Active Authentication on Mobile Devices via Stylometry ... ? 1 Active Authentication on Mobile Devices

  • Published on

  • View

  • Download


1Active Authentication on Mobile Devices viaStylometry, Application Usage, Web Browsing, andGPS LocationLex Fridman, Steven Weber, Rachel Greenstadt, Moshe KamMassachusetts Institute of Technologyfridman@mit.eduDrexel University{sweber@coe, greenie@cs}.drexel.eduNew Jersey Institute of Technologymoshe.kam@njit.eduAbstractActive authentication is the problem of continuouslyverifying the identity of a person based on behavioral aspectsof their interaction with a computing device. In this study, wecollect and analyze behavioral biometrics data from 200 subjects,each using their personal Android mobile device for a period ofat least 30 days. This dataset is novel in the context of activeauthentication due to its size, duration, number of modalities,and absence of restrictions on tracked activity. The geographicalcolocation of the subjects in the study is representative of alarge closed-world environment such as an organization wherethe unauthorized user of a device is likely to be an insider threat:coming from within the organization. We consider four biometricmodalities: (1) text entered via soft keyboard, (2) applicationsused, (3) websites visited, and (4) physical location of the device asdetermined from GPS (when outdoors) or WiFi (when indoors).We implement and test a classifier for each modality and organizethe classifiers as a parallel binary decision fusion architecture.We are able to characterize the performance of the systemwith respect to intruder detection time and to quantify thecontribution of each modality to the overall performance.Index TermsMultimodal biometric systems, insider threat, in-trusion detection, behavioral biometrics, decision fusion, activeauthentication, stylometry, GPS location, web browsing behavior,application usage patternsI. INTRODUCTIONAccording to a 2013 Pew Internet Project study of 2076 people[1], 91% of American adults own a cellphone. Increasingly,people are using their phones to access and store sensitivedata. The same study found that 81% of cellphone owners usetheir mobile device for texting, 52% use it for email, 49%use it for maps (enabling location services), and 29% use itfor online banking. And yet, securing the data is often nottaken seriously because of an inaccurate estimation of risk asdiscussed in [2]. In particular, several studies have shown thata large percentage of smartphone owners do not lock theirphone: 57% in [3], 33% in [4], 39% in [2], and 48% in thisstudy.Active authentication is an approach of monitoring the behav-ioral biometric characteristics of a users interaction with thedevice for the purpose of securing the phone when the point-of-entry locking mechanism fails or is absent. In recent years,continuous authentication has been explored extensively ondesktop computers, based either on a single biometric modalitylike mouse movement [5] or a fusion of multiple modalitieslike keyboard dynamics, mouse movement, web browsing,and stylometry [6]. Unlike physical biometric devices likefingerprint scanners or iris scanners, these systems rely oncomputer interface hardware like the keyboard and mouse thatare already commonly available with most computers.In this paper, we consider the problem of active authenticationon mobile devices, where the variety of available sensor datais much greater than on the desktop, but so is the variety ofbehavioral profiles, device form factors, and environments inwhich the device is used. Active authentication is the approachof verifying a users identity continuously based on varioussensors commonly available on the device. We study four rep-resentative modalities of stylometry (text analysis), applicationusage patterns, web browsing behavior, and physical locationof the device. These modalities were chosen, in part, dueto their relatively low power consumption. In the remainderof the paper these four modalities will be referred to asTEXT, APP, WEB, and LOCATION, respectively. We considerthe trade-off between intruder detection time and detectionerror as measured by false accept rate (FAR) and false rejectrate (FRR). The analysis is performed on a dataset collectedby the authors of 200 subjects using their personal Androidmobile device for a period of at least 30 days. To the bestof our knowledge, this dataset is the first of its kind studiedin active authentication literature, due to its large size [7], theduration of tracked activity [8], and the absence of restrictionson usage patterns and on the form factor of the mobile device.The geographical colocation of the participants, in particular,makes the dataset a good representation of an environmentsuch as a closed-world organization where the unauthorizeduser of a particular device will most likely come from insidethe organization.We propose to use decision fusion in order to asynchronouslyarXiv:1503.08479v1 [cs.CR] 29 Mar 20152integrate the four modalities and make serial authenticationdecisions. While we consider here a specific set of binaryclassifiers, the strength of our decision-level approach is thatadditional classifiers can be added without having to changethe basic fusion rule. Moreover, it is easy to evaluate themarginal improvement of any added classifier to the overallperformance of the system. We evaluate the multimodal con-tinuous authentication system by characterizing the error ratesof local classifier decisions, fused global decisions, and thecontribution of each local classifier to the fused decision. Thenovel aspects of our work include the scope of the dataset,the particular portfolio of behavioral biometrics in the contextof mobile devices, and the extent of temporal performanceanalysis.The remainder of the paper is structured as follows. In II, wediscuss the related work on multimodal biometric systems,active authentication on mobile devices, and each of thefour behavioral biometrics considered in this paper. In III,we discuss the 200 subject dataset that we collected andanalyzed. In IV, we discuss four biometric modalities, theirassociated classifiers, and the decision fusion architecture. InV, we present the performance of each individual classifier,the performance of the fusion system, and the contribution ofeach individual classifier to the fused decisions.II. RELATED WORKA. Multimodal Biometric SystemsThe window of time based on which an active authenticationsystem is tasked with making a binary decision is relativelyshort and thus contains a highly variable set of biometricinformation. Depending on the task the user is engaged in,some of the biometric classifiers may provide more datathan others. For example, as the user chats with a friendvia SMS, the text-based classifiers will be actively floodedwith data, while the web browsing based classifiers may onlyget a few infrequent events. This motivates the recent workon multimodal authentication systems where the decisions ofmultiple classifiers are fused together [9]. In this way, theverification process is more robust to the dynamic natureof human-computer interaction. The current approaches tothe fusion of classifiers center around max, min, median, ormajority vote combinations [10]. When neural networks areused as classifiers, an ensemble of classifiers is constructed andfused based on different initialization of the neural network[11].Several active authentication studies have utilized multimodalbiometric systems but have all, to the best of our knowledge:(1) considered a smaller pool of subjects, (2) have not char-acterized the temporal performance of intruder detection, and(3) have shown overall significantly worse performance thanthat achieved in our study.Our approach in this paper is to apply the Chair-Varshneyoptimal fusion rule [12] for the combination of availablemultimodal decisions. The strength of the decision-level fusionapproach is that an arbitrary number of classifiers can beadded without re-training the classifiers already in the system.This modular design allows for multiple groups to contributedrastically different classification schemes, each lowering theerror rate of the global decision.B. Mobile Active AuthenticationWith the rise of smartphone usage, active authentication onmobile devices has begun to be studied in the last few years.The large number of available sensors makes for a rich featurespace to explore. Ultimately, the question is the one that we askin this paper: what modality contributes the most to a decisionfusion system toward the goal of fast, accurate verificationof identity? Most of the studies focus on a single modality.For example, gait pattern was considered in [7] achievingan EER of 0.201 (20.1%) for 51 subjects during two shortsessions, where each subject was tasked with walking down ahallway. Some studies have incorporated multiple modalities.For example, keystroke dynamics, stylometry, and behavioralprofiling were considered in [13] achieving an EER of 0.033(3.3%) from 30 simulated users. The data for these userswas pieced together from different datasets. To the best ofour knowledge, the dataset that we collected and analyzed isunique in all its key aspects: its size (200 subjects), its duration(30+ days), and the size of the portfolio of modalities that wereall tracked concurrently with a synchronized timestamp.C. Stylometry, Web Browsing, Application Usage, LocationStylometry is the study of linguistic style. It has been ex-tensively applied to the problems of authorship attribution,identification, and verification. See [14] for a thorough sum-mary of stylometric studies in each of these three problemdomains along with their study parameters and the resultingaccuracy. These studies traditionally use large sets of features(see Table II in [15]) in combination with support vectormachines (SVMs) that have proven to be effective in highdimensional feature space [16], even in cases when the numberof features exceeds the number of samples. Nevertheless, withthese approaches, often more than 500 words are requiredin order to achieve adequately low error rates [17]. Thismakes them impractical for the application of real-time activeauthentication on mobile devices where text data comes inshort bursts. While the other three modalities are not wellinvestigated in the context of active authentication, this is nottrue for stylometry. Therefore, for this modality, we dont rein-vent the wheel, and implement the n-gram analysis approachpresented in [14] that has been shown to work sufficiently wellon short blocks of texts.Web browsing, application usage, and location have not beenstudied extensively in the context of active authentication. Thefollowing is a discussion of the few studies that we are awareof. Web browsing behavior has been studied for the purposeof understanding user behavior, habits, and interests [18].Web browsing as a source for behavioral biometric data was3considered in [19] to achieve average identification FAR/FRRof 0.24 (24%) on a dataset of 14 desktop computer users.Application usage was considered in [8], where cellphonedata (from 2004) from the MIT Reality Mining project [20]was used to achieve 0.1 (10%) EER based on a portfolio ofmetrics including application usage, call patterns, and location.Application usage and movements patterns have been studiedas part of behavioral profiling in cellular networks [8], [21],[22]. However, these approaches use position data of lowerresolution in time and space than that provided by GPS onsmartphones. To the best of our knowledge, GPS traces havenot been utilized in literature for continuous authentication.III. DATASETThe dataset used in this work contains behavioral biometricsdata for 200 subjects. The collection of the data was carriedout by the authors over a period of 5 months. The requirementsof the study were that each subject was a student or employeeof Drexel University and was an owner and an active userof an Android smartphone or tablet. The number of subjectswith each major Android version and associated API level arelisted in Table I. Nexus 5 was the most popular device with10 subjects using it. Samsung Galaxy S5 was the second mostpopular device with 6 subjects using it.Android Version API Level Subjects4.4 19 1434.1 16 164.3 18 154.2 17 94.0.4 15 52.3.6 10 44.0.3 15 32.3.5 10 32.2 8 2TABLE I: The Android version and API level of the 200devices that were part of the study.A tracking application was installed on each subjects deviceand operated for a period of at least 30 days until the subjectcame in to approve the collected data and get the trackingapplication uninstalled from their device. The following datamodalities were tracked with 1-second resolution: Text typed via soft keyboard. Apps visited. Websites visited. Location (based on GPS or WiFi).The key characteristics of this dataset are its large size (200users), the duration of tracked activity (30+ days), and thegeographical colocation of its participants in the Philadelphiaarea. Moreover, we did not place any restrictions on usagepatterns, on the type of Android device, and on the AndroidOS version (see Table I).There were several challenges encountered in the collectionof the data. The biggest problem was battery drain. Due tothe long duration of the study, we could not enable modalitieswhose tracking proved to be significantly draining of batterypower. These modalities include front-facing video for eyetracking and face recognition, gyroscope, accelerometer, andtouch gestures. Moreover, we had to reduce GPS samplingfrequency to once per minute on most of the devices.Event FrequencyText 23,254,478App 927,433Web 210,322Location 143,875TABLE II: The number of events in the dataset associated witheach of the four modalities considered in this paper. A TEXTevent refers to a single character entered on the soft keyboard.An APP events refers to a new app receiving focus. A WEBevent refers to a new url entered in the url box. A LOCATIONevent refers to a new sample of the device location either fromGPS or WiFi.Table II shows statistics on each of the four investigatedmodalities in the corpus. The table contains data aggregatedover all 200 users. The frequency here is a count of thenumber of instances of an action associated with that modality.As stated previously, the four modalities will be referred to asTEXT, APP, WEB, and location. For TEXT, the action is asingle keystroke on the soft keyboard. For APP, the action isopening or bringing focus to a new app. For WEB, the actionis visiting a new website. For LOCATION, no explicitly actionis taken by the user. Rather, location is sampled regularlyat intervals of 1 minute when GPS is enabled. As Table IIsuggests, TEXT events fire 1-2 orders of magnitude morefrequently than the other three.0100200300400500600Duration of Active Interaction (Hours)200 Users (Ordered from Least to Most Active)Fig. 1: The duration of time (in hours) that each of the 200users actively interacted with their device..The data for each user is processed to remove idle periodswhen the device is not active. The threshold for what isconsidered an idle period is 5 minutes. For example, if thetime between event A and event B is 20 minutes, with no otherevents in between, this 20 minutes is compressed down to 5minutes. The date and time of the event are not changed but thetimestamp used in dividing the dataset for training and testing(see V-A) is updated to reflect the new time between eventA and event B. This compression of idle times is performed4in order to regularize periods of activity for cross validationthat utilizes time-based windows as described in V-A. Theresulting compressed timestamps are referred to as activeinteraction. Fig. 1 shows the duration (in hours) of activeinteraction for each of the 200 users ordered from least tomost active.Table III shows three top-20 lists: (1) the top-20 apps based onthe amount of text that was typed inside each app, (2) the top-20 apps based on the number of times they received focused,and (3) the top-20 website domains based on the number oftimes a website associated with that domain was visited. Theseare aggregate measures across the dataset intended to providean intuition about its structure and content, but the top-20 listis the same as that used for the the classifier model based onthe WEB and APP features in IV.Fig. 2: An aggregate heatmap showing a selection from thedataset of GPS locations in the Philadelphia area.Fig. 2 shows a heat map visualization of a selection from thedataset of GPS locations in the Philadelphia area. The subjectsin the study resided in Philadelphia but traveled all overUnited States and the world. There are two key characteristicsof the GPS location data. First, it is relatively unique toeach individual even for people living in the same area ofa city. Second, outside of occasional travel, it does not varysignificantly from day to day. Human beings are creatures ofhabit, and in as much as location is a measure of habit, thisidea is confirmed by the location data of the majority of thesubjects in the study.IV. CLASSIFICATION AND DECISION FUSIONA. Features and ClassifiersThe four distinct biometric modalities considered in our anal-ysis are (1) text entered via soft keyboard, (2) applicationsused, (3) websites visited, and (4) physical location of thedevice as determined from GPS (when outdoors) or WiFi(when indoors). We refer to these four modalities as TEXT,APP, WEB, and LOCATION, respectively. In this section wediscuss the features that were extracted from the raw data ofeach modality, and the classifiers that were used to map thesefeatures into binary decision space.A binary classifier is constructed for each of the 200 users and4 modalities. In total, there are 800 classifiers, each producingeither a probability that a user is valid P (H1) (or a binarydecision of 0 (invalid) or 1 (valid). The first class (H1) foreach classifier is trained on the valid users data and the secondclass (H0) is trained on the other 199 users data. The trainingprocess is described in more detail in V-A. For APP, WEB,and LOCATION, the classifier takes a single instance of theevent and produces a probability. For multiple events of thesame modality, the set of probabilities is fused across timeusing maximum likelihood:H = argmaxi{0,1}xtP (xt|Hi), (1)where = {xt|Tcurrent T (xt) }, is a fixed windowsize in seconds, T (xt) is the timestamp of event xt, andTcurrent is the current timestamp. The process of fusingclassifier scores across time is illustrated in Fig. 3.1) Text: As Table IIIa indicates, the apps into which text wasentered on mobile devices varied, but the activity in majorityof the cases was communication via SMS, MMS, WhatsApp,Facebook, Google Hangouts, and other chat apps. Therefore,TEXT events fired in short bursts. The tracking application cap-tured the keys that were touched on the keyboard and not theautocorrected result. Therefore, the majority of the typed mes-sages had a lot of misspellings and words that were erased inthe final submitted message. In the case of SMS, we also wereable to record the submitted result. For example, an SMS textthat was submitted as Sorry couldnt call back.had associated with it the following recorded keystrokes:Sprry coyld cpuldnt vsll back. Classificationbased on the actual typed keys in principle is a better represen-tation of the persons linguistic style. It captures unique typingidiosyncrasies that autocorrect can conceal. As discussed inII, we implemented a one-feature n-gram classifier from [14]that has been shown to work well on short messages. It worksby analyzing the presence or absence of n-grams with respectto the training set.2) App and Web: The APP and WEB classifier models weconstruct are identical in their structure. For the APP modalitywe use the app name as the unique identifier and count thenumber of times a user visits each app in the training set.For the WEB modality we use the domain of the URL asthe unique identifier and count the number of times a uservisits each domain in the training set. Note that, for example, is a considered a different domain because the subdomain is different. Inthis section we refer to the app name and the web domainas an entity. Table IIIb and Table IIIc show the top entitiesaggregated across all 200 users for APP and WEB respectively.For each user, the classification model for the valid classis constructed by determining the top 20 entities visited by5App Name Keys Per 5,617, 5,552,079com.whatsapp 4,055,622com.facebook.orca 1,252, 1,147,295com.infraware.polarisviewer4 990, 417,165com.facebook.katana 405, 377, 271, 238, 221,461com.motorola.messaging 203, 167,435com.verizon.messaging.vzmsgs 137, 134,896com.handcent.nextsms 123,065com.jb.gosms 118,316com.sonyericsson.conversations 114, 92,605(a)App Name VisitsTouchWiz home 101,151WhatsApp 64,038Messaging 60,015Launcher 39,113Facebook 38,591Google Search 32,947Chrome 32,032Snapchat 23,481System UI 22,772Phone 19,396Gmail 19,329Messages 19,154Contacts 18,668Hangouts 17,209Home 16,775HTC Sense 16,325YouTube 14,552Xperia Home 13,639Instagram 13,146Settings 12,675(b)Website Domain 19, 9, 4, 3, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 725(c)TABLE III: Top 20 apps ordered by text entry and visit frequency and top 20 websites ordered by visit frequency. These tablesare provided to give insight into the structure and content of the dataset.that user in the training set. The quantity of visits is thennormalized so that the 20 frequency values sum to 1. Theclassification model for the invalid class is constructed bycounting the number of visit by the other 199 users to thosesame 20 domains, such that for each of those domains we nowhave a probability that a valid user visits it and an invalid uservisits it. The evaluation for each user given the two empiricaldistributions is performed by the maximum likelihood productin (1). Entities that do not appear in the top 20 are consideredoutliers and are ignored in this classifier.3) Location: Location is specified as a pair of values: latitudeand longitude. Classification is performed using support vectormachines (SVMs) [23] with the radial basis function (RBF)as the kernel function. The SVM produces a classificationscore for each pair of latitude and longitude. This score iscalibrated to form a probability using Platt scaling [24] whichrequires an extra logistic regression on the SVM scores viaan additional cross-validation on the training data. All of thecode in this paper is written by the authors except for the SVMclassifier. Since the authentication system is written in C++,we used the Shark 3.0 machine learning library for the SVMimplementation.B. Decision FusionDecision fusion with distributed sensors is described by Ten-ney and Sandell in [25] who studied a parallel decisionarchitecture. As described in [26], the system comprises ofn local detectors, each making a decision about a binaryhypothesis (H0, H1), and a decision fusion center (DFC) thatuses these local decisions {u1, u2, ..., un} for a global decisionabout the hypothesis. The ith detector collects K observationsbefore it makes its decision, ui. The decision is ui = 1 if thedetector decides in favor of H1 and ui = 1 if it decidesin favor of H0. The DFC collects the n decisions of thelocal detectors and uses them in order to decide in favor ofH0(u = 1) or in favor of H1(u = 1). Tenney and Sandell[25] and Reibman and Nolte [27] studied the design of thelocal detectors and the DFC with respect to a Bayesian cost,assuming the observations are independent conditioned on thehypothesis. The ensuing formulation derived the local andDFC decision rules to be used by the system components foroptimizing the system-wide cost. The resulting design requiresthe use of likelihood ratio tests by the decision makers (localdetectors and DFC) in the system. However the thresholdsused by these tests require the solution of a set of nonlinearcoupled differential equations. In other words, the design ofthe local decision makers and the DFC are co-dependent. Inmost scenarios the resulting complexity renders the quest foran optimal design impractical.Chair and Varshney in [12] developed the optimal fusion rulewhen the local detectors are fixed and local observations arestatistically independent conditioned on the hypothesis. DataFusion Center is optimal given the performance characteristicsof the local fixed decision makers. The result is a suboptimal(since local detectors are fixed) but computationally efficientand scalable design. In this study we use the Chair-Varshneyformulation. The parallel distributed fusion scheme (see Fig. 3)allows each classifier to observe an event, minimize the localrisk and make a local decision over the set of hypothesis,based on only its own observations. Each classifier sends outa decision of the form:ui ={1, if H1 is decided1, if H0 is decided(2)The fusion center combines these local decisions by mini-mizing the global Bayes risk. The optimum decision rule62TimetextStart of Activitytext text text text textapp appweb weblocation locationClassifiersData Fusion CenterC1C2C3C4{1,1}{1,1}{1,1}{1,1}{1,1}Fig. 3: The fusion architecture across time and across classifiers. The TEXT, APP, WEB, and LOCATION boxes indicate a firingof a single event associated with each of those modalities. Multiple classifier scores from the same modality are fused via (1)to produce a single local binary decision. Local binary decisions from each of the four modalities are fused via (4) to producea single global binary decision.performs the following likelihood ratio testP (u1, ..., un|H1)P (u1, ..., un|H0)H1H0P0P1= (3)where the a priori probabilities of the binary hypotheses H1and H0 are P1 and P0 respectively. In this case the generalfusion rule proposed in [12] isf(u1, ..., un) ={1, if a0 +ni=0 aiui > 01, otherwise(4)with PMi , PFi representing the False Rejection Rate (FRR) andFalse Acceptance Rate (FAR) of the ith classifier respectively.The optimum weights minimizing the global probability oferror are given bya0 = logP1P0(5)ai =log1PMiPFi, if ui = 1log1PFiPMi, if ui = 1(6)The threshold in (3) requires knowledge of the a prioriprobabilities of the hypotheses. In practice, these probabilitiesare not available, and the threshold is determined usingdifferent considerations such as fixing the probability of falsealarm or false rejection as is done in V-C.V. RESULTSA. Training, Characterization, TestingThe data of each of the 200 users active interaction withthe mobile device was divided into 5 equal-size folds (eachcontaining 20% time span of the full set). We performedtraining of each classifier on the first three folds (60%). Wethen tested their performance on the fourth fold. This phaseis referred to as characterization, because its sole purposeis to form estimates of FAR and FRR for use by the fusionalgorithm. We then tested the performance of the classifiers,individually and as part of the fusion system, on the fifth fold.This phase is referred to as testing since this is the partthat is used for evaluation the performance of the individualclassifiers and the fusion system. The three phases of training,characterization, and testing as they relate to the data folds areshown in Fig. 4. Training on folds 1, 2, 3.Characterization on fold 4.Testing on fold 5. Training on folds 2, 3, 4.Characterization on fold 5.Testing on fold 1. Training on folds 3, 4, 5.Characterization on fold 1.Testing on fold 2. Training on folds 4, 5, 1.Characterization on fold 2.Testing on fold 3. Training on folds 5, 1, 2.Characterization on fold 3.Testing on fold 4.Sensor Performance:Training, Characterization, Testing5Methodology60% of user 1 dataUser 1We train, characterize, and test the binary classifier for User 1 on two classes:1. User 12. Users 2 through 6720% of user 1 20% of user 1Training Characterization Testing60% of user 2 dataUser 2 20% of user 2 20% of user 2Training Characterization Testing60% of user 3 dataUser 3 20% of user 3 20% of user 360% of user 67 dataUser 67 20% of user 67 20% of user 67 Class 1: AcceptClass 2: RejectFig. 4: The three phases of processing the data to determine theindividual performance of each classifiers and the performanceof the fusion system that combines some subset of theseclassifiers.7The common evaluation method used with each classifier fordata fusion was measuring the averaged error rates across fiveexperiments; In each experiment, data of 3 folds was takenfor training, 1 fold for characterization, and 1 for testing.The FAR and FRR computed during characterization weretaken as input for the fusion system as a measurement ofthe expected performance of the classifiers. Therefore eachexperiment consisted of three phases: 1) train the classifier(s)using the training set, 2) determine FAR and FRR based onthe training set, and 3) classify the windows in the test set.B. Performance: Individual Classifiers00. 4.2 7.4 10.7 13.9 17.1 20.3 23.6 26.8 30False Accept Rate (FAR)Time Before Decision (mins)LocationAppTextWeb00. 4.2 7.4 10.7 13.9 17.1 20.3 23.6 26.8 30False Reject Rate (FRR)Time Before Decision (mins)LocationAppTextWebFig. 5: FAR and FRR performance of the individual classifiersassociated with each of the four modalities. Each bar representthe average error rate for a given module and time window.Each of the 200 users has 2 classifiers for each modality,so each bar provides a value that was averaged over 200individual error rates. The error bar indicate the standarddeviation across these 200 values.The conflicting objectives of an active authentication systemare of response-time and performance. The less the systemwaits before making an authentication decision, the higherthe expected rate of error. As more behavioral biometric datatrickles in, the system can, on average, make a classificationdecision with greater certainty.This pattern of decreased error rates with an increased deci-sion window can be observed in Fig. 5 that shows (for 10different time windows) the FAR and FRR of the 4 classifiersaveraged over the 200 users with the error bars indicatingthe standard deviation. The testing fold (see V-A) is usedfor computing these error rates. The characterization folddoes not affect these results, but is used only for FAR/FRRestimation required by the decision fusion center in V-C.The time before decision is the time between the firstevent indicating activity and the first decision produced bythe fusion system. This metric can be thought of as decisionwindow size. Events older than the time range covered bythe time-window are disregarded in the classification. If noevent associated with the modality under consideration firesin a specific time window, no error is added to the average.Event Firing Rate (per hour)Text 557.8App 23.2Web 5.6Location 3.5TABLE IV: The rates at which an event associated witheach modality fires per hour. On average, GPS location isprovided only 3.5 times an hour.There are two notable observations about the FAR/FRR plotsin Fig. 5. First, the location modality provides the lowesterror rates even though on average across the dataset it firesonly 3.5 times an hour as shown in Table IV. This meansthat classification on a single GPS coordinate is sufficient tocorrectly verify the user with an FAR of under 0.1 and an FRRof under 0.05. Second, the text modality converges to an FARof 0.16 and an FRR of 0.11 after 30 minutes which is oneof the worse performers of the four modalities, even thoughit fires 557.8 times an hour on average. At the 30 minutemark, that firing rate equates to an average text block size of279 characters. An FAR/FRR of 0.16/0.11 with 279 charactersblocks improves on the error rates achieved in [14] with 500character blocks which in turn improved on the errors ratesachieved in prior work for blocks of small text (see [14] fora full reference list on short-text stylometric analysis).C. Performance: Decision FusionThe events associated with each of the 4 modalities fire atvery different rates as shown in Table IV. Moreover, textevents fire in bursts, while the location events fire at regularlyspaced intervals when GPS signal is available. The app andweb events fire at varying degrees of burstiness dependingon the user. Fig. 6 shows the distribution of the number ofevents that fire within each of the time windows. An importanttakeaway from these distributions is that most events come inbursts followed by periods of inactivity. This results in thecounterintuitive fact that the 1 minute, 10 minute, and 30minute windows have a similar distribution on the numberof events that fire within them. This is why the decrease inerror rates attained from waiting longer for a decision is notas significant as might be expected.Asynchronous fusion of classification of events from each ofthe four modalities is robust to the irregular rates at which81 2 3 4 5 6 7 8 9 10 11 12 13Number of Events Fired in Time Window0. min window10 min window30 min windowFig. 6: The distribution of the number of events that fire withina given time window. This is a long tail distribution as non-zero probabilities of event frequencies above 13 extend toover 100. These outliers are excluded from this histogram plotin order to highlight the high-probability frequencies. Timewindows in which no events fire are not included in this fire. The decision fusion rule in (4) utilizes all theavailable biometric data, weighing each classifier accordingto its prior performance. Fig. 7 shows the receiver operatingcharacteristic (ROC) curve trading off between FAR and FRRby varying the threshold parameter in (3). 0.05 0.1 0.15 0.2False Accept Rate (FAR)False Reject Rate (FRR)1 mins10 mins30 minsFig. 7: The performance of the fusion system with 4 classifierson the 200 subject dataset. The ROC curve shows the tradeoffbetween FAR and FRR achieved by varying the thresholdparameter a0 in (4).As the size of the decision window increases, the performanceof the fusion system improves, dropping from an equal errorrate (EER) of 0.05 using the 1 minute window to below 0.01EER using the 30 minute window.D. Contribution of Local Classifiers to Global Decision00. 10 30Individual Sensor Contribution (Ci)Time Before Decision (mins)LocationAppTextWebFig. 8: Relative contribution of each of the 4 classifierscomputed according to (7).The performance of the fusion system that utilizes all fourmodalities of TEXT, APP, WEB, and LOCATION is described inthe previous section. Besides this, we are able to use the fusionsystem to characterize the contribution of each of the localclassifiers to the global decision. This is the central questionwe consider in the paper: what biometric modality is mosthelpful in verifying a persons identity under a constraint ofa specific time window before the verification decision mustbe made? We measure the contribution Ci of each of the fourclassifiers by evaluating the performance of the system withand without the classifier, and computing the contribution by:Ci =Ei EEi(7)where E is the error rate computed by averaging FAR and FRRof the fusion system using the full portfolio of 4 classifiers,Ei is the error rate of the fusion system using all but thei-th classifier, and Ci is the relative contribution of the i-thclassifier as shown in Fig. 8. We consider the contributionof each classifier under three time windows of 1 minute, 10minutes, and 30 minutes. Location contributes the most in allthree cases, with the second biggest contributor being webbrowsing. Text contributes the least for the small window of1 minute, but improve for the large windows. App usage isthe least predictable contributor. One explanation for the APP9modality contributing significantly under the short decisionwindow is that the first app opened in a session is a strongand frequent indicator of identity. Therefore, its contributionis high for short decision windows.VI. CONCLUSIONIn this work, we proposed a parallel binary decision-levelfusion architecture for classifiers based on four biometricmodalities: text, application usage, web browsing, and loca-tion. Using this fusion method we addressed the problem ofactive authentication and characterized its performance on areal-world dataset of 200 subjects, each using their personalAndroid mobile device for a period of at least 30 days. Theauthentication system achieved an equal error rate (ERR) of0.05 (5%) after 1 minute of user interaction with the device,and an EER of 0.01 (1%) after 30 minutes. We showed theperformance of each individual classifier and its contributionto the fused global decision. The location-based classifier,while having the lowest firing rate, contributes the most tothe performance of the fusion system.Lex Fridman is a Postdoctoral Associate at the MassachusettsInstitute of Technology. He received his BS, MS, and PhDfrom Drexel University. His research interests include machinelearning, decision fusion, and numerical optimization.Steven Weber received the BS degree in 1996 from MarquetteUniversity in Milwaukee, Wisconsin, and the MS and PhDdegrees from the University of Texas at Austin in 1999 and2003, respectively. He joined the Department of Electrical andComputer Engineering at Drexel University in 2003, wherehe is currently an associate professor. His research interestsare centered around mathematical modeling of computer andcommunication networks, specifically streaming multimediaand ad hoc networks. He is a senior member of the IEEE.Rachel Greenstadt is an Associate Professor of ComputerScience at Drexel University, where she research the privacyand security properties of intelligent systems and the eco-nomics of electronic privacy and information security. Herwork is at layer 8 of the network analyzing the content.She is a member of the DARPA Computer Science StudyGroup and she runs the Privacy, Security, and AutomationLaboratory (PSAL) which is a vibrant group of ten researchers.The privacy research community has recognized her scholar-ship with the PET Award for Outstanding Research in PrivacyEnhancing Technologies, the NSF CAREER Award, and theAndreas Pfitzmann Best Student Paper Award.Moshe Kam received his BS in electrical engineering fromTel Aviv University in 1976 and MSc and PhD from DrexelUniversity in 1985 and 1987, respectively. He is the Deanof the Newark College of Engineering at the New JerseyInstitute of Technology, and had served earlier (2007-2014) asthe Robert Quinn professor and Department Head of Electricaland Computer Engineering at Drexel University. His profes-sional interests are in system theory, detection and estimation,information assurance, robotics, navigation, and engineeringeducation. In 2011 he served as President and CEO of IEEE,and at present he is member of the Boards of Directors ofABET and the United Engineering Foundation (UEF). He is afellow of the IEEE for contributions to the theory of decisionfusion and distributed detection.REFERENCES[1] M. Duggan, Cell phone activities 2013, Cell, 2013.[2] S. Egelman, S. Jain, R. S. Portnoff, K. Liao, S. Consolvo, and D. Wagner,Are you ready to lock? in Proceedings of the 2014 ACM SIGSACConference on Computer and Communications Security. ACM, 2014,pp. 750761.[3] M. Harbach, E. von Zezschwitz, A. Fichtner, A. De Luca, and M. Smith,Itsa hard lock life: A field study of smartphone (un) locking behaviorand risk perception, in Symposium on Usable Privacy and Security(SOUPS), 2014.[4] D. Van Bruggen, S. Liu, M. Kajzer, A. Striegel, C. R. Crowell, andJ. DArcy, Modifying smartphone user locking behavior, in Proceed-ings of the Ninth Symposium on Usable Privacy and Security. ACM,2013, p. 10.[5] C. Shen, Z. Cai, X. Guan, and J. Wang, On the effectiveness andapplicability of mouse dynamics biometric for static authentication: Abenchmark study, in Biometrics (ICB), 2012 5th IAPR InternationalConference on. IEEE, 2012, pp. 378383.[6] A. Fridman, A. Stolerman, S. Acharya, P. Brennan, P. Juola, R. Green-stadt, and M. Kam, Decision fusion for multimodal active authentica-tion, IEEE IT Professional, vol. 15, no. 4, July 2013.[7] M. O. Derawi, C. Nickel, P. Bours, and C. Busch, Unobtrusive user-authentication on mobile phones using biometric gait recognition, inIntelligent Information Hiding and Multimedia Signal Processing (IIH-MSP), 2010 Sixth International Conference on. IEEE, 2010, pp. 306311.[8] F. Li, N. Clarke, M. Papadaki, and P. Dowland, Active authenticationfor mobile devices utilising behaviour profiling, International Journalof Information Security, vol. 13, no. 3, pp. 229244, 2014.[9] T. Sim, S. Zhang, R. Janakiraman, and S. Kumar, Continuous veri-fication using multimodal biometrics, Pattern Analysis and MachineIntelligence, IEEE Transactions on, vol. 29, no. 4, pp. 687700, 2007.[10] J. Kittler, M. Hatef, R. Duin, and J. Matas, On combining classifiers,Pattern Analysis and Machine Intelligence, IEEE Transactions on,vol. 20, no. 3, pp. 226239, 1998.[11] C.-H. Chen and C.-Y. Chen, Optimal fusion of multimodal biometricauthentication using wavelet probabilistic neural network, in ConsumerElectronics (ISCE), 2013 IEEE 17th International Symposium on. IEEE,2013, pp. 5556.[12] Z. Chair and P. Varshney, Optimal data fusion in multiple sensor de-tection systems, Aerospace and Electronic Systems, IEEE Transactionson, vol. AES-22, no. 1, pp. 98 101, jan. 1986.[13] H. Saevanee, N. Clarke, S. Furnell, and V. Biscione, Text-based activeauthentication for mobile devices, in ICT Systems Security and PrivacyProtection. Springer, 2014, pp. 99112.[14] M. L. Brocardo, I. Traore, S. Saad, and I. Woungang, Authorship veri-fication for short messages using stylometry, in Computer, Informationand Telecommunication Systems (CITS), 2013 International Conferenceon. IEEE, 2013, pp. 16.[15] A. Abbasi and H. Chen, Writeprints: A stylometric approach toidentity-level identification and similarity detection in cyberspace, ACMTransactions on Information Systems (TOIS), vol. 26, no. 2, p. 7, 2008.[16] A. W. E. McDonald, S. Afroz, A. Caliskan, A. Stolerman, and R. Green-stadt, Use fewer instances of the letter i: Toward writing styleanonymization. in Lecture Notes in Computer Science, vol. 7384.Springer, 2012, pp. 299318.10[17] A. Fridman, A. Stolerman, S. Acharya, P. Brennan, P. Juola, R. Green-stadt, and M. Kam, Multi-modal decision fusion for continuous authen-tication, Computers and Electrical Engineering, p. Accepted, 2014.[18] R. Yampolskiy, Behavioral modeling: an overview, American Journalof Applied Sciences, vol. 5, no. 5, pp. 496503, 2008.[19] M. Abramson and D. W. Aha, User authentication from web browsingbehavior. in FLAIRS Conference, 2013.[20] N. Eagle, A. S. Pentland, and D. Lazer, Inferring friendship networkstructure by using mobile phone data, Proceedings of the NationalAcademy of Sciences, vol. 106, no. 36, pp. 15 27415 278, 2009.[21] B. Sun, F. Yu, K. Wu, and V. Leung, Mobility-based anomaly detectionin cellular mobile networks, in Proceedings of the 3rd ACM workshopon Wireless security. ACM, 2004, pp. 6169.[22] J. Hall, M. Barbeau, and E. Kranakis, Anomaly-based intrusiondetection using mobility profiles of public transportation users, inWireless And Mobile Computing, Networking And Communications,2005.(WiMob2005), IEEE International Conference on, vol. 2. IEEE,2005, pp. 1724.[23] S. Abe, Support vector machines for pattern classification. Springer,2010.[24] A. Niculescu-Mizil and R. Caruana, Predicting good probabilitieswith supervised learning, in Proceedings of the 22nd internationalconference on Machine learning. ACM, 2005, pp. 625632.[25] R. R. Tenney and J. Nils R. Sandell, Decision with distributed sensors,IEEE Transactions on Aerospace and Electronic Systems, vol. AES-17,pp. 501510, 1981.[26] M. Kam, W. Chang, and Q. Zhu, Hardware complexity of binarydistributed detection systems with isolated local bayesian detectors,IEEE Transactions on Systems Man and Cybernetics, vol. 21, pp. 565571, 1991.[27] A. R. Reibman and L. Nolte, Optimal detection and performanceof distributed sensor systems, IEEE Transactions on Aerospace andElectronic Systems, vol. AES-23, pp. 2430, 1987.I IntroductionII Related WorkII-A Multimodal Biometric SystemsII-B Mobile Active AuthenticationII-C Stylometry, Web Browsing, Application Usage, LocationIII DatasetIV Classification and Decision FusionIV-A Features and ClassifiersIV-A1 TextIV-A2 App and WebIV-A3 LocationIV-B Decision FusionV ResultsV-A Training, Characterization, TestingV-B Performance: Individual ClassifiersV-C Performance: Decision FusionV-D Contribution of Local Classifiers to Global DecisionVI ConclusionReferences