<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Tommaso Zoppi</string-name>
          <email>tommaso.zoppi@unifi.it</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Enrico Schiavone</string-name>
          <email>enrico.schiavone@resiltech.com</email>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Irene Bicchierai</string-name>
          <email>irene.bicchierai@resiltech.com</email>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Francesco Brancati</string-name>
          <email>francesco.brancati@resiltech.com</email>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Andrea Bondavalli</string-name>
          <email>bondavalli@unifi.it</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Department of Mathematics and Informatics, University of Florence</institution>
          ,
          <addr-line>Viale Morgagni 65 50142 Florence</addr-line>
          ,
          <country country="IT">Italy</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Resiltech s.r.l.</institution>
          ,
          <addr-line>Piazza Nilde Iotti, 25 - 56025 Pontedera (Pisa)</addr-line>
          ,
          <country country="IT">Italy</country>
        </aff>
      </contrib-group>
      <abstract>
        <p>Regardless of the application domain, adversaries may conduct spoofing attacks in order to bypass an authentication system. The difficulty of fooling a biometric sensor, known as circumvention, can be paired with an additional property based on how easily ongoing presentation attacks can be identified, which could help in selecting the most suitable characteristic(s) when designing a biometric system. To this end, this paper proposes spoofing detectability as a property of biometric characteristics that indicates the likelihood of detecting ongoing presentation attacks aimed at overcoming authentication mechanisms. We define and then quantitatively estimate spoofing detectability through unsupervised anomaly detection on publicly available biometric datasets, collecting metric scores which are then converted into the Low, Medium, High categories for 8 different biometric characteristics. We built our results upon unsupervised algorithms as they represent the most suitable answer to the detection of zero-day attacks. Alongside our experimental process, we show the intrinsic relevance of spoofing detectability to complement circumvention. As a final contribution of the paper, we show how to embed an anomaly-based spoofing detection module into an authentication system for runtime support.</p>
      </abstract>
      <kwd-group>
        <kwd>Sensor Spoofing</kwd>
        <kwd>Biometrics</kwd>
        <kwd>Anomaly Detection</kwd>
        <kwd>Presentation Attack</kwd>
        <kwd>Security</kwd>
        <kwd>Intrusion Detection</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <p>In many critical systems and applications, only authorized users should interact with a given system.
User authentication, which is the process of verifying the identity claimed by or for a human entity
[39], is designed for this purpose. Traditional authentication approaches usually rely either on
something the user knows (knowledge-based, e.g., passwords or PINs), or something the user has
(e.g., security token). Instead, in the last two decades, research moved onto authentication
mechanisms based on biometric characteristics, or rather what each user is or does. The use of
biometrics and its implications has been widely explored and expanded in literature [29], [33], [36],
[39], and many different biometric characteristics have been proposed.</p>
      <p>
        The adequate biometric characteristic for a given system should be carefully selected according to
specific criteria. These criteria usually derive from intrinsic properties of characteristics [29], [36],
namely: universality, distinctiveness, permanence, collectability, performance, acceptability, and
circumvention. Nevertheless, in some cases it is possible (and often recommended) to select more
than a single biometric characteristic, originating a multi-modal biometric authentication system [37],
[38], [35], [
        <xref ref-type="bibr" rid="ref12">40</xref>
        ].
      </p>
      <p>
        Clearly, authentication systems based on biometrics may still make mistakes, either authenticating
impostors, or preventing legitimate users from interacting with the system. In particular, there is a wide
range of studies [29], [30], [34], [36], [38] that devise possible threats as presentation or spoofing
attacks. As described in [
        <xref ref-type="bibr" rid="ref14">42</xref>
        ], a presentation or sensor spoofing attack is an attempt to circumvent a
biometric system by forging the trait of an authorized person and presenting it to the sensor. Most
biometric characteristics can be forged with an adequate effort, even if they are hard to circumvent
[31], [32], [
        <xref ref-type="bibr" rid="ref13">41</xref>
        ]. This calls for spoofing detection mechanisms tailored to the biometric
characteristic(s) selected for the system.
      </p>
      <p>Depending on the specific biometric characteristic, detecting presentation attacks or, more in general,
threats to the biometric sample collection phase, can be very difficult. Therefore, this paper introduces
spoofing detectability, an additional property of a biometric characteristic to indicate the easiness of
identifying an ongoing presentation attack that overcame the comparison module and the available
defenses, regardless of the circumvention value that was assigned to that characteristic. We assume
that malicious activities leave some traces in the features extracted from the biometric samples.
Observing these alterations contributes to detecting spoofing attacks and, consequently, to estimating spoofing
detectability.</p>
      <p>
        More in detail, we conduct a quantitative estimation of spoofing detectability through anomaly
detection [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ], [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ], [
        <xref ref-type="bibr" rid="ref27">55</xref>
        ], recognized as the most suitable answer to detect unknown faults or zero-day
attacks to a biometric authentication system. This way, we are estimating the detectability of
presentation attacks without assuming any previous knowledge about them. We select different
unsupervised anomaly detection algorithms, which we then apply to public datasets comprising
feature values of the following biometric characteristics: face, fingerprint, voice, keystroke, heart rate
variability, electrodermal activity, human gait, and hand gesture. We collect, analyze, and discuss the
results of our experimental campaign, elaborating on the synergy of spoofing detectability and
circumvention properties. Ultimately, we show how spoofing detectability can provide runtime
support to traditional systems with a module that runs independently from the comparison module,
helping to decide on authentication.
      </p>
      <p>The paper develops as follows: Section 2 describes anomaly detection and presents families of
unsupervised algorithms before introducing biometric systems. Spoofing Detectability is motivated
and defined in Section 3, while Section 4 expands on our experimental campaign. Section 5 presents
and discusses experimental results, used then in Section 6 to derive spoofing detectability. The role of
spoofing detectability at runtime is debated in Section 7, while Section 8 closes the paper.</p>
    </sec>
    <sec id="sec-2">
      <title>2. Anomaly Detection and Biometrics</title>
    </sec>
    <sec id="sec-3">
      <title>2.1. Anomaly Detection</title>
      <p>
        In the paper we refer to data point as the values of the features extracted from the biometric samples
that the user provides to the sensor. Each data point is composed of f feature values, which are
processed to determine whether the data point exhibits anomalies. More in detail, anomalies are rare
data points showing patterns that do not conform to a well-defined notion of normal behavior [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ].
Consequently, anomaly detection algorithms target the correct and complete definition of a normal
behavior, and then identify anomalies by difference. Note that this detection mechanism – similarly to
others – assumes that errors or attacks manifest as observable deviations with respect to the expected
behavior [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ], [
        <xref ref-type="bibr" rid="ref23">51</xref>
        ]. If an event happens without observable behavior, e.g., a perfectly obfuscated attack,
anomaly-based detectors will not be able to operate successfully.
      </p>
      <p>
        Different anomaly detectors may be instantiated depending on the nature of the target system [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ], [
        <xref ref-type="bibr" rid="ref27">55</xref>
        ]
and monitored data. If labeled training data is available, (semi-)supervised anomaly detection
algorithms may be adopted [
        <xref ref-type="bibr" rid="ref11">11</xref>
        ]. Otherwise, the only option is to use unsupervised anomaly detection
[
        <xref ref-type="bibr" rid="ref10">10</xref>
        ], which noticeably allows dealing with unknown, zero-day attacks. The potential to detect
previously unknown or unseen attacks i.e., zero day attacks, is a critical asset for anomaly-based
detectors, as it permits covering weaknesses of signature-based mechanisms. Consequently, in the
remainder of the paper we consider only unsupervised algorithms.
      </p>
      <p>
        Over the years, unsupervised algorithms have been studied and compared to derive similarities or
differences. They have been grouped by related studies [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ], [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ], [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ] into six main families, namely
clustering [17], statistical [12], classification [15], neighbor-based [14], density-based [16], and
angle-based [13]. Algorithms belonging to each family have their own peculiar aspects; however, it is worth
noticing that there are some unavoidable semantic overlaps among families. A nearest-neighbour
search may be embedded into other algorithms e.g., the angle-based FastABOD [13], while density
measures may be built on top of clustering procedures i.e., LDCOF [
        <xref ref-type="bibr" rid="ref15">43</xref>
        ].
      </p>
    </sec>
    <sec id="sec-4">
      <title>2.2. Biometric Authentication Systems</title>
      <p>Traditional authentication mechanisms are either knowledge-based, or possession-based. Instead, a
biometric system [36] is “a pattern recognition system that operates by acquiring biometric data from
an individual, extracting a feature set from the acquired data, and comparing this feature set against
the template set in the database”. Biometric systems are used in verification or identification modes
and applied to multiple contexts, e.g., forensics, authentication, access control.</p>
      <p>Biometric characteristics are divided into: i) physiological, which are related to the shape of the body,
e.g., fingerprint, palm veins, face, DNA, palmprint, hand geometry, iris, and ii) behavioral, related to
the behavior of a person, e.g., keystroke, or gait. Each of these characteristics is described through
properties [29], [36] as follows.</p>
      <p>Universality: each person should have the characteristic.</p>
      <p>Distinctiveness: any two persons should be sufficiently different in terms of the characteristic.</p>
      <p>Permanence: the characteristic should be sufficiently invariant over a period of time.</p>
      <p>Collectability: the characteristic can be measured quantitatively.</p>
      <p>Performance: the achievable recognition accuracy and speed, required resources, as well as the
operational and environmental factors that affect them.</p>
      <p>Acceptability: the extent to which people are willing to use the biometric characteristic in their
daily lives.</p>
      <p>Circumvention: reflects how easily the system can be fooled using fraudulent methods.</p>
      <p>
        These properties drive the selection of the most appropriate characteristic for a given system. We
remark that collecting biometric data may raise privacy concerns; recently the GDPR [
        <xref ref-type="bibr" rid="ref22">50</xref>
        ] explicitly
stated that biometrics are personal information and therefore must be protected “by design” and “by
default”.
      </p>
      <p>
        As summarized in [
        <xref ref-type="bibr" rid="ref12">40</xref>
        ], a biometric system is called multimodal [36] or multi-biometric if it relies on:
i) multiple different characteristics, e.g., face and iris, or ii) multiple acquisitions of the same
characteristic, e.g., fingerprint-based systems where the user provides several fingers to the sensor.
These systems have various advantages [35]; namely they: i) guarantee better accuracy in recognition,
ii) provide redundancy, iii) force attackers to forge multiple characteristics simultaneously. On the
other hand, multimodality may reduce usability, and increase computational cost, and resources
needed to fulfill the authentication process as well as its duration.
      </p>
    </sec>
    <sec id="sec-5">
      <title>2.3. Related Works on Sensor Spoofing and Anomaly Detection</title>
      <p>
        Regardless of the multi-modality of a biometric authentication system, attackers may want to
impersonate authorized users to gain access to a system [
        <xref ref-type="bibr" rid="ref33">61</xref>
        ]. Most of those presentation attacks are
known as sensor spoofing, where the attacker forges biometric samples to fool the authentication
system. Those attacks may compromise confidential information in many applications such as video
surveillance [
        <xref ref-type="bibr" rid="ref28">56</xref>
        ], biometric identification [
        <xref ref-type="bibr" rid="ref29">57</xref>
        ], face indexing in social media [
        <xref ref-type="bibr" rid="ref30">58</xref>
        ], access to
smartphones [
        <xref ref-type="bibr" rid="ref31">59</xref>
        ], iris recognition [31], physical access control through fingerprints [
        <xref ref-type="bibr" rid="ref13">41</xref>
        ], or even
recognition of passengers in airports [
        <xref ref-type="bibr" rid="ref32">60</xref>
        ].
      </p>
      <p>
        As a consequence, sensor spoofing started to be investigated and precisely characterized by
surveys. The encyclopedia of biometrics [29] provides a comprehensive reference to concepts,
technologies, issues, and trends in the field of biometrics. Particularly, it defines sensor spoofing as a
method of attacking biometric systems where an artificial object is presented to the biometric sample
acquisition system that imitates the biological properties the system is designed to measure, so that the
system will not be able to distinguish the artifact from the real biological target. Different attacks are
surveyed in the paper, which also lists common countermeasures such as analysis of the resolution of
biometric data, measurement of variation in the biometric property over short time durations,
simultaneous measurement of a second biometric property (multi-biometrics), and many others.
Despite being 20 years old, the paper [
        <xref ref-type="bibr" rid="ref34">62</xref>
        ] still provides another nice overview on the vulnerability of
attacks at the sensor level, including the spoof attack or use of an artificial biometric sample to gain
unauthorized access. In [30], authors seek to present a broader and more practical view of biometric
system attack vectors, placing them in the context of a risk-based systems approach to security and
defenses. Similarly, the work [
        <xref ref-type="bibr" rid="ref14">42</xref>
        ] traces attack trees for different spoofing attacks to derive attack
paths specific for each malicious activity.
      </p>
      <p>
        In the last decade, researchers, practitioners and industries started adopting Machine Learning
(ML) algorithms as spoofing detectors. Distance-based methods were proven to be effective in
analyzing features extracted from biometric samples for detection purposes [34], while One-Class
Support Vector Machines were used in [
        <xref ref-type="bibr" rid="ref35">63</xref>
        ] as spoofing detectors. Moreover, deep learners proved to
be a suitable answer to detect spoofing attacks either by learning more accurate representations of the
biometric sample [
        <xref ref-type="bibr" rid="ref29">57</xref>
        ] or by implementing a complete detector [
        <xref ref-type="bibr" rid="ref30">58</xref>
        ].
      </p>
    </sec>
    <sec id="sec-6">
      <title>3. Spoofing Detectability</title>
      <p>
        In order to protect the system against presentation / sensor spoofing attacks originated by the forgery
of biometric characteristics [
        <xref ref-type="bibr" rid="ref14">42</xref>
        ], choosing characteristics that account for low circumvention may
not be sufficient.
      </p>
      <p>
        Conducting a presentation attack by forging a fingerprint e.g., fabricating artificial, “gummy”,
fingerprints [
        <xref ref-type="bibr" rid="ref13">41</xref>
        ], or by simulating the voice of an authorized person, can be relatively easy (high
circumvention in [36]) and may trick the biometric comparison module. However, these activities
leave some traces in the extracted features. To this end, we propose spoofing detectability, which
indicates the easiness of identifying an ongoing presentation attack that overcame the comparison
module and available defenses. A categorization into Low (L), Medium (M), High (H) categories
from [36] can be obtained as:
      </p>
      <p>{L, M, H} = SpoofingDetectability(ID, met, rf, thrLM, thrMH)</p>
      <p>We first choose a set of intrusion detectors ID = {id1, id2, …, idN} that will be trained on a (labelled)
validation set to collect metric scores M = {m1, m2, …, mN} according to a metric met, e.g., False
Positives, False Negatives, or others as in Section 4.5. Individual scores in M are aggregated through
a reference function rf into a unique reference value rv = rf(M). Examples of rf are average, median,
standard deviation of individual scores, or considering only the algorithm that resulted in the best
metric score. Once rv is computed, we identify two thresholds thrLM and thrMH to respectively
separate Low (L) from Medium (M) and M from High (H) categories. Poor rv values will lead to L
spoofing detectability. When attacks are identified precisely (i.e., rv is almost ideal), spoofing
detectability results in the H category.</p>
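      <p>The categorization above, written out as an added Python example; it is not the authors' code. The detector names, their constructed outputs and the thresholds 0.4 and 0.7 are assumptions, and the metric is MCC, for which higher scores are better.</p>
      <preformat><![CDATA[
```python
# Added example, not the authors' code:
# {L, M, H} = SpoofingDetectability(ID, met, rf, thrLM, thrMH)
from math import sqrt
from statistics import mean, median


def mcc(labels, predictions):
    """Matthews Correlation Coefficient; True marks a spoofing attack."""
    pairs = list(zip(labels, predictions))
    tp = sum(1 for y, p in pairs if y and p)
    tn = sum(1 for y, p in pairs if not y and not p)
    fp = sum(1 for y, p in pairs if not y and p)
    fn = sum(1 for y, p in pairs if y and not p)
    denom = sqrt((tp + fp) * (tp + fn) * (tn + fp) * (tn + fn))
    # A detector that flags nothing (or everything) carries no information.
    return 0.0 if denom == 0 else (tp * tn - fp * fn) / denom


# Reference functions rf named in the text; "best" keeps only the top score.
REFERENCE_FUNCTIONS = {"average": mean, "median": median, "best": max}


def spoofing_detectability(detector_outputs, labels, met, rf, thr_lm, thr_mh):
    """Return (category, rv, scores) for one biometric characteristic.

    detector_outputs maps each detector in ID to its predictions on the
    labelled validation set. Assumes met is higher-is-better, like MCC.
    """
    if not detector_outputs:
        raise ValueError("ID must contain at least one detector")
    if thr_lm >= thr_mh:
        raise ValueError("thrLM must be below thrMH")
    for name, preds in detector_outputs.items():
        if len(preds) != len(labels):
            raise ValueError(f"{name}: need one prediction per data point")
    # M = {m1 ... mN}: one metric score per detector.
    scores = {n: met(labels, p) for n, p in detector_outputs.items()}
    # rv = rf(M): a single reference value for the characteristic.
    rv = rf(list(scores.values()))
    if rv < thr_lm:
        category = "L"
    elif rv < thr_mh:
        category = "M"
    else:
        category = "H"
    return category, rv, scores


# Constructed validation set: 20 data points, the last 4 are injected attacks.
LABELS = [False] * 16 + [True] * 4
# Constructed outputs of three hypothetical detectors (placeholder names).
OUTPUTS = {
    "detector_a": [False] * 16 + [True, True, True, True],    # all attacks found
    "detector_b": [False] * 16 + [True, True, False, False],  # two attacks missed
    "detector_c": [True] + [False] * 15 + [True, False, False, False],  # 1 FP, 3 FN
}
# Thresholds assumed for illustration; Section 6 instantiates the paper's own.
THR_LM, THR_MH = 0.4, 0.7


def categories_by_rf():
    """Same detectors and thresholds, one category per reference function."""
    return {
        name: spoofing_detectability(OUTPUTS, LABELS, mcc, rf, THR_LM, THR_MH)[0]
        for name, rf in REFERENCE_FUNCTIONS.items()
    }


if __name__ == "__main__":
    for rf_name, category in categories_by_rf().items():
        print(rf_name, category)
```
]]></preformat>
      <p>With the same detectors and thresholds, the average and the median place the characteristic in M while the best-algorithm reference function places it in H, so rf has to be fixed before categories of different characteristics are compared.</p>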
      <p>Circumvention refers [36] to the easiness of fooling the authentication system, and is therefore directly
bound to biometric templates and to the comparison module involved in the authentication process. On the
other hand, spoofing detectability refers to the ability of suspecting an ongoing attack, independently from
templates and comparison. If a given biometric characteristic can easily be circumvented, but
spoofing detectability is sufficiently high, the malicious activity is likely to be identified by the
anomaly detector. Therefore, even if the attack fools the biometric comparison, a spoofing detector
would realise that an attack is ongoing and thus provide this information to the decision module. As a
result, the authentication system may consider the user as non-legitimate. Figure 1 depicts
combinations of both spoofing detectability and circumvention, with a green-yellow-red scale
highlighting combinations from the most desirable to the worst.</p>
      <p>Considering a (multi-)biometric authentication system, the contribution of spoofing detectability
mainly concerns the two aspects below.</p>
      <p>Design-time. Spoofing detectability constitutes an additional property with respect to the properties in
Section 2.2; hence its introduction can help select the appropriate biometric characteristic(s) for
a given system (see Section 6).</p>
      <p>Runtime. During system operation, spoofing detection can complement biometric comparison. As
described in Section 7, once a sensor has acquired the biometric sample and the designated module
has extracted the features, the latter are sent both to the comparison module and to the spoofing
detection module, which operate independently. Results of the two modules become inputs to the
decision module, thus they contribute to the final decision about user legitimacy.</p>
    </sec>
    <sec id="sec-7">
      <title>4. Experimental Campaign</title>
      <p>Our experimental campaign applies the methodology described in the following sub-section. Such
methodology requires datasets containing biometric features and attacks according to a
comprehensive attack (sensor spoofing) model described in Section 4.2. Then, we report on
unsupervised anomaly detection algorithms in Section 4.3, leaving Section 4.4 to report on
experimental setup, metric(s) and supporting tools.</p>
    </sec>
    <sec id="sec-8">
      <title>4.1. Methodology to Execute Experiments</title>
      <p>The experiments to substantiate our analysis have been structured according to the following steps:</p>
      <p>Preparation. Formatting selected datasets in order to standardize/normalize their characteristics,
removing textual features and features which have many missing values.</p>
      <p>Cropping. With large datasets, processing may require an unreasonable amount of resources.</p>
      <p>Injection. We update the datasets injecting the effect of spoofing attacks on data according to our
attack model. Further details are provided in Section 4.3.</p>
      <p>Splitting Datasets. For each dataset, we create 2 different files, one to be used for feature
selection and training, the other for validation.</p>
      <p>Experiments. Selected algorithms are exercised through the RELOAD tool on each of the datasets
separately, providing results as triples &lt;dataset, algorithm, metric value&gt;.</p>
      <p>Data Analysis. Metric values, as well as additional metadata, e.g., details of the feature selection
process, are aggregated in order to highlight the main findings.</p>
    </sec>
    <sec id="sec-9">
      <title>4.2. Selection of Biometric Characteristics and Datasets</title>
      <p>We focused on publicly available datasets, shared without constraints except for referencing the source. We
disregarded datasets containing non-textual information, such as images or audio tracks, which
require extracting textual features. The only exception has been fingerprints [25], where we processed
the images by using state-of-the-art feature extractors [26]. As shown in Table I, our extensive
research process produced 10 datasets related to 8 different biometric characteristics. The datasets
include features pertaining to: Fingerprint, Voice, Face, Heart Rate Variability (HRV), Electro
Dermal Activity (EDA), human gait (activity recognition), Keystroke, and Hand Gesture.</p>
      <p>To quantify the capabilities of anomaly detection algorithms in detecting spoofing attacks [30],
[31], [29], [34], [32], [38], we need to i) devise an attack model, and then ii) inject effects of attacks
into data. To make this process suitable for all the selected biometric characteristics, we devised an
attack model that focuses on alterations of sensor data rather than on alterations related to subsequent
phases of the authentication process, e.g., comparison.</p>
      <p>Table II reports on spoofing attacks in [29], [30], [38]. Attacks are aggregated in the table if they
share a similar effect on the values of biometric features. For example, reuse of residuals and replay
attack will result in resubmitting biometric data which was already presented in the past, or rather
providing exactly the same feature values with respect to a past data point. This allows identifying 4
different categories of effects, namely: Missing, Reuse, Slight Change, and Multiple Slight Changes.</p>
      <p>The Missing category groups threats to availability such as Denial of Service. The Reuse category
aggregates threats where the attacker re-submits data already and legitimately submitted at a previous
stage, e.g., reuse of residuals and replay attacks. In the Slight Change category, we include many
spoofing attacks that forge biometric characteristics producing samples other than the legitimate ones,
and similar enough to circumvent the comparison module. The effects of these attacks on data include
slight variations of feature values, making this category of attacks, among others, the hardest to
identify. Finally, the Multiple Slight Changes category includes attacks (such as brute-force) that
forge many biometric samples in a short time span.</p>
      <p>Table II (only the last two rows are recoverable).</p>
      <p>Brute Force: a huge amount of slightly different characteristic data is delivered to the system in
a short time span. m data points are generated through statistical operations. Category: Multiple Slight Changes.</p>
      <p>Out-of-scope, e.g., component replacement and characteristic-specific attacks: Class III (Template
Substitution), V (Replace Matcher), VI (Modify DB), VIII (Override); Latent Print Reactivation, False Enrollment,
Hill Climbing, Synthetized Feature Vector, Threat Vectors 3.13 – 3.21 [30]. These attacks are listed in [38], [29], [30]
as attacks to the biometric system, but they are either i) specific for the biometric characteristic, or ii) not related
to the presentation of the biometric characteristic and/or the feature extraction process, e.g., related to the
comparison module and/or template DB, and therefore are discarded in our analysis. Category: N/A.</p>
      <p>Datasets selected for this study do not include attack data; therefore, we simulate such attacks
through fault (attack) injection. Briefly, we inject the categories of attacks in Table II into each selected
dataset. The injection is activated randomly, with a probability of 5%, and updates feature values
(and, possibly, injects additional data points) with the effect that is reported in the last column of
the table. More in detail, injecting a Missing attack forces some feature values to 0 or null, e.g.,
Keystroke’s flightTime, which is usually in microseconds, may be set to 0. Instead, injecting a Reuse repeats
a single data point which already appeared in the recent past (randomly chosen amongst the last 20
data points). To inject a Slight Change, we calculate the average and standard deviation for each feature
by using the 100 data points preceding the injection to define a context. Then we randomly sample
some feature values in the range defined by the confidence interval average ± standard deviation. For
Multiple Slight Changes, this injection is repeated by adding n rows to the dataset, with n randomly
chosen in the interval [2, 5]. Note that all attacks but this last category inject a new row in the dataset,
simulating the forgery of the biometric trait for spoofing purposes. After the injection process, the rate
between normal data points and anomalies due to attacks in the datasets is around 8%.
      </p>
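      <p>The injection procedure described above, as an added Python example that is not the authors' tooling. The uniform choice among the four categories, the size of the random feature subset, uniform sampling inside average ± standard deviation, the population standard deviation and the holdTime column are assumptions; the sample rows are constructed.</p>
      <preformat><![CDATA[
```python
# Added example, not the authors' tooling: inject the four attack effects
# (Missing, Reuse, Slight Change, Multiple Slight Changes) into a feature dataset.
import random
from statistics import mean, pstdev

CATEGORIES = ("missing", "reuse", "slight_change", "multiple_slight_changes")


def context_bounds(context):
    """Per-feature (low, high) = average -/+ standard deviation of the context."""
    bounds = []
    for column in zip(*context):
        avg, std = mean(column), pstdev(column)  # population std: assumption
        bounds.append((avg - std, avg + std))
    return bounds


def some_features(n_features, rng):
    """Random non-empty subset of feature indexes (its size is an assumption)."""
    return rng.sample(range(n_features), rng.randint(1, n_features))


def missing(rows, i, rng):
    """Missing: force some feature values of the presented sample to 0."""
    forged = list(rows[i])
    for j in some_features(len(forged), rng):
        forged[j] = 0.0
    return forged


def reuse(rows, i, rng):
    """Reuse: replay one of the last 20 data points unchanged."""
    return list(rng.choice(rows[max(0, i - 19): i + 1]))


def slight_change(rows, i, rng):
    """Slight Change: resample some features inside the 100-point context range."""
    bounds = context_bounds(rows[max(0, i - 99): i + 1])
    forged = list(rows[i])
    for j in some_features(len(forged), rng):
        forged[j] = rng.uniform(*bounds[j])
    return forged


def inject(rows, probability=0.05, categories=CATEGORIES, seed=0):
    """Return [(row, label)]; label is "normal" or the injected category."""
    unknown = set(categories) - set(CATEGORIES)
    if unknown:
        raise ValueError(f"unknown categories: {sorted(unknown)}")
    rng = random.Random(seed)
    single = {"missing": missing, "reuse": reuse, "slight_change": slight_change}
    labelled = []
    for i, row in enumerate(rows):
        labelled.append((list(row), "normal"))
        if rng.random() >= probability:
            continue  # injection not activated for this data point
        category = rng.choice(categories)  # uniform choice: assumption
        if category in single:
            labelled.append((single[category](rows, i, rng), category))
        else:
            # Multiple Slight Changes: n forged rows, n drawn from [2, 5].
            for _ in range(rng.randint(2, 5)):
                labelled.append((slight_change(rows, i, rng), category))
    return labelled


def attack_ratio(labelled):
    """Injected rows per normal row."""
    normal = sum(1 for _, label in labelled if label == "normal")
    return 0.0 if normal == 0 else (len(labelled) - normal) / normal


# Constructed keystroke-like rows [holdTime, flightTime]; holdTime is hypothetical.
SAMPLE = [[80.0 + (i * 7) % 13, 120.0 + (i * 11) % 17] for i in range(200)]

if __name__ == "__main__":
    result = inject(SAMPLE)
    print(len(result), "rows,", round(attack_ratio(result), 3), "injected per normal row")
```
]]></preformat>
      <p>Under these assumptions each normal data point is followed on average by 0.05 × (1 + 1 + 1 + 3.5) / 4 ≈ 0.08 injected rows, in line with the rate of around 8% that the text reports.</p>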
    </sec>
    <sec id="sec-10">
      <title>4.4. Unsupervised Anomaly Detectors</title>
      <p>
        We employ a set of 9 unsupervised algorithms to estimate the detectability of spoofing attacks to
biometric characteristics. First, we select a well-known algorithm for each family in Section 2.1 as
follows. We identify the variant [15] for binary classification of Support Vector Machines (One-Class
SVM) and DBSCAN [
        <xref ref-type="bibr" rid="ref18">46</xref>
        ] clustering algorithm. Regarding angle and neighbor-based families we select
the Outlier Detection using Indegree Number (ODIN, [14]) and the Angle-Based Outlier Detection
(ABOD, [13]) algorithms, along with the more recent Histogram-Based Outlier Score (HBOS, [12])
and Sparse Data Observers (SDO, [
        <xref ref-type="bibr" rid="ref19">47</xref>
        ]) algorithms. Unfortunately, we had to discard ABOD due to its
high computational complexity (cubic), re-directing our choice to FastABOD [13], which scales down
the complexity through a nearest-neighbour search.
      </p>
      <p>
        Moreover, since algorithms may have semantic overlaps among families (as happens with
FastABOD), in the second phase of the selection process we choose 3 other algorithms which have
cross-cutting peculiarities. Neighbours identification is employed to reduce noise and computational
complexity in the stochastic ISOS [
        <xref ref-type="bibr" rid="ref17">45</xref>
        ], and in the density-based COF [
        <xref ref-type="bibr" rid="ref16">44</xref>
        ]. Ultimately, we consider
LDCOF [
        <xref ref-type="bibr" rid="ref15">43</xref>
        ], which builds a density-based anomaly detector using an internal clustering procedure.
      </p>
    </sec>
    <sec id="sec-11">
      <title>4.5. Experimental Setup, Metrics and Tools</title>
      <p>
        We describe here the experimental setup for our study. We downloaded the datasets in Section 4.2
from their repositories shaping them as CSV files. Then, we downloaded the latest release of
RELOAD [
        <xref ref-type="bibr" rid="ref24">52</xref>
        ], a tool for evaluation of unsupervised anomaly detectors that is publicly available on
GitHub. We used MCC [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ] as target metric to evaluate detection capability of algorithms as it fits also
unbalanced datasets [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ], which often happens in the security domain i.e., many normal data and only a
few attacks. Then, we select the best 10 features of each dataset according to their information gain
[27]. We also proceeded with a 10-fold sampling of the training set [28]. Metrics [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ] other than MCC
are reported for completeness and comparison with the state of the art. We have run experimental
campaigns including all the datasets and algorithms considered in this study. The experiments have
been executed on a server equipped with Intel Core i7-6700 with four 3.40GHz cores, 24GB of RAM
and 100GB of user storage. Overall, executing the experiments reported in this paper, required
approximately one month of 24H execution. All the metric scores and files that we used to collect and
summarize values are publicly available at [
        <xref ref-type="bibr" rid="ref25">53</xref>
        ].
      </p>
    </sec>
    <sec id="sec-12">
      <title>5. Results and Discussion</title>
      <p>This section describes and comments on the results of our experimental campaign with the aid of
Table III. The table shows, for each dataset, the best algorithm(s), and the metric scores.</p>
      <p>For several datasets - namely EDA(SWELL), HRV(WESAD) and Voice – multiple algorithms
provided the same detection scores. Despite our selection of heterogeneous algorithms, sometimes
algorithms make the same choice, resulting in very similar, if not exactly the same, detection scores.
From a general standpoint, accuracy scores achieved by the best algorithm in each dataset always
exceed 95%: this indicates that fewer than 5% of the biometric samples are misclassified,
either as a False Positive (FP - benign sample interpreted as an attempted spoofing attack) or as a
False Negative (FN - spoofing attack not detected). Additionally, we can observe that Precision
scores are overall higher than Recall scores. This indicates that most of the misclassifications are FNs,
i.e., spoofing attacks that were not detected, representing a potential harm to the system.</p>
      <p>Algorithms which appear in the second column of Table III in the majority of the cases are COF –
datasets EDA(SWELL), Face, Hand Gesture, HRV(WESAD) – and ODIN, which takes the lead on
Fingerprint, HRV(SWELL), Human Gait and Keystroke datasets. Both algorithms are based on
nearest neighbors, as is FastABOD, which shows the best detection scores for
EDA(WESAD). This highlights that for 9 datasets out of the 10, the best algorithm embeds a
nearest-neighbor search. Our dataset sample is not big enough to prove that this trend is valid in general for</p>
    </sec>
    <sec id="sec-13">
      <title>6. Quantification of Spoofing Detectability</title>
      <p>To calculate spoofing detectability we need to instantiate (see Section 3) the parameters ID, met, rf,
thrLM, thrMH. The set of intrusion detectors ID = {DBSCAN, HBOS, ODIN, FastABOD, SVM, SDO,
ISOS, COF, LDCOF} includes all the algorithms selected in this study, while met = MCC. To provide
a complete and solid view on spoofing detectability of biometric properties, we instantiate two
functions SDAvg and SDBest: SDAvg considers the average of MCC scores as rf, while SDBest works
with maximum absolute value of MCC as reference function.</p>
      <p>SDAvg(ID, met, rf=”average”, thrLM=55.3, thrMH=71.8)</p>
      <p>SDBest(ID, met, rf=”max_abs” , thrLM=65.0, thrMH=80.0)</p>
      <p>For each function SDAvg and SDBest, thrLM and thrMH were arbitrarily chosen to balance
results; in fact, these thresholds make at least one biometric characteristic fall in each category L, M,
H. We are aware that assigning values to these thresholds heavily affects the outcome of these
functions. This study wants to provide a general view on spoofing detectability without
domain-specific constraints. For example, in some domains lowering FNs has priority with respect to
minimizing FPs, and therefore met other than MCC e.g., FScore with β &gt; 1, should be chosen, while
thresholds thrLM, thrMH need to be tuned accordingly.</p>
      <p>Table IV shows the outcome of our spoofing detectability property. For each Dataset (first
column), we report: the Biometric Characteristic, the average MCC of algorithms for a given dataset
and MCC of the Best algorithm on such dataset, the results of Spoofing Detectability, and
Circumvention [36]. “Final” Spoofing Detectability is obtained as a combination of SDAvg and
SDBest results. If individual results agree, the final category is obtained straightforwardly; when different,
individual results are merged by majority. As a tie-breaker, we looked at MCC scores to decide on the
final category. Consequently, Face resulted in M and L individual results, with scores very similar to
those of EDA (especially when considering the SWELL dataset), and therefore we set the final category
value of Face as EDA’s. As a side remark, in many cases the categories obtained by looking at
average and best MCC hold, i.e., columns SDAvg, SDBest are the same for half of the datasets.</p>
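      <p>The quantification procedure described in this section can be written down as follows. This is an added example, not code from the paper or from RELOAD: the MCC scores and the names X, Y, Z, ds1, ds2 are constructed, the thresholds are the ones given above, and two points are assumptions (a value equal to a threshold falls in the higher category, and a tie in the majority vote is returned as None so that it can be resolved by inspecting MCC scores, as the text does for Face).</p>
      <preformat><![CDATA[
```python
from collections import Counter
from statistics import mean

# Thresholds instantiated on the page; MCC scores are expressed as percentages.
SD_AVG = {"rf": "average", "thrLM": 55.3, "thrMH": 71.8}
SD_BEST = {"rf": "max_abs", "thrLM": 65.0, "thrMH": 80.0}


def reference_value(mcc_scores, rf):
    """Collapse the MCC scores of all detectors in ID into one value."""
    if rf == "average":
        return mean(mcc_scores)
    if rf == "max_abs":
        return max(abs(s) for s in mcc_scores)
    raise ValueError(f"unknown reference function: {rf}")


def categorize(value, thr_lm, thr_mh):
    """Map a reference value to L / M / H.

    Assumption: a value equal to a threshold falls in the higher category.
    """
    if value >= thr_mh:
        return "H"
    if value >= thr_lm:
        return "M"
    return "L"


def spoofing_detectability(mcc_scores, params):
    """Apply one SD function (SDAvg or SDBest) to the scores of one dataset."""
    value = reference_value(mcc_scores, params["rf"])
    return categorize(value, params["thrLM"], params["thrMH"])


def final_category(votes):
    """Merge individual categories by majority; None marks a tie."""
    ranked = Counter(votes).most_common()
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return None
    return ranked[0][0]


def quantify(datasets):
    """datasets: {(characteristic, dataset): [MCC per detector]}.

    Returns {characteristic: (final category or None, individual votes)}.
    """
    votes = {}
    for (characteristic, _), scores in datasets.items():
        votes.setdefault(characteristic, []).extend(
            [spoofing_detectability(scores, SD_AVG),
             spoofing_detectability(scores, SD_BEST)]
        )
    return {c: (final_category(v), v) for c, v in votes.items()}


# Constructed MCC scores (percent), one per detector in ID; not the paper's data.
CONSTRUCTED = {
    ("X", "ds1"): [50, 52, 48, 60, 45, 40, 55, 62, 47],
    ("X", "ds2"): [58, 60, 55, 64, 50, 52, 61, 63, 57],
    ("Y", "ds1"): [75, 80, 70, 95, 60, 72, 78, 85, 69],
    ("Z", "ds1"): [30, 35, -5, 70, 20, 40, 45, 38, 32],
}

if __name__ == "__main__":
    for characteristic, (final, votes) in quantify(CONSTRUCTED).items():
        print(characteristic, votes, final or "tie: inspect MCC scores")
```
]]></preformat>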
      <p>Looking at Table IV, we can notice how EDA and Face characteristics resulted in L values of
spoofing detectability, meaning that it may not be trivial to detect attacks directed to the related sensors.
The best anomaly detection algorithms will still often make mistakes (i.e., MCC values are lower than
65%) and, more importantly, they will not detect more than 60% of the attacks (see Recall column in
Table III). A completely different scenario is exhibited by Keystroke, which has the lowest average
MCC score of 37.9, which almost doubles when considering the best algorithm. This also motivates
the M value for spoofing detectability that was assigned to such biometric characteristic, even though it
showed the lowest average MCC score. Instead, out of the 8 biometric characteristics considered in
this study, only Human Gait was categorized as H spoofing detectability, mainly due to the almost
perfect detection capabilities that ODIN – again – showed in detecting spoofing attacks in this
particular dataset.</p>
    </sec>
    <sec id="sec-14">
      <title>7. Runtime Spoofing Detectability</title>
      <p>Spoofing detectability was primarily meant to be a property of biometric characteristics to be used
at design-time of a system: however, we show here how to set up runtime support for the final
decision about authentication.</p>
    </sec>
    <sec id="sec-15">
      <title>7.1. General Architecture</title>
      <p>As shown in Figure 3, typical biometric authentication systems require the user to provide a biometric sample
that is acquired by sensors. Then, feature values are extracted and delivered to the comparison
module, which computes a score that enables the system to decide on authentication. A Spoofing
Detection module can work in parallel with the comparison module, relying on the same
inputs but aiming at detecting suspicious feature sets rather than comparing feature values with
biometric templates. The Spoofing Detection module runs an anomaly detection algorithm trained or
updated when acquiring the biometric templates and uses the model learned during training to decide
on anomalies at runtime. This result, along with the score produced by the comparison module, is
sent to the Final Decision module, which accepts or rejects the user depending on those inputs.</p>
    </sec>
    <sec id="sec-16">
      <title>7.2. Case Study: ProtectID Project</title>
      <p>
        An instantiation of the architecture described above was designed – and is currently under
implementation – in the scope of the ProtectID [
        <xref ref-type="bibr" rid="ref26">54</xref>
        ] project. One of the goals of this project is to
design and implement a cyber-physical system that allows citizens to interact with remote services
offered by public administration through commercial devices. The access to their personal data and
other sensitive information raises privacy issues [
        <xref ref-type="bibr" rid="ref22">50</xref>
        ] that are mitigated through robust (biometric)
authentication strategies. Amongst all the candidate characteristics, project partners, together with the
public administrations, selected Fingerprint, Face and Keystroke due to the high availability of
related sensors in personal devices. In this context, spoofing detectability could not help in selecting
biometric characteristics; however, the introduction of a spoofing detection module can provide
runtime support to the recognition of the above-mentioned characteristics, and corroborate or overturn
the final decision. A high-level view of the ProtectID system is reported in Figure 4. Briefly, if citizens
want to use some service provided by the public administration, they 1) connect to the web portal. This
action generates an authentication request which goes 2) through the authentication server and 3)
reaches the citizen device. Now, 4) the user has to provide biometric samples for authentication, which are
processed for feature extraction, encrypted and 5) sent back to the server; the latter 6) processes the
features extracted from the sample for authentication. Finally, if the authentication succeeds, 7) a token is
generated to 8) let the citizen access the system and, eventually, 9) take advantage of the service(s).
      </p>
    </sec>
    <sec id="sec-18">
      <title>7.3. Spoofing Detectability in ProtectID</title>
      <p>While an extensive description and discussion of the authentication system of ProtectID project is out
of the scope of this paper, we point out here the role of spoofing detectability. In particular, the
Authentication Server of ProtectID project (see left-side of Figure 4) was equipped with a Spoofing
Detection Module, which complements the biometric comparison module, providing an indication of
the trustworthiness of the set of feature values obtained from the biometric sample. The Comparison
Output co and the Spoofing Detection Output sdo, along with the Spoofing Detectability categories’
values of the Fingerprint (M), Face (L) and Keystroke (M), are used to grant authentication as:</p>
      <p>Authentication = Final_Decision(co, sdo, &lt;M, L, M&gt;)</p>
      <p>
        The Final_Decision function to be implemented in ProtectID is still confidential. The above
formula aims at showing the runtime applicability of our solution; it should be instantiated to suit
the specific target system. As a last remark, we want to point out a side effect of our experimental
study on spoofing detection of biometric characteristics. As reported in Table III, the ODIN algorithm
showed the best performance in detecting spoofing attacks directed to Fingerprint and Keystroke,
performing quite well also for the Face characteristic, namely with an MCC of 0.58 (see [
        <xref ref-type="bibr" rid="ref25">53</xref>
        ], tab
MainData) compared to the optimum of 0.64 provided by COF (again, see Table III). Therefore, once
the ProtectID system is developed, its Spoofing Detection Module will rely on the
neighbor-based algorithm ODIN to calculate sdo.
      </p>
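      <p>The sketch below illustrates the runtime architecture of Section 7.1 and the role of sdo described here, as an added example that is not ProtectID code. It assumes an ODIN-style detector that scores a new sample by its in-degree in the k-nearest-neighbor graph of the enrollment feature vectors, constructed two-dimensional feature vectors, a boolean comparison outcome co, and a hypothetical final_decision policy (the project's Final_Decision is confidential); only the categories M, L, M come from the text.</p>
      <preformat><![CDATA[
```python
import math


class OdinDetector:
    """ODIN-style detector: a sample with low in-degree in the kNN graph is an outlier."""

    def __init__(self, k=3, min_indegree=2):
        self.k = k
        self.min_indegree = min_indegree  # fewer incoming edges than this raises the alarm
        self.train = []
        self.kdist = []

    def fit(self, enrollment):
        """Learn the model from feature vectors acquired with the biometric templates."""
        if len(enrollment) <= self.k:
            raise ValueError("need more than k enrollment samples")
        self.train = [tuple(s) for s in enrollment]
        self.kdist = []
        for i, p in enumerate(self.train):
            dists = sorted(math.dist(p, q) for j, q in enumerate(self.train) if j != i)
            self.kdist.append(dists[self.k - 1])  # distance to p's k-th nearest neighbour
        return self

    def indegree(self, sample):
        """Count enrolled points that would take `sample` as one of their k nearest neighbours."""
        return sum(1 for p, kd in zip(self.train, self.kdist) if kd > math.dist(p, sample))

    def sdo(self, sample):
        """Spoofing Detection Output: True means the feature set looks anomalous."""
        return self.min_indegree > self.indegree(sample)


def final_decision(evidence):
    """Hypothetical policy, not ProtectID's confidential Final_Decision.

    evidence: list of (co, sdo, category), one tuple per presented characteristic.
    co is the comparison outcome as a boolean match (an assumption: the page
    only says that the comparison module produces a score).
    """
    if not evidence or not all(co for co, _, _ in evidence):
        return False  # a failed comparison always rejects
    if any(sdo for _, sdo, _ in evidence):
        return False  # an alarm overturns a positive comparison
    # Silence from a detector on an L characteristic is weak assurance, so at
    # least one alarm-free characteristic must be categorized M or H.
    return any(category in ("M", "H") for _, _, category in evidence)


# Constructed 2-D feature vectors standing in for enrollment data.
ENROLLMENT = [(0.0, 0.0), (0.1, 0.0), (0.0, 0.1), (0.1, 0.1),
              (-0.1, 0.0), (0.0, -0.1), (0.05, 0.05), (-0.05, 0.05)]
GENUINE = (0.02, 0.03)    # constructed sample close to the enrolled cluster
SUSPICIOUS = (2.0, 2.0)   # constructed sample far from every enrolled point

# Categories for Fingerprint, Face and Keystroke as stated on the page.
CATEGORY = {"Fingerprint": "M", "Face": "L", "Keystroke": "M"}

if __name__ == "__main__":
    detector = OdinDetector().fit(ENROLLMENT)
    for label, sample in (("genuine", GENUINE), ("suspicious", SUSPICIOUS)):
        alarm = detector.sdo(sample)
        granted = final_decision([(True, alarm, CATEGORY["Fingerprint"])])
        print(label, detector.indegree(sample), alarm, granted)
```
]]></preformat>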
    </sec>
    <sec id="sec-19">
      <title>8. Conclusions</title>
      <p>This paper introduced spoofing detectability, an additional property of biometric characteristics that
categorizes the probability of detecting an ongoing spoofing or presentation attack to overcome
available defenses. The purpose of our study is dual: it i) devises an additional property that can help
selecting the most appropriate biometric characteristic(s) for a given system, and ii) provides
actionable information to define and implement a spoofing detection module that complements the
traditional authentication process at runtime. We conducted experiments to quantitatively estimate
spoofing detectability. Detection of spoofing attacks to biometric sensors was realized through
anomaly detection, an overall solid answer to unknown or zero-day attacks that the attacker may
conduct against a biometric authentication system. We selected different unsupervised anomaly
detection algorithms, which were then exercised on public datasets related to face, fingerprint, voice,
keystroke, heart rate variability, electrodermal activity, human gait, and hand gesture characteristics.</p>
      <p>Results of the experimental campaign were presented and discussed, elaborating: i) average
detection scores of algorithms, ii) best algorithms to detect presentation / sensor spoofing attacks
targeting a given biometric characteristic, and finally devising iii) categories for the spoofing
detectability property based on the outcomes of the experimental campaign. Lastly, we show how to
define a spoofing detection module as a runtime support to the traditional biometric authentication
process for a given system.</p>
    </sec>
    <sec id="sec-20">
      <title>Acknowledgments</title>
      <p>This work has been partially supported by the Italian PON ProtectID (“Processi e tecnologie
innovative per la protezione delle identità digitali e delle informazioni personali in rete”) and by the
H2020 programme under the Marie Sklodowska-Curie grant agreement 823788 (ADVANCE)
projects. Portions of the research in this paper use the CASIA-FingerprintV5 collected by the Chinese
Academy of Sciences' Institute of Automation (CASIA).</p>
      <p>[12] Goldstein, Markus, and Andreas Dengel. "Histogram-based outlier score (hbos): A fast unsupervised anomaly detection algorithm." KI-2012: Poster and Demo Track (2012): 59-63.</p>
      <p>[13] Kriegel H-P, Zimek A. “Angle-based outlier detection in high-dimensional data”. Proc. of the 14th ACM SIGKDD Int. Conference on Knowledge discovery and data mining; ‘08. p. 444–452.</p>
      <p>[14] Hautamaki, V., Karkkainen, I., &amp; Franti, P. (2004, August). Outlier detection using k-nearest neighbour graph. In Pattern Recognition. ICPR 2004. Proceedings of the 17th International Conference on (Vol. 3, pp. 430-433). IEEE.</p>
      <p>[15] M. Amer, M. Goldstein, and S. Abdennadher, “Enhancing one-class support vector machines for unsupervised anomaly detection,” in Proceedings of the ACM SIGKDD Workshop on Outlier Detection and Description. ACM, 2013, pp. 8–15.</p>
      <p>[16] Breunig, M. M., Kriegel, H. P., Ng, R. T., &amp; Sander, J. (2000, May). LOF: identifying density-based local outliers. In ACM sigmod record (Vol. 29, No. 2, pp. 93-104). ACM.</p>
      <p>[17] Schubert, E., Koos, A., Emrich, T., Züfle, A., Schmid, K. A., &amp; Zimek, A. (2015). A framework for clustering uncertain data. Proceedings of the VLDB Endowment, 8(12), 1976-1979.</p>
      <p>[18] Adams, Warwick R. "High-accuracy detection of early Parkinson's Disease using multiple characteristics of finger movement while typing." PloS one 12.11 (2017): e0188226.</p>
      <p>[19] Koldijk, S., Sappelli, M., Verberne, S., Neerincx, M., &amp; Kraaij, W. (2014). The SWELL Knowledge Work Dataset for Stress and User Modeling Research. To appear in: Proceedings of the 16th ACM International Conference on Multimodal Interaction (ICMI 2014) (Istanbul, Turkey, 12-16 November 2014)</p>
      <p>[20] Philip Schmidt, Attila Reiss, Robert Duerichen, Claus Marberger, Kristof Van Laerhoven, "Introducing WESAD, a multimodal dataset for Wearable Stress and Affect Detection", ICMI 2018, Boulder, USA, 2018</p>
      <p>[21] A. Memo, L. Minto, P. Zanuttigh, "Exploiting Silhouette Descriptors and Synthetic Data for Hand Gesture Recognition", STAG: Smart Tools &amp; Apps for Graphics, 2015</p>
      <p>[22] Vajdi, A., Zaghian, M. R., Farahmand, S., Rastegar, E., Maroofi, K., Jia, S., ... &amp; Bayat, A. (2019). Human Gait Database for Normal Walk Collected by Smart Phone Accelerometer. arXiv preprint arXiv:1905.03109.</p>
      <p>[23] Kaggle - Voice Recognition, Jeganathan Kolappan. https://www.kaggle.com/jeganathan/voice-recognition (online), accessed: 2019-11-20</p>
      <p>[24] Kaggle - Face Images with Marked Landmark Points, Omri Goldstein (online). https://www.kaggle.com/drgilermo/face-images-with-marked-landmark-points, accessed: 2020-11-20</p>
      <p>[25] BIT – Biometrics Ideal Test, CASIA-FingerprintV5, http://biometrics.idealtest.org/</p>
      <p>[26] MathWorks - FingerPrint Matching: A simple approach, https://it.mathworks.com/matlabcentral/fileexchange/44369-fingerprint-matching-a-simple-approach (online), accessed: 2019-11-20</p>
      <p>[27] Azhagusundari, B., and Antony Selvadoss Thanamani. "Feature selection based on information gain." International Journal of Innovative Technology and Exploring Engineering (IJITEE) 2.2 (2013): 18-21.</p>
      <p>[28] Moore, Andrew W. "Cross-validation for detecting and preventing overfitting." School of Computer Science Carnegie Mellon University (2001).</p>
      <p>[29] Li, Stan Z. Encyclopedia of Biometrics: I-Z. Vol. 2. Springer Science &amp; Business Media, 2009.</p>
      <p>[30] Roberts, Chris. "Biometric attack vectors and defences." Computers &amp; Security 26.1 (2007): 14-25.</p>
      <p>[31] Gupta, P., Behera, S., Vatsa, M., &amp; Singh, R. (2014, August). On iris spoofing using print attack. In 2014 22nd International Conference on Pattern Recognition (pp. 1681-1686). IEEE.</p>
      <p>[32] Biggio, B., Akhtar, Z., Fumera, G., Marcialis, G. L., &amp; Roli, F. (2012). Security evaluation of biometric authentication systems under real spoofing attacks. IET biometrics, 1(1), 11-24.</p>
      <p>[33] Chingovska, Ivana, Andre Rabello Dos Anjos, and Sebastien Marcel. "Biometrics evaluation under spoofing attacks." IEEE transactions on Information Forensics and Security 9.12 (2014): 2264-2276.</p>
      <p>[34] Nixon, K. A., Aimale, V., &amp; Rowe, R. K. (2008). Spoof detection schemes. In Handbook of biometrics (pp. 403-423). Springer, Boston, MA.</p>
      <p>[35] L. Hong, A. K. Jain, S. Pankanti. “Can multibiometrics improve performance?”. In Proceedings AutoID Vol. 99, pp. 59-64, 1999.</p>
      <p>[36] A. K. Jain, A. Ross, S. Prabhakar. “An Introduction to Biometric Recognition”. IEEE Transactions on Circuits and Systems for Video Technology, 2004.</p>
      <p>[37] A. Azzini, S. Marrara, R. Sassi, F. Scotti. “A fuzzy approach to multimodal biometric continuous authentication”. Fuzzy Optimization and Decision Making, 7(3), 243-256, 2008.</p>
      <p>[38] W. Dahea, HS Fadewar. “Multimodal biometric system: A review”, International Journal of Research in Advanced Engineering and Technology, Volume 4; Issue 1; January 2018; Page No. 25-31.</p>
      <p>[39] Stallings, W., Brown, L., Bauer, M. D., &amp; Bhattacharjee, A. K. (2012). Computer security: principles and practice (pp. 978-0). Upper Saddle River, NJ, USA: Pearson Education.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <surname>Boughorbel</surname>
            , Sabri,
            <given-names>Fethi</given-names>
          </string-name>
          <string-name>
            <surname>Jarray</surname>
          </string-name>
          , and
          <string-name>
            <surname>Mohammed</surname>
          </string-name>
          El-Anbari.
          <article-title>"Optimal classifier for imbalanced data using Matthews Correlation Coefficient metric."</article-title>
          <source>PloS one 12.6</source>
          (
          <year>2017</year>
          ):
          <fpage>e0177678</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <given-names>D. M.</given-names>
            <surname>Powers</surname>
          </string-name>
          , “
          <article-title>Evaluation: from precision, recall and f-measure to roc, informedness, markedness and correlation,” 2011</article-title>
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          <article-title>[3] “Elki data mining,” elki-project.github</article-title>
          .io, accessed:
          <fpage>2020</fpage>
          -02-20
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          <article-title>[4] “Weka 3: Data Mining Software in Java”, www</article-title>
          .cs.waikato.ac.nz/~ml/weka/, accessed:
          <fpage>2020</fpage>
          -02-20
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name>
            <surname>Chicco</surname>
            ,
            <given-names>Davide.</given-names>
          </string-name>
          <article-title>"Ten quick tips for machine learning in computational biology</article-title>
          .
          <source>" BioData mining 10.1</source>
          (
          <year>2017</year>
          ):
          <fpage>35</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6]
          <string-name>
            <surname>McKinney</surname>
            ,
            <given-names>Wes.</given-names>
          </string-name>
          <article-title>Python for data analysis: Data wrangling with Pandas, NumPy, and</article-title>
          <string-name>
            <given-names>IPython. " O</given-names>
            <surname>'Reilly Media</surname>
          </string-name>
          ,
          <source>Inc."</source>
          ,
          <year>2012</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7]
          <string-name>
            <given-names>A.</given-names>
            <surname>Lazarevic</surname>
          </string-name>
          ,
          <string-name>
            <given-names>L.</given-names>
            <surname>Ertoz</surname>
          </string-name>
          ,
          <string-name>
            <given-names>V.</given-names>
            <surname>Kumar</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Ozgur</surname>
          </string-name>
          , and
          <string-name>
            <given-names>J.</given-names>
            <surname>Srivastava</surname>
          </string-name>
          .
          <article-title>A comparative study of anomaly detection schemes in network intrusion detection</article-title>
          .
          <source>In Proceedings of the 2003 SIAM Int. Conference on Data Mining</source>
          , pages
          <fpage>25</fpage>
          -
          <lpage>36</lpage>
          . SIAM,
          <year>2003</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [8]
          <string-name>
            <surname>Zoppi</surname>
            ,
            <given-names>T.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Ceccarelli</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Capecchi</surname>
            ,
            <given-names>T.</given-names>
          </string-name>
          , &amp;
          <string-name>
            <surname>Bondavalli</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          (
          <year>2021</year>
          ).
          <article-title>Unsupervised Anomaly Detectors to Detect Intrusions in the Current Threat Landscape</article-title>
          .
          <source>ACM/IMS Transactions on Data Science</source>
          ,
          <volume>2</volume>
          (
          <issue>2</issue>
          ),
          <fpage>1</fpage>
          -
          <lpage>26</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          [9]
          <string-name>
            <surname>Chandola</surname>
            ,
            <given-names>V.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Banerjee</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Kumar</surname>
            ,
            <given-names>V.</given-names>
          </string-name>
          “
          <article-title>Anomaly detection: A survey”</article-title>
          . (
          <year>2009</year>
          )
          <article-title>ACM computing surveys (CSUR</article-title>
          ),
          <volume>41</volume>
          (
          <issue>3</issue>
          ),
          <fpage>15</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          [10]
          <string-name>
            <given-names>M.</given-names>
            <surname>Goldstein</surname>
          </string-name>
          and
          <string-name>
            <given-names>S.</given-names>
            <surname>Uchida</surname>
          </string-name>
          , “
          <article-title>A comparative evaluation of unsupervised anomaly detection algorithms for multivariate data,” PloS one</article-title>
          , vol.
          <volume>11</volume>
          ,no.
          <issue>4</issue>
          , p.
          <source>e 152 - 173</source>
          ,
          <year>2016</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          [11]
          <string-name>
            <surname>He</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Zhu</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>He</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
          , &amp;
          <string-name>
            <surname>Lyu</surname>
            ,
            <given-names>M. R.</given-names>
          </string-name>
          (
          <year>2016</year>
          ,
          <article-title>October)</article-title>
          .
          <article-title>Experience report: system log analysis for anomaly detection</article-title>
          .
          <source>In Software Reliability Engineering (ISSRE)</source>
          ,
          <year>2016</year>
          IEEE 27th International Symposium on (pp.
          <fpage>207</fpage>
          -
          <lpage>218</lpage>
          ). IEEE.
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          [40]
          <string-name>
            <given-names>E.</given-names>
            <surname>Schiavone</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Ceccarelli</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Carvalho</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Bondavalli</surname>
          </string-name>
          . “
          <article-title>Design, implementation, and assessment of a usable multi-biometric continuous authentication system”</article-title>
          .
          <source>In Int. J. Critical Computer-Based Systems</source>
          , Vol.
          <volume>9</volume>
          , No.
          <volume>3</volume>
          ,
          <year>2019</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          [41]
          <string-name>
            <surname>Matsumoto</surname>
            ,
            <given-names>T.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Matsumoto</surname>
            ,
            <given-names>H.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Yamada</surname>
            ,
            <given-names>K.</given-names>
          </string-name>
          , and
          <string-name>
            <surname>Hoshino</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          <article-title>Impact of artificial "gummy" fingers on fingerprint systems</article-title>
          .
          <source>In Proc. of SPIE Opt. Sec. Counterfeit Deterrence Tech. IV</source>
          , pages
          <fpage>275</fpage>
          -
          <lpage>289</lpage>
          ,
          <year>2002</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          [42]
          <string-name>
            <surname>Marasco</surname>
            ,
            <given-names>E.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Shehab</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          , &amp;
          <string-name>
            <surname>Cukic</surname>
            ,
            <given-names>B.</given-names>
          </string-name>
          (
          <year>2016</year>
          ,
          <article-title>October). A Methodology for Prevention of Biometric Presentation Attacks</article-title>
          .
          <source>In 2016 Seventh Latin-American Symposium on Dependable Computing (LADC)</source>
          (pp.
          <fpage>9</fpage>
          -
          <lpage>14</lpage>
          ). IEEE.
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          [43]
          <string-name>
            <given-names>Mennatallah</given-names>
            <surname>Amer</surname>
          </string-name>
          and
          <string-name>
            <given-names>Markus</given-names>
            <surname>Goldstein</surname>
          </string-name>
          .
          <year>2012</year>
          .
          <article-title>Nearest-neighbor and clustering based anomaly detection algorithms for rapidminer</article-title>
          .
          <source>In Conference: Proceedings of the 3rd RapidMiner Community Meeting and Conference (RCOMM</source>
          <year>2012</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          [44]
          <string-name>
            <surname>Jian</surname>
            <given-names>Tang</given-names>
          </string-name>
          , Zhixiang Chen, Ada
          <string-name>
            <surname>Wai-Chee Fu</surname>
          </string-name>
          , and David W Cheung.
          <year>2002</year>
          .
          <article-title>Enhancing effectiveness of outlier detections for low density patterns</article-title>
          .
          <source>In Pacific-Asia Conference on Knowledge Discovery and Data Mining</source>
          . Springer,
          <fpage>535</fpage>
          -
          <lpage>548</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          [45]
          <string-name>
            <surname>Schubert</surname>
            ,
            <given-names>E.</given-names>
          </string-name>
          , &amp;
          <string-name>
            <surname>Gertz</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          (
          <year>2017</year>
          ,
          <article-title>October)</article-title>
          .
          <article-title>Intrinsic t-stochastic neighbor embedding for visualization and outlier detection</article-title>
          .
          <source>In International Conference on Similarity Search and Applications</source>
          (pp.
          <fpage>188</fpage>
          -
          <lpage>203</lpage>
          ). Springer, Cham.
        </mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>
          [46]
          <string-name>
            <given-names>Martin</given-names>
            <surname>Ester</surname>
          </string-name>
          ,Han-peter
          <string-name>
            <surname>Kriegel</surname>
          </string-name>
          ,Jorg Sander, Xiaowei Xu,”
          <article-title>A Density-Based Algorithm for Discovering Clusters in Large Spatial Databases with Noise”, 2nd International conference on Knowledge Discovery and Data Mining (KDD-96)</article-title>
        </mixed-citation>
      </ref>
      <ref id="ref19">
        <mixed-citation>
          [47]
          <string-name>
            <surname>Vázquez</surname>
            ,
            <given-names>Félix</given-names>
          </string-name>
          <string-name>
            <surname>Iglesias</surname>
            , Tanja Zseby, and
            <given-names>Arthur</given-names>
          </string-name>
          <string-name>
            <surname>Zimek</surname>
          </string-name>
          .
          <article-title>"Outlier detection based on low density models."</article-title>
          <source>2018 IEEE International Conference on Data Mining Workshops (ICDMW)</source>
          . IEEE,
          <year>2018</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref20">
        <mixed-citation>
          [48]
          <string-name>
            <surname>Saini</surname>
            , Rupinder, and
            <given-names>Narinder</given-names>
          </string-name>
          <string-name>
            <surname>Rana</surname>
          </string-name>
          .
          <article-title>"Comparison of various biometric methods."</article-title>
          <source>International Journal of Advances in Science and Technology 2.1</source>
          (
          <year>2014</year>
          ):
          <fpage>2</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref21">
        <mixed-citation>
          [49]
          <string-name>
            <surname>Srivastava</surname>
            ,
            <given-names>H.</given-names>
          </string-name>
          (
          <year>2013</year>
          ).
          <article-title>A Comparison Based Study on Biometrics for Human Recognition</article-title>
          .
          <source>Journal of Computer Engineering (IOSR-JCE)</source>
          ,
          <volume>15</volume>
          (
          <issue>1</issue>
          ),
          <fpage>22</fpage>
          -
          <lpage>29</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref22">
        <mixed-citation>
          [50]
          <string-name>
            <surname>Voigt</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
          , &amp;
          <string-name>
            <surname>Von dem Bussche</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          (
          <year>2017</year>
          ).
          <article-title>The EU General Data Protection Regulation (GDPR). A Practical Guide</article-title>
          , 1st Ed., Cham: Springer International Publishing.
        </mixed-citation>
      </ref>
      <ref id="ref23">
        <mixed-citation>
          [51]
          <string-name>
            <surname>Zoppi</surname>
            , Tommaso,
            <given-names>Andrea</given-names>
          </string-name>
          <string-name>
            <surname>Ceccarelli</surname>
            , and
            <given-names>Andrea</given-names>
          </string-name>
          <string-name>
            <surname>Bondavalli</surname>
          </string-name>
          .
          <article-title>"MADneSs: a Multi-layer Anomaly Detection Framework for Complex Dynamic Systems."</article-title>
          <source>IEEE Transactions on Dependable and Secure Computing</source>
          (
          <year>2019</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref24">
        <mixed-citation>
          [52]
          <string-name>
            <surname>Zoppi</surname>
            ,
            <given-names>T.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Ceccarelli</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          , &amp;
          <string-name>
            <surname>Bondavalli</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          (
          <year>2019</year>
          ).
          <article-title>“Evaluation of Anomaly Detection algorithms made easy with RELOAD”</article-title>
          .
          <source>In Proc. of the 30th Int. Symposium on Software Reliability Engineering (ISSRE)</source>
          , pp.
          <fpage>446</fpage>
          -
          <lpage>455</lpage>
          , IEEE.
        </mixed-citation>
      </ref>
      <ref id="ref25">
        <mixed-citation>
          [53]
          <article-title>Data about experimental campaign</article-title>
          (online) https://drive.google.com/file/d/1d3s6eaXmgD3LEC_JTspPqaaTUVWFCKqd/view?usp=sharing (accessed: 2021-03-04)
        </mixed-citation>
      </ref>
      <ref id="ref26">
        <mixed-citation>
          [54]
          <article-title>ProtectID website</article-title>
          (online), https://www.protectid.it/ (accessed: 2021-02-20)
        </mixed-citation>
      </ref>
      <ref id="ref27">
        <mixed-citation>
          [55]
          <string-name>
            <surname>Zoppi</surname>
            ,
            <given-names>T.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Ceccarelli</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Salani</surname>
            ,
            <given-names>L.</given-names>
          </string-name>
          , &amp;
          <string-name>
            <surname>Bondavalli</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          (
          <year>2020</year>
          ).
          <article-title>On the educated selection of unsupervised algorithms via attacks and anomaly classes</article-title>
          .
          <source>Journal of Information Security and Applications</source>
          ,
          <volume>52</volume>
          ,
          <fpage>102474</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref28">
        <mixed-citation>
          [56]
          <string-name>
            <surname>Bowyer</surname>
            ,
            <given-names>K. W.</given-names>
          </string-name>
          (
          <year>2004</year>
          ).
          <article-title>Face recognition technology: security versus privacy</article-title>
          .
          <source>IEEE Technology and Society Magazine</source>
          ,
          <volume>23</volume>
          (
          <issue>1</issue>
          ),
          <fpage>9</fpage>
          -
          <lpage>19</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref29">
        <mixed-citation>
          [57]
          <string-name>
            <given-names>D.</given-names>
            <surname>Menotti</surname>
          </string-name>
          et al.,
          <article-title>Deep representations for iris, face, and fingerprint spoofing detection</article-title>
          ,
          <source>IEEE Trans. Inform. Forensics Sec</source>
          .
          <volume>10</volume>
          (
          <issue>4</issue>
          ) (
          <year>2015</year>
          )
          <fpage>864</fpage>
          -
          <lpage>879</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref30">
        <mixed-citation>
          [58]
          <string-name>
            <surname>Sajjad</surname>
            , Muhammad, Salman Khan, Tanveer Hussain, Khan Muhammad, Arun Kumar Sangaiah, Aniello Castiglione,
            <given-names>Christian</given-names>
          </string-name>
          <string-name>
            <surname>Esposito</surname>
          </string-name>
          , and Sung Wook Baik.
          <article-title>"CNN-based anti-spoofing two-tier multi-factor authentication system."</article-title>
          <source>Pattern Recognition Letters</source>
          <volume>126</volume>
          (
          <year>2019</year>
          ):
          <fpage>123</fpage>
          -
          <lpage>131</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref31">
        <mixed-citation>
          [59] Chaos Computer Club Berlin. (
          <year>2013</year>
          ).
          <source>Hacking iPhone 5S Touchid</source>
          , YouTube. [Online]. www.youtube.com/watch?v=HM8b8d8kSNQ
        </mixed-citation>
      </ref>
      <ref id="ref32">
        <mixed-citation>
          [60]
          The CNN.
          (
          <year>2010</year>
          ).
          <article-title>Man in Disguise Boards International Flight</article-title>
          . [Online]. edition.cnn.com/2010/WORLD/americas/11/04/canada.disguised.passenger/
        </mixed-citation>
      </ref>
      <ref id="ref33">
        <mixed-citation>
          [61]
          <article-title>Spoof attacks top this week biometrics and digital ID news</article-title>
          (
          <year>2019</year>
          ) [Online] biometricupdate.com/201911/spoof-attacks-top-this-weeks-biometrics-and-digital-id-news
        </mixed-citation>
      </ref>
      <ref id="ref34">
        <mixed-citation>
          [62]
          <string-name>
            <surname>Schuckers</surname>
            ,
            <given-names>S. A.</given-names>
          </string-name>
          (
          <year>2002</year>
          ).
          <article-title>Spoofing and anti-spoofing measures</article-title>
          .
          <source>Information Security Technical Report</source>
          ,
          <volume>7</volume>
          (
          <issue>4</issue>
          ),
          <fpage>56</fpage>
          -
          <lpage>62</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref35">
        <mixed-citation>
          [63]
          <string-name>
            <surname>Arashloo</surname>
            ,
            <given-names>Shervin</given-names>
          </string-name>
          <string-name>
            <surname>Rahimzadeh</surname>
            , Josef Kittler, and
            <given-names>William</given-names>
          </string-name>
          <string-name>
            <surname>Christmas</surname>
          </string-name>
          .
          <article-title>"An anomaly detection approach to face spoofing detection: A new formulation and evaluation protocol."</article-title>
          <source>IEEE Access</source>
          <volume>5</volume>
          (
          <year>2017</year>
          ):
          <fpage>13868</fpage>
          -
          <lpage>13882</lpage>
          .
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>