WIXLIB

Journal of Communications Vol. 10, No. 6, June 2015constraints make it difficult for complex authenticationmechanisms to be deployed on mobile devices. With allthese considerations, we define in this section themotivation, basic assumptions and the threat model ofVFA.proposed implicit authentication, which was viewed as astep forward in the direction of realizing the visiondescribed in [10]. Implicit authentication usedobservations of user behaviors (SMS, phone calls,browser history and location) for authentication. Theauthors mentioned that this approach could be used as asecond factor to augment password-based authenticationto achieve higher-assurance authentication in a costeffective and user-friendly manner, or be used to replacepasswords to relieve users from the burden of enteringcomplicate passwords. Chow et al. [14] extended implicitauthentication to cloud computing. They presented anauthentication framework, which was based on implicitauthentication, for mobile users in the cloud. But the usermodel used by implicit authentication is only thecombination of multiple probability density functions. Itdid not remove noises from sample data. Moreover, as wementioned in Section I, the schemes that directlyidentifying the user based on the user's behaviors cannotcompletely avoid false positive errors and false negativeerrors, due to the nature of probability functions.Some previous efforts have focused on how to makeauthentication mechanisms more efficient and convenientfor mobile users. Multi-factor authentication schemeshave the potential to improve security but face usabilityproblems. Czeskis et al. [15] proposed PhoneAuth, whichwas essentially a two-factor authentication scheme butoffering the same authentication experience as traditionalpasswords alone. They used mobile devices as the secondauthentication factor to provide cryptographic identityassertions. But it may not be the case in all scenarios.PhoneAuth only applies to users who have a suitablemobile phone with them and attempt logins from abrowser on another device (e.g., desktop or laptop).Progressive authentication proposed by Riva et al. [16]is an attractive solution for users who do not use anysecurity mechanism on their devices. Progressiveauthentication intends to balance security andconvenience by reducing the number of times a user isrequested to authenticate. Its key insight is to combinemultiple signals (biometric, continuity, possession) todeterminate the user's security level. Progressiveauthentication is a single-factor authentication schemewhose main goal is to protect important applications (e.g.,Android apps or iOS apps) from unauthorized use. If theuser's security level is high enough, no authentication isrequired. Otherwise, the user must go through theauthentication.III. MOTIVATIONS AND ASSUMPTIONSCompared to desktops and laptops, mobile deviceshave different usability and various limitations. First,mobile users normally take their mobile devices withthem all day. They can access their mobile devicesanytime and anywhere. Thus behaviors of mobile usersusing special applications tend to follow some patterns. Inthe next section, we conduct a survey to confirm this idea.Second, the computational limitations and input 2015 Journal of Communications368A. Usage PatternsAs we mentioned previously, VFA dynamically adjuststhe number of authentication factors, based on whether auser is suspicious or not. Whether a user is suspicious isdetermined based on user's behaviors. Thus we conducteda survey to look at the behaviors of users using somespecial applications. Are there some patterns of userbehaviors?In our survey, we chose eight most frequently usedapplications as target. These eight target applicationsinclude the Weixin client, a game application (i.e., Plantsvs. Zombies), the Weibo client, the default music player,the E-mail client, the calendar, the Taobao client and theBaidu client. As shown in the Appendix, we asked theparticipants in our survey to answer the questionnaire.For each target application, three questions were asked:a) Whether do you use this application?b) If you use the application, do you think that youhave formed some usage patterns?c) If you think that you have some patterns, please tellus where, when and how you use the applications.For question 3, we gave some check boxes, e.g.,“Using during commute hours”, “Using after supper onthe bed” and so on. Here, we explain the meaning of theoptions. For example, the option, “Using during commutehours”, means that: “over a relatively fixed time period”,“along a relatively fixed route”, “single-handedoperation” and “the phone being in portrait mode”.Similar to “Using during commute hours”, each option inthe question 3 represents some usage patterns.A total of 75 mobile users participated in our survey.The mobile devices of the participants were primarilyAndroid phones and iPhones. 31 of the 75 participantswere male and 44 are female. Our survey covereddifferent age groups: 65.3% of participants in the agerange of 20 to 30 years, 29.3% of participants in the agerange of 30 to 40 years and 5.3% of participants in theage range of 40 to 50 years.The survey results are presented below:Weixin, also called WeChat, is a multifunctionsoftware for mobile devices. By using Weixin, users canchat with others, or share photos with friends. Weixinalso helps users to subscribe to news on the Internet. Italso provides other functions, such as browsing web sites,calling a taxi, mobile payment and so on. It had grownrapidly in recent years. The 71 participants in our surveyinstalled Weixin on their mobile devices. As shown inFig. 1, 23.9% of participants logged into Weixin afterwake up, and 38% of participants were used to launchingWeixin during commuting between their homes andoffices. In summary, 74.6% (100%-25.4% of no pattern)

Journal of Communications Vol. 10, No. 6, June 2015of participants thought that they had formed some usagepatterns.Weibo is a popular MicroBlog application. It allowsusers to exchange small elements of content such as shortsentences, individual images or video links. 90.7% ofparticipants in our survey used Weibo to share their dailylives. Fig. 4 shows the survey results. The amount ofparticipants who logged into Weibo on their way to workand at home in the evening was relatively large. Theformer was 23.5%. And the latter was 39.7%. The rest ofparticipants were uniformly distributed across otherspatterns. In summary, 61.8% of participants thought thatthey had their own habits of using Weibo application.Fig. 1. Survey for weixin users.66.7% of participants (i.e., 50 participants) in oursurvey played games in their mobile phones. Asillustrated in Fig. 2, the survey result showed that theratios of participants who played mobile games on theirway to work and at home in the evening were relativelylarge, with a percentage of 64% and 52%, respectively. Insummary, 84% of participants thought that they had theirown habits of gaming.Fig. 4. Survey for weibo users.Baidu is a popular search engine in China. In oursurvey, the 60 participants were used to searchingthrough Baidu. Fig. 5 is the survey result for the Baiduclient. For instance, 33.3% of participants were used tosearch information at home after Supper. In summary,46.7% of participants thought that they formed their ownusage patterns.Fig. 2. Survey for game users.In our survey, the 52 participants listened music byusing their phones. Fig. 3 shows the statistic results forthe music player users. Among them, 69.2% ofparticipants listened music during commuting betweentheir homes and offices, and 23.1% of participantsenjoyed music at home in the evening. In summary,88.5% of participants thought that they listened musicfollowing predictable patterns.Fig. 5. Survey for baidu users.Fig. 6. Survey for calendar users.Fig. 3. Survey for music users. 2015 Journal of Communications369

Journal of Communications Vol. 10, No. 6, June 2015According to the survey result, the calendar applicationplays an important role in most participants' work. 77.3%of participants (i.e., 58 participants) in our survey usedthe calendar every day. As shown in Fig. 6, 44.9% ofparticipants thought that they used the calendarapplication following some patterns.Most of participants (totally, 73 participants) receivedor sent emails during their work time. As shown in Fig. 7,only 28.8% of participants thought that they processedtheir emails without any patterns. In another word, 71.2%of participants thought they followed some patterns whenusing the email client.As shown in Table I, in average, 65.3% of theparticipants thought that they had formed some patternswhen using the target applications. Specially, for someapplications (e.g., the Weixin and the game application),the ratio of participants whose behaviors follow usagepatterns is very high. The survey results prove thefeasibility of the idea that whether a user is suspiciouscan be determined based on his behaviors, and alsomotivate VFA. Comparing MFA, VFA could bringbenefits to more than half of the users at least.B. Assumptions, Threat Model and GoalsVFA has the following two assumptions. As brieflydescribed above, to build a user's reference model, VFAcollects multiple sensor signals and log data from mobiledevices. So we first assume the availability of low-costsensors in mobile devices. Actually, the sensors used byVFA have been widely provided in current mobiledevices. Second, we assume that the sensor signals usedby VFA are accurate and consistent.The main goal of VFA is to provide convenience whileachieving secure authentication at the presence of thefollowing adversaries with different levels of power. Theability of the level 1 adversary is the weakest. The level 3adversary has the strongest ability. Level 1: Adversary possesses none of identitycredentials (e.g., password or smart card), and knowsnothing about the victim's usage habits. Level 2: Adversary possesses the identity credentialsof the mandatory-factor authentication. But he or sheknows nothing about the victim's usage habits, anddoes not possess the identity credentials of theoptional-factor authentication. Level 3: Adversary not only possesses the identitycredentials of the mandatory-factor authentication, butalso knows the details about the victim's usage habits.Based on the assumptions and threat model describedabove, we define the goals of VFA as following:a) Make multi-factor authentication schemes moreconvenient for a legitimate mobile user. If thenumber of authentication factors is too many, alegitimate user may feel inconvenient using theirphones. Thus the first goal of VFA is to bringconvenience to a legitimate mobile user, byreducing the number of authentication factors.b) Provide security guarantees with the presence ofthe level 1 and level 2 adversaries. The secondgoal of VFA is to provide security assurancescomparable to that of a normal multi-factorauthentication scheme, when facing the adversarieswith the level 1 and level 2 of power. In other words,VFA could maximize the number of authenticationfactors for a suspicious user.c) Convert existing multi-factor authenticationschemes into variable-factor authenticationschemes. The proposed framework should begeneric enough to convert an existing multi-factorFig. 7. Survey for E-mail users.The Taobao client is an e-commerce application,belonged to Alibaba. Most of young people like shoppingusing it. In our survey, 89.3% of participants (i.e., 67participants) used it. Fig. 8 shows the survey results forthe Taobao client. In summary, about 50.7% ofparticipants thought they had some patterns whenshopping.Fig. 8. Survey for taobao users.TABLE I: SURVEY RESULTSApplication NameRatio of participants whose behaviorsfollowed some patternsWeixin74.6%GameMusic 6.7%44.9%71.2%50.7% 2015 Journal of Communications370

Journal of Communications Vol. 10, No. 6, June 2015authentication scheme to a variable-factorauthentication scheme in a short time.IV. VARIABLE-FACTOR AUTHENTICATIONAs briefly mentioned in Section I, there are three majorstages in VFA: the pre-processing stage, the user modelbuilding stage and the variable-factor authentication stage.These three stages are described in more details in thissection.A. Pre-Processing StageVFA is a generic framework that converts an existingmulti-factor authentication scheme to a variable-factorauthentication scheme. The first step for the conversion isto classify authentication factors of the existing multifactor authentication scheme into two categories:mandatory factors and optional factors. Mandatory-factorauthentication will be enabled for every login request,including the request from both legitimate users andsuspicious users. Instead, optional-factor authentication isrequired only for suspicious users.Mandatory factors should include the most importantand fundamental factors. The principles of selecting amandatory factor include the following.a) Convenient: VFA aims to make multi-factorauthentication more convenient for a legitimate user.So complex authentication factors should not be inthe mandatory group.b) Stronger: In VFA, mandatory-factor authenticationis the first line of defense, so a mandatory factorshould not be too weak.c) Balanced: The smaller number of authenticationfactors that are classified into the mandatory group,the more convenience is provided by VFA forlegitimate users. However, a small number ofmandatory authentication factors may cause a weaksecurity. We suggest that the number ofauthentication factors in the mandatory groupshould be more than half of all authenticationfactors.the set. The standardized value xi' is computed throughequation (1).B. User Model Building StageIn this stage, VFA builds the reference model (namely,the user model) using a simplified density-basedclustering algorithm. Building the user model requiressensor data and login data from a legitimate user. Tocollect these data, VFA enables both the authentication for every login request. Users cation and the optional-factor authentication areassumed to be legitimate, and the sensor data and logindata during the successful login process will be collectedto build the user model. VFA collects the following typesof sensor signals:a) Magnetic field sensors: Magnetic field sensors aremeasurement instruments used to measure the 2015 Journal of Communicationsstrength and direction of the magnetic field at apoint in space.b) Orientation sensors: Users can use the orientationsensor to determine the position of a device.Orientation sensors provide azimuth, pitch and rollvalues.c) Accelerometers: A smart phone accesses anaccelerometer to measure acceleration. VFA usesthe combination of magnetic field sensors,orientation sensors and accelerometers to capturethe status of the mobile device when a login requestis received. Some users are used to input theiraccount names and passwords in the landscapemode but others prefer to type in the portrait mode.d) GPS: GPS is a space-based satellite navigationsystem that provides location information. WithGPS, VFA can know the location of the user whena login request is received.The login data recorded by VFA includes thefollowing items:e) Login time: VFA records the time when a loginrequest is received.f) Location: The location information is another keyindicator. Besides GPS, wireless locationtechniques also provide geographic locationinformation. This is because GPS cannot be used insome places, e.g., in underground parking.g) Interval: VFA computes the time interval sincelast successful login.h) Error Rate: VFA computes the number of failedlogin requests occurred in the past t hours.At the end of the user model building stage, all the datamentioned above for a legitimate user will be collected tobe build the user model, through a three-step process thatis described below.1) Step 1: StandardizationThe collected data first needs to be standardized toremove negative impacts of variables that have a largevariance. For a data set X [ x1 , x2 , , xn ] , presentsthe mean value of X and is the standard deviation ofxi' xi , ( xi X ,1 i n)(1)2) Step 2: ProjectionEach raw data point collected by VFA consists of threesensor signals (magnetic field, orientation andaccelerometers) and four types of login data (login time,location, interval and error rate). Note that the signal fromGPS is not included in the raw data point, because it isintegrated in the location data. It is difficult to clustersuch a raw data point consisting of seven components.Few clustering algorithms can do that. So VFAtransforms every raw data point (referred to a highdimensional data point) into multiple low-dimensional371

Journal of Communications Vol. 10, No. 6, June 2015data points through a multiple-planes orthographicprojection, a process to be described next.Let sm , so and sa be the signals from the magneticfield sensor, the orientation sensor and the accelerometer,respectively. Let d t , d l , d i and d e denote the login time,the location, the interval and the error rate, respectively.A raw data point could be presented as a seven-elementvector (sm , so , sa , dt , dl , di , de ) . VFA chooses “loginThe simplified clustering algorithm will be applied sixtimes to the six two-dimensional data sets obtained fromStep 2 described above. For every data set, the algorithmgoes through the following three steps:a) Construct a grid and distribute all data points in thedata set into the cells of the grid.b) Calculate the density threshold for the grid.c) Remove noises based on .Taking the data set (dt , so ) as example, each step isdescribed below with more details.time” d t as a reference coordinate and transforms theseven-element vector into six pairs (dt , sm ) , (dt , so ) ,(dt , sa ) , (dt , dl ) , (dt , di ) , (dt , de ) . In other words, thehigh-dimensional data point is projected onto sixprojection planes, one at a time -- the time-magneticplane, the time-orientation plane, the time-accelerometerplane, the time-location plane, the time-interval plane andthe time-error plane. Taking the time-location plane as anexample shown in Fig. 9, time-axis and location-axisform a projection plane. VFA projects orthographically aseven-dimensional data point onto the time-location planeto obtain a two-dimensional data point (dt , dl ) . The sameprocess is applied to other projection planes. So(sm , so , sa , dt , dl , di , de ) is converted as (dt , sm ) , (dt , so ) ,Fig. 10. The grid for (d t , so ) and its cells.a) Each dimension of (dt , so ) , i.e. the time-axis andthe orientation-axis, is divided into m intervals.Hence, the sample space of the data set ispartitioned into m 2 rectangle cells. All of thesecells form a grid. Here, we adopt the method ofGDILC [23] to determine the number of intervalsm.(dt , sa ) , (dt , dl ) , (dt , di ) , (dt , de ) . With this approach aseven-dimensional data set is transformed into six twodimensional data sets. A simplified density-basedclustering algorithm is then used to build the user model.m n In equation (2), n is the total number of

VFA: A Variable-Factor Authentication Framework for Mobile Users . Kai Chen 1,2, Weifeng Chen3,*, Zhen Xu 1 and Yazhe Wang . 1 State Key Laboratory of Information Security, Institute of Information Engineering Chinese Academy of Sciences, Beijing 100093, China . 2 University of Chinese Academy of Science, Beijing 100049, China . 3 . Department of Math, Computer Science and Information Systems .