احراز هویت متوالی و مجوز برای اینترنت اشیا Continuous Authentication and Authorization for the Internet of Things

Authentication on Devices That Maintain Continuous Physical Contact Devices that maintain contact with the user can support new forms of biometric authentication. Most of these devices fall into two categories. Devices of the first category either contain an inertial measurement unit (IMU), which is comprised of an accelerometer and a gyroscope, or can have an IMU embedded quite easily. Devices of the second category contain a photoplethysmogram (PPG) sensor, which is comprised of a few (often two or three) LEDs and a few (again, often two or three) light sensors. Both IMUs and PPG sensors can enable user authentication. Specifically, using the IMU, we can develop authentication techniques that are based on the principle that users frequently move their limbs in unique patterns throughout the time they use the device. An example of a well-known trait that differs across users is gait. If we can extract the patterns in the output of an IMU sensor due to the user’s unique gait, we can use simple machine learning techniques to learn these patterns and apply them to continuously authenticate the user based on gait. If such a technique was developed and put into practice, a device of the first category (worn by the user) could monitor the user continuously and frequently authenticate the user’s legitimacy before allowing the user to perform appropriate operations. For example, the watch in the Macbook Pro setting wouldn’t authenticate the attacker, which would prevent the Macbook Pro from being spuriously unlocked. Several behavioral biometrics solutions have been proposed that employ the IMU to authenticate users.1,2 Similarly, the PPG sensor provides an opportunity to study the PPG signal for unique patterns in blood flow rhythm. Researchers have shown that due to slight variations in every human’s heartbeat rhythm, echocardiogram (ECG) signals contain small information — but this is enough to indicate what’s unique to an individual user.3,4 Consequently, just by using the ECG signal, we can design user schemes to authenticate users. Although several ECG-based user authentication systems have been proposed, this technology has yet to achieve sufficient effectiveness to see widespread deployment. Because the PPG signal is generated based on the amount of blood flow in the user’s veins, which depends on how the user’s heart pumps blood, the PPG signal could contain enough information to enable user authentication. Using the PPG signal is particularly challenging, however, because this signal is sensitive to the motion of a person’s limbs: that is, the PPG measurement depends on the person’s speed of movement. Fortunately, most devices these days that come with a PPG sensor also come with an IMU. Therefore, we can potentially use information from the IMU sensors to measure the amount of motion of the limb and combine the two signals — or correct the measurement of the PPG sensor — to enable authentication.