By John Reed Friday,
DARPA is getting serious about one of the issues that cyber-security professionals inside and outside government regularly bemoan: the relative inability of weak passwords to protect…anything.
To overcome the fact that passwords can be stolen or hacked — and don’t necessarily protect a computer once the authorized user is logged on — the Pentagon’s research arm has kicked off a $14 million effort to develop sensors that can constantly monitor users’ online behavior to determine whether they are who they say they are.
This kind of vigilance is going to become all the more important as the Pentagon shrinks the number of networks it runs under its cloud-computing initiative and fields mobile devices capable of handling classified information. Ask any cyber security expert and they will tell you that computer networks will inevitably be compromised and that the best defense lies in constantly monitoring for weird behavior.
How exactly do you do that? Well, that’s where DARPA’s Active Authentication program comes in. The Active Authentication program is aimed at verifying your identity based on your online behavior instead of an easily guessed or stolen password.
“The program focuses on the development of new types of behavioral biometrics focused on the user’s cognitive processes,” Richard Guidorizzi, DARPA program manager, explained in an email to Killer Apps. In English, that means Active Authentication will monitor your computer habits — like your typing patterns, the way you use a mouse, and even how you construct sentences — to assemble an “online fingerprint.”
“Examples of this could include, but are not limited to, behavioral biometrics that focus on a user’s unique way of typing on the device or cognitive biometrics that focus on how the user processes language and structures sentences,” he said.
In theory, a user would log onto his computer using a government-issued secure ID card, known as a Common Access Control card. This would tell AA sensors to begin monitoring the user, analyzing typing and sentence structure, and comparing the patterns to previous behavior.
AA isn’t just limited to desktop computers. DARPA will also address mobile devices.
This could come in mighty handy for soldiers and spies who are increasingly reliant on smart phones and tablets to do everything from filing flight plans to collecting and sharing classified information.
Mobile devices will have their own unique safeguards. “For example, the accelerometer in a mobile phone could track how the device rests in a user’s hand or the angle at which he talks into it. Another technique might track the user’s gait, reflecting how he walks as it is transported. In theory, each of these examples could be another layer of user validation,” Guidorizzi writes.
Don’t expect AA tech to be put into place anytime in the near future, though — AA’s work is experimental. “This program is not intended to develop fielded systems but instead to advance the technologies and concepts outlined above,” added Guidorizzi.
Still, some type of online identity software may emerge in the coming years. Just today White House Cyber Security Coordinator Michael Daniel told an audience at the Center for Strategic and International Studies that he wants to see research and development programs that sound a lot like AA shift the balance of cyber power from favoring the attacker, as it does right now, to favoring the defender.
Daniel told Killer Apps he wants to know whether there are “ways that you can bake in better credentialing into the underlying structure of the Internet? Are there ways you can get the software manufacturers make software secure by default, so that you actually have to work at browsing insecurely?”