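Abstract: |
With the growing popularity of the mobile internet, more and more users store large amounts of sensitive information on mobile terminals, and protecting the private data and sensitive information on these terminals from unauthorized viewing has become an urgent problem. User identity authentication mechanisms are commonly used to protect private information on mobile terminals, but traditional authentication methods cannot provide continuous protection once the user has passed initial authentication, which leads to privacy leakage. To address this, many user authentication mechanisms based on touch screen behavior have been proposed; however, they typically share the following limitation: their authentication performance is usually confined to one (or a few) types of scenario, or depends on how sparse the operations within a session are. To solve these problems, this paper proposes a feature sampling method that supports multi-attribute association and TouchAuth, an implicit continuous identity authentication mechanism driven by user touch screen behavior. TouchAuth samples user touch screen behavior data to extract behavioral feature information and then uses typical machine learning methods to judge the legitimacy of the touch screen behavior. To improve the stability and accuracy of TouchAuth, we introduce a decision-step mechanism, which determines the user's legitimacy by jointly judging the legitimacy of multiple touch screen behaviors within a decision step. Extensive experiments on a public dataset show that TouchAuth can detect an attacker after the attacker completes only 7 touch screen behaviors as defined in this paper, with an average EER of 11%, which outperforms existing authentication mechanisms. TouchAuth overcomes the shortcomings of earlier touch-screen-behavior-based authentication mechanisms, which were limited to a certain type of scenario or to one (or a few) types of application and could not guarantee authentication performance when in-session operations were sparse. |
Keywords: privacy protection; implicit continuous identity authentication; touch screen behavior |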
DOI:10.19363/J.cnki.cn10-1380/tn.2023.08.10 |
Received: January 26, 2021; Revised: April 27, 2021 |
Funding: This work was supported by the National Key Research and Development Program of China (No. 2019YFB1005200). |
|
TouchAuth: An Implicit Continuous User Identity Authentication Mechanism based on Touch Screen Behavior |
MA Luping, ZHU Dali, ZHANG Shunliang, MA Yuchen, FENG Weimiao, PENG Shumin, ZHANG Zhujun |
Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; University of Chinese Academy of Sciences, Beijing 100049, China; School of Information Engineering, Zhengzhou University, Zhengzhou 450001, China |
Abstract: |
With the increasing popularity of mobile internet, an increasing amount of sensitive data are stored on mobile terminals. Thus, protecting a large amount of private data and sensitive information in mobile terminals from being illegally viewed by others has become an urgent problem to be solved. A user identification authentication mechanism is usually employed for privacy information protection in mobile terminals. However, traditional authentication methods cannot provide continuous protection after the user passes the initial authentication, which leads to privacy leakage. To address this issue, identity authentication schemes have been proposed based on user touchscreen behavior, but their application scenarios often have limitations—the authentication efficiency is often limited to a certain scenario or application, or the authentication efficiency cannot be guaranteed when the operations in the session are sparse. Hence, this paper proposes TouchAuth, a feature sampling method that supports multi-attribute association and an implicit continuous identity authentication mechanism based on user touch screen behavior to overcome the above issues and achieve real-time identity authentication when using mobile terminals. Based on the proposed feature sampling method, TouchAuth samples the user’s touch screen behavior data and judges its legitimacy using typical machine learning approaches. Additionally, we introduce a decision-step mechanism to improve the stability and accuracy of TouchAuth, which determines the users’ legitimacy by comprehensively judging the legitimacy of multiple touchscreen behaviors in the decision steps. Experimental results on a public dataset demonstrate that TouchAuth can detect the attacker with an average EER of 11%, based on data from seven touches, as defined in this paper. 
Moreover, TouchAuth overcomes the problem of authentication efficiency being limited to a certain scenario or application and not guaranteed when the session operations are sparse. |
Key words: privacy protection; implicit continuous identity authentication; touch screen behavior |
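
The abstract describes the decision step only at a high level. The following added example (not the authors' code) assumes the per-touch classifier outputs a legitimacy score and that a decision step averages the last 7 scores; the Gaussian scores are constructed stand-ins for a real classifier. It shows how windowed decisions lower the EER and how many touches pass before a session is locked.

```python
import random

def window_scores(scores, step):
    """Mean of every sliding window of `step` consecutive per-touch scores.
    Mean aggregation is an assumption; the abstract does not state the rule."""
    return [sum(scores[i:i + step]) / step
            for i in range(len(scores) - step + 1)]

def eer(genuine, impostor):
    """Equal error rate: sweep thresholds, accept when score >= threshold,
    and return the error rate where FAR and FRR are closest."""
    best_gap, best_rate = 2.0, 1.0
    for t in sorted(set(genuine) | set(impostor)):
        frr = sum(s < t for s in genuine) / len(genuine)      # owner rejected
        far = sum(s >= t for s in impostor) / len(impostor)   # attacker accepted
        if abs(far - frr) < best_gap:
            best_gap, best_rate = abs(far - frr), (far + frr) / 2
    return best_rate

def touches_until_lock(scores, step, threshold):
    """Number of touches observed before the first decision step whose
    aggregated score falls below `threshold`; None if never locked."""
    for i, mean in enumerate(window_scores(scores, step)):
        if mean < threshold:
            return i + step
    return None

def simulate(step=7, n=400, seed=1):
    """Constructed data: overlapping per-touch score distributions for the
    device owner and an attacker. Returns (per-touch EER, per-step EER)."""
    rng = random.Random(seed)
    owner = [rng.gauss(0.6, 0.2) for _ in range(n)]
    attacker = [rng.gauss(0.4, 0.2) for _ in range(n)]
    return (eer(owner, attacker),
            eer(window_scores(owner, step), window_scores(attacker, step)))

if __name__ == "__main__":
    single, stepped = simulate()
    print(f"per-touch EER: {single:.3f}  decision-step EER: {stepped:.3f}")
    print("touches until lock:", touches_until_lock([0.3] * 10, 7, 0.5))
```

A larger decision step trades detection latency for stability: the attacker gets at least `step` touches before any decision can be made.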