C-CURE: Cost-Sensitive Dynamic User Authentication with Reinforcement Learning

C-CURE aims to develop a cost-sensitive approach to authenticate a user’s identity, for example, to gain access to an information system, to place an online order or bid, to validate a decision in a business or audit process, or to confirm a payment transaction.

C-CURE addresses a pressing problem with regard to user authentication: lack of flexibility. Current authentication methods are uniform and static. Their power, and thus the involved overhead for the user, is the same for small (in terms of the required security) and large processes or transactions. C-CURE aims to develop a flexible multi-modal approach which adapts the security level and procedure depending on the expected risk and the context of the user.


Figure 1: Traditional security aims at 100% security and tends to be not user friendly while C-CURE balances cost and benefit by adapting the security level and procedure.

A multi-modal authentication process, such as the one in Figure 2, takes these costs into account and improves the security while reducing the user’s overhead. The primary authentication is, in most cases, sufficiently accurate at distinguishing authentic from malicious users. It is also user friendly. This avoids users canceling their use of the provided service. When the authentication does not yield sufficient certainty about a user’s identity, a secondary authentication is required which is much more secure but also more cumbersome for the user.

One innovation is driven by adopting a business perspective on the authentication challenge. Regardless of the exact economic purpose of operating the process requiring authentication, allowing an authentic user to proceed and preventing a malicious user from proceeding typically generates a profit, whereas allowing a malicious user to proceed, or blocking or even hindering an authentic user, will induce a loss (such as the lost profit when a business transaction is blocked or when a customer cancels a transaction because of the authentication procedure’s overhead). From a business perspective these costs and benefits should be taken into account in the decision-making process, in order to optimize long-term profit.

As a second innovation, C-CURE learns users’ behavior (both authentic and malicious) and develops a personalized authentication procedure. For example, C-CURE will learn what purchases a user usually makes or in which order he usually requests data. When the user behaves as expected, the security threshold may be lower than when the user behaves unexpectedly. Reinforcement learning allows these models to be updated continuously as user behavior changes.


Figure 2: A multi-modal authentication system. The primary authentication is lightweight. It is user friendly and provides enough certainty about a user’s identity most of the time. When more certainty is required, the system requires a secondary authentication. The latter is much more secure but also more cumbersome for the user.

By combining both perspectives in a single decision model, three types of information are used in identifying authentic from malicious users:

  1. information on the exact process for which the user requires authentication,
  2. individual information on previous authentication requests of this user,
  3. information on malicious user behavior.
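
The cost-sensitive choice between allowing, blocking and requesting secondary authentication can be written as an expected-profit comparison. The following is an added example, not code from the C-CURE project: the payoff values, the abandonment and bypass probabilities, and the behavior likelihood ratio (standing in for the learned per-user model) are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Payoffs:
    """Per-transaction economics; every number passed in below is an assumed sample value."""
    margin: float            # profit when an authentic user completes the process
    fraud_loss: float        # loss when a malicious user is allowed to proceed
    abandon_rate: float      # P(authentic user cancels when asked for secondary auth)
    secondary_bypass: float  # P(malicious user still passes secondary auth)

def posterior_authentic(prior: float, likelihood_ratio: float) -> float:
    """Update P(authentic) from primary auth with a behaviour score.

    likelihood_ratio = P(observed behaviour | authentic) / P(observed behaviour | malicious);
    it stands in for the learned per-user behaviour model.
    """
    odds = prior / (1.0 - prior) * likelihood_ratio
    return odds / (1.0 + odds)

def expected_profit(p: float, pay: Payoffs) -> dict:
    """Expected profit of each action when P(authentic) = p."""
    return {
        "allow": p * pay.margin - (1 - p) * pay.fraud_loss,
        "step_up": p * (1 - pay.abandon_rate) * pay.margin
                   - (1 - p) * pay.secondary_bypass * pay.fraud_loss,
        "block": 0.0,  # no revenue; the authentic user's lost margin is the opportunity cost
    }

def decide(p: float, pay: Payoffs) -> str:
    """Pick the action with the highest expected profit."""
    profits = expected_profit(p, pay)
    return max(profits, key=profits.get)

# Constructed scenarios: same primary-auth confidence, different behaviour and stakes.
SMALL = Payoffs(margin=2.0, fraud_loss=20.0, abandon_rate=0.15, secondary_bypass=0.01)
LARGE = Payoffs(margin=50.0, fraud_loss=5000.0, abandon_rate=0.15, secondary_bypass=0.01)

if __name__ == "__main__":
    for label, pay, lr in [("small, usual behaviour", SMALL, 4.0),
                           ("small, unusual behaviour", SMALL, 0.25),
                           ("large, usual behaviour", LARGE, 4.0),
                           ("large, very unusual", LARGE, 0.0001)]:
        p = posterior_authentic(0.95, lr)
        print(f"{label:26s} P(authentic)={p:.3f} -> {decide(p, pay)}")
```

With these assumed numbers, the same user showing the same usual behavior is allowed straight through on the small transaction but asked for secondary authentication on the large one, because the potential fraud loss outweighs the cost of occasional abandonment.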

Selecting the variables to be integrated in the decision model is an important challenge. Minimizing the probability of misidentification requires selecting the relevant technical features of the device used during the process, such as “Has the device been used by the user before?”, as well as leveraging the available security features, such as the Host Card Emulation extension introduced in Android 4.4 or the ARM processor’s TrustZone, which can reduce the chances of having transactions realized by malware on behalf of regular users.

Three companies are involved in the project and several have already shown interest. We work closely with them on case studies to demonstrate that abundant opportunities exist for commercial applications.

Projects Partners

Projects Sponsors

Sign2Pay
Smals
VASCO