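Author (Chinese): 李松鴻
Author (English): Lee, Song-Hong
Thesis title (Chinese): 定向黑盒投毒攻擊下基於深度學習心電辨識系統之安全性研究
Thesis title (English): A Targeted Black-Box Poisoning Attack Against a Deep Learning-Based ECG Biometric Recognition System
Advisor (Chinese): 吳順吉
Advisor (English): Wu, Shun-Chi
Committee members (Chinese): 許榮鈞; 柳克強; 溫宏斌
Committee members (English): Sheu, Rong-Jiun; Leou, Keh-Chyang; Wen, Hung-Pin
Degree: Master's
Institution: National Tsing Hua University
Department: Department of Engineering and System Science
Student ID: 110011565
Year of publication (ROC calendar): 112
Academic year of graduation: 112
Language: English
Number of pages: 35
Keywords (translated from Chinese): biometric recognition, electrocardiograms, poisoning attack, security
Keywords (English): biometric recognition, electrocardiograms (ECGs), poisoning attack, security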
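To address the problem of template aging, adaptive biometric recognition systems with template or model updating mechanisms have been proposed as a solution to intra-class variation in the data. Although these updating mechanisms solve problems faced by traditional systems, they also introduce potential vulnerabilities. By exploiting these updating mechanisms, an adversary can use a poisoning attack to indirectly compromise the templates stored in the system or the hidden model. This thesis studies the security of an adaptive ECG recognition system, where the target system is modified from an existing state-of-the-art deep learning-based ECG recognition system. In this study, we propose a targeted poisoning attack framework. The adversary aims to impersonate a selected user, thereby gaining access to the system while preventing that user from accessing it. To evaluate the effectiveness of the proposed method, we consider both white-box and black-box scenarios, which depend on the adversary's level of knowledge of the model structure. The experimental results show that the method achieves notable results in both the white-box and black-box scenarios. In the two scenarios, 57% and 34% of the attack pairs raised the adversary's FPIRa above 50% while maintaining the integrity of the other enrolled subjects in the system, demonstrating the highly targeted nature of the attack framework.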
Adaptive biometric recognition systems have been proposed as a solution to mitigate template aging by automatically updating templates or models to account for intra-class variations in the data. While these updating mechanisms address the limitations of traditional systems, they also introduce a potential vulnerability: adversaries can exploit them to launch poisoning attacks that indirectly compromise the stored templates or the model hidden in the system. In this study, we investigate the security of an adaptive biometric recognition system based on electrocardiograms (ECGs), modified from a state-of-the-art deep learning-based system. We propose a targeted black-box poisoning attack framework in which the adversary's objective is to impersonate a specific subject, thereby gaining access to the system while simultaneously preventing the target subject from accessing it. To comprehensively evaluate the effectiveness of the proposed method, we assess its performance in both white-box and black-box scenarios, which differ in the adversary's level of knowledge of the model structure. Our experimental results demonstrate that the proposed approach achieves notable success in both white-box and black-box scenarios. While the integrity of the other subjects in the system was maintained, 57% and 34% of the attack pairs in the two scenarios produced adversary FPIRa values exceeding 50%, indicating the highly targeted nature of our attack framework.
Abstract (Chinese)
Abstract
Acknowledgments
Contents
Table Captions
Figure Captions
Chapter 1 Introduction
Chapter 2 Adaptive ECG Recognition System
2.1 Deep Learning-Based ECG Recognition System
2.2 Adaptive System Modifications
Chapter 3 Poisoning Attack
3.1 Attack Assumptions
3.2 Poisoning Sample Generation
3.3 Poisoning Sample Injection
3.4 Black-Box Attack
Chapter 4 Experiments and Discussion
4.1 Dataset and Preprocessing
4.2 System and Attack Implementation
4.2.1 System Implementation
4.2.2 Poisoning Attack Implementation
4.2.3 Substitute Model Training
4.3 Attack Performance Evaluation
4.3.1 Open-Set Identification
4.3.2 The Effect of the Smoothness Factor
4.3.3 Influence Factors to the Attack Results
Chapter 5 Conclusions and Future Works
Reference


(The full text will be open to external access after 2025-11-22.)