Improving Usability and Testing Resilience to Spoofing of Liveness Testing Software for Fingerprint Authentication

Joshua Smith
with Advisor Dr. S. Schuckers

Honors Program Thesis Proposal
March 7th, 2005



Objective:


To improve the speed and usability of currently existing software that processes liveness as an anti-spoofing measure in fingerprint biometric devices and use the improved software to experimentally test the resilience of liveness algorithms to spoofing attempts. The current implementation of this software is relatively slow (15-20 seconds per fingerprint processed) and configured to process a large quantity of fingerprints at once. The improved software will reduce the total time it takes from capture of a fingerprint to feedback to the user, which facilitates faster experimentation and greater practicality for commercial applications.


Introduction:


In today’s high-speed internet-enabled world, millions of transactions occur every minute: from bidding on an item on an online auction site to a company negotiating prices with a contractor. For these transactions, data needs to be readily available for the people who are meant to have access, and kept securely from those who should not. Data, the intangible product of the networked world, has become nearly equivalent to currency; it holds company trade secrets, consumer credit card numbers, and confidential military information. Keeping data from the wrong people is in everyone’s best interest.


A common method used to keep data from falling into the wrong hands is the use of passwords of various kinds. The typical uses of passwords are in the context of challenge and response: a user is prompted to identify himself to the system he is trying to access and supply the password associated with that identity (typically a login name). This process is one based on knowledge or possession, that is, if one knows/has the password then he is granted access. With this system structure, it is easy for anyone to gain access to data if they are given (or can possibly guess) the right information. In addition, this places a heavy burden on the users of the system: they must create good (long, “un-guessable”) passwords for each system they have access to, and remember these passwords.


A second method of securing data and systems is through the use of biometrics. Biometrics is defined as the “automated use of physiological or behavioral characteristics to determine or verify identity.” [1] For example, fingerprints, iris, face, or hand geometry can be used to authenticate a person. Biometrics shifts the burden of knowledge/possession off the user and places it on a person’s physical or behavioral characteristics. In order to access a system that requires the input of biometric data, the process becomes “something you are” rather than “something you possess.” [2] This shift of burden from possession to some quality of a person directly ties access to data with a person’s identity over what that person knows. The difference between these two technologies is illustrated in the example that follows.

Say, for example, John Smith is a user of his company’s online paycheck system, which allows users to access financial information after supplying their password. When John picked a password he wrote it on a sticky note and stuck it underneath his desk, since he had too many passwords to remember already. When one of the night-shift workers accidentally discovered the note, they could easily pose as John and gain access to his online paycheck information. As far as the authentication system is concerned, a user claimed to be John Smith and presented his password, therefore it must be him.

If the paycheck system instead used biometric data for verification, there would be no need for a password. After enrollment into the system, John would simply need to present the biometric data required (a fingerprint, iris or signature) to gain access. Since biometric data is unique among individuals (discussed later) he would not have to worry about other users accessing his account.

With a biometric system, people attempting to gain access cannot guess (or learn) something that will give them access. Only users who have been enrolled in the system will be given access after they have presented their biometric data and are verified. This raises an obvious question: can one “spoof” a biometric system into allowing access? Methods such as using play-doh or gelatin fingers with the same features as an enrolled identity have been shown to allow access for unauthorized users. In order to reduce the chance of unauthorized access, methods of authentication need to be improved to ensure that the biometric data being presented is being presented by a live authorized person, who wishes to be authenticated. To address the first of these issues, methods have been proposed to detect the liveness of a person in a non-invasive manner. [3, 4] These algorithms have been shown to accurately produce results when presented with live, cadaver, and spoof fingerprints. However, a question has been raised as to whether or not the liveness detection, an anti-spoofing mechanism, can itself be spoofed.

In summary, using biometrics in systems results in a high degree of certainty of a person’s identity. Additionally, since biometric data cannot be shared there is an increase in accountability for the state of protected data. This confidence and accountability leads to more security, resulting in cost savings and reduced risk of financial loss for individuals and companies. [1] However, potential exists to exploit biometric systems through “spoofing.” The purpose of this research is to investigate the resilience of an existing liveness detection algorithm, an anti-spoofing measure itself, to spoofing attempts.


Background:

Biometric Systems - Types and Process


All biometric systems fall under two categories, which are familiar to those involved in security systems: identification and verification. The process, applications, and challenges are unique for both these categories because of the system-level differences that exist. An identification system is sometimes referred to as “1:N Matching” because a user presents biometric data to the system and the system attempts to identify if the user is enrolled in the system and who the person is. A verification system is referred to as “1:1 Matching” because a person makes a claim to his or her identity, presents biometric data, and the system compares the presented biometric data to the data on file only for the claimed identity. A helpful way to distinguish between these two types of authentication is the two different questions that users are essentially asking: in identification, “Who am I?”; in verification, “Am I who I claim to be?” [1]


The process of using a biometric system is designed to be as transparent as possible. To understand what occurs during the verification or identification process, a few sub-processes need to be defined. The overall procedure is shown in Figure 1.


[Figure 1 - Biometric System data flow. Blocks shown: Presentation, Enrollment, Presentation, Feature Extraction, Template Generation, Matching, Stored Template, Output, Vitality Detection]


Presentation is where the user physically presents to the biometric system the data required for capture, such as a fingerprint, iris, or hand.


Enrollment is the process when a user is initially registered for access to a system. This requires the user to present his or her biometric data (fingerprint, iris, hand, etc.) so that a template can be formed in the system. This template will serve as a basis for comparison when attempting to gain access at later times. Since the template will be used many times in the future, the quality of the biometric data acquired during this stage is critical. This stage of using a biometric system can be the most tedious.


Feature Extraction is an automated process of locating and encoding distinctive characteristics from biometric data to generate a template. [1] For fingerprints a common method of feature extraction is minutia matching. This is done by locating ridge endings and ridge “Y’s” (bifurcation) and recording them with their location and direction, relative to other distinctive features on the thumb. An example fingerprint with marked ridge endings and bifurcations is shown below in Figure 2.



[Figure 2 - Ridge endings and bifurcations. http://www.east-shore.com/tech.html]


Templates are the output of feature extraction and are the saved identity of a person on a system. The original biometric data cannot be reproduced from the template; the template only contains relevant information to differentiate between multiple individuals, such as the location and direction of ridge endings and bifurcations, mentioned previously. The size of a typical template (this varies from implementation to implementation) is very small, on the order of less than 1 kilobyte, whereas the original image could be a few hundred kilobytes, depending on the capturing technology and resolution.


Matching is the process where the presented biometric data’s template is “matched” with either the user’s template in the system, in the case of verification; or with any user of the system, in the case of identification. It is important to note that after a user enrolls in a system, later presentations of biometric data will rarely, if ever, produce the exact same template. This requires that a system threshold be set for the greatest difference that can exist between an enrollment template and a generated template to be considered a match. This tolerance is critical for system operation to be seamless (low false non-match rate), but the threshold should not be too high, as that reduces the system’s security and increases the false match rate.


Biometric Data


Biometric data is different than a password that can be guessed or changed because it relies on a physical or behavioral characteristic of a person. In order for a biometric system to function well, the qualities of the data taken need to be such that all users of the system can be uniquely identified. Fundamental and secondary qualities are listed below.


Fundamental Qualities

Universality: Must be some trait that can be taken from many people
Uniqueness: Unique per person; quality must not occur in two different individuals
Permanence: Quality must be constant over time (eliminates need for re-enrollment)
Collectability: Characteristic must be able to be measured quantitatively

Secondary Qualities

Performance: How well the biometric balances the various requirements of the systems
Acceptability: The acceptance of the users to present the biometric data
Circumvention: How easy it is to fool the system


Fingerprints


There are numerous possible candidates for biometric data, each with strengths and weaknesses in the qualities outlined above. Common biometrics include fingerprint, eye, hand, face, voice, and signature. Since fingerprints are being proposed to be used in this research, the qualities of fingerprints will be explored in detail.


Using fingerprints for identity verification is the oldest and most widely used biometric. This is because fingerprints have strong fundamental qualities: nearly everyone has distinguishable fingerprints (except for those without fingers, or those with certain skin diseases), and fingerprints are unique from person to person and from finger to finger, offering up to 10 unique prints per person. Fingerprints are formed during embryonic development and, once formed, have a high degree of permanence over the course of a person’s life. [2] Fingerprints are easily captured using various non-invasive techniques including Capacitive AC, Capacitive DC, Optical, Opto-electric. [4] Due to the high degree of uniqueness among fingerprints and the accuracy and ease with which they can be measured, fingerprints offer a good choice of biometric data.


Equipment being used by the researcher includes the Ethentica, Secugen, and Precise fingerprint scanners.


Current issues with use of fingerprints


While biometric systems can offer greater levels of security, various attacks exist to gain unauthorized access to a system that is protected by biometric authentication. One such attack is the type that can occur at the sensor level, such as the presentation of an artificial biometric sample. [4] For a system that uses a fingerprint as its biometric data, it has been found by multiple groups that the use of “gummy fingers” (artificial fingers made from gelatin) can spoof a biometric system. One such study found that it was possible to create a gummy finger from a latent fingerprint, enroll into the system and then verify using the same gummy finger against a live enrolled template. [5]


Methods have been proposed to make spoofing biometric systems more difficult. The method that is considered here is the determination of liveness. Determining whether or not a person is live when they present their biometric data to a system can be a difficult task to automate in a fashion that is acceptable to users and feasible to implement. Many methods exist, such as temperature sensing, detection of pulse in fingertip, pulse oximetry, electrocardiogram, dielectric response, and impedance. [4] Each of these methods has its own challenges in being able to automate and integrate into systems in the most transparent way possible. For example, the extra equipment required to perform some of these tests, such as electrocardiogram, can be expensive and inconvenient for the user.


A method that requires no extra equipment has been proposed by researchers at West Virginia University and Clarkson University. The foundation of this technique is detecting active perspiration while biometric data is being presented. That is, a live finger will show a temporal change in its reading whereas an artificial (non-live) finger will show no such change. Liveness detection is then a secondary filter to authentication: even if the fingerprint is verified, the finger needs to additionally be detected as “live.” [3]


Liveness Detection


This is a summary of the current methods used by the research team at Clarkson University for liveness detection. The full description of the process can be found elsewhere. [3, 6]


The method to determine whether a sample presented for authentication is live or not is based on three assumptions. First, for live fingers, perspiration starts from pores on the fingertips. This will leave a pore completely covered with perspiration, or as a dry spot surrounded by a sweaty area. Second, sweat diffuses along ridges in time. This means the pore region will remain saturated while moisture spreads to drier parts. Third, perspiration does not occur in cadaver or spoofed (gummy) fingers.


The first of these assumptions creates the rationale for the Static Measures (SMs) made by the liveness algorithm. The second assumption is the basis for the Dynamic Measures (DMs). In terms of the algorithms used, these measures are described briefly below.


SM: For live fingerprints there is roughly a 10 pixel peak-to-peak distance which corresponds to pore-to-pore distance. The cadaver and spoof prints will not have this. To quantify this difference, the average Fourier transform of a capture at t=0s is performed, where the energy related to the typical pore spacing is used. Thus, the energy reading of a cadaver or spoof print is low compared to a live print.

DM1: Total Swing ratio of the first to the last fingerprint signal. This compares how much “fluctuation” there is in the first capture in comparison to the second capture. The first capture should have greater variations in grey levels because sweat has not had time to diffuse and there are more distinct moist and dry areas.

DM2: Min/max growth ratio of first and last fingerprint signal. This compares the max/min signal level ratio. For live fingerprints, the maximums should not increase because pores are already saturated. Therefore this ratio should be greater for a live finger than a cadaver or spoof sample.

DM3: Last-first fingerprint signal difference mean. This subtracts the first ridge signal from the last signal. This difference will be greater for a live finger (corresponding to perspiration pattern) than for a non-live finger.

DM4: Percentage change of standard deviations of first and last fingerprint signals. This is similar to other measures. If the ridge signal fluctuation is decreasing with respect to the mean then this measure will increase.

DM5: Rate of low cut-off region disappearance. The higher this measure the faster dry saturation is disappearing. [6]

DM6: Rate of high cut-off region disappearance. The higher this measure is, the faster wet saturation is appearing. [6]
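The measures above can be made concrete with a short added example, which is not the research team's MATLAB code (the exact formulas are in references 3 and 6). It computes SM, DM1, DM3 and DM4 from a first and a last ridge signal and applies liveness as a secondary filter after matching. The formulas, the fixed thresholds, the function names and the two signal pairs are all assumptions constructed for illustration.

```python
import cmath
import math
from statistics import fmean, pstdev

N = 200              # samples in each constructed ridge signal
PORE_PERIOD_PX = 10  # "roughly a 10 pixel peak-to-peak distance" in the text

# Assumed cut-offs for this sketch only; the described software scores the
# measures with a separate script on a -1 (not live) to 1 (live) scale.
THRESHOLDS = {"SM": 0.5, "DM1": 1.5, "DM3": 5.0, "DM4": 20.0}


def static_measure(first, period=PORE_PERIOD_PX):
    """SM (assumed form): share of non-DC spectral energy at the pore spacing."""
    n = len(first)
    mean = fmean(first)

    def energy(k):
        coeff = sum((s - mean) * cmath.exp(-2j * math.pi * k * i / n)
                    for i, s in enumerate(first))
        return abs(coeff) ** 2

    total = sum(energy(k) for k in range(1, n // 2 + 1))
    return energy(round(n / period)) / total if total else 0.0


def swing(signal):
    """Total swing: summed absolute grey-level change between neighbours."""
    return sum(abs(b - a) for a, b in zip(signal, signal[1:]))


def measures(first, last):
    """SM from the first capture; DM1, DM3, DM4 from first vs. last capture."""
    cv_first = pstdev(first) / fmean(first)   # fluctuation relative to the mean
    cv_last = pstdev(last) / fmean(last)
    last_swing = swing(last)
    return {
        "SM": static_measure(first),
        # A perfectly flat last capture scores 0.0, so the check fails closed.
        "DM1": swing(first) / last_swing if last_swing else 0.0,
        "DM3": fmean([l - f for f, l in zip(first, last)]),
        "DM4": 100.0 * (cv_first - cv_last) / cv_first if cv_first else 0.0,
    }


def looks_live(m):
    """Every measure must clear its (assumed) cut-off."""
    return all(m[name] >= cutoff for name, cutoff in THRESHOLDS.items())


def access_granted(template_matched, first, last):
    """Liveness as a secondary filter: a template match alone is not enough."""
    return template_matched and looks_live(measures(first, last))


def constructed_signals():
    """Constructed data: (first, last) grey levels along a ridge, live and spoof."""
    ridge = [10 * math.cos(2 * math.pi * i / 40) for i in range(N)]
    pores = [math.cos(2 * math.pi * i / PORE_PERIOD_PX) for i in range(N)]
    # Live: strong pore pattern at first; later the dry minima rise as sweat
    # diffuses while the saturated maxima stay put (170 in both captures).
    live = ([120 + r + 40 * p for r, p in zip(ridge, pores)],
            [145 + r + 15 * p for r, p in zip(ridge, pores)])
    # Spoof: no pore periodicity and only a small uniform drift over time.
    spoof = ([130 + r for r in ridge], [131 + r for r in ridge])
    return live, spoof


if __name__ == "__main__":
    live, spoof = constructed_signals()
    for label, (first, last) in (("live", live), ("spoof", spoof)):
        m = measures(first, last)
        print(label, {k: round(v, 3) for k, v in m.items()},
              "granted:", access_granted(True, first, last))
```

On the constructed data, the spoof pair has a matching template but fails every measure, so the secondary filter rejects it while the live pair passes.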


Research Definition


This research proposes to work on two related areas in liveness detection: first, to improve the current implementation of software so that it has a more streamlined interface and can process data to produce results quickly; second, to use the improved software to determine whether the liveness detection algorithm can be “spoofed,” that is, can the algorithm that was developed to eliminate spoofing attempts using “gummy fingers” be spoofed with additional measures. These two areas are described in more detail below.


Software Improvement:

The current implementation for liveness detection is relatively slow in multiple aspects. In order for the user to get a response as to the liveness of the sample presented, the user must capture the data, run the feature extractor, and then run the liveness algorithm which uses the output of feature extractor to produce an output. Each of these steps requires use of separate programs, where data needs to be manually moved from folder to folder so that the subsequent program can process it. Additionally, the time that it takes to process the data (not including time to move data from folder to folder) is long, up to 20 seconds per fingerprint. It has been suggested that in commercial applications there should be a response for users within 5 seconds.

To decrease the overall time it takes to process data, multiple approaches will be taken.

- Algorithms are currently implemented in MATLAB 7. Translating these into C/C++ code could offer speed-ups in some areas. Determine what areas of the code are the slowest using MATLAB profiler. Determine if algorithmic speed-ups can be made using MATLAB or other languages.

- Integrate capture, feature extractor, and vitality detection features into one interface with a common data area so that the user will not be required to manually move data among folders. This includes developing a Graphical User Interface for ease of use.

- Diversify data processing operations. Current implementation only allows for batch processing of multiple fingerprints. Being able to capture and immediately receive feedback or capture many fingerprints and then run a batch process is useful.


In order to achieve these goals, steps will be taken in the software product life-cycle to clearly develop specific steps that will be taken to develop software. The steps of the software life cycle are briefly outlined below:

1. Requirements Phase: “What is needed?” The needs of the end-product are explored and refined in this phase. What is needed by the biometrics research team for this and future projects will be determined and ways that the current software product can be improved to better meet these needs will be considered.

2. Specification Phase: “What will the product do?” With the needs of the final product determined, these needs will be analyzed and formed into a specifications document. The specification document outlines what the product will do in a specific manner. This is the developer’s chance to outline what he thinks the final product features will be and receive feedback from the research team.

3. Design Phase: “How will the product do what it needs to?” This step requires the developer to break the product down into components, determine how they interact, and then develop plans for each of the components (modules) needed to make the final product. The resulting documents will provide a detailed set of plans which outline how the product will do what it is supposed to do. Additionally during this phase test plans will be developed for the components to determine if they are working correctly after implementation of the design.

4. Implementation Phase: Coding and testing of the modules planned in the design phase occurs in this phase. Each module will be debugged and tested against the test plan formulated in the design phase.

5. Integration Phase: “Putting it together” Tested modules are merged together into a whole product and tested as a whole. The final software will be presented to the biometrics research team for acceptance testing.

For this research a product already exists which supports processing batches of fingerprint data. The fundamental requirements for the functionality of the improved program are already shown in the current software implementation. However, the current implementation of the product will be assessed and reviewed beginning at these original requirements to determine how the product might be improved. This process will “front-load” much of the development work, putting in significant time in determining what is required, and how to best implement it.



Spoofing Liveness Detection Algorithm:


As noted previously, methods such as use of “gummy fingers” have been found that can “spoof” biometric systems. Knowing the methods/algorithms that the liveness detection software uses, techniques could be developed that exploit the method used to determine liveness. For example, since the algorithm is looking for a temporal change in the fingerprint, varying the pressure of a gummy finger during capture or sprinkling the finger with water prior to capture could possibly spoof the algorithm to produce a “live” response. It is unknown whether these techniques will fool the liveness algorithm; this is the subject of this task. Techniques will be investigated by capturing “spoofed” data and processing the data to generate a response.


After testing various techniques to spoof the algorithm, documentation of successful attempts will be made so that the weakness in the algorithm can be studied and improved so that these false positives will no longer be accepted. That is, after possible spoof methods are discovered, these will be documented and then tested using ten casts previously collected. Each of the documented methods will be tested across the ten casts.



Preliminary Progress:


Research thus far has been cleaning up MATLAB code and investigating methods for speeding up the existing code such as compiling the MATLAB code, or using C/C++ functions within MATLAB. All work has been conducted on a copy of the original program so that quantifiable comparisons can be made at various points in development.


Three separate programs are currently being used for research in liveness detection. First, a capture program is used to obtain a raw fingerprint image from one of three capture devices. Depending on the device being used, different capture software will be needed. After capturing a fingerprint, the data needs to be placed in the correct directory for features extraction and measures (SM and DM1-6) to be done. The current script that does this, FPVitality, is suited best for batch processing where multiple capture devices may be used for a single fingerprint. After the BatchProcess is run in FPVitality, measures are generated and stored in *.mat files. These need to be manually moved to another working directory so a separate MATLAB script, Outcomes, can interpret the output results and produce a result from -1 to 1 (not live to live).


Figure 3 below shows the data processing and user interaction with the current implementation of the software.


[Figure 3 - Current Data flow and user interactions. Blocks shown: Biometric Data Presented, Move captured data to FPVitality, FPVitality, Move measures data to Outcomes, Outcomes, Final Result (Live, not Live)]



Preliminary work that has been conducted in regards to this process has been understanding how this process works, the input that is required, and the output that is obtained. As previously mentioned, the current software implementation is slow, taking on the order of a minute to complete one fingerprint from input to output, including processing time and data movement. It is believed that this is due partially to the nature of the code (inefficiency) and partially to required user interaction. As outlined in the section regarding software improvement, the current implementation will need to be revisited from the beginning through conferencing with researchers to determine how to best meet the needs of the team. Additional features desired, if any, will need to be specified, and the non-essential portions of the code eliminated.


Preliminary list of software requirements:

1. Various modes of operation including “single shot” (one capture with on-screen results), and “batch” (multiple captures with displayed and saved results).

2. One interface which allows the user to capture, process, and view results.

3. Software written so that it can be easily integrated with other software (such as authentication software).

4. Minimal action required by the user; data flow should be handled automatically by the software.

5. Options should be available to the user to see and save intermediate measures data in addition to the final output.

6. Results presented in a responsive manner, which is conducive to performing repeated trials in order to test the algorithm’s resilience to spoofing.


Timeline:

Finished By:        Task:
End March 2005      Received/developed a set of requirements for improved software
End April 2005      From requirements, develop specifications. Verify with team.
Summer 2005         Design software based on specified requirements.
Early Fall 2005     Module implementation and testing. Integration testing.
Fall 2005           Develop methods of possible spoofing techniques.
Winter 2005         Use implemented software in testing proposed spoofing techniques
January-Feb 2006    Time for software revision and additional spoofing techniques.
March 2006          Thesis draft done, develop presentation.
April 2006          Presentation. Thesis final draft.





[1] S. Nanavati, M. Thieme, R. Nanavati. Biometrics: Identity Verification in a Networked World. John Wiley and Sons, Inc. 2002.

[2] A. Jain, R. Bolle, S. Pankanti. Biometrics: Personal Identification in Networked Society. Kluwer Academic Publishers. 1999.

[3] R. Derakhshani, S.A.C. Schuckers, L. A. Hornak, and L. O’Gorman. “Determination of vitality from a non-invasive biomedical measurement for use in fingerprint scanners.” The Journal of the Pattern Recognition Society. No 36, 2003. 383-296.

[4] S.A.C. Schuckers. “Spoofing and Anti-Spoofing Measures,” Information Security Technical Report. Vol. 7 No 4, 2002. 56-62.

[5] T. Matsumoto, H. Matsumoto, K. Yamada, S. Hoshino, “Impact of Artificial ‘Gummy’ Fingers on Fingerprint Systems”, Proceedings SPIE, vol. 4677, January, 2002.

[6] R. Derakhshani. “Perspiration Detection Program’s Quick Guide For the New Enhanced Feature Extractor” Center for Identification Technology (CITeR). Lane Department of Computer Science and Electrical Engineering, West Virginia University.