
Advisory Committee Chair

Nitesh Saxena

Advisory Committee Members

Nicolas Christin

Sophie Joerg

Alan Sprague

Chengcui Zhang

Document Type

Dissertation

Date of Award

2016

Degree Name by School

Doctor of Philosophy (PhD) College of Arts and Sciences

Abstract

Authentication is a fundamental security component of many critical applications. It is essential to differentiate a human user from a bot (human-machine authentication) in order to protect against automated mechanisms that attack and abuse the resources of an online entity. Authentication is also essential to differentiate one human user from another (human-human authentication) in order to securely control access to online accounts and computer terminals. Unfortunately, the security and usability requirements of authentication have not been adequately addressed. The current and almost universally deployed techniques, CAPTCHAs for human-machine authentication and passwords or biometrics for human-human authentication, all suffer from numerous well-documented usability and security drawbacks. In this research, we aim to address the security and usability problems of authentication through the use of active user interaction in the authentication process. Active user interaction promises two key advantages. First, it can enhance the security of the authentication process by adopting multiple rounds of active interaction, which serves as a mechanism to protect against several types of attacks, including replay, spoofing and relay attacks. Second, it can enhance the usability of the authentication process by actively engaging the user and eliminating the need for the highly distorted characters and images commonly used in most currently deployed CAPTCHAs, which users may find frustrating. The contribution of this dissertation lies in the realization of interaction-enhanced security approaches that may help in addressing the aforementioned shortcomings of current authentication technologies. In the context of human-machine authentication, we investigate interactive CAPTCHAs. These are interactive games that are easy for humans, but may be hard for a computer, to play successfully. Unlike existing solutions, interactive CAPTCHAs may be easy, fun, suitable for mobile devices, and resilient to both automated and human-solver relay attacks (due to their dynamic and interactive nature). First, we explore a simplistic form of interactive CAPTCHAs (simple moving-object drag-and-drop games) and conduct human factor studies to evaluate their usability and their security against automated and relay attacks. The results show that the developed CAPTCHAs are highly usable and can offer some resilience against relay attacks and facilitate relay attack detection. However, these CAPTCHAs were also found to be vulnerable to different forms of automated attacks based on image processing techniques. Second, we study multiple methods to enhance the security of the proposed interactive CAPTCHAs without undermining their usability and resistance to relay attacks. These include incorporating the notions of emergence, image semantics and image orientation, and combinations thereof. In the realm of human-human authentication, we introduce interactive biometrics based on game-playing patterns and multi-modal behavioral features. As opposed to most existing biometric systems, game biometrics are software-only, non-invasive and potentially very difficult to impersonate. We design and implement an interactive biometrics system based on simple drag-and-drop games to capture the unique user interactions. Our system is built using machine learning techniques and extracts a number of features from each game challenge-solving instance that capture the multiple unique cognitive abilities and the mouse dynamics of the users. We collect data sets in online and lab settings, and show that our system can identify the legitimate users and the zero-effort attackers ("different users") with high accuracy. We evaluate the security of the proposed game biometrics system against external attacks (e.g., device theft) as well as against a new, powerful internal attack framework (malicious code) that can sniff and manipulate touchscreen events. Our analysis suggests that the proposed system can be resistant to these attacks, unlike other existing behavioral biometrics schemes.
