Fingerprint Presentation Attacks: Tackling the Ongoing Arms Race in Biometric Authentication Roberto Casula roberto.casula@unica.it 0 Antonio Galli antonio.galli@unina.it 1 Michela Gravina michela.gravina@unina.it 1 Stefano Marrone stefano.marrone@unina.it 1 Domenico Mattiello do.mattiello@studenti.unina.it 1 Marco Micheletto marco.micheletto@unica.it 0 Giulia Orrù giulia.orru@unica.it 0 Gian Luca Marcialis marcialis@unica.it 0 Carlo Sansone carlo.sansone@unina.it 1 University of Cagliari , Cagliari , Italy University of Naples, Federico II , Naples , Italy

The widespread use of Automated Fingerprint Identification Systems (AFIS) in consumer electronics opens for the development of advanced presentation attacks, i.e. procedures designed to bypass an AFIS using a forged fingerprint. As a consequence, AFIS are often equipped with a fingerprint presentation attack detection (FPAD) module, to recognize live fingerprints from fake replicas, in order to both minimize the risk of unauthorized access and avoid pointless computations. The ongoing arms race between attackers and detector designers demands a comprehensive understanding of both the defender's and attacker's perspectives to develop robust and eficient FPAD systems. This paper proposes a dual-perspective approach to FPAD, which encompasses the presentation of a new technique for carrying out presentation attacks starting from perturbed samples with adversarial techniques and the presentation of a new detection technique based on an adversarial data augmentation strategy. In this case, attack and defence are based on the same assumptions demonstrating that this dual research approach can be exploited to enhance the overall security of fingerprint recognition systems against spoofing attacks.

 eol>Fingerprint Presentation Attack Detection Convolutional Neural Networks Adversarial Perturbation Data Augmentation 1. Introduction

a set of algorithms designed to mislead a target CNN by means of a specifically crafted noise. Using the same principle, in [ 7 ], we introduced ALD (Adversarial Liveness Detector), whose core idea is to exploit adversarial ifngerprint [ 5, 6 ] as a way to perform data augmentation in order to increase the model generalization ability.

2. Fingerprint Liveness Detection Competition

60 50 40 ()R30 % E C P A20 10 To support the research and development of increasingly sophisticated presentation attack detectors on a common experimental protocol, in 2009 the first Liveness Detec- Figure 2: Comparison between mean APCER on the consention (LivDet) Competition1 [8] was started through the sual test set (C) and ScreenSpoof test set (SS) for LivDet2021. collaboration of the University of Cagliari and Clarkson University. LivDet is a biennial competition in which participants from both academia and industry are challenged to identify spoofs from live samples [9]. Each For this purpose, starting from LivDet 2019, the evaluaedition has its own distinctive set of challenges that com- tion of integrated systems has also been introduced. This petitors must overcome, such as the presence of diferent is a critical step since anti-spoofing algorithms are not materials for the training and test sets (never-seen-before expected to work independently, and the integration may materials) and the integration of FPADs into AFIS. These significantly influence the recognition system’s perforchallenges have highlighted the arms race nature of fin- mance2 [11]. In this respect, the LivDet competition is gerprint presentation attack detection. For example, a crucial in identifying diferent algorithms’ strengths and new spoof fabrication technique, called ScreenSpoof [10], weaknesses and guiding the development of more robust was introduced in LivDet2021, which highlighted the and eficient integrated systems. Designers can then use ongoing vulnerability of modern FPADs to never-before- the knowledge resulting from each edition to improve seen-before attacks, i.e. attacks unknown in the training their solutions. phase of the classification model (Figure 2). The LivDet competition is therefore based on the concept that to 3. Fingerprint Adversarial design a robust and eficient FPAD system, both the defender’s and attacker’s perspectives must be considered: Presentation Attack in the the organizers put themselves in the shoes of the attack- Physical Domain ers, allowing the competitors to assess the efectiveness of the presented algorithms by simulating real-world at- Digital adversarial attacks have proven efective against tacker scenarios. Another key point in the design of a modern AFISs, even when protected with an FPAD modreliable FPAD is considering its integration with an AFIS. ule. In particular, this type aims to deceive the AFIS/FPAD module using adversarial perturbations, i.e. small

1https://livdet.diee.unica.it/ 2https://livdet.pythonanywhere.com/

we took part in the LivDet 2021 [12] competition, submitting a methodology to recognize counterfeit biometry changes added to the fingerprint image designed to mis- from live ones and obtaining first place out of 23 parlead the system without being visually noticeable to a ticipants in the “Liveness Detection in Action track”. In human observer. However, these digital attacks typically particular, the idea of the proposed solution is to leverage assume access to the internal modules of the system, mak- adversarial fingerprints as a way to force the designed ing them unrealistic. For this reason, we explored the CNN-based liveness detector to focus only on the most threat level of physical adversarial attacks in a realistic important portions of the fingerprint, with the aim of scenario where attackers cannot directly feed a digitally reducing the chance of it being misled by minor details. perturbed image to the FPAD and they have to create a Indeed, adversarial perturbations are very suited for this physical replica to breach the system through the sensor goal, as they tend to highlight such minor details that [ 5 ]. Figure 3 shows the process of creating the adver- tend to mislead the pad. To maximize this efect, it is consarial presentation attack. Starting from the image of venient to use a gradient-based adversarial perturbation a fake fingerprint it is possible to inject noise to obtain algorithm, in order to exploit the gradient with respect an adversarial image considered live by a classifier. The to the input of the used CNN-based FPAD. Among all the PA is obtained by printing the digital adversarial image ifngerprints adversarial algorithms, we made use of the negative on a translucent sheet using a standard laser modified version of DeepFool [ 13] based on an eficient printer and casting a silicone material on top of it (Figure iterative approach exploiting the network gradient of a 4). We evaluated the percentage of successful fingerprint locally linearized version of the loss. More in detail, we adversarial presentation attacks on both white-box and further modified the perturbation strategy by not interblack-box systems, with white-box systems referring to rupting the attack as soon as the target liveness detector AFISs and FPADs in which the attacker has complete recognized a fake fingerprint as live with a probability knowledge of the system architecture and parameters ≥ 70% and by amplifying the perturbation at each iterand black-box systems referring to those in which the at- ation by a magnification factor of 103. As a result, we tacker has no prior knowledge of the underlying system. obtained an attack success rate ≥ 99%, with every single These experiments have highlighted the feasibility and fingerprint able to fool the FPAD with a confidence of at danger of the attack. least 70%.

However, using adversarial fingerprints as an ad-hoc data augmentation strategy is not trivial, as a target CNN4. Adversarial Liveness Detector based FPAD is needed to craft the adversarial fingerprints and it is important to not cause the final model to be overALD represents the deep learning-based fingerprint live- iftted to the adversarial samples. In ALD, we designed ness detection proposed in [ 7 ], whose aim is to exploit the an iterative training procedure consisting of three main experience matured as attackers to design an ad-hoc ad- steps: we first train a CNN-based FPAD on the clean versarial data augmentation strategy intended to increase (i.e. non adversarially perturbed) fingerprint data, we the efectiveness of CNN-based presentation attack detec- then generate the adversarial fingerprints as described tion. To test the efectiveness of the proposed approach, above by using the target CNN FPAD as LD, and repeat 5. Conclusions the training by also adding the adversarial fingerprint to the training data with their original label (i.e. the preperturbation class), as we want to make the FPAD more Fingerprint Presentation Attack Detection (FPAD) is conrobust. The result is an adversarial data augmentation sidered an arms race problem due to the continuous and schema, summarized in Figure 5, where adversarial at- dynamic struggle between attackers who develop novel tacks are exploited to improve the network generalization techniques to deceive fingerprint recognition systems ability. and defenders who design and improve FPAD methods

The performance obtained in the LivDet 2021 [12] in- to counter these threats. For this reason, the dual apternational competition proved the efectiveness of the proach that considers the two points of view during the methodology proposed in [ 7 ] and highlighted the signifi- design of FPADs and their integration into AFIS is crucant contribution of adversarial perturbation techniques cial to discover unknown vulnerabilities and fix them. to the generalization capacity of the CNNs considered as Our experience in the international competition LivDet FPAD. In future works we will further investigate the use as organizers, for the University of Cagliari, and as parof adversarial fingerprints in the context of both liveness ticipants, for the University of Naples Federico II, has detection and subject matching, trying to understand allowed us to highlight this aspect. Moreover, in this whether this experience can be used also to support or paper, we have presented a case of dual approach in the against impersonification attacks. FPAD related to the exploitation of spoofs obtained with adversarial processes: we have shown that it is possible to start from the analysis of the danger deriving from a new attack technique, in this case the adversarial presentation attack, a defence technique can be designed. [8] G. L. Marcialis, F. Roli, Liveness detection competition 2009, Biometric Technology Today 17 (2009) 7–9. [9] M. Micheletto, G. Orrù, R. Casula, D. Yambay,

G. L. Marcialis, S. Schuckers, Review of the Fingerprint Liveness Detection (LivDet) Competition Series: From 2009 to 2021, Springer Nature Singapore, Singapore, 2023, pp. 57–76. URL: https://doi. org/10.1007/978-981-19-5288-3_3. doi:10.1007/ 978-981-19-5288-3_3. [10] R. Casula, M. Micheletto, G. Orrú, G. L. Marcialis,

F. Roli, Towards realistic fingerprint presentation attacks: The screenspoof method, Pattern Recognition Letters (2022). URL: https://www.sciencedirect. com/science/article/pii/S0167865522002653. doi:https://doi.org/10.1016/j.patrec.

2022.09.002. [11] M. Micheletto, G. L. Marcialis, G. Orrù, F. Roli, Fingerprint recognition with embedded presentation attacks detection: are we ready?, IEEE Transactions on Information Forensics and Security 16 (2021) 5338–5351. [12] R. Casula, M. Micheletto, G. Orrù, R. Delussu,

S. Concas, A. Panzino, G. L. Marcialis, Livdet 2021 ifngerprint liveness detection competition-into the unknown, in: 2021 IEEE International Joint Conference on Biometrics (IJCB), IEEE, 2021, pp. 1–6. [13] S.-M. Moosavi-Dezfooli, A. Fawzi, P. Frossard,

Deepfool: a simple and accurate method to fool deep neural networks, in: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2016, pp. 2574–2582.

 [1] S. Marcel , M. S. Nixon , J. Fiérrez , N. W. D. Evans (Eds.), Handbook of Biometric Anti-Spoofing - Presentation Attack Detection , Second Edition, Advances in Computer Vision and Pattern Recognition, Springer, 2019 . doi: 10 .1007/ 978-3- 319 -92627-8. [2] Z. Akhtar , C. Micheloni , G. L. Foresti , Biometric liveness detection: Challenges and research opportunities , IEEE Security & Privacy 13 ( 2015 ) 63 - 72 . [3] L. Ghiani , D. A. Yambay , V. Mura , G. L. Marcialis , F. Roli , S. A. Schuckers , Review of the fingerprint liveness detection (livdet) competition series: 2009 to 2015, Image and Vision Computing 58 ( 2017 ) 110 - 128 . [4] T. Chugh , K. Cao , A. K. Jain , Fingerprint spoof buster: Use of minutiae-centered patches , IEEE Transactions on Information Forensics and Security 13 ( 2018 ) 2190 - 2202 . [5] S. Marrone , C. Sansone , Adversarial perturbations against fingerprint based authentication systems , in: 2019 International Conference on Biometrics (ICB) , IEEE, 2019 , pp. 1 - 6 . [6] S. Marrone , C. Sansone , On the transferability of adversarial perturbation attacks against fingerprint based authentication systems , Pattern Recognition Letters 152 ( 2021 ) 253 - 259 . [7] A. Galli , M. Gravina , S. Marrone , D. Mattiello , C. Sansone , Adversarial liveness detector: Leveraging adversarial perturbations in fingerprint liveness detection , IET Biometrics ( 2023 ).