Singapore Academic Cybersecurity R&D
Harnessing R&D to Secure our Nation
COMMANDO-HUMANS: COMputational Modelling and Automatic Non-intrusive Detection Of HUMan behAviour based iNSecurity
- Lead PIs: Robert Deng, Professor, SMU (firstname.lastname@example.org) and Shujun Li, Professor, University of Surrey (email@example.com)
- Host Institution: School of Information Systems, SMU
- Partner Institution: University of Surrey
Human factors have been widely acknowledged as an important aspect of cyber security. Some security issues relate to low-level (“micro”) human behaviours close to the HCI, i.e., when a human user interacts with a specific HCI, he/she may behave in an insecure way that compromises the system’s security.
This project aims to develop a computational framework and software tools for automatic detection of human-behaviour-related insecurity at the HCI (“micro”) level without the need to involve real human users.
One of the project’s objectives is to come up with human-behaviour-related attack models and develop the corresponding software framework and toolset. The software architecture has been designed and is being implemented as part of the CogTool+ software. We have made some architectural changes to accommodate our new findings. These include an eye-tracking model driven by external data.
We have also designed a software module for modelling human users (and attackers) using selected human cognitive models and simulating them. A meta-model interpreter and a model simulator have been implemented. In addition, an HCI has been developed to ease the development of meta-models.
As a result of our research, we have submitted a paper entitled “When Human Cognitive Modeling Meets PINs: Inter-Keystroke Timing Attacks Revisited” to an international journal. In this paper, we propose the first inter-keystroke timing attack on PINs that can work with no or just a small number of observations about the typing behavior of a victim user or any other users. Our method is based on a similarity-based timing dictionary built from a human cognitive model whose parameters can be determined by a small amount of training data on any users. Therefore, our attack can potentially be launched on a large scale and is practical in real-world settings.