Biometrics Security


description

Biometric authentication, briefly put, is the identification of humans by their characteristics, such as irises, finger or palm prints, voice or facial patterns and DNA. We used to see it more often in the movies than in day-to-day life. Although Hollywood productions are still ahead of us, each year we get closer to the science-fiction vision they create on the screen.


Extra 11/2012 4

digest

Trusted Biometrics under Spoofing Attacks

This article will help you to understand the potential vulnerabilities of biometric systems to spoofing and the need for the development of countermeasures.

BY SÉBASTIEN MARCEL

Identity management for persons using biometrics has become a reality mainly because of the biometric passport (e-passport) but also because of the presence of more and more biometric-enabled applications for personal computers, such as fingerprint (ThinkPad T42, Toshiba E105_S1602, HP dv6500t) or face (Lenovo VeriFace, Asus SmartLogon, Toshiba Face Recognition) login applications. Although the market of identity management using biometrics is dominated by some key players (Safran Morpho, L-1 Identity Solutions or Cognitec) focusing mainly on high security applications (Business-to-Business market), new exploitation routes (Business-to-Consumer market) are currently explored by Small and Medium-sized enterprises (KeyLemon, Visidon, Mobbeel, BioID, Biometry) focusing on computer login, universal login for social networks or cloud computing solutions. However, these routes are also explored by innovative companies, as demonstrated by the recent acquisition of face recognition companies: the acquisition of Face.com by Facebook in 2012, the acquisition of PolarRose by Apple in 2010 and the acquisition of NevenVision, PittPatt, and Viewdle by Google respectively in 2006, 2011 and 2012.

Figure 1. Vulnerabilities of biometric systems

This market of identity management using biometrics is thus growing rapidly. Unfortunately, it has been shown recently that conventional biometric techniques, such as fingerprint or face recognition, are vulnerable to attacks. These attacks have already been identified in the scientific literature and are depicted in Figure 1.

Vulnerabilities of Biometric Systems

Two types of attacks are broadly considered: direct attacks and indirect attacks. Direct attacks are performed at the sensor level (referred to as 1 in Figure 1), outside the digital limits of the system. Therefore, no digital protection mechanism can be used. In a direct attack, also called spoofing, a person tries to masquerade as another one by falsifying data and gaining an illegitimate advantage. Indirect attacks are performed inside the system and are due to intruders, such as cyber-criminal hackers, bypassing the feature extractor or the matcher (referred to as 3 and 5 in Figure 1), manipulating the templates in the database (referred to as 6 in Figure 1), or exploiting the possible weak points in the communication channels (referred to as 2, 4, 7 and 8 in Figure 1).

Spoofing

These attacks are a major problem for companies willing to market identity management solutions based on biometric technologies. This is particularly true for direct attacks. Indeed, indirect attacks require advanced programming skills, but direct attacks don't require any of those skills. Consequently, the potential number of attackers increases dramatically. As a matter of fact, it has been shown that biometric systems based on fingerprint and face are vulnerable to direct attacks.

In their famous paper entitled Impact of Artificial Gummy Fingers on Fingerprint Systems, Matsumoto et al. provided recipes for making an artificial finger from a live finger and a residual fingerprint. They demonstrated the vulnerabilities of several fingerprint devices. This spoofing attack has been studied extensively and has also been pointed out by the European project FIDIS (Future of Identity in the Information Society) in its deliverable D6.1 Forensic Implications of Identity Management Systems and, more precisely, section 5.5 page 45. In the same deliverable, the FIDIS project has shown methods for iris spoofing, hand geometry spoofing and hand vascular spoofing. However, no countermeasures to these spoofing attacks have been proposed.

The Security and Vulnerability Research Team of the University of Hanoi (Vietnam) presented a study [4] at Black Hat 2009, the world's premier technical security conference. This paper explained that a simple photo attack (Figure 2) can fool the face authentication system provided in Lenovo, Asus and Toshiba laptops. This vulnerability is now listed in the National Vulnerability Database of the National Institute of Standards and Technology (NIST) in the US.

Countermeasures

Overall, there is a need for efficient and reliable solutions for detecting and circumventing spoofing attacks.

The typical countermeasure to a spoofing attack is liveness detection, which aims at detecting physiological signs of life. This can be done in four different ways: (1) with available sensors, to detect in the signal a pattern characteristic of liveness/spoofing, (2) with dedicated sensors, to detect evidence of liveness, which is not always possible to deploy, (3) with a challenge-response method, where a spoofing attack can be detected by asking the user to interact with the system, or (4) with recognition methods intrinsically robust against attacks, if any.

Another possible countermeasure is multi-modal biometrics. Indeed, voice recognition, for instance, could be performed jointly with face recognition and would be more robust to an attack on the video stream. Similarly, gait, face and iris recognition could be performed jointly. Additionally, it has been shown recently in pioneering work that emerging biometrics such as gait, vein or electro-physiological signals (Electroencephalography, EEG, or Electrocardiography, ECG) are potentially very difficult or impossible to spoof.

Figure 2. An example of photo attack

Recently, the Idiap research institute (www.idiap.ch) organized an international competition on countermeasures to spoofing attacks in face recognition, held in conjunction with the International Joint Conference on Biometrics in 2011. The research institute released REPLAY-ATTACK (www.idiap.ch/dataset/replayattack), a public face spoofing database aiming to challenge the most advanced spoofing countermeasures. This database contains diverse spoofing attacks (printed photos, photos displayed on a mobile phone or a tablet, videos replayed on a mobile phone or a tablet), but it also provides a unique evaluation protocol to measure the vulnerability of a face recognition system in addition to the accuracy of countermeasures. Using this database, it has been shown that simple photo attacks can be easily detected but that replayed videos are more challenging.

Despite the progress of research in the development of countermeasures, new ways to forge spoofing attacks can emerge anytime. For instance, 3D printing technologies make it possible to replicate realistic masks from pictures or 3D scans. As a matter of fact, it is currently possible to order from the website That's My Face (www.thatsmyface.com) custom life or wearable masks (Figure 3) by uploading a frontal and a profile picture of someone's face. However, studies would need to be performed to evaluate the vulnerability of 2D or 3D face recognition systems to these masks.

A Case Study on Spoofing 2D Face Recognition

Spoofing a face recognition system is particularly easy to perform: all that is needed is a simple photograph of the user. In [4] it was shown how to successfully spoof a laptop authentication system using only a printed photograph. Later, one of the first experimental studies [1] using a rigorous methodology was carried out. It measured the vulnerability of a 2D face recognition algorithm to printed photographs. This work has recently been extended [2] to photos and videos replayed on an electronic screen (both a mobile phone and a famous tablet), and the captured attacks have been made publicly available (Figure 4) for research purposes.

Figure 3. A custom life mask ordered on the Internet

Figure 4. Examples of attacks publicly available at https://www.idiap.ch/dataset/replayattack

Figure 5. Distribution of the matching scores of a 2D face recognition system. In blue: the matching scores of genuine persons (real accesses). In pink: the matching scores of zero-effort impostors (not spoofing). In grey: the matching scores of spoofing attacks from the REPLAY database

This study measured the vulnerability to these more elaborate attacks and proposed a set of countermeasures. From a detailed analysis of the matching scores (Figure 5) it was measured that more than 82% of the attacks pass the considered face recognition system [2]. This validates the attacks in the REPLAY-ATTACK database as valuable for further investigation of countermeasures. The study then investigated the potential of texture analysis as a countermeasure to detect a spoofing attack. It has been shown that texture analysis could be used to detect approximately 83% of the spoofing attacks, but in this case would reject approximately 17% of real accesses.
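The evaluation logic behind Figure 5 and the numbers above, as an added example that is not code from the article or from the Idiap/TABULA RASA projects: the verification threshold is fixed on the licit scenario (genuine users versus zero-effort impostors, at the equal error rate), the fraction of spoofing attacks that still pass at that threshold is the system's vulnerability, and a separate liveness score is scored by how many attacks it detects against how many real accesses it rejects. All score lists are constructed for illustration, not REPLAY-ATTACK data.

```python
"""Vulnerability-to-spoofing evaluation in the style of the REPLAY-ATTACK protocol.
Matching scores and liveness scores below are constructed sample values."""

# Constructed matching scores of the face recognition system (higher = better match).
GENUINE_SCORES = [0.80, 0.85, 0.90, 0.75, 0.95, 0.60, 0.88, 0.70, 0.92, 0.40]
IMPOSTOR_SCORES = [0.10, 0.20, 0.30, 0.25, 0.15, 0.35, 0.55, 0.05, 0.45, 0.28]
ATTACK_SCORES = [0.70, 0.82, 0.65, 0.90, 0.50, 0.78, 0.88, 0.30, 0.75, 0.85]

# Constructed liveness (texture analysis) scores: higher = more likely a real face.
REAL_LIVENESS = [0.90, 0.80, 0.70, 0.95, 0.85, 0.60, 0.75, 0.88, 0.30, 0.92]
ATTACK_LIVENESS = [0.20, 0.10, 0.35, 0.45, 0.05, 0.15, 0.60, 0.25, 0.40, 0.30]


def eer_threshold(genuine, impostor):
    """Return (threshold, eer) for the licit scenario: the score threshold where
    the false accept rate (impostors scoring >= threshold) and the false reject
    rate (genuine users scoring < threshold) are closest. Spoofing attacks are
    deliberately excluded here, exactly as in the protocol described above."""
    best = None
    for thr in sorted(set(genuine) | set(impostor)):
        far = sum(s >= thr for s in impostor) / len(impostor)
        frr = sum(s < thr for s in genuine) / len(genuine)
        if best is None or abs(far - frr) < best[2]:
            best = (thr, (far + frr) / 2, abs(far - frr))
    return best[0], best[1]


def spoof_false_accept_rate(attacks, threshold):
    """Vulnerability measure: fraction of spoofing attacks the matcher accepts
    at the threshold chosen on the licit scenario (the '82% pass' figure)."""
    return sum(s >= threshold for s in attacks) / len(attacks)


def countermeasure_rates(real_liveness, attack_liveness, liveness_threshold):
    """Return (attacks_detected, real_rejected) for a liveness threshold: the
    trade-off the article reports as ~83% detected versus ~17% rejected."""
    detected = sum(s < liveness_threshold for s in attack_liveness) / len(attack_liveness)
    rejected = sum(s < liveness_threshold for s in real_liveness) / len(real_liveness)
    return detected, rejected


if __name__ == "__main__":
    thr, eer = eer_threshold(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"licit threshold {thr:.2f} at EER {eer:.0%}")
    print(f"spoof false accept rate: {spoof_false_accept_rate(ATTACK_SCORES, thr):.0%}")
    det, rej = countermeasure_rates(REAL_LIVENESS, ATTACK_LIVENESS, 0.5)
    print(f"liveness check: {det:.0%} attacks detected, {rej:.0%} real accesses rejected")
```

The point of keeping the threshold fixed on the licit scenario is that a system tuned only on genuine users and zero-effort impostors can look excellent on its EER while still accepting most spoofs.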

Obviously, these results are valid only on the REPLAY-ATTACK face spoofing database, and it is not yet known how they would generalize to different face recognition algorithms or different face spoofing attacks. Hence, future work is much needed in spoofing, to understand vulnerabilities better, and in anti-spoofing, to develop better and more generic countermeasures. This will be achieved by sharing knowledge and data to allow replicable research. As a matter of fact, the above mentioned studies [1,2] allow replicable research by using publicly available data and open source code based on the free signal processing and machine learning library BOB [3] (https://www.idiap.ch/software/bob).

The research project TABULA RASA, funded by the European Commission under the Framework Program Seven (FP7), is focused on spoofing. The goal of this project is to research, develop, evaluate and transfer anti-spoofing solutions. TABULA RASA started by analyzing the vulnerabilities of existing systems, and then developed appropriate countermeasures. This is only possible by designing and collecting databases for the analysis of spoofing attacks, which also serve as a basis for establishing the success of countermeasures to these attacks. As a direct outcome of the project, the level of security of existing biometric systems will be increased, and any findings from TABULA RASA will provide input to the standards that are so essential for widespread adoption. http://www.tabularasa-euproject.org

References

[1] A. Anjos and S. Marcel, Counter-measures to photo attacks in face recognition: a public database and a baseline, IEEE IAPR International Joint Conference on Biometrics (IJCB), 2011.

[2] I. Chingovska, A. Anjos, and S. Marcel, On the effectiveness of local binary patterns in face anti-spoofing, IEEE International Conference of the Biometrics Special Interest Group (BIOSIG), 2012.

[3] A. Anjos, L. El Shafey, R. Wallace, M. Günther, C. McCool, and S. Marcel, Bob: a free signal processing and machine learning toolbox for researchers, In ACM Multimedia 2012 International Conference, 2012.

[4] N. M. Duc and B. Q. Minh, Your face is not your password, Black Hat Conference, 2009.

SÉBASTIEN MARCEL

Sébastien Marcel (http://www.idiap.ch/~marcel) received the Ph.D. degree in signal processing from Université de Rennes I in France (2000) at CNET, the research center of France Telecom (now Orange Labs). He is currently interested in pattern recognition and machine learning with a focus on multimodal biometric person recognition. He is a senior research scientist at the Idiap Research Institute (CH), where he leads a research team and conducts research on face recognition, speaker recognition and spoofing attack detection. In 2010, he was appointed Visiting Associate Professor at the University of Cagliari (IT), where he taught a series of lectures in face recognition. He serves on the Program Committee of several scientific journals and international conferences in pattern recognition and computer vision. Sébastien Marcel is the principal investigator of international research projects including MOBIO (EU FP7 Mobile Biometry), TABULA RASA (EU FP7 Trusted Biometrics under Spoofing Attacks) and BEAT (EU FP7 Biometrics Evaluation and Testing).
