Lecture 3

Ambient Intelligence (AmI)


Electronic environments that are sensitive and responsive to the presence of people.

Internet of Everything (IoE)


A self‐configuring wireless network of sensors whose purpose would be to interconnect all
things

Smart Nation:
People are empowered by technology to lead meaningful and fulfilled lives. Through
harnessing the power of networks, data and info‐comm technologies, we seek to improve
living, create economic opportunity and build a closer community. Cyber Security is key!

Biometrics
Many different types: Handwriting, face recognition (2D and 3D), vein, fingerprints, hand
geometry, retinal scans, iris scans, etc.

Problems
False positive: incorrectly identifies someone as a match, e.g. a terrorist, an authorized user, etc.
False negative: incorrectly fails to identify someone as a match.

The Future of ATM ‐ Biometrics:


The computer in a biometric ATM can identify a bank customer and scan their iris even from
2 meters. The camera inside the machine takes a focused photo of the eye in black & white,
while the system measures the structure of the iris and how light and dark areas fall upon
it. A successful ID generates a code which is essentially the customer's PIN.

Palm Vein Recognition


• Consists of a Near‐IR light source and an imaging module.
- Deoxidized haemoglobin in the palm’s veins is a better absorber of Near‐IR light
compared to surrounding flesh tissue.
- Creates a unique pattern of dark veins against a lighter background pigment

• Advantages of Palm Vein:


- No hair to block scan
- No pigment to change colour

Spoof Attack on Palm Vein Scanner


The spoofing attack was done on ver.1 of the software. The user is first enrolled using his live
palm and the resulting palm vein image is screen‐captured. Using the screen capture image and a
laser printer, the palm vein image is printed out on plain paper. The printed palm vein image is
subsequently used and successfully identified by the system. “Identification Successful”
indicates the successful spoofing of the system.

Retina Scan
Retina scan works off the blood vessels on the back of the eye. The pattern is different even for
twins. The eye is situated within 0.5 inch of the capture device and the user looks at a rotating
green light. > 400 points taken (fingerprint is 30‐40 points). Very accurate. Low False Accept
rate 0.0001%. It’s not popular, as it is costly (overtaken by iris).

Iris Recognition:
Iris recognition is one of the top biometrics ID technologies in a study conducted by the
National Physical Laboratory, UK. Achieved 1.8% false rejection rate, compared to 10~25%
for others. Among the fastest in user transaction speed. Only ID technology to achieve close to
0% false acceptance rate.

Example: IRIS Recognition:


• UK Trial (3 cameras used):
- Height detector required for selecting the correct iris scanner
- “One person only” system does not work perfectly
- Has problems with people who are more than 6 feet tall.
- Wheelchair users have problems
- Black people have more problems enrolling
- Blind cannot enrol, specs (bifocal)
- Expensive and complex
- When it fails (1 in 100), don’t know why
• Standards? May be affected by wavelength used, algorithms, schemes etc.
• 1:n results on John Daugman's Iris Recognition algorithm
- Possibility of an FAR beyond a search record size of 1.2 million.

Challenges of Biometrics:
• Database stores only the template; the actual image is not reproducible.
• System accuracy, speed, scalability
• Security attacks (fake iris, fake fingers, backend storage etc.)
• A fuzzy return: how to make sense of and be sure about the results. Biometrics is a science of
providing estimates, but this is not well understood.
• Does it tell more than what we thought? Is it sexist? Racist? (gene monitoring)

More Fears
• Privacy – work site monitoring.
• In some countries, the privacy commission has specific regulations. What are these and am
I in compliance? Big debate.
• Discriminatory? A bad story for the handicapped.
• User Fears – damage to eyes, cultural rejection

Fake Finger Attacks

How to compare, e.g. Finger Print vs Finger Vein


No contact needed for Finger Vein, hence, no latent prints or hygiene issues
Sometimes harder to forge, not affected by weather or age.
Higher Accuracy for Finger Vein.

Biometrics Comparison Chart


Problems:
Dry fingers are often a problem at immigration counters.
Iris scanners (and other camera based systems) can be affected by motion blur.
Systems affected by cultural issues (can’t do facial recognition for covered women, coal miners
can’t do finger prints, aircraft technicians have fingers with no prints …)
New demand for biometric devices to be connected to mobile phones/ tablets.

Biometrics Glossary
FAR (False Acceptance Rate) Probability of cases in which a biometric system incorrectly
authorizes an unauthorized person. It happens when a biometric system, solution or
application inaccurately matches a biometric input with a stored template, incorrectly returning
a match and granting access to an unauthorized person. It is one of the commonly used metrics
in biometric recognition systems for assessing the performance of the system. False acceptance
is an undesirable result from a biometric system. It is expressed as the percentage of instances
where the system will authorize an unauthorized person. For example, FAR = 0.1% means
that in 1 out of 1000 cases, a biometric system, solution or application is likely to grant
access to an unauthorized individual. In systems where the level of security is high, the
existence of false positives is a serious problem; for these systems FAR = 0 is the desirable
scenario, i.e. there should be no false positives.

False Rejection Rate (FRR) Probability of cases in which a biometric system incorrectly denies
access to an authorized person. This would be a false negative!

Equal Error Rate (EER) Performance measure used to predetermine the threshold values for
a system's False Match Rate (FMR) and False Non‐Match Rate (FNMR). Plotting the two rates
against the threshold gives a point where the FMR and FNMR curves intersect: the EER. EER is
the point where false match and false non‐match rates are minimal and optimal. A lower EER
value is considered good for a biometric system. The EER value indicates that the proportion of
false acceptances is equal to the proportion of false rejections. The lower the equal error rate
value, the higher the accuracy of the biometric system.
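
As an added example (not part of the original lecture notes), the Python sketch below computes FAR, FRR and the EER from match scores, and shows how a per-comparison FAR grows in a 1:n search. The scores are constructed sample data, the function names are hypothetical, and the 1:n formula assumes independent comparisons.

```python
# Added example: FAR, FRR and EER from match scores (constructed data).
# Scores are similarities in [0, 1]; a score >= threshold is accepted.
GENUINE = [0.91, 0.85, 0.78, 0.88, 0.62, 0.95, 0.81, 0.70, 0.89, 0.55]   # same person
IMPOSTOR = [0.12, 0.35, 0.48, 0.22, 0.58, 0.30, 0.41, 0.66, 0.18, 0.27]  # other people


def far(impostor, threshold):
    """False Acceptance Rate: fraction of impostor attempts accepted."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(genuine, threshold):
    """False Rejection Rate: fraction of genuine attempts rejected."""
    return sum(s < threshold for s in genuine) / len(genuine)


def equal_error_rate(genuine, impostor, steps=1000):
    """Sweep the threshold and return (threshold, FAR, FRR) at the point
    where the two curves are closest; that crossing is the EER."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        a, r = far(impostor, t), frr(genuine, t)
        if best is None or abs(a - r) < abs(best[1] - best[2]):
            best = (t, a, r)
    return best


def far_one_to_n(far_single, n):
    """Probability of at least one false match when one probe is compared
    against n enrolled templates (assumes independent comparisons)."""
    return 1 - (1 - far_single) ** n


if __name__ == "__main__":
    t, a, r = equal_error_rate(GENUINE, IMPOSTOR)
    print(f"EER threshold={t:.3f}  FAR={a:.1%}  FRR={r:.1%}")
    # Raising the threshold until FAR = 0 costs more false rejections.
    print(f"threshold=0.67  FAR={far(IMPOSTOR, 0.67):.1%}  FRR={frr(GENUINE, 0.67):.1%}")
    # The glossary's FAR = 0.1% applied to 1:n identification.
    for n in (1, 1000, 1_200_000):
        print(f"n={n:>9}  P(any false match)={far_one_to_n(0.001, n):.4f}")
```

Pushing the threshold up to reach FAR = 0 raises the FRR, which is the trade-off the EER summarises in one number.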

CIIP: Critical Information Infrastructure Protection


Computers and networks whose failure would have a disastrous impact on the economy,
affecting morale and reputation through massive inconvenience or loss of human lives. Examples
of critical systems (11): Hospitals, Transportation, e.g. MRT trains, Fund transfer and national
payment systems, Power generation and distribution, Utilities, Critical Supply Chain, etc.

CIIP Impact – Just Imagine


No power – food will go bad, elevators will stop, factories will close, no one can work and your
PCs will be down and traffic lights will not work. When all the servers go down, there will be
further cascading effects. All your phones are dead. All ATMs and credit cards are down.

Why is it easy to bring down SCADA systems? They were designed long ago, at a time when there
was no awareness of security. They run non‐stop, so there’s no opportunity to upgrade them,
repair weaknesses or patch the systems. In some cases, no one knows enough about what needs to
be done, what is installed where, or what happens when something is turned off.

* Supervisory control and data acquisition (SCADA) is a system of software and hardware
elements that allows industrial organizations to: Control industrial processes locally or at
remote locations. Monitor, gather, and process real-time data.

Stuxnet
Stuxnet is a computer virus that targets Siemens control systems used for Supervisory Control
And Data Acquisition (SCADA). Rootkit on SCADA systems, 4 zero‐day attack vectors,
capability to reprogram the PLCs and hide its changes. Most sophisticated weapon ever seen so
far. Very selective. By writing code to the PLC, Stuxnet can potentially control or alter how the
system operates. It did damage the Iranian nuclear centrifuges.

Duqu
Precursor to the malware Stuxnet. (there are others: Flame, Gauss …)
Evidence shows that it may have originated from the same parents. One instance of a Duqu
attack on Iranian companies. Duqu's main aim was to gather data on the activities of a series of
Iranian companies and government agencies.

Advanced Persistent Threat (APT)


APT is the highest end of cyber espionage. Attacks are completely targeted and executed by cyber
commando teams who are well trained and well funded. The end objective is the continuous,
stealthy exfiltration of sensitive data. Typically delivered through a malware email that brings
you to a malware web site. Ongoing for many years. (Titan Rain, Pentagon attacks, Tibetan attacks
GhostNet, etc.)

Highlighted during the Google attacks in late 2009; later, many other US companies said
that they too were victims. (WikiLeaks has a mention):
http://www.wired.com/threatlevel/2010/02/apt-hacks/
2009 APEC attack when hosted by Singapore:
https://www.todayonline.com/singapore/mindef-internet-system-hacked-personal-data-850-personnel-stolen
Attacks are so good that traditional firewalls, anti‐virus and intrusion detection systems will be
bypassed.

Arms Race! Each country tries to outdo the other via better cyber weapons, because:
- Cyber weapons are cheap to build and yet extremely potent.
- Attribution (who attacked you) is typically impossible.
- Harmonising global legislation is very difficult.

Terrorism powered by Cyber


Eve of 13th Nov 2015, over 136 innocent civilians were killed in a series of coordinated
terrorist attacks in 6 locations. Armed with assault rifles and explosives, at least seven men
brought the radical and violent islamist ideology to a historically peaceful Paris. The Islamic
State of Iraq and Greater Syria (ISIS) claimed responsibility, prompting a social media frenzy
and free advertising campaign for the world's most notorious terrorist group.

The group used a soda can bomb to take down a Russian airliner over Egypt in late Oct 2015,
killing more than 200 people. Extremist groups have leveraged the power of the Internet to gain
support for years, but ISIS stands in a league of its own. The terrorist organization has
seemingly mastered online propaganda and recruitment, using modern technology to promote a
medieval ideology involving mass killings, torture, rape, and enslavement. Anonymous declared
"war" on ISIL in its largest operation to date, and by the second day, it had taken down 3,824
pro‐ISIL Twitter accounts and doxxed multiple recruiters. It is rumoured that the planning of
this terrorist attack exploited Xbox communications, hence evading intelligence monitoring.
(may not be true)

Anyone can be a Hacker!


• WikiLeaks APT – a variant, not professional spies but self‐organised groups like
Anonymous, LulzSec, AntiSec, and local hackers etc. that are getting the limelight.
• Ideology driven, spawning many Al‐Qaeda style splinter groups.
• And besides the serious, we have the WikiLeaks supporters, fun lovers, cyber extortionists
and “strange” kids like 19 year old UK hacker, Ryan Cleary (but this kid hacker could be a
savant, blessed with Asperger Syndrome).

Economics of Security
Security is complex, because all systems are trending to be highly complex. Software
manufacturers don’t pay for their bugs. You do. A perfect firewall will be bought as your first
and last device. Testing of security products is immature, so you can’t tell if the things bought
are any good. Mostly, they fail but you can’t return them. No one wants to pay for someone else
to benefit; e.g. the cost of security evaluation. Cyber insurance is not readily available and is
un‐organised.

How would you know if a piece of software is trustworthy? Knowing is very expensive and may
often be impossible. (AppStore ok?)

Innovation and Security


Disruptive innovations are upon us:
Uber and Grabtaxi, AirBnB, Fintech innovations via blockchain, Machine learning cameras,
Drones (Amazon delivery)

Next Gen Drones (Embedded Countermeasures)


• Amazon Prime Air (drone delivery) undergoing remake
- anti‐jamming: null forming GPS anti‐jamming antennae, robust navigation
- anti‐attack issues: fault‐tolerant electronics, autonomous accident/attacker avoidance
• Hardened for bad weather

Speed is vital to keep ahead of the curve; but if security is not handled, the rollout will fail.
Security must be factored in right at the start. Impact: Big Data and new business intelligence
systems, Startups, Cloud Systems, Driverless cars, AI systems replacing humans

Deep Learning (deep neural network)


Branch of machine learning based on a set of algorithms that attempt to model high‐level
abstractions in data by using a deep graph with multiple processing layers, composed of
multiple linear and non‐linear transformations.
https://www.youtube.com/watch?v=CEv_0r5huTY
https://www.youtube.com/watch?v=He4t7Zekob0
https://www.youtube.com/watch?v=P2HPcj8lRJE#t=303.737
https://www.youtube.com/watch?v=vXMpKYRhpmI (Intuitive understanding, 6 min)

DeepMind AlphaGo Zero – AI that learns without data from humans

AI (Deep Learning)
Why important to Security?
Security Automation
Detect attacks from logs via abnormality correlation
Superior biometrics
Superior image analysis
Faster response than humans
Automated learning
