1
Thwarting Attacks
Dr. Pushkin Kachroo
2
Introduction
Biometrics can help convenience and security
Might remove or strengthen some weak points, but get new ones too
3
Pattern Recognition
Pattern Recognition: Stages A, B, C, D
Enrollment: E, F
[Diagram of the system: Input Device/Sensor, Template Extractor, Matcher, Application, Enrollment, Template Database; attack points 1 to 11 are marked on the diagram]
4
Attacking Biometric Identifiers
Mimicking another person
Distorting one's own appearance
Changing data stored in the system
5
Threat 1: CA (Coercive Attack)
True biometric is presented in an unauthorized way, e.g. under duress, a genuine person forced by an intruder. Detection could use stress analysis of the user, video monitoring, etc.
Could involve physical removal of the biometric from the real owner. Detection could use "liveness" detection, e.g. temperature, electrical activity, eye movement, etc.
6
Threat 1: IA (Impersonation Attack)
The attacker changes her/his own biometric (face, voice, etc.)
–Positive: imitate someone else's voice
–Negative: surgically remove one's own fingerprints
Use multiple biometrics
7
Threat 1: RA (Replay Attack)
Recording of true data is presented to the sensor
–e.g. recorded speech; can be detected by changing the text
–Photograph for face recognition; detect by asking for changing expressions, angle, etc.
8
Front End Attacks
Threat 2: Channel between sensor and biometric system, i.e. introduce a signal (digital/analog) past the sensor system.
Threat 3: The feature extractor can be attacked so that it produces a pre-selected feature at some given time, or under some specific condition.
Threat 4: Communication channel between feature extractor and matcher; e.g. send minutiae to a remote matcher.
Threat 5: Matcher is attacked directly to produce a favorable score.
9
Circumvention
Threat 6: Overriding the output of the matcher
–Collusion: where a super-user has the ability to overrule the system results
10
Back End Attacks
Threat 7: Change the representation between the database and the matcher.
Threat 8: Enrollment has similarities to authentication, hence similar attacks as 1 to 6.
Threat 9: Between enrollment and database.
Threat 10: Attack on the database itself.
Threat 11: Bugs in the application itself.
11
Other Attacks
Password attacks (intrinsic error rate or bit strength of a password/biometric), generally at points 2 and 4, but other places too.
Hill Climbing Attack: repeated submissions, using error metrics and gradients.
Swamping Attack: brute force attack, e.g. using hundreds of minutiae.
Piggy-back Attack: gain access simultaneously with a legitimate user.
Illegitimate Enrollment.
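The hill-climbing and swamping attacks on this slide both exploit what the matcher gives back: a score that can be climbed, or a score that a flood of minutiae can inflate. The following added example (not from the slides; matcher, limits and minutiae data are constructed for illustration) shows a matcher front that returns only accept/reject, locks an identity after a small failure budget, caps the number of minutiae in a probe, and normalises the score by the larger point set so extra probe points cannot raise it.

```python
"""Added defensive example, not from the slides: a matcher front that blunts the
hill-climbing and swamping attacks listed above.  It (a) never returns a score,
only accept/reject, so repeated submissions yield no gradient to climb; (b)
counts failures per identity and locks the identity after a small budget; and
(c) rejects probes with implausibly many minutiae and divides the score by the
larger of the two point counts, so flooding the matcher with points lowers,
never raises, the score.  Minutiae are constructed (x, y) points; the limits
below are assumptions for the example."""
import math
from collections import defaultdict

MAX_MINUTIAE = 80     # assumed upper bound on points in a plausible fingerprint probe
MAX_FAILURES = 5      # assumed failed-attempt budget per identity before lockout
TOLERANCE = 3.0       # max distance for two minutiae to count as the same point
THRESHOLD = 0.6       # fraction of points that must pair up for an accept


def similarity(probe, template) -> float:
    """Greedy one-to-one pairing of template points with nearby probe points."""
    unused = list(probe)
    paired = 0
    for tx, ty in template:
        for i, (px, py) in enumerate(unused):
            if math.hypot(tx - px, ty - py) <= TOLERANCE:
                paired += 1
                del unused[i]        # each probe point can pair at most once
                break
    # Normalising by the larger set size is the anti-swamping step.
    return paired / max(len(probe), len(template), 1)


class GuardedMatcher:
    def __init__(self):
        self.templates = {}                 # user -> enrolled minutiae
        self.failures = defaultdict(int)    # user -> consecutive failed attempts

    def enroll(self, user, minutiae):
        self.templates[user] = list(minutiae)

    def verify(self, user, probe) -> str:
        """Return only 'accept', 'reject' or 'locked'; the raw score never leaves."""
        if self.failures[user] >= MAX_FAILURES:
            return "locked"
        decision = "reject"
        if user in self.templates and len(probe) <= MAX_MINUTIAE:
            if similarity(probe, self.templates[user]) >= THRESHOLD:
                decision = "accept"
        if decision == "accept":
            self.failures[user] = 0
        else:
            self.failures[user] += 1        # oversized probes burn budget too
        return decision


def demo() -> dict:
    """Constructed scenario: genuine capture, a 400-point swamping probe,
    four impostor attempts, then the genuine finger against a locked identity."""
    m = GuardedMatcher()
    template = [(10, 10), (20, 15), (30, 40), (45, 50), (60, 20), (70, 70)]
    genuine = [(11, 10), (20, 16), (29, 40), (45, 51), (61, 20), (70, 69)]
    impostor = [(5, 60), (50, 5), (25, 25), (65, 45)]
    swamp = [(x, y) for x in range(0, 100, 5) for y in range(0, 100, 5)]
    m.enroll("alice", template)
    return {
        "genuine": m.verify("alice", genuine),
        "swamp": m.verify("alice", swamp),
        "impostor": [m.verify("alice", impostor) for _ in range(4)],
        "after_lockout": m.verify("alice", genuine),
        # Even without the size cap, the grid pairs all 6 template points
        # but scores only 6/400 because of the normalisation.
        "swamp_score": similarity(swamp, template),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:14} -> {outcome}")
```

The lockout and the boolean output are the two controls that matter most against hill climbing: with no score and a handful of attempts per identity, an attacker gets neither a gradient nor the volume of submissions needed to follow one.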
12
Smartcard with Biometric
Smart cards with stored biometric of the user
–Good for privacy
–Distributed database
Even if the card is lost, it is safe because both the card and the actual biometric are needed.
Data is protected on the card using hardware/software encryption.
13
Challenge and Response
Dynamic protocol where the user is challenged to produce different responses
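A challenge-response protocol also protects the digital path inside the system, not just the sensor: the replay threat (a recording presented again) and the front-end channel threats 2 and 4 (a signal or minutiae injected past the sensor or extractor) are all defeated if the matcher only accepts feature messages bound to a challenge it issued moments ago and authenticated with a key the injector does not hold. The following added example (not from the slides; the key, names, feature vectors and the distance threshold are constructed for illustration) implements that binding with a one-shot nonce and an HMAC, and walks through a genuine capture, a replay, an injected message without the key, a message tampered after the MAC was computed, a stale message and an impostor.

```python
"""Added defensive example, not from the slides: binding the feature message that
travels from the feature extractor to the matcher (attack point 4 in the deck's
model) to a fresh, matcher-issued challenge and an HMAC.  Injected features (no
key), tampered features (MAC no longer verifies), replayed messages (the one-shot
challenge is gone) and stale messages (challenge expired) are rejected before any
matching happens.  Key, names and feature vectors are constructed."""
import hashlib
import hmac
import json
import math
import os


def canonical(body: dict) -> bytes:
    # Deterministic encoding so both ends MAC exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def extractor_message(key: bytes, user: str, features: list, nonce: bytes) -> dict:
    """Feature-extractor side: package features with the challenge and a MAC."""
    body = {"user": user, "nonce": nonce.hex(), "features": features}
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": mac}


class Matcher:
    def __init__(self, key: bytes, ttl: float = 30.0, threshold: float = 0.15):
        self.key = key
        self.ttl = ttl                  # seconds a challenge stays valid
        self.threshold = threshold      # max Euclidean distance to accept (assumed)
        self.open_challenges = {}       # nonce -> time issued
        self.templates = {}             # user -> enrolled feature vector

    def enroll(self, user: str, features: list) -> None:
        self.templates[user] = list(features)

    def issue_challenge(self, now: float) -> bytes:
        nonce = os.urandom(16)
        self.open_challenges[nonce] = now
        return nonce

    def verify(self, msg: dict, now: float) -> str:
        # 1. The challenge must be open.  Popping it makes every challenge
        #    one-shot, so a replayed message finds nothing to bind to.
        issued = self.open_challenges.pop(bytes.fromhex(msg["nonce"]), None)
        if issued is None:
            return "reject: unknown or already used challenge"
        if now - issued > self.ttl:
            return "reject: challenge expired"
        # 2. MAC over the canonical body, constant-time comparison.
        body = {k: msg[k] for k in ("user", "nonce", "features")}
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return "reject: bad MAC"
        # 3. Only an authenticated, fresh message reaches the matcher proper.
        template = self.templates.get(msg["user"])
        if template is None:
            return "reject: not enrolled"
        dist = math.dist(template, msg["features"])
        return "accept" if dist <= self.threshold else "reject: no match"


def demo() -> dict:
    """Constructed walk-through of the cases the text describes."""
    key = b"constructed-shared-key-for-example"
    m = Matcher(key)
    m.enroll("alice", [0.10, 0.42, 0.77, 0.31])
    genuine = [0.11, 0.40, 0.78, 0.30]       # same trait, slightly different capture
    other = [0.9, 0.1, 0.2, 0.8]             # a different person's features
    results = {}

    n = m.issue_challenge(now=0.0)
    good = extractor_message(key, "alice", genuine, n)
    results["genuine"] = m.verify(good, now=1.0)
    results["replay"] = m.verify(good, now=2.0)          # same message again

    n = m.issue_challenge(now=3.0)
    forged = {"user": "alice", "nonce": n.hex(), "features": genuine, "mac": "00" * 32}
    results["injected_no_key"] = m.verify(forged, now=4.0)

    n = m.issue_challenge(now=5.0)
    tampered = extractor_message(key, "alice", other, n)
    tampered["features"] = genuine                       # swapped after the MAC
    results["tampered"] = m.verify(tampered, now=6.0)

    n = m.issue_challenge(now=10.0)
    stale = extractor_message(key, "alice", genuine, n)
    results["stale"] = m.verify(stale, now=50.0)         # 40 s later, ttl is 30 s

    n = m.issue_challenge(now=60.0)
    impostor = extractor_message(key, "alice", other, n)
    results["impostor"] = m.verify(impostor, now=61.0)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16} -> {outcome}")
```

The order of the checks is deliberate: freshness and authenticity are verified before any template is touched, so an unauthenticated sender cannot even trigger the matcher, let alone learn anything from its answer.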
14
Cancelable Biometrics
Use morphing or a non-invertible transformation of the data, e.g. for fingerprints, iris patterns, etc.
–Differs from image compression because in cancelable biometrics much of the local geometry is retained.
–Different from encryption, because non-invertible.
–Also, legacy systems can deal with cancelable biometrics.
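One concrete non-invertible transform with the properties listed above is a key-specific random projection followed by binarisation: mapping more features to fewer sign bits is many-to-one, so the template cannot be inverted back to the trait (unlike encryption); random projection approximately preserves distances, so two captures of the same trait stay close (the "local geometry retained" point); and deriving the projection from a key means that re-issuing with a new key cancels the old template. The following added example (not from the slides; feature vectors, keys, dimensions and the Hamming threshold are constructed for illustration) shows all three properties on constructed data.

```python
"""Added example, not from the slides: a cancelable biometric template built from
a key-specific random projection followed by binarisation.  128 constructed
features become 64 sign bits (many-to-one, so not invertible); nearby captures
of the same trait give nearby bit strings; a new key gives an unrelated template.
Feature vectors, keys and the threshold are constructed for this example."""
import hashlib
import random

N_FEATURES = 128
N_BITS = 64               # fewer outputs than inputs: information is discarded
MATCH_THRESHOLD = 16      # max Hamming distance to accept (assumed operating point)


def projection_matrix(key: bytes):
    """Gaussian random projection seeded from the key.  Regenerating it with a
    fresh key is the cancel-and-reissue step."""
    seed = int.from_bytes(hashlib.sha256(key).digest()[:8], "big")
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(N_FEATURES)] for _ in range(N_BITS)]


def cancelable_template(features, key: bytes) -> int:
    """Project, then keep only the sign of each projection as one bit."""
    bits = 0
    for row in projection_matrix(key):
        dot = sum(r * f for r, f in zip(row, features))
        bits = (bits << 1) | (1 if dot >= 0.0 else 0)
    return bits


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def matches(stored: int, presented: int) -> bool:
    return hamming(stored, presented) <= MATCH_THRESHOLD


def demo() -> dict:
    """Constructed data: 'alice' enrolled under key v1, a noisy re-capture of
    alice, an unrelated 'mallory', and alice re-issued under key v2."""
    alice = [random.Random(1).gauss(0.0, 1.0) for _ in range(N_FEATURES)]
    noise = random.Random(2)
    alice_again = [f + noise.gauss(0.0, 0.1) for f in alice]   # small sensor noise
    other = random.Random(3)
    mallory = [other.gauss(0.0, 1.0) for _ in range(N_FEATURES)]

    key_v1, key_v2 = b"app-key-v1", b"app-key-v2"
    enrolled = cancelable_template(alice, key_v1)
    return {
        # same trait, same key: few bits flip
        "genuine": hamming(enrolled, cancelable_template(alice_again, key_v1)),
        # different trait, same key: about half the bits differ
        "impostor": hamming(enrolled, cancelable_template(mallory, key_v1)),
        # same trait, new key: the cancelled template no longer matches
        "old_vs_rekeyed": hamming(enrolled, cancelable_template(alice, key_v2)),
        # re-enrolment under the new key works as before
        "reenrolled": hamming(cancelable_template(alice, key_v2),
                              cancelable_template(alice_again, key_v2)),
    }


if __name__ == "__main__":
    for case, dist in demo().items():
        print(f"{case:15} Hamming distance {dist:2d}  match={dist <= MATCH_THRESHOLD}")
```

Note the bug in the first line of `demo` is intentional only in appearance: `random.Random(1)` is created once per list comprehension, so the 128 values come from one seeded stream. Because every figure is derived from fixed seeds, the distances are reproducible, but they are statistical quantities, which is why the expectations below are bounds rather than exact values.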