Leveraging Personal Knowledge for Robust Authentication Systems

1
Leveraging Personal Knowledge for Robust
Authentication Systems

• Mentor Danfeng Yao
• Anitra Babic
• Chestnut Hill College
• Computer Science Department

2
Background

• A secret question is the question that will
  often times be asked as a secondary
  authentication question
• Examples include
• What is your pers name?
• What is your favorite song?
• What was the name of your first school?
• This sort of security has appeared on
• Gmail, Yahoo! Mail, Hotmail, AOL, Facebook

3
Secret Questions Online
4
Negative Results of Secret Questions

• A Microsoft study found that currently
  implemented secret questions are far from
  foolproof
• Focused on top four email providers secret
  questions
• 17 of a users friends could guess the answer on
  first try
• 13 could do it within 5 tries
• 13 are statically guessable
• The study focused on making secret questions
  easier to remember for the user
• Have proposed a multiple questions, printing out
  user answers, among other methods to help users
  remember

Schechter, S, Brush, A. J., Egelman, S
(2008). It's No Secret Measuring the security
and reliability of authentication via 'secret'
questions. 1-16.
5
Goals

• A more challenging approach to authentication
  through the use of the users personal knowledge
• To create a series of questions to identify the
  user from an invisible/bot intruder or malicious
  user
• Bot - a compromised machine which acts
  autonomously
• To identify human users from bots by utilizing
  human interaction with their machines
• To use the findings from previous studies to
  create improved secret questions

6
Characterization Study on Individuals Web Usage
Patterns

• A statistical and temporal analysis on 500 users
  4-month long HTTP port 80 trace at Rutgers was
  preformed
• Found that Users tend to visit the same IPs

Xiong, H, Yao, D (2008). Towards Personalized
Security Analysis of Individual Usage Patterns
in Organizational Wireless Networks .
7
Users Traffic Recognition Ability

• Experiment methodology
• While a users surfing, inject arbitrary traffic
• Ask user to classify traffic as own or bot
• 7 users, 10-minute sessions
• Findings
• lt1 false negative rate - injected bot URLs are
  easily detected by users
• 40 false positive rate - tend to classify
  unknown URLs as malicious
• 91 false positives are due to third-party
  content

Xiong, H, Yao, D (2008). Towards Personalized
Security Analysis of Individual Usage Patterns
in Organizational Wireless Networks .
8
Approach

• We plan on developing questions that are based
  off of user activities
• Network Activities
• Browsing History, Emails
• Physical Events
• Planned Meetings, Calendar Items
• Conceptual Opinions
• Opinions as derived from emails, still conceptual
  
• These questions will be generated and then
  replace the less secure secret questions

9
Process

• Plan to develop a novel approach to secret
  questions because the areas we are focusing on
• Are dynamic, personal, and have less
  vulnerabilities
• Plan
• Develop Questions
• Find out the security of them through a user
  study
• Solicit Help from SurveyMonkey
• Use a Parallel Attack Model