the mean average deviation is also calculated. In the test stage, we calculate the Manhattan distance and make it to the similarity of two feature vectors, and choose it as the user score, the anomaly score is calculated by \(\sum _{i=1}^p|x_i-y_i|/a_i \), where \(x_i\) and \(y_i\) are the value of i-th dimension of test and mean vector respectively, and \(a_i\) is the mean average deviation.

4.2 Influence of Application Scenarios

Safety guarantee varies with the application context and environment. If we set a high security level, the true user may be locked out of our system, while if it is too low, the imposters may easily hack in the system and theft of user’s secret. Therefore, there must be a trade-off between usability and security. To measure the performance of our system, we use the FAR and FRR to generate a ROC curve, where FAR is false acceptance rate, representing the rate of imposters who has been accepted by our system; and FRR is the false rejection rate, representing the rate of genius user who has been rejected by our system. A ROC curve example of Manhattan (scaled) detector and SVM detector is shown in Fig. 4. We choose the point where the FAR equals to the FRR, and call it as EER (equal-error rate).

As described in Sect. 3, we consider three types of application scenarios, which are: imitating, imitating with video and the shake as what you like. Instinctively the first two scenarios may have a high ability to break into the system, but the last is weaker. For this reason, we experimentally analyze three different authentication scenarios.

We train our system and test it as follows:

  1. 1.

    In every single test, we choose one genius user, and let the rest of the group subjects as imposters.

  2. 2.

    Then, we train our system with the first set of shaking data of the true user.

  3. 3.

    Finally, we test the system with the remaining data of the true user and all the three sets of data of imposters.

This progress is repeated among 5 groups, designating single person in every group as the genius user in turn, and train the system the corresponding three-time shaking data. After training 150 times (10 subjects \(\times \) 5 groups \(\times \) 3 times) and testing for all datasets we collected for 4350 times(29 Non-training data \(\times \) 30 individual data in every group \(\times \) 5group), we have got 150 sets EERs (10 subjects \(\times \) 5 groups \(\times \) 3 times) in total. Then we calculate the mean value of them, and present the experiment result in Table 1 and Fig. 4. In general, the performance of our system works well in the case of uninformed imposters, and the video imitators can enter the system more easily than the imitators of memory.

Table 1. Different scenarios authentication accuracy
Full size table
Fig. 4.
figure 4

ROC curve example

Full size image

5 Conclusion

The trend to access and store privacy information using wearable devices has stressed an urgent demand of applicable and handy authentication mechanism for wearable devices. To the best of our knowledge, our work is the first to systematically design and evaluate the biometric authentication scheme on smart wearable devices. From data acquisition and preprocessing, feature extraction to classification, we provide a detailed implementation of handwaving-gesture authentication system on wearable devices. Furthermore, we collected handwaving data from 10 subjects and have established a 150-person-time dataset to evaluate authentication performance and facilitate future research. Our experimental results indicate that our system is capable of discriminating genuine user and resisting imitation attacks.