On the Security of Picture Gesture Authentication Ziming Zhao †‡, Gail-Joon Ahn †‡, Jeong-Jin Seo †, Hongxin Hu § † Arizona State University ‡ GFS Technology.

Slides:



Advertisements
Similar presentations
A Unified Framework for Context Assisted Face Clustering
Advertisements

ECE 5367 – Presentation Prepared by: Adnan Khan Pulin Patel
Patch to the Future: Unsupervised Visual Prediction
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Facial feature localization Presented by: Harvest Jang Spring 2002.
Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science © Matt.
Region labelling Giving a region a name. Image Processing and Computer Vision: 62 Introduction Region detection isolated regions Region description properties.
Advanced Computer Vision Introduction Goal and objectives To introduce the fundamental problems of computer vision. To introduce the main concepts and.
Leveraging Personal Knowledge for Robust Authentication Systems Mentor: Danfeng Yao Anitra Babic Chestnut Hill College Computer Science Department.
Building Robust and Automatic Authentication Systems with Activity- Based Personal Questions Mentor: Danfeng Yao Anitra Babic Chestnut Hill College Computer.
Password Management Strategies for Online Accounts Gaw & Felten Optional Reading.
Extracting Interest Tags from Twitter User Biographies Ying Ding, Jing Jiang School of Information Systems Singapore Management University AIRS 2014, Kuching,
Authentication for Humans Rachna Dhamija SIMS, UC Berkeley DIMACS Workshop on Usable Privacy and Security Software July 7, 2004.
Jacinto C. Nascimento, Member, IEEE, and Jorge S. Marques
HumanAUT Secure Human Identification Protocols Adam Bender Avrim Blum Manuel Blum Nick Hopper The ALADDIN Center Carnegie Mellon University.
All about me slideshow Insert your name.
Vision-Based Biometric Authentication System by Padraic o hIarnain Final Year Project Presentation.
A Study of Computational and Human Strategies in Revelation Games 1 Noam Peled, 2 Kobi Gal, 1 Sarit Kraus 1 Bar-Ilan university, Israel. 2 Ben-Gurion university,
Healthy Body Image. Find a partner. With your partner write down what you think it means to like and accept your body.
Pseudorandom Number Generators. Randomness and Security Many cryptographic protocols require the parties to generate random numbers. All the hashing algorithms.
Wang, Z., et al. Presented by: Kayla Henneman October 27, 2014 WHO IS HERE: LOCATION AWARE FACE RECOGNITION.
CSC 386 – Computer Security Scott Heggen. Agenda Authentication.
E XPLORING USABILITY EFFECTS OF INCREASING SECURITY IN CLICK - BASED GRAPHICAL PASSWORDS Elizabeth StobertElizabeth Stobert, Alain Forget, Sonia Chiasson,
Multiple Password Interference in text Passwords and click based Graphical Passwords by Sonia Chiasson, Alian Forget, Elizabeth Stobert, PC van Oorschot.
Multimedia Specification Design and Production 2013 / Semester 2 / week 8 Lecturer: Dr. Nikos Gazepidis
Prakash Chockalingam Clemson University Non-Rigid Multi-Modal Object Tracking Using Gaussian Mixture Models Committee Members Dr Stan Birchfield (chair)
Honors Advanced Algebra Presentation 1-3 SAMPLING METHODS.
CIS 450 – Network Security Chapter 8 – Password Security.
ZOOBURST CHRISTINA LAMAN WHAT IS ZOOBURST? A digital storytelling tool that allows you to create 3-D pop up books. Allows children of.
Process by which a system verifies the identity of a user wishes to access it. Authentication is essential for effective security.
Passwords. Outline Objective Authentication How/Where Passwords are Used Why Password Development is Important Guidelines for Developing Passwords Summary.
Password Management Strategies for Online Accounts Shirley Gaw, Edward W. Felten Princeton University.
Chapter 1 Getting Started. 2Practical PC 5 th Edition Chapter 1 Getting Started In this Chapter, you will learn: − How to power up the computer − About.
Longitude Usability Study Final Presentation Amir Malik Fiel Guhit Viet Pham Sabel Braganza.
A Novel Local Patch Framework for Fixing Supervised Learning Models Yilei Wang 1, Bingzheng Wei 2, Jun Yan 2, Yang Hu 2, Zhi-Hong Deng 1, Zheng Chen 2.
User Friendly Passwords Nicole Longworth Michael Shoppell RJ Brown.
C. Lawrence Zitnick Microsoft Research, Redmond Devi Parikh Virginia Tech Bringing Semantics Into Focus Using Visual.
Face Detection Ying Wu Electrical and Computer Engineering Northwestern University, Evanston, IL
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
MEMBERSHIP AND IDENTITY Active server pages (ASP.NET) 1 Chapter-4.
Microsoft Management Seminar Series SMS 2003 Change Management.
CVPR2013 Poster Detecting and Naming Actors in Movies using Generative Appearance Models.
WEBSITES AND ADDRESS RELATIONSHIP By: Nahed Alnahash Dr. Wenjin Zhou.
Measuring Real-World Accuracies and Biases in Modeling Password Guessability Segreti. et al. Usenix Security 2015.
Face Image-Based Gender Recognition Using Complex-Valued Neural Network Instructor :Dr. Dong-Chul Kim Indrani Gorripati.
Iasonas Polakis, Panagiotis Ilia, Federico Maggi, Marco Lancini, Georgios Kontaxis, Stefano Zanero, Sotiris Ioannidis, and Angelos D. Keromytis. In Proceedings.
Typing Pattern Authentication Techniques 3 rd Quarter Luke Knepper.
Final Year Project Vision based biometric authentication system By Padraic ó hIarnain.
Power Point by: Marc Prenger. The Society of Mind is broken up into 30 chapters. Each of these chapters is broken up into subsections. As stated in the.
This work is licensed under a Creative Commons 3.0 Attribution License 1 Wikispaces for Teachers A Guide to Using Them in Your Classroom.
Combining Evolutionary Information Extracted From Frequency Profiles With Sequence-based Kernels For Protein Remote Homology Detection Name: ZhuFangzhi.
Identifying “Best Bet” Web Search Results by Mining Past User Behavior Author: Eugene Agichtein, Zijian Zheng (Microsoft Research) Source: KDD2006 Reporter:
A Framework to Predict the Quality of Answers with Non-Textual Features Jiwoon Jeon, W. Bruce Croft(University of Massachusetts-Amherst) Joon Ho Lee (Soongsil.
Single Sign-on with stoneware Presented by:. Access Stoneware Visit the district home page. In the main menu, hover over LCS Employees and choose Stoneware.
Face Recognition Technology By Catherine jenni christy.M.sc.
Computer Security Set of slides 8 Dr Alexei Vernitski.
Digital Citizenship Unit 2 Lesson 1: Strong Passwords
Dove science academy Cyber Club
Chapter 1 Getting Started
LECTURE 01: Introduction to Algorithms and Basic Linux Computing
3.6 Fundamentals of cyber security
COMP61011 : Machine Learning Ensemble Models
When Security Games Go Green
DOVE SCIENCE ACADEMY CYBER CLUB
Expandable Group Identification in Spreadsheets
BASEAL Relationships - 1
Movie Recommendation System
Andrew can talk with Kids!
My.
Presentation transcript:

On the Security of Picture Gesture Authentication Ziming Zhao †‡, Gail-Joon Ahn †‡, Jeong-Jin Seo †, Hongxin Hu § † Arizona State University ‡ GFS Technology § Delaware State University

Picture Gesture Authentication (PGA) A b uilt-in feature in Microsoft Windows 8 60 million Windows 8 licenses have been sold 400 million computers and tablets will run Windows 8 in one year 2

How PGA Works 3 Autonomous picture selection by users Three types of gestures are allowed Tap Circle Line

Research Questions 4 1.How to understand user-choice patterns in PGA? Background Pictures Gesture Location Gesture Type Gesture Order 2.How to use these patterns to guess PGA password?

Outline 5 Part 1: Analysis of more than 10,000 PGA passwords collected from user studies Part 2: A fully automated attack framework on PGA Part 3: Attack results on collected passwords

Part 1: User Studies 6 1.Web-based PGA system Similarity to Windows PGA Workflow Appearance 2.Data collection 3.Analysis: survey and results

7 Dataset-1 ASU undergraduate computer security class (Fall 2012) 56 participants 58 unique pictures 86 passwords 2,536 login attempts Part 1: User Studies

8 Dataset-2 Scenario: The password is used to protect your bank account Amazon MTurk 15 pictures selected in advance 762 participants 10,039 passwords Part 1: User Studies

9 Survey questions General information of the subject General feeling towards PGA How she/he selects a background picture How she/he selects a password Part 1: User Studies

10 Part 1: User-choice Patterns Background Picture Dataset-1 Dataset-2 Survey People, Civilization, Landscape, Computer-generated, Animal, Others

Advocates: i)it is more friendly ‘ The image was special to me so I enjoy seeing it when I log in ’ ii)it is easier for remembering passwords ‘ Marking points on a person is easier to remember ’ iii)it makes password more secure ‘ The picture is personal so it should be much harder for someone to guess the password ’ Others: i)leak his or her identify or privacy ‘ revealing myself or my family to anyone who picks up the device ’ 11 Part 1: User-choice Patterns Why or why not picture of people

12 Part 1: User-choice Patterns Background Picture Dataset-1 Dataset-2 Survey People, Civilization, Landscape, Computer-generated, Animal, Others

Dataset-1 population characteristics: 81.8% Male 63.6% Age 18-24, 24.0% Age % College students Survey answers: ‘ computer game is something I am interested [in] it ’ ‘ computer games picture is personalized to my interests and enjoyable to look at ’ 13 Part 1: User-choice Patterns Why computer-generated pictures The background picture tells much about the user's identity, personality and interests.

Dataset-1Dateset-2 I try to find locations where special objects are.72.7%59.6% I try to find locations where some special shapes are. 24.2%21.9% I try to find locations where colors are different from their surroundings. 0%8.7% I randomly choose a location to draw without thinking about the background picture. 3.0%10.1% Which of the following best describes what you are considering when you choose locations to perform gestures? 14 Part 1: User-choice Patterns Gesture Locations Most users tend to draw passwords on Points-of-Interest (PoIs) in the background picture.

15 Part 1: User-choice Patterns Gesture Locations (Picture of People) Attributes# Gesture# Password# Subject Eye36 (38.7%)20 (64.5%)19 (86.3%) Nose21 (22.5%)13 (48.1%)10 (45.4%) Hand/Finger6 (6.4%)5 (18.5%)4 (18.2%) Jaw5 (5.3%)3 (11.1%)3 (13.7%) Face4 (4.3%)2 (7.4%)2 (9.1%) Dataset-1 22 subjects uploaded 27 pictures of people 31 passwords (93 gestures)

16 Part 1: User-choice Patterns Gesture Locations (Civilization) Dataset-1 Two versions of Starry Night uploaded by two participants Gesture 1: Tap a star Gesture 2: Tap a star Gesture 3: Tap a star Gesture 1: Tap a star Gesture 2: Tap a star Gesture 3: Tap a star Users have the tendencies to choose PoIs with the same attributes to draw on.

17 Part 1: User-choice Patterns Windows PGA Advertisements Asia South America Europe Circle an eye Circle an ear Line an arm Circle a head Line an arm Circle a head

18 To generate dictionaries that have potential passwords Picture-specific dictionary Rank passwords with likelihood Work on previously unseen pictures Our approach Automatically learns user-choices patterns in the training pictures and corresponding passwords Then applies these patterns to the target picture for dictionary generation Part 2: Attack Framework

19 Selection function Models the password creating process that users go through Takes two types of parameters Gesture type, such as tap, circle, line PoI attribute, such as face, eye, … Generates a group of gestures Part 2: Attack Framework Selection Function

20 Part 2: Attack Framework Selection Function (Examples) s(circle, face) Circle a face in the picture s(line, nose, nose) Line a nose to another nose in the picture s(tap, nose) Tap a nose in the picture s : {tap,circle,line} x PoI Attributes *

21 Part 2: Attack Framework Extract Selection Functions PasswordPoints-of-Interest Function 1: s(, )Function 2: s(line, nose, nose)Function 3: s(tap, nose) circle face

22 Part 2: Attack Framework Apply Selection Functions Function 1: s(circle, face) Output: 4 gestures Function 2: s(line, nose, nose) Output: 12 gestures Function 3: s(tap, nose) Output: 4 gestures Number of potential passwords: 4×12×4 = 192

23 Part 2: Attack Framework Rank Selection Functions 1.BestCover algorithm Derived from emts (Zhang et al., CCS’10) Optimizes guessing order for passwords in the training dataset 2.Unbiased algorithm Reduces the biased Points-of-Interest distributions in the training set

24 Part 3: Attack Results Automatically Identify PoIs OpenCV as the computer vision framework Object detection Face, eye, nose, mouth, ear, body Low-level feature detection Circle Color Objectness measure: Alexe et al. (TPAMI’12) Other standout regions

PoIs of Dataset-1 Identified by OpenCV 40 PoIs at most PoIs of Dataset-2 Manually labeled 15 PoIs at most PoIs of Dataset-2 Identified by OpenCV 40 PoIs at most 25 Part 3: Attack Results Points-of-Interest Sets

26 Part 3: Attack Results Methodology Guessability on passwords of previously unseen pictures Dictionary size: 2^19 = 524,288

27 Part 3: Attack Results Dateset-1 vs. Dateset-2 More cracked Dataset % Dataset %

28 Part 3: Attack Results BestCover vs. Unbiased (Dataset-2) Unbiased 24.09%BestCover 24.03%Unbiased 23.44% BestCover 13.27% ~9400 training passwords 60 training passwords

29 Part 3: Attack Results Labeled PoI set vs. OpenCV-Identified PoI set Labeled 29.42% Identified 24.03% More cracked

30 Part 3: Attack Results Simple Pictures (Unbiased algorithm) 243.jpg 316.jpg 13 Cracked 39.0% 6,000 guesses 31.2% 30,000 guesses

31 Part 3: Attack Results Portraits (Unbiased algorithm) 1116.jpg 7628.jpg 9 Cracked 29.0% in Total

32 Part 3: Attack Results Complex Picture (Unbiased algorithm) 6412.jpg 10.1%

33 Part 3: Attack Results Online Attacks on Dataset-2 266/10K 94/10K

34 PGA Password Strength Meter BestCover algorithm Generate dictionary and calculate strength in 20 seconds

35 Summary and Future Work We have presented an analysis of user-choice patterns in PGA passwords We have proposed an attack framework on PGA We have evaluated our approach on collected datasets We plan to improve online attack results by integrating shoulder-surfing and smudge attacks into our framework

Thank you! Q & A 36