Summary: | Many banking and commerce mobile applications use two-factor authentication for user authentication, combining a password with a behavioral authentication system. These behavioral systems use parameters related to the user's typing behavior and the way the user handles the phone while typing, and they distinguish users from impostors by applying machine learning techniques (mostly supervised learning) to this behavioral data. Both password-based and behavior-based systems work well in detecting impostors on mobile applications, but they can suffer from record-and-replay attacks, in which the touch information of the user's actions is recorded and then replayed programmatically; the tools that do this are called Record & Replay (R & R) bots. The effectiveness of behavioral authentication systems in identifying such attacks is unexplored. This thesis addresses the problem by developing a method to identify R & R bots on mobile applications. Behavioral data from users and from the corresponding R & R bots is collected, and it is observed that the touch information (location of the touch on the screen, touch pressure, and area of the finger in contact with the screen) is replayed exactly by the bot. However, the sensor information differs between a user and the corresponding R & R bot, because the physical touch action is missing when the user's actions are replayed on the mobile application. Based on this observation, a feature set is extracted from the sensor data that can differentiate users from bots, and a dataset is formed from these features for both users and bots. Two machine learning techniques, support vector machines (SVM) and logistic regression (LR), are applied to the training set (80% of the dataset) to build classifiers.
The two classifiers built on the training set accurately separate user sessions from bot sessions in the test set (20% of the dataset) using the feature set derived from the sensor data.
|
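The detection idea above, as an added example that is not code from the thesis: constructed user sessions and their R & R bot replays are generated so that the touch stream is byte-for-byte identical in both, while only the user's accelerometer stream carries a short perturbation after each tap. Two sensor-only features are extracted per session and a logistic-regression classifier (one of the two techniques the thesis uses) is trained on an 80% split and scored on the remaining 20%. The session model, the 50 Hz sample rate, the 160 ms post-touch window and the two feature definitions are assumptions made for illustration, not the thesis's feature set; the code is plain Python with no external dependencies.

```python
"""Added example, not code from the thesis: synthetic user sessions and their
Record & Replay (R&R) bot counterparts, sensor-derived features, and a
logistic-regression classifier in pure Python. The session model and the
feature definitions below are assumptions for illustration."""
import math
import random

SAMPLE_MS = 20      # accelerometer sampled at 50 Hz (assumed)
SESSION_MS = 4000   # one constructed session is 4 s long
WINDOW_MS = 160     # post-touch window in which a physical tap moves the phone (assumed)


def make_touches(rng, n=8):
    """Constructed touch events: (t_ms, x, y, pressure, size).
    A replay bot re-injects exactly this list, so touch data alone cannot
    separate user from bot; only the sensor stream can."""
    return [(int(rng.uniform(200, SESSION_MS - 400)), rng.uniform(0, 1080),
             rng.uniform(0, 1920), rng.uniform(0.2, 0.8), rng.uniform(0.05, 0.2))
            for _ in range(n)]


def make_accel(rng, touches, physical):
    """Constructed accelerometer stream: (t_ms, ax, ay, az) in m/s^2.
    physical=True adds a decaying bump after each touch (a finger striking the
    screen); physical=False models the replay, where nothing touches the phone
    and only baseline noise remains."""
    bumps = [(t[0], rng.uniform(0.5, 1.0)) for t in touches]
    samples = []
    for t in range(0, SESSION_MS, SAMPLE_MS):
        ax, ay = rng.gauss(0, 0.03), rng.gauss(0, 0.03)
        az = 9.81 + rng.gauss(0, 0.03)
        if physical:
            for tt, amp in bumps:
                dt = t - tt
                if 0 <= dt < WINDOW_MS:
                    az += amp * math.exp(-dt / 60.0)
        samples.append((t, ax, ay, az))
    return samples


def features(touches, accel):
    """Two per-session features from the sensor stream only (assumed feature set):
    mean peak deviation of |a| from the session median inside the post-touch
    window, and mean standard deviation of |a| inside that window."""
    mags = [math.sqrt(ax * ax + ay * ay + az * az) for (_, ax, ay, az) in accel]
    base = sorted(mags)[len(mags) // 2]   # median |a|, roughly gravity
    peaks, spreads = [], []
    for tt, *_ in touches:
        win = [m for (t, *_), m in zip(accel, mags) if tt <= t < tt + WINDOW_MS]
        mean = sum(win) / len(win)
        peaks.append(max(abs(m - base) for m in win))
        spreads.append(math.sqrt(sum((m - mean) ** 2 for m in win) / len(win)))
    return [sum(peaks) / len(peaks), sum(spreads) / len(spreads)]


def session_pair(seed):
    """Feature vectors for one user session and the R&R bot replay of the
    same touch list (identical touches, no physical contact)."""
    rng = random.Random(seed)
    touches = make_touches(rng)
    user = features(touches, make_accel(rng, touches, physical=True))
    bot = features(touches, make_accel(rng, touches, physical=False))
    return user, bot


def standardize(train, rows):
    """Z-score rows using mean/std of the training rows only (no test leakage)."""
    k = len(train[0])
    mu = [sum(r[j] for r in train) / len(train) for j in range(k)]
    sd = [math.sqrt(sum((r[j] - mu[j]) ** 2 for r in train) / len(train)) or 1.0
          for j in range(k)]
    return [[(r[j] - mu[j]) / sd[j] for j in range(k)] for r in rows]


def train_logreg(X, y, epochs=500, lr=0.5):
    """Batch gradient-descent logistic regression; label 1 = bot session."""
    n = len(X[0])
    w, b = [0.0] * n, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * n, 0.0
        for xi, yi in zip(X, y):
            z = max(-30.0, min(30.0, sum(wj * xj for wj, xj in zip(w, xi)) + b))
            err = 1.0 / (1.0 + math.exp(-z)) - yi
            for j in range(n):
                gw[j] += err * xi[j]
            gb += err
        w = [wj - lr * gj / len(X) for wj, gj in zip(w, gw)]
        b -= lr * gb / len(X)
    return w, b


def predict(model, x):
    w, b = model
    return 1 if sum(wj * xj for wj, xj in zip(w, x)) + b > 0 else 0


def run_experiment(seed=7, n_users=40):
    """Build user/bot sessions, split 80/20 by session, train LR on the
    training part and report accuracy on both parts."""
    rows = []
    for i in range(n_users):
        user, bot = session_pair(seed * 1000 + i)
        rows += [(user, 0), (bot, 1)]
    random.Random(seed).shuffle(rows)
    cut = int(0.8 * len(rows))
    train, test = rows[:cut], rows[cut:]
    raw_train = [r for r, _ in train]
    Xtr, Xte = standardize(raw_train, raw_train), standardize(raw_train, [r for r, _ in test])
    model = train_logreg(Xtr, [lab for _, lab in train])
    acc = lambda X, rs: sum(predict(model, x) == lab for x, (_, lab) in zip(X, rs)) / len(X)
    return {"n_train": len(train), "n_test": len(test),
            "train_accuracy": acc(Xtr, train), "test_accuracy": acc(Xte, test)}


if __name__ == "__main__":
    print(run_experiment())
```

The point the example makes concrete is the one the summary relies on: a replay bot reproduces the touch tuple exactly, so any classifier fed only touch features sees the same input for user and bot, whereas features computed from the accelerometer around each touch timestamp separate the two. A practitioner adapting this should also check the obvious evasion, a bot that replays the recorded sensor stream alongside the touches; in that case the features above no longer help and the check has to move to something the attacker cannot replay (for example hardware-attested sensor readings).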