Sandeep Gupta

Topic: 
Attack vectors & cyber-threats
Research work: 

My research focuses on the risk posed by "human behavior" while user uses security mechanisms. I am investigating authentication methods where the final decision is based on risk metrics and adjustable levels of confidence. Hence, actually designing and testing new behavioral authentication methods that aim at lowering potential security risks due to human behavior while user uses it.

Studies in the field of cyber attacks have found humans as the weakest link for most of the attacks in getting the access to critical systems. As a use case, studying the specific mechanism of user authentication securing the access to the system where a human is involved as an operator.

Existing authentication methods based on “something you know” and “something you have" is inherently binary (the level of confidence about the authenticity of the user must be 100% for the system to accept it). Particularly, I am focusing on behavioral biometrics because they are comparatively newer, user-friendly, and potentially well suited for new environments and contexts such as IoT devices and critical infrastructures. In addition, overall risk computation on which authentication decision is taken inherently asserts user behavior.

Also, I will focus on the task of applying threat model to the new authentication systems and making it resilient against possible vulnerabilities and cyber-threats specifically due to human factors.

ESRs Publications

Description:

On-demand ride services and the rideshare infrastructure primarily focus on the minimization of travel time and cost. However, the safety of riders is overlooked by service providers. For driver authentication, existing identity management methods typically check the driving license, which can be easily stolen, forged, or misused. Further, background checks are not performed at all; instead, social profiles and peer reviews are used to foster trust, thereby compromising the safety and security of riders. Moreover, the present mechanism seems ineffective in discontinuing a malicious driver from offering the services. In this paper, we present DriverAuth - a fully transparent and easy-to-use authentication scheme for drivers that is based on common behavioral biometric modalities, such as hand movements, swipes, and touch-strokes while the drivers interact with the dedicated smartphone-based application for accepting the booking. A preliminary study of behavioral biometric-based approaches offers a usable verification mechanism on smartphones that could be a potential solution to improve the safety of riders in the emerging on-demand ride and the rideshare infrastructure.

Description:

Smartphones are the most popular and widespread personal devices. Apart from their conventional use, i.e., calling and texting, they have also been used to perform multiple security-sensitive activities, such as online banking and shopping, social networking, taking pictures and emailing. On a positive side, smartphones have improved the quality of life by providing multiple services that users desire, e.g., anytime-anywhere computing, etc. However, on the other side, they also pose security and privacy threats to the users’ stored data. User authentication is the first line of defense to prevent unauthorized access to the smartphone. Several authentication schemes have been proposed over the years, however, their presentation might be perplexing
to the new researchers to this domain, under the shade of several buzzwords, e.g., active, continuous, implicit, static, transparent,
etc., being introduced in academic papers without comprehensive description. Moreover, most of the reported authentication solutions
were evaluated mainly in terms of accuracy, overlooking a very important aspect - the usability. This paper surveys various types and ways of authentication, designed and developed primarily to secure the access to smartphones and attempts to clarify correlated buzzwords, with the motivation to assist new researchers in understanding the gist behind those concepts. We also present the assessment of existing user authentication
schemes exhibiting their security and usability issues.

Description:

This paper introduces DialerAuth - a mechanism which leverages the way a smartphone user taps/enters any “text-independent" 10-digit number (replicating the dialing process) and the hand’s micro-movements she makes while doing so. DialerAuth authenticates the user on the basis of timing differences in the entered 10-digit strokes. DialerAuth provides enhanced security by leveraging the transparent and unobservable layer based on another
modality - user’s hand micro-movements. Furthermore, Dialerauth increases the usability and acceptability by utilizing the users’ familiarity with the dialing process and the flexibility of choosing any combination of 10-digit number.We implemented DialerAuth for both data collection and proof-of-concept real-time analysis. We collected, in total ≈10500 legitimate samples involving 97 users, through an extensive unsupervised field experiment, to evaluate the
effectiveness of DialerAuth. Analysis using one-class Multilayer Perceptron (MLP) shows a TAR of 85.77% in identifying the genuine users. Security analysis involving ≈240 adversarial attempts proved DialerAuth as significantly resilient against random and mimic attacks. A usability study based on System Usability Scale (SUS) reflects a positive feedback on user acceptance (SUS score = 73.29).

Description:

Smartphones have become the pervasive personal computing platform. Recent years thus have witnessed exponential growth in research and development for secure and usable authentication schemes for smartphones. Several explicit (e.g., PIN-based) and/or implicit (e.g., biometrics-based) authentication methods have been designed and published in the literature. In fact, some of them have been embedded in commercial mobile products as well. However, the published studies report only the brighter side of the proposed scheme(s), e.g., higher accuracy attained by the proposed mechanism. While other associated operational issues, such as computational overhead, robustness to different environmental conditions/attacks, usability, are intentionally or unintentionally ignored. More specifically, most publicly available frameworks did not discuss or explore any other evaluation criterion, usability and environment-related measures except the accuracy under zero-effort. Thus, their baseline operations usually give a false sense of progress. This paper, therefore, presents some guidelines to researchers for designing, implementation, and evaluating smartphone user authentication methods for a positive impact on future technological developments. The aim of the article is making sure that the published methods and results in the literature have been analyzed properly, thereby leading to higher quality products, impactful methods, and claims.