pith. sign in

arxiv: 2604.21001 · v1 · submitted 2026-04-22 · 💻 cs.CR

VRSafe: A Secure Virtual Keyboard to Mitigate Keystroke Inference in Virtual Reality

Yijun Yuan , Na Du , Adam J. Lee , Balaji Palanisamy This is my paper

Pith reviewed 2026-05-09 23:55 UTC · model grok-4.3

classification 💻 cs.CR
keywords virtual realitykeystroke inferencevirtual keyboardpassword securityfalse positive insertionmalicious login detectionauthentication defense
0
0 comments X

The pith

VRSafe is a virtual keyboard that inserts false keystrokes to prevent attackers from inferring passwords in VR environments.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces VRSafe, a modified QWERTY keyboard for VR that deliberately adds extra keystroke signals to the data an attacker might observe. This makes it much harder for inference algorithms to reconstruct the true password from the observed sequence. The system also includes a detector for malicious logins based on inferred credentials. If this approach works, it would allow users to type passwords safely in VR without needing to change their habits much. The evaluation shows reduced attack success rates with only small increases in typing time and errors.

Core claim

The authors claim that by carefully inserting false positive keystrokes into the typing stream observed by potential attackers, VRSafe significantly lowers the accuracy of keystroke inference attacks on VR keyboards, while a companion malicious login detector identifies bad login attempts with high accuracy and low overhead.

What carries the argument

The false-positive keystroke insertion strategy, which adds decoy taps at specific positions to obscure the real sequence without disrupting the user's intended input.

If this is right

  • Attackers using standard inference methods will have lower success rates in guessing the password.
  • The malicious login detector can flag unauthorized attempts quickly with minimal resource use.
  • Usability remains acceptable as typing speed and accuracy drop only modestly.
  • This defense can be implemented on existing VR platforms without major hardware changes.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • If effective, this approach could extend to other VR input methods like gesture-based entry.
  • It might shape secure input designs in related areas such as augmented reality or mobile devices.
  • Attackers may need more advanced models that detect and remove inserted noise.
  • Wider adoption could increase user confidence in using VR for tasks involving sensitive credentials.

Load-bearing premise

The inserted false keystrokes will continue to confuse inference attacks even as attackers develop better methods to filter noise, and users will tolerate the small extra effort in typing.

What would settle it

A user study or simulation where a new keystroke inference attack, trained on VRSafe data, achieves high accuracy in recovering the original passwords.

Figures

Figures reproduced from arXiv: 2604.21001 by Adam J. Lee, Balaji Palanisamy, Na Du, Yijun Yuan.

Figure 1
Figure 1. Figure 1: VRSafe architecture. (1) Normal user interacts with VRSafe keyboard, the original password should remain un￾changed for successful authentication and "noisy" password will be forwarded to detector. (2) Server adds the "noisy" pass￾word to detector if the original password matches the record in database(i.e. a legitimate login). (3) A keystroke inference attacker captures the user’s keystroke on VRSafe keyb… view at source ↗
Figure 2
Figure 2. Figure 2: VRSafe will maintain a state variable to indicate whether the input is a ghost character or a real character, and only real characters will be forwarded to the textbox. Ghost Password Generation. Many models such as RNN-based seq2seq model [45], transformer based LLM models [1, 46] are capable of generating a similar password sequence based on a given password. However, they are inadequate for this task as… view at source ↗
Figure 4
Figure 4. Figure 4: The green arrows depict the cursor’s trajectory in [PITH_FULL_IMAGE:figures/full_fig_p005_4.png] view at source ↗
Figure 3
Figure 3. Figure 3: VRSafe Ghost Character(Highlighted) Simulated Login Page Other Keys(Disabled) Tracked Hand *For user study [PITH_FULL_IMAGE:figures/full_fig_p005_3.png] view at source ↗
Figure 5
Figure 5. Figure 5: The average guessing accuracy for randomness level [PITH_FULL_IMAGE:figures/full_fig_p008_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: Password guessing accuracy for passwords in 6 categories, for each contains curves under 2 different ghost password [PITH_FULL_IMAGE:figures/full_fig_p009_6.png] view at source ↗
Figure 7
Figure 7. Figure 7: Password entry time of all participants in all 10 tasks. [PITH_FULL_IMAGE:figures/full_fig_p011_7.png] view at source ↗
Figure 8
Figure 8. Figure 8: Camera setup for video-based keystroke inference [PITH_FULL_IMAGE:figures/full_fig_p013_8.png] view at source ↗
read the original abstract

Password-based authentication is one of the most commonly used methods for verifying user identities, and its widespread usage continues in virtual reality (VR) applications. As a result, various forms of attacks on password-based authentication in traditional environments such as keystroke inference and shoulder surfing, are still effective in VR applications. While keystroke inference attacks on virtual keyboards have been studied extensively, few efforts have developed an effective and cost-efficient defense strategy to mitigate keystroke inferences in VR. To address this gap, this paper presents a novel QWERTY keyboard called \textit{VRSafe} that is resilient to keystroke inference attacks. The proposed keyboard carefully introduces false positive keystrokes into the information collected by attackers during the typing process, making the inference of the original password difficult. \textit{VRSafe} also incorporates a novel malicious login detector that can effectively identify unauthorized login attempts using credentials inferred from keystroke inference attacks with high detection rate and minimal time and memory cost. The proposed design is evaluated through both simulation experiments and a real-world user study, and the results show that \textit{VRSafe} can significantly reduce the accuracy of keystroke inference attacks while incurring a modest overhead from a usability standpoint.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The paper proposes VRSafe, a modified QWERTY virtual keyboard for VR that inserts false-positive keystrokes during password entry to degrade keystroke inference attacks, paired with a malicious-login detector that flags unauthorized attempts inferred from such attacks. It claims the design is evaluated via simulation experiments and a real-world user study, showing significant reductions in attack accuracy alongside modest usability overhead.

Significance. If the false-positive insertion strategy holds against adaptive attackers, the work would address a clear gap in VR authentication defenses, where keystroke inference remains effective but few practical mitigations exist. The dual evaluation (simulation plus user study) is a strength, as is the low-overhead claim for the detector. However, the current evidence base limits how far the significance can be assessed.

major comments (3)
  1. [Evaluation] Evaluation section: the simulation experiments report accuracy reductions from false-positive insertion but provide no indication that the inference models were retrained or adapted after observing VRSafe outputs (e.g., via timing, spatial, or statistical signatures of the insertions). This is load-bearing for the central resilience claim, as non-adaptive baselines do not test whether an attacker who knows or infers the defense can filter the noise.
  2. [User Study] User study and results: the reported reductions in inference accuracy lack error bars, statistical significance tests, exact false-positive rates, and per-participant variance. Without these, it is impossible to verify whether the modest usability overhead is accompanied by reliable security gains or whether the gains are driven by a small number of outliers.
  3. [Design] Design of the insertion strategy (Section 3): the false-positive rate and placement rules appear to be free parameters tuned for the reported experiments; the paper does not demonstrate that these choices remain effective when the attacker can optimize against the known insertion pattern, undermining the claim of broad resilience.
minor comments (2)
  1. [Abstract] Abstract: the claim of 'high detection rate' for the malicious login detector is stated without any quantitative value, threshold, or comparison baseline.
  2. [Throughout] Notation: the paper uses 'false positive keystrokes' without consistently distinguishing them from the detector's false-positive rate, which could confuse readers.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive and detailed comments, which help strengthen the paper. We address each major comment point-by-point below, committing to revisions where the feedback identifies gaps in the current evaluation or reporting. Our responses focus on clarifying the existing design and evaluation while proposing targeted additions to address the concerns about adaptive attackers and statistical rigor.

read point-by-point responses

  1. Referee: [Evaluation] Evaluation section: the simulation experiments report accuracy reductions from false-positive insertion but provide no indication that the inference models were retrained or adapted after observing VRSafe outputs (e.g., via timing, spatial, or statistical signatures of the insertions). This is load-bearing for the central resilience claim, as non-adaptive baselines do not test whether an attacker who knows or infers the defense can filter the noise.

    Authors: We acknowledge that the current simulation results primarily evaluate VRSafe against non-adaptive inference models trained on standard keystroke data. The false-positive insertions are generated probabilistically using timing and spatial heuristics that mimic natural typing variations, which inherently introduces noise that is not easily filtered without knowledge of the exact insertion model. However, we agree this does not fully address an adaptive attacker who observes VRSafe outputs and retrains. In the revised manuscript, we will add a new subsection in the evaluation with experiments simulating adaptive attackers: (1) retraining the inference model on datasets augmented with VRSafe-style insertions, and (2) testing statistical filtering techniques based on timing anomalies. This will provide direct evidence on whether the resilience holds or degrades under adaptation. revision: yes

  2. Referee: [User Study] User study and results: the reported reductions in inference accuracy lack error bars, statistical significance tests, exact false-positive rates, and per-participant variance. Without these, it is impossible to verify whether the modest usability overhead is accompanied by reliable security gains or whether the gains are driven by a small number of outliers.

    Authors: We agree that the user study reporting can be improved for transparency and verifiability. The current results aggregate accuracy reductions and usability metrics across participants, but we did not include per-participant breakdowns or formal statistical tests in the submitted version. In the revision, we will: add error bars (standard deviation or 95% CI) to all accuracy and overhead plots; report exact false-positive insertion rates per condition; include per-participant variance via box plots or tables; and perform statistical significance tests (e.g., Wilcoxon signed-rank or paired t-tests) comparing VRSafe vs. baseline conditions. These additions will confirm that security improvements are consistent and not outlier-driven while preserving the modest usability overhead claim. revision: yes

  3. Referee: [Design] Design of the insertion strategy (Section 3): the false-positive rate and placement rules appear to be free parameters tuned for the reported experiments; the paper does not demonstrate that these choices remain effective when the attacker can optimize against the known insertion pattern, undermining the claim of broad resilience.

    Authors: The insertion strategy in Section 3 is not a fixed deterministic pattern but a probabilistic model: false positives are inserted at rates and positions drawn from distributions calibrated to real typing data (e.g., dwell times and spatial offsets), with parameters chosen to balance security and usability based on pilot data. This design aims to avoid easily detectable signatures. That said, we recognize the value of evaluating against an attacker who knows the general strategy and attempts to optimize (e.g., via pattern matching or machine learning to filter insertions). In the revision, we will expand Section 3 with a sensitivity analysis of the parameters and add simulation results assuming a known insertion model, showing attack accuracy under attempted filtering. If needed, we will also clarify the tuning process and any constraints on parameter choice. revision: partial

Circularity Check

0 steps flagged

No significant circularity; design and evaluation are independent

full rationale

The paper presents VRSafe as a novel keyboard design that inserts false-positive keystrokes to degrade inference attacks, paired with a malicious login detector. Evaluation relies on separate simulation experiments and a user study reporting accuracy reductions and usability metrics. No equations, fitted parameters, or self-referential derivations appear in the provided text; claims rest on empirical outcomes rather than reducing to inputs by construction. Self-citations are absent from the abstract and description, and no load-bearing uniqueness theorems or ansatzes are invoked. The derivation chain is self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

2 free parameters · 0 axioms · 0 invented entities

The design rests on standard assumptions about attacker observation capabilities in VR and typical user typing behavior; no new entities or ad-hoc axioms are introduced beyond the proposed mechanism itself.

free parameters (2)
  • false-positive insertion rate
    Rate at which incorrect keystrokes are added; must be chosen to balance security gain against usability cost.
  • malicious-login detection threshold
    Threshold tuned for high detection rate with low overhead; value not specified in abstract.

pith-pipeline@v0.9.0 · 5520 in / 1084 out tokens · 38007 ms · 2026-05-09T23:55:57.581369+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

63 extracted references · 63 canonical work pages · 1 internal anchor

  1. [1]

    Josh Achiam, Steven Adler, Sandhini Agarwal, Lama Ahmad, Ilge Akkaya, Floren- cia Leoni Aleman, Diogo Almeida, Janko Altenschmidt, Sam Altman, Shyamal Anadkat, et al. 2023. Gpt-4 technical report.arXiv preprint arXiv:2303.08774 (2023)

    work page internal anchor Pith review Pith/arXiv arXiv 2023

  2. [2]

    Abdullah Al Arafat, Zhishan Guo, and Amro Awad. 2021. Vr-spy: A side-channel attack on virtual key-logging in vr headsets. In2021 IEEE Virtual Reality and 3D User Interfaces (VR). IEEE, 564–572

    work page 2021

  3. [3]

    Hattan Althebeiti, Ran Gedawy, Ahod Alghuried, Daehun Nyang, and David Mohaisen. 2024. Defending AirType Against Inference Attacks Using 3D In-Air Keyboard Layouts: Design and Evaluation. InInformation Security Applications, Howon Kim and Jonghee Youn (Eds.). Springer Nature Singapore, Singapore, 159–174

    work page 2024

  4. [4]

    Burton H Bloom. 1970. Space/time trade-offs in hash coding with allowable errors.Commun. ACM13, 7 (1970), 422–426

    work page 1970

  5. [5]

    Fadi Boutros, Naser Damer, Kiran Raja, Raghavendra Ramachandra, Florian Kirchbuchner, and Arjan Kuijper. 2020. Iris and periocular biometrics for head mounted displays: Segmentation, recognition, and synthetic data generation. Image and Vision Computing104 (2020), 104007

    work page 2020

  6. [6]

    John Brooke et al. 1996. SUS-A quick and dirty usability scale.Usability evaluation in industry189, 194 (1996), 4–7

    work page 1996

  7. [7]

    Lee J Cronbach. 1951. Coefficient alpha and the internal structure of tests. psychometrika16, 3 (1951), 297–334

    work page 1951

  8. [8]

    Patrick Cronin, Xing Gao, Chengmo Yang, and Haining Wang. 2021. {Charger- Surfing}: Exploiting a power line {Side-Channel} for smartphone information leakage. In30th USENIX Security Symposium (USENIX Security 21). 681–698

    work page 2021

  9. [9]

    Fred D. Davis. 1989. Perceived Usefulness, Perceived Ease of Use, and User Acceptance of Information Technology.MIS Quarterly13, 3 (1989), 319–340. http://www.jstor.org/stable/249008

    work page 1989

  10. [10]

    Dinei Florencio and Cormac Herley. 2007. A large-scale study of web password habits. InProceedings of the 16th international conference on World Wide Web. 657–666

    work page 2007

  11. [11]

    Claes Fornell and David F Larcker. 1981. Evaluating structural equation models with unobservable variables and measurement error.Journal of marketing research 18, 1 (1981), 39–50

    work page 1981

  12. [12]

    Sindhu Reddy Kalathur Gopal, Diksha Shukla, James David Wheelock, and Nitesh Saxena. 2023. Hidden reality: Caution, your hand gesture inputs in the immersive virtual world are visible to all!. In32nd USENIX Security Symposium (USENIX Security 23). 859–876

    work page 2023

  13. [13]

    National Research Group. 2022. Beyond reality: Is the VR revolution on the horizon? https://www.nrgmr.com/our-thinking/technology/the-vr-revolution- might-finally-be-on-the-horizon/. Accessed: 2025-04-10

    work page 2022

  14. [14]

    Haritabh Gupta, Shamik Sural, Vijayalakshmi Atluri, and Jaideep Vaidya. 2018. A side-channel attack on smartphones: Deciphering key taps using built-in microphones.Journal of computer security26, 2 (2018), 255–281

    work page 2018

  15. [15]

    Zonghao Huang, Lujo Bauer, and Michael K. Reiter. 2024. The Impact of Exposed Passwords on Honeyword Efficacy. In33rd USENIX Security Symposium, USENIX Security 2024, Philadelphia, PA, USA, August 14-16, 2024, Davide Balzarotti and Wenyuan Xu (Eds.). USENIX Association. https://www.usenix.org/conference/ usenixsecurity24/presentation/huang-zonghao

    work page 2024

  16. [16]

    Ari Juels and Ronald L. Rivest. 2013. Honeywords: making password-cracking detectable. In2013 ACM SIGSAC Conference on Computer and Communications Security, CCS’13, Berlin, Germany, November 4-8, 2013, Ahmad-Reza Sadeghi, Virgil D. Gligor, and Moti Yung (Eds.). ACM, 145–160. doi:10.1145/2508859. 2516671

    work page doi:10.1145/2508859 2013

  17. [17]

    Patrick Gage Kelley, Saranga Komanduri, Michelle L Mazurek, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Julio Lopez

    work page

  18. [18]

    In2012 IEEE symposium on security and privacy

    Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms. In2012 IEEE symposium on security and privacy. IEEE, 523–537

    work page

  19. [19]

    Naveen Kumar. 2025. Virtual Reality Statistics 2025: Users & Trends. https: //www.demandsage.com/virtual-reality-statistics/. Accessed: 2025-07-26

    work page 2025

  20. [20]

    Jiyeon Lee, Hyosu Kim, and Kilho Lee. 2023. VRKeyLogger: Virtual keystroke inference attack via eavesdropping controller usage pattern in WebVR.Computers & Security134 (2023), 103461

    work page 2023

  21. [21]

    Yan Li, Yao Cheng, Weizhi Meng, Yingjiu Li, and Robert H Deng. 2020. Designing leakage-resilient password entry on head-mounted smart wearable glass devices. IEEE Transactions on Information Forensics and security16 (2020), 307–321

    work page 2020

  22. [22]

    Zhen Ling, Zupei Li, Chen Chen, Junzhou Luo, Wei Yu, and Xinwen Fu. 2019. I know what you enter on gear vr. In2019 IEEE Conference on Communications and Network Security (CNS). IEEE, 241–249

    work page 2019

  23. [23]

    Shiqing Luo, Xinyu Hu, and Zhisheng Yan. 2022. Holologger: Keystroke inference on mixed reality head mounted displays. In2022 IEEE Conference on Virtual Reality and 3D User Interfaces (VR). IEEE, 445–454

    work page 2022

  24. [24]

    Shiqing Luo, Anh Nguyen, Hafsa Farooq, Kun Sun, and Zhisheng Yan. 2024. Eavesdropping on controller acoustic emanation for keystroke inference attack in virtual reality. InThe Network and Distributed System Security Symposium (NDSS)

    work page 2024

  25. [25]

    Shiqing Luo, Anh Nguyen, Chen Song, Feng Lin, Wenyao Xu, and Zhisheng Yan

    work page

  26. [26]

    In2020 Network and Distributed System Security Symposium (NDSS)

    OcuLock: Exploring human visual system for authentication in virtual reality head-mounted display. In2020 Network and Distributed System Security Symposium (NDSS)

    work page

  27. [27]

    Jerry Ma, Weining Yang, Min Luo, and Ninghui Li. 2014. A study of probabilistic password models. In2014 IEEE Symposium on Security and Privacy. IEEE, 689–704

    work page 2014

  28. [28]

    Anindya Maiti and Kirsten Crager. 2017. Randompad: Usability of randomized mobile keypads for defeating inference attacks. InProceedings of the IEEE Euro S&P Workshop on Innovations in Mobile Privacy & Security (IMPS)

    work page 2017

  29. [29]

    Anindya Maiti, Murtuza Jadliwala, and Chase Weber. 2017. Preventing shoulder surfing using randomized augmented reality keyboards. In2017 IEEE interna- tional conference on pervasive computing and communications workshops (PerCom Workshops). IEEE, 630–635

    work page 2017

  30. [30]

    Henry B Mann and Donald R Whitney. 1947. On a test of whether one of two random variables is stochastically larger than the other.The annals of mathematical statistics(1947), 50–60

    work page 1947

  31. [31]

    William Melicher, Blase Ur, Sean M Segreti, Saranga Komanduri, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. 2016. Fast, lean, and accurate: Modeling password guessability using neural networks. In25th USENIX Security Symposium (USENIX Security 16). 175–191

    work page 2016

  32. [32]

    Meta. 2024. https://developers.meta.com/horizon/documentation/native/ android/ts-adb/ Accessed: 2024-10-30

    work page 2024

  33. [33]

    Inc Meta Platforms. 2025. Locomotion types. Retrieved Dec 2, 2025 from https://developers.meta.com/horizon/design/locomotion-types/

    work page 2025

  34. [34]

    Ülkü Meteriz-Yıldıran, Necip Fazıl Yıldıran, Amro Awad, and David Mohaisen

    work page

  35. [35]

    In2022 IEEE Conference on Virtual Reality and 3D User Interfaces (VR)

    A keylogging inference attack on air-tapping keyboards in virtual envi- ronments. In2022 IEEE Conference on Virtual Reality and 3D User Interfaces (VR). IEEE, 765–774

    work page

  36. [36]

    Microsoft. 2024. https://github.com/microsoft/MixedRealityToolkit-Unity https: //github.com/microsoft/MixedRealityToolkit-Unity

    work page 2024

  37. [37]

    Tao Ni, Yuefeng Du, Qingchuan Zhao, and Cong Wang. 2024. Non-intrusive and Unconstrained Keystroke Inference in VR Platforms via Infrared Side Channel. arXiv preprint arXiv:2412.14815(2024)

    work page arXiv 2024

  38. [38]

    Alex Nosenko, Yuan Cheng, and Haiquan Chen. 2023. Password and passphrase guessing with recurrent neural networks.Information Systems Frontiers25, 2 (2023), 549–565

    work page 2023

  39. [39]

    Bijeeta Pal, Tal Daniel, Rahul Chatterjee, and Thomas Ristenpart. 2019. Beyond credential stuffing: Password similarity models using neural networks. In2019 IEEE Symposium on Security and Privacy (SP). IEEE, 417–434

    work page 2019

  40. [40]

    CFE Ron Cresswell, J.D. 2021. The COMB Data Leak: What You Should Know. Retrieved August 28, 2025 from https://www.acfe.com/acfe-insights-blog/blog- detail?s=comb-data-leak-what-you-should-know

    work page 2021

  41. [41]

    Mohd Sabra, Anindya Maiti, and Murtuza Jadliwala. 2020. Zoom on the keystrokes: Exploiting video calls for keystroke inference attacks.arXiv preprint arXiv:2010.12078(2020)

    work page arXiv 2020

  42. [42]

    Yiran Shen, Hongkai Wen, Chengwen Luo, Weitao Xu, Tao Zhang, Wen Hu, and Daniela Rus. 2018. GaitLock: Protect virtual and augmented reality headsets using gait.IEEE Transactions on Dependable and Secure Computing16, 3 (2018), 484–497

    work page 2018

  43. [43]

    Carter Slocum, Yicheng Zhang, Nael Abu-Ghazaleh, and Jiasi Chen. 2023. Going through the motions: {AR/VR} keylogging from user head motions. In32nd USENIX Security Symposium (USENIX Security 23). 159–174

    work page 2023

  44. [44]

    Robert L Solso, Paul F Barbuto, and Connie L Juel. 1979. Bigram and trigram frequencies and versatilities in the English language.Behavior Research Methods & Instrumentation11, 5 (1979), 475–484

    work page 1979

  45. [45]

    Jayesh Soni and Nagarajan Prabakar. 2021. KeyNet: enhancing cybersecurity with deep learning-based LSTM on keystroke dynamics for authentication. In International Conference on Intelligent Human Computer Interaction. Springer, 761–771

    work page 2021

  46. [46]

    Sophie Stephenson, Bijeeta Pal, Stephen Fan, Earlence Fernandes, Yuhang Zhao, and Rahul Chatterjee. 2022. Sok: Authentication in augmented and virtual reality. In2022 IEEE symposium on security and privacy (SP). IEEE, 267–284

    work page 2022

  47. [47]

    Jingchao Sun, Xiaocong Jin, Yimin Chen, Jinxue Zhang, Yanchao Zhang, and Rui Zhang. 2016. Visible: Video-assisted keystroke inference from tablet backside motion.. InNDSS

    work page 2016

  48. [48]

    Ilya Sutskever, Oriol Vinyals, and Quoc V Le. 2014. Sequence to sequence learning with neural networks.Advances in neural information processing systems27 (2014)

    work page 2014

  49. [49]

    Ashish Vaswani, Noam Shazeer, Niki Parmar, Jakob Uszkoreit, Llion Jones, Aidan N Gomez, Łukasz Kaiser, and Illia Polosukhin. 2017. Attention is all you need.Advances in neural information processing systems30 (2017)

    work page 2017

  50. [50]

    Tingjie Wan, Liangyuting Zhang, Yunxin Xu, Zixuan Guo, Boyu Gao, and Hai- Ning Liang. 2024. Analysis and Design of Efficient Authentication Techniques for Password Entry with the Qwerty Keyboard for VR Environments.IEEE Transactions on Visualization and Computer Graphics(2024)

    work page 2024

  51. [51]

    Ding Wang, Zijian Zhang, Ping Wang, Jeff Yan, and Xinyi Huang. 2016. Targeted online password guessing: An underestimated threat. InProceedings of the 2016 ACM SIGSAC conference on computer and communications security. 1242–1254

    work page 2016

  52. [52]

    Ding Wang, Yunkai Zou, Qiying Dong, Yuanming Song, and Xinyi Huang. 2022. How to Attack and Generate Honeywords. In43rd IEEE Symposium on Security and Privacy, SP 2022, San Francisco, CA, USA, May 22-26, 2022. IEEE, 966–983. doi:10.1109/SP46214.2022.9833598

    work page doi:10.1109/sp46214.2022.9833598 2022

  53. [53]

    Ding Wang, Yunkai Zou, Yuan-An Xiao, Siqi Ma, and Xiaofeng Chen. 2023. {Pass2Edit}: A {Multi-Step} Generative Model for Guessing Edited Passwords. In32nd USENIX Security Symposium (USENIX Security 23). 983–1000

    work page 2023

  54. [54]

    Hongbo Wang, Jingyang Hu, Tianyue Zheng, Jingzhi Hu, Zhe Chen, Hongbo Jiang, Yuanjin Zheng, and Jun Luo. 2024. MuKI-Fi: Multi-person keystroke inference with BFI-enabled Wi-Fi sensing.IEEE Transactions on Mobile Computing (2024)

    work page 2024

  55. [55]

    Hanqiu Wang, Zihao Zhan, Haoqi Shan, Siqi Dai, Maximilian Panoff, and Shuo Wang. 2024. GAZEploit: Remote Keystroke Inference Attack by Gaze Estimation from Avatar Views in VR/MR Devices. InProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security. 1731–1745

    work page 2024

  56. [56]

    Ke Coby Wang and Michael K. Reiter. 2024. Bernoulli Honeywords. In31st Annual Network and Distributed System Security Symposium, NDSS 2024, San Diego, California, USA, February 26 - March 1, 2024. The Internet Society. https: //www.ndss-symposium.org/ndss-paper/bernoulli-honeywords/

    work page 2024

  57. [57]

    Matt Weir, Sudhir Aggarwal, Breno De Medeiros, and Bill Glodek. 2009. Password cracking using probabilistic context-free grammars. In2009 30th IEEE symposium on security and privacy. IEEE, 391–405

    work page 2009

  58. [58]

    Yi Wu, Cong Shi, Tianfang Zhang, Payton Walker, Jian Liu, Nitesh Saxena, and Yingying Chen. 2023. Privacy leakage via unrestricted motion-position sensors in the age of virtual reality: A study of snooping typed input on virtual keyboards. In2023 IEEE Symposium on Security and Privacy (SP). IEEE, 3382–3398

    work page 2023

  59. [59]

    Edwin Yang, Song Fang, Ian Markwood, Yao Liu, Shangqing Zhao, Zhuo Lu, and Haojin Zhu. 2022. Wireless training-free keystroke inference attack and defense. IEEE/ACM Transactions on Networking30, 4 (2022), 1733–1748

    work page 2022

  60. [60]

    Jiahong Yang, Wenting Li, Haibo Cheng, and Ping Wang. 2025. Targeted Password Guessing Using Neural Language Models. InICASSP 2025-2025 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP). IEEE, 1–5

    work page 2025

  61. [61]

    Zhuolin Yang, Yuxin Chen, Zain Sarwar, Hadleigh Schwartz, Ben Y Zhao, and Haitao Zheng. 2023. Towards a general video-based keystroke inference attack. In32nd USENIX Security Symposium (USENIX Security 23). 141–158

    work page 2023

  62. [62]

    Fan Zhang, Valentin Bazarevsky, Andrey Vakunov, Andrei Tkachenka, George Sung, Chuo-Ling Chang, and Matthias Grundmann. 2020. Mediapipe hands: On-device real-time hand tracking.arXiv preprint arXiv:2006.10214(2020)

    work page arXiv 2020

  63. [63]

    Yicheng Zhang, Carter Slocum, Jiasi Chen, and Nael Abu-Ghazaleh. 2023. It’s all in your head (set): Side-channel attacks on {AR/VR} systems. In32nd USENIX Security Symposium (USENIX Security 23). 3979–3996. Ethics Statement All data collection procedures were reviewed and approved by IRB (STUDY24120080) to ensure that no personally identifiable informa- t...

    work page 2023