A Bayesian network model of knowledge-based authentication

Knowledge-based authentication (KBA) has gained prominence as a user authentication method for electronic commerce. Our research of the KBA problem, which adopts a statistical modeling approach, consists of three parts---model selection, feature selection, and empirical investigation.; First, we present a non-parameterc Bayesian network model of KBA, which is grounded in probabilistic reasoning and information theory. The probabilistic semantics of the model parameters naturally lead to the definitions of two key KBA metrics-guessability and memorability. The statistical modeling approach allows parameter estimation using rigorous methods such as maximum likelihood and maximum a posteriori estimation. The information-theoretic view helps to derive the closed-form solutions to estimating the guessability and guessing entropy metrics. These results with respect to the KBA metrics and the models under different attacking strategies and factoid distributions are unified under a game-theoretic framework that further yields lower and upper bounds of the optimal guessability.; Second, we propose an approach to feature selection in KBA that is based on the principle of maximum entropy with proper underlying probabilistic semantics in the information security domain. If we represent a KBA domain as a generative probabilistic model, the knowledge about genuine users defines an empirical distribution of a factoid vector, whereas the attacking strategy exploited by an impostor can be formulated as another distribution that approximates the true distribution. Thus the objective of feature selection is to maximize the Kullback-Leibler divergence between the true and approximating distributions. The closed-form solutions to this optimization problem at different, granularity levels lead to three feature selection algorithms, characterized by increasing adaptivity.; Third, an empirical investigation extends the analytical modeling to the behavioral and social space of KBA, which is comprised of a pilot study and a large-scale experiment with online social networking data. The pilot study validated that the proposed Bayesian model makes a sensible approximation to the human cognitive process. Our experiments with online social networking data show that, with the cutting-edge statistical machine learning techniques and the abundant data available from the Internet; the guessability can be significantly improved.