Can's Projects

Selected Research Projects

Quantifying the Security of Different Types of Passwords

(Rutgers University, WINLAB)

Can Liu, Shridatt Sugrim, Gradeigh D. Clark, and Janne Lindqvist "Quantifying the Security of Recognition Passwords: Gestures and Signatures".

Strong statements about the security of a password system use an analysis of the statistical distribution of the password space, which models a best-case attacker who guesses passwords in order of most likely to least likely.

Estimating the distribution of recognition passwords is challenging because many different trials need to map to one password. In this paper, we solve this difficult problem by: (1) representing a recognition password of continuous data as a discrete alphabet set, and (2) estimating the password distribution through modeling the unseen passwords. We use Symbolic Aggregate approXimation (SAX) to represent time series data as symbols and develop Markov chains to model recognition passwords. We use a partial guessing metric, which demonstrates how many guesses an attacker needs to crack a percentage of the entire space, to compare the security of the distributions for gestures, signatures, and Android unlock patterns. We found the lower bounds of the partial guessing metric of gestures and signatures are much higher than the upper bound of the partial guessing metric of Android unlock patterns.

Exploring Performance Limits for Identification Systems

(Rutgers University, WINLAB)

Shridatt Sugrim, Can Liu, and Janne Lindqvist "Recruit Until It Fails: Exploring Performance Limits For Identification Systems", IMWUT Issue 3, Article 104 (September 2019).

Distinguishing identities is useful for several applications such as automated grocery or personalized recommendations. Unfortunately, several recent proposals for identification systems are evaluated using poor recruitment practices. We discovered that 23 out of 30 surveyed systems used datasets with 20 participants or fewer, which achieved a misleading 93% classification accuracy.

To demonstrate why classified performance is misleading, we used publicly available datasets and created five systems with at least 20 participants each. In three cases we achieved accuracies greater than 90% by merely applying readily available machine learning software packages, often with default parameters. We argue that data from small participant count datasets do not adequately explore variations. Systems trained on such limited data are likely to incorrectly identify users when the user base increases beyond what was tested. We conclude by explaining generalizable reasons for this issue and provide insights on how to conduct more robust system analysis and design.

Robust Performance Metrics for Authentication Systems

(Rutgers University, WINLAB)

Shridatt Sugrim, Can Liu, Meghan McLean, and Janne Lindqvist "Robust Performance Metrics for Authentication Systems", NDSS 2019.

Research has produced many types of authentication systems that use machine learning. However, there is no consistent approach for reporting performance metrics and the reported metrics are inadequate. We show that several of the common metrics used for reporting performance, such as maximum accuracy (ACC), equal error rate (EER) and area under the ROC curve (AUROC), give no insight into how system performance degrades outside the ideal conditions in which they were designed. In this work, we present the unnormalized frequency count of scores (FCS) to demonstrate the mathematical underpinnings that lead to these failures and show how they can be avoided. When reported with the Receiver Operating Characteristics curve (ROC), these two metrics provide a solution to the limitations of currently reported metrics. Finally, we show how to use the FCS and ROC metrics to evaluate and compare different authentication systems.

Text Passwords Memorability

(Rutgers University, WINLAB)

Xianyi Gao, Yulong Yang, Can Liu, Christos Mitropoulos, Janne Lindqvist, and Antti Oulasvirta "Forgetting of Passwords: Ecological Theory and Data", USENIX Security '18.

Our work contributes new data and a set of analyses building on the ecological theory of memory and forgetting. We propose that human memory naturally adapts according to an estimate of how often a password will be needed, such that often used, important passwords are less likely to be forgotten. We derive models for login duration and odds of recall as a function of rate of use and number of uses thus far. The models achieved a root-mean-square error (RMSE) of 1.8 seconds for login duration and 0.09 for recall odds for data collected in a month-long field experiment where frequency of password use was controlled. The theory and data shed new light on password management, account usage, password security and memorability.

Guessing Attack on Gesture Authentication System

(Rutgers University, WINLAB)

Can Liu, Gradeigh D. Clark, and Janne Lindqvist, "Guessing Attacks on User-Generated Gesture Passwords", IMWUT Issue 1, Article 3 (March 2017)

We present the first approach for measuring the security of gestures with guessing attacks that model real-world attacker behavior. Our major contributions are: 1) a comprehensive analysis of the weak subspace for gesture passwords, 2) a method for enumerating the size of the full theoretical gesture password space, 3) a design of a novel guessing attack against user-chosen gestures using a dictionary, and 4) a brute-force attack used for benchmarking the performance of the guessing attack. Our dictionary attack achieves a cracking rate of 47.71% using 10^9 guesses. This is a difference of 35.78 percentage points compared to the 11.93% cracking rate of the brute-force attack.

Gesture Authentication System on Mobile Devices

(Rutgers University, WINLAB)

Can Liu, Gradeigh D. Clark and Janne Lindqvist, 2017, "Demo: Garda - Robust Gesture-based Authentication for Mobile Systems", UbiComp '17

Can Liu, Gradeigh D. Clark, and Janne Lindqvist, "Where Usability and Security Go Hand-in-Hand: Robust Gesture-Based Authentication for Mobile Systems", CHI '17

We presented and evaluated a novel multi-expert gesture recognizer design for authentication: Garda. We also implemented and evaluated Garda on a mobile device. All our results show that our implementation can largely improve the performance of gesture-based authentication systems. Garda was the final result of a rigorous evaluation of 13 different methods to implement gesture recognizers. Finally, we conducted the first analysis of how tuning the variables of preprocessing methods of gesture recognizers can impact their authentication performance. We found that an authentication-optimal combination (location invariant, scale variant, and rotation variant) can reduce EER by up to 45.3% on average compared to the recognition-optimal configuration used in previous work.


Monitoring System of Residual Current Devices (RCD)

(Hebei University of Technology, State Key Lab of Reliability and Intelligence of Electrical Equipment, 2012)

Can Liu, Kui Li, Ning Zhang, Yao Wang, "Intelligent Data Management and Monitoring System of Residual Current Device Based on LabVIEW", Low-Voltage Apparatus, 2012

Ning Zhang, Kui Li, Can Liu, Simin Chen, "Residual Current Protection Device Monitoring System Based on LabVIEW", Low-Voltage Apparatus, 2012

With LabVIEW, we developed a monitoring system for RCDs with powerful functions and stable performance. The system has a visual, easy-to-operate interface. It can monitor the structure and operational parameters of the breakers at all levels. The fully functional database supports storing, querying, and printing historical monitoring data.

Research on Residual Current Identification under Complex Conditions

(Hebei University of Technology, State Key Lab of Reliability and Intelligence of Electrical Equipment, 2011)

Yao Wang, Kui Li, Zhitao Guo, Can Liu, et al., "Development of an AC-DC Sensitive Residual Current Device", Low-Voltage Apparatus, 2013

Can Liu, Kui Li, Yao Wang, Xu Zou, et al., "Comparative Study on Residual Current Signal Processing Method of AC/DC Sensitive Residual Current Transformer", Asia-Pacific Power and Energy Engineering Conference, China, 2012

Yao Wang, Kui Li, Can Liu, Zhitao Guo, et al., "Study on Modeling and Simulation of AC/DC Sensitive Residual Current Transformer", the 1st International Conference on Electric Power Equipment-Switching Technology, China, 2011

We proposed an AC/DC RCT based on the magnetic modulation principle. We modeled and simulated the AC/DC RCT based on linear regression. We analyzed the operation principle of the AC/DC RCT and built a computer-based simulation model. Finally, we verified the validity of the simulation model by experiment. Our work will help the design of AC/DC RCTs.

We also studied five typical residual current signals, which include full-wave, half-wave, quarter-wave, and 135 degree wave signals. We also compared three approaches to processing the residual current signals and found that an FIR low-pass digital filter is optimal for the signal processing of the AC/DC sensitive residual current transformer.

Selected Course Projects

Coming Soon...