Decoding a cyber-fingerprint

Your typing rhythm holds clues to your identity, and maybe even your future health
The blink of an eye takes 300 to 400 milliseconds. It takes less time than that--about 90 milliseconds, on average--to press a computer key while typing.
Individual keystrokes as well as the "rhythm" of typing a word, sentence or document are forming the basis of a cyber equivalent to handwriting or fingerprint analysis.
In a small laboratory on the eighth floor of CMU's Gates Center for Computer Science, Dr. Roy Maxion and his team have developed the ability to capture and analyze those 90-millisecond keystrokes and read the clues encoded in them. Called "keystroke dynamics," Maxion believes the research may have the potential to not only change the world of cybersecurity, but also to identify individuals with musculoskeletal diseases, neurological disorders, cognitive decline and acute stress.
Maxion, a research professor in the School of Computer Science, became interested in keystroke dynamics about five years ago when he was asked to review a journal article on the subject. Although research into keystroke dynamics began 30 years ago, some of the most significant progress has been made in the last decade or so. The topic was new to Maxion, and it interested him. Within a short time, Maxion was working on a National Science Foundation-funded project to determine if someone could be identified from his or her typing style.
"My position is that no one has demonstrated that it isn't possible," he says.
Cybersecurity is Maxion's speciality. A member of the National Academies' Committee on Future Research Goals and Directions for Foundational Science in Cybersecurity, Maxion serves as vice chair of Professionals for Cyber Defense and director of CMU's Dependable Systems Laboratory, and has also studied intrusion detection. His early interest in keystroke dynamics focused on ways of lowering the error rate when analyzing keystrokes in applications such as Web-based financial transactions--Maxion's group was able to improve the accuracy to 99.97 percent in 10 keystrokes.
Maxion's lab is now able to measure typing rhythms on a scale far more precise than any other known system available. In addition to capturing the length of time the keys are pressed, the lab also collects information about user demographics, hand geometry, hand and body posture, and movement.
As a result, his team is close to determining what password they could assign to someone that could be distinguished not just because of the mix of numbers, letters and punctuation marks, but because of the way the user types the password--their individual typing rhythm. In other words, "can we customize your password so that your typing style would be best conveyed by that particular password?" Maxion says. For instance, for someone with short, thin fingers, a password with characters that span the keyboard would be more difficult to type than one that had characters grouped together. Conversely, for an individual with thick fingers, a combination of characters clustered in the center of the keyboard would require more effort and deliberate attention.
There are "lots of thorny little problems" that can affect a person's typing pattern, such as stress, fatigue, illness, injury or substance use, Maxion says. But just as a person can be identified by his or her gait, even when they're carrying a heavy object or wearing different shoes, Maxion says that someday, software may be able to identify someone's core typing rhythm despite a slight deviation from the norm. Finding that core typing rhythm, he says, may unlock the doors to reliable, real-world applications.
Although cybersecurity continues to be a major focus, Maxion says the research has implications in health care. Would it be possible, for instance, to detect whether someone's typing rhythm is changing because of illness or injury? Maxion's research suggests that changes in typing rhythm could provide early warning signs when someone is beginning to suffer from musculoskeletal problems such as carpal tunnel syndrome, digital flexor tendonitis, and arthritis.
Maxion recently partnered with Nancy Baker, an associate professor of occupational therapy at the University of Pittsburgh's School of Health and Rehabilitation Sciences. Baker has been conducting research on detecting musculoskeletal disorders through keyboard use since 2008.
"In my experience, as people develop illness of or injuries to the soft tissue, the way they perform certain tasks changes, as they adapt and respond to changes in the tissues," Baker says. For example, subjects with rheumatoid arthritis are more likely to use high-force keystrokes, not use a wrist rest, move their hands to strike keys, maintain their wrists and fingers in a fixed position, and use only one finger on each hand to type.
By pairing Maxion's precise measurements with Baker's studies, which include visual observations as well as measurements to determine the location of joints in space at specific moments (kinematics), the two hope to be able to determine which postures, angles and positions put a user at risk of developing a musculoskeletal disorder.
Early detection of such disorders can improve treatment and prevent further damage. The longer a patient has a disorder, Baker says, the more difficult it is to treat or reverse. Work-related musculoskeletal disorders are both common and costly. In 2010, according to the Centers for Disease Control and Prevention, an estimated 3.1 percent of U.S. adults aged 18 to 64 reported suffering from carpal tunnel syndrome at some point during the previous 12 months. A 2001 report from the National Research Council and the Institute of Medicine estimated the cost to the U.S. economy of such disorders, including lost wages and productivity, at between $45 billion and $54 billion per year. "If by using our technology we could make even a 1 percent difference, it would be a substantial savings," Maxion says.
The CMU team also is looking at connections between keystroke dynamics and neurological issues. During one recent test, the researchers identified a subject who had a very unusual, distinctive typing pattern, Maxion says. Additionally, the subject held his keystrokes for just 46 milliseconds, about half the average of other subjects. With more investigation, the team learned that the subject had recently been diagnosed with right temporal lobe epilepsy.
Maxion sees a similarity between those findings and the type of results generated by the Halstead-Reitan Finger Tapping Test, which assesses motor speed and motor control, and which is part of a battery of tests used to help identify neurological disorders. There also are some indications that early signs of Alzheimer's disease and dementia can be detected through changes in typing rhythm, which suggests keystroke dynamics could one day be used as part of the diagnostic process for these diseases. As with musculoskeletal disorders, early detection and diagnosis could give patients a better chance to benefit from early treatment. "If we obtain baseline information on enough people with and without specific diseases or disorders, then we are going to be able to separate the characteristics of the keystroke rhythms that correspond to those diseases and disorders," Maxion says.
He notes that while it's too early to know what those characteristics might be, learning those signs could lead to the development of software that can determine, by the way an individual types, if they have a susceptibility to a particular disease or disorder.
Maxion says that CMU has advanced the field of keystroke dynamics because of its specific research methods. His team built its own timing mechanism that can measure the time it takes to press keys at speeds not previously available--sub-millisecond levels. And they standardized the collection of their data to incorporate tight experimental control. During the initial studies, 51 subjects were asked to sit in the same room, at the same desk, using the same keyboard and computer, and type the same 10-character password 400 times over eight sessions.
The controlled, standardized setting is possibly the most important thing that distinguishes the research being done by Maxion's team. Many other studies of keystroke dynamics, he says, have gathered data under real-world conditions without controlling for the many variables--keyboard type, typing posture, language fluency--that may or may not affect someone's typing rhythm. Maxion likens that to doing chemistry experiments with dirty test tubes, and says the resulting datasets are "all over the map." Maxion's team has published its standardized dataset online for other researchers to download and use in their own work.
"When you first approach keystroke dynamics, it looks pretty simple," he says. "The key goes down, and some milliseconds later, it goes back up. But when you start to get into it, there are a lot of subtleties that need to be recognized and dealt with. That's what makes it hard--and interesting."
For More Information: 
Jason Togyer | 412-268-8721 |