One of the biggest security exposures today is unauthorized user access to data, systems and networks. User authentication is a critical aspect of information systems security which is essential to the confidentiality, integrity and availability of data, systems and networks. Biometric access control security systems, that measure a user's unique physiological and behavioral traits, have been developed to provide protection by allowing authorized access only to users who pass a biometric identification or verification test. The information systems security community defines biometrics as ‘something you are’ that can be used as a factor of authentication for identification purposes and thereby has particular value when used as a counter measure against computer security exposures and identity fraud.
Biometrics used for security purposes measure a person's physiological and/or behavioral traits that are unique to an individual user and different from other users. The underlying methodology to perform biometric verification for security purposes, in its simplest form, is as follows. Prior to biometric verification, an authentic user's biometric model is created and stored through an enrollment process which registers the user's biometric features. To verify the identity of a claimed user, the system extracts the claimed user's biometric features during verification and matches the features to the user's biometric model on file. If the features match those of the enrolled user's biometric model, biometric verification passes. If the features do not match the enrolled user's biometric model, biometric verification does not pass.
Biometric data is subject to theft throughout the information security architecture of the biometrics system. The user's raw biometric input can be public and nefariously acquired from other sources or could be stolen at the input biometric sensor, during transmission or if stored. Similarly, the user's biometric features can be stolen at input, during transmission, or if stored. A hacker could fool a biometric security system into thinking the authentic user is present by inserting the user's stolen biometric data. This is known as a replay or spoofing attack. Though the biometric verification process may pass, the authentic ‘live’ user was not present and an imposter has spoofed the biometric security aspect of the authentication system. Replay or spoofing and related vulnerabilities during biometric verification provide an avenue for impostors to invoke a manual or automated method to commit identity fraud.
N Dimensional Biometric Security System
A biometrics security system in which spoofing is not viable needs to address this problem and acknowledge that raw biometrics data is public, often found on the internet today, and can be used for the purpose of spoofing. To combat spoofing, the parent application introduces the concept of an n-dimensional biometric system. This type of biometric security system is described as one in which biometric verification is tightly coupled with the human input (raw biometric data) of a ‘dynamic biometric’ which can vary n times where n can be so large that, through a challenge response methodology, the biometric raw input data and its associated biometric features may be calibrated to reduce repetition of a challenge response within a predefined set of parameters. A ‘dynamic biometric’ is defined as one that has the characteristics of being highly flexible and fluid with a cognitive and behavioral component that lends itself to an intuitive human interface. Examples of dynamic biometrics are text independent voice, hand gesture or handwriting biometrics. A dynamic biometric is unlike an iris biometric, for example, which is fixed and non-intuitive. Secondly, upon initial enrollment of an n-dimensional biometric (which does not need to exceed five minutes), there is the immediate capability to vary verification challenges to be one-time if desired. An n-dimensional biometric has no requirement for biometric input (raw training data) used during enrollment to correlate specifically with the input (raw data) used during a verification challenge.
One major benefit of biometric verification based on the n-dimensional concept is that one-time input cannot be anticipated at the time of verification and is not subject to learning attacks. The inability for an attacker to anticipate the human challenge provides for robust anti-spoofing. One implementation defined broadly in the parent application and improved upon in this continuance utilizes text independent voice biometrics whereby a one-time challenge phrase is randomly generated on-the-fly by the system, repeated by the user and the user utterance is verified by the system through a simultaneous yet independent speaker and speech recognition process. If an attacker were to collect publicly known raw biometrics data or attempt a learning attack by collecting previous challenge-response biometric raw input or features during verification, the attacker could not anticipate a one-time challenge. Additionally, if intricate knowledge of the dynamic biometric model on file were obtained by unauthorized persons, this does not mean that the individual's biometric can no longer be used (i.e., stolen) because each instance of the biometric authentication is unique and controlled by the proposed security system during a unique authentication session. That is, biometric verification is realized through biometric security tokens unique to the authentication session. This biometric security token concept is broadly introduced in the parent application using voice biometrics and is expanded upon in this continuance in detail with additional patent features.
An added benefit of an n-dimensional biometric is that a security system can incorporate an intuitive and managerial aspect to biometric authentication through user or organization control of biometric verification input. The tight coupling of a dynamic biometric with the imposed structure of the challenge response makes this possible. This user control and management concept is broadly introduced in the parent application using voice biometrics and is expanded upon in this continuance in detail with additional patent features. For example, the concept of language sets are introduced whereby a user can select to have their one-time challenge pass phrases be generated from a pre-designated subject area, such as ‘sports’ for their personal Google accounts and applications or ‘IBM’ for their work account and enterprise applications.
Limitations to Prior Biometric Systems Associated with Spoofing
Prior art biometric security systems lack in ‘liveness detection’ and are prone to spoofing, theft and/or related attacks.
Many biometric security implementations are one-dimensional systems that use a biometric like a tag; a system where there is one biometric associated with one person such as a fingerprint or one text dependent voice password or pass phrase. If implemented securely, one-dimensional biometric security systems can improve security greatly over password systems and are simple to use but are subject to privacy concerns, theft fears and big-brother trepidation. A one-dimensional fixed biometric system, such as one voice pass phrase, faces the problem of the stringent need to protect and keep secret the raw data and/or associated features that comprise the fixed one-dimensional biometric. This data can be stolen either from an alternate source or through sniffing of an established verification system as described previously and replayed by an imposter to fool a biometric authentication security system. Adequate protection of the fixed biometric data on a public network, such as the internet, is not realistic given the fact that biometric raw data is often public and freely attainable by would be hackers. In the case of a biometrics voice pass phrase, a hacker can sniff the verification audio or voice features input or steal audio associated with words available in digital form publicly or through automated or targeted voice phishing attacks. The stolen audio could then be replayed as input to the voice biometric process or otherwise inserted at vulnerable components. Further, in the case of a biometrics voice pass phrase and similar to the attack verification attack just described, a hacker can sniff the enrollment audio or voice features input or steal audio associated with the pass phrase words available in digital form publicly or through automated or targeted voice phishing attacks. These attacks are easily demonstrable and known to exist. These attacks are applicable if the system uses a universal voice pass phrase for all users and/or permits individual pass phrases.
In other prior art biometrics security systems, systems are completely free form with little or no structure imposed upon them during verification. For example, text independent speaker verification can be used free form where the user says anything when prompted to verify. These systems are prone to easy spoofing attacks as well since a hacker could copy a block of spoken audio of the user speaking from other sources on the internet or previous verification attempts and then replay the copied audio to fool the system.
Limitations to Prior Challenge Response Systems Associated with Spoofing
Previous biometric security systems attempt to go beyond the single biometric approach and incorporate a challenge response method as a means to provide randomness and address spoofing but are limited and therefore fail to adequately combat a rigorous spoofing attack.
One such previous challenge response approach is to randomly select from a small set (few in number) of biometrics variations like a multiple fingerprint system limited to ten fingers or a multiple text dependent voice biometric password or pass phrase system where the user has enrolled in five pass phrases. These systems are more robust than a single biometric system but are still prone to theft and replay attacks. The attacker can employ the same hacking techniques identified in the single fixed biometric system for each instance of the enrolled biometric. The barrier to spoofing is somewhat higher but easily overcome as the imposter is ready with any of the few possibilities.
Another example of a limited challenge response approach is to use a random security scheme involving voice biometrics. “Speaker Verification Using Randomized Phrase Prompting” by A. Higgins et al, discloses a randomized, locker-style, numeric combination. This system uses a numeric lock scheme whereby users enroll in a small set (6 to 12) of multiple words/numbers (not just single digits) using text dependent speaker verification. During verification the system interchanges combinations of the words creating a larger set of challenge pass phrases without making users directly enroll in all combinations of numbers. This approach aids somewhat in reducing the overhead of user enrollment to get a larger set of enrolled words for randomized challenges but is still prone to theft and learning attacks since biometrics data associated with the set number of words can be stolen as described previously.
Another method seeks to offer randomness while minimizing storage requirements but is still vulnerable to automated learning and subsequent spoofing attacks because each word needs to be enrolled and will be used again in the future (e.g., U.S. Pat. No. 6,094,632 (Hattori)).
There also exists a security scheme that uses speaker recognition along with verbal information verification where the user provides information, which contains private information that supposedly only he or she knows. For example, what high school did you attend? This is not as secure or private for the applications intended because the user has to supply and say aloud his or her private information, which could be overheard. Secondly, the verbal information can be information known from other sources such as social networking sites and then used as a basis for a hacker to collect user audio associated with the verbal information. An example of using personal information to confirm identification is described in U.S. Pat. No. 5,897,616, which automates a question/answer pair in a call center environment (e.g., asking the caller which college they attended).
Therefore, based on the foregoing, there is a need in the art for a more robust, security n-dimensional biometric security system.