Date of Award

Winter 2013

Document Type


Degree Name

Doctor of Philosophy (PhD)


Computational Analysis and Modeling

First Advisor

Vir Phoha


We present a new attack called the snoop-forge-replay attack on the keystroke-based continuous verification systems. We performed the attacks on two levels – 1) feature-level and 2) sample-level.

(1) Feature-level attack targets specific keystroke-based continuous verification method or system. In feature-level attacks, we performed a series of experiments using keystroke data from 50 users who typed approximately 1200 to 2300 keystrokes of free text during three different periods. The experiments consisted of two parts. In the first part, we conducted zero-effort verification experiments with two verifiers ("R" and "S") and obtained Equal Error Rates (EERs) between 10% and 15% under various verifier configurations. In the second part, we replayed 10,000 forged impostor attempts per user and demonstrated how the zero-effort impostor pass rates became meaningless when impostor attempts were created using stolen keystroke timing information.

(2) Sample-level attack is not specific to any particular keystroke-based continuous verification method or system. It can be launched with easily available keyloggers and application programming interfaces (APIs) for keystroke synthesis. Our results from 2640 experiments show that (i) the snoop-forge-replay attacks achieve alarmingly high error rates compared to zero-effort impostor attacks, which have been the de facto standard for evaluating keystroke-based continuous verification systems; (ii) four state-of-the-art verification methods, three types of keystroke latencies, and eleven matching-pair settings (–a key parameter in continuous verification with keystrokes) that we examined in this dissertation were susceptible to the attack; (iii) the attack is effective even when as low as 20 to 100 keystrokes were snooped to create forgeries.

In light of our results, we question the security offered by the current keystroke-based continuous verification systems. Additionally, in our experiments, we harnessed virtualization technology to generate thousands of keystroke forgeries within a short time span. We point out that virtualization setup such as the one used in our experiments can also be exploited by an attacker to scale and speed up the attack.