Deep learning based graphical password authentication approach against shoulder-surfing attacks

Abstract

The password used to authenticate users is vulnerable to shoulder-surfing assaults, in which attackers directly observe users and steal their passwords without using any other technical upkeep. The graphical password system is regarded as a likely backup plan to the alphanumeric password system. Additionally, for system privacy and security, a number of programs make considerable use of the graphical password-based authentication method. The user chooses the image for the authentication procedure when using a graphical password. Furthermore, graphical password approaches are more secure than text-based password methods. In this paper, the effective graphical password authentication model, named as Deep Residual Network based Graphical Password is introduced. Generally, the graphical password authentication process includes three phases, namely registration, login, and authentication. The secret pass image selection and challenge set generation process is employed in the two-step registration process. The challenge set generation is mainly carried out based on the generation of decoy and pass images by performing an edge detection process. In addition, edge detection is performed using the Deep Residual Network classifier. The developed Deep Residual Network based Graphical Password algorithm outperformance than other existing graphical password authentication methods in terms of Information Retention Rate and Password Diversity Score of 0.1716 and 0.1643, respectively.

Keywords

Graphical password security authentication shoulder-surfing attack deep residual network

1. Introduction

Textual passwords are currently the most used authentication method. However, it is commonly known that most users find these conventional passwords to be frustrating in general. Even if they desire to act safely, people frequently do not know what a “secure” password is because there are rarely sufficient instructions for creating secure passwords. The password algorithm guarantees that information and computer is accessed by those who are arranged right to view or access them [9]. In the present era, the authentication procedure is crucial since it is used to safeguard the system so that only authorized users may access it. Additionally, authentication is divided into three categories: knowledge-based, biometric-based, and token-based procedures. Here, token-based authentication methods are mainly depending on what the user possess, for instance, an Identity card for executing authentication process. In addition, bio-metric-based scheme is based on user’s attributed, like thumbprint for performing authentication, whereas the knowledge-based method mainly relies on users’ known information, like alphanumeric password in order to done authentication [11, 12, 13]. Additionally, the most popular authentication method used in mobile devices is the password-based user authentication mechanism. In a password-based user authentication system, the user’s graphical or alphanumeric password is regarded as their user credential. The password entry model is thus vulnerable to shoulder-surfing assaults, in which the password entered on the user interface is viewed by nearby enemies without the use of technical record devices, such as concealed cameras. Attackers that use shoulder surfing are only able to target people because they are more likely to carry and use mobile devices often and widely, especially in crowded areas. Meanwhile, it is significant to address the attackers, thus mobile users’ passwords are protected [5].

A physical security risk known as the shoulder surfing attack is created by a stander who takes legitimate user passwords by directly watching or videotaping password submission. Currently, a number of methods are being developed to counter shoulder surfing attacks. However, many approaches are still exposed to shoulder surfing attacks [4]. Meanwhile, the shoulder surfing model is a type of intrusion, where which attackers watch over user’s shoulder for obtaining data. For launching shoulder surfing attacks [14, 15, 16], two kinds of process are available first one is attacker users naked eye and second one is attacker uses camera-based device. Generally, shoulder surfing attack directs to take place in crowd in which users are not certainly identify attackers, because of chaotic structure. Moreover, some of the attackers capture the videos, which record authentication scenes one or more times as well as it is capable to evaluate user behavior, and it crack the passwords [3]. Additionally, other common measure for diminishing shoulder surfing attack risks is to alter the passwords occasionally or frequently, therefore producing revealed passwords is inadequate for shoulder surfing attackers. Meanwhile, these practice may still obtains poor user experience as well as makes user fail in the authentication process, because it forces the user to remember passwords that they can remember barely. Hence, it residues as a major challenge for alleviating shoulder-surfing attacks and obtains better usability at a similar time for password-based user authentication on devices [1].

The alphanumeric passwords are the primary and most significant system of user authentication [17]. This structure is simple and easy to execute and it is mostly utilized from earlier days [18]. The secure password must be unsystematic and informal to reminisce. Accordingly, a secure password, which is created as a random string for instance, special cases, lower and upper cases, and at least eight character length is very hard to remember by user. Thus, the graphical password was developed as different way for assisting the users in order to remember the password [19]. Moreover, the graphical password is an authentication approach in computer security system. Additionally, computer security is one of the significant standards in computer science area. In addition, graphical passwords influence the human remembrance because human brain has vital memorizing ability to identify and recall visual images [13, 19]. It is confident, that the user can register random and secure password and still they have no complexity in memorizing register password [13]. In general, graphical passwords are categorized as three types, such as cued-recall, recall and recognition-based model [19]. The recall model needs the user reproducing formerly tired password object, for example shape, icon, picture or image. Images are applied in graphical password, which is easy to memorize and complex to guesstimate by other persons. Meanwhile, textual passwords are the best alternative method for a textual password [5].

The main intention of this research is to develop a graphical password model, termed Deep Residual Network (DRN) based Graphical Password (GPass) against shoulder-surfing attacks. The overall process of the developed approach involves three stages, including registration, login and authentication phase. The first stage is the registration segment where user enters the username and thereafter the secret pass images is selected from a set of images shown by the server. The server generates the session password based on the secret pass images such that the challenge set is created from the secret pass images and then the challenge set is sketched using the DRN classifier [10]. After that, the user gives username and the session password based on the secret pass images for login process. Once the user name and session password is given, the user is logged in, only if the session password is correct. In the authentication phase, server sends the challenge set to the user for identifying the secret pass images, from the challenge set within a time limit if the user is not authenticated.

The main contribution of this research work is the developed DRN based GPass model for graphical password authentication technique. The DRN model is employed for detecting the edges of secret pass images. In the authentication phase, the challenge set generation is carried out by generating the decoy and pass sketches, which are performed by the edge detection process.

The remainder of the work is divided into the following sections: Section 2 explains the literature review of traditional graphical password authentication systems, and Section 3 describes the created DRN based GPass method. The developed graphical password authentication model’s findings and discussion are shown in Section 4, and the paper’s conclusion is stated in Section 5.

2. Literature review

The literature study of various current shoulder surfing attack strategies using graphical passwords is explained in this part. Yu et al. [1] modeled an Evolvable graphical password authentication model, termed EvoPass. This method converts a collection of pass photos that have been chosen by the user into pass sketches, which are then used as user credentials. Using the original pass image as a starting point, edges were extracted to create each pass drawing. Without negatively compromising the user experience, this model effectively increased the conflict to shoulder-surfing attacks. However, by reducing computational complexity, this strategy failed to improve the standard of the task. Panda et al. [6] designed the Safe Graphical Password authentication system, a revolutionary Safe Graphical Password method. In this method, graphical password images are entered using pattern digits. With this setting, location input graphics are effectively changed with each authentication period. Additionally, this approach prevents shoulder-surfing attackers from determining which password images are used by the user. This authentication approach effectively enhanced the user privacy, although this method did not reduced the computational complexity. Zhou et al. [2] presented Polynomial-based Google Map Graphical Password model in cloud structure. Here, a graphical password enlarges the danger of revealing passwords shoulder surfing attacks. The password and response points were transferred through the Hypertext Transfer Protocol Secure (https) channel. This model proficiently decreased the time taken for authentication, although this algorithm not decreased computational problem on users. Zhou et al. [3] developed a shoulder surfing-resistant authentication approach that is graph-augmented and textual, termed PassGrid. This method effectively prevents the attackers based on one-time login indicators and recurrent movement blocks with textual factors. Moreover, one set of the password was considered to reduce the workload of users. This model effectively avoids attackers, but still this model not improved the high time consumption. Yee et al. [4] introduced shoulder-surfing resistance technique based on digraph substitution rules and pass-image output feedback for avoiding shoulder-surfing attacks. This authentication approach mainly includes two phases, namely the enrolment and authentication stage. This model provides better protection against shoulder-surfing attack. However, this method failed to utilize dataset images for inducing recall measure for obtaining effective outcomes.

Lip Yee Por et al. [5] presented a graphical password method, named LocPass for avoiding the shoulder-surfing process. At first, the registered position and five image directions were estimated for finding the pass location. After that, images employed in this process were offset each other, which increases the password spaces. This method effectively enhanced the password spaces, so that it was more challenging for attackers to estimate how many registered positions were utilized by users. However, this method did not discover more meaningful images for identifying pass-image or position in the challenge set, which improves the system performance. Pandey, [7] introduced a shoulder surfing preventive model for graphical password authentication. Initially, modified authentication process was designed for resolving shoulder surfing using the recognition-based model. Moreover, a recall-based graphical password technique was used for analyzing feature usability. This technique effectively secured the user from unauthorized access, although does not improves the security level. Hanif et al., [8] developed a Textual graphical password model for secure authentication process. This approach was integrated with color and alphanumeric characters, such that users were comfortable with textual passwords. This model was highly secure and simple to use, even though failed to include two-factor authentication models for improving robustness.

The PassGrid approach was developed for protecting sensitive and privacy information, although this model did not evaluate the security against various typical attacks for improving practical performance [3]. Shoulder-surfing resistance technique based on pass-image output feedback and digraph substitution rules was devised in [4] to prevent shoulder surfing attack. However, this method not implemented user graphical authentication process for enhancing password effectiveness. The shoulder surfing preventive model was designed in [7] for avoiding shoulder surfing attacks, even though this method not enhanced the security level through employing various rules of mathematics with Internet of Things (IoT) for login process. The textual graphical password method [8] was developed to enhance security, although this approach did not improve the performance by enlarging the number of characters, sectors colors of sectors. In [9], a graphical password approach was developed to prevent shoulder surfing attacks, but still, secure and simple access is the main challenging job of this approach.

3. Proposed deep residual network based GPass model for graphical password authentication process

Graphical passwords are the best approach where the user selects the image in order to authenticate them in place of providing passwords. Moreover, this process is more secure than textual password methods. The developed graphical password authentication method mainly includes three stages, namely registration, login and authentication part. At first, the user Identity is entered in the registration phase in which two-step authentication is performed. In the two-step authentication process, secret pass image selection and challenge set generation is carried out. The secret pass and decoy images are transferred to gray scale images, after those edges are detected from these images for challenge set generation. Afterwards, login phase is performed where the selected images are correct, and then authentication is executed. The schematic diagram of developed graphical password authentication method is depicted in Fig. 1.

Figure 1.

Block diagram of developed graphical authentication process.

3.1 Registration phase

In the registration segment, the user enters the user Identity $U_{ID}$ . Following that, two-step authentication is completed; including challenge set generation and secret pass image selection. Here, secret pass image selection and challenge set generation are carried out for the registration process [9].

3.1.1 Secret pass image selection

At first, verifier or server sends a set of images to the user for selecting a password. For example, 12 images are displayed to the user as depicted in Fig. 2. Then, user selects the pair of images as a password, which is in an even number. The selected pair of images is called as secret pass image. This session password and secret pass are the major modification in this model for strong secure system. The images chosen through the user is specified in a panel, below the gird of images in consecutive way thereby, chosen images are easily remembered by a user in order. Moreover, server generates the session password based on secret pass images.

Figure 2.

Secret pass image selection.

3.1.2 Challenge set generation

In this section, the challenge set is generated and the generation process is explained as follows [1]. Based on the user’s registration request and pass images, the server first chooses a set number of decoy photos from the system database. In order to protect against harvest assaults, the system database is typically arranged using recorded pass images of each user. The secret pass and decoy photos are transformed into grayscale images by the server. After that, a DRN classifier based edge detection procedure is used to produce pass and decoy sketches. As a result, the server gives the user a challenge set that is made up of pass and fake sketches. Additionally, the user can select the pass photos in the challenge set multiple times until no issues are encountered when detecting pass sketches. Meanwhile, if the user is not fulfilled with challenge set, then the set is refreshed by restarting the process from registration phase.

The edge detection process in challenge set generation is carried out using the DRN classifier, and the DRN classifier is explicated as follows.

The generalization performance and training efficiency is highly enhanced in DRN classifier thus, it is applied for the edge detection process. DRN classifier [10] mainly includes various layers, namely residual blocks, pooling layer, linear classifier, and convolutional layer. DRN has effectual training and learning performance under a limited number of training data. Thus, the DRN classifier is utilized for the effectual edge detection process. The edge detection process is performed using the DRN model for producing pass and decoy sketches. The input of the DRN classifier is secret pass images $R_{s}$ in which edge detected image is obtained as output and it is denoted as $G_{s}$ . The architecture diagram of the DRN model is signified in Fig. 3.

Figure 3.

Structural diagram of Deep Residual Network (DRN) model.

Convolutional layer: In this case, the two-dimensional convolutional layer is used to reduce the number of free parameters during the training process, indicating the effectiveness of the local receptive field and weight sharing. This layer is used to process the input with a kernel-based series of filters known as filters. The mathematical operation that slides every filter in the input matrix during the convolutional layer’s main process estimates the dot product on the kernel as well as on each location, which has a comparable standard to one-dimensional convolution. Additionally, the two-dimensional and one-dimensional convolutional layer computing process is as follows:

$\displaystyle C2t(d)=\sum\limits_{m=0}^{p-1}{\sum\limits_{n=0}^{p-1}{\chi_{m,n% }\cdot d({e+m})({f+n})}}$ (1) $\displaystyle C1t(d)=\sum\limits_{o=0}^{U-1}{\chi_{r}*d}$ (2)

where $d$ indicates two-dimensional output attained from the previous layer, $\chi$ represents $p\times p$ kernel matrix, and the learnable parameter is used in the training process, $e$ and $f$ is employed for storing the coordinates $m$ , and $n$ symbolizes position index in two-dimensional kernel matrix $\chi_{r}$ denotes kernel size of $r^{\text{th}}$ neuron, and $*$ depicts cross correlation operator.

Pooling layer: The pooling layer is mostly implanted to subsequent convolutional layers, which are typically used to reduce the spatial dimension of feature maps and preserve control over fitting concerns.

$\displaystyle i_{\textit{out}}=\frac{i_{in}-c_{i}}{O}+1$ (3) $\displaystyle j_{\textit{out}}=\frac{j_{in}-c_{j}}{O}+1$ (4)

where $i_{in}$ signifies width of the two-dimensional input matrix, $c_{j}$ refers height for kernel size, $c_{i}$ denotes width for kernel size, $i_{\textit{out}}$ and $j_{\textit{out}}$ symbolizes width and height of 2 two-dimensional matrix output.

Activation function: Generally, the non-linear activation function is considered for learning about the complex and non-linear features, which is enabled for improving the non-linearity of extracted features. Moreover, the activation function is termed a Rectified Linear unit (ReLU) in this layer, which is expressed as follows,

$\displaystyle\nu(d)=\left\{{\begin{array}[]{l}0,d<0\\ d,d\geqslant 0\\ \end{array}}\right.$ (5)

Batch normalization: In batch normalization, the training set is divided into several little groups, known as mini-batches, and the small groups are used to train the model in order to obtain useful tradeoffs between conversional and computational complexity. By normalizing the input layers, the batch normalization is developed to lessen the internal covariance shift. In order to increase training speed and reliability by reducing overfitting and explosion problems, activation scaling and tweaking is also done.

Residual Blocks: This layer includes a shortcut connection from input to output, while compared with CNN. Here, input is directly connected to output layer, and it is illustrated as,

$\displaystyle\varpi=\tau(d)+d$ (6)

In addition, the element matching factor is utilized for matching the output and input dimension, and it is specified by,

$\displaystyle\varpi=\tau(d)+\rho\cdot d$ (7)

where $\varpi$ denotes residual block output, $\rho$ refers dimension matching factor, $\tau$ indicates mapping relationship among output and input layer, and $d$ symbolizes input.

Linear classifier: The classifier used for the graphical password authentication procedure is called a linear classifier. In general, a Fully Connected layer and softmax function are expected in a linear classifier. The Fully Connected layer, which has linked multi-layer perceptrons and integrates all neuron from one layer to another, is the exception. Additionally, dot product, which is defined by, is used to estimate the Fully Connected layer is given

$\displaystyle\varpi=\rho_{O\times P}d_{Q\times P}+\tau_{O\times P}$ (8)

Using the softmax function, the input value is normalized to a probability vector that is a member of all classes, with the class with the highest probability being chosen as the successful class in the graphical password authentication process.

$\displaystyle\eta({d_{\delta}})=\frac{y^{d_{\delta}}}{\sum\limits_{z=1}^{% \omega_{0}}{y^{d_{\delta}}}},\delta=1,2,\ldots,\omega_{0}$ (9)

where $\omega_{0}$ specifies output dimension, $d_{\delta}$ refers exact portion in output layer, $\rho_{O\times P}$ is weight matrix with $O\times P$ dimension and $d_{Q\times P}$ indicates input feature map with $Q\times P$ dimension. Therefore, the edge detected image is obtained as output from DRN model.

3.2 Login phase

Once the registration phase is completed, then login phase is performed. The user gives the user Identity for login. The server asks to enter session password, but the user only knows the secret pass images. Thus, the server sends set of images to user, such that user has to click the intersection image. The example of selecting intersection image is explained as follows, the set of images exposed to user is displayed in Fig. 4. Here, six set of images are considered if the user selected image is 2 and 8, then the corresponding intersection image 4 is clicked by the user.

Figure 4.

Set of images shown to user by server.

After that, the server is refreshed and another set of images is generated automatically and it is transmitted to user, which is displayed in Fig. 5. Here, six set of images are considered if the user selected image is 10 and 11, then the corresponding intersection image seven is clicked by user. Therefore, 4, 7 is the corresponding session password.

Figure 5.

Another set of images shown to user by server.

If the user click correct image, then the user will be logged in. If the intersection images clicked by user are incorrect, then user will not be logged in.

3.3 Authentication phase

The process of confirming that someone or something is, in fact, who or what it claims to be is known as authentication. By comparing a user’s credentials to those stored in a database of authorized users or on a data authentication server, authentication technology controls access to systems. The graphical password authentication process’s last phase is the authentication phase. The user reaches the authentication phase if the session password they provided is accurate. The user receives the challenge set from the server at this point. Within a set amount of time, the user must recognize the photographs of the secret pass from it. The user will be blocked if the limit is exceeded. The created approach confronts a user with the challenge set presented on the user interface during the authentication process. Every pass sketch must be predicted by the user. In order to prevent shoulder surfing attacks, every sketch picture included in the challenge set is also accessible for all authentication attempts in a random structure. In order to reduce password guessing attacks, this newly developed model enforces the lock-out strategy to ban users who repeatedly fail to pass authentication. Based on specific security requirements, the precise number of failed attempts must be given. After being blocked, a user cannot be unblocked without providing additional credentials.

If the user identified the secret pass images from the set wrong, then the challenge set is made complicated as time evolves. Moreover, edge detection is performed over the detected output generated previously, tending to decrease the image quality in order to reduce the attacks. This graphic password authentication model evolves pass sketches to more shoulder surfing resilient versions by decreasing detectable information included in all pass sketch. The evolving operations are carried out occasionally or continuously, depending on the user configuration. Besides, the developed model permits the users to initiate evolving functions at any time as requested. Figure 6 shows the processes involved in the authentication phase.

Figure 6.

Authentication phase.

4. Results and discussion

This section displays the findings and analysis of the developed DRN based GPass technique for graphical password authentication. This part discusses the experimental setup, dataset description, performance measures, experimental findings, comparative methods, comparative analysis, and comparative commentary.

4.1 Experimental setup

Python is used to run the created graphical password authentication method along with Windows 10 OS, 8GB RAM, and an Intel Core i3 processor.

4.2 Database description

The execution of the developed graphical password authentication model is performed by means of corel-10k (dataset #1) [20], and GHIM-10k part 1 (dataset #2) [20] and it is explained as follows.

Corel-10k database: This database comprises 100 groups along with 10,000 images from several parts, like flowers, sunset, horses, car, fishes, food, building, door, mountains, and so on. Moreover, every group comprises 100 images with the dimension of $192\times 128$ or $128\times 192$ in JPEG structure.

Figure 7.

Sample output of developed graphical password authentication method using datasets #1 and #2 with six and eight secret pass images.

GHIM-10k part 1 dataset: This data contains 20 groups with 10000 images, each of them are from various divisions, namely car, flower, sunset, mountains, insect etc. Every group embraces 500 images with $300\times 400$ or $400\times 300$ dimensions in JPEG format.

4.3 Experimental results

This section exposes the experimental outcome of the developed graphical password authentication method. The experimental output of the developed graphical password authentication technique using dataset #1 and 2with six and eight secret pass images is explicated in Fig. 7. Figure 7 displays the registration images #1, $\sim$ #4, as well as edge detection images #1, $\sim$ #4.

4.4 Comparative methods

The existing graphical password authentication methods, namely EvoPass [1], Polynomial-based Google Map Graphical Password (P-GMGP) system [2], LocPass [5], and graphical password technique [9] are considered for evaluating the performance of developed DRN based GPass algorithm.

4.5 Comparative analysis

This section examines the comparative analysis of the created DRN based GPass approach using Information Retention Rate (IRR) and Password Diversity Score (PDS) based on datasets #1 and #2 and altering the amount of secret pass images.

4.5.1 Comparative analysis using dataset #1

This section exposes the comparative analysis of the developed DRN based GPass scheme with six and eight secret pass images by altering distortion parameter in terms of IRR and PDS based on dataset #1.

a) Based on six secret pass images

Figure 8 represents the comparative analysis of developed DRN based GPass using dataset #1 by changing distortion parameter in terms of IRR and PDS. Figure 8a depicts the comparative analysis of developed DRN based GPass model with six secret pass images by varying distortion parameter in terms of IRR. The IRR of developed DRN based GPass is 0.2945, whereas EvoPass, P-GMGP system, LocPass, and graphical password approaches are 0.4465, 0.4587, 0.3456, and 0.4836 for 0.7 distortion parameter. The comparative analysis of developed DRN based GPass with eight secret pass images by altering distortion parameter with respect to PDS is specified in Fig. 8b. When the distortion parameter is 0.7, the PDS of EvoPass, P-GMGP system, LocPass, graphical password method and DRN based GPass algorithm are 0.4628, 0.5432, 0.3769, 0.5237, and 0.2734. Figure 8c shows the Standard deviation for IRR. The standard deviation for IRR of developed DRN based GPass is 0.151, whereas EvoPass, P-GMGP system, LocPass, and graphical password approaches are 0.155, 0.160, 0.191, and 0.168. Figure 8d shows the Standard deviation for PDS. The standard deviation for PDS of developed DRN based GPass is 0.194, whereas EvoPass, P-GMGP system, LocPass, and graphical password approaches are 0.202, 0.147, 0.163, and 0.155.

Figure 8.

Comparative analysis of developed Deep Residual Network (DRN) based GPass based on dataset #1 with six secret pass images by varying distortion parameter.

b) Based on eight secret pass images

The comparative analysis of developed DRN based GPass using dataset #1 by changing distortion parameter in terms of IRR and PDS is exposed in Fig. 9. The comparative analysis of developed DRN based GPass with eight secret pass images by varying distortion parameter with respect to IRR is specified in Fig. 9a. When the distortion parameter is 0.7, PDS of EvoPass, P-GMGP system, LocPass, graphical password method and DRN based GPass algorithm are 0.3176, 0.2638, 0.2326, 0.2843, and 0.2054. Figure 9b depicts the comparative analysis of developed DRN based GPass model with eight secret pass images by varying distortion parameter in terms of IRR. The IRR of developed DRN based GPass is 0.2507, whereas EvoPass, P-GMGP system, LocPass, and graphical password approach are 0.4578, 0.4187, 0.6095, and 0.4263 for 0.7 distortion parameter. Figure 9c shows the Standard deviation for IRR. The standard deviation for IRR of developed DRN based GPass is 0.118, whereas EvoPass, P-GMGP system, LocPass, and graphical password approaches are 0.127, 0.127, 0.143, and 0.132. Figure 9d shows the Standard deviation for PDS. The standard deviation for PDS of developed DRN based GPass is 0.205, whereas EvoPass, P-GMGP system, LocPass, and graphical password approaches are 0.184, 0.171, 0.181, and 0.182.

Figure 9.

Comparative analysis of developed Deep Residual Network (DRN) based GPass based on dataset #1 with 8 secret pass images by varying distortion parameter.

4.5.2 Comparative analysis using dataset #2

This section exposes the comparative analysis of developed DRN based GPass scheme using dataset #2 with six and eight secret pass images by altering distortion parameter in terms of IRR and PDS.

a) Based on six secret pass images

Figure 10 represents the comparative analysis of developed DRN based GPass using dataset #1 by changing distortion parameter in terms of IRR and PDS. Figure 10a depicts the comparative analysis of developed DRN based GPass model with six secret pass images by varying distortion parameter in terms of IRR. The IRR of developed DRN based GPass is 0.2861, whereas EvoPass, P-GMGP system, LocPass, and graphical password approach are 0.4386, 0.4562, 0.3368, and 0.4761 for 0.7 distortion parameter. The comparative analysis of developed DRN based GPass with eight secret pass images by altering distortion parameter with respect to PDS is specified in Fig. 10b. When the distortion parameter is 0.7, the PDS of EvoPass, P-GMGP system, LocPass, graphical password method and DRN based GPass algorithm are 0.4459, 0.5179, 0.3523, 0.4951, and 0.2661. Figure 10c shows the Standard deviation for IRR. The standard deviation for IRR of developed DRN based GPass is 0.144, whereas EvoPass, P-GMGP system, LocPass, and graphical password approaches are 0.153, 0.159, 0.186, and 0.165. Figure 10d shows the Standard deviation for PDS. The standard deviation for PDS of developed DRN based GPass is 0.189, whereas EvoPass, P-GMGP system, LocPass, and graphical password approaches are 0.194, 0.141, 0.152, and 0.147.

Figure 10.

Comparative analysis of developed Deep Residual Network (DRN) based GPass using dataset #2 with six secret pass images by varying distortion parameter.

b) Based on eight secret pass images

The comparative analysis of developed DRN based GPass using dataset #2 by changing distortion parameter in terms of IRR and PDS is exposed in Fig. 11. The comparative analysis of developed DRN based GPass with eight secret pass images by varying distortion parameter with respect to IRR is specified in Fig. 11a. When the distortion parameter is 0.7, PDS of EvoPass, P-GMGP system, LocPass, graphical password method and DRN based GPass algorithm are 0.3098, 0.2545, 0.2297, 0.2819, and 0.2022. Figure 11b depicts the comparative analysis of developed DRN based GPass model with eight secret pass images by varying distortion parameter in terms of IRR. The IRR of developed DRN based GPass is 0.2622, whereas EvoPass, P-GMGP system, LocPass, and graphical password approach are 0.4479, 0.4039, 0.6095, and 0.4504 for 0.7 distortion parameter. Figure 11c shows the Standard deviation for IRR. The standard deviation for IRR of developed DRN based GPass is 0.116, whereas EvoPass, P-GMGP system, LocPass, and graphical password approaches are 0.124, 0.123, 0.123, and 0.141. Figure 11d shows the Standard deviation for PDS. The standard deviation for PDS of developed DRN based GPass is 0.165, whereas EvoPass, P-GMGP system, LocPass, and graphical password approaches are 0.180, 0.215, 0.181, and 0.192.

Table 1

Comparative discussion

Dataset	Metrics	Number of secret pass images	EvoPass	P-GMGP system	LocPass	Graphical password technique	Proposed Deep Residual Network (DRN) based GPass model
Dataset #1	Information Retention Rate (IRR)	6	0.3465	0.3164	0.2964	0.2643	0.1943
		8	0.1956	0.1942	0.1842	0.2045	0.1743
	Password Diversity Score (PDS)	6	0.3826	0.4289	0.3538	0.3945	0.1845
		8	0.3178	0.3589	0.4185	0.3153	0.1643
Dataset #2	Information Retention Rate (IRR)	6	0.3404	0.3147	0.2889	0.2602	0.1887
		8	0.1908	0.1873	0.1819	0.2028	0.1716
	Password Diversity Score (PDS)	6	0.3686	0.4089	0.3307	0.3730	0.1796
		8	0.3110	0.3462	0.4185	0.3331	0.1718

Figure 11.

Comparative analysis of developed Deep Residual Network (DRN) based GPass using dataset #2 with 8 secret pass images by varying distortion parameter.

4.6 Comparative discussion

Table 1 explicates a comparative discussion of the developed DRN based GPass method based on dataset #1 and 2 with the number of secret pass images six and eight in terms of IRR and PDS. The IRR value of EvoPass, P-GMGP system, LocPass, graphical password model, and developed DRN based GPass is 0.3465, 0.3164, 0.2964, 0.2643, and 0.1943, while the distortion parameter is 0.9 with six number of secret pass images. When, the distortion parameter is 0.9 with 8 number of secret pass images, then the PDS of the developed DRN based GPass approach is 0.1743, whereas EvoPass is 0.1956, P-GMGP system is 0.1942, LocPass is 0.2964, and graphical password algorithm is 0.2643. Thus, the developed DRN based GPass method obtained better performance with IRR of 0.1716 based on dataset #2 with number of secret pass images is 8 and PDS of 0.1643 using dataset #1 with the number of secret pass images is 8.

5. Conclusion

This paper presents an effective graphical password authentication model against shoulder-surfing attacks based on the developed Deep Residual Network (DRN) based Graphical Password (GPass) scheme. This graphical password authentication method involves three segments, like registration, login and authentication stage. The initial phase is the registration phase where the user enters the user Identity and subsequently secret pass images are selected from the set of images shown by the server. The server generates the session password based on the secret pass images, such that the challenge set is created from the secret pass images. The user provides a username and session password based on the secret pass images for the login process. Once the user name and session password is given, the user is logged in only if the session password is correct. The performance of the developed graphical password authentication model is evaluated using two metrics, namely Information Retention Rate (IRR) and Password Diversity Score (PDS) of 0.1716 and 0.1643. Furthermore, the developed DRN based GPass method can be further extended by including other deep learning models.

Footnotes

Author’s Bios

	Norman Ignatius Dias is a research scholar at Dayananda Sagar University Bengaluru, he pursued Bachelor of Computer Engineering from Goa University and Master of Computer Science in year 2013. He also pursued PG Diploma in Embedded System and Design at Centre of Development and Advanced Computing C-DAC, Kolkata. He is currently working as Assistant Professor in Department of Computer Engineering, at Don Bosco College of Engineering, Goa University since 2014. His main research work focuses on Human Computer Interaction. He has 9 years of teaching experience.
	Mouleeswaran Singanallur Kumaresan working as Assistant Professor in the department of Computer Engineering at Dayananda Sagar University. He earned his doctorate from Anna University Chennai, Masters (M.E) from Anna University Chennai and B.E (CSE) from Bharadidasan University, Trichy. He has more than 14 years of Teaching, 2 years of Industry and 8 years of Research experience. He has many publications in reputed journals, conferences and guided both UG and PG thesis. His research interests are in the areas of Cloud computing, IoT, Computer Networks, Software Engineering, Network security and Mobile Computing.
	Reeja Sundaran Rajakumari a Professor in the Department of Computer Science and Engineering, at VIT AP. She earned her Ph.D in Computer Science & Engineering from Visvesvaraya Technological University (VTU), Govt. of Karnataka for her thesis Real Time Video Denoising. She has nearly 12 years of teaching experience in various engineering colleges and 5 years of research experience in the concerned field. She has worked in VSSC/ISRO as a Research Assistant in QRSG (Quality Assurance & Reliability Software & mission Group) for 1 year. She has published 8 international Journal, 1 national journal, 5 international conferences and 3 national conferences. She was also a Programme committee member for the first international conference on bioinformatics and bioscience (ICBB) held in Pune, first international conference on Computer science and information technology (CoSIT) held in Royal orchid centre Bangalore, the second international conference on Artificial intelligence and Application(ARIR) in Switzerland and the fourth international conference on Natural Language Processing (NLP) in Australia
and Editorial Board member of an international journal Signal and image processing (SIPIJ).

References

Wang

Zhu

W.T.

and Song

, EvoPass: Evolvable graphical password against shoulder-surfing attacks, Computers & Security 70 (2017), 179–198.

Zhou

Yang

C.N.

Yang

and Sun

, Polynomial-based Google map graphical password system against shoulder-surfing attacks in cloud environment, Complexity 1 (2019), 1–8.

Zhou

Liu

Wang

and Jiang

, PassGrid: Towards graph-supplemented textual shoulder surfing resistant authentication, In the proceeding of International Symposium on Security and Privacy in Social Networks and Big Data, Springer Heidelberg 1095 (2019), 251–263.

Yee

C.S.

and Ang

T.F.

, Preventing shoulder-surfing attacks using digraph substitution rules and pass-image output feedback, Symmetry 11(9) (2019), 1–16.

Yee

Adebimpe

L.A.

Idris

M.Y.

Khaw

C.S.

and Ku

C.S.

, LocPass: A graphical password method to prevent shoulder-surfing, Symmetry 11(10) (2019), 1–20.

Panda

Kumari

and Mondal

, SGP: A Safe Graphical Password System Resisting Shoulder-Surfing Attack on Smart phones, in: In the Proceeding of International Conference on Information Systems Security, Bangalore, India, 2018, pp. 129–145.

Pandey

, Restricting shoulder surfing: A modified graphical password Technique, International Journal of Research in Industrial Engineering 8(4) (2019), 394–405.

Hanif

Sohail

Shehrbano

A.T.

and Babar

M.I.

, A new shoulder surfing and mobile key-logging resistant graphical password scheme for smart-held devices, Editorial Preface From the Desk of Managing Editor 10(9) (2019), 432–437.

Gokhale

M.A.

and Waghmare

V.S.

, The shoulder surfing resistant graphical password authentication technique, Procedia Computer Science 79 (2016), 490–498.

10.

Chen

Cheng

and Lin

, Deep residual network based fault detection and diagnosis of photovoltaic arrays using current-voltage curves and ambient conditions, Energy Conversion and Management 198 (2019), 111793.

11.

Por

L.Y.

C.S.

Islam

and Ang

T.F.

, Graphical password: Prevent shoulder-surfing attack using digraph substitution rules, Frontiers of Computer Science 11(6) (2017), 1098–1108.

12.

Dhamija

and Perrig

, Deja Vu-A User Study: Using Images for Authentication, in: In the proceeding of USENIX Security Symposium, USENIX Association, Vol. 9, 2000.

13.

Biddle

Chiasson

and Van Oorschot

P.C.

, Graphical passwords: Learning from the first twelve years, ACM Computing Surveys 44(4) (2012), 1–41.

14.

Lin

Tang

and Yao

, Dynamic sampling approach to training neural networks for multiclass imbalance classification, IEEE Transactions on Neural Networks and Learning Systems 24(4) (2013), 647–660.

15.

Quinlan

J.R.

, C4. 5: programs for machine learning, Elsevier, 2014.

16.

Rahman

M.M.

and Davis

, Cluster based under-sampling for unbalanced cardiovascular data, in: In the Proceedings of the World Congress on Engineering, London, U.K., Vol. 3, 2013, pp. 1–6.

17.

Alsaiari

Papadaki

Dowland

P.S.

and Furnell

S.M.

, A Review of Graphical Authentication Utilising a Keypad Input Method, in: In the Proceedings of the Eighth Saudi Students, London, U.K., 2016.

18.

Maity

Dhane

D.M.

Mungle

Chakraborty

Deokamble

and Chakraborty

, A Secure One-Time Password Authentication Scheme Using Image Texture Features, in: In the Proceedings of the International Symposium on Security in Computing and Communication, Vol. 625, 2016, pp. 283–294.

19.

Por

L.Y.

Lim

X.T.

M.T.

and Kianoush

, The design and implementation of background Pass-Go scheme towards security threats, WSEAS Transactions on Information Science and Applications 5(6) (2008), 943–952.

20.

Corel-10k and GHIM-10k datasets taken from. http://www.ci.gxnu.edu.cn/cbir/Dataset.aspx. accessed on September 2021.