Title: Behavior-based User Authentication

-------------------------------------------------------------------------------------------

(1) the complete title of one (or more) paper(s) published in the open literature describing the work that the author claims describes a human-competitive result,

1. A Hybrid GA-PSO Fuzzy System for User Identification on Smart Phones
2. Keystroke-based User Identification on Smart Phones

-------------------------------------------------------------------------------------------

(2) the name, complete physical mailing address, e-mail address, and phone number of EACH author of EACH paper,

Name: Muhammad Shahzad
Physical address: Next Generation Intelligent Networks Research Center, National University of Computer & Emerging Sciences, A.K. Brohi Road, Sector H-11/4, Islamabad, Pakistan
Email: muhammad.shahzad@nexginrc.org
Tel: +92 51 111 128 128 (Ext. 190)

Name: Saira Zahid
Physical address: Next Generation Intelligent Networks Research Center, National University of Computer & Emerging Sciences, A.K. Brohi Road, Sector H-11/4, Islamabad, Pakistan
Email: saira.zahid@nexginrc.org
Tel: +92 51 111 128 128 (Ext. 190)

Name: Muddassar Farooq
Physical address: Next Generation Intelligent Networks Research Center, National University of Computer & Emerging Sciences, A.K. Brohi Road, Sector H-11/4, Islamabad, Pakistan
Email: muddassar.farooq@nexginrc.org
Tel: +92 51 111 128 128 (Ext. 206)

Name: Syed Ali Khayam
Physical address: School of Electrical Engineering & Computer Science (SEECS), National University of Sciences & Technology (NUST), Sector H-12, Islamabad 44000, Pakistan
Email: ali.khayam@seecs.edu.pk
Tel: +92 51 908 52257

-------------------------------------------------------------------------------------------

(3) the name of the corresponding author (i.e., the author to whom notices will be sent concerning the competition),

Muhammad Shahzad (muhammad.shahzad@nexginrc.org)

-------------------------------------------------------------------------------------------

(4) the abstract of the paper(s),

Title: A Hybrid GA-PSO Fuzzy System for User Identification on Smart Phones

Abstract: The major contribution of this paper is a hybrid GA-PSO fuzzy user identification system, UGuard, for smart phones. Our system takes 3 phone usage features as input to identify a user or an imposter. We show that these phone usage features for different users are diffused; therefore, we justify the need for a front-end fuzzy classifier for them. We further show that the fuzzy classifier must be optimized using a back-end online dynamic optimizer. The dynamic optimizer is a hybrid of Particle Swarm Optimizer (PSO) and Genetic Algorithm (GA). We have collected phone usage data of 10 real users having Symbian smart phones for 8 days. We evaluate our UGuard system on this dataset. The results of our experiments show that UGuard provides on average an error rate of 2% or less. We also compared our system with four classical classifiers (Naive Bayes, Back Propagation Neural Networks, J48 Decision Tree, and Fuzzy System) and three evolutionary schemes (fuzzy system optimized by ACO, PSO, and GA). To the best of our knowledge, the current work is the first system that has achieved such a small error rate. Moreover, the system is simple and efficient and can therefore be deployed on real-world smart phones.
Title: Keystroke-based User Identification on Smart Phones

Abstract: Smart phones are now being used to store users' identities and sensitive information/data. Therefore, it is important to authenticate legitimate users of a smart phone and to block imposters. In this paper, we demonstrate that keystroke dynamics of a smart phone user can be translated into a viable feature set for accurate user identification. To this end, we collect and analyze keystroke data of 25 diverse smart phone users. Based on this analysis, we select six distinguishing keystroke features that can be used for user identification. We show that these keystroke features for different users are diffused and therefore a fuzzy classifier is well-suited to cluster and classify them. We then optimize the front-end fuzzy classifier using Particle Swarm Optimizer (PSO) and Genetic Algorithm (GA) as back-end dynamic optimizers to adapt to variations in usage patterns. Finally, we provide a novel keystroke-dynamics-based PIN verification mode to ensure information security on smart phones. The results of our experiments show that the proposed user identification system has an average error rate of 2% after the detection mode, and the error rate of rejecting legitimate users drops to zero after the PIN verification mode. We also compare error rates (in terms of detecting both legitimate users and imposters) of our proposed classifier with 5 existing state-of-the-art techniques for user identification on desktop computers. Our results show that the proposed technique consistently and considerably outperforms existing schemes.
-------------------------------------------------------------------------------------------

(5) a list containing one or more of the eight letters (A, B, C, D, E, F, G, or H) that correspond to the criteria (see above) that the author claims that the work satisfies,

A, E, F, G

-------------------------------------------------------------------------------------------

(6) a statement stating why the result satisfies the criteria that the contestant claims (see the examples below as a guide to aid in constructing this part of the submission),

User authentication has remained an important area of computer security research since the dawn of computing devices. Researchers are always on the lookout for novel, efficient and accurate user identification schemes which are resilient to intelligent evasion schemes. Most of the current paradigms for user authentication fall into one of three categories:

(a) "What they know?" Using passwords is an example of this paradigm. The major drawback of this scheme is that once an imposter hacks the password, he gets unrestricted access to the complete information protected by the password.

(b) "What they have?" In hotels, the door of a room is opened by scanning a special card issued to the lodger. An ATM card is another relevant example. The major drawback of this scheme is that the information is breached as soon as the card is stolen.

(c) "Who they are?" The systems utilizing this paradigm use different biometric techniques -- fingerprint scanning, for instance -- to identify a legitimate user. These systems are computationally complex, thereby making them inappropriate for resource-constrained devices. Moreover, it is now possible to bypass these systems using fake fingerprints made from ballistic gel.

To overcome the above limitations of contemporary user identification systems, we have developed a user authentication scheme on a relatively less known paradigm -- "How they use it?".
The technology is suited for both desktop and emerging mobile devices because it does not require additional hardware resources. Industry pundits estimate that the emerging smart phones will replace laptops in our new on-the-move collaborative work environments. Therefore, it is relevant to protect a user's identification and data on these resource-constrained devices. Our system -- using the "How they use it?" paradigm -- identifies the legitimate user on two sets of features:

(1) The first feature set models the mobile phone usage pattern of a user, including, but not limited to, the duration of his calls, the number of short messages (SMS) sent and their length, and the camera usage frequency. Once the system is trained, it enters the monitoring mode, in which it periodically identifies anomalies in the above feature set to identify a malicious user.

(2) The second feature set is biometric and includes a number of keystroke dynamics of a user, such as key hold times, inter-key latencies, and error rates in typing. Our system learns the normal typing pattern of the legitimate user and, once trained, it keeps on monitoring the typing pattern of a user. As a result, the system can raise an alarm in case anomalies in the keystroke usage behavior are detected. If the typing pattern varies from normal, the system blocks the device.

To the best of our knowledge, the first feature set has been used for the first time to identify a user on mobile phones. Keystroke dynamics has been an active area of research in the desktop domain but has never been deployed because the best systems have over 10% error rates, which is simply not acceptable for real-world deployment. (On the dataset of mobile phones, the error rates of these systems were 20-30%.) The other important contribution of the paper is to use a fuzzy classifier that is optimized through a hybrid of PSO and GA algorithms for accurate user identification on smart phones.
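As an added illustration of the keystroke feature set described above (this is not code from either paper), the following Python extracts key hold times, inter-key latencies and a typing error rate from press/release events, builds a profile of the legitimate user from enrolment sessions, and flags a session that deviates from that profile. All timings, the BKSP marker for a correction, and the z-score threshold are assumptions; the threshold is a deliberate simplification standing in for the fuzzy GA-PSO classifier.

```python
from statistics import mean, pstdev

# Key events as (key, press_ms, release_ms). Every session below is
# constructed for this illustration; none of it is data from the papers.
ENROLL = [
    [("p", 0, 95), ("i", 150, 240), ("n", 300, 390), ("1", 450, 540)],
    [("p", 0, 100), ("i", 160, 250), ("n", 310, 400), ("1", 470, 560)],
    [("p", 0, 90), ("i", 140, 235), ("n", 295, 385), ("BKSP", 430, 500), ("1", 560, 650)],
]
# Same PIN, but with much longer holds and latencies and an extra correction.
IMPOSTER = [("p", 0, 210), ("i", 520, 700), ("BKSP", 900, 1050), ("i", 1200, 1400),
            ("n", 1700, 1880), ("1", 2200, 2400)]

# Per-feature floor on the standard deviation, so a near-constant feature in a
# small enrolment set does not flag on tiny noise (assumed values).
SIGMA_FLOOR = (5.0, 5.0, 0.05)


def extract_features(events):
    """Return (mean hold time, mean inter-key latency, error rate) for one session."""
    holds = [rel - prs for _, prs, rel in events]
    # Inter-key latency: gap between releasing one key and pressing the next.
    flights = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    # Error rate: share of keystrokes that were corrections (BKSP is assumed).
    errors = sum(1 for k, _, _ in events if k == "BKSP") / len(events)
    return (mean(holds), mean(flights) if flights else 0.0, errors)


def build_profile(sessions):
    """Per-feature (mean, std deviation) over the legitimate user's sessions."""
    columns = list(zip(*(extract_features(s) for s in sessions)))
    return [(mean(col), pstdev(col)) for col in columns]


def max_deviation(profile, events):
    """Largest per-feature z-score of a session against the profile."""
    feats = extract_features(events)
    return max(abs(x - mu) / max(sigma, floor)
               for (mu, sigma), x, floor in zip(profile, feats, SIGMA_FLOOR))


def is_anomalous(profile, events, max_z=3.0):
    """Monitoring-mode decision: block when any feature drifts beyond max_z."""
    return max_deviation(profile, events) > max_z


if __name__ == "__main__":
    profile = build_profile(ENROLL)
    for session in ENROLL:
        print("legitimate session flagged:", is_anomalous(profile, session))
    print("imposter session flagged:", is_anomalous(profile, IMPOSTER))
```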
We tested all classifiers on a real-world dataset of 25 users, and our proposed system -- using both feature sets -- provided less than 2% error rates, which is a significant leap in biometrics-based user identification systems. Due to its dramatic accuracy dividends, our proposed solution has been accepted in the best security conference -- International Symposium on Recent Advances in Intrusion Detection (RAID) 2009 -- with excellent feedback from the domain experts. We believe that the system has significant commercialization potential in the lucrative, yet relatively open, smart phone security and user authentication markets.

-------------------------------------------------------------------------------------------

(7) a full citation of the paper (that is, author names; publication date; name of journal, conference, technical report, thesis, book, or book chapter; name of editors, if applicable, of the journal or edited book; publisher name; publisher city; page numbers, if applicable);

Muhammad Shahzad, Saira Zahid, Muddassar Farooq, "A Hybrid GA-PSO Fuzzy System for User Identification on Smart Phones", Genetic and Evolutionary Computation Conference (GECCO), July 2009, Montreal, Canada. (In Press)

Saira Zahid, Muhammad Shahzad, Syed Ali Khayam, Muddassar Farooq, "Keystroke-based User Identification on Smart Phones", 12th International Symposium on Recent Advances in Intrusion Detection (RAID), Sept 2009, Brittany, France. (In Press)

-------------------------------------------------------------------------------------------

(8) a statement either that "any prize money, if any, is to be divided equally among the co-authors" OR a specific percentage breakdown as to how the prize money, if any, is to be divided among the co-authors.

Any prize money, if any, will be divided equally among the co-authors.
-------------------------------------------------------------------------------------------

(9) a statement stating why the judges should consider the entry as "best" in comparison to other entries that may also be "human-competitive."

We have proposed, developed and evaluated a novel bio-inspired user identification system for mobile phones that takes into account the usage pattern and keystroke dynamics of a user. As a result, the users are continuously monitored even after they have successfully logged into the system. The feature set and bio-inspired classifiers used in the system provide less than 2% error rates, as opposed to 15% or more error rates of existing classifiers. Furthermore, due to its use of bio-inspired classification algorithms, the system is lightweight (can be deployed on resource-constrained mobile devices) and adaptive (can track and learn changing user behavior). To evade the proposed system, even if an imposter hacks the password, he/she will have to type it with the same keystroke dynamics as those of the original user -- our experiments show that this is almost impossible to do in three attempts. To the best of our knowledge, no other behavior-based user identification system in the research or commercial domains can provide an accuracy that is comparable to the proposed system.

We believe that our proposed system can be used as a foundation to develop the following applications: (1) parents can monitor the activities of their minor children who have mobile phones, (2) employers can enforce security policies on mobile phones and detect their misuse, and (3) the system acts as a last line of defence once an imposter has successfully breached all security walls.

The project has attracted the attention of the National ICT R&D Fund of the Ministry of IT, Government of Pakistan, which provided funding of US$250,000 for the project (http://www.ictrdf.org.pk/fp-isk.htm), (http://isk.nexginrc.org). Moreover, research papers based on this work have been accepted by bio-inspired (ACM GECCO'09) and security (RAID'09) domain experts.