Finding Behavioural Biometrics Scripts on the Web Using Dynamic Taint Analysis

Date

2025-05-13

Advisor

Hengartner, Urs

Publisher

University of Waterloo

Abstract

In an era of escalating cyber threats, behavioural biometrics have emerged as a transformative security mechanism, leveraging user interaction patterns like keystrokes and mouse movements for continuous authentication on the web. However, detecting these scripts at scale remains challenging due to obfuscation, dynamic execution, and overlap with analytics tools. This thesis addresses these challenges through three interconnected contributions: (1) enhancing FoxHound, a dynamic taint analysis tool, to achieve 97% effectiveness in tracking behavioural biometric data flows; (2) developing the first open-source checkout crawler to navigate e-commerce workflows with upwards of 78% accuracy; and (3) creating a machine learning classifier to distinguish behavioural biometric scripts from other tracking scripts. Large-scale analyses reveal that behavioural biometric scripts are deployed on 0.3% of top websites, with significantly higher adoption on sensitive pages (4.55% of banking logins). The work concludes with ethical recommendations to balance security benefits with privacy risks, advocating for transparency, deobfuscation, and regulatory oversight.

Keywords

security, privacy, dynamic taint analysis, behavioural biometrics
