TouchAuth：基于触屏行为的隐式持续用户身份认证机制

马璐萍; 朱大立; 张顺亮; 马宇晨; 冯维淼; 彭淑敏; 张珠君

引用本文：

马璐萍,朱大立,张顺亮,马宇晨,冯维淼,彭淑敏,张珠君.TouchAuth：基于触屏行为的隐式持续用户身份认证机制[J].信息安全学报,已采用 [点击复制]
Ma Luping,Zhu Dali,Zhang Shunliang,Ma Yuchen,Feng Weimiao,Peng Shumin,Zhang zhujun.TouchAuth：An Implicit Continuous User Identity Au-thentication Mechanism based on Touch Screen Behavior[J].Journal of Cyber Security,Accept [点击复制]

本文已被：浏览 2965次下载 1540次
TouchAuth：基于触屏行为的隐式持续用户身份认证机制
马璐萍^1,2, 朱大立¹, 张顺亮¹, 马宇晨³, 冯维淼¹, 彭淑敏⁴, 张珠君^1,2
0 字体:加大+\|默认\|缩小-
(1.中国科学院信息工程研究所;2.中国科学院大学网络空间安全学院;3.中国科学院大学网络安全学院;4.郑州大学信息工程学院)

摘要:

随着移动互联网的日益普及，保护移动终端中的大量隐私数据和敏感信息不被他人非法查看已成为亟待解决的问题。用户身份认证机制通常被用于移动终端中的隐私信息保护。但传统的身份验证方法在用户通过初始身份验证后不能提供持续的保护从而导致隐私泄露。本文提出了一种支持多属性关联的特征采样方法及基于用户触屏行为驱动的隐式持续身份认证机制TouchAuth。TouchAuth对用户触屏行为数据进行采样以提取用户行为特征信息，然后采用典型的机器学习方法判断用户触屏行为的合法性。为提高 TouchAuth的稳定性和准确性，我们引入了决策步长机制，通过综合判断决策步长内多个触屏行为的合法性来确定用户合法性。基于公开数据集合的大量实验结果表明：攻击者仅完成7次本文定义的触屏行为就可以被TouchAuth检测到，平均EER为10.1%，这优于现有身份认证机制。TouchAuth克服了以往基于用户触屏行为进行身份认证的机制局限于某一类场景或某一类（几类）应用程序，以及会话内操作稀疏时身份认证效果无法保证的缺陷。

关键词: 隐私保护隐式持续身份认证触屏行为

DOI：10.19363/J.cnki.cn10-1380/tn.2023.08.10

投稿时间：2021-01-26修订日期：2021-04-27

基金项目:

TouchAuth：An Implicit Continuous User Identity Au-thentication Mechanism based on Touch Screen Behavior

Abstract:

With the increasing popularity of mobile terminals, it has become an urgent problem to protect private data and sensitive information in mobile terminals from being illegally viewed by others. User identification authentication mechanism is usually used for privacy information protection in mobile terminals. However, the traditional authentication methods cannot provide continuous protection after the user passes the initial authentication, which leads to privacy leakage. This paper proposes an implicit continuous identity authentication mechanism--TouchAuth. Based on the feature sampling method proposed in this paper, TouchAuth samples the user''s touch screen behavior data and judges its legitimacy by employing typical machine learning approaches. To improve the stability and accuracy of TouchAuth, we introduce the decision steps mechanism, which determines the legitimacy of users by comprehensively judging the legitimacy of multi-ple touch screen behaviors in the decision steps. The experimental results on the public data set show that TouchAuth can detect the attacker with an average EER of 10.1%, based on data from seven touches as defined in this paper. Moreover, TouchAuth overcomes the following problems: firstly, the authentication efficiency is limited to a certain kind of scenario or application. Secondly, the authentication efficiency cannot be guaranteed when the operations in the session are sparse.

Key words: privacy protection implicit continuous identity authentication