Continuous Authentication on Smartphones Using An Artificial Immune System

Nawaf Aljohani, Joseph Shelton, Kaushik Roy
Department of Computer Science, North Carolina A&T State University, Greensboro, U.S.A.
naaljoha@aggies.ncat.edu

Abstract

Most authentication systems require users to present credentials, either a password or biometric data, in order to authenticate. However, as long as the user remains active in the system, there is no mechanism to verify whether the user who provided the credentials is still in control of the device. Most mobile devices rely on passwords and physical biometrics to authenticate users only when they start using the device. Active authentication based on analyzing the user's touch interaction could be a reasonable way to verify that a legitimate user is still in control of a smartphone or tablet. In this research, an Artificial Immune System (AIS) is proposed to continuously authenticate users based on their touch patterns. Our results show that AIS is able to actively authenticate 96.89% of the users correctly.

Introduction

During the authentication process, a primary concern for users and designers is the level of security. The process of authenticating an individual must be both secure and effective to be applicable to a real-world authentication system. If the authentication process is compromised, other properties of the system, such as availability, confidentiality, and integrity, are easily compromised as well. Knowledge-based authentication methods, such as passwords or PINs, have several drawbacks, but many systems still use them to authenticate legitimate users because of their simplicity and flexibility. This research proposes a method that authenticates users based on finger swipe movements. Touch screen technology is used in many mobile devices, where users can access various data and resources at any time.
Most smartphones use PINs to authenticate users. However, a traditional PIN typically consists of four to eight digits, making it easy to guess because of its small password space and thus vulnerable to attacks [Chang et al., 2012]. Nowadays, most mobile devices use graphical passwords, which have a larger and more accepted password space. Although graphical passwords increase the password space on touch screen handheld mobile devices, there is no further authentication after the touch screen is unlocked. Thus, an attacker who gains access to a device after it is unlocked can access and control all of the user's data and resources. This research aims to continuously authenticate users, without asking them to provide their login information multiple times, while the smartphone or tablet is in use.

Copyright held by the author(s).

In this research, an artificial immune system (AIS) approach is used to secure mobile devices. The immune system is considered to be a highly complex functional system that protects the body from foreign disease-causing pathogens [Shojaie and Moradi, 2008]. Immunology inspired researchers to develop the computational intelligence technique called AIS. AIS has been used to solve complex computational problems such as classification, recognition, and network security [Dudek, 2012]. This research makes use of an AIS that can continuously keep track of changes in the environment by recognizing the patterns of 'self' and by predicting and detecting new patterns of 'non-self'. It uses a set of 11 behavioral touch features that were extracted while users were interacting with their smartphones. The touch data was collected from 100 users, and each subject has 100 instances [Sitová et al., 2016]. This research proposes the use of an AIS to continuously authenticate smartphone users, thereby enhancing the security of the smartphone.
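The self/non-self idea described above can be illustrated with real-valued negative selection, one common AIS technique. This is an added example, not the authors' code: the text here does not say which AIS algorithm the paper uses, and the function names, radii, window size and swipe data are all assumptions constructed for illustration.

```python
import math
import random

N_FEATURES = 11  # the page uses 11 behavioural touch features

def train_detectors(self_samples, n_detectors, self_radius, rng):
    """Negative selection: keep random detectors that match no 'self' sample."""
    detectors = []
    while len(detectors) < n_detectors:
        centre = [rng.random() for _ in range(N_FEATURES)]
        nearest_self = min(math.dist(centre, s) for s in self_samples)
        if nearest_self <= self_radius:
            continue  # candidate overlaps self space: censor it
        # Variable radius: grow the detector until it touches self space.
        detectors.append((centre, nearest_self - self_radius))
    return detectors

def is_non_self(sample, detectors):
    """A swipe is 'non-self' if it falls inside any detector."""
    return any(math.dist(sample, c) < r for c, r in detectors)

def session_locked(swipes, detectors, window=5, max_non_self=2):
    """Continuous check: lock once a sliding window holds too many non-self swipes."""
    flags = [is_non_self(s, detectors) for s in swipes]
    return any(sum(flags[i:i + window]) > max_non_self
               for i in range(max(1, len(flags) - window + 1)))

def constructed_swipes(centre, n, rng, sigma=0.02):
    """Constructed data: swipes jittered around a per-user centre, clipped to [0, 1]."""
    return [[min(1.0, max(0.0, rng.gauss(centre, sigma))) for _ in range(N_FEATURES)]
            for _ in range(n)]

def demo():
    rng = random.Random(2017)  # fixed seed so the run is repeatable
    owner_train = constructed_swipes(0.3, 50, rng)   # enrolment swipes ('self')
    owner_later = constructed_swipes(0.3, 20, rng)   # same user, later session
    intruder = constructed_swipes(0.7, 20, rng)      # different user
    detectors = train_detectors(owner_train, 200, self_radius=0.2, rng=rng)
    return {
        "owner_locked": session_locked(owner_later, detectors),
        "handover_locked": session_locked(owner_later + intruder, detectors),
        "intruder_flagged": sum(is_non_self(s, detectors) for s in intruder),
        "train_flagged": sum(is_non_self(s, detectors) for s in owner_train),
    }

if __name__ == "__main__":
    print(demo())
```

The `self_radius` margin is what trades false rejections of the owner against missed intruders: any swipe within that distance of an enrolment sample can never be flagged.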
Related Work

Sitová et al. proposed a set of behavioral features based on hand movement, orientation, and grasp to continuously authenticate mobile users [Sitová et al., 2016]. The data is collected from 100 participants under two conditions:

Nawaf Aljohani et al. MAICS 2017 pp. 171–174