This document evaluates the robustness of multimodal biometric systems against realistic spoof attacks on all traits. It finds that while multimodal systems are more robust than unimodal ones under attack, their performance is still worsened significantly, showing they can be cracked by spoofing all traits. The study also finds that the common assumption of a "worst-case scenario" is not a good approximation of realistic attacks, and a new method is needed to properly evaluate system robustness under attack without constructing spoofed data sets.

1. Robustness of Multimodal Biometric
Systems under Realistic Spoof Attacks
against All Traits
Zahid Akhtar, Battista Biggio, Giorgio Fumera, Gian Luca Marcialis
Pattern Recognition and Applications Group
P R A G Department of Electrical and Electronic Engineering
University of Cagliari, Italy

2. Outline
• Multimodal biometric system
• Evaluation of robustness of multimodal systems under spoof attacks
• Some experimental results

3. Biometric systems
• Unimodal Biometrics System
score ≥ Threshold Genuine
Sensor Feature Matcher Decision
Extractor score < Threshold Impostor
Database
• Multimodal Biometrics System
Sensor and
scorefingerprint
Fingerprint
Feature Ext. Matcher
score ≥ Threshold Genuine
Score Fusion Rule Decision
Database f(scorefingerprint , scoreface) score < Threshold Impostor
Sensor and scoreface
Face
Feature Ext. Matcher
3

4. Spoof attacks
• Spoof attack : attacks at the user interface
• Presentation of a fake biometric trait
• Solutions:
• Liveness Detection Methods
• Increase of false rejection rate (FRR)
• Multimodal biometric Systems  “intrinsically” robust?
4

5. Aim of our work
• State-of-the-art:
• Fabrication of fake traits is a cumbersome task
• Robustness evaluation of multimodal systems using simulated attacks1,2
• Substantial increase of false acceptance rate (FAR) under only one trait spoofing
• Hypothesis: worst-case scenario1,2
• the attacker is able to fabricate exact replica of the genuine biometric trait
• match score distribution of spoofed trait is equal to one of the genuine trait
• Need of investigation of robustness against realistic (non-worst case) spoof
attacks
1 R. N. Rodrigues, L. L. Ling, V. Govindaraju, “Robustness of multimodal biometric fusion methods against spoof attacks”, JVLC, 2009.
2 P. A. Johnson, B. Tan and S. Schuckers, “Multimodal Fusion Vulnerability To Non-Zero Effort (Spoof) Imposters”, WIFS, 2010.
5

6. Aim of our work
• Main goal:
• Robustness evaluation methods under spoof attacks in realistic scenarios
without fabrication of fake biometric traits
• Aim of this paper:
• To investigate whether a realistic spoof attacks against all modalities
can allow the attacker to crack the multimodal system
• and whether the worst-case assumption is realistic
6

7. Experimental setting
• Data set:
• Two separate data sets of faces and fingerprints
• Chimerical multimodal data set
• Live:
• No. of clients: 40
• No. of samples per client: 40
• Spoofed (Fake):
• No. of clients: 40
• No. of samples per client: 40

8. Experimental setting
• Spoofed (Fake) traits production
• Fake fingerprints by “consensual method”
• mould: plasticine-like material
• cast: two-compound mixture of liquid silicon
!!!!!!!!!!!!!!!!
Live Spoofed (Fake)
!!!!!!! !!
!
• Fake faces by “photo attack”
• photo displayed on a laptop screen to camera !
!!!!!!! !! !!
Live Spoofed (Fake)
!
8
!

9. Experimental setting
• Score fusion rules:
• Sum : scorefused = scorefingerprint + scoreface
• Product : scorefused = scorefingerprint × scoreface
• Weighted sum : scorefused = w × scorefingerprint + (1-w) × scoreface
• Likelihood ratio (LLR) :
p(scorefingerprint |Genuine) × p(scoreface |Genuine)
p(scorefingerprint |Impostor) × p(scoreface | Impostor)
9

10. Experimental Results
• Detection Error Trade-off (DET) curves:
• False Rejection rate (FRR) vs. false acceptance rate (FAR)
Sum LLR
2 2
10 10
1 1
10 10
FRR (%)
FRR (%)
fing.+face fing.+face
fing. fing.
face face
0 0
10 10
−1 −1
10 −1 10 −1 0 1 2
0 1 2
10 10 10 10 10 10 10 10
FAR (%) FAR (%)
• Performance of multimodal systems improved under no spoofing attacks with
the exception of Sum rule
10

11. Experimental Results
Sum LLR
2 2
10 10
1 1
10 fing.+face 10 fing.+face
fing.+face spoof fing.+face spoof
FRR (%)
FRR (%)
fing. fing.
fing. spoof fing. spoof
0
face 0
face
10 face spoof 10 face spoof
−1 −1
10 −1 10 −1 0 1 2
0 1 2
10 10 10 10 10 10 10 10
FAR (%) FAR (%)
• spoof attacks worsen considerably the performance of individual systems,
allowing an attacker to crack them
• spoof attacks against both traits also worsen the performance of the multimodal
systems
• however the considered multimodal systems are more robust than unimodal
ones, under attack
11

12. Experimental Results
Sum LLR
2 2
10 10
1 1
10 10
FRR (%)
FRR (%)
fing.+face fing.+face
fing.+face spoof fing.+face spoof
FAR=FRR FAR=FRR
0 0
10 10
−1 −1
10 −1 10 −1 0 1 2
0 1 2
10 10 10 10 10 10 10 10
FAR (%) FAR (%)
• the performance of multimodal systems under attack is worsen considerably,
which confirms that they can be cracked by spoofing all traits
• the worst-case assumption is not a good approximation of realistic attacks
12

13. Conclusions
• State-of-the-art: “worst-case” scenario
• Evidence of two common beliefs under spoof attacks:
• Multimodal systems can be more robust than unimodal systems
• Multimodal systems can be cracked by spoofing all the fused traits
even when the attacker does not fabricate worst-case scenario
• Worst-case scenario is not suitable for evaluating the performance under attack
• Ongoing works:
• development of methods for evaluating robustness, without constructing
data sets of spoof attacks
• development of robust score fusion rules
13

14. Thank you
14