Targeted impersonation as a tool for the detection of biometric system vulnerabilities

This paper argues that biometric verification evaluations can obscure vulnerabilities that increase the chances that an attacker could be falsely accepted. This can occur because existing evaluations implicitly assume that an imposter claiming a false identity would claim a random identity rather than consciously selecting a target to impersonate. This paper shows how an attacker can select a target with a similar biometric signature in order to increase their chances of false acceptance. It demonstrates this effect using a publicly available iris recognition algorithm. The evaluation shows that the system can be vulnerable to attackers targeting subjects who are enrolled with a smaller section of iris due to occlusion. The evaluation shows how the traditional DET curve analysis conceals this vulnerability. As a result, traditional analysis underestimates the importance of an existing score normalisation method for addressing occlusion. The paper concludes by evaluating how the targeted false acceptance rate increases with the number of available targets. Consistent with a previous investigation of targeted face verification performance, the experiment shows that the false acceptance rate can be modelled using the traditional FAR measure with an additional term that is proportional to the logarithm of the number of available targets.
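The difference between the traditional FAR and the targeted FAR described above can be reproduced on synthetic scores; the following is an added example, not code from the paper or from the iris algorithm it evaluates. Assumptions: impostor Hamming distances are constructed from a normal approximation, each target keeps between 200 and 911 unoccluded bits, the threshold is 0.45, the normalisation takes the Daugman-style form with a 911-bit reference, and all function names are hypothetical.

```python
import math
import random

REF_BITS = 911  # reference bit count in the assumed Daugman-style normalisation

def simulate(n_attackers, n_targets, seed=1):
    """Constructed data: raw impostor Hamming distances plus bits compared.
    Each enrolled target keeps a fixed number of unoccluded bits (200..911)."""
    rng = random.Random(seed)
    bits = [rng.randint(200, REF_BITS) for _ in range(n_targets)]
    # Normal approximation to a fair-coin binomial over n compared bits:
    # fewer bits means a wider spread and a heavier low-score tail.
    raw = [[rng.gauss(0.5, 0.5 / math.sqrt(n)) for n in bits]
           for _ in range(n_attackers)]
    return raw, bits

def normalise(raw, bits):
    """Pull each score toward 0.5 in proportion to how few bits were compared."""
    return [[0.5 - (0.5 - hd) * math.sqrt(n / REF_BITS)
             for hd, n in zip(row, bits)] for row in raw]

def traditional_far(scores, threshold):
    """Every attacker/target pair counts equally (random identity claim)."""
    flat = [s for row in scores for s in row]
    return sum(s <= threshold for s in flat) / len(flat)

def targeted_far(scores, threshold, n_available):
    """Each attacker claims the closest of the first n_available targets."""
    hits = sum(min(row[:n_available]) <= threshold for row in scores)
    return hits / len(scores)

def report(threshold=0.45, sizes=(1, 10, 100, 1000)):
    raw, bits = simulate(n_attackers=500, n_targets=max(sizes))
    norm = normalise(raw, bits)
    rows = [(n, targeted_far(raw, threshold, n),
             targeted_far(norm, threshold, n)) for n in sizes]
    return traditional_far(raw, threshold), traditional_far(norm, threshold), rows

if __name__ == "__main__":
    far_raw, far_norm, rows = report()
    print(f"traditional FAR  raw={far_raw:.4f}  normalised={far_norm:.4f}")
    for n, t_raw, t_norm in rows:
        print(f"targets={n:5d}  targeted FAR raw={t_raw:.3f}  normalised={t_norm:.3f}")
```

The single traditional FAR figure averages over all targets, so the heavily occluded enrolments that dominate the targeted figure are hidden in it.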
