Quantitative Security Evaluation of a Multi-biometric Authentication System

  • Leonardo Montecchi
  • Paolo Lollini
  • Andrea Bondavalli
  • Ernesto La Mattina
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7613)


Biometric authentication systems verify the identity of users by relying on their distinctive traits, like fingerprint, face, iris, signature, voice, etc. Biometrics is commonly perceived as a strong authentication method; in practice several well-known vulnerabilities exist, and security aspects should be carefully considered, especially when it is adopted to secure the access to applications controlling critical systems and infrastructures. In this paper we perform a quantitative security evaluation of the CASHMA multi-biometric authentication system, assessing the security provided by different system configurations against attackers with different capabilities. The analysis is performed using the ADVISE modeling formalism, a formalism for security evaluation that extends attack graphs; it allows to combine information on the system, the attacker, and the metrics of interest to produce quantitative results. The obtained results provide useful insight on the security offered by the different system configurations, and demonstrate the feasibility of the approach to model security threats and countermeasures in real scenarios.


quantitative security evaluation multimodal biometric authentication modeling ADVISE CASHMA 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Li, S.Z. (ed.): Encyclopedia of Biometrics, 1st edn. Springer Reference (2009)Google Scholar
  2. 2.
    Chen, T., Abu-Nimeh, S.: Lessons from Stuxnet. IEEE Computer 44(4), 91–93 (2011)CrossRefGoogle Scholar
  3. 3.
    FIRB – Fondo per gli Investimenti della Ricerca di Base, CASHMA: Context Aware Security by Hierarchical Multilevel Architectures (2008) Google Scholar
  4. 4.
    LeMay, E., Ford, M., Keefe, K., Sanders, W., Muehrcke, C.: Model-based Security Metrics Using ADversary VIew Security Evaluation (ADVISE). In: 8th International Conference on Quantitative Evaluation of Systems (QEST 2011), pp. 191–200 (2011)Google Scholar
  5. 5.
    Phillips, P.J., Martin, A., Wilson, C.L., Przybocki, M.: An introduction evaluating biometric systems. IEEE Computer 33(2), 56–63 (2000)CrossRefGoogle Scholar
  6. 6.
    Henniger, O., Scheuermann, D., Kniess, T.: On security evaluation of fingerprint recognition systems. In: International Biometric Performance Conference (IBPC 2010), March 1-5. National Institute of Standards and Technology, NIST (2010)Google Scholar
  7. 7.
    Nicol, D.M., Sanders, W.H., Trivedi, K.S.: Model-based evaluation: from dependability to security. IEEE Trans. on Dependable and Secure Computing 1(1), 48–65 (2004)CrossRefGoogle Scholar
  8. 8.
    Dolev, D., Yao, A.C.: On the security of public-key protocols. IEEE Transactions on Information Theory 29(8), 198–208 (1983)MathSciNetzbMATHCrossRefGoogle Scholar
  9. 9.
    Lowe, G.: Casper: a compiler for the analysis of security protocols. In: Proc. 10th Computer Security Foundations Workshop, June 10-12, pp. 18–30 (1997)Google Scholar
  10. 10.
    Ten, C.-W., Liu, C.-C., Govindarasu, M.: Vulnerability Assessment of Cybersecurity for SCADA Systems Using Attack Trees. In: IEEE Power Engineering Society General Meeting, June 24-28, pp. 1–8 (2007)Google Scholar
  11. 11.
    Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.M.: Automated generation and analysis of attack graphs. In: IEEE Symposium on Security and Privacy, pp. 273–284 (2002)Google Scholar
  12. 12.
    Beccuti, M., et al.: Quantification of dependencies in electrical and information infrastructures: The CRUTIAL approach. In: 4th International Conference on Critical Infrastructures (CRIS 2009), pp. 1–8 (2009)Google Scholar
  13. 13.
    LeMay, E., Unkenholz, W., Parks, D., Muehrcke, C., Keefe, K., Sanders, W.H.: Adversary-Driven State-Based System Security Evaluation. In: Proceedings of the 6th International Workshop on Security Measurements and Metrics, MetriSec 2010 (2010)Google Scholar
  14. 14.
    Courtney, T., Gaonkar, S., Keefe, K., Rozier, E.W.D., Sanders, W.H.: Möbius 2.3: An Extensible Tool for Dependability, Security, and Performance Evaluation of Large and Complex System Models. In: DSN 2009, Estoril, Lisbon, Portugal, pp. 353–358 (2009)Google Scholar
  15. 15.
    Matsumoto, T., Matsumoto, H., Yamada, K., Hoshino, S.: Impact of artificial ‘gummy’ fingers on fingerprint systems. In: Proc. SPIE, vol. 4677, pp. 275–289 (2002)Google Scholar
  16. 16.
    Pacut, A., Czajka, A.: A liveness Detection for IRIS Biometrics. In: Proc. of the 40th Int. Carnahan Conference on Security Technology (ICCST 2006), pp. 122–129 (October 2006)Google Scholar
  17. 17.
    Roberts, C.: Biometric attack vectors and defences. Computers & Security 26(1), 14–25 (2007)CrossRefGoogle Scholar
  18. 18.
    Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol – Version 1.2, RFC 5246, IETF Network Working Group (August 2008)Google Scholar
  19. 19.
    Salles-Loustau, G., Berthier, R., Collange, E., Sobesto, B., Cukier, M.: Characterizing Attackers and Attacks: An Empirical Study. In: IEEE 17th Pacific Rim International Symposium on Dependable Computing (PRDC), pp. 174–183 (2011)Google Scholar
  20. 20.
    Montecchi, L., Lollini, P., Bondavalli, A.: ADVISE model for the security evaluation of the CASHMA multi-biometric authentication system, University of Florence, RCL Group, Technical Report RCL120301 (2012),

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Leonardo Montecchi
    • 1
  • Paolo Lollini
    • 1
  • Andrea Bondavalli
    • 1
  • Ernesto La Mattina
    • 2
  1. 1.University of FlorenceFirenzeItaly
  2. 2.Engineering Ingegneria Informatica S.p.A.PalermoItaly

Personalised recommendations