FEBRUARY 2017 | VOL. 60 | NO. 2 | COMMUNICATIONS OF THE ACM 113
pulse signal. Flexibility of the waveform generator is useful
during the initial design phase and allows us to generate the
required pulse waveforms in the final classifier. To measure the
pulse waveform after the signal passes through a test subject
we used an Agilent digital storage oscilloscope which allows
storage of the waveform data for later analysis. The output
of the waveform generator is connected to a brass handle that
the user holds in the left hand. The other brass handle is connected to the oscilloscope signal input terminal. When a test
subject holds one electrode in each hand the signal travels
from the generator through the body and into the oscilloscope.
To ensure exact triggering, the oscilloscope is connected to the
synchronization output of the waveform generator.
7.2. Ethics and user safety
Our experimental prototype setup and its safety and methodology have been reviewed and authorized by the Central
University Research Ethics Committee of the University of
Oxford, under approval reference MSD-IDREC-C1-2014-156.
7.3. Biometric capture procedure
Each subject followed a specific procedure during the biometric measurement process to ensure that only minimal
noise is introduced into the measured data. In the initial
design phase, each test subject was sampled 10 times for
each of the different signal types, for each voltage level and
for various frequencies. Once we selected the pulse signal
with the best results, samples were acquired for two data
sets. The first consisted of 22 samples for each subject, taken
in one measuring session, that is, at one point in time. The
second included 25 samples per test person, obtained in five
different sessions, over time. This was done to assess stability of the biometric over time.
The subject population included both males and females
between the ages of 24 and 38. We sampled all test subjects
at different times during the day over the course of several
weeks. We tried to sample subjects in order to end up with
sampling conditions as diverse as possible, for each subject.
The interval between measurement sessions for the same
rounds. This grows to 99.99999997% after 50 rounds. Thus,
not surprisingly, acquisition frequency determines the time
to detect the adversary.
What the very high 99.999+% detection probability is really
saying is that, if you just test enough times, the authentication will eventually fail. It matches very well with our experiments and it is true even for a legitimate user (although
much less frequently). For this reason we need a way to handle false negatives.
6.4. Handling false negatives
False negatives refer to incorrect detection of adversarial
presence. If the biometric is used as an additional layer of
security during the authentication procedure, this can be
managed simply by restarting the login procedure, if the
first attempt fails. However, in a continuous authentication
setting, where a single (and possibly incorrect) detection
might cause the system to lock up, false negatives have to be
handled more thoughtfully.
One approach is to specify a policy that allows a certain
number of detection events every nth round, without taking
any action. For example, allowing one event every 100 rounds
corresponds to a false negative rate of 1%. Another option is
to integrate a less user-friendly (less transparent) biometric
to deal with ambiguous detection events. For example, after
a few detection events, the user might be asked to confirm
his identity by swiping a thumb on a fingerprint scanner.
Yet another alternative is the gradual ramp up of the severity of actions taken by the CAP, for each successive detection
event. For the first time, displaying a warning might be the
most appropriate action. If detection re-occurs, more and
more severe actions can be taken. It is very unlikely, with a reasonably low false negative rate, to have multiple consecutive
adversary detection events if the original user is still at the terminal. Although the false positive rates we achieve are quite
low, they could certainly be improved with a more advanced
biometrics capture system. In conjunction with a sensible
policy, our continuous authentication system might be appropriate for any organization with high security requirements.
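The policies described above, combined into one decision routine as an added example (not code from the paper): a sliding window tolerates one detection event per 100 rounds, and each further event inside the window moves one step up a warn, step-up, lock ladder. The class name, action names and verdict streams are assumptions constructed for illustration.

```python
from collections import deque

# Escalation ladder, mildest first (action names are illustrative assumptions).
LADDER = ("warn", "step_up_auth", "lock")

class CapPolicy:
    """Decide what the CAP does with each per-round classifier verdict."""

    def __init__(self, window=100, tolerated=1):
        self.window = window        # n: number of rounds considered together
        self.tolerated = tolerated  # detection events ignored per window
        self.recent = deque()       # round numbers of recent detection events
        self.round = 0

    def observe(self, detected):
        """Feed one round; detected=True means the sample did not match the user."""
        self.round += 1
        # Forget events that have slid out of the last `window` rounds.
        while self.recent and self.recent[0] <= self.round - self.window:
            self.recent.popleft()
        if not detected:
            return "none"
        self.recent.append(self.round)
        excess = len(self.recent) - self.tolerated
        if excess <= 0:
            return "none"           # within the tolerated false-negative budget
        # Each further event in the window moves one step up the ladder.
        return LADDER[min(excess, len(LADDER)) - 1]

def run(policy, verdicts):
    """Return (round, action) for every round that triggered an action."""
    actions = []
    for detected in verdicts:
        action = policy.observe(detected)
        if action != "none":
            actions.append((policy.round, action))
        if action == "lock":
            break                   # terminal is locked, stop sampling
    return actions

# Constructed verdict streams (not measurements from the paper).
LEGIT = [r in (40, 170) for r in range(1, 301)]              # two isolated misclassifications
INTRUDER = [r >= 201 and r % 3 != 0 for r in range(1, 301)]  # takeover at round 201

if __name__ == "__main__":
    print("legitimate user:", run(CapPolicy(), LEGIT))
    print("intruder:", run(CapPolicy(), INTRUDER))
```

The outcome of the step-up check (for example the fingerprint swipe) is not modelled; a deployment would clear the event window when it succeeds.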
Starting out with the hypothesis that the biometric measurement varies depending on the frequency of the signal transmitted through the human body, we rigorously experimented
with various frequencies, voltage levels and waveforms. We
also assessed several classification algorithms. Our experiments suggested the choice of 100 ns long square pulses at 1 V
as the input signal (see Figure 4) and Support Vector Machines
(SVM) for classifying samples. Hence, the name pulse-response
biometric. Complete analysis can be found in the full version
of this paper. 8
7.1. Measurement setup
In order to gather stable and accurate pulse-response measurements we build a data acquisition platform consisting of:
(1) an arbitrary waveform generator, (2) an oscilloscope, (3) a
pair of brass electrode handles, and (4) a desktop computer to
control the apparatus. Figure 3 is a photo of our setup. We use
an Agilent arbitrary waveform generator as the source of the
Figure 3. Proof-of-concept measurement setup. The test subject holds
two brass electrode handles and the pulse signal is generated by an
Agilent 33220A (20 MHz) arbitrary waveform generator. The receiver
is an Agilent DSO3062A (60 MHz), 1 GSa/s digital storage oscilloscope.