Obfuscating Keystroke Time Intervals to Avoid Identification and Impersonation
This addresses privacy concerns for users vulnerable to remote observation and impersonation, though it is an incremental improvement on existing obfuscation methods.
The paper tackles the problem of user identification via keystroke biometrics by introducing obfuscation strategies to mask typing behavior, reducing identification accuracy by 20% with a 25 ms random delay that is unnoticeable to users.
There are numerous opportunities for adversaries to observe user behavior remotely on the web. Additionally, keystroke biometric algorithms have advanced to the point where user identification and soft biometric trait recognition rates are commercially viable. This presents a privacy concern because masking spatial information, such as IP address, is not sufficient as users become more identifiable by their behavior. In this work, the well-known Chaum mix is generalized to a scenario in which users are separated by both space and time with the goal of preventing an observing adversary from identifying or impersonating the user. The criteria of a behavior obfuscation strategy are defined and two strategies are introduced for obfuscating typing behavior. Experimental results are obtained using publicly available keystroke data for three different types of input, including short fixed-text, long fixed-text, and long free-text. Identification accuracy is reduced by 20% with a 25 ms random keystroke delay not noticeable to the user.