http://dx.doi.org/10.3837/tiis.2019.05.024

TG-SPSR: A Systematic Targeted Password Attacking Model  

Zhang, Mengli (State Key Laboratory of Mathematical Engineering and Advanced Computing)
Zhang, Qihui (State Key Laboratory of Mathematical Engineering and Advanced Computing)
Liu, Wenfen (School of Computer Science and Information Security, Guangxi Key Laboratory of Cryptography and Information Security, Guilin University of Electronic Technology)
Hu, Xuexian (State Key Laboratory of Mathematical Engineering and Advanced Computing)
Wei, Jianghong (State Key Laboratory of Mathematical Engineering and Advanced Computing)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS), vol. 13, no. 5, 2019, pp. 2674-2697
Abstract
Identity authentication is a crucial line of defense for network security, and passwords remain the mainstream means of identity authentication. Trawling password attacks have been studied extensively, but research that exploits personal information has been sporadic. Probabilistic context-free grammar (PCFG) and Markov chain-based models perform very well in trawling guessing. In this paper we propose a systematic targeted attacking model based on structure partition and string reorganization, denoted TG-SPSR, by migrating these two models to targeted attacking. In the structure partition phase, besides dividing passwords into base structures as PCFG does, we additionally define a trajectory-based keyboard pattern in the base grammar and introduce index bits to characterize the position of special characters precisely. Moreover, after defining nine kinds of modification rules, we construct a BiLSTM recurrent neural network classifier to characterize the behavior of password reuse and modification. Extensive experimental results indicate that in online attacking, TG-SPSR outperforms traditional trawling attacking algorithms by about 275% on average, and outperforms its foremost counterparts, Personal-PCFG and TarGuess-I, by about 70% and 19%, respectively; in offline attacking, TG-SPSR outperforms traditional trawling attacking algorithms by about 90% on average, and outperforms Personal-PCFG and TarGuess-I by 85% and 30%, respectively.
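The abstract describes three ingredients of the structure partition phase (PCFG-style base structures, a keyboard-trajectory pattern, and index bits for special-character positions) and the targeted step that draws on personal information. The following Python sketch is an added illustration of how those pieces fit together; it is not part of the paper and not the authors' TG-SPSR implementation. The QWERTY row table, the three-bit index encoding, the "weight n" boost for personal values, the ten training passwords and the persona are all assumptions constructed for this example, and the BiLSTM reuse classifier is not modelled.

```python
"""Added illustration, not the authors' TG-SPSR code: a PCFG-style structure
partition with a keyboard-trajectory segment class and index bits for the
position of special characters, plus a probability-ordered guess generator
that is "targeted" by injecting a victim's personal information as terminals.
Training passwords, the persona and the 3-bit index encoding are all
assumptions made for this example."""
import re
from collections import Counter, defaultdict
from itertools import product

# Constructed training set and persona (not from any real leak).
TRAIN = ["password123", "alice1990!", "qwerty12", "Bob2018!", "iloveyou",
         "zxcvbn", "abc123!", "password123", "asdfgh99", "alice!1990"]
PERSONA = {"name": "carol", "birth_year": "1987"}

# Assumed QWERTY layout; each key maps to (row, column).
KEY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
POS = {c: (r, i) for r, row in enumerate(KEY_ROWS) for i, c in enumerate(row)}


def is_keyboard_walk(seg, min_len=4):
    """A trajectory: every adjacent pair of keys is a physical neighbour
    (Manhattan distance 1 on the key grid). Diagonal walks are ignored here."""
    s = seg.lower()
    if len(s) < min_len or any(c not in POS for c in s):
        return False
    return all(abs(POS[a][0] - POS[b][0]) + abs(POS[a][1] - POS[b][1]) == 1
               for a, b in zip(s, s[1:]))


def partition(pw):
    """Split a password into (class, terminal) segments: L letters, D digits,
    S specials, K a letter or digit run that is a keyboard walk."""
    segs = []
    for m in re.finditer(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+", pw):
        t = m.group()
        cls = "L" if t.isalpha() else "D" if t.isdigit() else "S"
        if cls != "S" and is_keyboard_walk(t):
            cls = "K"
        segs.append((cls, t))
    return segs


def special_index_bits(segs):
    """Assumed 3-bit encoding of where special segments sit:
    bit0 head, bit1 middle, bit2 tail (0 when there is none)."""
    bits = 0
    for i, (cls, _) in enumerate(segs):
        if cls == "S":
            bits |= 1 if i == 0 else 4 if i == len(segs) - 1 else 2
    return bits


def structure_key(pw):
    """Base structure (class+length per segment) joined with the index bits,
    e.g. 'L5S1D4|010' for alice!1990."""
    segs = partition(pw)
    base = "".join(f"{c}{len(t)}" for c, t in segs)
    return f"{base}|{special_index_bits(segs):03b}"


class TargetedPCFG:
    def __init__(self, passwords):
        self.n = len(passwords)
        self.structs = Counter(structure_key(pw) for pw in passwords)
        self.terms = defaultdict(Counter)          # (class, length) -> terminal counts
        for pw in passwords:
            for cls, t in partition(pw):
                self.terms[(cls, len(t))][t] += 1

    def guesses(self, persona=None, limit=20):
        """Guesses in decreasing P(structure) * prod P(terminal | class, length).
        With persona=None this is plain trawling; with a persona, each personal
        value becomes a terminal of its class/length with weight n, so it
        dominates guesses for structures that can hold it."""
        terms = {k: Counter(v) for k, v in self.terms.items()}   # do not mutate model
        for value in (persona or {}).values():
            for cls, t in partition(value):
                terms.setdefault((cls, len(t)), Counter())[t] += self.n
        scored = []
        for key, cnt in self.structs.items():
            base, _bits = key.split("|")          # bits only describe the structure here
            slots = [(c, int(n)) for c, n in re.findall(r"([LDSK])(\d+)", base)]
            if any(slot not in terms for slot in slots):
                continue
            for combo in product(*(terms[s].most_common(5) for s in slots)):
                p = cnt / self.n
                for (t, c), slot in zip(combo, slots):
                    p *= c / sum(terms[slot].values())
                scored.append(("".join(t for t, _ in combo), p))
        scored.sort(key=lambda gp: -gp[1])
        ranked = list(dict.fromkeys(g for g, _ in scored))       # dedupe, keep order
        return ranked[:limit]


if __name__ == "__main__":
    model = TargetedPCFG(TRAIN)
    print("trawling:", model.guesses(limit=7))
    print("targeted:", model.guesses(PERSONA, limit=5))
```

On the constructed training set the trawling order starts with password123 (the only structure seen twice with a terminal seen twice), while supplying the persona pushes carol1987! and carol!1987 into the top five even though neither string, nor "carol", nor "1987", appears in the training data. That is the whole mechanism behind the online-attack gap the abstract reports: a handful of guesses spent on structures filled with the victim's own data beat a much longer trawling list.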
Keywords
password authentication; targeted password attacking; BiLSTM; probabilistic context-free grammar; Markov chain; personal information;
References
1 Y. Li, H. Wang, and K. Sun, "A study of personal information in human-chosen passwords and its security implications," in Proc. of IEEE INFOCOM, pp. 1-9, April 10-14, 2016.
2 Nearly 80 percent of Internet users suffer identity leaks, July 2015.
3 Four years later, Anthem breached again: hackers stole credentials, Feb. 2015.
4 R. A. Grimes, "Password size does matter," July 2006.
5 R. Shay, S. Komanduri, A. Durity, et al., "Designing password policies for strength and usability," ACM Transactions on Information and System Security, vol. 18, no. 4, pp. 1-34, 2016.
6 J. Bonneau, C. Herley, and P. C. van Oorschot, "Passwords and the evolution of imperfect authentication," Communications of the ACM, vol. 58, no. 7, pp. 78-87, 2015.
7 C. Castelluccia, A. Chaabane, M. Durmuth, et al., "When privacy meets security: leveraging personal information for password cracking," arXiv preprint, 2013.
8 A. Singer, W. Anderson, and R. Farrow, "Rethinking password policies," ;login: (USENIX Association), vol. 38, pp. 14-18, 2013.
9 R. Wash, E. Rader, R. Berman, and Z. Wellmer, "Understanding password choices: how frequently entered passwords are reused across websites," in Proc. of Symposium on Usable Privacy and Security, pp. 175-188, June 22-24, 2016.
10 S. M. Haque, M. Wright, and S. Scielzo, "A study of user password strategy for multiple accounts," in Proc. of 3rd ACM Conference on Data and Application Security and Privacy, pp. 173-176, 2013.
11 Y. Zhang, F. Monrose, and M. K. Reiter, "The security of modern password expiration: an algorithmic framework and empirical analysis," in Proc. of 17th ACM Conference on Computer and Communications Security, pp. 176-186, 2010.
12 S. Pearman, J. Thomas, P. E. Naeini, et al., "Let's go in for a closer look: observing passwords in their natural habitat," in Proc. of ACM SIGSAC Conference on Computer and Communications Security, pp. 295-310, 2017.
13 S. Hochreiter and J. Schmidhuber, "Long short-term memory," Neural Computation, vol. 9, no. 8, pp. 1735-1780, 1997.
14 A. Narayanan and V. Shmatikov, "Fast dictionary attacks on passwords using time-space tradeoff," in Proc. of 12th ACM Conference on Computer and Communications Security, pp. 364-372, October 16-18, 2005.
15 P. Wang, D. Wang, and X. Huang, "Advances in password security," Journal of Computer Research and Development, vol. 53, no. 10, pp. 2173-2188, 2016.
16 J. Bonneau, C. Herley, P. C. van Oorschot, et al., "Passwords and the evolution of imperfect authentication," Communications of the ACM, vol. 58, no. 7, pp. 78-87, 2015.
17 C. Herley and P. C. van Oorschot, "A research agenda acknowledging the persistence of passwords," IEEE Security & Privacy, vol. 10, no. 1, pp. 28-36, 2012.
18 D. Freeman, M. Durmuth, and B. Biggio, "Who are you? A statistical approach to measuring user authenticity," in Proc. of the Network and Distributed System Security Symposium, pp. 1-15, February 21-24, 2016.
19 J. Yan, A. Blackwell, R. Anderson, and A. Grant, "Password memorability and security: empirical results," IEEE Security & Privacy, vol. 2, no. 5, pp. 25-31, 2004.
20 M. Weir, S. Aggarwal, B. de Medeiros, et al., "Password cracking using probabilistic context-free grammars," in Proc. of 30th IEEE Symposium on Security and Privacy, pp. 391-405, May 17-20, 2009.
21 J. Ma, W. Yang, M. Luo, et al., "A study of probabilistic password models," in Proc. of 35th IEEE Symposium on Security and Privacy, pp. 689-704, May 18-21, 2014.
22 M. Durmuth, F. Angelstorf, C. Castelluccia, et al., "OMEN: faster password guessing using an ordered Markov enumerator," in Proc. of 7th International Symposium on Engineering Secure Software and Systems, pp. 119-132, March 4-6, 2015.
23 Turkey: personal data of 50 million citizens leaked online, April 2016.
24 S. Houshmand, S. Aggarwal, and R. Flood, "Next gen PCFG password cracking," IEEE Transactions on Information Forensics and Security, vol. 10, no. 8, pp. 1776-1791, 2015.
25 D. Wang, Z. Zhang, P. Wang, et al., "Targeted online password guessing: an underestimated threat," in Proc. of 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1242-1254, October 24-28, 2016.
26 All data breach sources, May 2016.
27 Amid widespread data breaches in China, Dec. 2011.
28 Y. Zhang, F. Monrose, and M. Reiter, "The security of modern password expiration: an algorithmic framework and empirical analysis," in Proc. of ACM CCS, pp. 176-186, October 4-8, 2010.
29 A. Das, J. Bonneau, M. Caesar, N. Borisov, and X. Wang, "The tangled web of password reuse," in Proc. of NDSS, pp. 23-26, February 23-26, 2014.