<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Publishing DTD v1.3 20210610//EN" "JATS-journalpublishing1-3.dtd">
<article article-type="research-article" dtd-version="1.3" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xml:lang="ru"><front><journal-meta><journal-id journal-id-type="publisher-id">mireabulletin</journal-id><journal-title-group><journal-title xml:lang="ru">Russian Technological Journal</journal-title><trans-title-group xml:lang="en"><trans-title>Russian Technological Journal</trans-title></trans-title-group></journal-title-group><issn pub-type="ppub">2782-3210</issn><issn pub-type="epub">2500-316X</issn><publisher><publisher-name>RTU MIREA</publisher-name></publisher></journal-meta><article-meta><article-id pub-id-type="doi">10.32362/2500-316X-2023-11-4-7-15</article-id><article-id custom-type="elpub" pub-id-type="custom">mireabulletin-730</article-id><article-categories><subj-group subj-group-type="heading"><subject>Research Article</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="ru"><subject>ИНФОРМАЦИОННЫЕ СИСТЕМЫ. ИНФОРМАТИКА. ПРОБЛЕМЫ ИНФОРМАЦИОННОЙ БЕЗОПАСНОСТИ</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="en"><subject>INFORMATION SYSTEMS. COMPUTER SCIENCES. ISSUES OF INFORMATION SECURITY</subject></subj-group></article-categories><title-group><article-title>Построение верификатора стойкости пароля с использованием классических методов машинного обучения и рекуррентной LSTM нейронной сети</article-title><trans-title-group xml:lang="en"><trans-title>Password strength verification based on machine learning algorithms and LSTM recurrent neural networks</trans-title></trans-title-group></title-group><contrib-group><contrib contrib-type="author" corresp="yes"><contrib-id contrib-id-type="orcid">https://orcid.org/0000-0003-1423-1072</contrib-id><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Беликов</surname><given-names>В. В.</given-names></name><name name-style="western" xml:lang="en"><surname>Belikov</surname><given-names>V. V.</given-names></name></name-alternatives><bio xml:lang="ru"><p>Беликов Владимир Вячеславович, к.воен.н., доцент, доцент кафедры информационной безопасности № 252 Института искусственного интеллекта </p><p>119454, Москва, пр-т Вернадского, д. 78</p><p>Scopus Author ID 57983605100</p></bio><bio xml:lang="en"><p>Vladimir V. Belikov, Cand. Sci. (Military), Assistant Professor, Department of Information Security, Institute of Artificial Intelligence</p><p>78, Vernadskogo pr., Moscow, 119454</p><p> Scopus Author ID 57983605100</p></bio><email xlink:type="simple">belikov_v@mirea.ru</email><xref ref-type="aff" rid="aff-1"/></contrib><contrib contrib-type="author" corresp="yes"><contrib-id contrib-id-type="orcid">https://orcid.org/0000-0003-0999-311X</contrib-id><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Прокуронов</surname><given-names>И. А.</given-names></name><name name-style="western" xml:lang="en"><surname>Prokuronov</surname><given-names>I. A.</given-names></name></name-alternatives><bio xml:lang="ru"><p>Прокуронов Иван Андреевич, специалист инженерно-криптографического анализа</p><p>127083, Москва, ул. Мишина, д. 56, стр. 2</p><p> </p></bio><bio xml:lang="en"><p>Ivan A. Prokuronov, Cryptographic Analysis Specialist</p><p>56/2, Mishina ul., Moscow, 127083</p></bio><email xlink:type="simple">miltumultik@gmail.com</email><xref ref-type="aff" rid="aff-2"/></contrib></contrib-group><aff-alternatives id="aff-1"><aff xml:lang="ru"><institution>МИРЭА – Российский технологический университет</institution><country>Россия</country></aff><aff xml:lang="en"><institution>MIREA – Russian Technological University</institution><country>Russian Federation</country></aff></aff-alternatives><aff-alternatives id="aff-2"><aff xml:lang="ru"><institution>СФБ Лаборатория</institution><country>Россия</country></aff><aff xml:lang="en"><institution>SFB Laboratory</institution><country>Russian Federation</country></aff></aff-alternatives><pub-date pub-type="collection"><year>2023</year></pub-date><pub-date pub-type="epub"><day>01</day><month>08</month><year>2023</year></pub-date><volume>11</volume><issue>4</issue><fpage>7</fpage><lpage>15</lpage><permissions><copyright-statement>Copyright &amp;#x00A9; Беликов В.В., Прокуронов И.А., 2023</copyright-statement><copyright-year>2023</copyright-year><copyright-holder xml:lang="ru">Беликов В.В., Прокуронов И.А.</copyright-holder><copyright-holder xml:lang="en">Belikov V.V., Prokuronov I.A.</copyright-holder><license xml:lang="ru" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>Данная работа распространяется под лицензией Creative Commons Attribution 4.0.</license-p></license><license xml:lang="en" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>This work is licensed under a Creative Commons Attribution 4.0 License.</license-p></license></permissions><self-uri xlink:href="https://www.rtj-mirea.ru/jour/article/view/730">https://www.rtj-mirea.ru/jour/article/view/730</self-uri><abstract><sec><title>Цель</title><p>Цель. Аутентификация с использованием паролей является одним из наиболее распространенных способов проверки подлинности в компьютерных системах. Существующие атаки на пароли, включающие в себя, в т.ч. атаки перебора и атаки по словарю, требуют не только защиты учетных данных пользователя на этапе эксплуатации паролей, но и определения требований к паролю, позволяющих повысить стойкость пароля к атакам, минимизируя возможность их реализации злоумышленником. Важной задачей при этом становится разработка верификатора, осуществляющего проверку пароля на стойкость и позволяющего исключить задание пользователем паролей, подверженных взлому. Построение верификатора с использованием методов машинного обучения позволяет алгоритмам самим формулировать требования к сложности пароля в произвольно комплексной форме, отталкиваясь только от инцидентов, имеющихся для каждой категории стойкости списков известных паролей.</p></sec><sec><title>Методы</title><p>Методы. Предложены алгоритмы машинного обучения с учителем: метод опорных векторов, случайный лес, бустинг, рекуррентная LSTM (long short-term memory) нейронная сеть. В эксперименте для предобработки данных применены метод простой индексации символов с последующей обработкой embedding-слоем и метод TF-IDF (term frequency-inverse document frequency). Для выбора гиперпараметров алгоритмов была использована кроссвалидация.</p></sec><sec><title>Результаты</title><p>Результаты. Проведен анализ рекомендаций и требований к паролям в международных и отечественных стандартах и возможности их реализации в виде верификатора стойкости пароля в различных операционных системах. Приведены результаты эксперимента на существующем наборе помеченных по уровню стойкости паролей. Проведена их оценка с использованием macro f1-меры.</p></sec><sec><title>Выводы</title><p>Выводы. Использование рекуррентной LSTM нейронной сети выделено как одно из наиболее перспективных направлений для построения верификатора стойкости пароля.</p></sec></abstract><trans-abstract xml:lang="en"><sec><title>Objectives</title><p>Objectives. One of the most commonly used authentication methods in computer systems, password authentication is susceptible to various attacks including brute-force and dictionary attacks. This susceptibility requires not only the strict protection of user credentials, but also the definition of criteria for increasing a password’s strength to minimize the possibility of its exploitation by an attacker. Thus, an important task is the development of a verifier for checking passwords for strength and prohibiting the user from setting passwords that are susceptible to cracking. The use of machine learning methods to construct a verifier involves algorithms for formulating requirements for password complexity based on lists of known passwords available for each strength category.</p></sec><sec><title>Methods</title><p>Methods. The proposed supervised machine learning algorithms comprise support vector machines, random forest, boosting, and long short-term memory (LSTM) recurrent neural network types. Embedding and term frequency–inverse document frequency (TF-IDF) methods are used for data preprocessing, while cross-validation is used for selecting hyperparameters.</p></sec><sec><title>Results</title><p>Results. Password strength recommendations and requirements from international and Russian standards are described. The existing methods of password strength verification in various operating systems are analyzed. The experimental results based on existing datasets comprising passwords having an associated level of strength are presented.</p></sec><sec><title>Conclusions</title><p>Conclusions. A LSTM recurrent neural network is highlighted as one of the most promising areas for building a password strength verifier.</p></sec></trans-abstract><kwd-group xml:lang="ru"><kwd>компьютерная безопасность</kwd><kwd>стойкость пароля</kwd><kwd>машинное обучение с учителем</kwd><kwd>рекуррентная нейронная сеть</kwd><kwd>LSTM</kwd></kwd-group><kwd-group xml:lang="en"><kwd>cybersecurity</kwd><kwd>password strength</kwd><kwd>supervised machine learning</kwd><kwd>recurrent neural network</kwd><kwd>LSTM</kwd></kwd-group></article-meta></front><back><ref-list><title>References</title><ref id="cit1"><label>1</label><citation-alternatives><mixed-citation xml:lang="ru">Conklin A., Dietrich G., Walz D. Password-based authentication: a system perspective. In: Proceedings of the 37th Annual Hawaii International Conference on System Sciences. 2004; IEEE. https://doi.org/10.1109/HICSS.2004.1265412</mixed-citation><mixed-citation xml:lang="en">Conklin A., Dietrich G., Walz D. Password-based authentication: a system perspective. In: Proceedings of the 37th Annual Hawaii International Conference on System Sciences. 2004; IEEE. https://doi.org/10.1109/HICSS.2004.1265412</mixed-citation></citation-alternatives></ref><ref id="cit2"><label>2</label><citation-alternatives><mixed-citation xml:lang="ru">Dell’Amico M., Michiardi P., Roudier Y. Password strength: An empirical analysis. In: 2010 Proceedings IEEE INFOCOM. 2010; IEEE. https://doi.org/10.1109/INFCOM.2010.5461951</mixed-citation><mixed-citation xml:lang="en">Dell’Amico M., Michiardi P., Roudier Y. Password strength: An empirical analysis. In: 2010 Proceedings IEEE INFOCOM. 2010; IEEE. https://doi.org/10.1109/INFCOM.2010.5461951</mixed-citation></citation-alternatives></ref><ref id="cit3"><label>3</label><citation-alternatives><mixed-citation xml:lang="ru">Chakrabarti S., Singhal M. Password-based authentication: Preventing dictionary attacks. Computer. 2007;40(6): 68–74. https://doi.org/10.1109/MC.2007.216</mixed-citation><mixed-citation xml:lang="en">Chakrabarti S., Singhal M. Password-based authentication: Preventing dictionary attacks. Computer. 2007;40(6): 68–74. https://doi.org/10.1109/MC.2007.216</mixed-citation></citation-alternatives></ref><ref id="cit4"><label>4</label><citation-alternatives><mixed-citation xml:lang="ru">Shay R., Komanduri S., Kelley P.G., Leon P.G., Mazurek M.L., Bauer L., Christin N., Cranor L.F. Encountering stronger password requirements: user attitudes and behaviors. In: Proceedings of the Sixth Symposium on Usable Privacy and Security. 2010; Article 2. https://doi.org/10.1145/1837110.1837113</mixed-citation><mixed-citation xml:lang="en">Shay R., Komanduri S., Kelley P.G., Leon P.G., Mazurek M.L., Bauer L., Christin N., Cranor L.F. Encountering stronger password requirements: user attitudes and behaviors. In: Proceedings of the Sixth Symposium on Usable Privacy and Security. 2010; Article 2. https://doi.org/10.1145/1837110.1837113</mixed-citation></citation-alternatives></ref><ref id="cit5"><label>5</label><citation-alternatives><mixed-citation xml:lang="ru">Селифанов В.В. Оценка эффективности системы защиты информации государственных информационных систем от несанкционированного доступа. Интеграция науки, общества, производства и промышленности: сборник статей Международной научно-практической конференции. 2016. С. 109–113. [Selifanov V.V. Evaluation of the efficiency of the information protection system of state information systems from unauthorized access. In: Integration of Science, Society, production and Industry: Collection of Articles of the International Scientific and Practical Conference. 2016. P. 109–113 (in Russ.).]</mixed-citation><mixed-citation xml:lang="en">Селифанов В.В. Оценка эффективности системы защиты информации государственных информационных систем от несанкционированного доступа. Интеграция науки, общества, производства и промышленности: сборник статей Международной научно-практической конференции. 2016. С. 109–113. [Selifanov V.V. Evaluation of the efficiency of the information protection system of state information systems from unauthorized access. In: Integration of Science, Society, production and Industry: Collection of Articles of the International Scientific and Practical Conference. 2016. P. 109–113 (in Russ.).]</mixed-citation></citation-alternatives></ref><ref id="cit6"><label>6</label><citation-alternatives><mixed-citation xml:lang="ru">Ferreira J.F., Johnson S.A., Mendes A., Brooke P.J. Certified password quality: a case study using Coq and Linux pluggable authentication modules. In: Integrated Formal Methods. IFM 2017. Lecture Notes in Computer Science. V. 10510. Springer International Publishing; 2017. P. 407–421. https://doi.org/10.1007/978-3-319-66845-1_27</mixed-citation><mixed-citation xml:lang="en">Ferreira J.F., Johnson S.A., Mendes A., Brooke P.J. Certified password quality: a case study using Coq and Linux pluggable authentication modules. In: Integrated Formal Methods. IFM 2017. Lecture Notes in Computer Science. V. 10510. Springer International Publishing; 2017. P. 407–421. https://doi.org/10.1007/978-3-319-66845-1_27</mixed-citation></citation-alternatives></ref><ref id="cit7"><label>7</label><citation-alternatives><mixed-citation xml:lang="ru">Alshare K.A., Lane P.L., Lane M.R. Information security policy compliance: a higher education case study. Information &amp; Computer Security. 2018;26(1):91–108. https://doi.org/10.1108/ICS-09-2016-0073</mixed-citation><mixed-citation xml:lang="en">Alshare K.A., Lane P.L., Lane M.R. Information security policy compliance: a higher education case study. Information &amp; Computer Security. 2018;26(1):91–108. https://doi.org/10.1108/ICS-09-2016-0073</mixed-citation></citation-alternatives></ref><ref id="cit8"><label>8</label><citation-alternatives><mixed-citation xml:lang="ru">AlSabah M., Oligeri G., Riley R. Your culture is in your password: An analysis of a demographically-diverse password dataset. Computers &amp; Security. 2018;77: 427–441. https://doi.org/10.1016/j.cose.2018.03.014</mixed-citation><mixed-citation xml:lang="en">AlSabah M., Oligeri G., Riley R. Your culture is in your password: An analysis of a demographically-diverse password dataset. Computers &amp; Security. 2018;77: 427–441. https://doi.org/10.1016/j.cose.2018.03.014</mixed-citation></citation-alternatives></ref><ref id="cit9"><label>9</label><citation-alternatives><mixed-citation xml:lang="ru">Ji S., Yang S., Wang T., Liu C., Lee W.H., Beyah R. Pars: Auniform and open-source password analysis and research system. In: ACSAC’ 15: Proceedings of the 31st Annual Computer Security Applications Conference. 2015. P. 321–330. https://doi.org/10.1145/2818000.2818018</mixed-citation><mixed-citation xml:lang="en">Ji S., Yang S., Wang T., Liu C., Lee W.H., Beyah R. Pars: Auniform and open-source password analysis and research system. In: ACSAC’ 15: Proceedings of the 31st Annual Computer Security Applications Conference. 2015. P. 321–330. https://doi.org/10.1145/2818000.2818018</mixed-citation></citation-alternatives></ref><ref id="cit10"><label>10</label><citation-alternatives><mixed-citation xml:lang="ru">Aizawa A. An information-theoretic perspective of TF–IDF measures. Information Processing &amp; Management. 2003;39(1):45–65. https://doi.org/10.1016/S0306-4573(02)00021-3</mixed-citation><mixed-citation xml:lang="en">Aizawa A. An information-theoretic perspective of TF–IDF measures. Information Processing &amp; Management. 2003;39(1):45–65. https://doi.org/10.1016/S0306-4573(02)00021-3</mixed-citation></citation-alternatives></ref><ref id="cit11"><label>11</label><citation-alternatives><mixed-citation xml:lang="ru">Bishop C.M. Pattern Recognition and Machine Learning. New York: Springer; 2006. 738 p.</mixed-citation><mixed-citation xml:lang="en">Bishop C.M. Pattern Recognition and Machine Learning. New York: Springer; 2006. 738 p.</mixed-citation></citation-alternatives></ref><ref id="cit12"><label>12</label><citation-alternatives><mixed-citation xml:lang="ru">Lever J., Krzywinski M., Altman N. Classification evaluation: It is important to understand both what a classification metric expresses and what it hides. Nat. Methods. 2016;13(8):603–604. https://doi.org/10.1038/nmeth.3945</mixed-citation><mixed-citation xml:lang="en">Lever J., Krzywinski M., Altman N. Classification evaluation: It is important to understand both what a classification metric expresses and what it hides. Nat. Methods. 2016;13(8):603–604. https://doi.org/10.1038/nmeth.3945</mixed-citation></citation-alternatives></ref><ref id="cit13"><label>13</label><citation-alternatives><mixed-citation xml:lang="ru">Medsker L.R., Jain L.C. (Eds.). Recurrent Neural Networks. Design and Applications. CRC Press; 2001. P. 64–67.</mixed-citation><mixed-citation xml:lang="en">Medsker L.R., Jain L.C. (Eds.). Recurrent Neural Networks. Design and Applications. CRC Press; 2001. P. 64–67.</mixed-citation></citation-alternatives></ref><ref id="cit14"><label>14</label><citation-alternatives><mixed-citation xml:lang="ru">Imambi S., Prakash K.B., Kanagachidambaresan G.R. PyTorch. In: Prakash K.B., Kanagachidambaresan G.R. (Eds.). Programming with TensorFlow. EAI/Springer Innovations in Communication and Computing (book series). Springer; 2021. P. 87–104. https://doi.org/10.1007/978-3-030-57077-4_10</mixed-citation><mixed-citation xml:lang="en">Imambi S., Prakash K.B., Kanagachidambaresan G.R. PyTorch. In: Prakash K.B., Kanagachidambaresan G.R. (Eds.). Programming with TensorFlow. EAI/Springer Innovations in Communication and Computing (book series). Springer; 2021. P. 87–104. https://doi.org/10.1007/978-3-030-57077-4_10</mixed-citation></citation-alternatives></ref><ref id="cit15"><label>15</label><citation-alternatives><mixed-citation xml:lang="ru">Yu Y., Si X., Hu C., Zhang J. A review of recurrent neural networks: LSTM cells and network architectures. Neural Comput. 2019;31(7):1235–1270. https://doi.org/10.1162/neco_a_01199</mixed-citation><mixed-citation xml:lang="en">Yu Y., Si X., Hu C., Zhang J. A review of recurrent neural networks: LSTM cells and network architectures. Neural Comput. 2019;31(7):1235–1270. https://doi.org/10.1162/neco_a_01199</mixed-citation></citation-alternatives></ref><ref id="cit16"><label>16</label><citation-alternatives><mixed-citation xml:lang="ru">Jartelius M. The 2020 Data Breach Investigations Report–a CSO’s perspective. Network Security. 2020;2020(7): 9–12. https://doi.org/10.1016/S1353-4858(20)30079-9</mixed-citation><mixed-citation xml:lang="en">Jartelius M. The 2020 Data Breach Investigations Report–a CSO’s perspective. Network Security. 2020;2020(7): 9–12. https://doi.org/10.1016/S1353-4858(20)30079-9</mixed-citation></citation-alternatives></ref><ref id="cit17"><label>17</label><citation-alternatives><mixed-citation xml:lang="ru">Sarkar S., Nandan M. Password Strength Analysis and its Classification by Applying Machine Learning Based Techniques. In: 2022 Second International Conference on Computer Science, Engineering and Applications (ICCSEA). IEEE, 2022. P. 1–5. https://doi.org/10.1109/ICCSEA54677.2022.9936117</mixed-citation><mixed-citation xml:lang="en">Sarkar S., Nandan M. Password Strength Analysis and its Classification by Applying Machine Learning Based Techniques. In: 2022 Second International Conference on Computer Science, Engineering and Applications (ICCSEA). IEEE, 2022. P. 1–5. https://doi.org/10.1109/ICCSEA54677.2022.9936117</mixed-citation></citation-alternatives></ref><ref id="cit18"><label>18</label><citation-alternatives><mixed-citation xml:lang="ru">Sakya S.S., Mauparna M.N. Building a Multi-class Password Strength Generator and Classifier Model by Augmenting Supervised Machine Learning Techniques. Preprint. 2022. https://doi.org/10.21203/rs.3.rs-1820885/v1</mixed-citation><mixed-citation xml:lang="en">Sakya S.S., Mauparna M.N. Building a Multi-class Password Strength Generator and Classifier Model by Augmenting Supervised Machine Learning Techniques. Preprint. 2022. https://doi.org/10.21203/rs.3.rs-1820885/v1</mixed-citation></citation-alternatives></ref><ref id="cit19"><label>19</label><citation-alternatives><mixed-citation xml:lang="ru">Murmu S., Kasyap H., Tripathy S. PassMon: A Technique for Password Generation and Strength Estimation. J. Network Syst. Manage. 2022;30(1):13. https://doi.org/10.1007/s10922-021-09620-w</mixed-citation><mixed-citation xml:lang="en">Murmu S., Kasyap H., Tripathy S. PassMon: A Technique for Password Generation and Strength Estimation. J. Network Syst. Manage. 2022;30(1):13. https://doi.org/10.1007/s10922-021-09620-w</mixed-citation></citation-alternatives></ref><ref id="cit20"><label>20</label><citation-alternatives><mixed-citation xml:lang="ru">Tran L., Nguyen T., Seo C., Kim H., Choi D. A Survey on Password Guessing. arXiv preprint arXiv:2212.08796. 2022. https://doi.org/10.48550/arXiv.2212.08796</mixed-citation><mixed-citation xml:lang="en">Tran L., Nguyen T., Seo C., Kim H., Choi D. A Survey on Password Guessing. arXiv preprint arXiv:2212.08796. 2022. https://doi.org/10.48550/arXiv.2212.08796</mixed-citation></citation-alternatives></ref><ref id="cit21"><label>21</label><citation-alternatives><mixed-citation xml:lang="ru">Xiao Y., Zeng J. Dynamically generate password policy via Zipf distribution. IEEE Transactions on Information Forensics and Security. 2022;17:835–848. https://doi.org/10.1109/TIFS.2022.3152357</mixed-citation><mixed-citation xml:lang="en">Xiao Y., Zeng J. Dynamically generate password policy via Zipf distribution. IEEE Transactions on Information Forensics and Security. 2022;17:835–848. https://doi.org/10.1109/TIFS.2022.3152357</mixed-citation></citation-alternatives></ref></ref-list><fn-group><fn fn-type="conflict"><p>The authors declare that there are no conflicts of interest present.</p></fn></fn-group></back></article>
