Behavioral Biometrics for Continuous Authentication in the Internet Of


This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2020.3004077, IEEE Internet of Things Journal

Behavioral Biometrics for Continuous Authentication in the Internet of Things Era: An Artificial Intelligence Perspective

Yunji Liang, Sagar Samtani, Bin Guo, and Zhiwen Yu

Y. Liang, B. Guo, and Z. Yu are with the School of Computer Science, Northwestern Polytechnical University, Xi’an, Shaanxi, China. E-mail: [email protected]
S. Samtani is with the Operations and Decision Technologies Department in the Kelley School of Business, Indiana University, USA.

Abstract—In the Internet of Things (IoT) era, user authentication is essential to ensure the security of connected devices and the customization of passive services. However, conventional knowledge-based and physiological biometric-based authentication systems (e.g., password, face recognition, and fingerprints) are susceptible to shoulder surfing attacks, smudge attacks and heat attacks. The powerful sensing capabilities of IoT devices including smartphones, wearables, robots and autonomous vehicles enable continuous authentication (CA) based on behavioral biometrics. Artificial Intelligence (AI) approaches hold significant promise in sifting through large volumes of heterogeneous biometrics data to offer unprecedented user authentication and user identification capabilities. In this survey paper, we outline the nature of continuous authentication in IoT applications, highlight the key behavioral signals, and summarize the extant solutions from an AI perspective. Based on our systematic and comprehensive analysis, we discuss the challenges and promising future directions to guide the next generation of AI-based continuous authentication research.

Index Terms—Behavioral Biometric, Continuous Authentication, Data Mining, Internet of Things, Artificial Intelligence, Constrained Devices, Body Area Networks, Cyber-Physical Systems.

I. INTRODUCTION

With the flourishing of IoT, our daily life is being transformed by ambient intelligence [1] along with massive connected IoT devices ranging from smartphones and wearables to robots, autonomous vehicles and drones [2], [3]. The broad penetration of IoT devices in the consumer market and their applications makes user authentication critically important to ensure that users have the appropriate rights to access IoT devices [2] and to avoid the devastating damage caused by one attack occurring in a local vulnerable spot [4]. Apart from the security concerns, user authentication is beneficial for passive and customized services when user switching occurs. For example, for one autonomous car shared among family members, the driving habits among family members differ significantly. To assist the drivers, different assistance strategies can be applied based on user identities [3]. Thus, user authentication can protect crucial information against potential attacks and offer customized services for improved user experience.

Fig. 1. An overview of credentials for user authentication and identification

Due to the importance of user authentication, researchers and industries are increasingly studying the development of sophisticated methods to verify and recognize user identities. As shown in Fig. 1, authentication systems can be divided into three categories: knowledge-based, physiological biometric based, and behavioral biometric based solutions [2], [5]. Knowledge-based authentication explicitly requests the user to enter credentials such as a password, personal identification number (PIN) or graphical PIN to confirm the identity of an individual. Physiological biometric based authentication uses biological traits (e.g. fingerprint, iris, and facial images) and employs machine learning methods to discriminate user identities. Behavioral biometrics including walking gait, keystroke and touchscreen dynamics are used for user authentication as well. Authentication systems can be classified into two sub-categories: user authentication, to detect whether the user is an unauthorized visitor or the genuine user, and user identification, to recognize who the current user is.

The essence of authentication systems is to build the mapping relationship between users and objects. According to the object-user mapping relationship, authentication systems can be categorized as shown in Fig. 2. Among them, one-to-one mapping aims to verify whether the user is the genuine user or an imposter for one privately-owned device (such as mobile phones and laptops) or one mobile application. One-to-many mapping provides the appropriate access control among multiple users for one object shared within a group of persons. In IoT systems, numerous smart devices are connected to provide pervasive services for one user (such as smart home and vehicle-to-vehicle systems [6]). In a dynamic environment, participants need to finish one session across shared IoT devices, where complex and robust authentication schemes are needed [7]. The many-to-one mapping and many-to-many mapping fit well for user authentication in complex dynamic environments.

Fig. 2. The mapping relationship between devices and users

Although numerous user authentication and identification methods have been proposed, prior methods have several key drawbacks as they pertain to their fit with IoT applications:

Vulnerability: Prior systems are prone to a diverse range of attacks. For knowledge-based authentication, imposters can capture inputs by shoulder surfing and recording attacks [8]–[10], thermal attacks [11], [12] and smudge attacks [13], [14]. For facial recognition, an adversary could defeat the facial detection through legitimate users’ facial photos. The fingerprint can be defeated by smudge attacks [13]–[15] and forged by deep learning methods [16]. Automated speaker verification based on the personal characteristics of voices is subject to replay attacks [17], [18].

Discreteness: In general, user identification and authentication is executed once at the beginning of

Obtrusiveness: Existing solutions require explicit inputs or actions, which are obtrusive for users by requiring extra user attention. They also cause a distraction from the ongoing tasks [20], [21]. For example, iris and facial recognition require users to stare at the camera at specific angles, which is unnatural and uncomfortable for users.

In recent years, the rapid proliferation of IoT devices such as smartphones, wearable devices and facility cameras has made it possible to seamlessly sense and track user behaviors. The analysis and mining of behavior fingerprints offer new opportunities for continuous authentication [22], [23]. In this paper, we provide a systematic overview of continuous authentication based on behavioral biometrics from the perspective of AI. Our contributions in this paper are as follows:

• We provide a systematic overview of the key components and differentiators between user authentication and identification;
• We summarize the key elements of behavioral biometrics;
• We provide a summary of the emerging types of sensing technologies being integrated into emerging IoT technologies, with a specific focus on the data they generate and common representations of these data;
• We present a general framework on how future researchers can develop innovative AI-based approaches for continuous user authentication and identification;
• We summarize emerging directions for future AI-based research in the aforementioned areas.

The remainder of this paper is organized as follows. In Section II, we characterize the nature of behavioral biometrics. In Section III, we propose a general framework for continuous user authentication from sensing and computing perspectives. Sections IV and V provide a systematic survey of data sensing and inference methods respectively. Finally, Section VI presents the open issues and challenges in CA based on behavioral biometrics and Section VII concludes this paper.

II. CHARACTERIZING BEHAVIORAL BIOMETRICS

Behavioral biometrics refer to the unique behavioral traits that can be used for human authentication. Unlike the knowledge-based credentials and physiological biometrics shown in Fig. 1, behavioral biometrics identify people by how a user conducts the specified activity rather than by static information or physical characteristics. User authentication based on behavioral biometrics is characterized as secure, continuous, transparent, and cost effective.

Secure: In contrast to knowledge-based credentials and physiological biometrics, behavioral biometrics provide a dy-
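The introduction's split between user authentication (one-to-one verification) and user identification (one-to-many recognition), applied window by window over a session, can be sketched as follows. This is an added example, not code from the paper: the keystroke-interval data, user names, z-score distance, threshold and `patience` rule are all constructed assumptions chosen for illustration.

```python
from statistics import mean, pstdev

# Constructed enrollment data: four inter-key intervals (ms) per typing sample.
ENROLL = {
    "alice": [[110, 95, 140, 120], [115, 90, 150, 118],
              [105, 99, 145, 125], [112, 93, 138, 121]],
    "bob":   [[180, 160, 210, 90], [175, 170, 200, 95],
              [185, 158, 215, 88], [178, 165, 205, 92]],
}

def build_template(samples):
    """Per-feature (mean, std); std is floored so a very consistent typist cannot cause a zero divisor."""
    return [(mean(col), max(pstdev(col), 1.0)) for col in zip(*samples)]

TEMPLATES = {user: build_template(s) for user, s in ENROLL.items()}

def distance(template, window):
    """Mean absolute z-score of one observation window against a template."""
    return mean(abs(x - m) / s for x, (m, s) in zip(window, template))

def authenticate(claimed, window, threshold=3.0):
    """One-to-one: does the window match the claimed user's template?"""
    return distance(TEMPLATES[claimed], window) <= threshold

def identify(window, threshold=3.0):
    """One-to-many: nearest enrolled user, or None when nobody is close enough."""
    user, d = min(((u, distance(t, window)) for u, t in TEMPLATES.items()),
                  key=lambda pair: pair[1])
    return user if d <= threshold else None

def continuous_auth(claimed, session, threshold=3.0, patience=2):
    """Re-verify every window; return the index at which the session is locked
    (after `patience` consecutive rejections), or None if it never is."""
    misses = 0
    for i, window in enumerate(session):
        misses = 0 if authenticate(claimed, window, threshold) else misses + 1
        if misses >= patience:
            return i
    return None

# Constructed session: alice types (with one noisy window), then bob takes over.
SESSION = [[111, 94, 142, 119], [108, 97, 147, 123], [140, 120, 160, 110],
           [112, 92, 139, 122], [179, 163, 208, 91], [182, 161, 211, 90]]

if __name__ == "__main__":
    print("login check passes:", authenticate("alice", SESSION[0]))
    print("session locked at window:", continuous_auth("alice", SESSION))
    print("who is typing at window 4:", identify(SESSION[4]))
```

A check made only on the first window accepts the session, while the per-window check tolerates the single noisy window and locks once two consecutive windows fail to match.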
