@amonks
Last active March 28, 2018 06:48

ACTIVE AUTHENTICATION @ DARPA // Andrew Monks

Project description

Goals

DARPA first announced Active Authentication in 2011. The project seeks to replace password-based authentication with what I might have intuitively called a more active model: rather than requiring the user to take a specific login action (which can be discretely spoofed), a device should continually gather data based on usage patterns (typing speed, mouse movement, …) and then compare that data to the known patterns of an authorized user. As the system gains confidence that its user is authorized, it will gradually (but over a very short duration of perceived human time) remove access restrictions. If the system detects an unauthorized user, it'll shut down and call security (or follow whatever other procedure, as specified).
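The confidence loop described above, as an added illustration (not code from DARPA or any Active Authentication team): a toy monitor scores windows of keystroke intervals against an enrolled profile, raises trust gradually, and locks after repeated mismatches. The sample timings, tier thresholds, smoothing factor and strike limit are all constructed assumptions.

```python
import statistics

# Constructed enrollment data: inter-key intervals (ms) of the authorized user.
ENROLLED = [112, 98, 130, 105, 121, 99, 117, 108, 125, 110]
# Hypothetical access tiers: (minimum trust, access level), highest first.
TIERS = [(0.8, "full"), (0.5, "limited"), (0.2, "read-only")]

class ContinuousAuth:
    def __init__(self, enrolled, alpha=0.4, max_strikes=2):
        self.mu = statistics.mean(enrolled)
        self.sigma = statistics.stdev(enrolled)
        self.alpha = alpha              # weight given to the newest window
        self.max_strikes = max_strikes  # consecutive bad windows before lockout
        self.trust = 0.0                # start with no confidence, no access
        self.strikes = 0
        self.locked = False

    def match(self, window):
        """Fraction of intervals within 2 standard deviations of the profile."""
        hits = sum(abs(x - self.mu) <= 2 * self.sigma for x in window)
        return hits / len(window)

    def observe(self, window):
        """Score one window of activity and return the resulting access level."""
        if self.locked:
            return "locked"             # lockout is sticky until security resets it
        score = self.match(window)
        self.strikes = self.strikes + 1 if score < 0.5 else 0
        if self.strikes >= self.max_strikes:
            self.locked = True
            return "locked"
        # Exponential moving average: trust rises over several good windows.
        self.trust = (1 - self.alpha) * self.trust + self.alpha * score
        return next((lvl for floor, lvl in TIERS if self.trust >= floor), "none")

def run_session(windows):
    auth = ContinuousAuth(ENROLLED)
    return [auth.observe(w) for w in windows]

# Constructed session: four windows from the owner, then an impostor takes over.
OWNER = [110, 101, 127, 115, 104]
IMPOSTOR = [60, 190, 75, 210, 55]
SESSION = [OWNER] * 4 + [IMPOSTOR] * 3

if __name__ == "__main__":
    print(run_session(SESSION))
```

Access widens over four matching windows and the lockout fires on the second consecutive mismatching window, so a single noisy window from the real user only lowers trust rather than ending the session.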

Timeline

DARPA's official project timeline

Phase 1

The phase 1 briefing was pretty vague. Kind of a blue-sky "here's what might be possible, gimme y'ur best shot" approach. The original timeline released in phase 1's BAA seems to have been too ambitious. When phase 2's updated timeline was published, it indicated that a bunch of what had previously been phase 1 work had been pushed farther down the line into phase 2.

The goal of phase 1 is to research possible authentication modalities to determine what the possibilities are.

Phase 2

Phase 2 is about actual development. Chosen teams are expected to develop usable tools, and report back to DARPA every six months. Phase 2 will be complete later this year.

Potential Phase 3

They've been super vague about Phase 3. I think the idea is that if DARPA isn't satisfied with the results of Phase 2, they'll have the opportunity to switch the teams up or allow for more time.

Annotated Source List

  • project homepage: includes links to all the other sources; the main hub for the project.
  • open catalog listing: this is the meatiest resource when it comes to connections. List of all papers and software that resulted from the project. I haven't found a better list than this of actual participants.

phase 1

phase 2

Teams (and their progress)

Allure Security Technology Inc.

Allure describes itself as a spin off of Columbia's CS dept.

Their published papers indicate that their focus with regard to Active Authentication is in creating decoy documents without any real sensitive information in them to lure attackers away from high-value data.

BAE Systems

BAE Systems is a major British military contractor.

Their papers for AA are about using keystroke patterns as a modality for authentication. A number of other papers they've written for other DARPA projects are listed on the AA page as related.

BehavioSec

BehavioSec is a Swedish firm that appears to have been founded specifically for this DARPA project.

It seems like their focus is compiling the other research groups' efforts into commercial products, but they haven't published much so it's hard to say.

Coveros, Inc.

In addition to their security contracting, Coveros seems to primarily focus on development consulting work; helping teams effectively use agile methods and continuous integration.

Their work on AA focuses generally on the idea of tracking and fingerprinting a user's system API calls using Microsoft's existing Detours API.

Drexel University

Drexel's team's focus is on stylometric authentication: macro-er than simple key patterns, it uses linguistic analysis of written text to identify the author.

Iowa State University

Iowa State published 1 paper for AA about using micro-level keystroke dynamics for authentication.

Louisiana Tech University

Based on their papers, Louisiana Tech is on the red team. Their work on AA rigorously evaluates keyboard and touch-based authentication systems to see how attackable they are.

Naval Research Laboratory

The Naval Research Lab published a paper for AA about user authentication based on online behaviors.

New York Institute of Technology

Another red team member, New York Institute of Technology's team is focusing on possible attacks for keystroke evaluation, and on optimizing the thresholds at which a user is considered 'identified'.

Southwest Research Institute

SwRI is a huge nonprofit government/industrial R&D contractor.

Their approach to AA, which I find super clever, is to interrupt the user "by deploying covert games disguised as Windows alerts," and observing and tracking the strategies employed to get rid of the annoying popups (which not a single research participant realized were anything but).

SRI International

SRI, formerly affiliated with Stanford University, is one of the largest private nonprofit R&D institutes in the world.

Their work on AA focuses on voice-based biometrics.

University of Maryland

The University of Maryland is employing a novel approach to authentication, analyzing screen recordings (so computer output rather than input) for uniquely-identifiable human biometrics information.

@SepehrAkhavan

Hi,
Thanks for putting this gist together. The links to "project homepage" and "open catalog listing" do not work. Could you kindly fix them?
