Synopsis on
The Knowledge based Intrusion Detection and
Prevention Model for Biometric System
By
(Ms. Maithili Vijay Arjunwadkar)
Faculty of Computer Studies
Submitted
In fulfilment of the requirements of the degree of
Doctor of Philosophy to the
SYMBIOSIS INTERNATIONAL UNIVERSITY, PUNE
April 2013
Under the guidance of
Prof. Dr. R.V.Kulkarni
Professor
Chhatrapati Shahu Central Institute of Business and Research
(SIBER), Kolhapur-416004
Abstract
The widespread use of e-commerce has greatly increased the necessity of protecting the
system. Given the spectacular rise in incidents involving identity theft and various
security threats, reliable identity management systems are necessary. Modern biometric
technologies claim to provide an alternative to traditional authentication processes.
While the biometric authentication process has various advantages, it is vulnerable to
attacks which can reduce its security. To enhance the security of the biometric
process, intrusion detection and prevention techniques are significantly useful.
Intrusion detection is an essential supplement to a traditional security system. Such a
security system needs robust automated auditing, an intelligent reporting mechanism and
robust prevention techniques. Intrusion detection systems are increasingly becoming a
key part of systems defence. Various approaches to intrusion detection are currently
being used for computer security, network security and web security, but no such
system is effectively available for biometric systems. Artificial Intelligence plays an
important role in security services. Various AI techniques like expert systems, fuzzy
logic, genetic algorithms, artificial neural networks and data mining are used for
intrusion detection and prevention systems. Combinations of these can also be used.
The authors have suggested a rule-based intelligent intrusion detection and prevention
model for biometric systems. This model contains detectors to classify activity as
normal or abnormal. If the activity is normal a regular alarm is raised; if the activity
is abnormal, alerts such as alarming and reporting are executed. When abnormal activity
is found, the rule engine fires the rule to detect the intrusion point and the type of
intrusion. The model also contains an expert system to detect the source of the
intrusion and to suggest the best possible prevention technique and suitable controls
for different intrusions. This model is also used for security audit as well as for the
alarming and reporting mechanisms. The malicious activity database is stored for future
intrusion detection. To track the source of an intrusion, a backward chaining approach
is used. The rules are defined and stored in the rule engine of the system.
For this purpose the authors have designed a multi-agent system which contains three
intelligent agents. The first agent, developed by the authors, can be implemented on
the biometric template database. Here the authors have considered a biometric template
database stored in a central repository system. It performs intrusion detection using
the operating system's audit trail and the RDBMS audit trail. The system consists of a
user interface module, an inference engine, a knowledge base of illegal transactions
and the audit trail of the ORACLE database. The second intelligent agent can be
deployed on the biometric system where the feature extraction and matching (decision)
modules are located. Plenty of IDS/IPS are already available to detect computer system
and network attacks, and these can be suitable as the second agent. The third
intelligent agent, a knowledge-based biometric device intrusion detection tool, is an
innovative design. This intelligent agent can be located on the biometric device. It
performs intrusion detection using the operating system's audit trail and device
manager information. The system consists of a user interface module, an inference
engine, a knowledge base of illegal transactions and certified biometric devices, and
the status of liveness detection.
The intrusions detected by the first agent are used to decide the priorities of
detected intrusions, which can assist the security administrator or database
administrator in taking preventive as well as corrective actions. A neuro-fuzzy
approach is used to decide priorities for detected intrusions in the biometric template
storage so that preventive or corrective actions can be implemented. The authors have
used FuzzyJess and Java to achieve this prioritization. A priority table is produced as
output, which is useful to the security administrator for implementing preventive
actions for intrusions detected in the biometric template storage.
The inference engine is implemented using JESS, which is a Java-based expert system
shell, and the user interface is developed using Java.
The biometric template needs protection so as to prevent attackers from circumventing
the controls provided by the security administrator, e.g. by modifying the biometric
template, deleting the biometric template, replaying the biometric template, etc.
Different schemes to protect the biometric template are available. Here the authors
have developed a biohashing or salting technique using a session key. This session key
is generated using the chaos phenomenon. The authors have developed an algorithm for
encryption of the biometric template using the generated session key; the same key is
used for decryption. The session key generated using the chaotic phenomenon cannot be
repeated and is therefore difficult to guess. The authors prove that this protection
technique is robust by generating 1,00,000 session keys.
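As an added illustration of the scheme just outlined, not the thesis's own algorithm: a session key derived from the logistic map (an assumed choice of chaotic map and parameters), the template salted with a keystream from the same seed, and the repeat count over a batch of generated keys.

```python
"""Chaos-derived session key, template salting and the key-uniqueness check.
Added illustration of the scheme the abstract outlines; it is not the thesis's
own algorithm. The logistic map x -> r*x*(1-x) and its parameters are assumed."""
import secrets

R = 3.99           # assumed control parameter, inside the chaotic regime of the map
TRANSIENT = 100    # assumed number of warm-up iterations whose output is discarded
KEY_BYTES = 16     # assumed session key length


def keystream(x0: float, length: int, r: float = R) -> bytes:
    """Iterate the logistic map from seed x0 in (0, 1) and map each orbit point
    to one byte. The same x0 always yields the same stream."""
    if not 0.0 < x0 < 1.0:
        raise ValueError("seed x0 must lie strictly inside (0, 1)")
    x = x0
    for _ in range(TRANSIENT):          # let the orbit leave the initial region
        x = r * x * (1.0 - x)
    out = bytearray()
    while len(out) < length:
        x = r * x * (1.0 - x)           # x stays inside (0, r/4] for r < 4
        out.append(int(x * 256) & 0xFF)
    return bytes(out)


def session_key(x0: float) -> bytes:
    """The session key the scheme reports: the first KEY_BYTES of the orbit."""
    return keystream(x0, KEY_BYTES)


def fresh_seed() -> float:
    """A fresh starting point from the OS entropy source, strictly inside (0, 1)."""
    return (secrets.randbits(52) + 1) / float(2 ** 52 + 2)


def protect(template: bytes, x0: float) -> bytes:
    """Salt the template by XOR with a keystream of its own length. Applying the
    same call with the same x0 to the protected bytes restores the template."""
    stream = keystream(x0, len(template))
    return bytes(b ^ k for b, k in zip(template, stream))


def count_repeats(n: int) -> int:
    """Generate n session keys from fresh seeds and count those that repeat an
    earlier key; the abstract reports this check for 1,00,000 keys."""
    seen, repeats = set(), 0
    for _ in range(n):
        k = session_key(fresh_seed())
        if k in seen:
            repeats += 1
        seen.add(k)
    return repeats


if __name__ == "__main__":
    # Constructed sample template, not real biometric data.
    template = b"constructed minutiae record: x=12 y=40 t=ridge-end"
    x0 = fresh_seed()
    sealed = protect(template, x0)
    assert protect(sealed, x0) == template
    print("session key:", session_key(x0).hex())
    print("repeats in 10,000 keys:", count_repeats(10_000))
```

A zero repeat count is the criterion the abstract reports; it establishes that the keys are distinct, not that the key bytes are uniformly distributed or unpredictable, which must be assessed separately.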
Table of Contents
Contents Page No
Abstract
1 Introduction 1-3
1.1 Introduction
1.2 Use of Biometrics System
1.3 Challenges of Biometrics System
1.4 Aim and Objectives of the Research
1.5 Scope of the Research
1.6 Organization of the Thesis
Concluding Remark
2 Review of the Literature 4-14
2.1 Introduction
2.2 Overview of Biometric System
2.2.1 About biometric System
2.2.2 Functioning of biometric System
2.2.3 Vulnerabilities in biometric System
2.3 Overview of Intrusion Detection and Prevention models
2.3.1 IDS and IPS concepts
2.3.2 Why IDS/IPS Tool?
2.3.3 Available IDS/IPS System
2.4 Overview of Artificial Intelligent Techniques
2.4.1 Knowledge based system: AI Technique
2.4.2 Benefits of Knowledge based systems
2.4.3 Available Artificial Intelligent Techniques for IDS/IPS
Concluding Remark
3 Knowledge Based Intelligent Intrusion Detection Multi-Agent System Design 15-22
3.1 Introduction
3.2 Intrusion Detection System
3.3 Knowledge based System
3.4 Proposed IDPS Model
3.4.1 Architecture of IDPS
3.4.2 IDP model as Rule-based Expert system
3.4.3 Multi-agent IDPS Architecture
3.5 Expert System shell Used
3.5.1 Java Expert System Shell (JESS)
3.5.2 Architecture of a Java Expert System Shell (JESS)
3.5.3 Rete Algorithm
3.5.4 Integration of Java and Jess
3.6 Steps to Implementation of Model
Concluding Remark
4 Agent 1: The biometric Template Storage Intrusion Detection Assistant 23-28
4.1 Introduction
4.2 Biometric storage
4.2.1 Biometric Template
4.2.2 Available biometric template storage
4.2.3 Vulnerabilities in a Biometric Template Storage
4.3 Auditing used for Intrusion detection
4.3.1 Overview of audit concept
4.3.2 Auditing: Tool for Intrusion detection
4.3.3 Auditing using RDBMS
4.4 Proposed System
4.4.1 Architecture of proposed system
4.4.2 Logic used to develop the proposed system
4.4.3 Back tracing used for source detection
4.4.4 Encode the Rules used for this agent
4.5 Findings of Agent 1
4.6 Prevention Technique suggested
Concluding Remark
5 Prioritization Of Detected Intrusion In Biometric Template Storage For Prevention Using Neuro-Fuzzy Approach 29-32
5.1 Introduction
5.2 Neuro-Fuzzy concepts
5.2.1 Concept of Artificial Neural Network
5.2.2 Concept of Fuzzy Logic
5.2.3 Overview of Neuro-Fuzzy Logic
5.3 Fuzzy inference engine
5.4 Proposed system
5.4.1 Architecture of Neuro-Fuzzy design
5.4.2 Logic used for Fuzzification
5.4.3 FuzzyJess used for Logic development
5.4.4 Encoding of the Rules used for Prioritization
5.5 Findings of this approach
Concluding Remark
6 Agent 2: Intelligent Agent for Intrusion Detection at Feature Extraction and Matcher Module 33-36
6.1 Introduction
6.2 Feature Extraction Module and Matcher Module
6.2.1 About feature extraction module
6.2.2 About Matcher module
6.2.3 Threshold context
6.2.4 Vulnerabilities in feature extraction and matcher module
6.3 Overall Attacks on Feature extractor and Matcher Module
6.3.1 Trojan Horse
6.3.2 Replay attacks
6.4 Available IDS/IPS to detect those attacks
6.4.1 Snort
6.4.2 TripWire
6.4.3 Cisco IDS
6.4.4 Network Flight Recorder
Concluding Remark
7 Agent 3: Intelligent Agent for Intrusion Detection at Biometric device 37-41
7.1 Introduction
7.2 Biometric Device
7.2.1 Working of biometric device
7.2.2 Vulnerabilities in biometric device
7.2.3 Concept of Certified Device
7.2.4 Liveness detection concept
7.3 Proposed System
7.3.1 Logic used for proposed system
7.3.2 Jess used to develop this module
7.4 Findings of Module
7.5 Prevention Technique suggested
Concluding Remark
8 Robust Model for Biometric Template Security Protection using Chaos Phenomenon 42-44
8.1 Introduction
8.1.1 Why Protection?
8.1.2 Biometric template Protection Schemes
8.2 Chaos Phenomenon
8.3 Proposed Model
8.3.1 Role of session key to protect biometric template
8.3.2 Architecture of proposed module
8.3.3 Logic used to develop this module
8.4 Findings of this module
Concluding Remark
9 Conclusion and Scope of further Research 45-46
9.1 Conclusion
9.2 Scope of further Research
Publications
References
CHAPTER - ONE
Introduction
PREVIEW
This chapter introduces biometric systems and the uses of biometric systems.
The challenges of biometric systems are discussed, and the aim and objectives
of the research are stated. It also includes the scope of the study and
finally states the organization of this thesis report.
1.1 Introduction
With the rise of large-scale computer networks like the Internet, the use of
applications like e-commerce and e-governance is growing. Establishing the identity of
an individual is of vital importance in these applications, where errors in
recognition can undermine the integrity of the system. Reliable user authentication is
becoming an increasingly important task in both the online and offline worlds. An
effective authentication system can help both worlds to reduce fraud and promote the
legal enforceability of their electronic agreements and transactions.
The problem of designing a high-security user-authentication system is still unsolved.
The traditional way of identification by means of a password or personal
identification number is easy to guess or observe, and the secret can be forgotten.
Hence biometrics is more suitable, as most biometric characteristics of an individual
are unique and do not change with time.
1.2 Use of Biometrics System
During the 19th century, criminologists used fingerprints to help identify habitual
criminals.
The following are a few examples where biometrics has the largest impact on societies:
- Authentication
- Access and attendance control
- Travel control
- Financial and other transactions requiring authorization
- Remote voting (authorization)
- Use of automatic working devices
Even though a biometric system has various advantages, it is vulnerable to attacks
which can reduce its security. The emerging technology of Intrusion Detection Systems
(IDS) is the best method that can be used to design robust biometric security
techniques. Such a security system needs robust automated auditing, an intelligent
reporting mechanism, and robust detection and prevention techniques.
1.3 Challenges of Biometrics System
Security of information related to people is necessary to protect it against misuse
and tampering. To achieve this, access to facilities needs to be authenticated based
on answers to questions like "Is this person really who he/she claims to be?" or "Is
this person authorized to use this facility?". Specifically, authentication can be
viewed as one of these tasks:
- Positive authentication or verification (one to one): to prove “you are who you say
you are”.
- Negative authentication or identification (one to many): to prove “you are not who
you say you are not”.
1.4 Aim and Objectives of the Research
Traditionally, research on computer security has focused on helping developers of
systems to prevent security vulnerabilities in the systems they know, before the
systems are released to customers.
The Knowledge Based Intrusion Detection and Prevention Model aims at detecting as well
as preventing attacks against biometric systems. The basic task of this model is to
monitor such systems by detecting as well as preventing any unlawful incidents which
lead the systems into an insecure state. This monitoring is done by checking different
logs against the rule set of identified intrusions which is stored in the model.
The major objectives of this research are:
- To study different vulnerabilities at different points of a biometric system.
- To formulate detector and report alarm modules.
- To design rule sets for vulnerabilities at different points of a biometric system.
- To detect the source of an intrusion using the backward chaining approach of an
expert system.
- To design different preventive controls using intelligent models or phenomena.
Artificial intelligence disciplines like expert systems, fuzzy logic, artificial
neural networks etc. are used to design this knowledge based system. The overall
objective of this Intrusion Detection and Prevention model research is to find an
efficient and robust model to improve the security of existing and future systems.
1.5 Scope of the Research
Intrusion detection is an essential supplement to a traditional security system.
This security system needs:
- Robust automated auditing
- An intelligent reporting mechanism
- Robust detection and prevention techniques.
This system is divided into 3 sub-systems:
- Intrusion detection
- Backtracking of the intrusion source
- Prevention techniques.
The basic task of this model is to monitor such systems by detecting as well as
preventing any unlawful incidents which lead the systems into an insecure state.
1.6 Organization of the Thesis
The body of the thesis is divided into 9 chapters.
CHAPTER - TWO
Review of the Literature
PREVIEW
This chapter covers the functioning of a biometric system in detail. It
describes the vulnerabilities in the enrolment and authentication processes
and highlights the intrusion points in those processes. This chapter also
discusses the available intrusion detection and prevention models for
information security and studies which artificial intelligence techniques
are used to develop the different intrusion detection and prevention models.
2.1 Introduction
The traditional authentication method is based on a password, which is “something
you know” (and might be forgotten), or on tokens, which are “something you have” (and
might be lost). The system thus uses knowledge-based security (PINs or passwords) and
token-based security (ID cards) to validate the identity of individuals. However,
these methods are easily targeted by intruders or attackers. Biometric systems claim
to provide a better alternative to traditional authentication systems. These systems
are more reliable, as biometric data cannot be lost, forgotten or guessed, and are
more user-friendly, because we do not need to remember or carry anything. The
increasingly widespread use of biometrics increases the need for a set of commonly
identified risks and security controls to ensure that biometric solutions are
implemented, used and controlled properly.
2.2 Overview of Biometric System
2.2.1. About biometric System
The word “biometrics” comes from the Greek words “bio” and “metric”, meaning “life
measurement”. The uniqueness of an individual’s physiological and behavioural
characteristics is the basis for the science of biometrics.
Typical physiological features measured include an individual’s fingerprints, face,
retina, iris, DNA and hand geometry. Behavioural characteristics are learned and not
inherited. Typical behavioural features that can be measured include voice patterns,
handwriting, signature and keystroke dynamics.
Biometric systems improve authentication accuracy; the system parameters can be tuned
so that the probability of illegal use of the system is reduced. Further, the cost of
incorporating biometric components into an authentication system is continually
decreasing, whereas the cost of relying on traditional authentication mechanisms is
increasing.
2.2.2. Functioning of biometric System
Biometric systems are used in two separate modes, namely enrolment mode and
verification mode.
During the enrolment process, which is carried out for each new user, the
physiological or behavioural characteristics of the user are captured by the sensor in
the form of an image. Feature extractors are used to extract data from that sample
image to create the biometric template. The template is stored in an accessible
repository during enrolment so that it can be compared with the one produced during a
future verification process. The stored template and the one produced during
verification are compared by a matching algorithm that produces a match response
(Yes/No). The match response is then sent to the application, where a decision
algorithm grants or denies access to the user (Biometric Evaluation Methodology (BEM)
supplement, August 2002).
Reference templates can be stored on three main media: locally within the biometric
reader device, remotely in a central repository, or on a portable token such as a
smart card. Each of these locations is appropriate for different systems, depending on
the requirements.
The locations of the components decide the architecture of a biometric system on open
networks (Edward C. Driscoll, 2008). Biometric authentication systems use either
centralized or distributed architectures, or some combination thereof. They mostly
differ in how the processing steps of the biometric authentication system are divided
between different machines.
2.2.3. Vulnerabilities in biometric System
Vulnerabilities are weaknesses of a system that could be accidentally or intentionally
exploited to damage assets. Assets include hardware, software and data. Even though
the biometric process has various advantages, it is vulnerable to attacks which can
reduce its security.
Ratha and Connell (Anon., 2002) analysed these attacks and grouped them into eight
classes. Figure 1 shows the vulnerabilities in a biometric system (Kaur, et al., July
2010).
Figure 1: Vulnerabilities in a biometric system
Type 1 - This point of attack is known as “Attack at the scanner (biometric
device)”. In this attack, the attacker can present a fake biometric trait (sample)
such as a synthetic fingerprint, face, iris etc. to the sensor, or collect and submit
a biometric sample from an unauthorised biometric device.
Type 2 - This point of attack is known as “Attack on the channel between the scanner
and the feature extractor” or “Replay attack”. In this attack, the attacker intercepts
the communication channel between the scanner and the feature extractor to steal a
biometric sample and store it somewhere. The attacker can then replay the stolen
biometric sample to the feature extractor, bypassing the scanner.
Type 3 - This point of attack is known as “Attack on the feature extractor module”.
In this attack, the attacker can replace the feature extractor module with a Trojan
horse. Trojan horses in general can be controlled remotely. Therefore, the attacker
can simply send commands to the Trojan horse to send feature values of his choosing
to the matcher module.
Type 4 - This point of attack is known as “Attack on the channel between the feature
extractor and the matcher module”. This attack is similar to the Type 2 attack. The
difference is that the attacker intercepts the communication channel between the
feature extractor and the matcher to steal the feature values of a legitimate user
and replay them to the matcher at a later time.
Type 5 - This point of attack is known as “Attack on the matcher module”. This attack
is similar to the Type 3 attack. The attacker can send commands to the Trojan horse
to produce high matching scores and send a “yes” to the application, bypassing the
biometric authentication mechanism. The attacker can also send commands to the Trojan
horse to produce low matching scores and send a “no” to the application all the time,
causing a denial of service.
Type 6 - This point of attack is known as “Attack on the system database”. In this
attack, the attacker compromises the security of the database where all the templates
are stored. Compromising the database can be done by exploiting a vulnerability in the
database software or by cracking an account on the database. Either way, the attacker
can add new templates, modify existing templates, delete templates, or copy an
existing template and use it in another application.
Type 7 - This point of attack is known as “Attack on the channel between the system
database and the matcher module”. In this attack, the attacker intercepts the
communication channel between the database and the matcher module to either steal and
replay data or alter the data.
Type 8 - This point of attack is known as “Attack on the channel between the matcher
module and the application”. In this attack, the attacker intercepts the
communication channel between the matcher module and the application to replay
previously submitted data or alter the data.
(Dimitriadis, 2004) proposed a baseline methodology for evaluating the performance of
biometric systems. (Bhattacharyya, et al., 2009) reviewed biometric authentication
techniques and some future possibilities in this field by comparing different
techniques and their advantages and disadvantages.
(Liu, 2008) discussed several controversial legal problems in the biometric context.
(S. Schimke, et al., 2005) explored possible vulnerabilities of potential biometric
passport systems. (Jain, et al., 2005 & Jain, et al., 2008), (Ambalakat, n.d.) and
(Uludag & Jain, 2004) described various threats that can be encountered by the
biometric process. (LENISKI, et al., 2003) proposed a structured methodology with a
full vulnerability analysis of the general biometric model outlined by Mansfield and
Wayman (2002).
(Ratha, et al., 1999 & 2001) presented the inherent strengths of a fingerprint-based
authentication scheme and described security holes in the system.
(Rila, 2002) discussed how denial of access may impact all major aspects of a
biometric system. (A. K. Mohapatra & Sandhu, 2010) proposed a novel algorithm for
biometric template encryption in which neither the secret key nor the original trait
is stored. (Sun, et al., 2007) suggested the key-mixed template (KMT) technique, which
mixes a user’s template with a secret key to generate another form of template.
(Kant, et al., n.d.), (Kaur, et al., 2010), (Islam, et al., 2008), (Abhilasha, et al.,
2010), (Baca & Antoni, 2005) and (Teoha, et al., 2008) focused on template and
database security in biometric systems and presented different algorithms to reliably
generate biometric identifiers from a user's biometric image using different
encryption algorithms and different techniques like steganography, watermarking,
biohashing etc.
(Matsumoto, et al., 2002) reported how anybody can fool fingerprint devices using
gummy fingers. (Bromme, January 2006) presented a systematic approach for a holistic
security risk analysis of biometric authentication technology. From this literature
review, the authors have concluded that the biometric process requires intrusion
detection and prevention techniques to detect attacks, and some preventive measures,
to make it robust.
2.3 Overview of Intrusion Detection and Prevention models
2.3.1. IDS and IPS concepts
An intrusion is a set of actions aimed at compromising the security goals, namely
integrity, confidentiality or availability, of a computing and networking resource.
Intrusion detection is a form of auditing that looks for break-ins and attacks. An
Intrusion Detection System is software for detecting intrusions and reporting them
accurately to the proper authority.
An intrusion prevention system (IPS) is software that has all the capabilities of an
intrusion detection system and can also attempt to stop possible incidents.
Intrusion detection requires that a great number of security-relevant events be
collected and recorded in order to be analysed. The role of an intrusion detection and
prevention system (IDS/IPS) is to monitor system activities to detect malicious
actions, identify unauthorized and abusive uses, and provide a solution to stop them.
2.3.2. Why IDS/IPS Tool?
Intrusion Detection and Prevention Systems (IDPS, i.e. IDS/IPS) are primarily focused
on identifying possible incidents, logging information about them, attempting to stop
them and reporting them to security administrators.
Such a security system needs robust automated auditing, an intelligent reporting
mechanism and robust prevention techniques.
2.3.3. Available IDS/IPS System
Intrusion detection systems are increasingly becoming a key part of systems defence.
Intrusion detection is the process of monitoring the events occurring in a computer
system or network and analysing them for signs of possible incidents, which are
violations or imminent threats of violation of computer security policies, acceptable
use policies, or standard security practices. As per the literature review, the
various approaches to intrusion detection currently in use are mostly network-based
or host-based techniques, and they are relatively ineffective for biometric systems.
A biometric system requires a separate intrusion detection and prevention system to
detect the eight types of attacks.
(Faysel & Haque, 2010) provided a comprehensive review of current research in
intrusion detection and prevention systems. (Sherif & Dearmond, 2002) reviewed the
state of the art and state of applicability of intrusion detection systems, models and
classification of the literature pertaining to intrusion detection.
(Fuchsberger, 2005) reviewed intrusion detection as well as intrusion prevention
systems through the literature. (Sahul & K. Shandilya, 2010) surveyed various
intrusion detection techniques in mobile ad hoc networks (MANET) and analysed their
fruitfulness.
(POPA, 2009) highlighted the security vulnerabilities in web applications and the
processes for their detection. (Adam, et al., August 2003) described storage-based
intrusion detection. (S. Clibert Nancy, 2010) proposed a range-based intrusion
detection system. (Carrier & Shields, August 2004) presented a new Session Token
Protocol (STOP) that can assist in the forensic analysis of a computer involved in
malicious network activity, and which can help to automate the process of tracing
attackers who log on to a series of hosts to hide their identity.
(Nikolova & Jecheva, 2007) presented a methodology for recognising attacks during
normal activities in the system, using the graphical representation method and
applying the junction tree algorithm (JTA).
(Jianping Zeng, May 2009) proposed an agent-based IDS that can be smoothly integrated
into the applications of enterprise information systems distributed over the
Internet. (Victor, et al., August 2010) designed an operational model of IDS for the
minimization of false positive alarms, including recurring alarms, by the security
administrator.
(Biscotti, et al., May 2009) designed an IPS for web applications that combines
anomaly detection, misuse detection and a prevention module; it produces fewer false
positives and false negatives than traditional solutions and is also able to update
the misuse and anomaly models according to feedback received from the security
manager.
(Singh, 2009) exploited artificial neural networks to develop a more secure means of
authentication; apart from protection, perfect security was achieved by adding the
feature of intrusion detection along with protection. (Pervez, et al., 2006) analysed,
by comparative study, the various Artificial Neural Network (ANN) techniques being
used in the development of effective intrusion detection systems for computer systems
and computer networks.
(Maxion & Townsend, 2002) developed a technique for detecting masquerades.
(Syurahbil, et al., 2009) proposed a novel method to find intrusion characteristics
for IDS using the decision tree machine learning technique of data mining, in which
decision rules are generated using the ID3 decision tree algorithm and those rules are
implemented in the firewall policy rules as prevention.
(Maath K. Al-anni, February 2009) described an intrusion detection system in which the
rules are based on a genetic algorithm and the related detection technique. (Molina &
Cukier, 2009) defined the Host Intrusion Detection System (HIDS).
(Chebrolu, et al., 2004) developed a hybrid architecture using different feature
selection algorithms for real-world intrusion detection. (Abidin, et al., 2009)
proposed that a chaotic function used for symmetric key cryptography be used for
secure communications. (Samsudin & Alia, 2008) proposed a new hash function (CHA-1)
based on chaos, which produces a 160-bit hash digest, accepts messages of length less
than 2^80 bits, and has a security factor of 2^80 against brute-force attack.
(Truong Quang Dang Khoa, 2007) proposed a novel algorithm based on a chaotic sequence
generator with the highest ability to adapt and reach the global optimum, applied to
optimize the training of multilayer neural networks.
(Shihab, 2006) presented an efficient and scalable technique for computer network
security. (Bridges & Vaughn, 2000) developed a prototype intelligent intrusion
detection system (IIDS) to demonstrate the effectiveness of data mining techniques
that utilize fuzzy logic and genetic algorithms. (Choudhary & Swarup, 2009) proposed
a neural network approach to improve the alert throughput of a network and make it
attack-prohibitive using IDS. (S. Selvakani, 2007) presented a method of learning
intrusion detection rules based on genetic algorithms.
(Hollebeek & Waltzman, 2005) used deductive reasoning combined with expert knowledge
about system behaviour, potential attacks and evidence, and patterns of suspicion, to
link individual clues together in an automated way.
(Moradian & Hakansson, 2006) described Web Services security and security concerns
together with an analysis of possible attacks. (Bashah, et al., 2005) proposed a
hybrid system that combines anomaly, misuse and host-based detection by using simple
fuzzy rules, which allow constructing if-then rules that reflect common ways of
describing security attacks.
As per the literature review, the various approaches to intrusion detection currently
in use are mostly network-based or host-based techniques, and they are relatively
ineffective for biometric systems. The authors could not find any intrusion detection
and prevention technique available for the biometric process. A biometric system
requires a separate intrusion detection and prevention system to detect the eight
types of attacks.
2.4 Overview of Artificial Intelligent Techniques
2.4.1. Knowledge based system: AI Technique
A Knowledge Based System (KBS) is one of the major members of the AI family.
Artificial Intelligence is a branch of Computer Science concerned with the
manipulation of symbols rather than data.
Knowledge based systems are artificial intelligence tools that provide intelligent
decisions with justification. Knowledge is acquired and represented using various
knowledge representation techniques: rules, frames and scripts. The basic advantages
offered by such systems are documentation of knowledge, intelligent decision support,
self-learning, reasoning and explanation. A KBS can act as an expert on demand,
anytime and anywhere, without wasting time. A KBS can save money by leveraging
experts, allowing users to function at a higher level and promoting consistency. One
may consider a KBS a productive tool, holding the knowledge of more than one expert
for a long period of time.
2.4.2. Benefits of Knowledge Based Systems
Knowledge based systems offer an environment where the capabilities of
experts and the power of computers can be combined. Knowledge based systems
increase the probability, frequency and consistency of making appropriate decisions. They
also help distribute human expertise and facilitate real-time, low cost, expert level
decisions by non-experts. They enhance the utilization of most of the available data,
allow objectivity by evaluating evidence without bias and without regard for the
user’s personal and emotional reactions, and permit vitality through modularity of
structure.
2.4.3. Available Artificial Intelligent Techniques for IDS/IPS
Artificial Intelligence plays an important role in security services. Artificial Intelligence
could make the use of intrusion detection models a lot easier than it is today. Various AI
techniques like expert systems, fuzzy logic, genetic algorithms, artificial neural networks
and data mining are used for intrusion detection and prevention systems.
Combinations of these can also be used.
(Gasser, 1992) suggested the Distributed Artificial Intelligence (DAI) concept which
consists of a group of individual agents that have distributed environments. Each
agent cooperates and communicates with other agents. Combined knowledge and
experience of the agent with the information coming from adjacent agents permits the
agent to make the best (optimum in some sense) decision.
(Kussul, et al., n.d.) proposed an intelligent agent approach based on a neural
network to develop an intelligent intrusion detection system which allows detecting
known types of attacks and anomalies in user activity and computer system
behaviour. (Sodiya, et al., 2007) designed a fuzzy logic-based threat modelling
technique which involves the fuzzification of input variables based on six major
categories of threats (Spoofing, Tampering, Repudiation, Information Disclosure,
Denial of Service, and Elevation of Privilege), rule evaluation, and aggregation of
the rule outputs.
(Jeya & K.Ramar, 2007) proposed a rule based expert system in which a GA
generated more effective standard rules for detecting intrusion using crossover and
mutation. (Yuan & Guanzhong, 2007) designed a fact based intrusion detection expert
system for files and directories which matches and categorizes audit data against fact
base components.
(Tseng, 2007) concluded that the inherent capability of Neuro-fuzzy techniques in
handling vague, large-scale, and unstructured data is an ideal match for internet
related problems.
Expert systems are the most common form of AI applied today in intrusion detection
systems. An expert system uses a rule base that describes activities that represent
known security violations. Rule based systems are comprised of a database of
associated rules. Rules are conditional program statements with consequent actions
that are performed if the specified conditions are satisfied. Rule-based systems differ
from standard procedural or object-oriented programs in that there is no fixed order
in which code executes. Instead, the knowledge of the expert is captured in a set of
rules, each of which encodes a small piece of the expert’s knowledge.
(O'Leary & P.R.Watkins, 1989) reviewed different expert systems used for auditing.
(Morgenstren, n.d.) established a framework for studying inference control
problems, described a representation for the relevant semantics of the application,
developed criteria for safety and security of a system to prevent these problems, and
outlined algorithms for enforcing these criteria.
(Fett & Georage, 1990) described an expert system to assist internal auditors in
auditing data communications (DCA). The Intrusion Detection Expert System (IDES)
(Lunt, 1993) encodes an expert’s knowledge of known patterns of attack and system
vulnerabilities as if-then rules.
(Hentea, 2007) discussed the need for increased automated auditing
and intelligent reporting mechanisms for cyber trust. Intelligent systems are
emerging computing systems based on intelligent techniques that support continuous
monitoring, controlling and decision making by providing mechanisms to enhance the
active construction of knowledge about threats, policies, procedures, and risks. She
also focused on requirements and design issues for the basic components of the
intelligent system.
Knowledge-based intrusion detection techniques apply the knowledge accumulated
about specific attacks and system vulnerabilities. The intrusion detection system
contains information about these vulnerabilities and looks for attempts to exploit
these vulnerabilities. When such an attempt is detected, an alarm is triggered. In
other words, any action that is not explicitly recognized as an attack is considered
acceptable. Therefore, the accuracy of knowledge-based intrusion detection systems
is considered good. However, their completeness (i.e. the fact that they detect all
possible attacks) depends on the regular update of knowledge about attacks.
Advantages of the knowledge-based approaches are that they have the potential for
very low false alarm rates, and the contextual analysis proposed by the intrusion
detection system is detailed, making it easier for the security officer using this
intrusion detection system to take preventive or corrective action.
Drawbacks include the difficulty of gathering the required information on the known
attacks and keeping it up to date with new vulnerabilities and environments.
Maintenance of the knowledge base of the intrusion detection system requires
careful analysis of vulnerability and is therefore a time-consuming task.
CHAPTER - THREE
Rule Based Intelligent Intrusion Detection Multi-
Agent System Design
P R E V I E W
This chapter is divided into four primary sections. The first section provides an
overview of the issues of biometric systems and intrusion detection fundamentals.
The second section describes the architecture of the rule based intrusion
detection and prevention model. The third section describes how Jess is used
as the expert system shell to develop this model. The fourth section describes the
steps to implement this model.
3.1 Introduction
Even though the biometric process has various advantages, it is vulnerable to
attacks, which can reduce its security. Intrusion detection is a necessary
supplement to traditional security protection measures such as firewalls and data
encryption, because it can provide real protection against internal attacks, external
attacks and abuse.
Intrusion detection systems aim at detecting attacks against computer systems and
networks or, in general, against information systems. Indeed, it is difficult to
provide provably secure information systems and to maintain them in such a secure state during
their lifetime and utilization.
Knowledge based intrusion detection mechanism applies the knowledge
accumulated about specific attacks and system vulnerabilities. The Intrusion
detection system contains information about these vulnerabilities and looks for
attempts to exploit them. When such an attempt is detected, an alarm is raised.
Therefore the accuracy of knowledge based intrusion detection systems is
considered good. However, their completeness depends on the regular update of
knowledge about attacks.
3.2 Intrusion Detection system
Intrusion detection involves determining that some entity, an intruder, has attempted
to gain, or worse, has gained unauthorized access to the system. None of the
automated detection approaches of which we are aware seeks to identify an intruder
before that intruder initiates interaction with the system. Intrusion detection systems
are used in addition to such preventative measures. It is also assumed that intrusion
detection is not a problem that can be solved once; continual vigilance is required.
Rule-based detection is the most widely used approach for intrusion detection systems.
Such systems are built on a number of conditional if-then rules for their detection
techniques. Rules are developed by experts analyzing attacks or misuses and
then transferring them into conditional rules, which are later used by the inference
modules of IDSs to compare against logs (monitoring data) to detect any misuse.
3.3 Knowledge based System
Knowledge based systems are systems based on the methods and techniques of
Artificial Intelligence. Their core components are the knowledge base and the
inference mechanisms. The scientific goal of Artificial Intelligence is to understand
intelligence by building computer programs that exhibit intelligent behavior. It is
concerned with the concepts and methods of symbolic inference, or reasoning, by a
computer, and with how the knowledge used to make those inferences is
represented inside the machine.
There are two ways to build knowledge based systems. One way is to build them
from scratch; the other is to build them using a piece of
development software known as a ‘tool’ or a ‘shell’. Building knowledge based
systems using shells offers significant advantages. A system can be built to
perform a unique task by entering into a shell all the necessary knowledge about the
task domain. The inference engine that applies the knowledge to the task at hand is
built into the shell. Here the authors have used the Java Expert System Shell (JESS) to build
the proposed knowledge based system.
3.4 Proposed Intrusion Detection and Prevention (IDP) Model
3.4.1. Architecture of IDPS
A robust security system must fulfil the objectives of security: authenticity,
confidentiality, integrity, availability and non-repudiation. The IDPS (Intrusion Detection
and Prevention System) contains modules to detect intrusions, filter intrusions, trace
back the origin of an intrusion, and apply prevention mechanisms for these intrusions.
This security system needs robust automated auditing, an intelligent reporting
mechanism and robust prevention techniques. The authors suggest a security system
using intelligent models as the biometric protection approach.
This system is divided into 3 processes that are:
Intrusion detection
Backtracking of intrusion source
Prevention techniques
The rule based intelligent intrusion detection and prevention model for a biometric
system contains detectors to detect normal or abnormal activity by comparing activity
against the activity database. If activity is normal then standard alarming and reporting are
executed. If abnormal activity is found then the rule engine checks the rules to detect the
intrusion point and type of intrusion. The model also contains an expert system to
detect the source of the intrusion and suggests the best possible prevention technique and
suitable controls for different intrusions.
With the help of Knowledge Base the inference engine reports the solution to the
user along with the reasoning. The stored expertise about a problem area can be
represented as a rule set or rule base. In this proposed model we collected
knowledge which is available in literature like journal papers, Conference
proceedings, Technical reports, books etc.
This model also uses security audit as well as alarming and reporting mechanisms.
The malicious activity database is stored for future intrusion detection. Expert system
evaluates that data with known malicious activity database and detects the source
using backward chaining approach.
3.4.2. IDP model as Rule-based Expert system
Rule-based expert systems have played an important role in modern intelligent
systems and their applications in fault monitoring, diagnosis and so on. Conventional
rule-based expert systems use human expert knowledge to solve real-world
problems that normally would require human intelligence. Expert knowledge is often
represented in the form of rules, or as data within the computer. Knowledge
representation in expert systems may be rule-based or encapsulated in objects. The
rule-based approach uses IF-THEN type rules and it is the method currently used in
constructing expert systems. The modern rule-based expert systems are based on
the Newell and Simon model of human problem solving in terms of long-term memory
(rules), short-term memory (working memory) and cognitive processor (inference
engine). A knowledge-based system may be dependent on the knowledge commonly
available; a true ‘expert’ system will be based on unwritten expertise, acquired from a
human expert. In the conditions where no algorithm is available to solve a particular
problem, a reasonable solution is the best we can expect from an expert (system or
human).
These rules are used by the system to make conclusions about the security-related
data from the intrusion detection system. Expert system permits the incorporation of
an extensive amount of human experience into a computer application and then
utilizes that knowledge to identify activities that match the defined characteristics of
misuse and attack. An expert system detects intrusions by encoding intrusion scenarios
as a set of rules. These rules replicate the partially ordered sequence of actions that
make up the intrusion scenario. Some rules may be applicable to more than one
intrusion scenario.
Rule-based programming is one of the most commonly used techniques for
developing expert systems. Rule based analysis relies on sets of predefined rules
that can be repeatedly applied to a collection of facts and that are provided by an
administrator, automatically created by the system or both. Facts represent
conditions that describe a certain situation in the audit records or directly from system
activity monitoring, and rules represent heuristics that define a set of actions to be
executed in a given situation and describe known intrusion scenario(s) or generic
techniques. When the facts satisfy a rule's conditions, the rule fires. It may cause an alert
to be raised for a system administrator.
Alternatively, some automated response, such as terminating that user’s session or
blocking the user’s account, will be taken. Normally, a rule firing results in additional
assertions being added to the fact base. These, in turn, may lead to additional rule-fact
bindings. This process continues until there are no more rules to be fired.
3.4.3. Multi-agent IDPS Architecture
The concept of Distributed Artificial intelligence (DAI) was defined, at the beginning of
the Seventies, to find solutions to specific AI problems. The purpose of DAI is to
extend the AI field in order to distribute the intelligence among several agents not
subject to a centralized control.
The agent is a program module that functions continuously in a particular
environment. It is able to carry out activities in a flexible and intelligent manner that is
responsive to change in the environment (real or virtual).
The multi-agent system is a system that consists of multiple agents that can interact
together to learn or to exchange experiences jointly to take actions or to solve
problems.
Building the IDS using the agent technology has several advantages.
1. As agents run separately, they can be added to or removed from the
system without altering other agents.
2. Agents can be reconfigured or upgraded to newer versions without
disturbing other agents.
The authors design Multi-agent Intrusion Detection model which contains three
agents. Implementation details of those agents are as follows:
Agent 1
This intelligent agent can be implemented on the biometric template database.
Here we consider the biometric template database stored in a central repository
system. It performs intrusion detection using the Operating System’s audit trail
and the RDBMS audit trail. The system consists of a user interface module, an
inference engine, a knowledge base of illegal transactions and the audit trail of the
ORACLE database.
Agent 2
This intelligent agent can be deployed on the biometric system where the Feature
Extraction and Matching (Decision) modules are stored. Plenty of IDS/IPS
products are already available to detect the attacks described above. A few examples are
TripWire, Snort (open source and rule based), Symantec Network Security
SecureNet, iPolic, eTrust Intrusion Detection and Cisco IPS.
Agent 3
This intelligent agent can be located on the biometric device. It performs
intrusion detection using the Operating System’s audit trail and device manager
information. The system consists of a user interface module, an inference
engine, a knowledge base of illegal transactions and a list of certified biometric
devices.
These three agents are developed using Java, Jess and integration of both. The user
interface is developed in Java and rules are developed in Jess.
3.5 Expert System Shell and Other Tools Used
3.5.1. Java Expert System Shell (JESS)
Jess, the Java Expert System Shell is a general-purpose rule engine, developed at
Sandia National Laboratories. Written in the Java programming language, Jess offers
easy integration with other Java-based software. Jess is a rule-based language for
specifying expert systems. The Jess engine can be invoked as an interactive
interpreter, where Jess language strings can be typed into a shell and invoked in
real-time, or in batch mode, where one or multiple files of Jess code can be executed
at once. The Jess engine is implemented in Java, and as well as the shell or
interpreter mode, it can also be invoked from Java code at runtime. Jess code is able
to call other Java code, or be executed in a Java object.
3.5.2. Architecture of a Java Expert system Shell (JESS)
An expert system shell is just the inference engine and other functional parts of an
expert system with all the domain-specific knowledge removed. Most modern rule
engines can be seen as more or less specialized expert system shells, with features
to support operation in specific environments or programming in specific domains. A
typical rule engine contains:
An inference engine
The inference engine is the central part of a rule engine. The inference
engine controls the whole process of applying the rules to the working
memory to obtain the outputs of the system. Usually an inference engine
works in discrete cycles with three different components like pattern
matcher, agenda and execution engine. All the rules are compared to
working memory (using the pattern matcher) to decide which ones should be
activated during this cycle. This unordered list of activated rules, together
with any other rules activated in previous cycles, is called the conflict set.
The conflict set is ordered to form the agenda. The agenda is the list of rules
whose right-hand sides will be executed, or fired. The process of ordering
the agenda is called conflict resolution. To complete the cycle, the first rule
on the agenda is fired (possibly changing the working memory) and the
entire process is repeated. This repetition implies a large amount of
redundant work, but many rule engines use sophisticated techniques to
avoid most or all of the redundancy. In particular, results from the pattern
matcher and from the agenda’s conflict resolver can be preserved across
cycles, so that only the essential, new work needs to be done.
A rule base
The rule engine will obviously need to store rules somewhere. The rule base
contains all the rules the system knows. They may simply be stored as
strings of text, but most often a rule compiler processes them into some
form that the inference engine can work with more efficiently. Jess’s rule
compiler builds a complex, indexed data structure called a Rete network. A
Rete network is a data structure that makes rule processing fast.
The working memory
It is needed to store the data which rule engine will operate on. In a typical
rule engine, it is the working memory, sometimes called the fact base. A fact
is much like a database record; it consists of a number of named slots,
which would be stored in the columns of a table. The working memory can
hold both the premises and the conclusions of the rules. Typically, the rule
engine maintains one or more indexes, similar to those used in relational
databases, to make searching the working memory a very fast operation.
Jess supports both forward and backward chaining, but Jess’s version of backward
chaining is not transparent to the programmer.
The facts and rules of Jess allow one to build systems. However, these facts and rules cannot
capture any uncertainty or ambiguity present in the domain. An extension of
Jess allows some form of uncertainty to be captured and represented using
fuzzy sets and fuzzy reasoning: the NRC FuzzyJ Toolkit can be used to create Java
programs that encode fuzzy operations and fuzzy reasoning.
3.5.3. Rete Algorithm
Jess uses a very efficient version of this idea, known as the Rete algorithm. Rete is
Latin for net (it’s pronounced “ree-tee”). The Rete algorithm is implemented by
building a network of interconnected nodes.
Briefly, the Rete algorithm eliminates the inefficiency in the simple pattern matcher by
remembering past test results across iterations of the rule loop. Only new or deleted
working memory elements are tested against the rules at each step. Furthermore,
Rete organizes the pattern matcher so that these few facts are only tested against
the subset of the rules that may actually match.
3.5.4. Integration of Java and Jess
There are two main ways in which Java code can be used with Jess: Java can be
used to extend Jess, and the Jess library can be used from Java. In general, all such
code excerpts need to appear inside a “try” block, inside a Java method,
inside a Java class, to compile; and all Java source files are expected to include the
"import jess.*;" declaration. To use Jess as a library from Java programs, the
file jess.jar (in the lib directory) must either be on your class path or be installed as a
standard extension, or your development tools must be set up to recognize it.
3.6 Steps to Implementation of the Model
A detailed procedural analysis was carried out. After going through the analysis, the
procedure adopted to develop the model is as follows.
Detailed study of the biometric system and knowledge based (rule based) systems
Study of JESS, Java concepts and their integration
Analysis of possible attack points
Design of agents and required logs
Framing of rules using the intrusion knowledge and incorporation into
JESS
Development of the user interface and agents using JESS and Java
Testing of agents
Chapter - FOUR
Agent 1: The Biometric Template Storage
Intrusion Detection Assistant
P R E V I E W
This Chapter is divided into four primary sections. The first section provides
an overview of biometric template, biometric template storage and
vulnerabilities in biometric storage. The second section describes audit
concept, auditing used in intrusion detection system and how auditing can be
done with Oracle. The third section provides the architecture of proposed
intelligent agent which can be implemented on biometric template storage,
logic used to develop this Knowledge based agent and rules used to detect
intrusion. Fourth section explains output of this proposed agent which acts as
intelligent assistant tool for security administrator.
4.1 Introduction
The biometric authentication systems are used either in centralized or distributed
architecture. They mostly differ by how the processing steps for biometric
authentication system are divided between different machines.
Attacks on stored biometric templates can reduce the security of the application.
4.2 Biometric template storage
4.2.1. Biometric Template
Biometric templates contain very sensitive information used to identify the people
to whom they are bound. A template represents a set of salient features that summarizes
the biometric data (signal) of an individual. Each individual’s reference template
must be stored in an accessible repository so that it can be compared to the user’s
biometric sample at the time of verification. Due to its compact nature, it is commonly
assumed that the template cannot be used to elicit complete information about the
original biometric signal.
A biometric template can be stored in a table column as a RAW data type, a simple
object data type, an XML data type, or a Common Biometric Exchange File Format
(CBEFF) compliant data type.
For the proposed system the author considers Biometric Template stored in the form
of RAW data type.
4.2.2. Available biometric template storage
The biometric template storage can be located remotely within a central repository,
in local storage within the biometric reader device, or on a portable token such as a
smart card. Each of these locations is appropriate for different systems, depending
on the requirements.
Authors consider biometric template stored within a Central Repository. Central
repositories allow users to enrol at a central location and be recognized at any
networked biometric device. Central repositories allow for easy auditing of
authentication attempts.
4.2.3. Vulnerabilities in a Biometric Template Storage
One of the most potentially damaging attacks on a biometric system is against the
biometric templates stored in the system database.
Attacks on the template can lead to vulnerabilities like insertion of a fake
template, modification of an existing template, removal of an existing template, and
replication of the template, which can be replayed to the matcher to gain unauthorized
access. The attacks can be carried out by authorized or unauthorized users. Users may
abuse their rights and privileges to perform unauthorized activities and to obtain
unauthorized access.
The authors consider two main categories of users: a normal user and a user with the
DBA role that intentionally or unintentionally damages the system.
4.3 Auditing used for Intrusion Detection
4.3.1. Overview of Audit Concept
Auditing is the monitoring and recording of selected user database actions. Auditing
is normally used to investigate suspicious activity as well as monitor and gather data
about specific database activities. Audit records can contain different types of
information, depending on the events audited and the auditing options set.
The recording of audit information can be enabled or disabled. This functionality
allows any authorized database user to set audit options at any time, but reserves
control of recording audit information for the security administrator.
4.3.2. Auditing : Tool for Intrusion detection
A fundamental tool for intrusion detection is the audit record. Some record of ongoing
activity by users must be maintained as input to an IDS. Auditing tracks the activity of
users and processes by recording selected types of events in the logs of a server or
workstation. It will provide information required to spot attempted attacks, to
investigate what happened when an incident occurred, and to possibly provide
evidence in support of an investigation.
4.3.3. Auditing using Oracle
Securing the database against inappropriate activity is only part of the total security
package that Oracle offers the security administrator on the Oracle database. The other
major component of the Oracle security architecture is the ability to monitor database
activity to find suspicious or inappropriate use. Oracle provides this functionality
via database auditing.
In order to begin capturing audit information, the DBA enables auditing by setting the
AUDIT_TRAIL initialization parameter in the database's initialization parameter file.
The database audit trail is a single table named SYS.AUD$ in the SYS schema of
each Oracle database's data dictionary. Several predefined views such as
DBA_AUDIT_TRAIL and DBA_ROLE_PRIVS are provided to use the information in
this table.
It includes information such as the user name, the session identifier, the terminal
identifier, the name of the schema object accessed, the operation performed or
attempted, the completion code of the operation, the date and time stamp, the
system privileges used, and the operation that was audited.
The operating system audit trail is encoded and not directly readable, but it is decoded in
data dictionary files and error messages.
4.4 Proposed System
4.4.1. Architecture of proposed system
The authors designed and developed one of the agents of the multi-agent system, called the
Biometric Template Storage Intrusion Detection Assistant. Its architecture consists
of a user interface module, an inference engine, a knowledge base of illegal
transactions and the audit trail of the ORACLE database.
The authors use a simple reflex agent to take the input from its
environment, i.e. the DBA audit trail, and interpret it into a state that matches the rules. This
approach consists in detecting intrusions that exploit well-known system
vulnerabilities. It is based on the fact that any known attack produces a specific trace
in the audit trail or in the network data. This approach works as follows:
Attacking scenarios are collected,
These scenarios are translated into facts using some predefined rules.
Extracted knowledge is utilized to take some decision, an alarm can be
raised.
Using backward chaining approach, source of intrusion can be found out.
Automatic security content updates target specific vulnerabilities and are acquainted
with unknown exploits and take preventive action. This intelligent agent is located on
the Biometric Template storage database.
4.4.2. Logic used to develop the proposed system
The authors consider two main categories of users: a normal user and a user with the DBA
role that, intentionally or unintentionally, damages the system. The authors collect
suspicious data from DBA_AUDIT_TRAIL by firing an SQL query on the
DBA_AUDIT_TRAIL and DBA_ROLE_PRIVS views. The database is accessed using
JDBC (Java Database Connectivity). The result set is asserted into facts. In
addition to the facts, rules are defined. The authors design different rules for suspicious
transactions like insert, modify, remove and copy on the biometric template storage.
Suspicious knowledge is stored in the form of facts and rules in a JESS knowledge
base. It is somewhat similar to a relational database, especially in that the facts must
have a specific structure. The authors design the rules in such a way that when rules are
fired, some new facts are asserted for counting the suspicious transactions,
suspicious users and suspicious hosts, and some facts are modified. Java and Jess are
used for development.
4.4.3. Back tracing used for source detection
In a backward chaining system, rules are still if..then statements, but the engine
seeks steps to activate rules whose preconditions are not met. This behavior is often
called "goal seeking". JESS supports both forward and backward chaining. The authors
use back tracing for the post mortem of an intrusion to find the source of the intrusion. They use
the Defquery construct for back tracing, which displays detailed knowledge about OS
username, username, object name, owner of the object, time stamp, session id and so
on. Facts generated by rules fired during this run may appear as part of the query
results.
4.4.4. Encoding the Rules used for this agent
As per the literature review, the authors have defined rules for the vulnerabilities
of biometric template storage: insertion of a fake template, modification of an
existing template, removal of an existing template, and replication of a template
that can be replayed to the matcher to gain unauthorized access. A sample of the
designed rules is as follows:
If the action name is insert, Then modify the action message to "Illegal Insertion",
increase the count of insert actions and assert the counted value into facts, assert
the username who performed the insert action into facts, and assert the hostname
from which the insert action took place into facts.
Rules are defined in JESS using the Defrule construct. A Defrule can search the
knowledge base to find relationships between facts, and rules can take actions
based on the contents of one or more facts.
The following is the JESS language representation of the above rule (the parts
elided in the original are left elided here):
(defrule insert_rule
  ?r1 <- (Trans (action_name ?*actname*) (username ?un) ....)
  ?r2 <- (Cnt_action (...))
  ?c1 <- (accumulate (bind ?*cnt* 0)
                     (bind ?*cnt* (+ ?*cnt* 1))
                     ?*cnt*
                     (Trans (action_name ?a&:(.....))))
  =>
  (modify ?r1 (actmessage "Illegal-Insertion"))
  (modify ?r2 (cnt ?*cnt*))
  (assert (Cnt_user (....)))
  (assert (Cnt_host (....))))
Similarly, the authors defined rules for the suspicious transactions modify, remove
and copy of the biometric template, for both normal users and DBA-role users.
4.5 Findings of Agent 1
The Biometric Template Storage Intrusion Detection Assistant displays two tables:
User Intrusion, which contains the suspicious activities of normal users, and DBA
Intrusion, which contains the suspicious activities of DBAs. A text pane displays
detailed information about the selected suspicious activity. Three further tables
show the top intruders, top suspicious hosts and top suspicious DBA hosts; they are
used to find the most suspicious user or host, and that knowledge is used when
taking preventive action. One bar graph shows which transaction is repeatedly
performed as suspicious activity by normal users, and another shows the same for
DBAs.
If the user selects a row from the normal-user or the DBA suspicious-activity table,
the following details are displayed on the screen: the name of the user whose
action was audited, the operating system login username of that user, the client
host machine name, the numeric ID of the ORACLE session, the name of the object
affected by the action, and the timestamp of the creation of the audit trail entry in
Coordinated Universal Time (UTC).
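As an added example (not the authors' Java/Jess code), the following Python reproduces the detection logic of sections 4.4.2 to 4.4.4 in miniature: audit rows shaped like the DBA_AUDIT_TRAIL columns the page lists are asserted as facts, one rule per suspicious action bumps the action, user and host counts, and a Defquery-style back-trace returns the detail facts behind one user. The table name, the three non-insert messages and the sample rows are this example's assumptions.

```python
from collections import Counter
from dataclasses import dataclass, replace

# Field names follow the audit-view columns the page displays; the rows
# used below are constructed samples, not real audit data.
@dataclass(frozen=True)
class AuditFact:
    os_username: str
    username: str
    userhost: str
    sessionid: int
    obj_name: str
    owner: str
    action_name: str
    timestamp: str          # audit entry creation time, UTC
    actmessage: str = ""    # set when a suspicious-transaction rule fires

TEMPLATE_TABLE = "BIO_TEMPLATE"   # assumed name of the template storage table

# "Illegal-Insertion" is the page's message; the other three are assumed.
SUSPICIOUS = {
    "INSERT": "Illegal-Insertion",
    "UPDATE": "Illegal-Modification",
    "DELETE": "Illegal-Removal",
    "SELECT": "Illegal-Copy",   # reading templates out = copying them
}

@dataclass
class WorkingMemory:
    """Flagged facts plus the Cnt_action / Cnt_user / Cnt_host count facts."""
    flagged: list
    cnt_action: Counter
    cnt_user: Counter
    cnt_host: Counter

def run_rules(rows, dba_users):
    """One rule per suspicious action: when a row on the template table
    matches, modify its message and bump the counts, keyed by role
    ("DBA" if the username holds the DBA role, else "USER")."""
    wm = WorkingMemory([], Counter(), Counter(), Counter())
    for row in rows:
        if row.obj_name != TEMPLATE_TABLE or row.action_name not in SUSPICIOUS:
            continue                       # rule preconditions not met
        role = "DBA" if row.username in dba_users else "USER"
        wm.flagged.append(replace(row, actmessage=SUSPICIOUS[row.action_name]))
        wm.cnt_action[(role, row.action_name)] += 1
        wm.cnt_user[(role, row.username)] += 1
        wm.cnt_host[(role, row.userhost)] += 1
    return wm

def top(counter, role, n=3):
    """Top intruders or top suspicious hosts for one role (section 4.5)."""
    return [(k[1], v) for k, v in counter.most_common() if k[0] == role][:n]

def back_trace(wm, username):
    """Defquery-style post-mortem: the detail facts behind one user."""
    return [f for f in wm.flagged if f.username == username]

# Constructed sample of audit rows (not real audit data).
SAMPLE = [
    AuditFact("alice", "APP_USER",  "host-a", 101, "BIO_TEMPLATE", "BIO",  "INSERT", "2013-03-01T10:00:00Z"),
    AuditFact("alice", "APP_USER",  "host-a", 101, "BIO_TEMPLATE", "BIO",  "INSERT", "2013-03-01T10:01:00Z"),
    AuditFact("bob",   "APP_USER2", "host-b", 102, "BIO_TEMPLATE", "BIO",  "DELETE", "2013-03-01T10:05:00Z"),
    AuditFact("sys",   "SYS",       "host-c", 103, "BIO_TEMPLATE", "BIO",  "UPDATE", "2013-03-01T10:07:00Z"),
    AuditFact("carol", "APP_USER",  "host-a", 104, "ORDERS",       "SHOP", "INSERT", "2013-03-01T10:09:00Z"),
]

if __name__ == "__main__":
    wm = run_rules(SAMPLE, dba_users={"SYS"})
    print("top intruders (normal users):", top(wm.cnt_user, "USER"))
    print("top suspicious DBA hosts:", top(wm.cnt_host, "DBA"))
    for f in back_trace(wm, "APP_USER"):
        print(f.actmessage, f.os_username, f.userhost, f.sessionid, f.timestamp)
```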
4.6 Prevention Technique suggested
1. Proper database security techniques, and triggers on transactions to block a
suspicious user or suspicious host, can be used.
2. Use techniques such as encryption to avoid misuse of the stored biometric
template (the encryption technique is described in chapter 8).
3. A security administrator finds the priorities of the detected intrusions; it is then
very easy for him/her to prevent those suspicious actions, suspicious users and
suspicious hosts (the priorities for prevention are described in chapter 5).
Chapter - FIVE
Prioritization of Detected Intrusion in
Biometric Template Storage for Prevention
Using Neuro-Fuzzy Approach
P R E V I E W
This chapter is divided into five primary sections. The first section provides an
overview of biometric template storage. The second section describes the concepts
of artificial neural networks, fuzzy logic and the Neuro-Fuzzy approach. The third
section presents the principle of the fuzzy inference engine with FuzzyJess. The
fourth section explains the architecture of the proposed Neuro-Fuzzy approach for
prioritization of detected intrusions at the biometric template storage, the logic
used for fuzzification, how FuzzyJess is used for logic development and the rules
used to set priorities. The fifth section explains the output of this proposed
Neuro-Fuzzy approach, which helps the security administrator decide the priorities
of detected intrusions for taking preventive action.
5.1 Introduction
The biometric template is stored in a smart card, a central repository or the
sensing device. Attacks on the biometric template storage can lead to
vulnerabilities such as insertion of a fake template, modification of an existing
template, removal of an existing template, and replication of a template that can
be replayed to the matcher to gain unauthorized access. A security administrator
requires assistance to prevent those vulnerabilities. In this chapter, the authors
propose an intelligent agent that assists in deciding the priority for prevention of
intrusions in the biometric template storage, using a Neuro-Fuzzy approach.
5.2 Neuro-Fuzzy concepts
5.2.1. Concept of Artificial Neural Network
An artificial neural network, commonly referred to as a neural network, is an
adaptive system that changes its structure based on the internal and external
information that flows through the network. It is an interconnected group of
artificial neurons that uses a mathematical or computational model for information
processing based on a connectionist approach to computation. It can learn from
data but cannot interpret it; it is a black box to the user.
5.2.2. Concept of Fuzzy Logic
Fuzzy logic creates the ability to mimic the human mind in effectively employing
modes of reasoning that are approximate rather than exact. It is a multi-valued
logic that allows intermediate values to be defined between conventional
evaluations (crisp values) such as true/false, yes/no, high/low etc. Fuzzy logic
systems address the imprecision of the input and output variables by defining
fuzzy numbers and fuzzy sets that can be expressed in linguistic variables such as
'VERY HIGH', 'HIGH', 'MEDIUM', 'LOW', 'VERY LOW'. A fuzzy system consists of
interpretable linguistic rules, but it cannot learn.
5.2.3. Overview of Neuro-Fuzzy Logic
A Neuro-Fuzzy system is a fuzzy system that uses a learning algorithm derived from
or inspired by neural network theory to determine its parameters (fuzzy sets and
fuzzy rules) by processing data samples. A Neuro-Fuzzy system can be viewed as a
3-layer feed-forward neural network. The learning algorithms can learn both fuzzy
sets and fuzzy rules, and can also use prior knowledge. Membership functions (MFs)
can either be chosen by the user arbitrarily, based on the user's experience (MFs
chosen by two users could differ depending on their experiences, perspectives,
etc.), or be designed using machine learning methods (e.g. artificial neural
networks, genetic algorithms, etc.). There are different shapes of membership
functions: triangular, trapezoidal, piecewise-linear, Gaussian, bell-shaped, etc.
5.3 Fuzzy inference engine
The inference engine makes use of FuzzyJess to evaluate fuzzy logic rules. The
inputs to the fuzzy inference engine are the fuzzified input variables (FuzzyVariable
in FuzzyJess), the fuzzy rules fired within the FuzzyJess environment, and the
records, which are asserted as facts in FuzzyJess. FuzzyJess can be configured to
use the Mamdani or Larsen inference mechanism to compute the firing strength of
each rule applied to each fact. The evaluation of a rule begins with the analysis of
its antecedent. Rules fire until no more rules match the facts in working memory;
only one rule fires per cycle. The inference engine matches the facts against the
fuzzy rules, fires the rules and executes the associated actions.
5.4 Proposed system
5.4.1. Architecture of Neuro-Fuzzy design
Using this intelligent assistant tool (Agent 1), we obtained the user role (either
DBA or normal user), the suspicious user name and the number of times that user
attempted an intrusion, the suspicious host machine name and the number of times
that host machine was used for intrusion, and data about how many times any user
attempted transactions such as modifying an existing biometric template, inserting
a fake biometric template, deleting an existing biometric template or copying a
biometric template for other use. All these values are already stored in facts;
they are retrieved from the facts to decide the priorities of the detected
intrusions in biometric template storage for preventive actions.
1. Identify the four parameters: type of user (DBA or other normal user),
Suspicious Host frequency (number of times an intrusion was made from a
suspicious host machine), Suspicious User frequency (number of times an
intrusion was made by a suspicious user), and type of transaction (intrusion
made using Update, Delete, Insert or Copy).
2. Classify the parameters. USERTYPE and TRANSACTION are both crisp
variables because their values are of a crisp nature, while SUSPICIOUS HOST
FREQ and SUSPICIOUS USER FREQ are fuzzy variables because of their
uncertainty.
3. Once the parameters are classified, use fuzzy logic to model the uncertain
parameters (fuzzification). Classify the SUSPICIOUS HOST FREQ and
SUSPICIOUS USER FREQ fuzzy variables into the VeryLow, Low, High and
VeryHigh fuzzy values as linguistic expressions. The ranges are decided by an
automated learning method with the help of an algorithm the authors designed.
The authors use an RFuzzySet for VeryLow, two TriangularFuzzySets for Low
and High, and an LFuzzySet for VeryHigh (corresponding to the names defined
in the FuzzyJess library).
4. Encode the FuzzyRules after fuzzification of the uncertain variables.
As per the literature survey, the authors developed more than 128 fuzzy rules to
decide the priorities for preventive actions.
5.4.2. Logic used for Fuzzification
All suspicious frequencies are collected into an array. After finding the minimum
(min) and maximum (max) of the array, the difference between min and max is
calculated, and using this difference the ranges of the fuzzy variables are decided.
5.4.3. FuzzyJess used for Logic development
The NRC FuzzyJ Toolkit can be used to create Java programs that encode fuzzy
operations and fuzzy reasoning. However, a rule-based expert system shell (Jess)
provides a convenient and suitable way to encode many types of applications, and
fuzzy logic programs fit nicely into the rule-based paradigm. FuzzyJess is the
integration of the FuzzyJ Toolkit and Jess. As identical fuzzy facts are asserted
from different rules, the contribution from each rule is accumulated. A fuzzy rule
fires in Jess when the fuzzy (and crisp) patterns on the left hand side of the rule
match. The fuzzy matching is controlled by the fuzzy-match function. However,
when the right hand side of the rule is executed it is often necessary to know
what fuzzy values matched the fuzzy patterns specified in the fuzzy-match calls.
In particular, this information is required when a fuzzy fact is being asserted,
since the shape of the fuzzy value being asserted depends on the degree of
matching of the fuzzy patterns on the left hand side.
5.4.4. Encoding of the Rules used for Prioritization
A sample rule and its fuzzy form are as follows:
If the type of user is DBA and the suspicious host frequency is in the range very
high and the suspicious user frequency is in the range very high and the
transaction is modification, then the priority of the intrusion is very high.
The above rule converted into Jess is:
(defrule pr1
  ?a1 <- (crispval2 ?ut&:(eq ?ut "DBA"))
  ?b1 <- (crispval3 ?an&:(eq ?an "UPDATE"))
  ?c1 <- (shostf ?t&:(fuzzy-match ?t "VeryHigh"))
  ?d1 <- (suserf ?t1&:(fuzzy-match ?t1 "VeryHigh"))
  =>
  (modify ?*pl* (priority "VeryHigh"))
  (retract ?a1 ?b1 ?c1 ?d1))
5.5 Findings of this Approach
The output screen shows a table with the columns Priority, Type of User,
Username, Suspicious User Frequency, Host Name, Suspicious Host Frequency and
Transaction Type. This table is displayed by the intelligent agent and can be
consulted by the security administrator to implement preventive actions. The
priority column shows the values VeryLow, Low, Medium, High and VeryHigh. The
table can be sorted on any column. As per organization policy, the security
administrator can implement preventive action using triggers on transactions to
block a suspicious user or suspicious host.
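As an added example (not the authors' FuzzyJess code), the following Python works through the fuzzification of section 5.4.2 (terms built from the min/max spread of the collected frequencies, with R-, triangular and L-shaped sets as in 5.4.1) and the evaluation of priority rules such as pr1 with a Mamdani firing strength (min over the antecedent degrees). The quarter-step breakpoints, the matching threshold, the sample frequencies and every rule other than pr1 are this example's assumptions.

```python
from dataclasses import dataclass

def r_set(a, b):
    """RFuzzySet: membership 1 up to a, falling linearly to 0 at b."""
    return lambda x: 1.0 if x <= a else 0.0 if x >= b else (b - x) / (b - a)

def l_set(a, b):
    """LFuzzySet: membership 0 up to a, rising linearly to 1 at b."""
    return lambda x: 0.0 if x <= a else 1.0 if x >= b else (x - a) / (b - a)

def tri_set(a, m, b):
    """TriangularFuzzySet peaking at m with support (a, b)."""
    def f(x):
        if x <= a or x >= b:
            return 0.0
        return (x - a) / (m - a) if x <= m else (b - x) / (b - m)
    return f

def fuzzify(freqs):
    """Build the four linguistic terms from min and max of the collected
    frequencies (section 5.4.2).  Breakpoints at quarter steps of
    (max - min) are this example's assumption; Low and High overlap so
    that every value in [min, max] belongs to at least one term."""
    lo, hi = min(freqs), max(freqs)
    step = (hi - lo) / 4.0 or 1.0           # guard an all-equal array
    p = [lo + i * step for i in range(5)]
    return {
        "VeryLow":  r_set(p[0], p[1]),
        "Low":      tri_set(p[0], p[1], p[3]),
        "High":     tri_set(p[1], p[3], p[4]),
        "VeryHigh": l_set(p[3], p[4]),
    }

def fuzzy_match(terms, x, label, threshold=0.0):
    """Degree to which x belongs to label, or 0.0 when the degree does not
    exceed the matching threshold (the crisp true/false of fuzzy-match is
    the degree being above the threshold)."""
    d = terms[label](x)
    return d if d > threshold else 0.0

@dataclass(frozen=True)
class Rule:
    usertype: str      # crisp: "DBA" or "USER"
    action: str        # crisp: "UPDATE", "DELETE", "INSERT" or "COPY"
    host_term: str     # fuzzy term for SUSPICIOUS HOST FREQ
    user_term: str     # fuzzy term for SUSPICIOUS USER FREQ
    priority: str

# The first entry is pr1 from the page; the rest are illustrative only
# (the thesis' rule base has more than 128 rules).
RULES = [
    Rule("DBA",  "UPDATE", "VeryHigh", "VeryHigh", "VeryHigh"),
    Rule("DBA",  "UPDATE", "High",     "High",     "High"),
    Rule("DBA",  "DELETE", "VeryHigh", "VeryHigh", "VeryHigh"),
    Rule("USER", "INSERT", "VeryLow",  "VeryLow",  "VeryLow"),
    Rule("USER", "INSERT", "Low",      "Low",      "Low"),
    Rule("USER", "COPY",   "High",     "High",     "High"),
    Rule("USER", "COPY",   "Low",      "High",     "Medium"),
]

def prioritize(host_terms, user_terms, usertype, action, host_freq, user_freq,
               rules=RULES):
    """Fire every rule whose crisp patterns are equal and whose fuzzy patterns
    match; the priority of the rule with the largest Mamdani firing strength
    wins.  Returns (priority, strength); ("Unrated", 0.0) if nothing fires."""
    best = ("Unrated", 0.0)
    for r in rules:
        if r.usertype != usertype or r.action != action:
            continue
        strength = min(fuzzy_match(host_terms, host_freq, r.host_term),
                       fuzzy_match(user_terms, user_freq, r.user_term))
        if strength > best[1]:
            best = (r.priority, strength)
    return best

# Constructed frequencies (not the thesis' data): intrusion counts per
# suspicious host and per suspicious user collected by the detection agent.
HOST_FREQS = [1, 2, 3, 5, 8, 13, 21]
USER_FREQS = [1, 1, 2, 4, 6, 9]

if __name__ == "__main__":
    ht, ut = fuzzify(HOST_FREQS), fuzzify(USER_FREQS)
    print(prioritize(ht, ut, "DBA", "UPDATE", 21, 9))   # the pr1 case
    print(prioritize(ht, ut, "USER", "COPY", 8, 6))     # two rules compete
```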
Chapter - SIX
Agent 2: Intelligent Agent for Intrusion Detection at Feature Extraction and Matcher Module
P R E V I E W
This chapter is divided into four primary sections. The first section provides an
introduction to the feature extraction and matcher modules. The second section
describes the functioning of the feature extraction and matcher modules, the
context of the threshold, and the vulnerabilities in the feature extraction and
matcher modules. In the third section the authors describe what exactly Trojan
horse and replay attacks are, these being the main attacks on those modules. In
the fourth section the authors describe the available intrusion detection systems
that can be implemented as the second intelligent agent in the proposed model.
6.1 Introduction
Biometric systems are essentially pattern recognition systems that read as input
biometric data, extract a feature set from such data, and finally compare it with a
template set stored in database.
6.2 Feature Extraction and Matcher Module
6.2.1. About feature extraction module
The feature extractor module is responsible for extracting the feature values of a
biometric trait. This module operates on the signal sent by the scanner module to
extract a feature set that represents the given signal. The extracted feature set is
sent to the matcher for processing. If hand geometry were used as the biometric
trait, the feature values would include the width of the fingers at various
locations, the width of the palm, the thickness of the palm, the length of the
fingers, etc.
6.2.2. About Matcher module
The matcher module is the main module in a biometric system. The matcher
receives a feature set from the feature extractor module and compares it with the
templates stored in the database. A match attempt results in a score which, in
most systems, is compared against a threshold. If the score exceeds the threshold,
the result is a match; if the score falls below the threshold, the result is a
non-match. The matcher module is considered the main module because it is the
part that makes the decision ("yes" if there is a match or "no" if there is no
match).
6.2.3. Threshold Context
The threshold value is a predefined value that determines when a match is
declared. The biometric match threshold is the point at which it becomes
reasonably certain that a biometric sample matches a particular reference
template. It is often controlled by a biometric system administrator, who
establishes the degree of correlation necessary for a comparison of biometric
templates to be deemed a match. Typically, a biometric match is never exact; the
administrator must choose a measure of similarity at which a match may be
declared. If the score resulting from the template comparison exceeds the
threshold, the templates are a "match" (though the templates themselves are not
identical).
6.2.4. Vulnerabilities in Feature Extraction and Matcher module
- An attacker can intercept the communication channel between the scanner and
the feature extractor to bypass the scanner (Replay Attack).
- The attacker can replace the feature extractor module with a Trojan Horse.
- An attacker can intercept the communication channel between the feature
extractor and the matcher to steal the feature values of a legitimate user
(Replay Attack).
- The attacker can replace the matcher module (threshold value) with a Trojan
Horse.
- An attacker can intercept the communication channel between the database and
the matcher to intercept the biometric template (Replay Attack).
- An attacker can intercept the communication channel between the matcher and
the application to intercept (override) the final decision (Yes/No) (Replay Attack).
6.3 Overall Attacks on Feature extractor and Matcher Module
6.3.1. Trojan Horse
Trojan horse attacks pose one of the most serious threats to computer security. A
Trojan is an executable program that is not a translation of the original program
but was added later, usually maliciously, and comes into the system disguised as
the original program. E.g. an intruder can replace the matcher module with a Trojan
horse program that always outputs high verification scores.
6.3.2. Replay attacks
Replay attacks are "man in the middle" attacks that involve intercepting data
packets and replaying them, that is, resending them as is (with no decryption) to
the receiver. The attacker intercepts the communication channel to steal a
biometric trait from the sender and stores it somewhere. The attacker can then
replay the stolen biometric trait to the receiver.
6.4 Available IDS/IPS to detect those attacks
6.4.1. Snort
Snort® is an open source network intrusion prevention and detection system
(IDS/IPS) developed by Sourcefire. Combining the benefits of signature-, protocol-
and anomaly-based inspection, Snort is the most widely deployed IDS/IPS
technology worldwide. It is a widely used open source signature-based network IDS
used for real-time traffic logging and analysis over IP networks. Currently, Snort
has an extensive database of over a thousand attack signatures.
6.4.2. TripWire
Tripwire is an integrity checking program that permits a system administrator to
monitor system files for addition, deletion or modification. Tripwire verifies
system integrity and provides valuable information for the process of detecting
attacks on a system. Tripwire is designed for the UNIX operating system
environment. It automatically calculates cryptographic hashes of all key system
files, or of any file that is to be monitored for modifications. The Tripwire
software works by creating a baseline snapshot of the system. It periodically scans
those files, recalculates the information, and checks whether any of it has
changed. If there is a change, the software raises an alarm.
6.4.3. NetRanger
NetRanger is an IDS developed at Cisco that provides complete intrusion
protection and is a component of the Cisco SAFE Blueprint security system. It
delivers a comprehensive, pervasive security solution for combating unauthorized
intrusions and malicious Internet worms.
6.4.4. Network Flight Recorder
Network Flight Recorder (NFR) is an intrusion detection system that gives users a
powerful tool in the war against illegal access to their network.
Other IDS/IPS are Armana Security - Sourcefire Intrusion Sensors, Barbedwire
Technologies, CyberTrace Intrusion Detection, eTrust Intrusion Detection, ipANGEL
Adaptive IDS/IPS and Xintegrity. Here the authors have mentioned only a few
IDS/IPS for network intrusion detection that can be used to detect Internet- or
network-based intrusions, including Trojan horse and replay attacks.
Chapter - SEVEN
Agent 3: Intelligent Agent for Intrusion Detection at Biometric Device
P R E V I E W
This chapter is divided into five primary sections. The first section provides an
introduction to biometric devices. The second section describes the working of a
biometric device, vulnerabilities in biometric devices, the concept of a certified
device and the concept of liveness detection. The third section describes the logic
used for the proposed module and how JESS is used to develop it. The fourth
section explains the output of this proposed intelligent agent for intrusion
detection at the biometric device, and the fifth section presents a few prevention
techniques suggested by the authors.
7.1 Introduction
The biometric authentication is the automatic identification or verification of an
individual using a biological feature they possess such as fingerprints, iris
recognition, retina scan, facial features, hand geometry, voice, signature etc. A
Biometric Device identifies an individual by examining a unique physical or
behavioural characteristic such as the individual’s fingerprints, hand geometry, eye
patterns, voice, or dynamic signature etc.
7.2 Biometric Device
7.2.1. Working of biometrics device
A biometric device (sensor or reader) is the device that actually reads or captures
biometric characteristics. Biometric capture is defined as the automatic capture or
measurement of the physiological or behavioural characteristic(s) of a person. The
device may include processes that enhance the quality of the acquired sample, such
as user interface (UI) feedback or using a number of acquisitions to produce the
sample. Each device type will have certain criteria and procedures defined for the
capture process, both for enrolment and for verification. For example, in a
fingerprint device, the capture may have to include the centre part of the
fingerprint to ensure the maximum number of characteristic features of the print.
Some facial recognition devices require the person to be in a standard position
directly facing the capture device. For other devices, other criteria and
procedures must be clearly defined to ensure a standard, repeatable capture
process.
7.2.2. Vulnerabilities in biometric device
Attacks on the biometric device can be segregated into different scenarios. The
different scenarios are as follows:
- Forcibly compelling a registered user to enrol and verify or identify.
- Presenting a registered deceased person or a dismembered body part.
- Using a genetic clone.
- Fake or artificial biometric samples (spoofing).
- Collecting or submitting a biometric sample from an unauthorised biometric
device.
7.2.3. Concept of Certified Device
The biometric system is flexible regarding the device used; the system still needs
to make sure that the device is an authorised (certified) device and not a fake
device that produces fake readings. Consequently, some form of identification
mechanism for the device is required.
7.2.4. Liveness detection concept
A spoof is a counterfeit biometric that is used in an attempt to circumvent a
biometric sensor. Although spoofing techniques vary between biometric
technologies, one thing they have in common is that they all involve presenting a
fake biometric sample to the device. Therefore, it is necessary to ensure that the
biometric sample is captured from a legitimate user. Artificially recreated data is
used to attack physiological biometric technologies, for instance by using a fake
finger, substituting a high-resolution iris image, or presenting a face mask.
Besides artefacts, mimicry is often used to spoof behavioural biometric
technologies. Spoof detection can occur before biometric data is collected or
during data processing.
One method of anti-spoofing is called "liveness detection". Liveness detection is a
technique used to determine whether the collected or submitted biometric sample
was taken from a live person or is a fake sample. Liveness detection is based on
the principle that additional information can be collected for the biometric sample
submitted at the time of the enrolment and verification processes. Liveness
detection uses either a hardware-based or a software-based system coupled with
the authentication program to provide additional security. A hardware system uses
additional sensors to gain measurements outside of the biometric sample itself to
detect liveness. Liveness detection is incorporated into a system through extra
hardware components in the capture device that can measure temperature, pulse,
blood pressure, skin deformation, pores, heartbeat, skin resistance, facial
thermograms etc. Software-based systems use image processing algorithms to
collect information directly from the collected biometric sample to detect
liveness, and are integrated into the system.
7.3 Proposed System
7.3.1. Logic used for proposed system
In the proposed system, the authors develop an intelligent agent to assist intrusion
detection. The biometric process or biometric encryption process is divided into
two processes, namely the enrolment and the authentication process. The authors
consider a few possible threats, which are mentioned below.
- At the time of legitimate enrolment, the accuracy of the biometric data is
essential. If the identity is faked, the enrolment data will be an accurate
biometric of the individual, but the identity will be incorrectly matched. Once
registered, the system will validate a false identity, and with it illegal access to
the application.
- At the time of legitimate enrolment and verification, the data should come from
the living person.
On the basis of the above threats and policies, the authors have developed an
intelligent agent that can check that the collected sample comes from an
authenticated biometric device and from a living person. The ability to
authenticate a biometric device to the system is a significant step towards a
secure biometric process. A packet containing the biometric sample, the UserId,
the capture timestamp, the device serial number, the device model number, the
status of liveness detection and the process name for which the sample is
captured can be collected from the system to validate the device.
7.3.2. Jess used to develop this module
Knowledge such as the make, model and serial number of each authentic device is
stored as facts and rules in a JESS knowledge base. The authors design different
rules for finding a fake device, i.e. one not certified by the authorities. The
knowledge is represented as the following rule (the parts elided in the original
are left elided here):
(defrule authorisedevice_rule1
  ?r1 <- (ActualDeviceInfo (make ?mk) (model ?md) (serialNo ?sn)
                           (capturePurpose ?*apurpose1*) (LivenessDetection ?*ld2*))
  ?r11 <- (.....)
  =>
  (modify ?r1 (authoriseDevice "Authentic Device") (...)))
The above rule says that if the capture purpose is enrolment and the sample was
collected from a biometric device whose make, model and serial number are not
in the knowledge base, then the device is a fake device, i.e. not an authentic
device: the device fact is modified to fake, the fake device count is increased
and the new value is asserted into facts. Similarly, we defined rules for detecting
an authentic device and for the liveness detection status being active or inactive,
to decide whether the biometric sample can be accepted or not.
The authors use the Defquery construct for back tracing, which displays detailed
knowledge about device status, make, model, serial number, userId, capture
purpose, liveness detection and timestamp. Similarly, we backtrack for fake
devices and for authentic devices with inactive liveness detection, for both the
enrolment and the verification process.
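As an added example (not the authors' Jess rules), the following Python checks the capture packet of section 7.3.1 against a knowledge base of certified devices and the liveness status, keeps the counts behind the graphs of section 7.4, and provides the Defquery-style back-trace lists (fake devices at enrolment, authentic devices with inactive liveness detection at verification). The field names, the certified devices and the packets are constructed for illustration, and the serial numbers are placeholders.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class CertifiedDevice:
    make: str
    model: str
    serial_no: str

@dataclass(frozen=True)
class CapturePacket:
    user_id: str
    capture_time: str            # UTC timestamp of the capture
    make: str
    model: str
    serial_no: str
    liveness_active: bool        # status of liveness detection on the device
    purpose: str                 # "Enrolment" or "Verification"

@dataclass
class Verdict:
    packet: CapturePacket
    device_status: str           # "Authentic Device" or "Fake Device"
    accepted: bool
    message: str

def classify(packet, certified):
    """Rule 1: the device is authentic only if make, model and serial number
    are all in the knowledge base.  Rule 2: a sample is accepted only from an
    authentic device with liveness detection active, for both enrolment and
    verification (the policy of section 7.5)."""
    authentic = (packet.make, packet.model, packet.serial_no) in certified
    status = "Authentic Device" if authentic else "Fake Device"
    if not authentic:
        msg = "Fake device: sample rejected"
    elif not packet.liveness_active:
        msg = "Liveness detection inactive: sample rejected"
    else:
        msg = "Sample accepted"
    return Verdict(packet, status, authentic and packet.liveness_active, msg)

def run_agent(packets, certified_devices):
    """Assert every packet, fire the rules and keep the counts the agent's
    graphs show: fake devices, liveness failures, authentic and active."""
    certified = {(d.make, d.model, d.serial_no) for d in certified_devices}
    verdicts = [classify(p, certified) for p in packets]
    counts = Counter()
    for v in verdicts:
        if v.device_status == "Fake Device":
            counts[("fake", v.packet.purpose)] += 1
        elif not v.packet.liveness_active:
            counts[("liveness_failed", v.packet.purpose)] += 1
        else:
            counts[("authentic_active", v.packet.purpose)] += 1
    return verdicts, counts

def back_trace(verdicts, purpose, status=None, liveness_active=None):
    """Defquery-style listing for one capture purpose, optionally filtered
    by device status and liveness status (None means no filter)."""
    out = []
    for v in verdicts:
        if v.packet.purpose != purpose:
            continue
        if status is not None and v.device_status != status:
            continue
        if liveness_active is not None and v.packet.liveness_active != liveness_active:
            continue
        out.append(v)
    return out

# Constructed knowledge base and packets (serial numbers are placeholders).
CERTIFIED = [CertifiedDevice("AcmeBio", "FP-200", "SN-0001"),
             CertifiedDevice("AcmeBio", "FP-200", "SN-0002")]
PACKETS = [
    CapturePacket("u1", "2013-03-01T09:00:00Z", "AcmeBio", "FP-200", "SN-0001", True,  "Enrolment"),
    CapturePacket("u2", "2013-03-01T09:05:00Z", "AcmeBio", "FP-200", "SN-9999", True,  "Enrolment"),
    CapturePacket("u1", "2013-03-02T08:00:00Z", "AcmeBio", "FP-200", "SN-0002", False, "Verification"),
    CapturePacket("u3", "2013-03-02T08:10:00Z", "OtherCo", "X1",     "SN-0001", True,  "Verification"),
]

if __name__ == "__main__":
    verdicts, counts = run_agent(PACKETS, CERTIFIED)
    for v in verdicts:
        print(v.packet.purpose, v.packet.user_id, v.device_status, v.message)
    print(dict(counts))
```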
7.4 Findings of Module
The resulting screen shows five different tables, which display information about
device status at enrolment, device status at verification, the list of devices that
failed liveness detection at enrolment, the list of fake devices and the list of
devices that failed liveness detection at verification. It also displays graphs
depicting how many transactions were attempted through fake devices, through
devices where liveness detection failed, and through authentic devices where
liveness detection was active. It displays two lists on the screen, containing the
message, UserId and capture time for the enrolment and the verification process.
The user can select any row from a table and see the details, which contain
whether the capture purpose is enrolment or verification, the user ID, the device
make, device model and device serial number, the liveness detection status and
the capture time of the sample, along with the list of liveness detection failures
at authentic devices during the enrolment process.
7.5 Prevention Technique suggested
The authors suggest a few prevention techniques that can be implemented, using
the following policies together with this intelligent agent, to avoid biometric
device intrusion during the enrolment and verification processes:
- Off-line and on-line system enrolment or verification should take place in the
presence of a legitimate person. In both cases the enrolment data entry screen
should contain the signature or other identity of that legitimate person.
- Either hardware- or software-based liveness detection is used for on-line and
off-line systems. In both cases the enrolment or verification data entry screen
should contain a check of the status that the sample comes from a device having
a liveness detection technique, plus the signature and any other identity of that
legitimate person.
Chapter - EIGHT
Robust Model for Biometric Template
Security Protection using Chaos
Phenomenon
P R E V I E W
This chapter is divided into four primary sections. The first section provides an
overview of the necessity of protection and of the vulnerabilities of the travelling
biometric template. The second section explains the chaos phenomenon. The third
section presents the role of the session key in protecting the biometric template,
the architecture of the proposed protection scheme and the logic used to develop
this module. The fourth section explains the output of this proposed protection
scheme using the chaos phenomenon.
8.1 Introduction
8.1.1. Why Protection?
"An ounce of prevention is worth a pound of detection". In response to the rapid
growth of attacks on biometric systems, a detection system by itself is not
adequate; taking an appropriate response at the same time has proven promising in
protecting against those threats.
8.1.2. Biometric template protection schemes.
To protect the biometric template from an impostor, different schemes are used.
The template protection schemes proposed in the literature can be broadly
classified into two categories, namely the feature transformation approach and
biometric cryptosystems. Feature transform schemes can be further categorized as
invertible and non-invertible transforms. With an invertible transform, if an
adversary gains access to the key and the transformed template, it can recover the
original biometric template (or a close approximation of it). Hence, the security of
an invertible scheme is based on the secrecy of the key or password. On the other
hand, non-invertible transformation schemes typically apply a one-way function to
the template, and it is computationally hard to invert a transformed template even
if the key is known.
Biometric cryptosystems were originally developed for the purpose of either
securing a cryptographic key using biometric features or directly generating a
cryptographic key from biometric features; they are also known as helper
data-based methods.
Bio-hashing or salting is one of the invertible transformation approaches to
biometric protection, in which a user-specific key or password is used for the
transformation. In this approach the key needs to be stored securely, or the
password needs to be remembered by the user and presented during
authentication.
Cancelable biometrics refers to the intentional and systematically repeatable
distortion of biometric features in order to protect the biometric template.
Cancelable biometrics is a non-invertible approach: even if the transformation
function and the resulting transformed biometric data are known, the original
(undistorted) biometrics cannot be recovered.
Steganography is the science of hiding information. Steganography-based
techniques can be suitable for transferring critical biometric information from the
template storage to the matcher.
A watermarking technique can be used for protecting the database as well as data
transferred on the channel. Watermarking is a technique in which one pattern is
embedded or inserted into another pattern; for example, fingerprint data can be
embedded in face data.
8.2 Chaos Phenomenon
Chaos variables are usually generated by the well-known logistic map. The logistic
map is a one-dimensional quadratic map defined by:
X_{n+1} = \mu X_n (1 - X_n)
where 0 \le X_n \le 1 and \mu is a control parameter. For \mu = 3.99 or \mu = 4
the map generates chaotic evolutions.
A chaotic system is deterministic and sensitive to its initial values. Owing to this
feature it has complex dynamics, which can be used to protect data content. For
example, the random sequence produced by the chaotic phenomenon can be used
to encrypt data in secret communication. This property makes the initial value
suitable as the key that controls the data encryption or decryption.
8.3 Proposed Model
8.3.1 Role of session key to protect biometric template
A session key is an encryption and decryption key that is randomly generated to
ensure the security of a communications session. The session key can be created
using the chaotic phenomenon; as a result there is no chance of the value of a
session key being duplicated.
8.3.2 Architecture of proposed module
The authors consider a session key generated using the chaos phenomenon, and
the biometric template. Using a hash function and a permutation function of the
keys, the authors create the encrypted biometric template. The hash function H()
uses a simple XOR function and the F() function uses permutations of the bits of
the keys. This encrypted biometric template is decrypted using the session key.
8.3.3 Logic used to develop this module
BT: Biometric Template, generated by the biometric process or by the biometric
encryption process.
SK: Session Key, created using the chaotic phenomenon so that its value is not
duplicated.
PSK: Permuted Session Key, the expanded permuted transformation of SK,
computed as PSK = F(SK).
EBT: Encrypted Biometric Template, computed as EBT = H(BT, PSK), i.e. the XOR of
the template with the permuted session key.
PEBTPSK: Permuted Encrypted BT and Permuted SK, the final stored template,
computed as PEBTPSK = F(EBT, PSK).
The same session key and the same functions are used for decryption: the receiver
recomputes PSK = F(SK), undoes the final permutation, and applies H() once more,
since XOR is its own inverse.
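The module of 8.3.2 and 8.3.3, together with the chaotic session-key generation of 8.2 and 8.3.1, is shown end to end in the Python example below. It is an added illustration, not the authors' implementation: the thesis fixes only that H() is XOR and that F() permutes key bits, so the particular permutation (a perfect shuffle of the bit order), the 128-bit key length, the rule that turns orbit values into bits (1 when X(n) > 0.5), the control parameter 3.99 and the seed are all assumptions. One further deliberate assumption: the stored record holds the permuted EBT only, and PSK is recomputed from SK at decryption time rather than stored next to the template, because with H() = XOR anyone holding EBT together with PSK could recover BT without knowing SK.

```python
"""Session-key protection of a biometric template (section 8.3):
SK cut from a logistic-map orbit, PSK = F(SK), EBT = H(BT, PSK) with H = XOR,
stored record = F applied to EBT, and the inverse run for decryption.
Added illustration, not the authors' code; F, key length, mu and seed are assumptions."""

from __future__ import annotations

KEY_BITS = 128   # assumption: session-key length
MU = 3.99        # control parameter from section 8.2 (assumption: 3.99, so X(n) never reaches 0)


def bytes_to_bits(data: bytes) -> list[int]:
    """Unpack bytes into a list of bits, most significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits: list[int]) -> bytes:
    """Pack bits MSB-first; len(bits) must be a multiple of 8."""
    out = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


class ChaoticSessionKeys:
    """Session-key generator: successive keys are cut from successive segments
    of one chaotic orbit X(n+1) = mu X(n) (1 - X(n)); bit = 1 when X(n) > 0.5."""

    def __init__(self, x0: float, mu: float = MU, key_bits: int = KEY_BITS,
                 transient: int = 200):
        # Reject seeds whose orbit is not chaotic: outside (0,1), the fixed point
        # 1 - 1/mu, and 0.5 at mu = 4 (which collapses to 0).
        if not 0.0 < x0 < 1.0 or x0 == 1.0 - 1.0 / mu or (mu == 4.0 and x0 == 0.5):
            raise ValueError("seed gives a non-chaotic orbit")
        self.x, self.mu, self.key_bits = x0, mu, key_bits
        for _ in range(transient):      # discard the transient before first use
            self._step()

    def _step(self) -> float:
        self.x = self.mu * self.x * (1.0 - self.x)
        return self.x

    def next_key(self) -> bytes:
        """SK: the next key_bits threshold bits of the orbit, packed into bytes."""
        return bits_to_bytes([1 if self._step() > 0.5 else 0 for _ in range(self.key_bits)])


def perfect_shuffle(bits: list[int]) -> list[int]:
    """Bit permutation used for F(): even positions first, then odd positions."""
    return bits[0::2] + bits[1::2]


def perfect_unshuffle(bits: list[int]) -> list[int]:
    """Inverse of perfect_shuffle."""
    half = (len(bits) + 1) // 2
    out = [0] * len(bits)
    out[0::2] = bits[:half]
    out[1::2] = bits[half:]
    return out


def F(sk: bytes, n_bits: int) -> list[int]:
    """PSK = F(SK): expand SK by cycling it to n_bits, then permute the bit order."""
    kbits = bytes_to_bits(sk)
    return perfect_shuffle([kbits[i % len(kbits)] for i in range(n_bits)])


def H(data: bytes, key_bits: list[int]) -> bytes:
    """H(): bytewise XOR of the data with the packed key bits (self-inverse)."""
    return bytes(a ^ b for a, b in zip(data, bits_to_bytes(key_bits)))


def protect(bt: bytes, sk: bytes) -> bytes:
    """BT -> EBT = H(BT, F(SK)) -> stored record = permuted EBT."""
    psk = F(sk, 8 * len(bt))
    ebt = H(bt, psk)
    return bits_to_bytes(perfect_shuffle(bytes_to_bits(ebt)))


def unprotect(record: bytes, sk: bytes) -> bytes:
    """Undo the final permutation, recompute PSK from SK, and XOR again."""
    ebt = bits_to_bytes(perfect_unshuffle(bytes_to_bits(record)))
    return H(ebt, F(sk, 8 * len(record)))


if __name__ == "__main__":
    gen = ChaoticSessionKeys(0.123456789)          # seed is an assumption
    sk = gen.next_key()
    bt = b"constructed minutiae template #0042: (12,34,90) (56,78,180)"
    record = protect(bt, sk)
    print("round trip ok:", unprotect(record, sk) == bt)
```

The round trip relies on both parties reproducing the same orbit in the same floating-point arithmetic; a receiver on a platform that evaluates `mu * x * (1 - x)` with different rounding would derive a different SK from the same seed and fail to decrypt.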
8.4 Findings of this module
This protection technique is invertible: the session key encrypts the biometric
template and the same session key decrypts it. The authors generated 100000
session keys using the chaotic phenomenon and observed no repeated value. A
session key generated in this way cannot be reproduced without the initial value of
the orbit, which makes the model robust against guessing of the session key.
Chapter - NINE
Conclusion and Scope of further Research
9.1 Conclusion
Given the spectacular rise in incidents involving identity theft and other security
threats, reliable identity management systems are a necessity. Biometric based
authentication offers several advantages over knowledge and possession based
methods such as password or PIN based systems, and biometric systems are being
widely used to achieve the reliable user authentication that is a crucial component of
identity management. When the biometric process is implemented in security critical
applications, and more so in unattended remote applications, the biometrics based
authentication system should be designed to resist the different sources of attack on
the system. Biometric systems are themselves vulnerable to a variety of attacks
aimed at compromising the integrity of the authentication process; these attacks are
intended either to circumvent the security offered by the system or to disrupt its
normal functioning.
Intrusion prevention is the process of performing intrusion detection and attempting
to stop the detected possible incidents. Intrusion detection and prevention systems
(IDPS) are primarily focused on identifying possible incidents, logging information
about them, attempting to stop them, and reporting them to security administrators.
Intrusion detection and prevention techniques are used for network systems,
computer systems and web systems, but no such technique was available for the
biometric process, even though detecting intrusions into it and preventing them has
become of paramount importance. With proper use of the knowledge available from
experts, a knowledge based intrusion detection system can increase the efficiency
and effectiveness of the biometric system.
In the distributed host based intrusion detection proposed here, a knowledge based
intelligent agent is located at each of the different locations: the biometric device, the
biometric template storage, and the system where the feature extractor and matcher
modules run. Intrusion detection executes in the background; when an agent detects
suspicious or illegal activity, it notifies the security administrator.
The intelligent agent located at the biometric template storage performs intrusion
detection using the operating system's audit trail and the RDBMS audit trail. This
agent also assigns priorities to the detected intrusions and suggests preventive
actions to the security administrator.
The intelligent agent located at the biometric device performs intrusion detection
using the device manager and the operating system's audit trail.
Available intrusion detection tools such as Snort and Tripwire can be deployed at the
location where the feature extractor and matcher modules run.
A protection scheme in the style of bio-hashing has been developed to protect the
biometric template: a session key generated from the chaotic phenomenon is used to
encrypt the biometric template, and because that key cannot be reproduced without
the secret initial value of the orbit, the model is robust against guessing of the
session key.
9.2 Scope of further Research
For this research the authors have considered a single-modal biometric system. The
research can be extended to:
1. Study multimodal biometric techniques.
2. Develop an expert system for multimodal biometrics.
3. Develop different techniques to protect multimodal biometric templates, such as
steganography, cancelable biometrics and watermarking.
Publications
a) Papers Published
1. Published research paper "Robust Security Model for Biometric Template
Protection Using Chaos Phenomenon" in International Journal of
Computer Applications in June 2010, Volume 3-Number 6 (ISBN: 978-93-80746-33-3,
ISSN 0975-8887, doi: 10.5120/737-1036).
2. Published research paper “Rule Based Intrusion Detection and
Prevention Model for Biometric System” in the Journal of Emerging
Trends in Computing and Information Science in October 2010, Volume 1-
Number 2 (E-ISSN 2218-6301).
3. Published research paper “A Review: The knowledge Based Intrusion
Detection and Prevention Model for Biometric System” in the
International Journal Of Computational Intelligence and Information security,
in June 2011 Volume 2 No.6 (ISSN 1837-7823).
4. Published research paper “The Intelligent Intrusion Detection Tool for
Biometric Template Storage” in the International Journal of Artificial
Intelligence in Jan 2012 Volume 3-Number 1 (ISSN: 2229–3965 (Print) & E-
ISSN:2229–3973 (Online))
Impact factor value: ICV: 4.89
5. Published research paper “Biometric Device Assistant Tool: Intelligent
Agent for Intrusion Detection at Biometric Device using JESS” in the
International Journal of Computer Science Issues, in November 2012,
Volume 9 No.6 (ISSN 1694-0814).
6. Published research paper “Prioritization of detected intrusion for
preventive action is developed using Nero-Fuzzy approach” in the
Journal of Computing, in December 2012, Volume 4 No.12 (ISSN: 2151-9617
(registered with the Library of Congress, USA) eISSN 2151-9617)
b) Citation
1. Cited our research paper “Rule Based Intrusion Detection and Prevention
Model for Biometric System” in the Journal of Emerging Trends in Computing
and Information Science in October 2010, Volume 1-Number 2. in “A Novel
approach of Intrusion Detection and Prevention for fingerprints” by Vuda
Sreenivasrao in the International Journal Computer Science and Technology
in Dec 2010 Volume 1-Number 2
c) Financial Assistance from UGC
1. UGC granted financial assistance of Rs. 1,35,000/- under the scheme of
minor projects for my research topic entitled “Knowledge Based Intrusion
Detection and Prevention Model for Biometric Process” (File No 47-
1846/11(WRO))
References
[1] Mohapatra, A. K. & Sandhu, M., January 2010. Biometric Template
Encryption. International Journal of Advanced Engineering and Application.
[2] Abhilasha, B.-S. et al., 2010. Biometrics based identifiers for digital identity
management. Gaithersburg, MD.
[3] Ahamad, S., M., Z., & Abdulla, N. (2009). Intrusion Preventing System using
intrusion detection system decision tree data mining. American J. of
Engineering and Applied Science, 2(4), 721-725.
[4] Ambalakat, P. (2005). Security of Biometric Authentication Systems. 21st
Computer Science Seminar SA1-T1-1. Hartford: Department of Computer and
information science.
[5] Baca, M., & Antoni, M. (2005). Upgrading Existing Biometric Security
Systems by Implementing the Concept of Cancelable Biometrics. scientific
project (Methodology of biometrics characteristics evaluation 016-0161199-
1721).
[6] Badawczo-Produkcyjne, P. (2006). Future of biometrics. Retrieved from
http://www.optel.pl/article/future%20of%20biometrics.pdf
[7] Badiru, A. (n.d.). Fuzzy Engineering Expert.
[8] Baldisserra, D., Franco, A., Maio, D., & Maltoni, D. (2005). Fake Fingerprint
Detection by Odor Analysis. (pp. 265-272.). In D. Zhang and A.K. Jain (Eds.)
[9] Bashah, N., Shanmugam, I. B., & Ahmed, A. M. (2005). Hybrid Intelligent
Intrusion Detection System. World Academy of Science, Engineering and
Technology.
[10] Benattou, M., & K.Tamine. (2005). Intelligent Agents for Distributed
Intrusion Detection System. World Academy of Science, Engineering and
Technology.
[11] Bhattacharyya, D., Ranjan, R., Alisherov, A., & Choi, M. (September 2009).
Biometric Authentication: A Review. International Journal of u- and e-
Service Science and Technology, 2(3).
[12] Biometrics Wikipedia. (n.d.). Retrieved from
http://en.wikipedia.org/wiki/Biometrics.
[13] Crosbie, M. & Spafford, E. H., 1995. Active Defense of a Computer System
using Autonomous Agents. Purdue University, Computer Science. Technical
report CSD-TR-95-008.
[14] Kaur, M., Sofat, D. S. & Saraswat, D., July 2010. Template and Database
Security in Biometrics Systems: A Challenging Task. International Journal of
Computer Applications, 4(5).
[15] Maath. K. Al-anni, V. S., February 2009. Detecting a denial of service using
artificial intelligent tools, genetic algorithm. Indian Journal of Science and
Technology, 2(2).
[16] Molina, J. & Cukier, M., 2009. Evaluating Attack Resiliency for Host
Intrusion Detection Systems. Information Assurance and Security, Volume 4,
pp. 1-9.
[17] Morgenstern, M., 1987. Security and inference in Multilevel Database and
Knowledge-base Systems. ACM, 16(3).
[18] Matsumoto, T., Matsumoto, H., Yamada, K., & Hoshino, S. (2002). Impact of
Artificial "Gummy" Fingers on Fingerprint Systems. published in Optical
Security and Counterfeit Deterrence Techniques IV.
[19] O'Leary, D. & Watkins, P., 1989. Review of Expert Systems in Auditing.
Journal of Expert System Review.
[20] Pervez, S., Ahmad, I., Akram, A. & Swati, S. U., 2006. A Comparative
analysis of Artificial Neural Network Technologies in Intrusion detection
Systems. Lisbon, Portugal.
[21] Ratha, N., H.Connell, J. & Bolle, R. M., n.d. Enhancing security and privacy
in biometrics based authentication systems. IBM Systems Journal - End-to-end
security, 40(3).
[22] S. Selvakani, R., November 2007. Genetic Algorithm for framing rules for
Intrusion Detection. International Journal of Computer Science and Network
Security, 7(11).
[23] Haque, S., Faysel, M. A. & Syed, July 2010. Towards Cyber defence: Research
in Intrusion detection and intrusion prevention system. International Journal of
Computer Science and Network Security, 10(7).
[24] Jeya, S. & Ramar, K., 2007. Rule based Network Intrusion Detection System
based on Crossover and Mutation. Asian Journal of Information Security,
6(8), pp. 896-901.
[25] Samsudin, M. M. A. B. & Alia, M. A., February 2008. New Hash Function
Based on Chaos Theory (CHA-1). International Journal of Computer Science
and Network Security, 8(2).
[26] Shihab, K., 2006. A Backpropagation Neural Network for Computer Network
Security. Journal of Computer Science , 2(9).
[27] Singh, M. K., 2009. Password based a generalize robust security system
design using neural network. International Journal of computer science issues ,
4(2).
[28] Sodiya, S., Onashoga, S. & B.OladunJoye, 2007. Threat Modeling Using
Fuzzy Logic Paradigm. Information Science and Information Technology,
Volume 4.
[29] Strauss, M., 2007. The Java Expert System Shell.
[30] Teoh, A. B. J., Kuan, Y. W. & Lee, S., 2008. Cancellable biometrics and
annotations on BioHash. Pattern Recognition, pp. 2034-2044.
[31] Tseng, H., 2007. Internet Applications with Fuzzy Logic and Neural networks:
A survey. Journal of engineering, computing and architecture, 1(2).
[32] Uludag, U. & Jain, A. K., January 2004. Attacks on biometric systems: a case
study in fingerprints. San Jose CA, s.n.
Ms. Maithili Arjunwadkar Prof. (Dr.) R V Kulkarni
Signature (Student) Signature (Guide)
Date :