Deep Learning vs. Traditional Probabilistic Models: Case Study on Short Inputs for Password Guessing

Yuan Linghu; Xiangxue Li; Zhenlong Zhang

doi:10.1007/978-3-030-38991-8_31

Deep Learning vs. Traditional Probabilistic Models: Case Study on Short Inputs for Password Guessing

Yuan Linghu
, Xiangxue Li^*
, Zhenlong Zhang

^*Corresponding author for this work

Software Engineering Institute

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

6 Scopus citations

Abstract

The paper focuses on the comparative analysis of deep learning algorithms and traditional probabilistic models on strings of short lengths (typically, passwords). The password is one of the dominant methods used in user authentication. Compared to the traditional brute-force attack and dictionary attack, password guessing models use the leaked password datasets to generate password guesses, expecting to cover as many accounts as possible while minimizing the number of guesses. In this paper, we analyze the password pattern of leaked datasets and further present a comparative study on two dominant probabilistic models (i.e., Markov-based model and Probabilistic Context-Free Grammars (PCFG) based model) and the PassGAN model (which is a representative deep-learning-based method). We use Laplace smoothing for the Markov model and introduce particular semantic patterns to the PCFG model. Our output shows that the Markov-based models can cover the vast majority of the passwords in the test set and PassGAN demonstrates surprisingly the worst effect. Nevertheless, considering the threat that an attacker may adjust the training set, the PCFG model is better than the Markov model. Using Passcode with high-frequency passwords can increase the coverage while reducing the number of guesses. Brute-force attack can also work better when used in conjunction with probabilistic models. For the same billion guesses, brute-force attack can be used to crack pure digital passwords of 4 to 8 lengths, and original-PCFG and modified-PCFG could increase by 11.16% and 8.69%, respectively.

Original language	English
Title of host publication	Algorithms and Architectures for Parallel Processing - 19th International Conference, ICA3PP 2019, Proceedings
Editors	Sheng Wen, Albert Zomaya, Laurence T. Yang
Publisher	Springer
Pages	468-483
Number of pages	16
ISBN (Print)	9783030389901
DOIs	https://doi.org/10.1007/978-3-030-38991-8_31
State	Published - 2020
Event	19th International Conference on Algorithms and Architectures for Parallel Processing, ICA3PP 2019 - Melbourne, Australia Duration: 9 Dec 2019 → 11 Dec 2019

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	11944 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	19th International Conference on Algorithms and Architectures for Parallel Processing, ICA3PP 2019
Country/Territory	Australia
City	Melbourne
Period	9/12/19 → 11/12/19

Keywords

Deep learning
Markov model
PCFG
PassGAN
Password guessing

Access to Document

10.1007/978-3-030-38991-8_31

Cite this

Linghu, Y., Li, X., & Zhang, Z. (2020). Deep Learning vs. Traditional Probabilistic Models: Case Study on Short Inputs for Password Guessing. In S. Wen, A. Zomaya, & L. T. Yang (Eds.), Algorithms and Architectures for Parallel Processing - 19th International Conference, ICA3PP 2019, Proceedings (pp. 468-483). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11944 LNCS). Springer. https://doi.org/10.1007/978-3-030-38991-8_31

Linghu, Yuan ; Li, Xiangxue ; Zhang, Zhenlong. / Deep Learning vs. Traditional Probabilistic Models : Case Study on Short Inputs for Password Guessing. Algorithms and Architectures for Parallel Processing - 19th International Conference, ICA3PP 2019, Proceedings. editor / Sheng Wen ; Albert Zomaya ; Laurence T. Yang. Springer, 2020. pp. 468-483 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{fcbff6815fad44889c9031eb3501a29f,

title = "Deep Learning vs. Traditional Probabilistic Models: Case Study on Short Inputs for Password Guessing",

abstract = "The paper focuses on the comparative analysis of deep learning algorithms and traditional probabilistic models on strings of short lengths (typically, passwords). The password is one of the dominant methods used in user authentication. Compared to the traditional brute-force attack and dictionary attack, password guessing models use the leaked password datasets to generate password guesses, expecting to cover as many accounts as possible while minimizing the number of guesses. In this paper, we analyze the password pattern of leaked datasets and further present a comparative study on two dominant probabilistic models (i.e., Markov-based model and Probabilistic Context-Free Grammars (PCFG) based model) and the PassGAN model (which is a representative deep-learning-based method). We use Laplace smoothing for the Markov model and introduce particular semantic patterns to the PCFG model. Our output shows that the Markov-based models can cover the vast majority of the passwords in the test set and PassGAN demonstrates surprisingly the worst effect. Nevertheless, considering the threat that an attacker may adjust the training set, the PCFG model is better than the Markov model. Using Passcode with high-frequency passwords can increase the coverage while reducing the number of guesses. Brute-force attack can also work better when used in conjunction with probabilistic models. For the same billion guesses, brute-force attack can be used to crack pure digital passwords of 4 to 8 lengths, and original-PCFG and modified-PCFG could increase by 11.16\% and 8.69\%, respectively.",

keywords = "Deep learning, Markov model, PCFG, PassGAN, Password guessing",

author = "Yuan Linghu and Xiangxue Li and Zhenlong Zhang",

note = "Publisher Copyright: {\textcopyright} 2020, Springer Nature Switzerland AG.; 19th International Conference on Algorithms and Architectures for Parallel Processing, ICA3PP 2019 ; Conference date: 09-12-2019 Through 11-12-2019",

year = "2020",

doi = "10.1007/978-3-030-38991-8\_31",

language = "英语",

isbn = "9783030389901",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer",

pages = "468--483",

editor = "Sheng Wen and Albert Zomaya and Yang, \{Laurence T.\}",

booktitle = "Algorithms and Architectures for Parallel Processing - 19th International Conference, ICA3PP 2019, Proceedings",

address = "德国",

}

Linghu, Y, Li, X & Zhang, Z 2020, Deep Learning vs. Traditional Probabilistic Models: Case Study on Short Inputs for Password Guessing. in S Wen, A Zomaya & LT Yang (eds), Algorithms and Architectures for Parallel Processing - 19th International Conference, ICA3PP 2019, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 11944 LNCS, Springer, pp. 468-483, 19th International Conference on Algorithms and Architectures for Parallel Processing, ICA3PP 2019, Melbourne, Australia, 9/12/19. https://doi.org/10.1007/978-3-030-38991-8_31

Deep Learning vs. Traditional Probabilistic Models: Case Study on Short Inputs for Password Guessing. / Linghu, Yuan; Li, Xiangxue; Zhang, Zhenlong.
Algorithms and Architectures for Parallel Processing - 19th International Conference, ICA3PP 2019, Proceedings. ed. / Sheng Wen; Albert Zomaya; Laurence T. Yang. Springer, 2020. p. 468-483 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11944 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Deep Learning vs. Traditional Probabilistic Models

T2 - 19th International Conference on Algorithms and Architectures for Parallel Processing, ICA3PP 2019

AU - Linghu, Yuan

AU - Li, Xiangxue

AU - Zhang, Zhenlong

PY - 2020

Y1 - 2020

N2 - The paper focuses on the comparative analysis of deep learning algorithms and traditional probabilistic models on strings of short lengths (typically, passwords). The password is one of the dominant methods used in user authentication. Compared to the traditional brute-force attack and dictionary attack, password guessing models use the leaked password datasets to generate password guesses, expecting to cover as many accounts as possible while minimizing the number of guesses. In this paper, we analyze the password pattern of leaked datasets and further present a comparative study on two dominant probabilistic models (i.e., Markov-based model and Probabilistic Context-Free Grammars (PCFG) based model) and the PassGAN model (which is a representative deep-learning-based method). We use Laplace smoothing for the Markov model and introduce particular semantic patterns to the PCFG model. Our output shows that the Markov-based models can cover the vast majority of the passwords in the test set and PassGAN demonstrates surprisingly the worst effect. Nevertheless, considering the threat that an attacker may adjust the training set, the PCFG model is better than the Markov model. Using Passcode with high-frequency passwords can increase the coverage while reducing the number of guesses. Brute-force attack can also work better when used in conjunction with probabilistic models. For the same billion guesses, brute-force attack can be used to crack pure digital passwords of 4 to 8 lengths, and original-PCFG and modified-PCFG could increase by 11.16% and 8.69%, respectively.

AB - The paper focuses on the comparative analysis of deep learning algorithms and traditional probabilistic models on strings of short lengths (typically, passwords). The password is one of the dominant methods used in user authentication. Compared to the traditional brute-force attack and dictionary attack, password guessing models use the leaked password datasets to generate password guesses, expecting to cover as many accounts as possible while minimizing the number of guesses. In this paper, we analyze the password pattern of leaked datasets and further present a comparative study on two dominant probabilistic models (i.e., Markov-based model and Probabilistic Context-Free Grammars (PCFG) based model) and the PassGAN model (which is a representative deep-learning-based method). We use Laplace smoothing for the Markov model and introduce particular semantic patterns to the PCFG model. Our output shows that the Markov-based models can cover the vast majority of the passwords in the test set and PassGAN demonstrates surprisingly the worst effect. Nevertheless, considering the threat that an attacker may adjust the training set, the PCFG model is better than the Markov model. Using Passcode with high-frequency passwords can increase the coverage while reducing the number of guesses. Brute-force attack can also work better when used in conjunction with probabilistic models. For the same billion guesses, brute-force attack can be used to crack pure digital passwords of 4 to 8 lengths, and original-PCFG and modified-PCFG could increase by 11.16% and 8.69%, respectively.

KW - Deep learning

KW - Markov model

KW - PCFG

KW - PassGAN

KW - Password guessing

UR - https://www.scopus.com/pages/publications/85082139930

U2 - 10.1007/978-3-030-38991-8_31

DO - 10.1007/978-3-030-38991-8_31

M3 - 会议稿件

AN - SCOPUS:85082139930

SN - 9783030389901

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 468

EP - 483

BT - Algorithms and Architectures for Parallel Processing - 19th International Conference, ICA3PP 2019, Proceedings

A2 - Wen, Sheng

A2 - Zomaya, Albert

A2 - Yang, Laurence T.

PB - Springer

Y2 - 9 December 2019 through 11 December 2019

ER -

Linghu Y, Li X, Zhang Z. Deep Learning vs. Traditional Probabilistic Models: Case Study on Short Inputs for Password Guessing. In Wen S, Zomaya A, Yang LT, editors, Algorithms and Architectures for Parallel Processing - 19th International Conference, ICA3PP 2019, Proceedings. Springer. 2020. p. 468-483. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-38991-8_31

Deep Learning vs. Traditional Probabilistic Models: Case Study on Short Inputs for Password Guessing

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this