Professional Documents
Culture Documents
C1 Cancellable_Template_Design_for_Privacy-Preserving_EEG_Biometric_Authentication_Systems
C1 Cancellable_Template_Design_for_Privacy-Preserving_EEG_Biometric_Authentication_Systems
17, 2022
24 biometric performance. The proposed verification system offers brain-computer interface, neuroscience, and sensor technology 42
25 superior performance than the state-of-the-art, while protecting has created an environment where EEG is readily available 43
26 raw EEG data. Furthermore, we analyze the system’s capacity for biometric applications. Potential advantages of EEG bio- 44
27 for resisting multiple attacks, and discuss some overlooked but metrics include its robustness against circumvention, support 45
28 critical issues and possible pitfalls involving hill-climbing attacks,
29 second attacks, and classification-based verification systems. for liveness detection, continuous verification, and cognitive 46
33 I. I NTRODUCTION she engages with the elicitation protocol, are transmitted to the 52
35 print and face recognition share vulnerabilities in terms with noise and artifacts, it is necessary to preprocess the raw 54
36 of confidentiality and robustness against circumvention [1] data to enhance signal quality. Then discriminant features are 55
37 since these biometric traits are observable and can be illegally extracted from the preprocessed EEG and fed into a decision- 56
38 obtained or forged without the user’s awareness, e.g., via high making module. 57
Manuscript received 24 February 2022; revised 29 June 2022 and 8 improvement of the signal acquisition, feature extraction, and 59
August 2022; accepted 12 August 2022. Date of publication 5 September decision-making modules. The acquisition of EEG biometrics 60
2022; date of current version 29 September 2022. This work was supported
by the Australian Research Council Discovery Grant DP200103207. The requires to specify the corresponding signal elicitation pro- 61
associate editor coordinating the review of this manuscript and approving tocols, among which the resting protocol is favorable due to 62
it for publication was Dr. Issa Traore. (Corresponding author: Jiankun Hu.) its convenience and minimum requirements for data collection. 63
Min Wang and Jiankun Hu are with the School of Engineering and
Information Technology, University of New South Wales, Canberra, ACT Ongoing EEG under the resting state protocol does not involve 64
2612, Australia (e-mail: maggie.wang1@adfa.edu.au; j.hu@adfa.edu.au). external stimulation to or active response from the user during 65
Song Wang is with the School of Computing, Engineering and Mathematical data acquisition, thus minimizing the impact of cognitive state 66
Sciences, La Trobe University, Melbourne, VIC 3086, Australia (e-mail:
song.wang@latrobe.edu.au). changes on signal stability [6], [7]. It also supports operation 67
Digital Object Identifier 10.1109/TIFS.2022.3204222 in a continuous and unobtrusive manner. Alternative protocols 68
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
WANG et al.: CANCELLABLE TEMPLATE DESIGN 3351
69 include the volitional tasks, e.g., the pass-thoughts and various mechanisms. Section III presents the proposed methodology. 127
70 event-related potential (ERP) protocols [8]. The decision- Section IV describes the experimental design, followed by 128
71 making is achieved by template comparison or classification results in Section V and security analysis and discussion in 129
72 based on supervised learning models. Template comparison is Section VI. The conclusion and future directions are summa- 130
73 adopted in many studies as an effective and solid decision- rized in Section VII. 131
77 models, such as discriminant analysis [11], [12], support EEG under the resting state has been investigated for 134
78 vector machines, and neural networks [5], [13]. However, user biometric applications for over a decade and recent studies 135
79 verification is not merely a classification problem, but also on the permanence issue suggested that the resting state pro- 136
80 entails security considerations. Classification accuracy does tocol presents an effective and robust condition for biometric 137
81 not necessarily reflect real biometric performance. Unfortu- recognition [6], [9]. In the resting state elicitation protocol, the 138
82 nately, many studies fail to differentiate the two concepts. user remains relaxed with eyes closed (EC) or eyes open (EO) 139
83 We will discuss this issue in Section VI. without performing any particular task. The rationale behind 140
84 A more serious concern is that EEG biometric systems it, besides its implementation simplicity, is the neurophysio- 141
85 without privacy-preserving mechanisms would pose a huge logical evidence which indicates that ongoing EEG under the 142
86 threat to user privacy. EEG signals contain sensitive infor- resting state carries unique identity information (e.g., those 143
87 mation about the user’s cognitive and emotional states and related to heritability and personality factors) [16]. In addition, 144
88 health conditions [14]. A recent study examining EEG tem- EEG signals present large intra-user variations that could 145
89 plates (features) used in biometric applications confirmed that hinder the biometric performance. In order to improve system 146
90 personal characteristics regarding age and gender, as well performance and robustness, the fusion of multiple elicitation 147
91 as information related to medication intake and neurological protocols is adopted. In many works, this is achieved by 148
92 disorders, can be inferred from the templates [15]. These decision-level fusion through voting schemes [8]. Another way 149
93 findings highlight the need to apply privacy-preserving mecha- for protocol fusion is to mix the EEG data collected under 150
94 nisms to protect user templates when deploying EEG biometric different elicitation protocols to create a data set that contains 151
95 systems. However, the issue of protecting EEG biometric the generalized unique pattern of each user [13]. This strategy 152
96 systems from privacy and security breaches has not been fully has been adopted in many EEG biometrics studies to account 153
97 resolved. The contributions of this study are summarized as for the intra-class variability, especially methods based on 154
99 • A cancellable template design is proposed to attain a Regarding feature extraction, different methods are pro- 156
100 privacy-preserving EEG-based verification system. posed considering the various characteristics of EEG signals. 157
101 • An innovative transformation is designed to generate Based on whether the relationship information between signals 158
102 cancellable templates from EEG features encoded by a of different channels is captured or not, we can categorize 159
103 deep neural network via a non-invertible transform. The EEG features into univariate features and bivariate features. 160
104 proposed transformation is tailored for EEG biometrics The univariate features are extracted from single channels 161
105 allowing for elicitation protocol fusion to enhance verifi- of signals considering signal characteristics in the time and 162
106 cation performance, while providing template protection. frequency domains. Popular ones include the coefficients of 163
107 • A new concept of second attacks is introduced to examine autoregressive (AR) models [9], [17], fuzzy entropy [18], and 164
108 the possibility of breaking into a system using pre- power spectral density (PSD) features [7], [9], which reflect 165
109 obtained solutions after the system has revoked the com- time-dependency, dynamic complexity, and spectral character- 166
110 promised template. istics of EEG, respectively. On the other hand, the bivariate 167
111 • Pre-image and hill-climbing attacks are widely used features are based on brain connectivity which captures the 168
112 criteria to assess cancellable biometrics. We reveal that interactive or structural information between EEG channels. 169
113 these criteria do not fully apply to security assessment of Different statistical and effective metrics have been used for 170
114 cancellable biometrics. Hence, we re-define the concept establishing connectivity between EEG channels, including the 171
115 of pre-image attacks suitable for cancellable biometrics. Pearson’s correlation [5], [19], Granger causality [20], spectral 172
116 • Extensive experiments are carried out to evaluate the coherence [7], and phase synchronization indices [10], [19]. 173
117 effects of pre-image and hill-climbing attacks. The results Moreover, graph features extracted from the brain connec- 174
118 demonstrate that cancellable template design based on tivity networks are also proposed for EEG biometrics [10], 175
119 many-to-one mapping is inherently resistant to these [21]. Recent findings suggest that, compared with univari- 176
120 attacks, which is contrary to the common understanding ate features, bivariate features are more robust against the 177
121 in the field. intra-user variations across sessions, thus improving biometric 178
122 • In-depth analysis is conducted on pitfalls involved in performance [5], [10]. The result also shows that the phase 179
123 the evaluation procedure of supervised learning-based synchronization, especially the ρ index, is a sound metric to 180
124 verification systems. estimate EEG connectivity for biometric applications. Feature 181
125 The rest of this paper is organized as follows. Section II extraction based on deep learning model is also proposed [22], 182
126 reviews the state of the art on EEG biometrics and protection [23], [24]. 183
3352 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 17, 2022
184 For classification in EEG biometrics, existing methods based on EEG are also proposed [29]. Cancellable biometric 240
185 can be categorized into comparison-based classification and templates based on non-invertible transforms offer a solution 241
186 supervised learning-based classification. In verification, the to EEG data protection as well as template revocability [30], 242
187 comparison-based methods predict the class label (genuine [31], [32], [33]. To the best of our knowledge, there has 243
188 user or impostor) of a probe template by calculating its similar- been no cancellable EEG template design reported. In EEG 244
189 ity to one or multiple reference templates of the claimed user. biometric systems, most of the work is based on classification 245
190 The similarity was defined by the Euclidean distance [21], models, where it is infeasible to integrate cancellability. Once 246
191 Mahalanobis distance [7], Manhattan distance [9], cosine the model is compromised, the input can be estimated by 247
192 similarity [9], [17], and cross-correlation [8]. Template com- genetic algorithms so that the system is cracked. 248
205 B. Privacy-Preserving Mechanisms the database. In the verification stage, a probe template is 261
210 cannot retrieve the original biometric data, even if the stored The resting state EEG elicitation protocol is adopted for 265
211 template is compromised. The comparison or classification signal acquisition. To be specific, two conditions are included, 266
212 of the enrolled template and the probe is carried out in the namely the EO and EC states. The user is asked to stay 267
213 transformed domain to protect the original biometric data from relaxed with eyes closed or eyes open, while the spontaneous 268
214 leakage. He et al. [25] studied the potential of hashing EEG EEG signals are recorded. EEG signals present time-varying 269
215 features for verification. Multi-variate autoregressive coeffi- and non-stationary characteristics, and are sensitive to the 270
216 cients were extracted as features from multi-channel EEG cognitive states of the subject, which may affect the bio- 271
217 signals and then hashed by the fast Johnson-Lindenstrauss metric performance. Therefore, in order to improve stability, 272
218 algorithm to obtain compact hash vectors. A naive Bayes researchers often consider elicitation protocol fusion to get a 273
219 probabilistic model was used for decision-making based on the richer dataset that contains signals in diverse states. We adopt 274
220 EEG hash vectors. Applying cryptographic hashing to biomet- the basic idea of elicitation protocol fusion [13]. However, 275
221 rics induces variation, as any slight change to the input would instead of decision-level fusion with majority voting or directly 276
222 completely alter the hash value produced. Bajwa et al. [26] mixing data collected under different protocols to form training 277
223 proposed a key generation method with EEG biometrics. The and testing sets as in the existing research, as shown is 278
224 PSD features were extracted from EEG signals using the Fig. 3 (a) and (b), we embed data fusion naturally in the 279
225 discrete Fourier transform and discrete wavelet transform, transformation process, as illustrated in Fig. 3 (c). The benefits 280
226 followed by a Neurokey generation procedure which involves of our design are twofold: 1) the entropy of extracted fea- 281
227 feature selection, binarization and hashing. The term ‘can- tures increases, thus the reliability of the biometric system is 282
228 cellable’ is used in this study to mean that a user’s Neurokey enhanced, due to the elicitation protocol fusion; and 2) secure 283
229 can be changed by using the EEG collected in a different cog- cancellable templates are generated at the same time without 284
230 nitive task, if the user’s biometric information is compromised. extra computational costs. Details of the transformation is 285
231 However, such ‘cancellable biometrics’ cannot protect raw presented in Section III-C. 286
232 EEG data containing sensitive information. Furthermore, the
233 choice of tasks is limited and different tasks would have vastly
234 different performance [27]. Damaševičius et al. [28] developed B. Feature Extraction 287
235 a cryptographic verification scheme for EEG biometrics using The state-of-the-art feature extraction method [23], [24] is 288
236 fuzzy commitment and the error-correcting Bose-Chaudhuri- adopted in our study, where a siamese CNN model is designed 289
237 Hocquenghem codes. Although this method protects data to derive discriminative features from the raw EEG time series. 290
238 privacy, it is not equipped with cancellability to revoke The siamese network, as illustrated in Fig. 4, contains two 291
239 compromised templates. Cognitive biometric cryptosystems identical CNN subnetworks that share the same architecture, 292
WANG et al.: CANCELLABLE TEMPLATE DESIGN 3353
TABLE I
C ONFIGURATION OF THE CNN S UBNETWORKS
295 of the siamese network is a pair of signals (s1 , s2 ) and the final baseline for distance for which pairs should be classified as 311
296 layers in the subnetworks output encodings (v1 , v2 ), where dissimilar (m=1). The configuration of the CNN subnetworks 312
297 the Euclidean distance between the two encodings, Dv21 ,v2 , is presented in Table I. After training, the model will be used 313
306 (1)
307 where y is the label associated with the input pair, with C. Feature Transformation 324
308 1 meaning a matching pair (two signals are from the same Let v1 and v2 denote the feature vectors extracted from 325
309 subject) and 0 a non-matching pair (two signals are from EEG signals collected under the two elicitation protocols. The 326
3354 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 17, 2022
327 proposed transformation takes the input of v1 and v2 and Algorithm 1 Transform
328 generates a secure cancellable template t, as illustrated in Input : feature vectors from F frames
329 Fig. 3 (c). Both feature vectors have a length of D. v f,1 , v f,2 ∈ R D , f = 1, · · · , F
330 At the enrollment stage, each user is assigned a user key k user identity u
331 (the key is stored along the template in the database), which Output: template t
332 is used as the random seed to generate a random permutation 1 if enrollment then
333 of the integers 1 to D, as follows: 2 initialize a key ku
3 else
334 p = r and per m(k, D), (2)
4 retrieve the key ku
335 where the randperm(seed,integer) is a random permutation 5 end
336 function defined on a Pseudorandom number generator 6 compute p ← r and per m(k u , D)
337 (PRNG) which can adopt any generic PRNG algorithm, 7 compute M ← r and(k u , [D, δ D]), δ ∈ (0, 1)
338 e.g., the Mersenne Twister algorithm. Then a permuted 8 for f = 1 to F do
339 (re-arranged) version of the feature vector v1 is obtained and 9 permutation vf,1 ← v f,1 (p)
340 the Hadamard product of it and v2 is calculated, as follows: 10 Hadamard product c f ← vf,1 ◦ v f,2
341 v1 = v1 (p) (3) 11 projection r f ← c f · M
12 end
342 c = v1 ◦ v2 . (4) F
13 compute r ← ( f =1 r f )/F
343 A vector r is then generated by projecting vector c with a 14 encoding t ← Gr ayCode(r, 8-bit)
344 matrix M, as follows:
345 r = c · M, (5) Algorithm 2 GrayCode
346 where M is a user-specific random projection matrix with Input : real vector r; bit M
347 more rows than columns to form an underdetermined system Output: binary code t
348 of equations, thus making the transformation non-invertible. 1 r ← r/max(r))
349 Finally, the real-valued vector r is encoded into a binary 2 r ← r − mean(r))
350 template t through the 8-bit Gray code. The coding process 3 r ← nor mcd f (r, 0, std(r)))
351 first converts a real vector into a decimal vector which is then 4 r ← r
5 r ← r ∗ (2 )
352 converted into the Gray code according to the code book, as in M
353 Algorithm 2. The binary template t is stored in the system for 6 d ← r ound(r)
7 d(d == 2 ) ← 2 − 1
354 comparison purposes. M M
355 EEG is a continuous signal in nature and a moving win- 8 t ← dec2gc(d, M)
356 dow of short length is usually applied to segment the data
357 sources into frames for preprocessing and feature extraction.
It is natural to use the multiple frames captured during data
compared with a pre-defined threshold θ to make a decision,
358
379
359 collection, instead of a single frame, to generate a more
as follows: 380
360 stable template. Let Fe and Ft denote the number of frames
collected during enrollment and verification, respectively. Each accept, if d H (tq , tr ) ≤ θ
ô = .
361
(7) 381
362 frame corresponds to a vector rf , hence, for F vectors, r f r ej ect, otherwise
363 (where f = 1, · · · , F) are obtained. The final template
In the analysis, the threshold θ is automatically adjusted to 382
364 generated by the transformation module is the Gray encoding
obtain the equal error rate (EER), which is defined as the 383
365 of the average of these vectors. The complete transformation
error rate when the false match rate (FMR) equals the false 384
366 procedure is summarized in Algorithm 1. The number of
non-match rate (FNMR). The FMR reflects the percentage of 385
367 frames is adjustable in accordance with application scenarios
probe templates in which impostors are incorrectly accepted, 386
368 and requirements.
and the FNMR reflects the percentage of probe templates in 387
370 To verify a user, one or more frames of EEG signals are and elegant solution to the generation of secure and cancellable 390
371 captured from the user and a probe template is generated templates. (i) If a template is compromised, the associated 391
372 following the same procedure as in the registration stage. The user key can be replaced and a new template can therefore be 392
373 Hamming distance is used for comparing the probe template generated with this new key. (ii) Every time the user key is 393
374 and the reference template (both are binary representations), updated, the random permutation in (3) and the Hadamard 394
375 as follows: product in (4) provide a different set of variables for the 395
377 where the symbol ⊕ denotes element-wise XOR. Finally, the the computation, making the system resistant to the ARM. 398
378 distance is normalized (percentage of bits that differ) and (iii) The transformation takes advantage of EEG signal 399
WANG et al.: CANCELLABLE TEMPLATE DESIGN 3355
cols, EO and EC, are selected from databases MMIDB and 453
400 elicitation protocol fusion such that the entropy and reliability BED for evaluation. For transformation, when signals under 454
401 of the feature vectors are enhanced. (iv) The encoding proce- two protocols are available, we enable the transformation- 455
402 dure is a quantization process alleviating the impact of EEG embedded protocol fusion scheme, hence, the input of the 456
403 uncertainties associated with the complexity and variability of transformation module, v1 and v2 , are feature vectors extracted 457
404 brain dynamics. under the two protocols, respectively. When only one protocol 458
is applied, the feature vector will be divided into two parts of 459
equal length (first half and second half), v1 and v2 , to fed into 460
405 IV. E XPERIMENTAL D ESIGN
the transformation module. For SEEDiv database, the Neutral 461
406 A. Database and Pre-Processing protocol is selected since the database does not provide data 462
407 Evaluation of the proposed method utilizes three pub- under resting states and Neutral is the most relevant one that 463
408 licly available databases, which are the EEG Motor Move- available in it. 464
409 ment/Imagery Database (MMIDB) [35], BED database [36], 2) Handcrafted Features: We select four representative 465
410 and SEEDiv database [37]. The MMIDB database provides types of handcrafted features for comparison, which are 466
411 EEG signals collected from 109 subjects in two resting the reflection coefficients of AR models, band power, fuzzy 467
412 states, EC and EO, and motor imagery tasks including physi- entropy, and graph features based on the EEG functional 468
413 cally opening/closing fists/feet and imagining opening/closing connectivity networks. These four types of features capture 469
414 fists/feet without actual body movement. Data acquisition the time-dependency, power spectral characteristics, dynamic 470
415 was performed using a BCI2000 system [38] equipped with complexity, the functional connectivity characteristics of EEG 471
416 64 electrodes with a sampling rate of 160 Hz. The recorded signals, respectively. They are classic and important EEG 472
417 signal is referenced to the earlobes. The BED database con- features in time, frequency, and space domains, and have been 473
418 tains EEG recordings from 21 individuals under multiple widely used for EEG biometric applications. In the following 474
419 signal elicitation protocols in three sessions. The signals were analysis, we refer to them as AR, PSD, FuzzEn, and Graph, 475
421 device. The EEG recordings under the resting with eye-open • AR: An AR model describes the time-varying processes 477
422 (EO) and eye-closed (EC) protocols are used in this study. in EEG by specifying that the value of the timeseries 478
423 The SEEDiv database contains EEG recordings of 15 subjects at a certain time depends linearly on its own previous 479
424 while watching movie clips in three sessions. This database p and on a stochastic term (white noise), i.e., s(t) =
values 480
425 was originally collected for EEG-based emotion recognition, i=1 θi s(t − i ) + ε(t), where θ is the coefficients of the 481
426 where the movie clips were used as visual stimuli to induce AR model. In this study, we use an AR model of order 482
427 happiness, sadness, fear and neutral emotions from the sub- 5 to fit the signal timeseries, and derive the reflection 483
428 jects. We selected recordings under the neutral emotion for this coefficients as features using the Burg method [40]. The 484
429 study. Table II summarizes the details of the three databases. final feature vector has a length of 5 × N, where N is the 485
430 For signal preprocessing, we apply the Harvard auto- number of channels. 486
431 mated processing pipeline for EEG (HAPPE) [39] to remove • PSD: We estimate the power spectral density of EEG 487
432 noise and artifacts originating from muscle and eye move- signals using a non-parametric approach based on the fast 488
433 ment. It consists of four standard steps, including filtering Fourier transform. This approach is selected because it 489
434 ([8 30] Hz), bed channel detection and interpolation, arti- directly corresponds to the physical interpretation in terms 490
435 fact component rejection, and common average referencing. of EEG rhythms [7]. Based on the PSD, the average band 491
436 The HAPPE pipeline is adopted due to its effectiveness in power over the delta, theta, alpha, beta, and gamma bands 492
437 preprocessing data that are heavily contaminated with noise are extracted as features. The length of the final feature 493
438 and artifacts. The alpha and beta bands ([8 30] Hz) are vector is 5 × N, where N is the number of channels. 494
439 selected since EEG content in these two bands contains • FuzzEn: Entropy quantifies the amount of uncertainty 495
440 most inter-person discriminative characteristics according to in the EEG amplitudes. Among the existing entropy 496
441 existing findings [10], [23]. A downsampling to 100 Hz, estimation methods such as approximate entropy and 497
442 128 Hz and 80 Hz is also applied for SEEDiv, BED, and sample entropy, we select the FuzzEn [18], which was 498
443 MMIDB respectively, to improve computational efficiency in shown to be a more reliable measure than others for 499
444 the subsequent feature extraction step, considering the Nyquist biological data, since the uncertainty at the boundaries 500
445 Shannon sampling theorem. The preprocessed signal is then between classes can provide a shade of ambiguity [41]. 501
446 segmented into two-second frames, so that each frame contains The final feature vector has a length of N, the number of 502
447 62, 14, and 64 two-second time series, respectively, for the channels. 503
3356 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 17, 2022
538 evaluation uses data collected in one session for enrollment The lost key scenario is considered the worst case as the 560
539 and verification, and the cross-session evaluation tests verifi- user loses his/her parameter key. This means that the attacker 561
540 cation performance using data collected in a different session can take this advantage to penetrate the verification system. 562
541 than the one used for enrollment. The cross-session stability is In order to simulate this scenario, we use the same parameter 563
542 important for practical EEG biometric systems. In the cross- key to generate the permutation vector p in (3) and projection 564
543 session setup, the siamese model is trained using input pairs matrix M in (5) for all users in the transformation module. 565
544 generated within and across sessions in the training subject set, Table III presents within-session verification performance EER 566
545 and the verification performance is evaluated by comparing (%). All methods are with the same frame configuration 567
546 data of each user in the third session against that in the first (Fe = 10 and Ft = 5). Table IV summarizes the cross- 568
547 session. Then through the proposed transformation method, session verification performance EER (%) under the same 569
548 the features extracted from each user during the enrollment frame configuration (Fe = 10 and Ft = 5). The corresponding 570
549 stage (session 1) are transformed into a reference template DET plots are summarized in Fig. 5 and Fig. 6. From the 571
550 which is then stored in the system. During the verification results, we can observe that the proposed cancellable template 572
551 stage (session 3), the same feature extractor and transform are design (DeepExtractor+transformation) demonstrates a supe- 573
552 used to derive probe templates which are compared with the rior verification performance while protecting the raw EEG 574
553 reference templates to compute the EER performance. biometrics. 575
555 Let Fe and Ft denote the number of consecutive frames we can see an improvement in the verification performance for 578
556 involved in a template during enrollment and verification, most of the cases, which shows the effectiveness of embedding 579
557 respectively. The verification performance is measured by the the protocol fusion in the transformation for enhancing the 580
558 EER. verification performance. The results also show that, although 581
WANG et al.: CANCELLABLE TEMPLATE DESIGN 3357
TABLE IV
C ROSS -S ESSION V ERIFICATION P ERFORMANCE EER (%). A LL M ETHODS A RE W ITH THE S AME F RAME C ONFIGURATION ( Fe = 10 AND Ft = 5)
Fig. 5. DET curves of Handcrafted and DeepExtractor in the transformed domain for within-session and cross-session evaluation.
Fig. 6. DET curves of DeepExtractor in both non-transformed and transformed domains under EO and EC protocols for within-session and cross-session
evaluation.
582 the proposed method uses resting state protocols and Deep- 4.19%, and 0.5% for EO, EC, and state fusion on BED 598
583 Extractor features, the transformation itself is not confined database, and 1.42% on SEEDiv database. The results indicate 599
584 to specific signal elicitation protocols or features. In high- that the proposed method works well with high usability (low 600
585 security scenarios, it is often required to have a very low FNMR) when operating at high security level (FMR=0) in the 601
586 FMR. Therefore, we also report the FNMR of the proposed classical user authentication scenario. The corresponding EER 602
587 method when FMR=0 in Table IV. Comparing results in non- is also improved. 603
591 high on the BED database, although it is reasonable on the Biometric verification is essentially a decision task to dis- 605
592 SEEDiv database. This issue can be easily addressed by some criminate the user from impostors. In this analysis, we adopt 606
593 practical approaches, for example, using user-specific models the decidability index d [43] to measure the discriminant 607
594 and thresholds. A significant improvement is observed with capacity of the designed cancellable template. The d is 608
595 user-specific models and comparison thresholds. When the defined as: 609
Fig. 7. Decidability analysis of DeepExtractor with and without transform. Distributions of the genuine distances and impostor distances, and the corresponding
decidability index d .
611 where (m intra , sintra ) and (m int er , sint er ) denote the mean and of the same user. Fig.8 shows the pseudo-impostor distance 643
612 standard deviation of the comparison distances between user distribution of the proposed method, along with the genuine 644
613 samples and the comparison distances between user samples and impostor distance distributions. The results show that the 645
614 and impostor samples, respectively. For each user, we generate pseudo-impostor distance distribution has almost no overlap 646
615 a genuine distance distribution by comparing every possible with the genuine distance distribution, and at the same time, 647
616 pair of the user samples, and an impostor distance distribution having significant overlap with the impostor distance distribu- 648
617 by comparing each user sample with each sample of other sub- tion. In other words, the system satisfies the revocability and 649
618 jects. Fig. 7 presents the distance distributions of the proposed diversity requirements. 650
621 protocol on databases MMIDB and BED, and under Neutral For a cancellable biometric template design, the unlinkabil- 652
622 protocol on database SEEDiv. The results of transformation ity property requires that the transformed templates originated 653
623 without Gray code encoding are also presented to provide from the same EEG data of the same subject are as different as 654
624 a better visual comparison of the corresponding real-valued those from different subjects [45]. To evaluate the unlinkability 655
625 distributions in the non-transformed domain. The observation of the proposed method, we adopted two measures, i.e., the 656
626 is that the proposed transformation enhances system decidabil- score/distance-wise linkability D↔ (d) (a local measure) and 657
sys
627 ity, reducing the overlap between the genuine and impostor system overall linkability D↔ (a global measure) [45], which 658
628 distance distributions. Without the coding component, it still are popular tools for unlinkability assessment in cancellable 659
sys
629 provides the same level of decidability as the original system biometrics research. The calculation of D↔ (d) and D↔ is 660
630 without transformation. based on the mated and non-mated sample score/distance 661
632 The revocability and diversity criteria specify that tem- data using different parameter keys. The non-mated sample 664
633 plates generated from the same biometric features by different score/distance is obtained by comparing two templates gen- 665
634 parameter keys should have no correlation. To evaluate the erated from the EEG of different subjects using different 666
635 capacity of the proposed cancellable template design in terms parameter keys. We followed the same procedure in a recent 667
636 of revocability and diversity, we follow the common practice study [44] and generated six transformed databases using 668
sys
637 in relevant studies [44] and calculate the pseudo-impostor six different keys. The value range of D↔ (d) and D↔ is 669
638 distances. For each user, 50 additional transformed templates [0, 1] with 0 indicating fully unlinkable and 1 indicating 670
639 (i.e., the pseudo-impostor) are generated from the first feature fully linkable. Fig. 9 presents the analysis results, where we 671
640 template using different parameter keys. A pseudo-impostor tested the proposed method ‘DeepExtractor+transformation’ 672
641 distance distribution can then be obtained by comparing the on the three databases. The proposed method provides high 673
642 original user templates with the pseudo-impostor templates unlinkability, with very low global linkability indices around 674
WANG et al.: CANCELLABLE TEMPLATE DESIGN 3359
Fig. 8. Revocability and diversity analysis of DeepExtractor+transform. Distributions of the genuine, impostor, and pseudo-impostor distances.
675 0.01-0.05. With the complete transformation, the mated and the projection matrix M is rank-deficient for every set of 714
676 non-mated distance distributions are highly overlapped. It is variables, it is insufficient to inverse the computation in (5). 715
677 also observed that the Gray code encoding helps reduce Below is a representative example to show how the pro- 716
678 the difference between the mated and non-mated distribu- posed method protects the system from the ARM attack. For 717
679 tions. This is because the scaling and normalization steps in demonstration purposes, we use low dimensional real vectors 718
680 Gray code encoding process enhances data consistency, and v1 = [v 11 , v 12 , v 13 , v 14 ] and v2 = [v 21 , v 22 , v 23 , v 24 ] to repre- 719
681 meanwhile, the coding procedure is a quantization process sent the real-valued feature vectors under protection. Suppose 720
682 alleviating the impact of EEG uncertainties associated with that the feature vectors are v1 = [0.19, 0.54, 0.37, 0.84] and 721
683 the brain dynamics. v2 = [0.59, 0.18, 0.04, 0.92]. Given two transformation para- 722
and M2 = [0.50, 0.17; 0.22, 0.09; 0.20, 0.69; 0.76, 0.95]. 726
685 A. Attacks via Record Multiplicity (ARM)
Applying the proposed transformation, we can get two trans- 727
686 A cancellable biometric template design allows distinct formed templates t1 = [0010001110100010] and t2 = 728
687 transformed templates {y1 , y2 , · · · , yn } to be generated from [1010001000100011], which are the codes of real vectors r1 = 729
688 the same raw biometric template x by applying different [0.22, 0.51] and r2 = [0.31, 0.25], respectively. Now, suppose 730
689 transformation parameters {k1 , k2 , · · · , kn }. ARM refers to the that an adversary gets t1 , t2 , k1 , k2 , knows the transformation 731
690 attack that aims to retrieve the raw biometric template x by function, and wants to retrieve v1 and v2 . The first step taken 732
691 correlating multiple transformed templates {y1 , y2 , · · · , yn }, by the adversary would be to decode the binary templates 733
692 assuming that these transformed templates as well as infor- into the corresponding real values, which can be possible in 734
693 mation about the transformation method F and corresponding the worse case, assuming that the adversary is able to collect 735
694 parameters {k1 , k2 , · · · , kn } are available [46]. massive amounts of encoded data and get the distribution of 736
695 The resistance of the proposed method to the ARM attack the values through statistical tools. Suppose that the estimated 737
696 is guaranteed by the non-invertible transformation with three real vectors are r̂1 = [0.2, 0.5] and r̂2 = [0.3, 0.2], then the 738
697 key points, i.e., random projection, random permutation and key step is to solve the following equations: 739
705 this issue, the random permutation and Hadamard product is no unique solution and the solution is highly sensitive to 742
706 operation is performed before the random projection. Note that changes in the estimated r̂. Using Matlab pseudo-inverse func- 743
707 the input of the random projection is actually the Hadamard tion, we get v̂1 = [0.39, 0, 0.85, 0.16] and v̂2 = [1, 0, 1, 0]. 744
708 product of v2 and permutation of v1 as in c = per m(v1, p)◦v2 , However, the cosine similarity of the estimated value and
745
709 where v1 and v2 are two feature vectors; see (3) and (4). ground truth value is v vv̂ v̂ = 0.44, which indicates that the 746
2 2
710 For different values of k in (3), the random permutation and obtained value is far from the true biometric data. Our analysis 747
711 Hadamard product would produce different sets of variables shows that if a transformed template stored in the database is 748
712 for the random projection-based linear equations, thus a well- compromised, it reveals no clue about the original biometric 749
713 defined system of linear equations cannot be established. Since data. Even in the worst-case scenario where multiple sets of 750
3360 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 17, 2022
Fig. 9. Unlinkability analysis of DeepExtractor+Transformation. The mated and non-mated distance distributions and the linkability measures.
759 that is, given y, it is difficult to find x such that y = cellable biometrics, the hill-climbing attack can be launched 786
760 f (x). Such a definition does not fully apply in the context in two ways, as illustrated in Fig. 10. Case I – the adversary 787
761 of transformation-based (i.e. non-cryptographic) cancellable submits and tries to obtain feature vectors v1 and v2 as in 788
762 design schemes. Strictly speaking, for a transformation-based the conventional non-cancellable context [48]. Case II – the 789
763 cancellable design, it is possible to find an input x given y such adversary submits and tries to obtain template t stored in the 790
764 that y = f (x). However, it will be of little value if the solution system. Hill-climbing attacks are a threat to conventional non- 791
765 x is not the original biometric feature under protection and the cancellable biometric systems as the adversary is able to get 792
766 compromised template is revoked. Considering the properties a synthetic feature vector that is very close to the true feature 793
767 of transformation-based cancellable schemes, we therefore vector and compromise the system with it. However, this is 794
768 redefine the pre-image attack as follows: not necessarily true for cancellable biometric systems. In the 795
769 Given a transformed template y, it is difficult to find a following, we will demonstrate that cancellable biometric 796
770 solution x such that y = f (x, K ) = f (x0 , K ) and x = x0 , systems, especially those based on many-to-one mapping, are 797
771 where f (·) is the transformation function with parameter key naturally resistant to hill-climbing attacks. 798
772 K , and x0 is the original biometric feature. The Nelder-Mead algorithm was used to implement the hill- 799
773 The proposed transformation is a many-to-one mapping climbing attack. It is a downhill simplex method that is among 800
774 function, and we have demonstrated in the ARM attack the most well-known algorithms for derivative-free optimiza- 801
775 analysis that it would be difficult to find the real input tion [48]. The evaluation of the objective function F (·) repre- 802
776 in a systematical way. In the following hill-climbing attack sents the difference between the input probe and the reference 803
777 analysis, Case I can also be considered as a pre-image attack. template. The process ends either when the minimum value of 804
778 We will show that the solution found by the hill-climbing the objective function is equal to or less than the system thresh- 805
779 attack is far away from the real input, and therefore, the old (here we set the threshold to the EER operating point) 806
780 solution becomes insignificant once the compromised template or when the maximum number of attempts is reached (here 807
783 This refers to an adversary exploiting the comparison Nat t , the average number of attempts required to successfully 812
784 scores/distances to generate synthetic biometric data that crack an account. We run the hill-climbing attack on two 813
WANG et al.: CANCELLABLE TEMPLATE DESIGN 3361
TABLE V
R ESULTS FOR ATTACKING THE S YSTEM U SING H ILL -C LIMBING
S OLUTIONS A FTER THE C OMPROMISED T EMPLATES A RE
R EVOKED (G RAPH +T RANSFORMATION )
Fig. 11. The SR and Natt of the hill-climbing attack on the system
(Graph+transform). found, it is unlikely that this fake solution can pass the system 862
844 users (SR=0.899 at operating point of EER) whose original Key Scenario Analysis 892
845 templates were successfully attacked by hill-climbing attacks. Spawned from hill-climbing attacks is a new concept, which 893
846 For each of those 98 users, we replaced the compromised we call Second Attacks. It is defined as an attempt to break 894
847 template with a new one using a new key and tested whether into a system using pre-obtained solutions after the system 895
848 the probe generated from the obtained solution using the new has revoked the compromised templates. Accordingly, the 896
849 key is able to match the new template. To have a reliable Second Attack Rate (SAR) is the success rate of these second 897
850 analysis, we randomly generated 200 keys for each user, attack attempts. Here we examine three ways to obtain a valid 898
851 which yields a total number of 19600 (98 × 200) tests. The solution to break in a user account. 899
852 results in Table V show that it is highly unlikely (0/19600) • Mathematical solutions. Assume that the attacker acquires 900
853 that the t̂1 (generated from the adversary’s obtained solution) the user template t and knows the transformation function 901
854 can match the corresponding true template t1 (generated from F, then it is possible to find a solution x̂ such that 902
855 the true feature vectors) to break in the account. A further t = F(x). 903
856 examination shows that the hill-climbing solution {v̂1 , v̂2 } is • Public data solutions. Assume that the attacker has a 904
857 far away from the true feature vectors {v1 , v2 }, with a very low public database X, then for a system with a non-zero 905
858 similarity score of 0.193 ± 0.004. This is because the proposed FMR, it is likely to find x̂ that can pass the system by 906
859 transformation is a many-to-one mapping and irreversible testing each data. 907
860 function, thus it is hard to hit the true solution through hill- • Computational solutions via hill-climbing attacks. 908
861 climbing. Our results prove that even if a temporary solution is Assume that an attacker can submit x to the system and 909
3362 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 17, 2022
SAR R ESULTS U NDER T HREE T YPES OF S OLUTIONS lowing analysis, we take the LDA and SVM, two popular 955
Algorithm 3.
921 E. Entropy and Brute Force Attacks described above has two major issues. 1) Training a binary 965
922 There are two types of formal proof techniques in data SL model requires samples from both classes, and the way it 966
923 security. One refers to the provable security in cryptography splits train/test sets has provided the model with all intruders’ 967
924 which depends on the reduction into a problem’s complexity. data during the training phase. This is incorrect because no 968
925 The problem in our paper does not belong to this category. data from any test intruder should be seen by the verification 969
926 Another formal proof is related to the information-theoretic system until the system is tested. The correct procedure 970
927 leakage, which is virtually about the conditional probability should separate the intruder set from the user set, as applied 971
928 related to the information leakage. As our feature variables in [11]. Adopting the basic idea of separating user and intruder 972
929 are real numbers in an under-defined system of nonlinear sets, we suggest a more reliable evaluation procedure for 973
930 equations, it has theoretically infinite number of solutions, EEG-based verification system (i.e., Algorithm 4). 2) Verifica- 974
931 leading to the zero conditional probability of finding the tion systems based on SL classification models (e.g., LDA and 975
932 genuine feature. Therefore, we provided a close to the worst- SVM) do not have a system operating threshold. An individual 976
933 case information leakage estimation based on the search space classification model is trained for each user, and the overall 977
934 of the encoded input feature (binary), which is the brute force system performance is embodied as a pair of FMR and FNMR. 978
935 attack-based entropy. The ROC curve and EER are reported in some studies, but 979
936 A brute force attack attempts to guess the elements of the such ROC or EER is a measure to examine the output of the 980
937 original EEG feature vectors v1 and v2 through exhaustive classifier, not the ROC or EER of the verification system. 981
938 search. We analyze the search space to show the likelihood Table VII reports the results of PSD features with LDA and 982
939 of finding the secret successfully from the search space. In the SVM classifiers under the two evaluation procedures in dif- 983
940 proposed system, both v1 and v2 have a length of D × n bits, ferent settings. The first observation is that the standard clas- 984
941 where we have D = 1000 and n = 8 in our experimental sification evaluation procedure gives false high performance, 985
942 setup. Therefore, the number of trials needed to attack the especially the FMR, because it erroneously feeds intruder 986
943 system would be 28000 , which is computationally expensive. data to the model during the training phase. In addition, the 987
944 In actual deployment, the settings of D and n can be adjusted performance of classification-based verification systems relies 988
945 according to the requirements. For example, a larger D can on a good training set. With less training data (a smaller 989
946 further enhance the security level, however, it is worth noting number of users in the system dropped from 80 to 30), 990
947 that a larger D also implies a higher computational cost or the performance would degrade. Another concern is that the 991
948 less efficiency in data collection. There is a trade-off between 80%-20% data split, a very common setup in classification 992
949 performance, security and system efficiency. tasks, may be too lax for testing an verification system. For 993
952 Many papers on EEG biometrics treat verification as a 12 samples are used for positive testing. Our results show 997
953 pure classification problem without considering the differences that reducing the split ratio (from 80% to 33%) also degrades 998
WANG et al.: CANCELLABLE TEMPLATE DESIGN 3363
Learning-Based Verification [1] A. Hadid, N. Evans, S. Marcel, and J. Fierrez, “Biometrics sys- 1027
1 Split database into user set U and intruder set I tems under spoofing attack: An evaluation methodology and lessons 1028
learned,” IEEE Signal Process. Mag., vol. 32, no. 5, pp. 20–30, 1029
2 IntruderTests ← intruder set I Sep. 2015. 1030
3 predictions = [] [2] E. Marasco and A. Ross, “A survey on antispoofing schemes for 1031
4 for u = 1 to U do fingerprint recognition systems,” ACM Comput. Surveys, vol. 47, no. 2, 1032
pp. 1–36, Jan. 2015. 1033
5 re-label data of subject u as 1 (user) [3] N. D. Sarier, “Multimodal biometric authentication for mobile edge 1034
6 re-label data of other subjects as 0 (non-user) computing,” Inf. Sci., vol. 573, pp. 82–99, Sep. 2021. 1035
7 train-test-split (80%, 20%) (or 5-fold cross-validation) [4] Q. Gui, M. V. Ruiz-Blondet, S. Laszlo, and Z. Jin, “A survey on brain 1036
biometrics,” ACM Comput. Surv., vol. 51, no. 6, pp. 1–38, 2019.
SL model ← SL model training on train set
1037
8 [5] M. Wang, H. El-Fiqi, J. Hu, and H. A. Abbass, “Convolutional neural 1038
9 UserTests ← testing data of label 1 networks using dynamic functional connectivity for EEG-based person 1039
10 predictions ← SL model testing on UserTests identification in diverse human states,” IEEE Trans. Inf. Forensics 1040
Security, vol. 14, no. 12, pp. 3259–3272, Dec. 2019.
predictions ← SL model testing on IntruderTests
1041
11 [6] D. La Rocca, P. Campisi, and G. Scarano, “EEG biometrics for 1042
12 end individual recognition in resting state with closed eyes,” in Proc. 1043
13 accuracy ← confusion matrix (predictions, ground truth) Int. Conf. Biometrics Special Interest Group (BIOSIG), Sep. 2012, 1044
pp. 1–12. 1045
[7] D. La Rocca et al., “Human brain distinctiveness based on EEG spectral 1046
coherence connectivity,” IEEE Trans. Biomed. Eng., vol. 61, no. 9, 1047
TABLE VII pp. 2406–2412, Sep. 2014. 1048
R ESULTS (%) U NDER D IFFERENT E VALUATION P ROCEDURES FOR [8] M. V. Ruiz-blondet, Z. Jin, and S. Laszlo, “CEREBRE: A novel method 1049
C LASSIFICATION -BASED S YSTEMS for very high accuracy event-related potential biometric identification,” 1050
IEEE Trans. Inf. Forensics Security, vol. 11, no. 7, pp. 1618–1629, 1051
Jul. 2016. 1052
[9] E. Maiorana, D. La Rocca, and P. Campisi, “On the permanence of EEG 1053
signals for biometric recognition,” IEEE Trans. Inf. Forensics Security, 1054
vol. 11, no. 1, pp. 163–175, Jan. 2016. 1055
[10] M. Wang, J. Hu, and H. A. Abbass, “BrainPrint: EEG biometric 1056
identification based on analyzing brain connectivity graphs,” Pattern 1057
Recognit., vol. 105, Sep. 2020, Art. no. 107381. 1058
[11] A. Riera, A. Soria-Frisch, M. Caparrini, C. Grau, and G. Ruffini, 1059
“Unobtrusive biometric system based on electroencephalogram analy- 1060
sis,” EURASIP J. Adv. Signal Process., vol. 2008, no. 1, pp. 1–8, 1061
Dec. 2007. 1062
[12] S. Yang, F. Deravi, and S. Hoque, “Task sensitivity in EEG biometric 1063
recognition,” Pattern Anal. Appl., vol. 21, no. 1, pp. 105–117, 2016. 1064
999 performance. We hope to use this demonstration to rectify the [13] E. Debie, N. Moustafa, and A. Vasilakos, “Session invariant EEG 1065
signatures using elicitation protocol fusion and convolutional neural 1066
1000 misconception of many existing studies evaluating classifier- network,” IEEE Trans. Dependable Secure Comput., vol. 19, no. 4, 1067
1001 based verification systems. pp. 2488–2500, Jul. 2022. 1068
[14] O. Landau, R. Puzis, and N. Nissim, “Mind your mind: EEG-based 1069
1002 VII. C ONCLUSION brain-computer interfaces and their security in cyber space,” ACM 1070
Comput. Surveys, vol. 53, no. 1, pp. 1–38, Jan. 2021. 1071
1003 In this study, we proposed a cancellable biometrics scheme [15] Y. Höller and A. Uhl, “Do EEG-biometric templates threaten user 1072
1004 for privacy-preserving EEG-based verification systems. To be privacy?” in Proc. 6th ACM Workshop Inf. Hiding Multimedia Secur., 1073
1005 specific, an innovative non-invertible transformation was Jun. 2018, pp. 31–42. 1074
[16] P. Campisi and D. La Rocca, “Brain waves for automatic biometric- 1075
1006 designed to generate cancellable templates from EEG features based user recognition,” IEEE Trans. Inf. Forensics Security, vol. 9, 1076
1007 extracted by a deep learning model while taking advantage no. 5, pp. 782–800, May 2014. 1077
1008 of signal elicitation protocol fusion to enhance biometric per- [17] T. Nakamura, V. Goverdovsky, and D. P. Mandic, “In-ear EEG biomet- 1078
rics for feasible and readily collectable real-world person authentica- 1079
1009 formance. The results demonstrated that the proposed method tion,” IEEE Trans. Inf. Forensics Security, vol. 13, no. 3, pp. 648–661, 1080
1010 provides a superior verification performance than the state-of- Mar. 2018. 1081
1011 the-art, prevents the leakage of the sensitive information con- [18] Z. Mu, J. Hu, and J. Min, “EEG-based person authentication using a 1082
fuzzy entropy-related approach with two electrodes,” Entropy, vol. 18, 1083
1012 tained in the EEG data, and is secure against the ARM attack, no. 12, p. 432, 2016. 1084
1013 pre-image attack, hill-climbing attack, and brute force attack. [19] M. Fraschini, S. M. Pani, L. Didaci, and G. L. Marcialis, “Robustness 1085
1014 In particular, we examined two ways to perform hill-climbing of functional connectivity metrics for EEG-based personal identification 1086
over task-induced intra-class and inter-class variations,” Pattern Recog- 1087
1015 attacks, and demonstrated that the solution found through nit. Lett., vol. 125, pp. 49–54, Jul. 2019. 1088
1016 hill-climbing attacks would fail once the system revokes the [20] B.-K. Min, H.-I. Suk, M.-H. Ahn, M.-H. Lee, and S.-W. Lee, “Individual 1089
1017 compromised template. In other words, cancellable biometric identification using cognitive electroencephalographic neurodynamics,” 1090
IEEE Trans. Inf. Forensics Security, vol. 12, no. 9, pp. 2159–2167, 1091
1018 systems, especially those based on many-to-one mapping, are Sep. 2017. 1092
1019 naturally resilient against hill-climbing attacks. We also intro- [21] M. Fraschini, A. Hillebrand, M. Demuru, L. Didaci, and G. L. Marcialis, 1093
1020 duced the concept of second attacks for cancellable biometric “An EEG-based biometric system using eigenvector centrality in resting 1094
state brain networks,” IEEE Signal Process. Lett., vol. 22, no. 6, 1095
1021 systems. Finally, we discussed the evaluation procedure of pp. 666–670, Jun. 2015. 1096
1022 supervised learning-based verification systems and the pitfalls [22] E. Maiorana, “Deep learning for EEG-based biometric recognition,” 1097
1023 involved. Our future work will further this line of research to Neurocomputing, vol. 410, pp. 374–386, Oct. 2020. 1098
[23] E. Maiorana, “Learning deep features for task-independent EEG-based 1099
1024 explore the possibility of integrating cryptographic schemes biometric verification,” Pattern Recognit. Lett., vol. 143, pp. 122–129, 1100
1025 into verification systems [49]. Mar. 2021. 1101
3364 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 17, 2022
1102 [24] E. Maiorana, “EEG-based biometric verification using Siamese CNNs,” [45] M. Gomez-Barrero, J. Galbally, C. Rathgeb, and C. Busch, “Gen- 1166
1103 in Proc. Int. Conf. Image Anal. Process. Cham, Switzerland: Springer, eral framework to evaluate unlinkability in biometric template pro- 1167
1104 2019, pp. 3–11. tection systems,” IEEE Trans. Inf. Forensics Security, vol. 13, no. 6, 1168
1105 [25] C. He, X. Lv, and Z. J. Wang, “Hashing the mAR coefficients from pp. 1406–1420, Jun. 2018. 1169
1106 EEG data for person authentication,” in Proc. IEEE Int. Conf. Acoust., [46] C. Li and J. Hu, “Attacks via record multiplicity on cancelable bio- 1170
1107 Speech Signal Process., Apr. 2009, pp. 1445–1448. metrics templates,” Concurrency Comput., Pract. Exper., vol. 26, no. 8, 1171
1108 [26] G. Bajwa and R. Dantu, “Neurokey: Towards a new paradigm of can- pp. 1593–1605, Jun. 2014. 1172
1109 celable biometrics-based key generation using electroencephalograms,” [47] S. Wang and J. Hu, “Alignment-free cancelable fingerprint template 1173
1110 Comput. Secur., vol. 62, pp. 95–113, Sep. 2016. design: A densely infinite-to-one mapping (DITOM) approach,” Pattern 1174
1111 [27] S. Yang and F. Deravi, “On the usability of electroencephalographic Recognit., vol. 45, no. 12, pp. 4129–4137, 2012. 1175
1112 signals for biometric recognition: A survey,” IEEE Trans. Human-Mach. [48] E. Maiorana, G. E. Hine, D. L. Rocca, and P. Campisi, “On the 1176
1113 Syst., vol. 47, no. 6, pp. 958–969, Dec. 2017. vulnerability of an EEG-based biometric system to hill-climbing attacks 1177
1114 [28] R. Damaševicius, R. Maskeliunas, E. Kazanavicius, and M. Wozniak, algorithms comparison and possible countermeasures,” in Proc. IEEE 1178
1115 “Combining cryptography with EEG biometrics,” Comput. Intell. Neu- 6th Int. Conf. Biometrics, Theory, Appl. Syst. (BTAS), Sep. 2013, 1179
1116 rosci., vol. 2018, pp. 1–11, May 2018. pp. 1–6. 1180
1117 [29] E. Maiorana, D. L. Rocca, and P. Campisi, “Cognitive biometric cryp- [49] D. Saríer, “Biometric cryptosystems: Authentication, encryption and 1181
1118 tosystems a case study on EEG,” in Proc. Int. Conf. Syst., Signals Image signature for biometric identities,” Ph.D. dissertation, Fac. Math. Natural 1182
1119 Process. (IWSSIP), Sep. 2015, pp. 125–128. Sci., Rheinische Friedrich-Wilhelms-Univ. Bonn, Bonn, Germany, 2013. 1183
1120 [30] K. Simoens, J. Bringer, H. Chabanne, and S. Seys, “A framework [50] E. Maiorana, G. E. Hine, and P. Campisi, “Hill-climbing attacks on 1184
1121 for analyzing template security and privacy in biometric authentication multibiometrics recognition systems,” IEEE Trans. Inf. Forensics Secu- 1185
1122 systems,” IEEE Trans. Inf. Forensics Security, vol. 7, no. 2, pp. 833–841, rity, vol. 10, no. 5, pp. 900–915, May 2015. 1186
1123 Apr. 2012.
1124 [31] A. Manisha and N. Kumar, “Cancelable biometrics: A comprehensive
1125 survey,” Artif. Intell. Rev., vol. 53, pp. 3403–3446, Oct. 2019.
1126 [32] H. Zhang, W. Bian, B. Jie, D. Xu, and J. Zhao, “A complete user Min Wang (Member, IEEE) received the Ph.D. 1187
1127 authentication and key agreement scheme using cancelable biometrics degree in computer science from the University of 1188
1128 and PUF in multi-server environment,” IEEE Trans. Inf. Forensics New South Wales, Canberra, Australia, in 2020. 1189
1129 Security, vol. 16, pp. 5413–5428, 2021. She is currently a Post-Doctoral Research Fellow 1190
1130 [33] N. D. Sarier, “Practical multi-factor biometric remote authentication,” with the School of Engineering and Information 1191
1131 in Proc. 4th IEEE Int. Conf. Biometrics, Theory, Appl. Syst. (BTAS), Technology, University of New South Wales. Her 1192
1132 Sep. 2010, pp. 1–6. research interests include biometrics, pattern recog- 1193
1133 [34] A. Mansfield, Information Technology—Biometric Performance Testing nition, machine learning, brain–computer interface, 1194
1134 and Reporting—Part 1: Principles and Framework, Standard ISO/IEC and bio-cryptography. 1195
1135 19795-1, 2006.
1136 [35] A. L. Goldberger et al., “PhysioBank, PhysioToolkit, and PhysioNet,”
1137 Circulation, vol. 101, no. 23, Jun. 2000.
1138 [36] P. Arnau-Gonzalez, S. Katsigiannis, M. Arevalillo-Herraez, and
1139 N. Ramzan, “BED: A new data set for EEG-based biometrics,” IEEE Song Wang received the B.Eng. degree in electrical 1196
1140 Internet Things J., vol. 8, no. 15, pp. 12219–12230, Aug. 2021. engineering from Xi’an Jiaotong University, China, 1197
1141 [37] W.-L. Zheng, W. Liu, Y. Lu, B.-L. Lu, and A. Cichocki, “EmotionMeter: in 1991, and the Ph.D. degree in control theory from 1198
1142 A multimodal framework for recognizing human emotions,” IEEE Trans. the University of Melbourne, Australia, in 2001. 1199
1143 Cybern., vol. 49, no. 3, pp. 1110–1122, Mar. 2019. She is currently a Senior Lecturer with the Depart- 1200
1144 [38] G. Schalk, D. J. McFarland, T. Hinterberger, N. Birbaumer, and ment of Engineering, La Trobe University, Australia. 1201
1145 J. R. Wolpaw, “BCI2000: A general-purpose brain-computer inter- She has published many high-quality articles in 1202
1146 face (BCI) system,” IEEE Trans. Biomed. Eng., vol. 51, no. 6, highly ranked journals, such as Pattern Recognition, 1203
1147 pp. 1034–1043, Jun. 2004. IEEE T RANSACTIONS ON I NDUSTRIAL I NFOR - 1204
1148 [39] L. J. Gabard-Durnam, A. S. M. Leal, C. L. Wilkinson, and A. R. Levin, MATICS , and IEEE T RANSACTIONS ON I NFOR - 1205
1149 “The Harvard automated processing pipeline for electroencephalography MATION F ORENSICS AND S ECURITY . Her main 1206
1150 (HAPPE): Standardized processing software for developmental and research interests include biometric security. 1207
1151 high-artifact data,” Frontiers Neurosci., vol. 12, p. 97, Feb. 2018.
1152 [40] P. Campisi et al., “Brain waves based user recognition using the ‘eyes
1153 closed resting conditions’ protocol,” in Proc. IEEE Int. Workshop Inf.
1154 Forensics Secur., Nov. 2011, pp. 1–6. Jiankun Hu (Senior Member, IEEE) is currently a 1208
1155 [41] W. Chen, Z. Wang, H. Xie, and W. Yu, “Characterization of surface EMG Full Professor in cyber security with the School of 1209
1156 signal based on fuzzy entropy,” IEEE Trans. Neural Syst. Rehabil. Eng., Engineering and Information Technology, University 1210
1157 vol. 15, no. 2, pp. 266–272, Jun. 2007. of New South Wales, Canberra, Australia. His main 1211
1158 [42] A. B. J. Teoh, Y. W. Kuan, and S. Lee, “Cancellable biometrics and anno- research interests are in the field of cyber security, 1212
1159 tations on BioHash,” Pattern Recognit., vol. 41, no. 6, pp. 2034–2044, including biometrics security, where he has publi- 1213
1160 2008. cations at top venues, including the IEEE T RANS - 1214
1161 [43] G. O. Williams, “The use of d’ as a ‘decidability’ index,” in Proc. 30th ACTIONS ON PATTERN A NALYSIS AND M ACHINE 1215
1162 Annu. Int. Carnahan Conf. Secur. Technol., 1996, pp. 65–71. I NTELLIGENCE. He has served on the Editorial 1216
1163 [44] Q. N. Tran and J. Hu, “A multi-filter fingerprint matching framework Boards of up to seven international journals, includ- 1217
1164 for cancelable template design,” IEEE Trans. Inf. Forensics Security, ing the IEEE T RANSACTIONS ON I NFORMATION 1218
1165 vol. 16, pp. 2926–2940, 2021. F ORENSICS AND S ECURITY. 1219