Contributions to Behavioral Authentication Systems

Journal Title
Journal ISSN
Volume Title
Behavioral Authentication (BA) systems authenticate users through their behavioral characteristics. BA systems construct behavioral profiles of users from their well-designed activities, and store profiles in a profile database on the system. For a verification request, a verification algorithm evaluates the request by comparing the provided verification data with the stored profile. In this thesis, we identify a number of shortcomings of these systems that are motivated by the application of these systems in practice. We study these shortcomings and propose solutions to address each. We designed, implemented and evaluated an activity-based BA system for mobile devices that is used to evaluate our proposed systems, experimentally. In more details, we proposed a challenge-response based BA system named DAC (Draw A Circle) and later extended it to eDAC (extended DAC) to improve its accuracy and usability. In both systems, behavioral data are from users’ response to drawing challenge circles. Through extensive analysis and experiments, we chose a set of features that are non-shareable and non-emulatable, and developed a verification algorithm that can successfully authenticate users with overwhelming probability. We studied the effect of database size on verification error, and that verification error increases with the database size. We introduced the notion of scalability of BA systems that requires the error probability of the system to remain (almost) the same as profile database grows; proposed personalization of verification to achieve scalability. To estimate information in BA systems, we used Biometric Information (BI), and Biometric System Entropy (BSE), two different but related approaches used for information measure in biometric-based systems. We studied the applicability of these measures for BA systems. For cryptographic applications, we proposed BAVault, a fuzzy vault based on the profiles in BA systems that can protect a secret key (message) of reasonable length. BAVault ensures profile privacy, even when the key is known. For profile privacy in profile databases and privacy-preserving verification, we proposed a non-cryptographic approach that uses an efficient profile transformation called random projection, projects a profile (verification data) into a lower dimension space and ensures their privacy. The verification is done in the transformed domain using a similar verification algorithm. Finally, we show an attack on BA systems when the verification algorithm uses the outputs of the classifier for verification decision. To impersonate a user of the BA systems, the attacker will utilize the information leakage of the verification algorithm about the output of the classifier. In all the above cases, we implemented our proposed approach and evaluated their performance.
Computer Security, Biometrics, Behavioral Biometrics, Authentication
Islam, M. M. (2021). Contributions to Behavioral Authentication Systems (Doctoral thesis, University of Calgary, Calgary, Canada). Retrieved from