1.0 Introduction
In recent times, the use of computers for accessing information has increased, and this has simplified our lives in different ways, making it easier for people around the globe to communicate and share information. Because of this growth in computer technology, improved network services that allow the public to access these devices need to be put in place. In general, this advance in knowledge and in the use of modern technology has led to the investigation and unveiling of new threats to computer system security which affect today's organisations.
From the research I have carried out, it has been noticed that most organisations are in search of better means of improving their information security systems, and of cost-effective safeguards against fraud and impersonation. As we all know, data protection is a valuable resource which must be strictly kept, controlled and properly managed in an organisation. In a nutshell, the term security refers to the protection and guarding of a system from unauthorised access, whether intentional or accidental, irrespective of the service provided by the database management system. This work will involve the use of keystroke dynamics as a means of establishing a unique identity, which will be used as an additional measure for enhancing information/data security in an organisation (e.g. banks, institutions, legislative departments, finance houses, production firms etc.). This unique identity will help provide a safeguard for authenticating access to computers by recognising an individual based on his stored features, i.e. mouse movement, keyboard application, typing rhythm etc.
The protection of an information database system at all levels of an organisation has over the years become an essential concern, as a result of the different types of threats and unauthorised advances made by malicious individuals. Over the years many organisations have moved towards the development and adoption of stronger web-based computer controls, because, as I gathered from my research, information and transactions worth fortunes are dealt with on a daily basis and the organisation has to ensure their protection by all means, since any breach of security will lead to fatal destruction of the system. During my research it was noticed that in most organisational applications, access to the information database system was usually restricted through the use of a login ID/password protection scheme. This has been in place for years, and if this scheme is breached by any means, the organisation's information is exposed to any possible fraudulent misuse. During my research work I gathered that hardware-based security managed systems have a positive impact on reducing unauthorised access by imposters.
According to David Zhang and Anil Jain (2006), in their book “Advance biometric”, the acceptance rate is still study dependent and the results indicate that the false acceptance ratio (FAR) is still on the order of 5%, beyond the acceptable risk level of many organizations, considering the costs in terms of hardware and training time. In a nutshell, security and databases play an important role in all areas where computers are used, including business, electronic commerce, engineering, medicine, law, library science and many more fields.
I would like to give a brief definition of what a database is and of the surrounding topics we will deal with as the project work proceeds. Generally, a database can be said to be a store where information is stored, updated and retrieved; it is a very important part of everyday life, and has to be secured from utterances. The term biometric is said to come from the combination of the Greek words ‘Bios’, which means life, and ‘Metrikos’, which means measuring. This technology is the ability to identify an individual based on their unique characteristics, which can be either a physiological (passive) or a behavioural (active) mode of identification.
Over the years it has been noticed that one of the most secure and effective means of authenticating and identifying an individual involves verifying their unique personal characteristics. This is sometimes done in conjunction with a PIN or token (known as multi-factor authentication), or with a user name and password. Properly managing a biometric-secured information database includes registration, storage and verification, which together are known as “Biometric Identity Management”. Research shows that information security is one of the fastest growing areas in the IT world, and its efficiency is to be assured by minimising exposure to external and internal attackers. This is how my research topic, “Enhancing information security using keystroke dynamics (Behavioural Biometrics) as an additional measure in organisations”, was brought to light. This research report is aimed at reviewing information database security systems and the use of keystroke biometrics for security enhancement, reviewing the effective implementation, design and management of information systems in organisations, and protecting them from intruders. It will also clearly highlight the pros and cons of traditional means compared with biometric means of application. I will focus strictly on keystroke biometrics, a human behavioural biometric for which no form of physiological attribute is needed. This study (information security and biometric application) will be placed into the following stages (Nanavati, S., 2002; Von Solms, S.H., 2000):
- Identification and authentication – An individual being identified and authenticated;
- Authorisation – Being authorised to use certain resources;
- Confidentiality – Ensuring confidential information i.e. data or software, stays confidential and accessible only to authorised individuals;
- Integrity – Making sure only authorised individuals can change the content of data or software;
- Non-denial – Ensuring that an individual cannot deny the authorisation of a transaction (e.g. in Banks), like changing the content of data.
The deployment of biometrics and the above stages requires a solid understanding of the technology and of why it is being deployed; its mode of function, performance and accuracy will be looked into and analysed. The choice of which biometric application to use depends highly on the intended application of the system. Some of the biometric applications in existence today are fingerprint, face recognition, hand geometry and iris recognition. Some of these biometric features are applied in areas such as time and attendance systems, voter registration, immigration and border control, access control, computer security and financial firms. This research project will include a practical part, and to achieve its aims successfully the following objectives will be put into consideration.
- Presenting details of biometric applications for information security purposes.
- A comprehensive review of information security threats, breaches and awareness solutions, and a discussion of case studies on their effect on organisational systems.
- Building / implementing a keystroke access database application.
- Critically analysing and evaluating the impact of the designed keystroke-enabled database (pros and cons).
- To conclude on findings and recommendation for future developments of information security system.
1.1 Why the Study and Goals
The scope of this study is to present, review and analyse the problems faced in organisations' information security, and so to create and suggest a means of securing sensitive information from external sources and, mostly, from internal sources. Information gathered in recent times shows that most security breaches and threats in organisations have been linked to internal sources. Here I will recommend a keystroke biometric application for organisations which are known to have a friendly environment between members of staff and in which the ease of sharing personal details is on the high side. I am not saying there are no security measures in organisations to curb these intrusions, but as mentioned earlier most of these leakages are carried out by internal sources, and most organisations make use of a traditional login process (user names and passwords, chip and PIN). As an alternative to password-based authentication, keystroke biometrics can be used either as an additional measure or as a replacement for the traditional method; this can help identify intruders so that access is denied. A special focus will be on keystroke dynamics, where the first goal is to articulate the requirements which these alternative authentication schemes need to satisfy. After reviewing the alternative methods from a security and usability point of view, the result should be an answer to the question of whether or not the presented schemes are capable of being alternatives to password-based authentication mechanisms.
1.2 Related Studies.
In the past and at present, many studies and much research have been carried out on user identification, verification and authentication, with their respective ways of securing information systems. Keystroke dynamics was first introduced in the early 1980s as a method for identifying the individuality of a given sequence of characters entered through a traditional computer keyboard (R. Gaines, W. Lisowski, S. ). Keystroke dynamics originated from studies of the typing patterns exhibited by users when entering text into a computer using a standard keyboard. Research in this field focused on the keystroke pattern in terms of keystroke duration and keystroke latencies. Evidence from preliminary studies indicated that typing patterns were sufficiently unique and easily distinguishable from one another, much like a person's written signature (R. Gaines, W. Lisowski, S., R. Joyce and G. Gupta ). Studies which have been carried out on information security include Arwa Al-Hussain (2008), “Biometric-based Authentication Security”; Saleh Bleha, Charles Slivinsky and Bassam Hussein, “Computer-access security systems using keystroke dynamics”; and R. Joyce and G. Gupta, “User authorization based on keystroke latencies”. Revett, K. and Khan, A. (2005) also carried out research on enhancing login security using keystroke hardening and keyboard griddling. In my research work I will look into all aspects of biometric applications with regard to keystroke dynamics and their suitability for detecting intruders trying to gain access to a database information system.
1.3 Problem Statement
This research attempts the implementation of keystroke biometrics and mouse application as security measures for preventing unauthorised individuals in an organisation from gaining access to sensitive data, and also for preventing password sharing and identity theft from within and outside the organisation. To achieve this, I will look into the different types of biometrics and the added advantage presented by keystroke biometrics in relation to cost and ease of application. Finally, I will not neglect the difficulties that may be encountered on the way to the successful completion of this research, and all necessary steps will be taken to produce a conclusive project work.
1.4 Outline of Dissertation Topics and Organisation
The rest of this paper is organised and subdivided as follows. Chapter 2 focuses in more depth on biometric applications: the benefits of biometrics compared to traditional authentication methods, the advantages and disadvantages of the different identification mechanisms, their challenges and effect on today's society and, finally, the different types of biometrics. Chapter 3 concentrates on information security issues, social engineering and the security solutions presented by biometrics-enhanced systems. Chapter 4 gives an in-depth analysis of keystroke biometrics and its application to information security. Chapter 5 concentrates mainly on the implementation of keystroke biometrics, with a demonstration of its design, application and functions for security enhancement, and an analysis of a user acceptability survey on the application mode. Finally, in chapter 6 I will conclude on the findings and make recommendations for future developments of information security systems.
From my research it has been gathered that access to most organisations' computer systems, which contain various information, is gained by means of authentication and identification. The commonly used security approach to identification and authentication is the “login process”, which involves the user's ID and password. This has been in use for years for verifying a person trying to gain access to a computer information system. Over the years this security approach has been a big problem for most organisations' security management systems, because workers could routinely share passwords with one another, sometimes forget their passwords, or store them in places where they could easily be seen by other people. This has led to security breaches, threats and fraudulent transactions increasing to a disturbing level, and because of this, highly secure identification and personal verification technologies are being searched for. Research has found that biometric authentication can solve some of these problems and so help reduce this growing security threat to a minimal level. Another important aspect of biometrics is its ability to improve the usability of a system, since the person using it does not need to remember his or her password when trying to gain access to the information system. Biometrics, as we know, is not a new discovery to the world at large; it has been in existence through the BC and AD eras, and it is only at present that more attention is being shown towards biometrics and its applications.
2.1 Why Biometrics Applications
The application of biometrics in a security setting gives “ten times” the security of traditional means and is also cost-effective in the long run. Issues relating to identity theft, terrorism and the increase in the general level of crime have also combined to heighten the need for a technology-based security approach (Security Seminar, K. Tracy 1998). Over the years biometric applications have been the recommended solution for information security in many organisational systems; both privately owned and government companies use biometric applications to maintain a secure environment for information sharing and distribution.
Imagine the ability to unlock a door, obtain money from a machine, authenticate a credit card, retrieve information from a system or even start a car with just a glance at a camera or a touch. That is what biometric application is all about, and its uniqueness has helped to improve users' security.
2.2 Introduction to Biometrics
What is biometrics? The word biometrics comes from a combination of two words of Greek origin (bios = “life”, metrikos (metrics) = “measure”). The term “biometrics” has been in existence since the 20th century and was used to refer to the field of development of statistical and mathematical methods applicable to data analysis problems in the biological sciences (Nanavati, S., 2002). In a nutshell, biometrics can be said to be an automated method in science and technology which is used for recognising, measuring and statistically analysing the biological data of an individual. These bio-measurements are based on one's physiological or behavioural characteristics, which can be used to verify the identity of the individual. Examples of biological characteristics include DNA and blood group genes; physical characteristics include fingerprints, eye retinas and irises, facial patterns and hand measurements; and behavioural characteristics include signature, voice, gait and typing patterns (keystroke). One of the most important advantages of biometrics lies in the fact that physical or behavioural traits cannot be transferred to other individuals, nor can they be forgotten (Wikimedia Foundation, Inc., 2006).
2.3 How does biometrics work?
Biometrics can be classified into two main types. The first is “physiological biometrics”, which involves the use of a physical trait, such as a fingerprint, iris, hand or face, for the recognition of an individual. Here the physical traits are collected, then analysed, measured and stored for use. In the case of a fingerprint, it is automated through a numeric encryption of its ridges, splits, dots, valleys, furrows and minutiae points. This encryption is called an algorithm, creating a binary encoded template. The iris is also digitally stored using an algorithm in the same way (Wikimedia Foundation, Inc., 2006).
The other type of biometric solution is “behavioural biometrics”. This mainly involves the use of a person's behavioural trait or pattern, such as voice, signature or keystroke. These traits are stored in the same way as the physiological traits, except that they are updated regularly in order to cope with the ever-changing patterns in the trait. Both types of biometrics are relevant to different situations and circumstances. It has been gathered that physiological biometrics has proved to be more reliable than behavioural biometrics, in the sense that physical traits generally stay the same all the time irrespective of age, while behavioural traits change in situations such as advancement in age, learnt habits or accidental causes.
2.3.1 Mode of biometric operations:
In biometric operations, the device or networked server holds a database of registered users, and when a trait is presented it authorises a search of the database in order to establish a match with the presented trait. In theory the device is asking “Do I know you?” This method of identification is called one-to-many (1:N), according to “www.posid.co.uk”.
The theory here is that the device is asking “Are you who you claim to be?” By presenting a user ID number or a smartcard (containing the biometric algorithm) you claim who you are. In order to prove that this ID number or smartcard belongs to the user, one is requested to present his or her biometric trait directly to the device. You are authorised if they match and denied if they do not match. This method is called one-to-one (1:1) (“www.posid.co.uk”).
In a nutshell, this is the last stage of a biometric system's function: after identification the system searches for a match and then confirms the authentication by requesting a unique feature, and if it matches the stored details you are authorised (Wikimedia Foundation, Inc., 2006).
2.4 Importance Of Biometrics Over Traditional Authentication Methods:-
At present most organisations make use of login passwords, PINs and tokens for verification and authentication when gaining access to their information database systems. These are mainly designed to help protect and secure the organisation's computer information network and its applications. However, in most cases these technologies have been found to have some problems associated with them, mostly when faced with modern technology applications such as online transactions, which could involve accessing sensitive information such as medical reports or financial or income support information. In order to reduce these increasing problems, biometric features are being introduced in some of these computer information application areas. As stated earlier, biometrics is known to be “an automated method of recognizing and identifying an individual based on their physical or behavioural characteristics” (Samir Nanavati, Michael Thieme, Raj Nanavati 2002). Every individual has different biometric characteristics which are unique and peculiar to them; no two persons have or share the same biometric features. Some of the commonly used biometric applications in today's society are facial, fingerprint, iris, hand scan, voice and dynamic signature. Biometric data as a means and method of identification is preferred by organisations because of its several advantages over the traditional method, which have been highlighted earlier in this chapter. Some of the major reasons for preferring bio data for information security systems are that the individual to be identified is required to be physically present during the identification process, and that this identification process does not require a password to be remembered in any form.
With the increasing integration of computers, as well as internet usage, into our day-to-day activities for accessing information, there is a growing need for a more protective method of accessing information systems. This could be done either by replacing PINs (the traditional method) totally with biometrics or by combining both as an effective security measure that prevents unauthorised access to computer information systems. As stated in the previous chapter, one of the biggest issues with the use of PINs or passwords as a security measure is that they can be forgotten; likewise, tokens such as passports and driver's licences may be forged, stolen or lost, which is unlikely with biometric traits. Biometric applications can be used for real-time recognition, and the most popularly used are face, voice, signature, iris and fingerprint (S. Nanavati, M. Thieme, R. Nanavati 2002). Compared with the traditional application, a biometric system is essentially a pattern recognition system which recognises an individual by determining the authenticity of a specific physiological or behavioural characteristic possessed by the person. Several important issues come into play when designing a functional biometric system. All biometric systems consist of three (3) basic elements, which are as follows:
Enrolment: This is the process of collecting biometric samples from an individual; these are captured and stored in a secured template in a central database or on a smart card issued to the user.
Templates: This is a store where all the data or information representing the individual's/enrolee's biometric features is kept. The template is usually retrieved when identification is to be carried out on an individual. A biometric system can operate using either verification (authentication) or identification mode.
Matching: This is the process of comparing and analysing an individual's biometric details against those stored in the database system templates. Enrolment is the first stage of authentication, in which a template is generated that will then be used for matching during the user's authentication.
2.4 Types of Biometric Technologies
Biometrics can be classified into two main classes, physiological and behavioural biometrics, and involves two main modes of application, which can be said to be contact and contactless biometric applications. The main function of a biometric technology system is to assist in controlling access to a network system, and to help authenticate an individual by establishing their identity through comparison with already stored details which are unique to the individual. The most significant factor which enables the use of a biometric for authentication is its uniqueness, i.e. no two persons can have the same bio data, and it cannot be lost or guessed. Looking at the recent increase in breaches of information systems, a biometric authentication system is a more reliable, efficient and effective way to reduce this increasing threat than the traditional password-based authentication process.
2.4.1 Physiological Biometrics:-
In this type of biometric application, the individual is required to have biometric features stored in the bio data storage device (scanner). This device is where the user's details are collected and stored for future use. Because a person stores their bio data and needs to make direct contact whenever they need to gain access to an information system, many people consider this to be a technology which invades one's personal privacy. Below are some examples.
Fingerprint scanning is the most commonly used biometric and the most advanced of all the biometric technologies, and it is highly accurate. The challenge lies in the varying quality of fingerprints across individuals and in dealing with wear in the defining irregularities in the ridges and valleys of one's finger (Nanavati, S., 2002). New technologies have recently employed pattern matching and ultrasonic scanning rather than evaluation of the irregularities, which has increased the accuracy of fingerprint scanning and reduced the risk of misidentification. By scanning the geometry of an individual's hand, including height, width, shape and proportion, security systems can accurately recognize and identify individuals. This method is primarily used for physical access control and is considered the most useful in terms of durability and application. In fact, hand scanning is used effectively where other biometric technologies cannot work due to frequency, volume, or environmental disruptions. Here is a finger print sample from Wikipedia.
Retina scanning is considered among the most accurate of the biometric technologies through its evaluation of the shape and make-up of the inner surface of the back of the eye. This method, while highly accurate, is also fairly costly and often perceived as difficult to use. Other complications include interference from foreign objects such as eye glasses or contact lenses. Further, scanning of a sensitive area such as one's eye decreases receptivity and willingness to use. Even so, the accuracy of retina scanning and the minimized risk of imitation make it useful in extremely high security areas where accountability is of utmost importance (Nanavati, S., 2002).
Hand or finger geometry is an automated measurement of many dimensions of the hand and fingers. Neither of these methods takes actual prints of the palm or fingers. Only the spatial geometry is examined as the user puts his hand on the sensor's surface and uses guiding poles between the fingers to properly place the hand and initiate the reading. Hand geometry templates are typically 9 bytes, and finger geometry templates are 20 to 25 bytes. Finger geometry usually measures two or three fingers. Hand geometry is a well-developed technology that has been thoroughly field-tested and is easily accepted by users (Nanavati, S., 2002). See example below of a typical hand geometry.
This is similar to retina scanning in method and level of accuracy. However, its application is considered less intrusive and is thus becoming more common. Recently, it has been introduced into the airline and banking industries and while system integration remains a challenging part of implementation, improvements are continually being made (5).
Facial recognition applications are most often used in conjunction with other verification methods such as identification card systems, or with existing security cameras and monitors. This method utilizes high resolution images of distinct facial features such as eye sockets, shape of the nose, and/or the position of certain features relative to each other (1). Problems arise with this application if the subject is not properly positioned for the camera or if environmental changes such as lighting changes prevent an accurate read (Nanavati, S., 2002).
2.4.2 Behavioural Biometrics:
Behavioural biometrics is the ability of a system to recognise, identify and authenticate users based on their behavioural characteristics, which are unique to them. This type of biometric can be learnt or developed over a period of time, and may follow a particular pattern of usage by the individual. Examples of behavioural traits used in biometrics are handwriting, speech, keystroke, walking pattern etc. In a nutshell, this type of biometric identification can change over a certain period due to factors like age, weather etc. Because of these changes, for the system to remain secure, training or repeated registration has to be carried out from time to time. Some of the behavioural biometrics are stated below and will be explained further as we proceed in this research work (Nanavati, S., 2002).
Signature verification has been in existence for a long time; it is mostly used in the banking sector to identify individuals who make use of its services. Signatures are mostly used to authorise documents like cheques, contracts and sensitive documents. Despite its long existence, automating the recognition process remains a challenge because people's signatures are not always identical and can change drastically over time. These changes could be the result of factors like old age, mental or physical state etc.
Voice verification is a behavioural biometric which is mainly based on an individual's speech pattern. Here a person's voice is compared or recognised against previously recorded and stored voice output. Voice verification is a sensitive biometric approach because of its acceptability to a lot of users, and also because its high error rate could be significant, since it is not as invasive as the physiological biometrics. An example of its use is in “telephone transactions” (Nanavati, S., 2002).
Keystroke biometrics is an automated method of examining and monitoring the typing patterns of an individual on a keyboard. The technology examines and determines the dynamic characteristics of rhythm, speed and pressure, and also calculates the total time used in typing a particular word and the time the user takes to hit certain keys. This technique can be combined with the traditional password system to improve security when accessing sensitive information on computer systems using keyboards or a mouse. This method of verification is quite new and still in its development stage, which is not to say it has not been in use. Also, “keystroke biometrics is of high flexibility”, because it can accommodate the changing of the password over time when users observe behavioural changes. Keystroke biometrics has its advantages and also its disadvantages. In a nutshell, keystroke biometrics will be discussed further as we proceed in the research work.
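The enrolment, template and matching elements listed earlier, the 1:1 and 1:N modes of section 2.3.1, and the keystroke durations and latencies described above can be shown together in one short sketch. This is an added example, not code from the original dissertation; the function names, the 5 ms spread floor, the threshold of 2.0 and all timing data are assumptions constructed for illustration.

```python
from statistics import mean, stdev


def make_sample(text, durations, latencies):
    """Build constructed key events as (key, press_ms, release_ms)."""
    events, t = [], 0
    for i, ch in enumerate(text):
        events.append((ch, t, t + durations[i]))
        if i < len(latencies):
            t += durations[i] + latencies[i]
    return events


def features(events):
    """Keystroke durations (release - press) followed by keystroke
    latencies (next press - previous release), all in milliseconds."""
    durations = [release - press for _, press, release in events]
    latencies = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return durations + latencies


def enrol(samples, min_std=5.0):
    """Enrolment: turn several typings of the same text into a template
    holding the per-feature mean and spread. min_std is an assumed floor
    so that a very consistent enrolment does not reject normal jitter."""
    if len(samples) < 2 or not samples[0]:
        raise ValueError("need at least two non-empty samples")
    keys = [k for k, _, _ in samples[0]]
    if any([k for k, _, _ in s] != keys for s in samples):
        raise ValueError("all enrolment samples must be the same text")
    columns = list(zip(*(features(s) for s in samples)))
    return {"keys": keys,
            "mean": [mean(c) for c in columns],
            "std": [max(stdev(c), min_std) for c in columns]}


def score(template, events):
    """Matching: average distance from the template, in standard deviations.
    A wrong password never matches, whatever the rhythm."""
    if [k for k, _, _ in events] != template["keys"]:
        return float("inf")
    return mean([abs(x - m) / s for x, m, s in
                 zip(features(events), template["mean"], template["std"])])


def verify(db, user_id, events, threshold=2.0):
    """1:1 mode, "Are you who you claim to be?"."""
    template = db.get(user_id)
    return template is not None and score(template, events) <= threshold


def identify(db, events, threshold=2.0):
    """1:N mode, "Do I know you?": search every stored template."""
    best = min(db, key=lambda user: score(db[user], events), default=None)
    if best is None or score(db[best], events) > threshold:
        return None
    return best


# Constructed data: two users who both know the shared password "bank".
TEXT = "bank"
DB = {
    "alice": enrol([make_sample(TEXT, [90, 85, 95, 88], [120, 110, 130]),
                    make_sample(TEXT, [94, 80, 99, 92], [125, 105, 135]),
                    make_sample(TEXT, [88, 88, 92, 85], [115, 112, 128])]),
    "bob": enrol([make_sample(TEXT, [140, 150, 135, 145], [60, 70, 55]),
                  make_sample(TEXT, [145, 155, 130, 150], [65, 75, 50]),
                  make_sample(TEXT, [138, 148, 138, 142], [58, 68, 58])]),
}
ALICE_ATTEMPT = make_sample(TEXT, [92, 83, 96, 90], [122, 108, 132])
BOB_ATTEMPT = make_sample(TEXT, [142, 150, 136, 146], [62, 69, 56])
STRANGER_ATTEMPT = make_sample(TEXT, [200, 60, 200, 60], [300, 20, 300])

if __name__ == "__main__":
    print("alice as alice:", verify(DB, "alice", ALICE_ATTEMPT))
    print("bob using alice's login:", verify(DB, "alice", BOB_ATTEMPT))
    print("1:N on bob's rhythm:", identify(DB, BOB_ATTEMPT))
    print("1:N on unknown rhythm:", identify(DB, STRANGER_ATTEMPT))
```

The second case is the password-sharing scenario from the problem statement: the correct password typed with another person's rhythm is rejected in 1:1 mode.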
2.5.0 Advantages and Disadvantages of the Different Identification Mechanisms.
The pros and cons associated with specific devices are highlighted below:
· Not much storage space is required for the biometric template
· Has traditionally been associated with criminal activities and thus users could be reluctant to adopt this form of biometric a