Escolar Documentos
Profissional Documentos
Cultura Documentos
Anil K. Jain
Michigan State University
jain@cse.msu.edu
http://biometrics.cse.msu.edu
1
Outline
• Introduction
• Biometric System Architecture
• Attacks against Biometric Systems
• Taxonomy of Attacks
• Attack Examples
• Solutions to Attacks
• Liveness Detection
• Challenge/Response
• Watermarking
• Summary
2
Biometric System Operation
• Enrollment: User’s biometric data is captured and a salient
feature set is extracted; these features are associated with the
user identity and stored as a template in a database
• Authentication: User’s biometric data is captured and the
extracted feature set is compared with either (i) all the
templates in the database (identification), or (ii) the templates
associated with a claimed identity (verification)
Enrollment
identity
Authentication
identity
4
Types of Threats
Six major types of threats
1 Sensor
2
3 Feature extractor 6
7
4
5 Matcher Database
8
Decision
8
Attack Examples
Attack 1: Synthetic Biometric Submission
• No detailed system knowledge or access privileges is necessary
• Digital protection mechanisms (e.g., encryption) are not
applicable
Putte, Keuning 2000:
• 6 fingerprint verification systems attacked
• 5 out of 6 accepted the dummy finger in the first attempt
10
Attack 1: Dislocated Biometric Submission
11
Attack 2: Bypass Sensor
Soutar 2002:
• Hill-climbing attack for a simple image recognition system
• Matching: Template images create correlation filters,
these filters are then used with input images.
• Attack: Synthetic images are input to the system:
• At each iteration, randomly alter the gray level (8
bits) of 64 pixels: if matching score improves, keep
the new image
• Continue till the system is compromised
Adler 2003:
• Hill-climbing attack for three well known commercial
face recognition systems
• Attack:
• Select an initial image from a local database,
based on the highest matching score
• At each iteration, successively add an eigenface
multiplied with 6 constants (-3c, -2c, -c, c, 2c,
3c) to the current synthetic image: keep the
change that results in the best matching score
improvement
• Crop the gray scale values if they are outside the
image capacity (8 bit Æ 0-255 values are
allowed)
• Continue till the system is compromised
13
Initial System 1 System 2 System 3 Initial System 1 System 2 System 3
Target Target
14
Attack 4: Bypass Feature Extractor
15
System Block
Diagram Template
Database
Di
Synthetic Ti j Fingerprint S ( Di , Ti j ) Output
Template Matcher
Generator
Attack
Module
⎡ 1ri j 1 j
ci 1 j
θi ⎤
⎢2 j 2 j 2 j
⎥ nij : Number of minutia in Tij
j ⎢ ri ci θi ⎥
Ti = ⎢
# # # ⎥ S ( Di , Ti j ) : Matching score between Di & Tij
⎢ ⎥
⎢ nij r j nij
cij
nij j ⎥
θi ⎦
⎣ i 16
Attack Steps
17
Modifying the Input Template
(A) Perturb an existing minutiae: Pick a minutiae randomly:
• With 0.5 probability, perturb the location (randomly to a
neighboring cell); leave the angle intact
• With 0.5 probability, perturb the angle (randomly to a
neighbor angle quantum); leave the location intact
• We want to see the effect of a single move operation
19
Fingerprint Class Prior Probabilities
• Attacker guesses the class of the target template according
to the prior probabilities:
• P(ATA) = 0.066, P(LL) = 0.338, P(RL) = 0.317, P(W) = 0.279
core
delta
21
Class-conditional Minutiae Presence Probabilities
• Experiment:
• NIST 4 database; contains fingerprint images for 4
classes: LL, RL, W, T
• For each of the 4 classes:
• Find the minutiae locations (r,c)
• Find the core location
• Register images based on core
• Estimate the spatial probability of minutiae by
accumulating the minutiae evidence on a 2D grid,
using registered minutiae sets
22
Minutiae Presence Probabilities for Left Loop
3x3 box filter is used for smoothing the original PDF’ s
24
Minutiae Presence Probabilities for Whorl
25
Minutiae Presence Probabilities for Arch
26
Minutiae Presence Probabilities: 2D images
LL RL
W ATA
27
Fingerprint Orientation Fields
LL
RL
28
Fingerprint Orientation Fields
ATA
29
Experimental Results
operating
point
threshold=12.22
31
Histogram of Number of Attempts
Needed to Crack an Account
Hill 2001:
• Synthetic images generated from reverse engineered
minutiae template data from a commercial (undisclosed)
fingerprint authentication system:
• Author accessed unencrypted template data from a
computer hard drive
• The format of the accessed template discovered by
trial/error and by introducing controlled changes in
input images. For each minutiae, its 2D location,
angle and ridge curvature was found
• Orientation field of the target image estimated based
on core and delta point locations.
• Lines starting at minutiae points are drawn, by
taking into account the orientation field
• Synthetic images are not very realistic, but still they
were accepted as genuine template images
35
Hill 2001:
36
Attack 6 & 7: Generate Biometric from Template Data
37
Ross et al. 2005:
38
Solutions to Attacks
Solution to Attack 1: Fingerprint Liveness Detection
• Hardware-based systems:
• Temperature: The temperature of the epidermis is about
8-10 0C above the room temperature
• Conductivity: Typical skin conductivity is nearly 200 kOhm.
• Dielectric constant: Relative Dielectric Constant of human
skin (in the range 20-50) is different from that of silicon
• Heart Beat: Can be used against fingers from cadavers
40
Derakhshani et al. 2003: Image @ t=0 s. Image @ t=5 s.
Live finger
Cadaver finger
Dummy finger
41
Solution to Attack 2: Eliminate Replay
42
Ratha et al. 2001 (1):
Digital Watermarking:
• Embed extra information (e.g., origin, access level,
destination) into the host data itself.
• Applications: Copyright protection, authentication, data
monitoring, transmission of value-added services …
Traditional Watermarking:
47
Yeung, Pankanti 1999:
48
Soln. to Attacks 6 & 7: Protect Templates via Watermarking
49
Jain, Uludag 2003:
Fingerprint
Fingerprint analysis
image
Watermarked fingerprint
Database
Authentication
Decision 50
Watermark Embedding
⎛ PSD ( i, j ) ⎞ ⎛ PGM ( i, j ) ⎞
PWM ( i, j ) = P ( i, j ) + ( 2s − 1) P ( i, j ) q ⎜⎜1 + ⎟⎟ ⎜⎜ 1 + ⎟⎟ β ( i, j )
⎝ A ⎠⎝ B ⎠
PWM (i, j ) : watermarked pixel value
β (i, j ) : feature factor ([0,1])
P (i, j ) : original pixel value
Locations: generated randomly;
s : watermark bit value ([0,1]) generator is initialized with secret
q : watermark embedding strength key.
Redundancy: every bit is
PSD (i, j ) : standard deviation around (i,j) embedded to multiple locations.
A : weight for SD Reference bits: Two bits (0 & 1)
are also embedded in addition to
PGM (i, j ) : gradient magnitude at (i,j)
watermark data.
B : weight for GM
51
Watermark Decoding
8 ⎝ k =−2 k =−2 ⎠
host image (e.g., fingerprint)
Pˆ (i, j ) : estimated pixel value reconstruction
⎧ δ + δ R1 decoded data
⎪1 if δ > R 0 (e.g., eigen-
sˆ = ⎨ 2 : estimated watermark bit
face
⎪⎩0 otherwise. coefficients)
52
Experimental Results
input face
minutiae
overlaid
reconstructed
fingerprint
minutiae overlaid host reconstructed face
fingerprint
eigen-face
coefficients
watermark face
ridge feature image watermarked image 53
original watermarked Inverted difference
minutiae feature
based - =
ridge feature
based
- =
54
Summary
55
References
• Ratha et al. 2001 (1): N.K. Ratha, J.H. Connell, and R.M. Bolle, “An analysis
of minutiae matching strength”, Proc. AVBPA 2001, pp. 223-228.
• Maltoni et al. 2003: D. Maltoni, D. Maio, A.K. Jain, and S. Prabhakar,
Handbook of Fingerprint Recognition, Springer, 2003.
• Uludag, Jain 2004 (1): U. Uludag and A.K. Jain, “Attacks on biometric
systems: a case study in fingerprints”, Proc. SPIE-EI 2004, Security,
Steganography and Watermarking of Multimedia Contents VI, vol. 5306, pp.
622-633.
• Putte, Keuning 2000: T. Putte and J. Keuning, “Biometrical fingerprint
recognition: don’t get your fingers burned”, Proc. IFIP TC8/WG8.8, Fourth
Working Conf. Smart Card Research and Adv. App., pp. 289-303, 2000.
• Matsumoto et al. 2002: T. Matsumoto, H. Matsumoto, K. Yamada, and S.
Hoshino, “Impact of Artificial Gummy Fingers on Fingerprint Systems”, Proc.
of SPIE, Optical Security and Counterfeit Deterrence Techniques IV, vol. 4677,
pp. 275-289, 2002.
• Soutar 2002: C. Soutar, “Biometric system security”,
http://www.bioscrypt.com/assets/security_soutar.pdf
• Adler 2003: A. Adler, “Sample images can be independently restored from
face recognition templates”, http://www.site.uottawa.ca/~adler/
publications/2003/adler-2003-fr-templates.pdf
56
References
• Uludag, Jain 2004 (2): U. Uludag and A.K. Jain, “Fingerprint Minutiae Attack
System”, The Biometric Consortium Conference, Virginia, September 2004.
• Hill 2001: C.J. Hill, “Risk of masquerade arising from the storage of
biometrics”, B.S. Thesis, http://chris.fornax.net/biometrics.html
• Ross et al. 2005: A. Ross, J. Shah, A. Jain, “Towards Reconstructing
Fingerprints From Minutiae Points”, Submitted to SPIE Biometrics Conference,
2005.
• Derakhshani et al. 2003: R. Derakhshani, S.A.C. Schuckers, L.A. Hornak, and
L.O. Gorman, “Determination of vitality from a non-invasive biomedical
measurement for use in fingerprint scanners”, Pattern Recognition, vol. 36,
pp. 383-396, 2003.
• Ratha et al. 2001 (2): N.K. Ratha, J.H. Connell, and R.M. Bolle, “Enhancing
security and privacy in biometrics-based authentication systems”, IBM
Systems Journal, vol. 40, no. 3, pp. 614-634, 2001.
• Yeung, Pankanti 1999: M.M. Yeung and S. Pankanti, “Verification watermarks
on fingerprint recognition and retrieval,” Proc. SPIE EI 1999, vol. 3657, pp.
66-78.
• Jain, Uludag 2003: A. K. Jain and U. Uludag, “Hiding biometric data”, IEEE
Trans. PAMI, vol. 25, no. 11, pp. 1494-1498, November 2003.
57