1905.11831
Abstract—Mouse dynamics is a potential means of authenticating users. Typically, the authentication process is based on classical machine learning techniques, but recently, deep learning techniques have been introduced for this purpose. Although prior research has demonstrated how machine learning and deep learning algorithms can be bypassed by carefully crafted adversarial samples, there has been very little research performed on the topic of behavioural biometrics in the adversarial domain. In an attempt to address this gap, we built a set of attacks, which are applications of several generative approaches, to construct adversarial mouse trajectories that bypass authentication models. These generated mouse sequences serve as the adversarial samples in the context of our experiments. We also present an analysis of the attack approaches we explored, explaining their limitations. In contrast to previous work, we consider the attacks in a more realistic and challenging setting in which an attacker has access to recorded user data but does not have access to the authentication model or its outputs. We explore three different attack strategies: 1) statistics-based, 2) imitation-based, and 3) surrogate-based; we show that they are able to evade the functionality of the authentication models, thereby adversely impacting their robustness. We show that imitation-based attacks often perform better than surrogate-based attacks, unless the attacker can guess the architecture of the authentication model. For such cases, we propose a potential detection mechanism against surrogate-based attacks.

©2019 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. DOI: 10.1109/IJCNN.2019.8852414

I. INTRODUCTION

Static authentication (e.g., passwords and PINs) has been the predominant means of performing user authentication in many computer systems. With the demonstrated effectiveness of machine learning methods, researchers have turned to these methods to perform biometrics-based authentication, both physiological [1] (e.g., iris, facial recognition and fingerprints) and behavioural (e.g., keystrokes [2] and mouse dynamics). Although physiological-based authentication has proven to be highly effective, it can be costly to implement due to dedicated hardware requirements. Furthermore, this form of authentication is easily bypassed if one can obtain a copy of the required features, since the features are usually clearly defined. Behaviour-based authentication, on the other hand, has the potential to be much more cost efficient, since it does not require extra hardware to accomplish the same task. Moreover, its non-intrusive nature allows users to be authenticated continuously, which provides an additional layer of security by allowing only the legitimate user to have access to, and continuous usage of, a protected resource.

In the area of behaviour-based authentication by means of mouse dynamics analytics, a number of efforts have been undertaken [2]–[15] to improve the performance of mouse dynamics authentication models. They range from statistics-based approaches [6], [8] and classical machine learning models [5], [7] to deep learning [4]. Also, most of the adversarial attacks proposed in prior studies focused on the image domain [16]–[22], which is considered less challenging since there are distinct and observable features within images that humans can identify. In contrast, mouse sequences are hard to distinguish through mere visual inspection by humans, as illustrated by Figure 1. To the best of our knowledge, very little work has been done on performing adversarial attacks in the domain of mouse dynamics, which deals mainly with temporal data, or on assessing the robustness of those models to such attacks; we attempt to address these gaps in this work. We consider a more realistic attack scenario than previous works [16]–[22]; in our attack scenario, an attacker has access to the victim's host machine (i.e. the client), but does not have access to the authenticators or their outputs, which are deployed on a remote, secured central authentication server. The attacker is only capable of recording the mouse movements of the targeted user. This makes the attack scenario more challenging compared to scenarios in which the attacker has some kind of access to the authenticators.

(a) Sample mouse sequence of User 3 (b) Sample mouse sequence of User 7 (c) Sample mouse sequence of User 9

Fig. 1: Sample mouse sequences belonging to three different users from the Balabit dataset [23], illustrating the relative difficulty of the authentication problem: human visual inspection does not reveal whether a sample contains information relevant to predicting the legitimacy of a particular user, in contrast to many problems in the image domain for which adversarial attacks have been applied (e.g., digit and object classification).

The contributions of our research include the following:
1) Considering the remote behavioural mouse dynamics authentication scheme, we propose three adversarial approaches to evade the authentication models: statistics-based, imitation-based, and surrogate-based. We examine these in a novel and realistic setting as stated above.
2) We address the question of which approach is the most effective for performing adversarial attacks in this kind of setting. We evaluate the robustness of machine learning-based authentication models to such adversarial attacks. As representative examples, we choose one authenticator based on engineered features and another based on neural networks.
3) We analyse the relationships between the difficulty of the authentication task, the type of adversarial attack, and the adversarial success rate.
4) Given that the attacker is able to guess the architecture of the models, we perform the surrogate-based attack and analyse its impact on the robustness of the models. Finally, we propose a potential detection mechanism.

This paper is organized as follows. Section II discusses related prior work, while Section III lays out our assumptions regarding the attacker and provides an example use case. In Section IV, we introduce our adversarial attack approaches. In Section V, we present our experimental results; this is followed by a discussion of the results in Section VI and our conclusions in Section VII.

II. RELATED WORK

A. Mouse Dynamics Authentication Models

The authors in [6] defined a total of 63 handcrafted features that represent the spatial and temporal information of mouse movement sequences. However, in this research, the authors did not use the full set of features but instead performed a user-specific feature selection step in order to obtain a subset of the most "discriminative" features. The resultant subset was then used for training statistics-based classifiers tailored to each user. The authors in [5] used multi-level feature aggregation based on the features introduced in [6], which concatenates various mouse actions to form higher-level features. Furthermore, the authors proposed additional features derived from individual mouse actions in order to reduce the authentication time caused by aggregating several mouse sequences, while also improving the authentication accuracy. The final feature set was then used to train a random forest classifier that learns to discriminate between legitimate and illegitimate users.

More recently, the authors in [4] utilized a deep learning approach, specifically a two-dimensional convolutional neural network (2DCNN), to learn the characteristics of users' mouse sequences for authentication. They gathered mouse dynamics sequences and converted them to images of the mouse trajectories. The authors showed that even after removing the temporal aspect of mouse movements, they could still achieve state-of-the-art authentication results on different mouse datasets. Furthermore, in [4], explanations were derived by layer-wise relevance propagation [24], [25] regarding which parts of mouse sequences contain evidence for a particular user.

B. Adversarial Attacks

Adversarial attacks against machine learning classifier models can be categorized into white-box and black-box attacks. For white-box attacks, it is assumed that the attacker has full access to a fully-differentiable target classifier (weights, architecture, and feature space). This allows the attacker to perform gradient-based attacks, for instance the fast gradient sign method (FGSM) proposed by the authors in [18]. This method involves calculating the gradient of the loss with respect to the model input and subsequently using it to perturb the input sample, in order to bring the resultant perturbed sample closer to being misclassified. In addition to the FGSM, in [17] the authors proposed the Jacobian-based saliency map attack (JSMA). The JSMA approach first calculates the impact of changing a particular feature (originally from class j, to a target class i) on the predicted label. Features of higher significance are then perturbed up to a defined threshold. These two methods proved to be highly effective in attacking the robustness of the victim's machine learning model. However, having white-box access to a victim's machine learning model is highly unrealistic, as highly sensitive information such as the model's weights and architecture would be a well-guarded secret in practice.

In [16], the authors addressed this limitation by introducing the concept of black-box attacks against machine learning classifiers, both deep neural networks (DNNs) and classical methods. The authors require only the ability to query the classifier with a custom sample and to access its outputs. They performed their attack by training a surrogate classifier on a synthetic dataset labelled by the target classifier, i.e., by sending sample queries and collecting the responses. It should be noted that the requirement here is the ability to feed inputs to, and collect outputs from, the authenticator. The authors then showed that the trained surrogate model is able to approximate the decision boundary of the target classifier, providing the opportunity for white-box attacks. The authors concluded by showing that attacking the robustness of the victim's model is feasible, even with defences in place during the training of the victim models. It is important to note that the context of the work done by the authors in [16]–[18] was the image domain.

In [26], the authors adopted the methodology used in [16] and applied it to perform adversarial attacks on malware classifiers. Similar to [16], the authors trained a surrogate malware classifier and generated malware through the method proposed by [18]. The malware resulting from the perturbation was still able to fulfil its original malicious functionality due to the introduction of "No Operations" (NOPs) as the form of perturbation. The authors achieved nearly perfect rates of bypassing the targeted malware classifiers with this approach.

However, none of the attacks described above were applied against machine learning-based authentication models. Furthermore, in contrast to the aforementioned adversarial attacks, in the domain of machine learning-based authentication it is not realistic to assume that the adversary has access to the authentication model; in this case, the model might be situated on a remote server, away from the victim's computer, in a highly secured environment. Hence, the attacker would not have any knowledge of the outcome of the authentication computed by this remote server and would thus be unable to perform the black-box attacks proposed by the authors in [16]. For the same reason, white-box attacks that rely on access to the architecture and weights of the model are not possible.

III. THREAT MODEL

While the focus of this work is on adversarial attacks, we first provide a justification for the considered setup through an example use case before describing our threat model proper. We consider a remote user authentication scenario based on mouse behavioural dynamics in the setting of a client/server architecture (see Figure 2). In this setting, a user on the client machine is allowed to access a remote service on a server if the user's currently collected behavioural characteristics are consistent with the model stored at the remote server. On the other hand, if the user's machine is compromised by an external attacker (e.g., by exploiting a vulnerability or installing malware) or by an internal attacker (i.e., an insider threat such as a masquerader [27]), then after a sufficient period of time, a record of this activity would be generated at the server. Additionally, the session of the user might be interrupted by additional verification measures.

Fig. 2: Illustration of the proposed threat model.

The attacker's goal is to have the generated adversarial samples evade a machine learning-based authentication model (i.e. the target classifier). We assume that the attacker does not target the secured central authentication server (see Figure 2) but instead compromises the host machine of the target user. Thus, the attacker has the ability to record the mouse movement sequences of the legitimate user on the infected host machine. We extend the threat model assumed by the authors in [16] by not allowing the attacker to query the target classifier, which makes our threat model more realistic and at the same time more challenging. It is important to note here that the recorded data is not a subset of the training data used to train the target classifier, and also that no feedback regarding the result of the authentication is accessible to the attacker. If the attacker's goal is achieved to a reasonable extent, the robustness of target classifiers can indeed be adversely affected, and the reliability of these models must be verified regardless of their authentication performance.

IV. PROPOSED ADVERSARIAL STRATEGIES

We investigated three possible attack approaches to bypass the target classifiers. The first approach trains a generator model to impersonate a user's mouse movement sequences through the teacher-forcing approach [28]; we refer to this as an imitation-based attack. This trained model then generates mouse trajectories, which are tested against the target classifier. The second method is based on the idea of training a surrogate classifier, as proposed in [16], however while assuming that the attacker has no access to the target classifier. We refer to this method as a surrogate-based attack. The trained surrogate model is used to perturb any mouse trajectory through a white-box attack method; the perturbed sequences are then evaluated against the target classifier. Hence, our first method involves the generation of mouse curves, while the second involves the perturbation of existing mouse curves. Finally, these two methods are compared against a third attack approach, which we refer to as a statistics-based attack.

A. Statistics-based Attack

As a baseline, we adopted a statistics-based approach to generate adversarial trajectories in an attempt to bypass the target classifier, as it was the simplest and fastest to implement. It does not require the overhead of training any neural network models for performing such adversarial attacks.
As mentioned earlier in Section III, we assumed that the attacker has access to recorded mouse dynamics of the target user; hence, the attacker can calculate several useful statistics of the user. For sequence generation, we first compute a histogram of position difference vectors, a histogram of starting points, and the median time interval between mouse events. We then select bins in the histograms through random sampling, weighted by their rates of occurrence. As a bin contains a range of possible values, we sample uniformly within the bounds of the selected bin in order to obtain a mouse coordinate. From the histogram of position difference vectors, we are thus able to sample a sequence of mouse coordinate perturbations. Starting from a sampled start position (from the histogram of starting points), each subsequent point is generated by adding a sampled perturbation to the last computed position vector, forming a sequence of absolute position vectors. The median time interval is then used to construct timestamps for each generated mouse event.
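The sampling procedure above can be sketched as follows. This is a minimal illustration only: the function names, the bin count, and the use of independent per-axis histograms (rather than joint 2-D histograms of the recorded vectors) are our own assumptions, not details from the paper.

```python
import numpy as np

def sample_from_histogram(values, rng, bins=32):
    """Pick a histogram bin weighted by its rate of occurrence, then
    sample uniformly within the bounds of the selected bin."""
    counts, edges = np.histogram(values, bins=bins)
    probs = counts / counts.sum()
    idx = rng.choice(len(counts), p=probs)
    return rng.uniform(edges[idx], edges[idx + 1])

def generate_trajectory(recorded, timestamps, rng, length=50):
    """Generate an adversarial mouse trajectory from recorded user data.

    `recorded` is an (N, 2) array of absolute positions. We build histograms
    of per-step position differences (and, as a stand-in for the starting-point
    histogram, of the recorded positions themselves), take the median
    inter-event time, and accumulate sampled deltas from a sampled start.
    """
    deltas = np.diff(recorded, axis=0)           # position difference vectors
    median_dt = np.median(np.diff(timestamps))   # median time between events

    start = np.array([sample_from_histogram(recorded[:, 0], rng),
                      sample_from_histogram(recorded[:, 1], rng)])
    points = [start]
    for _ in range(length - 1):
        step = np.array([sample_from_histogram(deltas[:, 0], rng),
                         sample_from_histogram(deltas[:, 1], rng)])
        points.append(points[-1] + step)         # absolute position vectors
    times = np.arange(length) * median_dt        # reconstructed timestamps
    return np.stack(points), times
```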
B. Imitation-based Attack

We employed the gated recurrent unit variant of recurrent neural networks (GRU-RNN) as the basis of our generator network, g. The GRU has the ability to learn what to forget through the reset gate, r^(t), as well as the relations between data points across timesteps in a sequence. The governing equations for a GRU cell are shown below:

    r^(t) = σ(W_ir X^(t) + b_ir + W_hr h^(t−1) + b_hr)                 (1)
    z^(t) = σ(W_iz X^(t) + b_iz + W_hz h^(t−1) + b_hz)                 (2)
    n^(t) = tanh(W_in X^(t) + b_in + r^(t) ⊙ (W_hn h^(t−1) + b_hn))    (3)
    h^(t) = (1 − z^(t)) ⊙ n^(t) + z^(t) ⊙ h^(t−1)                      (4)

where W and b are the weights and biases respectively, h^(t) is the output of the GRU cell at timestep t, σ is the sigmoid activation function, and ⊙ denotes element-wise multiplication.

The GRU-RNN model was trained to predict the coordinates of the next timestamp, X̂^(t+1), given the ground truth of the current timestamp, X^(t), and the hidden state of the previous timestamp, h^(t−1). It can be expressed as:

    X̂^(t+1), h^(t) = g(X^(t), h^(t−1); θ_g)                            (5)

where θ_g denotes the model parameters of the generator network g. The prediction of the generator, X̂^(t+1), and the ground truth, X^(t+1), are used to calculate the mean squared error (MSE) loss, which is used for backpropagation to update the model parameters, θ_g.

Our GRU-RNN model consists of two stacked GRU layers with a hidden dimension of 128, and a fully-connected layer at the end of the GRU sequence that converts the dimension of 128 to two (translating the latent space back to x-y space). There are a number of design choices for the representation of X, and in our experiments we used three different variants: absolute position vectors (ABS); position difference vectors (DVs) between the mouse coordinates of the current and the previous timestamp; and velocities (VELs), which are DVs divided by the corresponding time difference. In addition, we experimented with training our generator with and without regularization. Generating mouse movement sequences was done in two ways: by giving the generator a single initial start position from which to generate a full-length sequence, and by providing an initial sequence of coordinates, taken from the recorded mouse trajectories, to start the generation process. More details regarding the generation of these sequences are provided in Section V-C2.
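As a concrete illustration, the cell equations (1)–(4) and the teacher-forcing objective can be sketched in plain numpy. This is a single GRU layer with explicit weights rather than the actual two-layer, 128-unit model; the parameter names are our own, and the backpropagation update is omitted.

```python
import numpy as np

def sigmoid(x):
    return 1.0 / (1.0 + np.exp(-x))

def gru_cell(x, h_prev, p):
    """One GRU step following Eqs. (1)-(4); p holds the weights/biases."""
    r = sigmoid(p["W_ir"] @ x + p["b_ir"] + p["W_hr"] @ h_prev + p["b_hr"])        # reset gate, Eq. (1)
    z = sigmoid(p["W_iz"] @ x + p["b_iz"] + p["W_hz"] @ h_prev + p["b_hz"])        # update gate, Eq. (2)
    n = np.tanh(p["W_in"] @ x + p["b_in"] + r * (p["W_hn"] @ h_prev + p["b_hn"]))  # candidate, Eq. (3)
    return (1.0 - z) * n + z * h_prev                                              # new hidden state, Eq. (4)

def teacher_forced_loss(seq, p, W_out, b_out):
    """Feed the ground-truth coordinate X(t) at every step (teacher forcing)
    and accumulate the MSE between the predicted and true X(t+1)."""
    h = np.zeros(p["W_hr"].shape[0])
    loss, count = 0.0, 0
    for t in range(len(seq) - 1):
        h = gru_cell(seq[t], h, p)
        pred = W_out @ h + b_out          # project hidden state back to x-y space
        loss += np.mean((pred - seq[t + 1]) ** 2)
        count += 1
    return loss / count
```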
C. Surrogate-based Attack

We trained a surrogate classifier, inspired by [16], that learns to reproduce the functionality of the target classifier from a surrogate dataset, even though their network architectures might differ. This requires positively and negatively labelled samples for training. Therefore, the surrogate dataset is comprised of the target user's mouse movement sequences recorded by the attacker and a set of other mouse sequences that do not belong to the user. After training the surrogate classifier, we performed white-box attacks on the surrogate model by starting with an arbitrary mouse movement sequence and perturbing it for a fixed number of iterations. To accomplish this, we adopted the FGSM [18]. The amount of perturbation, δz, to be applied to the input sequence, z, can be defined as:

    δz = ε · sign(∇_z log p(z))                                        (6)

where ε is the perturbation factor that controls the extent of the perturbation, and log p(z) is the log probability of the legitimate-user class for the input sequence, z. Note that the surrogate model can have any architecture and need not share the architecture of the target classifier. Also, we used the cross-entropy loss function. Figure 3 illustrates the process of the described surrogate-based attack.

Fig. 3: Workflow of a surrogate-based attack.

We experimented with two different surrogate model architectures. The first was a three-layer GRU-RNN with two fully-connected (FC) layers on top and a rectified linear unit (ReLU) activation after the first FC layer. The model has a hidden dimension of 100, and the fully-connected layers at the end convert the GRU-RNN outputs to two-dimensional vectors, which represent the logits for each decision (zero or one). The second surrogate uses only two stacked FC layers, with an exponential linear unit (ELU) activation after the first layer. The first layer takes in a flattened sequence as input, where every odd-numbered node takes in the x-coordinate and every even-numbered node takes in the y-coordinate of the mouse sequence. The output of the second model has the same format as the first. In contrast to the work of [16], we do not use the target classifier to label our samples, due to our assumptions mentioned in Section III.
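A minimal sketch of the perturbation step in Eq. (6): to keep the gradient in closed form, we stand in a simple logistic model for the trained GRU/FC surrogate classifiers, so the model, its parameters, and the iteration count here are illustrative assumptions only.

```python
import numpy as np

def sigmoid(x):
    return 1.0 / (1.0 + np.exp(-x))

def fgsm_perturb(z, w, b, eps=0.05, iterations=10):
    """FGSM-style perturbation of a flattened mouse sequence z (Eq. (6)).

    The surrogate here is a logistic model p(z) = sigmoid(w.z + b) for the
    legitimate-user class, so grad_z log p(z) = (1 - p(z)) * w in closed
    form. The paper's surrogates are neural networks; a linear model keeps
    the gradient explicit for illustration.
    """
    z = z.copy()
    for _ in range(iterations):
        p = sigmoid(w @ z + b)
        grad = (1.0 - p) * w            # gradient of log p(z) w.r.t. z
        z += eps * np.sign(grad)        # step toward the "legitimate" class
    return z
```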
VI. DISCUSSION

In this section, we discuss the relative efficiency of the explored approaches for performing adversarial attacks in the given setting, and we describe in greater detail our approach to performing the Wilcoxon signed-ranked test.

B. Does Representation or Regularization Matter?

We investigated whether the input representation or regularization strategy has a statistically measurable impact on the ASR. The Wilcoxon signed-ranked test was performed by forming pairs between experimental results that have the same settings, except for the variable being compared. (For example, to compare the effects of differing sequence lengths, we would form pairs in which one value comes from length 50 and the other from length 100, with all other settings consistent.)

At the 5% significance level, the critical z-value for a two-tailed test is 1.96. In the comparison between the different model strategies, we compared ABS and DV, ABS and VEL, and DV and VEL. In each of these tests, there were 48 pairs present; the calculated z-values were 0.45642, 1.3282, and 1.1641 respectively. Thus, we concluded that there is no significant evidence that altering the input representation of the generator has a significant impact.

In our comparison of the regularizing strategies, we compared "No" and "Cluster", "No" and "Derivative", and "Cluster" and "Derivative". In each of these tests, there were again 48 pairs present; the calculated z-values were 0.35385, 0.087181, and 0.29231 respectively. Thus, we concluded that there is no significant evidence that altering the regularizing strategy has a significant impact.
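The underlying computation can be sketched as the normal-approximation z-value of the Wilcoxon signed-rank test over paired results. Tie handling is omitted for brevity, and the exact procedure and pairing used in the paper may differ.

```python
import numpy as np

def wilcoxon_z(a, b):
    """Normal-approximation z-value of the Wilcoxon signed-rank test on
    paired samples (e.g., ASRs of two settings paired over 48 experiments)."""
    d = np.asarray(a, float) - np.asarray(b, float)
    d = d[d != 0]                                   # drop zero differences
    n = len(d)
    ranks = np.abs(d).argsort().argsort() + 1.0     # ranks of |d| (no tie averaging)
    t_plus = ranks[d > 0].sum()                     # rank sum of positive differences
    mean = n * (n + 1) / 4.0
    sd = np.sqrt(n * (n + 1) * (2 * n + 1) / 24.0)
    return (t_plus - mean) / sd
```

A |z| above 1.96 would reject the null hypothesis of no difference at the 5% level for a two-tailed test.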
C. Surrogate-based Attack Extension

We also asked what happens if the attacker has knowledge of the architecture of the target classifiers and of the dataset consisting of the same group of users used to train them (e.g., if multiple users are using the victim's machine), but still does not have access to the parameters learned by the classifier. Interestingly, if the attacker trains a surrogate with the same architecture as the target classifier, the ASR is much higher than with the other two approaches, as evident in Table VII. On the Balabit dataset, the ASR can reach 92.1% for the SVM and 81.7% for the 1DCNN. On the TWOS dataset, the ASR can reach 66.9% for the SVM and 58.7% for the 1DCNN. These are the highest results achieved among the proposed approaches. Therefore, query access to the target classifier is not required to achieve these relatively high ASR results, although if the attacker fails to obtain any of this information, it is clear that the ASR will suffer. Still, the results are not close to 100%, showing that performance suffers when one cannot query the target classifier as in [16].

TABLE VII: Surrogate-based attack results when the attacker has access to the target classifier's model architecture. The bold values highlight the high ASR obtained when a surrogate model of the same architecture as the target classifier is used.

                        Balabit             TWOS
    Surrogate Variant   SVM      1DCNN      SVM      1DCNN
    Statistics-based    0.6154   0.3183     0.3895   0.264
    SVM surrogate       0.92108  0.39801    0.66970  0.22278
    1DCNN surrogate     0.60583  0.81707    0.36881  0.58710

The results presented in Table VII suggest a possible detection strategy against surrogate-based attacks using a single surrogate under our threat model. Namely, one employs a probabilistic average of multiple authentication models, where at every timestep one randomly decides which authentication model to use. A difference in ASR would be reflected in the alert frequency, which changes when the models are switched (see Table VIII). Increased alert rates (compared to using the legitimate user's data) due to a shift in the test distribution (covariate shift) would affect all models to some degree, but an adversarial attack via a surrogate would affect one model less than all of the others. Hence, detection can be performed by checking the alert rates across the models to observe whether one model has an exceptionally low alert rate while the others have a much higher one.

TABLE VIII: Alert rates (in [0, 1]) obtained for the corresponding experimental settings. Covariate shifts in the data are made by performing affine rotations ranging from 45° to 90°.

                                     Balabit            TWOS
    Experiment Setting               SVM      1DCNN     SVM      1DCNN
    Legitimate user's data           0.412    0.302     0.301    0.477
    Surrogate-based attack (SVM)     0.0774   0.660     0.375    0.803
    Covariate shift                  0.444    0.352     0.525    0.561
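The detection idea can be sketched as follows; the score scale, the alert threshold, and the gap heuristic are hypothetical choices of ours, since the paper does not specify them.

```python
import numpy as np

def ensemble_alerts(scores_per_model, threshold, rng):
    """Randomized ensemble of authenticators: at every timestep one model is
    picked at random to score the sequence, and an alert is raised when its
    score falls below the threshold. Returns the per-model alert rate.
    `scores_per_model` is an (n_models, n_timesteps) array of scores."""
    n_models, n_steps = scores_per_model.shape
    picks = rng.integers(0, n_models, size=n_steps)   # random model per timestep
    alerts = np.zeros(n_models)
    counts = np.zeros(n_models)
    for t, m in enumerate(picks):
        counts[m] += 1
        alerts[m] += scores_per_model[m, t] < threshold
    return alerts / np.maximum(counts, 1)

def flag_surrogate_attack(alert_rates, gap=0.3):
    """Flag a surrogate-based attack when one model's alert rate is far below
    the rest (a surrogate transfers well to only one architecture)."""
    low = alert_rates.min()
    rest = np.delete(alert_rates, alert_rates.argmin()).mean()
    return (rest - low) > gap
```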
VII. CONCLUSION

In conclusion, we proposed different strategies that a potential attacker can use to launch synthetically-generated adversarial samples, through imitation-based, surrogate-based, or statistics-based approaches. Based on the experimental results, we show that the neural network-based attacks (imitation- or surrogate-based) perform better than the statistics-based attack. Although the generation of mouse sequences is a difficult task, and the proposed adversarial attacks have their flaws, our results suffice to show that the robustness of these authentication models can be adversely affected even when tested in a realistic setting (see Section III). We have also shown that if the attacker guesses the architecture of the authentication model correctly, its robustness is greatly affected even without any form of access to it. One can also infer from our results, particularly those presented in Tables IV, V, and VII, that in a realistic setting in which the authentication model is inaccessible, attacking a system based on behavioural features is harder than, for example, copying a fingerprint.

ACKNOWLEDGMENT

This work was supported by both ST Electronics and the National Research Foundation (NRF), Prime Minister's Office, Singapore under the Corporate Laboratory @ University Scheme (Programme Title: STEE Infosec-SUTD Corporate Laboratory). Alexander Binder also gratefully acknowledges the support by PIE-SGP-AI-2018-01.

REFERENCES

[1] D. Bhattacharyya, R. Ranjan, F. Alisherov, M. Choi et al., "Biometric authentication: A review," International Journal of u- and e-Service, Science and Technology, vol. 2, no. 3, pp. 13–28, 2009.
[2] F. Monrose and A. D. Rubin, "Keystroke dynamics as a biometric for authentication," Future Generation Computer Systems, vol. 16, no. 4, pp. 351–359, 2000.
[3] A. A. E. Ahmed and I. Traore, "A New Biometric Technology Based on Mouse Dynamics," IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 3, pp. 165–179, 2007. [Online]. Available: http://ieeexplore.ieee.org/document/4288179/
[4] P. Chong, Y. X. M. Tan, J. Guarnizo, Y. Elovici, and A. Binder, "Mouse Authentication Without the Temporal Aspect – What Does a 2D-CNN Learn?" 2018 IEEE Security and Privacy Workshops (SPW), pp. 15–21, 2018. [Online]. Available: https://ieeexplore.ieee.org/document/8424627/
[5] C. Feher, Y. Elovici, R. Moskovitch, L. Rokach, and A. Schclar, "User identity verification via mouse dynamics," Information Sciences, vol. 201, pp. 19–36, 2012. [Online]. Available: http://dx.doi.org/10.1016/j.ins.2012.02.066
[6] H. Gamboa and A. Fred, "A behavioral biometric system based on human computer interaction," Proceedings of SPIE, vol. 5404, pp. 381–392, 2004.
[7] P. Kasprowski and K. Harezlak, "Fusion of eye movement and mouse dynamics for reliable behavioral biometrics," Pattern Analysis and Applications, vol. 21, no. 1, pp. 91–103, 2018.
[8] S. Mondal and P. Bours, "A study on continuous authentication using a combination of keystroke and mouse biometrics," Neurocomputing, vol. 230, pp. 1–22, 2017. [Online]. Available: http://dx.doi.org/10.1016/j.neucom.2016.11.031
[9] C. Shen, Z. Cai, and X. Guan, "Continuous authentication for mouse dynamics: A pattern-growth approach," Proceedings of the International Conference on Dependable Systems and Networks, 2012.
[10] C. Shen, Z. Cai, X. Guan, Y. Du, and R. A. Maxion, "User authentication through mouse dynamics," IEEE Transactions on Information Forensics and Security, vol. 8, no. 1, pp. 16–30, 2013.
[11] B. Sayed, I. Traore, I. Woungang, and M. S. Obaidat, "Biometric authentication using mouse gesture dynamics," IEEE Systems Journal, vol. 7, no. 2, pp. 262–274, 2013.
[12] F. Mo, S. Xiong, S. Yi, Q. Yi, and A. Zhang, Intelligent Computing and Internet of Things. Springer Singapore, 2018, vol. 924. [Online]. Available: http://link.springer.com/10.1007/978-981-13-2384-3
[13] Y. Aksari and H. Artuner, "Active authentication by mouse movements," in 2009 24th International Symposium on Computer and Information Sciences, Sept 2009, pp. 571–574.
[14] P. Bours and C. J. Fullu, "A login system using mouse dynamics," in 2009 Fifth International Conference on Intelligent Information Hiding and Multimedia Signal Processing, Sept 2009, pp. 1072–1077.
[15] N. Zheng, A. Paloski, and H. Wang, "An efficient user verification system via mouse movements," Proceedings of the 18th ACM Conference on Computer and Communications Security – CCS '11, p. 139, 2011. [Online]. Available: http://dl.acm.org/citation.cfm?doid=2046707.2046725
[16] N. Papernot, P. McDaniel, I. Goodfellow, S. Jha, Z. B. Celik, and A. Swami, "Practical black-box attacks against machine learning," in Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, ser. ASIA CCS '17. New York, NY, USA: ACM, 2017, pp. 506–519. [Online]. Available: http://doi.acm.org/10.1145/3052973.3053009
[17] N. Papernot, P. McDaniel, S. Jha, M. Fredrikson, Z. Celik, and A. Swami, "The limitations of deep learning in adversarial settings," in 2016 IEEE European Symposium on Security and Privacy (EuroS&P). Los Alamitos, CA, USA: IEEE Computer Society, Mar 2016, pp. 372–387. [Online]. Available: https://doi.ieeecomputersociety.org/10.1109/EuroSP.2016.36
[18] I. J. Goodfellow, J. Shlens, and C. Szegedy, "Explaining and Harnessing Adversarial Examples," pp. 1–11, 2014. [Online]. Available: http://arxiv.org/abs/1412.6572
[19] N. Carlini and D. Wagner, "Towards evaluating the robustness of neural networks," in 2017 IEEE Symposium on Security and Privacy (SP). IEEE, 2017, pp. 39–57.
[20] W. Brendel, J. Rauber, and M. Bethge, "Decision-based adversarial attacks: Reliable attacks against black-box machine learning models," arXiv preprint arXiv:1712.04248, 2017.
[21] I. Evtimov, K. Eykholt, E. Fernandes, T. Kohno, B. Li, A. Prakash, A. Rahmati, and D. Song, "Robust physical-world attacks on machine learning models," arXiv preprint arXiv:1707.08945, 2017.
[22] C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, and R. Fergus, "Intriguing properties of neural networks," arXiv preprint arXiv:1312.6199, 2013.
[23] A. Fülöp, L. Kovács, T. Kurics, and E. Windhager-Pokol, "Balabit mouse dynamics challenge data set," https://github.com/balabit/Mouse-Dynamics-Challenge, 2016.
[24] A. Binder, G. Montavon, S. Lapuschkin, K.-R. Müller, and W. Samek, "Layer-wise relevance propagation for neural networks with local renormalization layers," in International Conference on Artificial Neural Networks. Springer, 2016, pp. 63–71.
[25] S. Bach, A. Binder, G. Montavon, F. Klauschen, K.-R. Müller, and W. Samek, "On pixel-wise explanations for non-linear classifier decisions by layer-wise relevance propagation," PLoS ONE, vol. 10, no. 7, p. e0130140, 2015.
[26] I. Rosenberg, A. Shabtai, L. Rokach, and Y. Elovici, "Generic black-box end-to-end attack against state of the art API call based malware classifiers," in International Symposium on Research in Attacks, Intrusions, and Defenses. Springer, 2018, pp. 490–510.
[27] I. Homoliak, F. Toffalini, J. Guarnizo, Y. Elovici, and M. Ochoa, "Insight into insiders and IT: A survey of insider threat taxonomies, analysis, modeling, and countermeasures," Nov 2018.
[28] R. J. Williams and D. Zipser, "A Learning Algorithm for Continually Running Fully Recurrent Neural Networks," Neural Computation, vol. 1, no. 2, pp. 270–280, 1989. [Online]. Available: http://www.mitpressjournals.org/doi/10.1162/neco.1989.1.2.270
[29] A. Paszke, S. Gross, S. Chintala, G. Chanan, E. Yang, Z. DeVito, Z. Lin, A. Desmaison, L. Antiga, and A. Lerer, "Automatic differentiation in PyTorch," in NIPS-W, 2017.
[30] A. Harilal, F. Toffalini, I. Homoliak, J. Castellanos, J. Guarnizo, S. Mondal, and M. Ochoa, "The Wolf of SUTD (TWOS): A dataset of malicious insider threat behavior based on a gamified competition," vol. 9, Mar 2018.
[31] F. Pedregosa, G. Varoquaux, A. Gramfort, V. Michel, B. Thirion, O. Grisel, M. Blondel, P. Prettenhofer, R. Weiss, V. Dubourg, J. Vanderplas, A. Passos, D. Cournapeau, M. Brucher, M. Perrot, and E. Duchesnay, "Scikit-learn: Machine learning in Python," Journal of Machine Learning Research, vol. 12, pp. 2825–2830, 2011.
[32] F. Wilcoxon, "Individual comparisons by ranking methods," Biometrics Bulletin, vol. 1, no. 6, pp. 80–83, 1945.