Know your dataset and be creative: biometric PAD tips offered in EAB talk
Spoofs and presentation attacks are a threat to any biometric modality, but there are some common approaches to developing algorithms to detect them that can be applied across the industry, Andrew Wise of Integrated Biometrics said in the latest virtual lunch talk from the European Association for Biometrics (EAB).
Wise, the company’s director of quality, introduced IB’s technology, including its Light Emitting Sensor, and how it works. The electrical field that is formed when a finger is placed on the scanner, between it and a bottom electrode layer. This property, it turns out, comes in handy for detection of biometric presentation attacks, he says.
He went on to discuss two categories of fingerprint presentation attacks; those with non-conductive materials, which tend to be easier to find and produce fakes with, but not so effective, and those with conductive materials, which are opposite in the above respects. IB has encountered 10 common species of fingerprint biometric spoof materials, half in each category.
Systems performing presentation attack detection also need to be able detect cadavers, Wise points out.
PAD systems tend to be based on either the artifact principle, the color inversion principle, or the conductivity principle, Wise says, though within them there are numerous different approaches. The artifact principle states that copies always inherently contain a characteristic which can give them away, such as the fidelity characteristics that separate a VHS recording to a television show from its original broadcast. The color inversion principle refers to the use of a color highly reflective to the original source, and the conductivity principle is Integrated Biometrics’ specialty.
AI image processing is often used in the fingerprint industry to search for artifacts, according to Wise, but other options include multi-spectral imaging, sub-dermal ridge sensing, and heartbeat sensing. Some of these can themselves be spoofed, and the methods range in practicality.
IB’s presentation attack detection
A video presented shows the effectiveness of IB’s Five-O FAP50 scanner at dealing with various spoofing materials.
“We had to learn the hard way, just about every way not to build one of these systems,” Wise admits.
Observations from that process include that AI models are only as good as the datasets they are trained on. Wise recommends first-hand human inspection of over a hundred thousand images to ensure the dataset’s quality.
He showed some of the mistakes that IB made on the way to developing its current biometric PAD technology.
Another recommendation is to retain historical samples, particularly with chip shortages causing hardware component changes.
Develop relationships with biometric collection services, Wise advises, including dedicated companies, universities and competitions. IB has a large collection of cadaver fingerprints among its reference data.
Perfect, Wise notes can be “the enemy of good enough,” with diminishing returns for near-perfect results. On this same theme, he says that proprietary fingerprint templates, while attractive from a security standpoint, have practical performance trade-offs in the field which outweigh the benefits. In a similar vein, customers do not test PAD systems the same way as academics do, and companies would do well to adopt the kinds of tests their products will be evaluated for purchase based on.
Any PAD system improvements prompt attackers to target a different area of the system, Wise observes, showing a packet analysis of a man-in-the-middle attack on one of Integrated Biometrics’ Kojak scanners. He emphasizes the need for encryption and secure delivery of all software – meaning not through regular email.
“When you start doing PAD right, expect attacks elsewhere,” he warns in another of his dozen tips.
Security, he says, is a matter of attrition, rather than perfection.
The way to ward off a sufficient number of attackers to stay ahead of the cost-benefit curve is with creative thinking and a willingness to experiment.
“Get to know your customers, get to know what their concerns are, and then you build all of the spoofs that they care about into some sort of a standard battery which you’re then using in your testing,” Wise advises.
Doing so has also benefited IB’s business processes, as methods for PAD testing have helped make product validation more efficient.