AMES, Iowa – We’ve all typed in a password to access a computer network. But how secure is that? Passwords can be hacked or hijacked to get at sensitive personal, corporate or even national security data.
That reality has Iowa State engineers looking for methods beyond passwords to verify computer users and protect data. They started by tracking individual typing patterns; now they’re working to identify and track individual patterns for using a mobile device or a computer mouse.
Morris Chang, an Iowa State University associate professor of electrical and computer engineering, says the patterns are unique to individuals.
“These pauses between words, searches for unusual characters and spellings of unfamiliar words, all have to do with our past experiences, our learning experiences,” he said. “And so we call them ‘cognitive fingerprints’ which manifest themselves in typing rhythms.”
Prototype software technology developed by Chang and his research team can identify differences in typing rhythms: In experiments at Iowa State involving more than 2,000 computer users, the technology recorded false acceptance and rejection rates of .5 percent.
“Our technology is able to distinguish legitimate users versus imposters, based on the large-scale experiments we’ve been able to conduct,” Chang said.
He also said engineers can improve those accuracy rates by combining analysis of typing patterns with analysis of mouse or mobile device patterns.
A defense initiative
The Defense Advanced Research Projects Agency (DARPA) of the U.S. Department of Defense has supported Chang’s study of typing patterns with a one-year grant of $500,000. It is now supporting additional work in mobile device and mouse patterns with a two-year, $1.76 million grant.
Working with Chang to develop the cyber security technologies are Terry Fang, Kuan-Hsing Ho and Danny Shih, Iowa State graduate students in electrical and computer engineering.
Chang said studies of keystroke dynamics go all the way back to the Morse code days. But he said the earlier attempts weren’t accurate enough to reliably identify users. The available technology just wasn’t up to the job.
“The technology we use today helped us to facilitate our research approach,” Chang said.
The engineers’ Cognitive Typing Rhythm technology records and collects a computer user’s typing patterns during a 90-minute typing exercise. That information is then loaded into the security system where it can be used to constantly monitor network users.
“The system can see if the same person or an imposter is coming in to hijack the computer,” Chang said.
And when the system detects a hijacking, Chang said it could lock a user out of the network, restrict access to sensitive information or ask for another password.
The technology operates behind the scenes and is invisible to computer users. It doesn’t require any additional hardware. And it’s now available for licensing from the Iowa State University Research Foundation.
“When you use a computer today, the user is typically only verified during the initial login,” Chang said. “But DARPA wanted to know how we can assure the same person is using the computer as long as a session is still active. We had a hypothesis about how to do that, we implemented it and we proved it.”