Cancelable Templates for Sequence-Based Biometrics with ... - ATVS

MAIORANA et al.: CANCELABLE TEMPLATES FOR SEQUENCE-BASED BIOMETRICS 531error-correcting code selection has also been introduced.The implementation of a security scalable recognition systemby exploiting watermarking-based techniques has been studiedin [15], [52], and [53]. No template-transformation-based approachhas been proposed so far for the protection of signaturebiometrics.VI. APPLICATION TO AN ON-LINE SIGNATURERECOGNITION SYSTEMThe effectiveness of the proposed protection scheme forsequence-based biometrics is here applied to the protection ofon-line signature templates. In Section VI-A, it is discussedhow to extract a sequence-based template R F from an acquiredsignature, while the employed classifier, based on HMM, isdescribed in Section VI-B.A. Feature Extraction StageDuring the employed feature extraction stage, the horizontalx[n] and vertical y[n] position trajectories, together with thepressure signal p[n],n=1,...,N, are acquired from each onlinesignature through a digitizing tablet. We consider that thesignals x[n] and y[n] are already normalized both in position,with respect to their center of mass, and in rotation, with respectto their average path tangent angle. Other four discrete-time sequencesare derived from the pair {x[n],y[n]}, namely, the pathtangent angle θ[n], the path velocity magnitude v[n], thelogcurvature radius ρ[n], and the total acceleration magnitude a[n].Specifically, in our experiments, we consider the following setof F =14sequences:{R 14 = x[n],y[n],p[n],θ[n],v[n],ρ[n],a[n],ẋ[n], y[n], ˙ p[n], ˙ ˙θ[n],}˙v[n], ˙ρ[n], ȧ[n] , (14)where the upper dot notation denotes the first-order derivative.B. Signature ModelingIn order to perform signature recognition, a stochastic modelizationbased on HMMs is applied to the transformed signaturetemplates.An HMM is characterized by the following elements:1) the number H of hidden states {S 1 ,S 2 ,...,S H } of themodel. The state at discrete time n is indicated as q n ;2) the state transition probability A = {a i,j }, where a i,j =P [q n+1 = S j |q n = S i ],i,j =1,...,H;3) the observation symbol probability distributions ineach state j, indicated with B = {b j (o)},j =1,...,H.The observation processes are represented using mixturesof M multivariate Gaussian distributions: b j (o) =∑ Mm=1 α j,mp μj,m ,Σ j,m(o),j =1,...,H, where μ j,mand Σ j,m indicate the mean and the diagonal covariancematrix of each Gaussian component, respectively. Thecoefficients α j,m are selected by respecting the conditionof normalization ∑ Mm=1 α j,m =1,j =1,...,H;4) the initial state distribution π = {π j } = {p[q 1 =S j ]},j =1,...,H.Following the proposed approach, during the enrollmentphase, the client model λ = {π, A, B} is estimated consideringE enrollment signatures of the subject at hand, according to theiterative strategy presented in [5].The obtained model λ is stored in a database and used inthe authentication phase, where a similarity score is calculatedas (1/K) log P (O|λ) using the Viterbi algorithm [54]. Specifically,the Viterbi algorithm is employed to estimate, given anobservation sequence O and a model λ, the sequence Q ofhidden states corresponding to O. The criterion followed by theViterbi algorithm is to maximize the probability P (Q|O,λ),which is equivalent to maximizing P (Q, O|λ). The Viterbiprocedure can be efficiently represented by a lattice structure,where each node, at a given instant, represents the hidden stateof the model. The computational complexity of the algorithmis reduced when maximizing the log likelihood, with respectto the likelihood of the test sample path given the model. Theratio 1/K is taken into account to normalize to the obtainedlog likelihood, which decreases when the length of the testsignature increases [55].It is worth pointing out that, when using HMMs for signaturerecognition, also in an unprotected approach, the client modelλ = {π, A, B}, instead of the original signature sequences,is stored in the database. However, if an attacker is able toacquire the client HMM, the statistical properties of the client’ssignatures can be derived from the model and, for example,employed to track the users across multiple databases. Usingthe proposed protection approach, if an attacker succeeds inacquiring the stored models, he can only retrieve informationabout the set of transformed sequences T F , from which it is notpossible to get any information about the original sequencesr (i) [n],i=1,...,F, as discussed in Section IV.VII. EXPERIMENTAL SETUPThe noninvertible transforms, proposed for the protectionof sequence-based biometrics, are tested by verifying boththeir renewability capabilities and the verification performanceachievable in protected systems, with application to on-linesignature biometrics. For the experiments, we use the MCYTon-line signature corpus [57]. This database includes signaturesfrom 330 subjects, with 25 genuine signatures per subject.These genuine signatures have been captured in sets of five,allowing some breaks between the different acquisition sets.For each subject, there are also 25 forgeries performed by fivedifferent forgers for each subject. Forgers have been askedto reproduce without breaks or slowdowns a signature afterhaving observed the static image of the prototype and afterhaving carried out a training stage, which consists of copyingthe prototype at least ten times.In the experiments, we have studied the following key aspectsof the proposed template protection approaches:1) Authentication performancea) performance dependence on HMM parameters, forboth unprotected and protected systems;b) performance variability with respect to thetransformation-defining parameters, for protectedsystems;Authorized licensed use limited to: Univ Autonoma de Madrid. Downloaded on May 06,2010 at 15:31:46 UTC from IEEE Xplore. Restrictions apply.