Talk Title: Biometric Schemes for Risk-Based Authentication in Web Environment Systems
Speaker: Professor Mohammad S. Obaidat
Host: Professor 何道敬
Time: Tuesday, June 19, 2018, 16:00-17:00
Professor Mohammad S. Obaidat (Fellow of IEEE and Fellow of SCS) is an internationally well-known academic, researcher and scientist. He received his Ph.D. and M.S. degrees in Computer Engineering with a minor in Computer Science from The Ohio State University, Columbus, Ohio, USA.
Among his previous positions are Advisor to the President of Philadelphia University for Research, Development and Information Technology, President of the Society for Modeling and Simulation International (SCS), Senior Vice President of SCS, Dean of the College of Engineering at Prince Sultan University, Chair and Professor at the Department of Computer and Information Science and Director of the MS Graduate Program in Data Analytics at Fordham University, and Chair and Professor of the Department of Computer Science and Director of the Graduate Program at Monmouth University. He is also a Full Professor at the ECE Department, Nazarbayev University, a Full Professor at the King Abdullah II School of Information Technology, University of Jordan, Distinguished Honorary Professor at The Amity University and Distinguished Visiting Professor at the University of Science and Technology Beijing.
Existing risk-based authentication systems rely on basic web communication information such as the source IP address or the velocity of transactions performed by a specific account or originating from a certain IP address. Such information can easily be spoofed, which calls into question the robustness and reliability of the proposed systems.
Risk-based authentication can be applied from two different perspectives: proactively and reactively. When applied proactively, risk-based authentication can be integrated with the login process and used to block access from the outset for users flagged as risky. In contrast, reactive risk-based authentication can be used to identify and revert ongoing or completed transactions considered risky.
Although proactive risk-based authentication may be considered more desirable than reactive risk-based authentication, the cost of a misclassification error is far greater in the former than in the latter. In other words, proactive approaches are subject to more stringent accuracy requirements than reactive ones. Each category is suited to specific scenarios. While proactive risk-based authentication is important in situations where confidentiality is essential, such as in military or intelligence transactions, reactive risk-based authentication may be enough in situations where integrity is the primary concern. For instance, in online banking transactions, malicious transactions can be reverted (immediately) by the end of the session if the user is classified as risky.
In this talk, we review the basic techniques for biometrics-based security and our related works on keystroke-based security. We then introduce our new online biometric risk-based authentication system that provides more robust user identity information by combining mouse dynamics and keystroke dynamics biometrics in a multimodal framework. Experimental evaluation of our proposed model with 24 participants yields an Equal Error Rate of 8.21%, which is promising considering that we are dealing with free text and free mouse movements, and the fact that many web sessions tend to be very short. Moreover, we believe this performance is good for reactive risk-based authentication, where the goal is not to prevent the user from using the system, but rather to identify malicious sessions and trigger appropriate risk mitigation measures.