Biometric Authentication Revisited: Understanding the Impact of ...

licoricebedsSecurity

Feb 22, 2014 (3 years and 10 months ago)


Biometric Authentication Revisited:
Understanding the Impact of Wolves
in Sheep’s clothing
Lucas Ballard, Fabian Monrose, Daniel Lopresti
Presented by: Anuj Sawani
1
Biometrics
•What is it?
–identifying, or verifying a person based on
•Physiological characteristics
•Behavioral characteristics
–Examples?
•Biometric Authentication vs Identification
–“Am I who I claim to be?”
–“Who am I?”
•Better than passwords?
2
Handwriting as a biometric
•Offline
–2-D bitmap
•Online
–Real-time data
•Signatures as a biometric?
Feature extraction
Hash/Key
3
So, what’s with the menagerie?
•Sheep
–Easily accepted by the system
•Goats
–Exceptionally unsuccessful at being accepted
•Lambs
–Exceptionally vulnerable to imitations
•Wolves
–Exceptionally successful at imitations
4
The Threat Model
•Exploiting poorly protected template
databases
•Eavesdropping communication between
sensor and the system
•Presenting artificially created samples to the
sensor
5
A neat idea – Concatenation attack
•Samples of user’s handwriting from other
contexts
•General samples of the style of writing
•Feature analysis …
•Generate the user’s handwriting synthetically!
6
Performance Statistics
False Accept Rate (FAR)
False Reject Rate (FRR)
Equal Error Rate (EER)
7
Forgery styles
•Naïve
–Use other users’ writing as it was naturally
rendered to forge the passphrase
•Naïve*
–Similar to Naïve, but uses similar writing styles
•Static
–Forgery using an image of the passphrase
•Dynamic
–Real-time rendering of the passphrase
8
Grooming the sheep into wolves
•11,038 handwriting samples
•Incentives awarded to consistent writers,
“dedicated forgers”
•Three Rounds
1. Collect the samples
2. Static and Dynamic forging
3. Selected “trained” forgers
9
Handwriting features
•How difficult is the feature to forge?
•Signals – t, x(t), y(t), p(t)
•For every feature f
–$r_f$: missed by legitimate users
–$a_f$: missed by forgers
•Quality metric
–$Q = (a_f - r_f + 1)/2$
•Q = 0 – never reliably reproduced by users
•Q = 1 – never reproduced by forgers
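Added example (not from the slides or the paper's own code): scoring features for one user with the quality metric above, as a defender would when deciding which features to keep in a template. The rule for a "miss" (value outside the enrollment mean ± K standard deviations), the feature names and all sample values are assumptions constructed for illustration.

```python
from statistics import mean, stdev

K = 2.0  # assumed tolerance: a value outside mean +/- K*stdev counts as a "miss"

# Constructed sample data for one user: feature name -> observed values.
ENROLL = {"median_gap": [5.0, 5.5, 4.5, 5.0],
          "pen_up_velocity": [1.0, 1.2, 0.8, 1.0],
          "width": [10.0, 12.0, 8.0, 10.0]}
GENUINE = {"median_gap": [5.2, 4.8, 5.0, 5.4],      # later attempts by the user
           "pen_up_velocity": [1.1, 0.9, 1.0, 1.5],
           "width": [9.0, 11.0, 10.0, 12.0]}
FORGED = {"median_gap": [7.0, 6.5, 3.0, 6.0],       # attempts by forgers
          "pen_up_velocity": [2.0, 1.9, 0.3, 1.1],
          "width": [10.0, 11.0, 9.0, 12.0]}


def miss_rate(values, lo, hi):
    """Fraction of attempts whose feature value falls outside [lo, hi]."""
    return sum(1 for v in values if not lo <= v <= hi) / len(values)


def feature_quality(enroll, genuine, forged):
    """Return {feature: (r_f, a_f, Q)} with Q = (a_f - r_f + 1) / 2."""
    result = {}
    for name, samples in enroll.items():
        mu, sd = mean(samples), stdev(samples)
        lo, hi = mu - K * sd, mu + K * sd
        r_f = miss_rate(genuine[name], lo, hi)  # missed by legitimate user
        a_f = miss_rate(forged[name], lo, hi)   # missed by forgers
        result[name] = (r_f, a_f, (a_f - r_f + 1) / 2)
    return result


def select_features(quality, threshold):
    """Features with Q >= threshold, hardest to forge first."""
    keep = [f for f, (_, _, q) in quality.items() if q >= threshold]
    return sorted(keep, key=lambda f: -quality[f][2])


if __name__ == "__main__":
    scores = feature_quality(ENROLL, GENUINE, FORGED)
    for name in sorted(scores, key=lambda f: -scores[f][2]):
        r_f, a_f, q = scores[name]
        print(f"{name:16s} r_f={r_f:.2f} a_f={a_f:.2f} Q={q:.2f}")
    print("keep:", select_features(scores, 0.7))
```

A feature such as the constructed `width` lands at Q = 0.5: the user reproduces it reliably, but so do forgers, so it adds nothing against imitation.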
10
The winning features
•The probability that the $i$th stroke of $c_1$ connects $c_2$
•Median gap between the adjacent characters
•Median time between end of $c_1$ and beginning of $c_2$
•Pen-up velocity
•A total of 36 good features out of 144
11
Algorithm to generate a known
passphrase
•Select n-grams from different contexts such that
–$g_1 || g_2 || … || g_k$ = passphrase
•Normalize t, x(t) and y(t) – match baselines
•Spatial adjustment of x(t)
–Use median gap feature
•Fabricate p(t)
–Use probability of connection feature
–Delayed strokes pushed into stack
•Executed after each pen-up
•Add time delays
–Use median time feature
–Use pen-up velocity and distance between strokes
12
The system at work…
•Used small sample set of 15 samples of user’s
writing
–Each character from passphrase exists in set
–Does not include passphrase
•Also, used 15 samples of similar writing style
•The algorithm caused an EER of 27.4%
–Forgers caused an EER of 20.6%
•n-gram length < 2
•Used 6.67 of the samples on average
13
Conclusion
•Handwriting as a reliable biometric?
–Refutable
•Adversary has been underestimated until now
•Generative approach produces better
forgeries than trained humans
14
Take away
Watch out for the next generation
of wolves!
15