tent of what’s being typed have been prosecuted for violating wiretap laws. Because keystroke-dynamics programs don’t record contents, they aren’t expected to be subject to such laws, and no legal difficulties have arisen so far. But in some circumstances, keystroke-timing data might be used to reconstruct a password or even the content of a message.
Gunetti and Picardi’s program, for example, records the average time elapsed between keystrokes for each pair of letters but doesn’t keep track of the order of the keystroke pairs. In a short typing session, however, that might be enough for someone to guess how to put together the keystrokes into the full message.
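The kind of record described above, as an added example that is not Gunetti and Picardi's program: it averages the latency for each letter pair, discards the order of the pairs, and compares two such profiles. The key events, the distance measure and the `min_count` filter are assumptions of this example.

```python
from collections import defaultdict

def digraph_profile(events, min_count=1):
    """events: (char, press_time_ms) tuples in typing order.
    Returns {digraph: mean latency in ms}; the order of the pairs is not kept."""
    acc = defaultdict(list)
    for (a, t0), (b, t1) in zip(events, events[1:]):
        if a.isalpha() and b.isalpha():          # skip pairs spanning spaces, digits
            acc[(a + b).lower()].append(t1 - t0)
    # min_count (an assumption of this example) drops pairs seen too rarely,
    # so a short session leaves fewer of its letter pairs in the stored record.
    return {dg: sum(v) / len(v) for dg, v in acc.items() if len(v) >= min_count}

def distance(p, q, min_shared=3):
    """Mean relative latency gap over the digraphs both profiles contain."""
    shared = set(p) & set(q)
    if len(shared) < min_shared:
        return None                              # too little overlap to compare
    return sum(abs(p[d] - q[d]) / max(p[d], q[d]) for d in shared) / len(shared)

def simulate(text, latency, default=150):
    """Constructed input: key events for `text` with fixed per-digraph latencies."""
    t, events = 0, []
    for i, ch in enumerate(text):
        if i:
            t += latency.get(text[i - 1:i + 1], default)
        events.append((ch, t))
    return events

# Constructed sessions: the same phrase typed with three sets of timings.
TEXT = "the other"
ENROLLED = digraph_profile(simulate(TEXT, {"th": 90, "he": 110, "er": 100}))
SAME_USER = digraph_profile(simulate(TEXT, {"th": 95, "he": 105, "er": 104}))
OTHER_USER = digraph_profile(simulate(TEXT, {"th": 160, "he": 80, "er": 170}))

if __name__ == "__main__":
    print(sorted(ENROLLED))                      # the letter pairs the record retains
    print(distance(ENROLLED, SAME_USER), distance(ENROLLED, OTHER_USER))
```

The profile's keys are the letter pairs that were typed, which is the residue the paragraph warns about for short sessions.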
Typeprint analysis could also be troublesome in hackers’ hands. In 2001, researchers pointed out that typeprints could be used by hackers to listen in when people are working on a computer from a remote location.
Secure communication protocols send each keystroke across the Internet encoded in a separate data packet. A hacker can’t read the encoded packets directly, but by analyzing the rhythm of the packets, he or she might narrow the possibilities for what has been typed. This vulnerability would be difficult to remove but, so far, it has also proved difficult to exploit.
Challenges remain even for using keystroke analysis to strengthen passwords or to identify the user of a Web site. Keystroke-dynamics software may be fooled if people type differently when they’re using an unfamiliar keyboard or when they’re tired or drunk or distracted. On the other hand, those variations may be valuable to detect fatigue in situations where alertness is essential.
and when—to verify Web site visitors’ claimed identities and to
prevent fraud online.
Suppose that a person ordinarily visits an online bookseller
only on Sunday afternoons, spends around 15 minutes looking
through the site, reads reviews of gardening books, and always
buys one book with a registered credit card. If on a Monday morning, someone claims to be that person and after 8 minutes tries
to buy five books on science fiction, the seller might well suspect
fraudulent activity. The seller could then ask for additional verification of the visitor’s identity, for example by sending a message
to that person’s e-mail address on file.
The key to verifying someone’s identity lies in accumulating data about that person’s behavior from multiple browsing sessions. The researchers’ experimental program kept track only of the session’s length, time of day, and day of the week and the number of pages viewed. In their study, Padmanabhan and Yang found that a clickstream-data program within a Web site getting small amounts of traffic would need at least 30 browsing sessions to discern the habits of a user. And even then, the program would be only about 80 percent accurate.
Web sites getting more traffic would require analysis of more habits, the researchers say.
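The session check described above, as an added example that is not Padmanabhan and Yang's program: it profiles the four features the article names, refuses to judge with fewer than 30 sessions, and asks for additional verification when a session departs on several features. The thresholds (`z_limit`, `rare`, `max_flags`) and the sample history are assumptions constructed for illustration.

```python
from collections import Counter
from statistics import mean, pstdev

MIN_SESSIONS = 30  # minimum history the study reports for a low-traffic site

def build_profile(sessions):
    """sessions: dicts with 'minutes', 'hour' (0-23), 'weekday' (0=Mon), 'pages'."""
    if len(sessions) < MIN_SESSIONS:
        return None  # not enough history to describe this user's habits
    prof = {}
    for key in ("minutes", "pages"):
        vals = [s[key] for s in sessions]
        prof[key] = (mean(vals), max(pstdev(vals), 1.0))  # floor avoids zero spread
    n = len(sessions)
    prof["hours"] = {h: c / n for h, c in Counter(s["hour"] for s in sessions).items()}
    prof["weekdays"] = {d: c / n for d, c in Counter(s["weekday"] for s in sessions).items()}
    return prof

def unusual_features(prof, session, z_limit=3.0, rare=0.05):
    """Names of the features on which this session departs from the profile."""
    flags = []
    for key in ("minutes", "pages"):
        mu, sd = prof[key]
        if abs(session[key] - mu) / sd > z_limit:
            flags.append(key)
    # Hours wrap around midnight, so neighbouring hours count as the same habit.
    near = sum(prof["hours"].get((session["hour"] + k) % 24, 0.0) for k in (-1, 0, 1))
    if near < rare:
        flags.append("hour")
    if prof["weekdays"].get(session["weekday"], 0.0) < rare:
        flags.append("weekday")
    return flags

def decide(history, session, max_flags=1):
    """Returns (decision, flags); 'step_up' means ask for additional verification."""
    prof = build_profile(history)
    if prof is None:
        return "insufficient_history", []
    flags = unusual_features(prof, session)
    return ("step_up" if len(flags) > max_flags else "allow"), flags

# Constructed history: 30 Sunday-afternoon visits of about 15 minutes each.
HISTORY = [{"minutes": 14 + i % 3, "hour": 14 + i % 2, "weekday": 6, "pages": 9 + i % 4}
           for i in range(30)]
```

Because the study puts accuracy at only about 80 percent, the result here triggers a request for further verification rather than a refusal.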
If someone didn’t want to be identified by clickprint, he or she could easily alter behavior to elude detection, Padmanabhan and Yang say. On the other hand, it would be difficult for crooks to be successful impersonators. “They’d really have to change their behavior in a way that’s exactly like the person they’re mimicking,” Padmanabhan says.
[Figure: THE RIGHT WRITEPRINT? — A new technique for identifying Internet abusers analyzes a message and plots characteristics of several traits, such as punctuation. The similar shapes show that the top two sets of graphs come from messages by one author, and the bottom two from messages by another.]
CLICKPRINTS The keyboard isn’t the only method of computer
input. With the rise of the Internet and its click-through format,
input devices such as the computer mouse are playing an increasingly important role.
Picardi and Gunetti are testing ways to detect intruders on a computer system by their mouse movements. The researchers suspect
that people have identifiable patterns in the shapes and speeds of
their usual mouse motions.
Mouse movements can be used to produce signatures, says
Peter McOwan of Queen Mary, University of London. He recorded
his test subjects as they drew signatures using the mouse—either
an imitation of their normal, pen-and-paper signatures or a drawing of their choosing. He used these digital signatures as additions
to password entry to strengthen authentication of computer users’
identities.
To challenge the strength of his program, he gave test participants the password of a person whose keystroke pattern and
tracing signature had been previously recorded. The combined
digital signature and keystroke-dynamic analyses rejected more
than 95 percent of participants who were acting as intruders,
while accepting the legitimate users more than 99 percent of the
time, McOwan reported in 2003.
Other researchers are working to identify patterns in the ways
in which people click and scroll through Web sites. Balaji Padmanabhan of the Wharton School in Philadelphia and Yinghui
Yang of the University of California, Davis are looking for ways
to employ what they call clickstream data—what a user clicks on
WRITEPRINTS On July 11, 1804, Alexander Hamilton had no
idea that he was laying the groundwork for research into online
bulletin boards. On that night, as Hamilton prepared for a morning duel with Aaron Burr, he made a list of which of the 85
essays in the Federalist Papers he’d written and which ones had
been penned by James Madison or John Jay. The duel proved
fatal to Hamilton, and Madison subsequently disputed Hamilton’s claim of authorship on 12 of the articles.
With the scandal, a puzzle was set for scientists, who have since
tried various statistical techniques to characterize the writing styles
of the three men. Altogether, researchers have considered more
than 1,000 features of writing style. Nearly all the analyses have
vindicated Madison.
Hsinchun Chen, a researcher in information systems at the University of Arizona in Tucson, realized that such analysis could be
applied to a quite different problem. “It could be used to track anyone who is trying to hide their identity on the Web,” Chen says.
“They’ll leave a trace.”
People commonly post anonymously to message boards or
employ different user names. Chen seeks to enable law-enforcement officers to detect whether various threatening or illegal posts
come from a single user.
Chen and his colleagues have studied messages from the White
Knights, a chapter of the Ku Klux Klan; the Al-Aqsa Martyrs, an
anti–United States Palestinian group; and English and Chinese bulletin boards where pirated software and music are commonly sold.
The researchers considered the same writing habits that ana-