Security IT

Verifying a User By Following the Movements of Their Mouse

Harperdog writes "Tom Jacobs has a very cool little story about an Israeli research team introducing a novel way of verifying a computer is being operated by its rightful user. Its method, described in the journal Information Sciences, 'continuously verifies users according to characteristics of their interaction with the mouse.'"
This discussion has been archived. No new comments can be posted.

  • Index/Evidence (Score:5, Insightful)

    by Anonymous Coward on Friday May 04, 2012 @03:18AM (#39887623)

    Is it indexical? Yes. Is it evidential? No.

    Translation: unreliable.

    • by Samantha Wright ( 1324923 ) on Friday May 04, 2012 @03:59AM (#39887779) Homepage Journal
      "Unreliable" is a dirty word in data mining. You mod yourself down this instant!
    • Re:Index/Evidence (Score:5, Interesting)

      by leuk_he ( 194174 ) on Friday May 04, 2012 @04:14AM (#39887829) Homepage Journal

      If it is unique enough to identify (not verify) you, then it could be used to prove user XXX did the fraudulent things on PC Y, instead of the logged on user YYY.

    • by HetMes ( 1074585 )
      Translation: you're not getting the point. Lots of false negatives and false positives is still a lot better than random guessing. Also, this is just the beginning.
      • Re:Index/Evidence (Score:4, Insightful)

        by JasterBobaMereel ( 1102861 ) on Friday May 04, 2012 @07:10AM (#39888643)

        Lots of false positives and negatives make the system constantly alerting and having to be manually checked .... i.e. annoying and people get used to just accepting that it is always warning ...

        A system that is constantly flagging alerts is next to useless ...it is only marginally better than alerting all the time ....

        • Until, of course, the system gets better and has less false negatives and false positives. And integrates with other systems, as another level of check.

          Just because this iteration of it isn't that useful does NOT mean it's a bad idea that will never be useful. Technology is often incremental, and while the beginning steps are unreliable, they are still very important ones.
      • Translation: you're not getting the point. Lots of false negatives and false positives is still a lot better than random guessing. Also, this is just the beginning.

        On the contrary: Equally large amounts of false negatives and false positives is exactly the same as random guessing. [Shannon, 1948]

        • On the contrary: Equally large amounts of false negatives and false positives is exactly the same as random guessing. [Shannon, 1948]

          Not true in general. For example, a system that yields 1% false negatives and 1% false positives is still 98% reliable, and much better than random guessing.
          • Not true in general. For example, a system that yields 1% false negatives and 1% false positives is still 98% reliable, and much better than random guessing.

            Granted, but we are talking about this specific article and not "in general". Since mouse movements are sometimes used as an entropy source for RNG seed material (http://www.freepatentsonline.com/5799088.html, for example), that indicates that the uncertainty could be closer to random chance, i.e. <<2-sigma

  • Trackball (Score:4, Interesting)

    by thed8 ( 1739450 ) on Friday May 04, 2012 @03:20AM (#39887629)
    I use a trackball and, because of carpal tunnel, switch hands often. I guess they could ID me from that alone. But really, telegraph operators could tell who was sending in the 1800s. It took us long enough.
    • Re:Trackball (Score:5, Insightful)

      by Chrisq ( 894406 ) on Friday May 04, 2012 @04:32AM (#39887895)

      but really, telegraph operators could tell who was sending in the 1800s. It took us long enough.

      Remember this for when someone starts trolling a patent

    • Re:Trackball (Score:5, Interesting)

      by PopeRatzo ( 965947 ) on Friday May 04, 2012 @07:38AM (#39888857) Journal

      I use a trackball and, because of carpal tunnel, switch hands often. I guess they could ID me from that alone. But really, telegraph operators could tell who was sending in the 1800s. It took us long enough.

      I don't think they're trying to use this like fingerprints or retina. I gather (from not reading the article) that they just want to know if the person who usually uses this computer is the guy who is now using this computer. And I'm guessing that all the little ticks and taps that go on when you're reading something and just have your hand (left or right) resting on your ball (left or right) is pretty distinctive.

      It made me notice just now that I do a little rhythmic dance with my pointer while I'm reading. Like a nervous tic. I never realized that until just now.

      • It made me notice just now that I do a little rhythmic dance with my pointer while I'm reading. Like a nervous tic. I never realized that until just now.

        Oh, that must be you just making the sign of the cross over each of us slashdot sinners.

        By the way, whenever I see your 'nym "PopeRatzo" I always picture in my head SNL's Father Guido Sarducci reading your posts out loud, complete with hat and cigarette waved around for emphasis.

        Makes my day a little brighter.

        • By the way, whenever I see your 'nym "PopeRatzo" I always picture in my head SNL's Father Guido Sarducci reading your posts out loud, complete with hat and cigarette waved around for emphasis.

          You have no idea how close that is to the truth.

      • I use a pretty odd arrangement at work & it makes my work 'mouse behavior' very different. I use a trackball I bought myself at work and I've always been aware that having to move my arm less to use it seems to have increased the 'nervous tic' like mousing behaviors.

        Best example of which is that if I'm working my way through a page of boring documentation, it's quite likely (>25% probability) that I will be highlighting & un-highlighting bits of the paragraph as I read it for no reason at all. Thi

        • I only seem to start doing it when reading long sections of text, and not when for instance I'm reading a long section of text/code in my editor.

          That's interesting. Now that I think about it, my reading behavior (tics) is significantly different than my mouse behavior when I'm working in ProTools or Reaper. Very often, the tics are rhythmic, in time to some music in my head or on the speakers.

          Still, I doubt that it's random, and if it's like most things human beings do, there are distinctive patterns.

  • by Anonymous Coward

    But just like everything else, they'll come up with some sort of automation that replicates the somewhat erratic mouse gestures a human does to get around this "security".

    • Or just a touch screen effect where the mouse instantly moves to the target rather than travelling between.
    • Re:for now.. (Score:4, Interesting)

      by jones_supa ( 887896 ) on Friday May 04, 2012 @04:13AM (#39887827)
      If you sneak into someone's office, how are you going to start such automation that replicates the behavior of the owner of the machine?
      • USB not-a-mouse-but-looks-like-one-to-software? Or a tablet/laptop with an app that draws a moving image on the screen to fool optical mouse tracking?
        • If I understood the article correctly, you would need to generate mouse input that resembles the patterns of the real user, to keep the machine usable.
      • Re:for now.. (Score:5, Insightful)

        by JasterBobaMereel ( 1102861 ) on Friday May 04, 2012 @07:13AM (#39888653)

        If you can sneak into someone's office and use their computer at all, then detecting people by mouse movements is the least of your worries

        Your staff leaving their computer unlocked, their door unlocked, and their office unattended, and no-one noticing are much worse security issues ...

        • Your staff leaving their computer unlocked, their door unlocked, and their office unattended, and no-one noticing are much worse security issues ...

          Yeah, the secretary might have her handbag in the office, in which case you could find cool stuff like used handkerchiefs or even a spare panty or somesuch!

          *pauses* *coughs* I'm merely pointing this out as a purely hypothetical case, of course. I don't condone, nor have ever engaged in any such activities. *looks down* *hurries away*

        • If you can sneak into someone's office and use their computer at all, then detecting people by mouse movements is the least of your worries

          Your staff leaving their computer unlocked, their door unlocked, and their office unattended, and no-one noticing are much worse security issues ...

          Sure, but this mouse thingy might still be a useful extra security feature after those basic things are taken care of.

      • Insert Linux flashdrive and cycle power to the computer, install automation, cycle power again?
  • by Lord Lode ( 1290856 ) on Friday May 04, 2012 @03:28AM (#39887673)

    And then get locked out if you come from cold weather outside and cold hands somehow make you move differently...

    • by jones_supa ( 887896 ) on Friday May 04, 2012 @04:16AM (#39887835)
      Then you would get a screen which requires some additional authentication to solve the situation, and after that disable the mouse protection for a while (so that your hands can warm up).
      • by Hentes ( 2461350 ) on Friday May 04, 2012 @05:47AM (#39888263)

        True, while this system is too unreliable to work on its own, I can imagine a hybrid solution where it pops up a traditional password authentication if you move your mouse differently than usual. It could be of some use in high-security places in case an employee leaves the machine on and forgets to log out, but then if you have enemies gaining physical access to your security-sensitive stuff you have already failed.

        • The problem with this is that people will forget the password, or it will be really weak so they don't have trouble remembering it the 3 times a year they need it. I've noticed this a lot where I work. If you don't use a password at least every week, then it's often forgotten, especially when one is in a rush, and needs to log into a system straight away. This is also a problem with passwords that change too often. If you have to change your password every 30 days, then users will often change their passwo
          • by Wattos ( 2268108 )

            if you have to change your password every 30 days, then users will often change their password, and then forget it by the next time they have to type it in. I like how windows warns me up to 2 weeks in advance that My password requires changing. When I see this, I start thinking about what my next password will be, and I always change it on a Monday. Much less chance of forgetting it over night than over a weekend.

            Are you saying that your password is actually not ?
            These "change your password every X" systems are extremely stupid and create passwords which are weaker than the original password (e.g. append a 1 every time). So in my example, I always change the password every month, and append the current month + year to my base password. This fools the security check but does not introduce any additional security. E.g.

            base pass= abcd
            Pass in January 2012: abcd012012
            Pass in February 2012: abcd022012 ...

          • The problem with this is that people will forget the password, or it will be really weak so they don't have trouble remembering it the 3 times a year they need it.

            They can use their normal account password to get back. The mouse-movement-thing is just something extra that stops the action if someone else starts screwing with an unlocked, logged-in workstation.

            • A skilled user could do anything they needed to do without even touching the mouse. If the person leaves their computer unlocked, and the attacker starts using the keyboard to do all the commands, then there'd be no way for the system to lock them out. You could lock out people who don't use the mouse often enough, but that is problematic as well.
      • Then you would get a screen which requires some additional authentication to solve the situation

        If it were deployed on a site available to the public, the screen would likely say "Please call this telephone number during regular business hours." On a Friday evening before a bank holiday Monday. Or worse yet, "Please visit the nearest branch during regular business hours."

    • Or if you had a few drinks, smoked some pot, or are just simply a bit tired or excited or...

    • by khr ( 708262 )

      And then get locked out if you come from cold weather

      I believe that would be "frozen out" not "locked out".

  • by Xtense ( 1075847 ) <xtense@[ ]pl ['o2.' in gap]> on Friday May 04, 2012 @03:28AM (#39887675) Homepage

    I see several potential problems with this kind of identification. One of the biggies is switching hardware and the other - potential hand injuries.

    Changing mice is the biggest issue, I think. Every mouse has a different shape and ergonomy, so it is being used differently by the same user, especially during the adjustment period. This also doesn't take into account the potential precision differences of the mouse. Plus, switching to an entirely different control scheme, like a tablet or trackball, screws up any tracking attempts.

    The other problem is hand injuries - from a simple finger cut to advanced problems with nerve or bone structure. In addition to slowing down the usage, tracking movement will show entirely different schemes of usage. This one hits especially close to home for me, since having recently developed numbness and coordination problems in my dominant hand due to a relapse of Multiple Sclerosis, I now struggle to use a mouse at all and have almost completely switched to a thumb-operated trackball.

    This identification method might be useful in highly integrated/high-security environments, where employees seldom change, or for protecting single-user terminals, but the hand injury problem trumps these uses, too.

    • by tinkerton ( 199273 ) on Friday May 04, 2012 @03:35AM (#39887689)

      "potential problems" can mean different things. Who needs permanent identity verification? This could be a niche product, so scenarios where you get locked out each time you start gaming could be irrelevant. In that case dramatic mouse changes requiring retraining wouldn't happen frequently either.

      • by Xtense ( 1075847 ) <xtense@[ ]pl ['o2.' in gap]> on Friday May 04, 2012 @03:39AM (#39887709) Homepage

        The article specifically mentions "continuous verification", implying a workplace/business environment, where motions of the pointer are probably repetitive enough for the software to pick up on. This, of course, also implies not having to switch mouses every so often, but every time there IS a global company-wide switch of hardware, the ID software will go completely bananas, locking out every worker there. Without a method of purging already generated schemes for every user, this is just begging for a catastrophic company lockdown.

        • The article specifically mentions "continuous verification", implying a workplace/business environment, where motions of the pointer are probably repetitive enough for the software to pick up on.

          The article also implies a country where the workers can't sue their employers for giving them the carpal tunnel syndrome.

          After all if Pavlov were alive today, he'd argue that the seemingly insignificant penalty of getting a login screen requiring a password every time a small variation in behavior occurred would eventually condition the behavior of the computer operator and perhaps would probably cause even more employees than usual that get repetitive strain injuries as a result of their work.

    • Basically, when someone plugs a new mouse in, it'll have to reset itself, which completely negates the security of the technique anyway. If you're using the computer you've likely got hardware access to at least plug in a new mouse.
      In a high security area there are much better ways of tracking who's using what, and this just seems like it'll be too easy to a) fake and b) work around and c) gain false negatives

      • Yes, most people working in an office use at least four or five different mice and switch between them several times a day. Therefore, the system is totally useless. It could only possibly work for the kind of people who barely even know where to plug in a mouse, which is... oh, wait.

        • When I worked in a warehouse, I would ordinarily use the mouse attached to the Windows workstation at the desk in my office and the mouse attached to the Linux development workstation during the day. When developing fixes or new features for the warehouse automation software, I would also use the mouse attached to the computer at which orders were packed and the mouse attached to the computer at which packages were weighed and postage labels were printed.
          • Yes, but they're all attached to different devices, so that would not matter in this case as each device would create its own profile of your mouse usage on that device.

    • I don't think they are suggesting that this would be a security/verification system in and of itself, just part of one. So for example if mouse movements appeared different (say due to new hardware) then it would prompt for a password or key, but otherwise it would verify them. No different really to if a user forgets a password and is required to do some extra things (secret questions, backup email etc) to verify their identity.
      • by Xtense ( 1075847 )

        Yes, in this case the method would work. The only remaining problem to address is whether it is sensitive enough to not give false-positives with random hand-related problems due to, for instance, weather conditions, and how will it impact workflow around a potential office - in a typical setup, even if workers are limited to their own cubicle, they often help each other out by going over to someone else's computer and doing something there. This, of course, depends on company policy, but having the compute

        • by gl4ss ( 559668 )

          I'm pretty sure their system works nicely for data input role workers - and not at all for anyone doing anything more complex with variety.

          for just about anything else.. the profiling can't be very good. basically they can detect if you change your mouse, screen resolution, if you change where you "rest" your mouse between clicks and such. big deal.

    • Changing mice is the biggest issue, I think.

      That's far from being the biggest issue. The tough part is tuning the system so that it offers real protection, but at the same time does not get in the way of the authorized user of the computer.

  • by Anonymous Coward

    Seriously? Why does anyone even bother to publish computer science papers there, other than because the work is too poor to be accepted by a good IEEE or ACM conference or journal?

    • by fedt ( 1096053 )
      This is the future!

      Bank of America modal dialog: "Your session has been destroyed for security purposes. Either you had two or more drinks, or your session has been hijacked (our IT guys say this happens from not upgrading your browser). Please login again and answer at least 3 security questions."

      Eh, it wouldn't be that bad though. It would probably be more like the Wii Motion Plus...wanting to recalibrate every 3 minutes...
    • Exactly. They pissed off too many serious researchers with all their restrictions and paywalls, are getting boycotted as a result, and now this is the only kind of stuff they can still get their hands on.

  • This is an interesting direction for collecting metrics, and could obviously be used to evil(tm)

    Depending on how they collect the data there are multiple potential sources for data collection.

    DPI/Sensitivity of the mouse (which users generally do not change)
    Algorithm/mouse smoothing (with enough data resolution can even narrow this down the sensor and processor used or even brand and model of mouse)
    speed of click/double click user inputs.
    degree and pitch of side to side or top to bottom of screen mouse trac

  • by martin-boundary ( 547041 ) on Friday May 04, 2012 @04:48AM (#39887973)
    *tap* *tap* *tap* *tap* *tap*
    ZZ
    vi more_code.cpp *tap* *tap* *tap* *tap* *tap*
    ZZ
    vi extra_code.cpp *tap* *tap* *tap* *tap* *tap*
    ZZ
    firefox http://www.slashdot.org/
    INTRUDER ALERT! INTRUDER ALERT! AUTOMATIC LOGOUT AND SHUTDOWN IN PROGRESS!
  • Depending on my mood, I'm likely to get locked out? God forbid I should start using a new app, that would also lock me out as mouse movement are sure to be different. Maybe I slept bad, and my arm hurts? Maybe it's just stress over review coming up?

    Basically if any conditions change in user's personality or physiology, or computer's configuration, or your routine daily tasks, security app would be useless.

    If it was used as part of hybrid solution it's still useless, why just not get timed user promp
    • Basically if any conditions change in user's personality or physiology, or computer's configuration, or your routine daily tasks, security app would be useless.

      That does not immediately make the software completely useless. It still works when you are functioning in your mainline. During days which your behavior is deviant enough, you might just disable the feature for a while, or something.

      And even if it would still get too much in your way, you could make it so that instead of completely locking the session, it would simply log the spurious events so you could check them if necessary.
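Added example, not part of the original thread or of the paper it discusses: a sketch of the hybrid policy several comments above describe, where a deviating mouse profile triggers a password prompt, a passed prompt pauses monitoring for a while, and a log-only mode records events instead of locking. The feature names, profile numbers, threshold and grace period are all assumptions chosen for illustration.

```python
from collections import deque
from statistics import mean

# Constructed enrollment profile: (mean, std) per feature. The feature names
# and numbers are assumptions for illustration, not taken from the paper.
PROFILE = {"speed_px_s": (800.0, 150.0), "click_ms": (120.0, 20.0)}


class MouseVerifier:
    """Score recent mouse strokes against a profile and decide on an action."""

    def __init__(self, profile, threshold=2.5, window=5, grace_s=600, mode="challenge"):
        self.profile = profile
        self.threshold = threshold      # mean |z| above this counts as deviant
        self.window = deque(maxlen=window)
        self.grace_s = grace_s          # monitoring pause after a passed challenge
        self.mode = mode                # "challenge" or "log"
        self.grace_until = 0.0
        self.log = []

    def _deviation(self, stroke):
        # Mean absolute z-score across all profile features for one stroke.
        return mean(abs(stroke[k] - m) / s for k, (m, s) in self.profile.items())

    def observe(self, now, stroke):
        """Return 'ok', 'grace', 'log' or 'challenge' for one stroke."""
        if now < self.grace_until:
            return "grace"
        self.window.append(self._deviation(stroke))
        if len(self.window) < self.window.maxlen:
            return "ok"                 # a single odd stroke is not enough evidence
        score = mean(self.window)
        if score <= self.threshold:
            return "ok"
        self.log.append((now, round(score, 2)))
        self.window.clear()             # start fresh after raising an event
        return self.mode

    def challenge_passed(self, now):
        # The user proved identity with the normal password: pause monitoring.
        self.grace_until = now + self.grace_s


def replay(verifier, strokes, password_ok):
    """Feed (time, stroke) pairs; answer each challenge with password_ok."""
    actions = []
    for now, stroke in strokes:
        action = verifier.observe(now, stroke)
        actions.append(action)
        if action == "challenge":
            if not password_ok:
                actions.append("locked")
                break
            verifier.challenge_passed(now)
    return actions


# Constructed sessions: the owner on a normal day, and deviating input that
# could be the owner with cold hands or somebody else at the desk.
OWNER = [(t, {"speed_px_s": 790 + 10 * (t % 3), "click_ms": 118 + t % 5}) for t in range(10)]
COLD = [(t, {"speed_px_s": 300, "click_ms": 200}) for t in range(10)]

if __name__ == "__main__":
    print(replay(MouseVerifier(PROFILE), OWNER, True))
    print(replay(MouseVerifier(PROFILE), COLD, True))
    print(replay(MouseVerifier(PROFILE), COLD, False))
```

The mouse score alone cannot tell the two deviating cases apart; in this sketch only the password step does, and the grace window is exactly the interval during which the check provides no protection.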

  • by zAPPzAPP ( 1207370 ) on Friday May 04, 2012 @08:18AM (#39889269)

    Finally, using an aimbot will get you banned from your own PC.
    About time.

  • Anonymous just announced they can imitate my mouse movement. Damn that was fast, I don't even have a more current reference for it.
  • I use three different types of mice during the day. Different types means different patterns due to the way they're used. Even if I use different mice of the same type, they vary wildly in sensitivity. Plus, if I use a mouse in a different pc, I'm never seated in the same way at the same exact distance (actually, I'm usually standing, leaning over the desk) which means that a different mechanic will be used by my body to get the cursor where I want it to be.

    All in all, this is a cool idea but I can't see
  • by Anonymous Coward

    A few things make me doubt this.

    People who are familiar with playing games that have a lot of hot keys (like mainstream MMOs), and take the time to look up the hot keys built into their OS tend to use those hot keys because it is easier than moving the pointer across the screen to hit a 1 to 3 key combination. Same would likely hold true for modelers, coders, and people who use Linux often, or any other scenario where learning the hot keys of a program simplifies usage a lot.

    Then there are mice like Razer's,

  • These types of solutions are problematic.

    My mouse use varies quite a bit from my mouse in my office, to my use of the Pointer Device on my ibm laptop to my home laptop with a touchpad. All yield very different mouse actions.

    I also don't like these solutions because there are times when you want someone else to access your acct. For example, my brother's bank uses a validation system that measures how you type your password for an additional layer of security. My brother was in a situation where i needed to a

  • I'll need to train 3 modes: 1) Optical/Laser mouse 2) Trackpad for my laptops 3) Optical/Laser mouse when I'm eating Cheetos
  • Could be a novel way to create passwords, instead of using alphanumeric 'words' you could have the computer remember mouse gestures. Two circles a triangle and a dong later... logged in.
