Behavioural Biometrics for Authentication

Lead Research Organisation: University of Oxford
Department Name: Computer Science

Abstract

The research project aims to investigate the feasibility of using various behavioural biometrics in authentication scenarios. This field of study focuses on establishing uniquely identifying patterns in human activity such as keystroke, mouse and touchscreen dynamics, as well as voice, gait and cognitive behaviour. This is typically a non-invasive method of authentication, as it does not require users to learn how to operate a particular system or remember unique passcodes and phrases. Furthermore, no active steps are required for authentication; rather, it integrates seamlessly with the regular operation of the system. Authentication systems based on behavioural biometrics can often be used as a multifactor safeguard in conjunction with other, more traditional cybersecurity measures. Despite this being a somewhat well-researched area with some apparently successful projects, there are currently few successful commercial systems employing the technology. The goal of the research is to design, develop and test novel systems for authentication based on behavioural biometrics and to close the gap between promising research and practical applications. One example is developing a continuous authentication model based on phone usage patterns such as touchscreen gestures and gyroscope micro-movements in space. Another aspect of the project focuses on identifying problems in past research in the area and some of the reasons it tends to be unsuitable for practical use. For example, the reported sample sizes in some of the studies might not be large enough to accurately represent the population using such systems. Finally, there are unique privacy challenges stemming from the use of highly accurate authentication systems based on behavioural biometrics. One way to maliciously employ this technology is to create unique fingerprints for users, which can then be exploited for tracking behaviour and identity across multiple non-connected systems.
It might also be possible to reveal personal information about users through their behaviour patterns. Gender, age and cultural groups could exhibit specific traits which might be detectable by the technology described above. This project falls within the EPSRC Cybersecurity research area.

Planned Impact

It is part of the nature of Cyber Security - and a key reason for the urgency in developing new research approaches - that it is now a concern of every section of society, and so the successful CDT will have a very broad impact indeed. We will ensure impact for:

* The IT industry; vendors of hardware and software, and within this the IT Security industry;

* High value/high assurance sectors such as banking, bio-medical domains, and critical infrastructure, and more generally the CISO community across many industries;

* The mobile systems community, mobile service providers, handset and platform manufacturers, those developing the technologies of the internet of things, and smart cities;

* The defence sector, MoD/DSTL in particular, defence contractors, and the intelligence community;

* The public sector more generally, in its own activities and in increasingly important electronic engagement with the citizen;

* The not-for-profit sector, education, charities, and NGOs - many of whom work in highly contended contexts, but do not always have access to high-grade cyber defensive skills.

Impact in each of these will be achieved in fresh elaborations of threat and risk models; by developing new fundamental design approaches; through new methods of evaluation, incorporating usability criteria, privacy, and other societal concerns; and by developing prototype and proof-of-concept solutions exhibiting these characteristics. These impacts will retain focus through the way that the educational and research programme is structured - so that the academic and theoretical components are directed towards practical and anticipated problems motivated by the sectors listed here.
