Table of Contents
Fetching ...

On the Insecurity of Keystroke-Based AI Authorship Detection: Timing-Forgery Attacks Against Motor-Signal Verification

David Condrey

TL;DR

This work interrogates keystroke-based AI authorship detectors that rely solely on motor timing signals to infer content provenance. It defines copy-type and timing-forgery attacks and proves a formal non-identifiability bound for timing-only observations, showing that provenance information cannot be recovered from keystroke timing alone. Empirical validation on 13,000 human sessions and 2,000 attack sessions demonstrates near-perfect evasion (≥99.8%) across five classifiers, with AUC = 1.000 for motor-present vs motor-absent cases, while the attacks imitate human motor patterns so closely that they defeat timing-based thresholds. The authors argue that secure provenance requires content-binding or semantic-aware defenses (e.g., revision history, challenge-response) rather than additional timing features, since keystroke timing alone can only attest that a human operated the keyboard, not that the human originated the text.

Abstract

Recent proposals advocate using keystroke timing signals, specifically the coefficient of variation ($δ$) of inter-keystroke intervals, to distinguish human-composed text from AI-generated content. We demonstrate that this class of defenses is insecure against two practical attack classes: the copy-type attack, in which a human transcribes LLM-generated text producing authentic motor signals, and timing-forgery attacks, in which automated agents sample inter-keystroke intervals from empirical human distributions. Using 13,000 sessions from the SBU corpus and three timing-forgery variants (histogram sampling, statistical impersonation, and generative LSTM), we show all attacks achieve $\ge$99.8% evasion rates against five classifiers. While detectors achieve AUC=1.000 against fully-automated injection, they classify $\ge$99.8% of attack samples as human with mean confidence $\ge$0.993. We formalize a non-identifiability result: when the detector observes only timing, the mutual information between features and content provenance is zero for copy-type attacks. Although composition and transcription produce statistically distinguishable motor patterns (Cohen's d=1.28), both yield $δ$ values 2-4x above detection thresholds, rendering the distinction security-irrelevant. These systems confirm a human operated the keyboard, but not whether that human originated the text. Securing provenance requires architectures that bind the writing process to semantic content.

On the Insecurity of Keystroke-Based AI Authorship Detection: Timing-Forgery Attacks Against Motor-Signal Verification

TL;DR

This work interrogates keystroke-based AI authorship detectors that rely solely on motor timing signals to infer content provenance. It defines copy-type and timing-forgery attacks and proves a formal non-identifiability bound for timing-only observations, showing that provenance information cannot be recovered from keystroke timing alone. Empirical validation on 13,000 human sessions and 2,000 attack sessions demonstrates near-perfect evasion (≥99.8%) across five classifiers, with AUC = 1.000 for motor-present vs motor-absent cases, while the attacks imitate human motor patterns so closely that they defeat timing-based thresholds. The authors argue that secure provenance requires content-binding or semantic-aware defenses (e.g., revision history, challenge-response) rather than additional timing features, since keystroke timing alone can only attest that a human operated the keyboard, not that the human originated the text.

Abstract

Recent proposals advocate using keystroke timing signals, specifically the coefficient of variation () of inter-keystroke intervals, to distinguish human-composed text from AI-generated content. We demonstrate that this class of defenses is insecure against two practical attack classes: the copy-type attack, in which a human transcribes LLM-generated text producing authentic motor signals, and timing-forgery attacks, in which automated agents sample inter-keystroke intervals from empirical human distributions. Using 13,000 sessions from the SBU corpus and three timing-forgery variants (histogram sampling, statistical impersonation, and generative LSTM), we show all attacks achieve 99.8% evasion rates against five classifiers. While detectors achieve AUC=1.000 against fully-automated injection, they classify 99.8% of attack samples as human with mean confidence 0.993. We formalize a non-identifiability result: when the detector observes only timing, the mutual information between features and content provenance is zero for copy-type attacks. Although composition and transcription produce statistically distinguishable motor patterns (Cohen's d=1.28), both yield values 2-4x above detection thresholds, rendering the distinction security-irrelevant. These systems confirm a human operated the keyboard, but not whether that human originated the text. Securing provenance requires architectures that bind the writing process to semantic content.
Paper Structure (37 sections, 1 theorem, 13 equations, 1 figure, 7 tables)

This paper contains 37 sections, 1 theorem, 13 equations, 1 figure, 7 tables.

Key Result

Theorem 1

Let $\mathcal{F}$ be the class of feature extractors operating on keystroke timing. Under assumptions A1--A3, for any $f \in \mathcal{F}$ and typist $u$: where $\mathop{\mathrm{Provenance}}\nolimits \in \{\textit{composed},\, \textit{copied}\}$ and $s$ is the character sequence.

Figures (1)

  • Figure 1: Distribution of $\delta$ across conditions. The threshold $\delta = 0.269$ perfectly separates human from automated but admits all attacks.

Theorems & Definitions (4)

  • Definition 1: Copy-Type Attack
  • Definition 2: Timing-Forgery Attack
  • Theorem 1: Structural Non-Identifiability Under Timing-Only Observation
  • proof