creation

TIFS.tex

@@ -0,0 +1,193 @@
+\documentclass[journal]{IEEEtran}
+
+\pagestyle{plain}
+
+\usepackage[english,american]{babel}
+\usepackage{graphicx}
+\usepackage{subfigure}
+\usepackage{amsmath}
+\usepackage{multirow}
+\usepackage{multicol}
+\usepackage{float}
+\usepackage{algorithm}
+\usepackage{algorithmic}
+\usepackage{hyperref}
+\usepackage{cite}
+\usepackage{balance}
+\usepackage{color}
+\usepackage[square,sort,comma,numbers]{natbib}
+\usepackage{url}
+\usepackage{diagbox}
+\usepackage{enumerate}
+\usepackage{setspace}
+\usepackage{enumitem}
+\usepackage{indentfirst}
+\usepackage{booktabs}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{etoolbox}
+\usepackage{setspace}
+
+\hyphenation{op-tical net-works semi-conduc-tor}
+
+
+\renewcommand{\algorithmicrequire}{\textbf{Input:}}
+\renewcommand{\algorithmicensure}{\textbf{Output:}}
+%\usepackage{setspace}
+%\usepackage{epsfig,graphics,subfigure,psfrag,amsmath,amssymb}
+\newcommand\FIXME[1]{\textcolor{red}{FIX:}\textcolor{red}{#1}}
+\newcommand\FIXED[1]{\textcolor{blue}{FIXED: }\textcolor{blue}{#1}}
+
+
+\newcommand{\circled}[2][]{\tikz[baseline=(char.base)]
+    {\node[shape = circle, draw, inner sep = 1pt]
+    (char) {\phantom{\ifblank{#1}{#2}{#1}}};%
+    \node at (char.center) {\makebox[0pt][c]{#2}};}}
+\robustify{\circled}
+
+\begin{document}
+
+\title{Cracking Android Pattern Lock in Five Attempts}
+
+
+\author{Michael~Shell,~\IEEEmembership{Member,~IEEE,}
+        John~Doe,~\IEEEmembership{Fellow,~OSA,}
+        and~Jane~Doe,~\IEEEmembership{Life~Fellow,~IEEE}% <-this % stops a space
+\thanks{M. Shell was with the Department
+of Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta,
+GA, 30332 USA e-mail: (see http://www.michaelshell.org/contact.html).}% <-this % stops a space
+\thanks{J. Doe and J. Doe are with Anonymous University.}% <-this % stops a space
+\thanks{Manuscript received April 19, 2005; revised August 26, 2015.}}
+
+
+
+% The paper headers
+\markboth{Journal of \LaTeX\ Class Files,~Vol.~14, No.~8, August~2015}%
+{Shell \MakeLowercase{\textit{et al.}}: Bare Demo of IEEEtran.cls for IEEE Journals}
+
+% make the title area
+\maketitle
+
+% As a general rule, do not put math, special symbols or citations
+% in the abstract or keywords.
+\begin{abstract}
+    Pattern lock is widely used as a mechanism for authentication and authorization on Android devices. This paper presents a novel video-based attack to reconstruct Android lock patterns from video footage filmed using a mobile phone camera. Unlike prior attacks on pattern lock, our approach does not require the video to capture ant content displayed on the screen. Instead, we employ a computer vision algorithm to track the fingertip movements to infer the pattern. Using the geometry information extracted from the tracked fingertip motions, our approach is able to accurately identify a small number of (often one) candidate patterns to be tested by an adversary. We thoroughly evaluated our approach using 120 unique patterns collected from 215 independent users, by applying it to reconstruct patterns from video footage filmed using mobile phone cameras. Experimental results show that our approach can break over 95\% of the patterns in five attempts before the device is automatically locked by the Android operating system. We discovered that, in contrast to many people's belief, complex patterns do not offer stronger protection under our attacking scenarios. This is demonstrated by the fact that we are able to break all but one complex patterns as opposed to 60\%of the simple patterns in the first attempt. Since our threat model is common in day-to-day life, this paper calls for the community to revisit the risks of using Android pattern lock to protect sensitive information.
+\end{abstract}
+
+% Note that keywords are not normally used for peerreview papers.
+\begin{IEEEkeywords}
+Pattern lock, Fingertip movement, Video-based attack, Sensitive information.
+\end{IEEEkeywords}
+
+\input{intro}
+\input{background}
+\input{overview}
+\input{details}
+\input{experiment_setup}
+\input{evaluation}
+\input{discussion}
+\input{related}
+\input{conclusions}
+
+
+
+
+
+% For peer review papers, you can put extra information on the cover
+% page as needed:
+% \ifCLASSOPTIONpeerreview
+% \begin{center} \bfseries EDICS Category: 3-BBND \end{center}
+% \fi
+%
+% For peerreview papers, this IEEEtran command inserts a page break and
+% creates the second title. It will be ignored for other modes.
+\IEEEpeerreviewmaketitle
+
+
+
+
+
+\appendices
+\section{Proof of the First Zonklar Equation}
+Appendix one text goes here.
+
+% you can choose not to have a title for an appendix
+% if you want by leaving the argument blank
+\section{}
+Appendix two text goes here.
+
+
+% use section* for acknowledgment
+\section*{Acknowledgment}
+
+
+The authors would like to thank...
+
+
+% Can use something like this to put references on a page
+% by themselves when using endfloat and the captionsoff option.
+\ifCLASSOPTIONcaptionsoff
+  \newpage
+\fi
+
+
+
+\bibliographystyle{IEEEtranS}
+\balance
+\bibliography{refs}
+
+%\begin{thebibliography}{1}
+%
+%\bibitem{IEEEhowto:kopka}
+%H.~Kopka and P.~W. Daly, \emph{A Guide to \LaTeX}, 3rd~ed.\hskip 1em plus
+%  0.5em minus 0.4em\relax Harlow, England: Addison-Wesley, 1999.
+%
+%\end{thebibliography}
+
+
+% biography section
+%
+% If you have an EPS/PDF photo (graphicx package needed) extra braces are
+% needed around the contents of the optional argument to biography to prevent
+% the LaTeX parser from getting confused when it sees the complicated
+% \includegraphics command within an optional argument. (You could create
+% your own custom macro containing the \includegraphics command to make things
+% simpler here.)
+%\begin{IEEEbiography}[{\includegraphics[width=1in,height=1.25in,clip,keepaspectratio]{mshell}}]{Michael Shell}
+% or if you just want to reserve a space for a photo:
+
+\begin{IEEEbiography}{Michael Shell}
+Biography text here.
+\end{IEEEbiography}
+
+% if you will not have a photo at all:
+\begin{IEEEbiographynophoto}{John Doe}
+Biography text here.
+\end{IEEEbiographynophoto}
+
+% insert where needed to balance the two columns on the last page with
+% biographies
+%\newpage
+
+\begin{IEEEbiographynophoto}{Jane Doe}
+Biography text here.
+\end{IEEEbiographynophoto}
+
+% You can push biographies down or up by placing
+% a \vfill before or after them. The appropriate
+% use of \vfill depends on what kind of text is
+% on the last page and whether or not the columns
+% are being equalized.
+
+%\vfill
+
+% Can be used to pull up biographies so that the bottom of the last one
+% is flush with the other column.
+%\enlargethispage{-5in}
+
+
+
+% that's all folks
+\end{document}
+
+

background.tex

@@ -0,0 +1,104 @@
+%
+%\documentclass[conference]{IEEEtran}
+%
+%\hyphenation{op-tical net-works semi-conduc-tor}
+%\usepackage{graphicx}
+%\usepackage{subfigure}
+%\usepackage{amsmath}
+%\usepackage{multirow}
+%\usepackage{multicol}
+%\usepackage{float}
+%\usepackage{algorithm}
+%\usepackage{algorithmic}
+%\usepackage{hyperref}
+%\usepackage{cite}
+%\usepackage{balance}
+%\renewcommand{\algorithmicrequire}{\textbf{Input:}}
+%\renewcommand{\algorithmicensure}{\textbf{Output:}}
+%%\usepackage{setspace}
+%%\usepackage{epsfig,graphics,subfigure,psfrag,amsmath,amssymb}
+%
+%\begin{document}
+%
+%\title{Take Care of Your Hands: A Novel Attack on Graphical Unlock Passwords }
+%
+%
+%\maketitle
+%
+%\begin{abstract}
+%
+%\end{abstract}
+%
+%% no keywords
+%\begin{IEEEkeywords}
+\section{Background}
+    \subsection{Android Pattern Lock}
+        Pattern lock is widely used to protect sensitive information and perform authentication on
+        Android touch-screen devices. To unlock a device protected with pattern lock, the user is asked to draw a predefined sequence of connected dots on a pattern grid\footnote{In this paper we use the Android default pattern grid with $3 \times 3$ dots, unless otherwise stated.}.
+        %The path traced by the fingertip on the dots is referred as a locking pattern.
+        Figure~\ref{fig:fig2} (e) shows a pattern which consists of seven dots on a $3 \times 3$ grid.
+        To form a
+        pattern, the user starts by selecting one dot as the
+        starting point and then swiping over multiple dots of the grid until the fingertip is lifted from the screen.
+        There are several rules for creating an Android pattern: (1) a pattern must consist
+        of at least four dots; (2) each dot can only be visited once; and (3) a previously unvisited dot will
+        become visited if it is part of a horizontal, vertical or diagonal
+        line segment of the pattern. Taking into account these constraints, the total number of possible patterns
+        on a $3\times3$ grid is 389,112~\cite{uellenbeck2013quantifying}.
+        Given the large number of possible patterns, performing brute-force attacks on
+        Android pattern lock is ineffective, because by default the device will be
+        automatically locked after five failed tries.
+
+\begin{figure*}[!ht]
+    \centering
+    \includegraphics[width=\textwidth]{fig/overview.pdf}
+    \vspace{-4mm}
+    \caption{Overview of the attack.
+     Our system takes in a video segment that records the unlocking process (a). The adversary first marks two areas of interest on the first video frame (b): one contains the fingertip involved in pattern drawing, and the other contains part of the device. Our system then tries to track the fingertip's location w.r.t. to the device.
+     The tracking algorithm produces a fingertip movement trajectory from the camera's perspective (c) which is then transformed to the user's perspective (d). Finally, the resulted trajectory in (d) is mapped to several candidate patterns (e) to be tested on the target device (f). }
+    \label{fig:fig2}
+    \vspace{-3mm}
+\end{figure*}
+
+    \subsection{Threat Model}
+    \label{sec:scenarios}
+        In our threat model, we assume an adversary wants to access some sensitive information from or to install malware on a target device that is protected by pattern lock.
+        This type of attacks is mostly likely to be performed by an attacker
+         who can physically access to the
+        target device for a short period of time (e.g. via  attending a meeting or party where the user presents). To quickly gain access to the device without raising suspicion, the attacker would like to obtain the user's locking
+        pattern in advance. %He can do so with the help of someone (who is likely to be a stranger to the user) to film how the
+        %user unlocks the device.
+        The attack starts from filming how the user unlocks the device. Video recording can be done on-site or ahead of time (probably with the help of someone).
+        The video will then be processed to identify a small number of patterns to be tested on the target device.
+        Because filming can be carried out in from a distance of as far as 2.5 meters using a mobile phone camera and the camera does not need to directly face the target device, this activity often will not be noticed by the user.
+        Moreover, given that many users
+         use the same pattern across devices and applications, the pattern obtained from one device could also be used to break the user's other devices.  \emph{The goal of this paper is to
+        demonstrate the feasibility of a new attack and its implications to
+        the use of pattern lock.}
+
+        \noindent \textbf{Examples of Filming Scenarios} Figure~\ref{fig:fig1} illustrates three scenarios where filming can be
+        performed without raising suspicion to many users. For all the examples presented in Figure~\ref{fig:fig1}, the
+        filming camera had a left- or right-front view angle from the target device and did not directly face the screen of the target device. Due to the filming distance (2-3 meters), the recoded video typically does not have a clear vision of
+        the content displayed on the screen.  This observation can be confirmed by the video snapshot placing
+        alongside each scenario, where it is impossible to identify the content shown on the screen.
+        The examples given in Figure~\ref{fig:fig1} are some of the day-to-day
+        scenarios where security of the user's device can be compromised under
+        our attack.
+
+        \noindent \textbf{Assumptions}
+        Our attack requires the video footage to have a vision of the user's
+        fingertip involved in pattern drawing and part of the device (e.g. an edge of a phone).
+        We believe this is a reasonable assumption because in practice many users often do not fully cover their fingers and the entire device when drawing a pattern.
+        This is particularly true when holding a large-screen device by hands.
+        To launch the
+        attack, the attacker needs to know the layout of the grid, e.g. whether it is
+        a $3 \times 3$ or a $6 \times 6$ grid. Our approach is to generate a set of
+        candidate patterns for each of the Android pattern grids and the attacker can simply decide
+        which set of candidate patterns to use after seeing the target device (at the time the
+        layout of the grid will become available). However, unlike prior work on
+        video-based attacks on keystroke based authentication~\cite{shukla2014beware}, our approach does not
+        require having knowledge of the console's geometry. In other words, the size
+        of the screen or the position of the pattern grid  on the screen does not
+        affect the accuracy of our attack. We also assume the video does not need to
+        capture any content displayed on the screen. This assumption makes previous
+        video-based attacks on pattern lock~\cite{aviv2010smudge} inapplicable.

clean.bat

@@ -0,0 +1,10 @@
+del *.aux /s
+del *.bak /s
+del *.log /s
+del *.bbl /s
+del *.dvi /s
+del *.blg /s
+del *.thm /s
+del *.toc /s
+del *.out /s
+del *.synctex /s

conclusions.tex

@@ -0,0 +1,21 @@
+\section{Conclusions}
+This paper has presented a novel video-based side-channel attack for
+Android pattern lock. The attack is based on a video filmed a distance of 2 meters away from the target device using a mobile phone camera. The attack is
+achieved by employing a computer vision algorithm to track the
+fingertip movement from the video, and then using the geometry information
+of the fingertip movement trajectory to identify the most likely patterns to be
+tested on the target device.  Our approach was evaluated using 120 unique patterns collected
+from independent users and some of the most complex patterns. The experimental results show that our approach
+is able to successfully crack over 90\% of the patterns in five attempts.
+We show that, in contrast to many people's belief, complex pattern actually provides
+weaker protection over simple patterns under our attack. Our study
+suggests that Android pattern lock is vulnerable to video-based
+side-channel attacks.
+
+    %\FIXED{In this paper, we present a novel computer vision based attack that cracks the Android locking patterns based on a video that is unnoticeably filed from a certain angle. Our attacking method uses a video tracking algorithm to track the fingertip motion trajectory, and then outputs a small number of candidate pattern locks by analyzing the line segments and their angle of the fingertip motion.}
+%
+%    \FIXED{To evaluate this attacking approach, we collect 600 patterns from 215 independent users by asking them to fill an anonymized questionnaires and select 120 unique patterns after removing identical ones for performing various experiments. The experimental results shows that the attack system can unlock the target phone with a success rate of above 95\% with no more than five attempts -- a default threshold when the phone will automatically locked by the Android operating system. Furthermore, this work shows that a complex pattern lock is easier to be cracked than a simple one, a great contradiction in most people's mind that a complex pattern lock is more secure than a simple one. At last, we propose a new insights on how to design and use a pattern lock system in a secure way.}
+%
+%    %In this paper, we present a novel computer vision based attack that cracks the pattern locks with the unnoticeably filmed video. In this attack, first we film the video from a certain angle. Then we leverages the fingertip movement during the pattern entry process to analyze pattern locks. In order to correct the video filming angles, we use the transformation matrix to map the movement to the victim's perspective. To exclude the similar patterns, we propose a novel representation for pattern locks by graphic knowledge. We implement a prototype of the attack and evaluate it with lots of videos filmed in various situations. The empirical results indicate that we can achieve an average accuracy of 95\% within five trials at two meters away from the touch-screen.
+%
+%    %However, this attack also exists some limitations which are as following. If user cover his finger during drawing the pattern lock, the accuracy of this attack will be very low and even fails to recognize the pattern lock. Indeed, with the distance increasing, the accuracy will decrease rapidly. Further, when the distance is greater than 3m, the accuracy will be very low. This above limitations is also our future work. Next we will continue on focusing our attention on this limitation and making the attack more robust.