Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Movement- and Traffic-based User Identification in Commercial Virtual Reality Applications: Threats and Opportunities

Sara Baldoni, Salim Benhamadi, Federico Chiariotti, Michele Zorzi, Federica Battisti

TL;DR

Addressing the problem of identifying VR users from movement and traffic traces, the paper uses the Questset dataset to show that joint movement and traffic features can fingerprint users across four commercial VR games. It evaluates several supervised learners and finds that Extra Trees and a soft-voting ensemble achieve high accuracy, while cross-game transfer is limited. The study highlights privacy risks from traffic-based fingerprinting and the opportunity for passwordless personalization in cloud-based VR, noting that traffic alone can reach about $80$% accuracy and that longer observation windows push performance toward $>95$% for most cases. It concludes with a discussion of threat modeling, potential countermeasures, and directions for future work including larger, multi-session deployments and authentication extensions.

Abstract

With the unprecedented diffusion of virtual reality, the number of application scenarios is continuously growing. As commercial and gaming applications become pervasive, the need for the secure and convenient identification of users, often overlooked by the research in immersive media, is becoming more and more pressing. Networked scenarios such as Cloud gaming or cooperative virtual training and teleoperation require both a user-friendly and streamlined experience and user privacy and security. In this work, we investigate the possibility of identifying users from their movement patterns and data traffic traces while playing four commercial games, using a publicly available dataset. If, on the one hand, this paves the way for easy identification and automatic customization of the virtual reality content, it also represents a serious threat to users' privacy due to network analysis-based fingerprinting. Based on this, we analyze the threats and opportunities for virtual reality users' security and privacy.

Movement- and Traffic-based User Identification in Commercial Virtual Reality Applications: Threats and Opportunities

TL;DR

Addressing the problem of identifying VR users from movement and traffic traces, the paper uses the Questset dataset to show that joint movement and traffic features can fingerprint users across four commercial VR games. It evaluates several supervised learners and finds that Extra Trees and a soft-voting ensemble achieve high accuracy, while cross-game transfer is limited. The study highlights privacy risks from traffic-based fingerprinting and the opportunity for passwordless personalization in cloud-based VR, noting that traffic alone can reach about % accuracy and that longer observation windows push performance toward % for most cases. It concludes with a discussion of threat modeling, potential countermeasures, and directions for future work including larger, multi-session deployments and authentication extensions.

Abstract

With the unprecedented diffusion of virtual reality, the number of application scenarios is continuously growing. As commercial and gaming applications become pervasive, the need for the secure and convenient identification of users, often overlooked by the research in immersive media, is becoming more and more pressing. Networked scenarios such as Cloud gaming or cooperative virtual training and teleoperation require both a user-friendly and streamlined experience and user privacy and security. In this work, we investigate the possibility of identifying users from their movement patterns and data traffic traces while playing four commercial games, using a publicly available dataset. If, on the one hand, this paves the way for easy identification and automatic customization of the virtual reality content, it also represents a serious threat to users' privacy due to network analysis-based fingerprinting. Based on this, we analyze the threats and opportunities for virtual reality users' security and privacy.

Paper Structure

This paper contains 13 sections, 2 equations, 5 figures, 3 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. Dataset and Machine Learning Algorithms
  4. Dataset
  5. Data pre-processing and feature selection
  6. Supervised learning approaches
  7. Experimental results
  8. Threats and opportunities
  9. Impact of the time window and number of users
  10. Feature importance
  11. Inter-activity identification
  12. Limitations and future extensions
  13. Conclusions

Figures (5)

  • Figure 1: Confusion matrix for Medal of Honor using only movements and movements and traffic for the classifier.
  • Figure 2: Confusion matrices for all games using only traffic with the best performing models.
  • Figure 3: Impact of the number of users on the identification accuracy. The best individual model was selected for each game. The results for fewer than $30$ users are averaged over $6$ possible subgroups, shuffling units of $5$ users.
  • Figure 4: Performance with varying number of voting windows. The best individual model was selected for each game. Performance is averaged over a rolling window.
  • Figure 5: Feature importance based on the Shapley values for the different games, using traffic and movements with normalized height. The best performing individual classifier has been considered for each game.