Oxford BioChronometrics’ eDNA: Defeating Bots + New Security Technology


“Biochronometrics” – lurking behind this complex name are some of the most serious, fascinating issues for the future of Web advertising, cyber security, BYOD authentication and the Mobile Cloud.

Dean Stamos, a friend who is U.S. President for Luxembourg-based Oxford BioChronometrics (OBC), explained that the company has developed the concept of eDNA (electronically Defined Natural Attributes). This consists of “hundreds of behavioral markers” that can be gathered from almost any connected device to provide a highly accurate authentication of the user.

Inputs From Sensors, User Behavior

OBC originated from pioneering work at Oxford led by founder Adrian Neal on analyzing data from user interactions over the Internet through mobile and desktop devices. It’s well established that every user has distinctive ways of using a device – examples are speed of typing (or touching a screen), movement of a mouse, etc.

With the addition of a vast array of sensors in mobile devices, it is obvious that the amount of information that can be collected about the device, the behavior patterns of the user and even their physical setting, is exploding.

OBC has identified up to 480 data points that can be extracted from a user’s interaction with a displayed screen, such as a website. The company has developed a series of proprietary algorithms, which it calls its Human Recognition Technology, for analyzing this data on a continuous basis to derive an individual user’s eDNA.

Individual’s eDNA – “Unique” Not Replicable

OBC claims that the pattern derived, the eDNA for any user, is “so unique, it can’t be replicated.” It states:

“Once a user’s e-DNA is established, no matter what device they use, password they enter, or site they visit, if the content they are visiting has our software installed, we can verify exactly who the person is.”

Stamos explains that user behavior may differ by type of device – a smartphone versus a tablet, for example – so that a different profile would have to be derived for a single user, by device type.

OBC embeds a small JavaScript code – its collection code – in a site, which may be a website, app, or other location. The software is capable of collecting the 480 different items of data about the device, the user’s behavior and their setting.

Three Key Steps In The System

While the technology definitely sounds nifty, understanding the entire process leads to identifying just how dramatic some of the implications are for the future of web advertising and other areas.

Stamos describes this process as having three “levels.”

The initial level involves distinguishing whether the user is a person or a “bot.”

The second level involves recognition of the device.

Finally, there is the “biochronometrics” – measurement of a user’s behavior on a continuous basis, using factors from among the 480 data points that can be collected. (“Bio” “chronometrics,” the company explains, is meant to signify “life signs” that are “measured over time.”)

The data points can include data from various sensors on cellphones, such as gyroscopes or accelerometers, GPS location data, as well as individual characteristics, such as typing cadence or mouse movements. Stamos emphasizes that it is the “combination of data” that yields a unique identification of the user.

While the vast array of data points is available, the company states that “only a fraction of them are normally needed to achieve an accepted confidence level” about the subject.

Big Implication No. 1 – Web Advertising

The first thing that jumped out of this process was the value of knowing whether hits on websites were coming from bots or from humans. This may have been almost an unforeseen consequence as far as OBC was concerned, according to how Stamos described it.

There has, however, been a raging fight in the advertising business about the question of how many “impressions” – which are the basis for paying for “pay-for-click” ads – are ever actually seen by a human.

Studies have come up with various estimates, almost all of which concluded that most such impressions were never seen by a person. In early 2015 OBC released results of their own study. The company placed ads on Google, Yahoo, Facebook and LinkedIn ad platforms.

After monitoring the sites, OBC announced that between 88% and 98% of digital ad engagement appeared to be fraudulent. While all four of the companies’ results were dismal, the study pointed to Google as having the worst performance, i.e., “98% bot fraud.”

Stamos told us that the advertising segment of the business has been getting the most traction in the marketplace. He mentioned a leading advertising company client they have in Europe.

The click fraud area is a juicy one and has already been the subject of lawsuits, e.g., Google paid $90 million to settle a claim back in 2006. It continues to rage on (see “The Alleged $7.5 Billion Fraud in Online Advertising,” moz.com, 6/22/15).

Other Major OBC Markets

However, rather than having aimed explicitly at web advertising, OBC intended its technology to be a generalized solution for authentication requirements throughout a wide range of industries. The company lists on its site potential solutions for: eCommerce, Financial Services, Government, Enterprises and SMEs, as well as Web Developers.

Stamos states that strong NDAs prevent the company from revealing any of its clients or prospective clients. However, he did indicate that financial services was high on their list and that they are also talking to certain government agencies.

Summary Of Benefits

Stamos points to several advantages of the company’s technology.

Ease of Use. It is relatively easy to implement and is transparent to end users, requiring no downloads to their devices, nor any passwords or other actions by them.

Speed. It can analyze the multiplicity of factors in fractions of a second and produce a conclusion that the user is the individual they claim to be within a specified confidence level.

Flexibility. Clients can specify the confidence level they require. As an illustration, he states that a bank might require a confidence level of, for example, 60% for a customer checking an account balance, but 90% or higher for transferring funds.

Continuous Tracking. The user behavior is continuously reported and analyzed during the session, so that, for example, a session could be terminated if a change occurs that causes the confidence level to drop below the required threshold.

Difficult To Hack. Because the system uses a combination of factors, which may also change during a session and because the potential hacker will not know which specific factors are used during a given session, or how they are weighted, it presents a monumental challenge to attackers.
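The “Flexibility” and “Continuous Tracking” points above, sketched as an added example that is not OBC’s code: a session receives a stream of confidence scores and gates each action on its own threshold. The 60% and 90% figures come from the bank illustration; the action names, the session floor, the “step_up” outcome and the fail-closed handling of bad scores are assumptions.

```python
import math
from dataclasses import dataclass, field

# Per-action thresholds from the article's bank illustration (action names are hypothetical).
THRESHOLDS = {"check_balance": 0.60, "transfer_funds": 0.90}
SESSION_FLOOR = 0.40  # assumption: below this the session is ended outright

@dataclass
class Session:
    confidence: float = 0.0   # latest score from a (hypothetical) behavioral scorer
    terminated: bool = False
    log: list = field(default_factory=list)

    def report(self, score) -> None:
        """Ingest one continuously reported confidence score in [0, 1]."""
        if self.terminated:
            return  # a terminated session never recovers; user must re-authenticate
        # Fail closed: a non-numeric, NaN or out-of-range score counts as no confidence.
        if not isinstance(score, (int, float)) or math.isnan(score) or not 0.0 <= score <= 1.0:
            score = 0.0
        self.confidence = float(score)
        if self.confidence < SESSION_FLOOR:
            self.terminated = True
            self.log.append(("terminate", self.confidence))

    def authorize(self, action: str) -> str:
        """Return 'allow', 'step_up' (ask for another factor) or 'deny'."""
        if self.terminated:
            return "deny"
        required = THRESHOLDS.get(action)
        if required is None:
            return "deny"  # unknown action: fail closed rather than default-allow
        decision = "allow" if self.confidence >= required else "step_up"
        self.log.append((action, decision, self.confidence))
        return decision

def replay(events):
    """Replay a session: floats are reported scores, strings are requested actions."""
    session, decisions = Session(), []
    for item in events:
        if isinstance(item, str):
            decisions.append(session.authorize(item))
        else:
            session.report(item)
    return decisions

# Constructed sample session (not real data): confidence rises, then collapses mid-session.
SAMPLE = [0.72, "check_balance", "transfer_funds", 0.95, "transfer_funds",
          0.30, "check_balance", 0.99, "check_balance"]
```

Calling replay(SAMPLE) shows the fund transfer held back until confidence reaches 90%, and every request refused once the score drops below the floor, even after a later high score.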

Stamos emphasizes that the company’s technology produces a “non-deterministic” result that is continuous. Other methods, such as fingerprint identification or passwords, while having certain attractions, are “deterministic.” With a deterministic system, there is no randomness to the result, as there is with biochronometrics. He points out that the longer a deterministic system is used where there is a static result, the more opportunity it affords an attacker to break into the system.

Our Take

We’ve written extensively, over the past three years, about the potential for using sensor-based data from mobile devices. Stamos confirmed that the system obviously gets far more input about users on mobile devices than non-mobile ones.

It appears to us that there should be a great deal of interest in the enterprise area, since virtually every firm is struggling with the BYOD invasion and that situation only increases in complexity as companies try to integrate various parties in their ecosystem, such as suppliers, partners, etc. Authentication issues are of critical importance, in terms of preventing attacks and also enforcing rules as to range of access different parties have to different levels of company information.

Stamos told us that OBC has raised significant financing. It has been suggested that the technology might be susceptible to some resistance from users fearing that their identities and privacy can be compromised. The company emphasizes, however, that it does not identify individuals. It merely assigns an alphanumeric code to the eDNA pattern it has identified and does not capture names or other personal data.

It would appear that users would be favorably disposed to the enhanced sense of security, the ease of the system, and the benefits of tightening up the digital advertising business. Disposing of CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) – those horrible, often undecipherable combinations of letters and numbers one must enter to confirm one’s identity (and which advanced bots have increasingly learned to neutralize) – would undoubtedly be appreciated by all users.

In addition, it should be remembered that it is the consumer who pays for bot fraud in online advertising, something of which it might do well to remind them – just as the insurance industry has run nationwide ads explaining that the insurance consumer pays for insurance fraud.

OBC can expect, and is already experiencing, competition. There has been interest at other learning centers in exploring how to use data about mobile device usage and sensor readings for different applications. An example in an area quite apart from OBC’s system was Ginger.io, a company emanating from work done at MIT that uses mobile activity and sensor information to remotely monitor possible problems arising for mental health patients, which we wrote about in 2014 (“mHealth: Ginger.io & Personal Zen – New Approaches To Data,” 7/1/14). Direct competitors to date have emerged for OBC in Sweden and Israel. However, this is a very large potential market, so that OBC, as an early entrant, has plenty of opportunity.

Visit their website: www.oxford-biochron.com
