Project Details
Improving security and usability of user authentication on the Internet with adversarial machine learning
Applicant
Professor Dr. Markus Dürmuth
Subject Area
Security and Dependability, Operating-, Communication- and Distributed Systems
Term
from 2020 to 2024
Project identifier
Deutsche Forschungsgemeinschaft (DFG) - Project number 429816072
Password-based authentication is widely used on the Internet. However, when logging in to an account there is usually much more data available than just the password, such as time of day, origin IP and geo-location, and software setup, just to name a few. In this project, we study how this "behavioral" information can be used to improve the user experience of the login procedure and increase both security and usability. One central advantage of this approach is that it is relatively easy to deploy on a large scale, as it does not change the user interface and does not require changes to the client-side software and hardware. The basic idea is to use machine learning techniques to classify behavioral data as "legitimate" or "illegitimate". This leads to several interesting questions: which features are available, how reliable are these features, and which classifiers have the best discriminatory power for this application. While it is known that some websites use a limited set of behavioral features, their details are considered corporate secrets and their effectiveness has hardly been scientifically studied. Using classifiers to aid the authentication decision gives rise to a new type of attack that targets the classifier itself, trying to circumvent or influence the classifier. This is known as adversarial machine learning and is usually studied in the context of spam prevention; it has never been considered in the context of user authentication. We will consider adversarial attacks against different classifiers, construct preventative measures, and aim to extend the previous work on adversarial machine learning to the context of user authentication. We believe that the new models and requirements needed for the new context will show new research directions beyond this specific project.
DFG Programme
Research Grants