Study Finds Keystroke Timing Defenses Ineffective Against AI-Generated Text Attacks

Global: Study Finds Keystroke Timing Defenses Ineffective Against AI-Generated Text Attacks

Researchers have demonstrated that methods relying on keystroke timing signals to differentiate human-written text from AI-generated content can be bypassed with near‑perfect success. The authors report that both copy‑type attacks, where a person transcribes AI‑produced text, and timing‑forgery attacks, which simulate human typing patterns, achieve evasion rates of at least 99.8% against five state‑of‑the‑art classifiers.

Background on Keystroke Timing Defenses

The proposed defenses focus on the coefficient of variation (δ) of inter‑keystroke intervals, assuming that authentic human motor behavior yields distinct statistical signatures compared with automated generation. Prior work suggested that δ values exceeding specific thresholds could reliably flag AI‑originated text.

Attack Strategies Evaluated

Two practical attack classes were examined. In the copy‑type scenario, a human operator types out text generated by large language models, thereby producing genuine motor signals. In timing‑forgery attacks, automated agents sample inter‑keystroke intervals from empirical human distributions using three techniques: histogram sampling, statistical impersonation, and a generative LSTM model.

Experimental Findings and Implications

The study leveraged 13,000 sessions from the SBU corpus to test the attacks. All variants consistently achieved evasion rates of ≥99.8% across the classifier suite. While detectors attained an AUC of 1.000 when confronting fully automated injection, they classified ≥99.8% of attack samples as human with a mean confidence of ≥0.993. The authors also formalized a non‑identifiability result, showing that when a detector observes only timing data, the mutual information between the observed features and the content’s provenance is zero for copy‑type attacks.

Although composition and transcription produce statistically distinguishable motor patterns (Cohen’s d = 1.28), both approaches yield δ values two to four times above the detection thresholds, rendering the statistical distinction practically irrelevant. Consequently, the timing‑based systems can confirm that a human operated the keyboard but cannot determine whether that human originated the text.

The authors conclude that securing provenance will require architectures that explicitly bind the writing process to the semantic content of the text, rather than relying solely on peripheral motor characteristics.

This report is based on information from arXiv, licensed under Academic Preprint / Open Access. Based on the abstract of the research paper. Full text available via ArXiv.