Biometrics & Biostatistics

Biometric system is vulnerable to a variety of attacks aimed at undermining the integrity of the authentication process. More importantly template security is of vital importance in the biometric systems because unlike passwords, stolen biometric templates cannot be revoked. In this paper we describe the various threats that can be encountered by a biometric system. We specifically focus on attacks designed to elicit information about the original biometric data of an individual from the stored template. A few algorithms presented in the literature are discussed in this regard. We also examine techniques that can be used to deter or detect these attacks. Furthermore, we provide experimental results pertaining to a biometric system combining biometrics with cryptography, that converts dorsal hand vein templates into novel cryptographic structure called fuzzy vault. Initially, the pre-processing steps are applied to dorsal hand vein images for enhancement, smoothing and compression. Subsequently, thinning and binary encoding techniques are employed and then feature extracted. Then the biometric template and the input key are used to generate the fuzzy vault. For decoding, biometric template from dorsal hand vein image is constructed and it is combined with the stored fuzzy vault to generate the final key. The experimentation was conducted using dorsal hand vein databases and the FNMR and FMR values are calculated with and without noise.


Introduction
Personal identity refers to a group of attributes that are linked with an individual such as name, social security number etc. Trustworthy identity management machinery is at once required to battle the scourge expansion in identity theft and to have the improved security need in a diversity of utilizations varying from international border crossing to having personal information [1]. Substitute representations of identity such as passwords and ID cards can be effortlessly mislaid, shared or stolen. Passwords can also be simply guessed using social engineering [2] and dictionary attacks [3] and gives very little security. Biometric authentication, or rather biometrics, gives a likely and consistent answer to the quandary of identity revelation by making use of the identity of a person [4]. Biometric systems by design find out or confirm a person's identity based on his anatomical and behavioral features such as fingerprint, face, iris, voice and gait and these traits cannot be easily lost or forgotten or shared or forged. Since biometric systems need the user to be in attendance at the time of authentication, it can also daunt users from making false denial claims [5]. A typical biometric system comprises of several modules. The sensor module acquires the raw biometric data of an individual in the form of an image, video, audio or some other signal. The feature extraction module operates on the biometric signal and extracts a salient set of features to represent the signal; during user enrolment the extracted feature set, labeled with the user's identity, is stored in the biometric system and is known as a template. The matching module compares the feature set extracted during authentication with the enrolled template(s) and generates match scores. The decision module processes these match scores in order to either determine or verify the identity of an individual [6]. Thus, a biometric system may be viewed as a pattern recognition system whose function is to classify a biometric signal into one of several identities (viz., identification) or into one of two classes -genuine and impostor users (viz., verification) [6]. While a biometric system can enhance user convenience and bolster security, it is also susceptible to various types of threats as discussed below [7,8].

Circumvention:
An intruder may gain access to the system protected by biometrics and peruse sensitive data such as medical records pertaining to a legitimately enrolled user. Besides violating the privacy of the enrolled user, the impostor can also modify sensitive data.

Repudiation:
A legitimate user may access the facilities offered by an application and then claim that an intruder had circumvented the system. A bank clerk, for example, may modify the financial records of a customer and then deny responsibility by claiming that an intruder could have possibly stolen her biometric data.

Covert acquisition:
An intruder may surreptitiously obtain the raw biometric data of a user to access the system. For example, the latent fingerprints of a user may be lifted from an object by an intruder and later used to construct a digital or physical artifact of that user's finger.

Collusion:
An individual with wide super user privileges (such as an administrator) may deliberately modify system parameters to permit incursions by an intruder.

Coercion:
An impostor may force a legitimate user (e.g., at gunpoint) to grant him access to the system.

Denial of Service (DoS):
An attacker may overwhelm the system resources to the point where legitimate users desiring access will be refused service. For example, a server that processes access requests can be flooded with a large number of bogus requests, thereby overloading its computational resources and preventing valid requests from being processed.
Ratha et al. [9] identified several different levels of attacks that can be launched against a biometric system ( Figure 1): (i) a fake biometric trait such as an artificial finger may be presented at the sensor, (ii) illegally intercepted data may be resubmitted to the system, (iii) the feature extractor may be replaced by a Trojan horse program that produces predetermined feature sets, (iv) legitimate feature sets may be replaced with synthetic feature sets, (v) the matcher may be replaced by a Trojan horse program that always outputs high scores thereby defying system security, (vi) the templates stored in the database may be modified or removed, or new templates may be introduced in the database, (vii) the data in the communication channel between various modules of the system may be altered, and (viii) the final decision output by the biometric system may be overridden.
The UK Biometric Working Group (UK-BWG) lists several factors that can affect the integrity of the template [10]: (i) accidental template corruption due to a system malfunction such as a hardware failure, (ii) deliberate alteration of an enrolled template by an attacker, and (iii) substitution of a valid template with a bogus template for the purpose of deterring system functionality.
In this paper, we discuss the second factor given above i.e. how deliberate alterations of an enrolled template by an attacker can be prevented?

Need for Template Protection
A template is essentially a compact representation (a set of invariant features) of the biometric sample that is stored in system database. If the security of stored templates is compromised, the attacker can fabricate physical spoof samples to gain unauthorized access. Such efforts have been detailed in [11], [12] and [13]. The stolen templates can also be abused for other unintended purposes, e.g. performing unauthorized credit-card transactions or accessing health related records. Figure  2(c) shows an example of a reconstructed fingerprint image from its minutiae representation (b), which is typically employed for fingerprint templates.
One of the most vital harmful attacks on a biometric system happens when it is against the biometric templates. Attacks on the templates can direct to grave vulnerabilities where a template can be replaced by an impostor's template to achieve unlawful access, or a physical spoof can be fashioned from the template [14,15] to achieve unauthorized access to the system, or the stolen template can be replayed to the matcher to have unauthorized access. Hence, biometric templates should not be stored in plaintext form and fool-proof methodologies are essentially needed to securely store the templates such that both the safety of the application and the users' solitude are not compromised by adversary attacks.

Why Dorsal Hand Vein Pattern?
Hand veins: The pattern of blood vessels hidden underneath the skin is quite distinct in individuals, even among identical twins and stable over long period of time. The primary function of veins is to carry blood from one part of the body to another and therefore vascular pattern is spread throughout the body. The veins that are present in hands, i.e. palm, finger and palm dorsal surface, are easy to acquire (using near infrared illumination) and have been employed for the biometric identification [16]. In this paper we have examined using the dorsal hand vein pattern. The vein patterns are generally stable for adults (age of 20-50 years). The reason for choosing vein recognition in this paper can be well understood from the table 1 given below.
There is no known large scale vascular biometric system. This could be primarily due to concerns about the system cost and lack of large scale studies on vein individuality and stability [17]. On the plus side, these vascular systems are touchless which often appeals to the user [17] and another important it cannot be spoofed easily as that of a fingerprint or palm print or any other traits and also it detects the liveness of the person being authenticated or identified which is very essential for today's world.

Related Works
Several methods that have been suggested in the literature to protect biometric templates some of them have been discussed below. In order to prevent the Hill-Climbing Attack from successfully    converging, Soutar [18] has suggested the use of coarsely quantized match scores by the matcher. However, Adler [11] demonstrated that it is still possible to estimate the unknown enrolled image although the number of iterations required to converge is significantly higher.
Yeung and Pankanti [19] describes an invisible fragile watermarking technique to detect regions in a fingerprint image that have been tampered by an attacker. In this scheme, a chaotic mixing procedure is employed to transform a visually perceptible watermark to a randomlooking textured image in order to make it resilient against attacks. This "mixed" image is then embedded in a fingerprint image. The authors show that the presence of the watermark does not affect the feature extraction process. The use of a watermark also imparts copyright capability by identifying the origin of the raw fingerprint image.
Jain and Uludag [20] suggest the use of steganography principles to hide biometric data (e.g., fingerprint minutiae) in host images (e.g., faces). This is particularly useful in distributed systems where the raw biometric data may have to be transmitted over a non-secure communication channel. Embedding biometric data in an innocuous host image prevents an attacker from accessing sensitive template information. The authors also have discussed a novel application wherein the facial features of a user (i.e., eigen-coefficients) are embedded in a host fingerprint image (of the user). In this scenario, the watermarked fingerprint image of a person may be stored in a smart card issued to that person. At an access control site, the fingerprint of the person possessing the card will first be compared with the fingerprint present in the smart card. The eigen-coefficients hidden in the fingerprint image can then be used to reconstruct the user's face thereby serving as a second source of authentication. But this system needs the person to carry a smart card with him during authentication.
Ferri et al. [21] propose an algorithm to embed dynamic signature features into face images present on ID cards. These features are transformed into a binary stream after compression (used in order to decrease the amount of payload data). A computer generated hologram converts this stream into the data that is finally embedded in the bluechannel of a face image. During verification, the signature features hidden in the face image are recovered and com-pared against the signature obtained online. Ferri et al. [21] report that any modification of the face image can be detected, thereby disallowing the use of fake ID cards.
Since the biometric trait of a person cannot be easily replaced (unlike passwords and PINs), a compromised template would mean the loss of a user's identity. Ratha et al. [22] propose the use of distortion functions to generate biometric data that can be canceled if necessary. They use a non-invertible transformation function that distorts the input biometric signal (e.g., face image) prior to feature extraction or, alternately, modifies the extracted feature set (e.g., minutiae points) itself. When a stored template is compromised, then the current transformation function is replaced with a new function thereby "canceling" the current (compromised) template and generating a new one. This also permits the use of the same biometric trait in several different applications by merely adopting an application specific transformation function. But matching is not clearly defined in the transformed domain.
In the dominion of template transformation, the so called biometric cryptosystems are in advance popularity. These systems combine biometrics and cryptography at a level that allows biometric matching to effectively take place in the cryptographic domain, hence exploiting the associated higher security. For example, Uludag et al. [23] convert fingerprint templates (minutiae data) into point lists in 2D space, which implicitly hide a given secret (e.g., a 128-bit key). The list does not reveal the template data, since it is augmented with chaff points to increase security. The template data is identified only when matching minutiae data from an input fingerprint is available (    time when the image is taken where as in touchless; the direct contact is not there. In this mode the hand is kept at a distance when the image is taken.
The input dorsal hand vein images are pre-processed and subsequently, thinning and binarization techniques are employed and features are extracted. The extracted features from the dorsal hand vein form the biometric template. The biometric template and the input key that is generated using an algorithm are used to create the fuzzy vault. For decoding, the biometric template from dorsal hand vein images will be constructed and it is combined with the stored fuzzy vault to generate the final key. Figure 3 shows the block diagram of the proposed technique [24].

Initial preprocessing
All the input images are initially preprocessed to enhance the quality. The preprocessing consists of the following operations listed as follows

Feature extraction
After the initial preprocessing, feature is extracted from the images of hand vein. Here for every person, four images are given as input and for all images initial process is carried out. The common unique coordinates (points) to all the four figures are found out and random points are selected for an individual.

Fuzzy vault generation
The secret key along with the concatenated feature vector give rise to the fuzzy vault which provide template security. Points corresponding to the secret key are plotted along with feature vector points to yield the fuzzy vault. Number of points for the secret number will be the number of bits in the secret number. Here the points corresponding to the secret key are made by having x co-ordinate value of the secret number bit and y co-ordinate value of the prime number which comes next to the secret number bit.
The feature vector of the th i individual is given by 1

Decoding module
The hand vein image of an individual is compared with the database fuzzy vault which in turn generates the secret key if matched. Here the images are initially processed and feature extracted. This feature vector is compared to the fuzzy vault database in order to generate the secret key (Table 3).
Let the feature vector of the images be represented by E which is compared to the database b D having the fuzzy vaults 1 2 , ,..., K Fv Fv Fv .
If it is such that all the points of the test image feature vector match with the vault, the corresponding images are said to be matched and x coordinate of the remaining three points in the vault will give the secret key. Hence the secret key is successfully and securely retrieved from the fuzzy vault and the hand vein template is secured from attackers.

Dataset description
Hand vein: Hand vein dataset [15] sample consists of images of 100 hands where each hand has 5 images, hence totaling to 500 images. Each has 5 images per person per each hand and hence it is associated to 50 distinct person for left and right hands of which the first 50 are for the right hands, the last 50 are for the left hand of the same person hand. So 1 in first set is RH HV and 51 is left hand to same person 1 in RH. This dataset is for both females and males in the range of 16-65 years age. Subjects are of healthy conditions and are from all folks of life including students, professors, engineers workers, house wives, etc.

Experimental results
In this section, we have given the images at different levels of execution of our proposed technique. The input image is shown by Figure 4 which is filtered to obtain the filtered hand vein image and is shown in Figure 5. The morphological image is shown in Figure 6 and the extracted hand vein image is shown in Figure 7.

Performance analysis
In this section, we analyze the performance of the proposed technique by finding out the evaluation metrics which consists of values of FNMR and FMR. Here the analysis is carried out in two phases and in the initial phase, the secret key size is varied and in phase two, we consider the noise effects ( Figure 8).

Effect of various key sizes
In this phase the secret key length is varied and corresponding evaluation metric values are found out. The key word size is varied in powers of two ( Figure 9).

Effect of noise
In this phase, we consider the dataset under noise conditions. Here also we calculate the evaluation metrics for varying key size ( Figure  10,11).

Conclusion
The proposed technique aims to improve the template security by the use of fuzzy vault. The inputs are the hand vein which is initially processed in order to smoothen the image and make it fit for feature extraction. Subsequently feature extraction is carried to have the feature vector. The feature vector along with the key forms the fuzzy vault which is stored in the database. In the testing phase, the features of the test image are extracted and compared to the vault in the database. If all the points in the test image feature match, then the secret key is released which is found out from the points which remain unmatched in the respective vault.