In the context of network security, a spoofing attack refers to a technique whereby an unauthorized human or software entity masquerades as an authorized entity, thereby gaining an illegitimate advantage.
A particular example is an unauthorized entity masquerading as a particular user so as to gain improper access to the user's personal information held in a notionally secure data store, launch an attack on a notionally secure system by masquerading as a system administrator, or gain some other form of access to a notionally secure system which they can then exploit to their benefit.
“Liveness detection” refers to techniques of detecting whether an entity, which may exhibit what are ostensibly human characteristics, is actually a real, living being or is a non-living entity masquerading as such.
One example of liveness detection is the well-known CAPTCHA test or, to give it its full name, the “Completely Automated Public Turing test to tell Computers and Humans Apart”. The test is based on a challenge-response paradigm. In the broadest sense, a system presents an entity with a test that is designed to be trivial for a human but difficult for robot software. A typical implementation requires an entity to interpret a word or phrase embodied in an image or audio file. This is an easy task for a human, but a harder one for robot software because the word or phrase is in a non-text format. Variations of this technique include distorting the word or phrase, with the intention of making it even less susceptible to interpretation by software.
Another example of liveness detection is in the context of a system that is notionally secured based on biometrics (e.g. facial, fingerprint, or voice verification). Such a system may require a user wishing to gain access to the system to present one of their biometric identifiers i.e. distinguishing human features (e.g. their face, fingerprint, or voice) to the system using a biometric sensor (e.g. camera; fingerprint sensor; microphone). The presented biometric identifier is compared with biometric data of users who are authorized to access the system, and access is granted to the presenting user only if the biometric identifier matches the biometric data of one of the authorized users.
Such systems can be spoofed by presenting fake biometric samples to the biometric sensor, such as pre-captured or synthesized image/speech data, physical photographs, or even physical, three-dimensional models of human features, such as accurate face or finger models. In this context, a robust liveness detection technique needs to be able to reliably distinguish between a real biometric identifier, i.e. one captured directly from a living being who wishes to access the system, and a fake biometric identifier, i.e. one that has been pre-captured or synthesized.
To date, research into more advanced liveness detection based on biometric data has mostly focused on machine learning techniques. Machine learning techniques tend to be relatively expensive to implement (in terms of processing resources), and require some form of offline and/or online model training.