Research On Password Guessing Algorithm Based On Classical Machine Learning

Posted on: 2020-12-30
Degree: Master
Type: Thesis
Country: China
Candidate: Z J Zhang
GTID: 2518306182490354
Subject: Computer application technology
Abstract/Summary:
With the development of computer science, researchers have proposed a variety of new identity authentication technologies that have received wide attention, such as face recognition and fingerprint recognition. However, passwords will remain the most prevalent authentication method for the foreseeable future because of their simplicity, low cost and ease of change. Passwords have been plagued by security problems since they were born in the 1970s. Users usually choose easy-to-remember passwords, so password guessing attacks have become the biggest security threat faced by password-based authentication systems. In response to password guessing attacks, websites set up password strength meters to evaluate the security of users' passwords and prevent users from setting weak passwords. The most effective way to evaluate password strength is to use an attack algorithm to simulate an actual attack by an attacker.

At present, the prevalent password guessing algorithms are mostly based on traditional statistical learning methods, such as the PCFG algorithm and the Markov model. As the continuation and development of statistical learning, machine learning has shown good application results in more and more fields. As far as we know, research on applying machine learning to password guessing algorithms is still in its infancy, so whether a guessing algorithm based on machine learning can improve attack efficiency is a very practical research topic. Based on classical machine learning, this paper designs three better password guessing algorithms for three attack scenarios: trawling attack, targeted attack based on personal information (PI), and targeted attack based on password reuse behavior, which provides a basis for more accurate evaluation of password strength. This paper mainly completes the following work:

· Propose a trawling attack algorithm based on random forest. The trawling attack, which does not use any personal information to guess passwords, is one of the most common attack scenarios and one of the biggest threats to password security. By transforming password guessing into a common classification problem, we design a random forest-based trawling attack algorithm and verify its effectiveness through a number of experiments. Compared with the traditional password guessing algorithm, the crack rate and attack efficiency are greatly improved. Compared with the trawling attack algorithm based on deep learning proposed in 2016, there is no obvious improvement on small data sets, but on large data sets the proposed algorithm is 70% in training time and more than 3% higher in crack rate than the deep learning-based attack algorithm. So it has obvious advantages in both training time and attack rate.

· Propose a targeted attack algorithm for personal information based on random forest. To remember passwords more easily, users usually add personal information (PI) to their passwords. When evaluating password strength, websites tend to overlook the impact of PI and thus overestimate the strength of users' passwords. Once an attacker has access to the user's PI, it may be easy to crack what the website considers a strong password. We design an algorithm to extract the characteristics of PI used in passwords, then design a random forest-based targeted password guessing algorithm based on PI, and compare it with Targeted Markov, the best targeted password guessing algorithm based on PI in academia. The experimental results show that the crack rate of our algorithm is increased by 3%-10% under small guesses and 5%-18% under large guesses. Therefore, in terms of fitting ability and generalization ability, our proposed algorithm is significantly improved; it effectively solves the problems of PI matching and fitting principle that exist in the prevalent algorithms, and provides a more effective way to assess the threat of PI to password security more accurately.

· Propose a targeted attack algorithm for password reuse based on statistics and random forest. When users set passwords for websites, because of their limited memory they often reuse another password directly or make simple changes to it. Once an attacker has obtained one of a user's passwords, it may take only a few guesses to crack another. Based on statistical and random forest methods, we design a new targeted attack algorithm based on password reuse and compare it with Targuess II, which is the state of the art in academia. The experimental results show that our proposed algorithm can crack 2%-5% more passwords in 10 guesses. This algorithm can be used to better evaluate the reuse behavior of new passwords when users modify passwords.
Keywords/Search Tags: Identity Authentication, Machine Learning, Guessing Attack, Targeted Attack, Password Reuse