
Biometric Study Guide Chapter 6-11

1. What are three dimensions for dynamic analysis of signatures? (CH6)
Position, Pressure and Time.

2. What standard security layer does Keystroke Dynamics work with directly?
Password Authentication - To measure how you typed your password in.

3. Define Biometric Liveness testing. (CH8)
Tests used to determine if samples came from an authentic live human being.

4. What are problems with Liveness Testing? (Page 147-148)

  • Open disclosure of Biometric countermeasures because of the security risk associated with that disclosure.
  • User Inconvenience
  • Increased Time-to-Acquire
  • Increases in False Rejection Rate (FRR)
  • Increases in Costs

5. List and define the three categories of Liveness testing. (Page 143-144) Give some examples of each.

  • Category 1 - Intrinsic Properties of a living body.
      • Physical/Mechanical - Weight, Density, Elasticity
      • Electrical - Capacitance, Resistance, Impedance, Dielectric Constant
      • Visual - Color, Capacity, Appearance and Shape of Features
      • Spectral - Reflectance, Absorbance, Transmittance, Fluorescence
      • Body Fluid - Oxygen, Blood Constituents, DNA

  • Category 2 - Involuntary signals generated by a living body.
      • Pulse
      • Blood Pressure
      • Heat
      • Thermal Gradients
      • Corpuscular Blood Flow
      • Skin Exudation (Shedding of Dead Skin Cells)
      • Transpiration of gases
      • Body Odor
      • Perspiration
      • Electrical Signals generated by the heart (ECG or EKG)
      • Brain Wave Signals (EEG)

  • Category 3 - To Measure a Bodily Response to Stimulus. Using an image to try to generate a response.
      • Voluntary - (Behavioral)
          • Tactile - Respond to feeling something
          • Visual - Respond to seeing something
          • Auditory - Respond to hearing something
      • Involuntary - (Reflexive)
          • Electromyography (EMG)
          • Pupil Dilation
          • Reflex of a knee when struck

6. Although imperfect, what practice should you recommend to thwart most Biometric Liveness spoofing attempts? (Page 148-149)
Supervising Biometric stations and combining biometrics with other authentication technologies.

7. In consideration of implementing a large-scale biometric system, what is the first question which must be answered? (CH9)
The first question that is typically asked in any large-scale biometric systems procurement is 'Which Biometric?' Before the question is addressed, you must define your need for a biometric. What is its purpose and how will it add value?

8. What are the four most common reasons to install a biometric system?

  • Providing greater convenience for users
  • Reducing business costs
  • Reducing fraud
  • Increasing the strength of a security access control system.

9. What steps would you use to choose the appropriate biometric for implementation? (Page 152-153)

  • 1. Determine whether the problem you are trying to solve is a previously solved problem. In other words, do not reinvent the wheel. For example, for a problem such as welfare fraud control, studies and experiences have already established that fingerprints are an acceptable form of identification. Now you only need to see how others' solutions can be tailored to fit your problem.
  • 2. Determine whether the subjects of interest are already linked through a biometric to a set of relevant records. A good example is the Immigration and Naturalization Service's Passenger Accelerated Service System (INSPASS), where all applicants are checked using fingerprints because that is the biometric linked to criminal records. Successful applicants are then issued a card linked to their hand geometry for day-to-day use.
  • 3. Identify the type of application and then eliminate any biometric that is not capable of performing your function (such as surveillance, identification, or just verification). For example, hand geometry cannot perform a surveillance function.
  • 4. Identify any location-of-use constraints. Use outdoors in adverse weather or lighting conditions can degrade performance of many biometrics. For example, extremely cold weather inhibits users of outdoor hand geometry readers without provision of an environmental covering and some heat source.
  • 5. Identify any constraints such as population size and age range. Extremely large populations limit the number of biometrics to the one successfully demonstrated to work with tens of millions of records: fingerprints. Populations that include very young persons and persons of 55 years of age can pose performance problems for many biometrics.
  • 6. Consider the availability of decision makers in case of a false claim or challenged results and understand the anticipated numbers of false rejects and false matches that a biometric would likely have on your population and transaction rates. The fallback must be well thought out since people cannot differentiate most biometric samples (even the accuracy of facial comparisons by people has been shown to be less than 90 percent). Thus, secondary check personnel will have to rely on alternative biometric technology, identity documentation, or other information to resolve challenged results.
  • 7. Determine the sensitivity of failures. Biometric performance rates and threshold settings will depend on the purpose of your system. If you are controlling who gets a meal at a college cafeteria, for example, your threshold of pain is lower than if you are controlling access to a nuclear power plant. While both can employ the same biometric, the threshold will be set quite differently. You can tolerate the occasional unauthorized student getting falsely accepted into the cafeteria and getting a "free lunch." You cannot tolerate an unauthorized person gaining access to nuclear materials.
  • 8. Understand which requirement (that is, convenience, business costs, fraud, or security) is your driver. Analyze your performance expectations in light of independent test results, not manufacturers' claims.
  • 9. If none of the above considerations leads to a conclusion, one should follow the "Best Practices" document and run a cross-technology fly-off of different biometrics. This could involve benchmarking existing sites or funding prototypes or pilots.

10. How are INCITS, BioAPI Consortium, OASIS and ANSI’s X.9 committee related? (More details than less) (Page 178-179)
X9 provides specifications for biometric exchange formats, data management, and security. INCITS provides specifications for biometric feature functionality. Both adopted different versions of the BioAPI Consortium specifications. OASIS defines XML encodings following X9's specifications.

11. What are some inherent problems with conducting thorough, objective, and solid testing? (Page 183-184)

  • It's expensive and requires careful planning, data collection, execution and documentation.
  • Few have the resources and patience to produce them.
  • Training and expertise are also a major limiting factor.

12. Because of these inherent problems, who generally winds up doing objective, solid testing? List the beneficiaries of this process. (Page 184-185)
Government Organizations and Universities, as well as some government laboratories and research centers. Everyone benefits. As well as informing consumers, it gives the development community vital insight on how next-generation systems might be created. Integrators also find this information useful for analyzing test results to calibrate and operate systems.

13. Be able to identify or discuss the following test criteria of “Best Practices”: (Page 186-189)

  • Match Decision Accuracy - The probability of a match or an error occurring. The match threshold is an empirically determined value such that all match scores greater than or equal to this value are considered positive matches for a given system.
  • Crossover Error Rate - Best Practices suggest that match decision error rates be presented as plots characterizing the error trade space because the threshold might be varied over its entire range for that system. The relationship between the match rate and the false match rate (or alarm rate) is the system's receiver-operating characteristic (ROC). These are the fundamental plots used in signal detection theory. The point where the plot crosses the equal error rate line is its crossover error rate. The crossover error rate is 20 percent. In reality, most systems calibrate their match threshold to operate at either end of the curve; however, the crossover error rate is a useful reference point for comparing systems.
  • Failure to Enroll Rate - The probability that, for whatever reason, an individual is unable to enroll (including injury, dust, etc.).
  • Failure to Acquire Rate - The probability that a system is unable to capture or locate an image.
  • Multiple Attempt Error Rates - Refers to the inclusion of the effects of a "best of three" (or best of N) decision policy into the fundamental error rates. Basically sets a lockout policy for so many failed attempts.
  • User Throughput - The number of users that can be processed (or authenticated) per unit time for a given system. User throughput is also expressed in terms of total transaction time for a single user.
  • Matching Algorithm Throughput - The number of comparisons that can be processed per unit time. Match algorithm throughput is also expressed as the raw execution time for unit quantity, say 1000, biometric comparisons.
  • Performance Differences - Metrics that provide a better view of performance differences on a per-user basis for each attempt type. Statistical evidence exists that users exhibit individual performance differences in match rates and nonmatch rates.
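
The match threshold, crossover error rate and multiple attempt criteria above can be worked through on a small score set. This is an added example, not taken from the study guide or the textbook: the scores are constructed, the function names are hypothetical, and the best-of-N calculation assumes attempts are independent.

```python
# Constructed sample scores (not measured data): higher score = closer match.
GENUINE = [0.91, 0.85, 0.78, 0.74, 0.66, 0.62, 0.55, 0.48, 0.81, 0.70]
IMPOSTOR = [0.12, 0.25, 0.31, 0.38, 0.44, 0.52, 0.58, 0.20, 0.35, 0.64]


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false_match_rate, false_non_match_rate) at one threshold.

    A score >= threshold counts as a positive match, as defined above.
    The false non-match rate is 1 minus the match rate.
    """
    fmr = sum(s >= threshold for s in impostor) / len(impostor)
    fnmr = sum(s < threshold for s in genuine) / len(genuine)
    return fmr, fnmr


def error_tradeoff(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every observed score as a threshold: the error trade space."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, *error_rates(t, genuine, impostor)) for t in thresholds]


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Row (threshold, FMR, FNMR) where the two error rates are closest."""
    rows = error_tradeoff(genuine, impostor)
    return min(rows, key=lambda row: abs(row[1] - row[2]))


def best_of_n(fmr, fnmr, attempts):
    """Per-transaction error rates under a best-of-N decision policy.

    Assumption (simplification): attempts are statistically independent.
    An impostor is accepted if any attempt matches; a genuine user is
    rejected only if every attempt fails.
    """
    false_accept = 1 - (1 - fmr) ** attempts
    false_reject = fnmr ** attempts
    return false_accept, false_reject


if __name__ == "__main__":
    for t, fmr, fnmr in error_tradeoff():
        print(f"threshold={t:.2f}  FMR={fmr:.2f}  FNMR={fnmr:.2f}")
    t, fmr, fnmr = crossover()
    print("crossover:", t, fmr, fnmr)
    print("best of 3 (false accept, false reject):", best_of_n(fmr, fnmr, 3))
```

On this data a best-of-three policy lowers false rejections but raises the chance that an impostor is accepted, which is why multiple attempt error rates are reported separately from the single-attempt rates.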

14. Define the following types of Testing (Page 190-193)

  • Algorithm Testing - Concerned with understanding and comparing software techniques for acquiring, processing, and comparing biometric data. Primarily focused on pattern-matching technique.
  • Technology Testing - Refers to a family of end-to-end system-level tests or tests of complete software products and devices. These tests are interested in establishing the operating characteristics of the technology and are designed to compare or rate one or more systems under controlled conditions against a similar set of inputs.
  • Scenario Testing - Primarily concerned with the integration of biometric systems into existing business processes and real-world human transactions. A scenario test is the final information point for how well the technology works in the context of the target environment.
  • Vulnerability Testing - Has the goal of understanding how systems can be defeated or how they fail on their own. Vulnerability tests also involve statistical studies to assess risk and to estimate the ultimate strength of function for a given system.

Page last modified on March 27, 2005, at 10:19 PM