Biometric Authentication Revisited: Understanding the Impact of Wolves in Sheep’s Clothing
Lucas Ballard, Fabian Monrose, Daniel Lopresti
Presented by: Anuj Sawani
Biometrics
• What is it?
  – Identifying or verifying a person based on
    • Physiological characteristics
    • Behavioral characteristics
  – Examples?
• Biometric authentication vs. identification
  – “Am I who I claim to be?”
  – “Who am I?”
• Better than passwords?
Handwriting as a biometric
• Offline
  – 2-D bitmap
• Online
  – Real-time data
• Signatures as a biometric?
• Pipeline: feature extraction → hash/key
So, what’s with the menagerie?
• Sheep – easily accepted by the system
• Goats – exceptionally unsuccessful at being accepted
• Lambs – exceptionally vulnerable to imitations
• Wolves – exceptionally successful at imitations
The Threat Model
• Exploiting poorly protected template databases
• Eavesdropping on communication between the sensor and the system
• Presenting artificially created samples to the sensor
A neat idea – the concatenation attack
• Samples of the user’s handwriting from other contexts
• General samples of the same style of writing
• Feature analysis …
• Generate the user’s handwriting synthetically!
Performance Statistics
• Equal Error Rate (EER)
• False Accept Rate (FAR)
• False Reject Rate (FRR)
Forgery styles
• Naïve – use other users’ writing as it was naturally rendered to forge the passphrase
• Naïve* – similar to Naïve, but uses similar writing styles
• Static – forgery using an image of the passphrase
• Dynamic – real-time rendering of the passphrase
Grooming the sheep into wolves
• 11,038 handwriting samples
• Incentives awarded to consistent writers, “dedicated forgers”
• Three rounds
  1. Collect the samples
  2. Static and dynamic forging
  3. Selected “trained” forgers
Handwriting features
• How difficult is the feature to forge?
• Signals – t, x(t), y(t), p(t)
• For every feature f
  – r_f – how often f is missed by legitimate users
  – a_f – how often f is missed by forgers
• Quality metric – Q = (a_f - r_f + 1)/2
  – Q = 0 – never reliably reproduced by legitimate users
  – Q = 1 – never reproduced by forgers
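The quality metric above, as an added worked example (not code from the paper or the slides): it scores constructed per-feature data for one enrolled user and ranks the features a system designer should keep. The tolerance bands, feature names and sample values are assumptions made for the illustration.

```python
# Constructed example data (not from the paper). For each feature: the user's
# enrolled template value, a tolerance band, values observed in later
# legitimate samples, and values observed in forgery attempts. A sample
# "misses" the feature when it falls outside template +/- tolerance.
FEATURES = {
    "median_gap": {
        "template": 10.0, "tol": 2.0,
        "legit": [9.5, 10.4, 11.0, 8.9, 10.2],
        "forged": [13.0, 7.5, 12.5, 10.1, 14.0],
    },
    "pen_up_velocity": {
        "template": 50.0, "tol": 10.0,
        "legit": [45.0, 62.0, 55.0, 38.0, 50.0],
        "forged": [70.0, 30.0, 65.0, 52.0, 48.0],
    },
    "stroke_count": {  # forgers copy this more reliably than the user does
        "template": 5, "tol": 0,
        "legit": [5, 6, 5, 4, 5],
        "forged": [5, 5, 5, 5, 6],
    },
}


def miss_rate(template, tol, samples):
    """Fraction of samples whose value lies outside the tolerance band."""
    if not samples:
        raise ValueError("need at least one sample to estimate a miss rate")
    misses = sum(1 for v in samples if abs(v - template) > tol)
    return misses / len(samples)


def quality(template, tol, legit, forged):
    """Q = (a_f - r_f + 1) / 2, with r_f = legitimate miss rate, a_f = forger miss rate."""
    r_f = miss_rate(template, tol, legit)
    a_f = miss_rate(template, tol, forged)
    return (a_f - r_f + 1) / 2


def rank_features(features, min_q):
    """Return (name, Q) pairs with Q >= min_q, best (hardest to forge) first."""
    scored = [(name, quality(**spec)) for name, spec in features.items()]
    return sorted(((n, q) for n, q in scored if q >= min_q),
                  key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, q in rank_features(FEATURES, min_q=0.0):
        print(f"{name:16s} Q = {q:.2f}")
```

A feature with Q below 0.5 is one that forgers reproduce more reliably than the legitimate user, so it adds nothing to the authenticator's resistance to wolves.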
The winning features
• The probability that the i-th stroke of c_1 connects to c_2
• Median gap between adjacent characters
• Median time between the end of c_1 and the beginning of c_2
• Pen-up velocity
• A total of 36 good features out of 144
Algorithm to generate a known passphrase
• Select n-grams from different contexts such that
  – g_1 || g_2 || … || g_k = passphrase
• Normalize t, x(t) and y(t) – match baselines
• Spatial adjustment of x(t)
  – Use the median gap feature
• Fabricate p(t)
  – Use the probability-of-connection feature
  – Delayed strokes pushed onto a stack
    • Executed after each pen-up
• Add time delays
  – Use the median time feature
  – Use pen-up velocity and the distance between strokes
The system at work…
• Used a small sample set of 15 samples of the user’s writing
  – Each character from the passphrase exists in the set
  – Does not include the passphrase
• Also used 15 samples of a similar writing style
• The algorithm caused an EER of 27.4%
  – Forgers caused an EER of 20.6%
• n-gram length < 2
• Used 6.67 of the samples on average
Conclusion
• Handwriting as a reliable biometric?
  – Refutable
• The adversary has been under-estimated until now
• The generative approach produces better forgeries than trained humans
Take away
Watch out for the next generation of wolves!