Using Touchloggers To Build User Profiles Through Machine Learning

Craig Dezangle

Roadmap
- Brief Introduction to Malware
- Two approaches to Touchloggers
- The Research Results
- Random Forest Algorithm
- Questions

Brief Introduction to Malware
- Virus – attached to executable files
- Worms – standalone program that spreads
- Trojan Horses – facilitates unauthorized access to user’s system
- Rootkits – changes OS to give intruder access
- Keyloggers – keeps a log of keys struck

Found Two Research Articles
- Article 1: “TouchLogger: Inferring Keystrokes On Touch Screen From Smartphone Motion” by Liang Cai and Hao Chen
- Article 2: “From keyloggers to touchloggers: Take the rough with the smooth” by D. Damopoulos, G. Kambourakis, S. Gritzalis

TouchLogger: Inferring Keystrokes On Touch Screen From Smartphone Motion
- They sought to determine whether keystrokes could be inferred from gyroscope and accelerometer readings.
- The touchlogger was implemented for the Android operating system.
- Initial results were 70% effective.

Motion of a smart phone
The authors determined that motion during typing depended on factors such as:
- Striking force of hand
- Resistance of supportive hand
- Landing location of typing finger
- Position of supportive hand
The researchers chose to use orientation events to capture motion.

Data collected
Through the touchlogger application they were able to store a record of orientation events consisting of:
- $\alpha$: When the device rotates along the Z-axis (perpendicular to the screen plane), $\alpha$ (azimuth) changes in $[0, 360)$.
- $\beta$: When the device rotates along the X-axis (parallel to the shorter side of the screen), $\beta$ (pitch) changes in $[-180, 180)$.
- $\gamma$: When the device rotates along the Y-axis (parallel to the longer side of the screen), $\gamma$ (roll) changes in $[-90, 90)$.
- $t$: Time of the orientation event
- $L_i$: Label of the key
- $t_i^s$: Starting time of event
- $t_i^e$: Ending time of event

Method
- Discard $\alpha$
- Calculate the motion caused by typing: $\beta_i = \beta_i' - \beta'$, $\gamma_i = \gamma_i' - \gamma'$
- Calculate AUB (Angle of Upper Bisector) and ALB (Angle of Lower Bisector)
- Calculate the mean ($\mu_k^{AUB}$, $\mu_k^{ALB}$) and standard deviation ($\sigma_k^{AUB}$, $\sigma_k^{ALB}$) for each key $k$.

Method Cont. Used:

Method Cont.
- Calculate AU and AL
- Calculate $\mu_k^{AU}$, $\mu_k^{AL}$, $\sigma_k^{AU}$, $\sigma_k^{AL}$
- Determine key probabilities:

Example

From keyloggers to touchloggers: Take the rough with the smooth
- They sought to build a touchlogger that could build user profiles to prevent system intrusion.
- The touchlogger was implemented for iOS.
- Results varied per learning algorithm, but Random Forest in virtually all cases kept intruders out and let in authorized users 99% of the time.

What the iOS touchlogger had to do
- Gain root permissions to be able to hook and override internal OS methods which are responsible for the detection and management of touch events. Accomplished by jailbreaking.
- Run in the background of the OS and constantly track and collect the user’s touch behavior. Required version 4 and above.

Recall, that a touchlogger can be used both defensively and offensively. So, iTL has been designed in line with this goal. It consists of two modules namely iGestureLogger (iGL) and iKeylogger (iKL). The first one is responsible to track every touch event or gesture happening on the device’s display in an effort to collect enough data to build the user’s profile for use by, say, an IDS. The other, tries to identify touch events that occur inside the area of a pre-defined soft keyboard. Then, it attempts to translate every touch to the corresponding (actual) key. If not, the corresponding touch event is discarded. These two modules are depicted in Fig. 1 (as (d) and (e) respectively) and as we can observe, they trigger different methods but one. Also note that these modules can operate either in tandem or independently.

Methodology
- For the experiment they logged touch events of eighteen participants aged 22 to 36 in order to build user profiles.
- Every 24 hours the application would send data to the server for profile building.
- The analysis was performed on a laptop with a 2.53 GHz Intel Core 2 Duo T7200 CPU and 8 GB of RAM running OS X Mountain Lion.
- The experiments were carried out using the Waikato Environment for Knowledge Analysis.
- Applied four different machine learning techniques: Random Forest, Bayesian Networks, KNN, RBF

Results

Random Forest Algorithm
- Is used for classification and regression.
- Relies upon the use of many decision trees.
- Accuracy and variable importance are part of the results.
- Splits data into two categories:
  - Training set is used to estimate error (1/3 of data)
  - Test set is used to determine results (2/3 of data)
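As an added illustration (not code from the slides or from either paper), the sketch below shows the defensive use described above: a bagged ensemble of one-split trees votes on whether a session's touch behavior matches the owner's profile, and the result is reported as false accept and false reject rates. The two features, their values and the 60/30 hold-out split are constructed assumptions, and the one-split trees are a simplification of a real Random Forest such as WEKA's.

```python
import random

def make_sessions(rng, n, dur_mean, swipe_mean):
    # Constructed data: one (mean touch duration in ms, mean swipe length in px)
    # pair per session. Both features are hypothetical, not the paper's feature set.
    return [(rng.gauss(dur_mean, 10), rng.gauss(swipe_mean, 20)) for _ in range(n)]

def train_stump(rng, owner, intruder):
    # One "tree": bootstrap each class, pick a random feature,
    # and split halfway between the two bootstrap class means.
    f = rng.randrange(2)
    own = [rng.choice(owner)[f] for _ in owner]
    intr = [rng.choice(intruder)[f] for _ in intruder]
    mean_own, mean_intr = sum(own) / len(own), sum(intr) / len(intr)
    # (feature index, threshold, True if the owner's values lie below the threshold)
    return f, (mean_own + mean_intr) / 2, mean_own < mean_intr

def train_forest(rng, owner, intruder, n_trees=25):
    return [train_stump(rng, owner, intruder) for _ in range(n_trees)]

def is_owner(forest, session):
    # Majority vote over all trees: does this session look like the owner?
    votes = sum((session[f] < thr) == below for f, thr, below in forest)
    return votes * 2 > len(forest)

def evaluate(seed=7):
    rng = random.Random(seed)
    owner = make_sessions(rng, 90, 120, 300)      # constructed owner behavior
    intruder = make_sessions(rng, 90, 200, 150)   # constructed intruder behavior
    forest = train_forest(rng, owner[:60], intruder[:60])
    # Held-out sessions only: rejected owners and accepted intruders.
    frr = sum(not is_owner(forest, s) for s in owner[60:]) / 30
    far = sum(is_owner(forest, s) for s in intruder[60:]) / 30
    return far, frr

if __name__ == "__main__":
    far, frr = evaluate()
    print(f"false accept rate={far:.2f}  false reject rate={frr:.2f}")
```

An IDS built on such a profile has to track both error rates: false rejects lock out the owner, while false accepts let an intruder through.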

Random Forest Algorithm

Questions
- What are the odds of being infected with a touchlogger?
- Would you want a record of your touch events stored somewhere even if it was to fight intruders?
- Would you install a touchlogger on your child’s phone to monitor activity?

Conclusion
- Brief Introduction to Malware
- Two approaches to Touchloggers
- The Research Results
- Random Forest Algorithm
- Questions

Works Cited
- D. Damopoulos, G. Kambourakis, S. Gritzalis. From keyloggers to touchloggers: Take the rough with the smooth. Computers & Security, Volume 32, February 2013, Pages 102-114.
- Liang Cai and Hao Chen. 2011. TouchLogger: inferring keystrokes on touch screen from smartphone motion. In Proceedings of the 6th USENIX conference on Hot topics in security (HotSec'11). USENIX Association, Berkeley, CA, USA, 9-9.

Works Cited
- F. Livingston. Implementation of Breiman's random forest machine learning algorithm. Machine Learning Journal Paper, Fall 2005.
- DC602028. Android Keylogger – Take Control of what is going on?. DEF-CON, 17 Feb. 2013. Web. 26 Feb 2013.