Supervised and Unsupervised Alignments for Spoofing Behavioral Biometrics

Thomas Thebaud, Gaël Le Lan, Anthony Larcher

TL;DR

This paper analyzes vulnerabilities in embedding-based behavioral biometrics to template reconstruction attacks when the attacker has no access to the encoder. It introduces supervised Procrustes and unsupervised Wasserstein Procrustes rotational alignments to bridge attacker and target embedding spaces, enabling reconstruction for handwriting and speech systems via decoders (LSTM-MDN for handwriting and AutoVC-based speech decoding). Key findings show that unsupervised alignments can achieve spoofing performance close to oracle/supervised bounds, revealing significant security risks for stolen templates. The work highlights the need for stronger defenses, such as bio-hashing, and suggests future exploration of non-linear alignments and additional behavioral modalities to robustify biometric systems.

Abstract

Biometric recognition systems are security systems based on intrinsic properties of their users, usually encoded in high-dimensional representations called embeddings, whose potential theft would represent a greater threat than a temporary password or a replaceable key. To study the threat of embedding theft, we perform spoofing attacks on two behavioral biometric systems (an automatic speaker verification system and a handwritten digit analysis system) using a set of alignment techniques. Biometric recognition systems based on embeddings work in two phases: enrollment, where embeddings are collected and stored, then authentication, when new embeddings are compared to the stored ones. The threat of stolen enrollment embeddings has been explored by the template reconstruction attack literature: reconstructing the original data to spoof an authentication system is doable with black-box access to the encoder. In this document, we explore the options available to perform template reconstruction attacks without any access to the encoder. To perform those attacks, we suppose general rules over the distribution of embeddings across encoders and use supervised and unsupervised algorithms to align an unlabeled set of embeddings with a set from a known encoder. The use of an alignment algorithm from the unsupervised translation literature gives promising results on spoofing two behavioral biometric systems.
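To gauge the exposure described above on your own embeddings, the supervised Procrustes step named in the TL;DR can be reproduced on synthetic data. This is an added example, not code from the paper: the data is constructed, and the premise that the two embedding spaces differ by an orthogonal rotation plus small noise, like every function name below, is an assumption made for illustration.

```python
import numpy as np

def random_rotation(dim, rng):
    """Random orthogonal matrix (QR of a Gaussian matrix, sign-fixed)."""
    q, r = np.linalg.qr(rng.standard_normal((dim, dim)))
    return q * np.sign(np.diag(r))

def procrustes_rotation(src, dst):
    """Orthogonal W minimising ||src @ W - dst||_F (closed form via SVD)."""
    u, _, vt = np.linalg.svd(src.T @ dst)
    return u @ vt

def mean_cosine(a, b):
    """Mean row-wise cosine similarity, a common verification score."""
    num = np.sum(a * b, axis=1)
    return float(np.mean(num / (np.linalg.norm(a, axis=1) * np.linalg.norm(b, axis=1))))

def alignment_risk(dim=32, n_pairs=200, n_test=50, noise=0.05, seed=0):
    """Return (score_before, score_after, W) on held-out constructed embeddings."""
    rng = np.random.default_rng(seed)
    # Constructed data: the same inputs seen by two encoders whose spaces
    # differ by a hidden rotation plus small noise (assumption, see lead-in).
    known = rng.standard_normal((n_pairs + n_test, dim))
    hidden = random_rotation(dim, rng)
    target = known @ hidden + noise * rng.standard_normal(known.shape)
    # Fit the rotation on labelled pairs only (the supervised setting).
    w = procrustes_rotation(target[:n_pairs], known[:n_pairs])
    held_t, held_k = target[n_pairs:], known[n_pairs:]
    before = mean_cosine(held_t, held_k)
    after = mean_cosine(held_t @ w, held_k)
    return before, after, w

if __name__ == "__main__":
    before, after, _ = alignment_risk()
    print(f"held-out cosine before alignment: {before:+.3f}")
    print(f"held-out cosine after alignment:  {after:+.3f}")
```

A held-out score near 1 after alignment means embeddings from the unseen encoder become directly comparable in the known space, so keeping the encoder secret does not by itself protect stored templates.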

Paper Structure (47 sections, 7 equations, 4 figures, 5 tables)

Figures (4)

  • Figure 1: 4 handwritten digits drawings. The blue point marks the start of the drawing.
  • Figure 2: Schematic of the threat model considered. The datasets $\mathcal{D}$ are in red, the embeddings set $\mathcal{E}$ are in blue, encoders are in purple, decoders are in yellow, and the alignments are in green. Here, the target datasets and the target encoder are not accessible to the attacker, so they are grayed out.
  • Figure 3: 4 digits reconstructed by different decoders after being computed by different encoders. The first line is the raw drawings. Each drawing starts with a blue point.
  • Figure 4: 4 digits reconstructed by the $Dec_{MDN}$ decoder after being computed by the $Enc_{target}$ encoder. The first line is the raw drawings. Each drawing starts with a blue point.