biometric-based user authentication in mobile ad hoc networks



SECURITY AND COMMUNICATION NETWORKS
Security Comm. Networks. 2008; 1:5–16
Published online 4 February 2008 in Wiley InterScience (www.interscience.wiley.com) DOI: 10.1002/sec.6

Biometric-based user authentication in mobile ad hoc networks

F. Richard Yu¹,*,†, Helen Tang², Victor C. M. Leung³, Jie Liu¹ and Chung-Horng Lung¹

¹ Department of Systems and Computer Engineering, Carleton University, Ottawa, ON, Canada
² Defense R&D Canada, Ottawa, ON, Canada
³ Department of Electrical and Computer Engineering, The University of British Columbia, Vancouver, BC, Canada

Summary

As the front line of defense, user authentication is crucial for integrity and confidentiality. Mobile ad hoc networks (MANETs) impose a number of non-trivial challenges to user authentication such as lack of central coordination and limited resources. In high security MANETs, continuous authentication is desirable so that a system can be monitored for the duration of the session to reduce the vulnerability. Biometrics provides some possible solutions to the authentication problem in MANETs, since it has direct connection with user identity. In this paper, we introduce some biometric technologies and their applications in the authentication problem. Multimodal biometrics can be used to exploit the benefits of one biometric while mitigating the inaccuracies of another. We propose an optimal multimodal biometric-based continuous authentication scheme in MANETs. Some numerical results show the effectiveness of the proposed scheme. Copyright © 2008 John Wiley & Sons, Ltd.

KEY WORDS: security; mobile ad hoc networks; biometrics; authentication

1. Introduction

Mobile ad hoc networks (MANETs) enable wireless devices to dynamically establish networks without necessarily using a fixed infrastructure. In such a self-organized network, each wireless node can pass information and control packets from one neighbor to another. Nodes rely on each other to keep the network connected. In recent years, MANETs have become a popular subject for research due to their potential ease of deployment. Military tactical and other security-sensitive operations are important applications of MANETs.

*Correspondence to: F. Richard Yu, Department of Systems and Computer Engineering, Carleton University, School of Information Technology, 1125 Colonel By Drive, Ottawa, ON, Canada K1S 5B6.
†E-mail: richard [email protected]

MANETs introduce different security risks than those for fixed networks due to system constraints in mobile devices and the dynamic nature of ad hoc networks. Although there are many security issues in MANETs, as the front line of defense, user authentication is crucial for integrity and confidentiality [1]. Authentication is the process of confirming the identity claimed by a user and ensuring the resources are accessed by an authentic user. Authentication can be performed by using one or more of the validation factors: what you know, such as a password; what you have, such as a token and what you are, a user’s biometrics, such as a fingerprint. Passwords are simple and easy to use, but it is difficult to distinguish an authentic user from impostors since there is no direct connection between a user and a password. With tokens, in addition to no connection between a user and a token, it is easy for them to be lost or be counterfeited.

Biometrics is the technique commonly understood as the automatic identification or verification of an individual by his or her physiological or behavioral characteristics [2]. Common physiological biometric traits include fingerprints, iris, facial images, while common behavioral biometric traits include voice and signature. Biometrics provides some possible solutions to authentication in MANETs, since it has a direct connection with user identity. Moreover, biometrics can be continuously monitored, and does not require constant user interruption. Recent developments have led to more accurate biometric algorithms and less expensive biometric sensors that are small enough to fit in mobile devices. It has been implemented in many security related systems, such as mobile cellular networks [3] and MANETs [2].

Each biometric technology has its own strengths and weaknesses. Currently, there is no best biometric modality since it depends on the environment applied. Unimodal biometrics faces several challenges such as noise in sensed data, intra-class variations, inter-class similarities, etc. [4]. Multimodal biometric systems present more reliable authentication methods due to the combination of statistically independent biometric traits [5]. This system can exploit the benefits of one biometric and mitigate the shortcomings of another biometric.

Most systems work by authenticating a user during login and then operating under the assumption that the system is secure from that time forward. However, in a hostile environment where the chances of a node being captured are relatively high, continuous authentication, or re-authentication, is desirable so that a system can be monitored for the duration of the session to reduce the vulnerability [6]. In other words, authentication is not merely used to authenticate a user at the initial login, but it is also used continuously to verify the presence of the authentic user.

There is some work in the literature studying biometric-based continuous authentication. Dynamic Bayesian Networks are used in Reference [7] for continuous authentication. The authors of Reference [6] propose several new metrics for multimodal biometrics used in continuous verification. However, there are few reports in the literature about how to optimally schedule different biometrics taking into account the system’s security requirements and resource constraints in MANETs. System resource constraints are important issues in MANETs. Some examples of the constraints include limited battery power, low-power microprocessor, low bandwidth, and small memory. The design of optimal biometric-based continuous authentication schemes that consider system security requirements and resource constraints in MANETs has rarely been addressed in previous work.

In this paper, we first review the authentication problem in MANETs. Then, we introduce some biometric technologies and their applications in the authentication problem in MANETs. A biometric-based continuous authentication scheme in MANETs is proposed. Specifically, we model the continuous authentication problem as a partially observed Markov decision process (POMDP). Optimal dynamic programming-based hidden Markov model (HMM) scheduling algorithms are presented. Some numerical examples show the effectiveness of the proposed scheme.

The rest of the paper is organized as follows. Section 2 describes the authentication problem in MANETs. Section 3 presents biometric-based authentication schemes. Our proposed biometric-based continuous authentication scheme is presented in Section 4. Finally, we conclude this study in Section 5.

2. Authentication in Mobile Ad Hoc Networks

2.1. Mobile Ad Hoc Networks

In recent years, MANETs have become a popular subject because of their self-configuration and self-organization capabilities. Wireless nodes can establish a dynamic network without the need of a fixed infrastructure. A node can function both as a network router for routing packets from the other nodes and as a network host for transmitting and receiving data. MANETs are particularly useful when a reliable fixed or mobile infrastructure is not available. Instant conferences between notebook PC users, military applications, emergency operations, and other security-sensitive operations are important applications of MANETs due to their quick and easy deployment.

Due to the complete lack of centralized control, MANET nodes cooperate with each other to achieve a common goal. The major activities involved in self-organization are neighbor discovery, topology organization, and topology reorganization. Through periodically transmitting beacon packets, or promiscuous snooping on the channels, the activities of neighbors can be acquired. By exchanging local or entire network information, the topology in a MANET can be updated when the network changes such as arrival or departure of a node, failure of nodes and links, etc. Therefore, self-organization is a continuous process that has to adapt to a variety of changes or failures.

2.2. Security and Constraints in MANETs

The security in MANETs is very important, especially in military environments. Unlike the wireline networks, MANETs are inherently insecure because of the lack of any central authority and shared wireless medium. The major security threats that exist in ad hoc wireless networks are as follows: denial of service, resource consumption, host impersonation, information disclosure, and interference. The unique characteristics of MANETs present some new challenges to security design [8].

• Shared wireless broadcast radio: a node can receive and transmit data from and to all the nodes within its direct transmission range.

• Lack of central coordination: there is no centralized network management functionality in MANETs. Existing security solutions for wired networks cannot be applied directly to the MANETs domain.

• Lack of association: because of the dynamic characteristic of MANETs, it is difficult to find a proper authentication mechanism to use when associating nodes with a network.

• Limited resource availability: bandwidth, battery power, and computational power are scarce in MANETs.

In tactical scenarios, military units (e.g., soldiers, tanks, and helicopters) equipped with wireless communication devices can form a tactical MANET on a battlefield. In tactical MANETs, there are some extra characteristics that challenge security design:

• Insecure operation environment: MANETs may operate in harsh environments. Nodes frequently move in and out of hostile enemy territory. The chances of a node being captured are high in such environments, which requires re-authentication.

• High security requirement: since MANETs in these environments sometimes need to transmit some critical information, security is of paramount importance.

• User multitasking: on battlefields, user intervention should be minimized.

2.3. Authentication in Mobile Ad Hoc Networks

A complete security scheme should encompass all three security components of prevention, detection, and reaction [9]. Authentication is the process of confirming the identity claimed by a user. As the front line of defense, user authentication is crucial for integrity and confidentiality [1]. Authentication can be performed by using one or more of the validation factors [2].

• Knowledge factor: the knowledge factor refers to something that a user knows such as a password or a Personal ID Number (PIN). Passwords can be simple and easy to use; however, there is no direct binding between the user identity and the password. As a result, a legitimate user and an impostor, who fraudulently acquires the user password, are indistinguishable to the system.

• Possession factor: the possession factor refers to something that a user has, such as a token or a smart card, which contains some secret information that can be more complicated than a password. The essence of this factor is that the user must possess the token or smart card in order to log onto the device. Like the knowledge factor, the possession factor does not provide direct binding between the user and the token. Authentication cards and tokens may be lost or stolen.

• Biometric factor: biometrics technology uses measurable physiological or behavioral characteristics to reliably distinguish one person from another. Common physiological biometric traits include fingerprint, iris, facial image, and odor, while common behavioral biometric traits include voice and signature. The biometric factor provides direct binding between the user and his/her trait. Moreover, biometrics can be continuously monitored, and needs little user interruption. Recent developments have led to more accurate biometric algorithms and less expensive biometric sensors that are small enough to fit in mobile devices. It has been implemented in many security related systems such as mobile cellular networks and MANETs.


Table I. Desired properties of user authentication in tactical MANETs.

| Desired properties | Knowledge | Possession | Biometrics |
|---|---|---|---|
| Direct user binding | No | No | Yes |
| Non-disruptive re-authentication | No | Yes | Yes |
| Accuracy | High | High | Low to high |
| Energy consumption | Low | Low to high | Low to high |
| Computation complexity | Low | Low to high | Low to high |

We distinguish two classes of user authentication in MANETs: user-to-device and user-to-network. A user has to authenticate himself or herself to the device before he or she can use it. User-to-network authentication denotes that the user needs to be authenticated to the network before it communicates with other users or uses wireless applications. In tactical MANETs, user and device are generally tightly coupled. If the user-to-device authentication fails, it means that the device is not in the right hands and appropriate measures should be taken. Therefore, attacks such as reading or modifying data stored in the device or further access to a network resource can be prevented. We will concentrate on user-to-device authentication in this paper.

By convention, most authentication systems do not usually require the user to do re-authentication for continued access to the protected resources [6]; however, for MANETs that work in a hostile environment, the rate of node capture is high and it is critical to track the user continuously during the lifetime of a node. In other words, authentication is not merely used to authenticate a user at the initial login, but it is used to continuously verify the presence of the authentic user. The frequency of re-authentication depends on the severity of the situation in which the MANET has been established and the resource constraints of the network. As the portable devices become more advanced, the demand for resources (e.g., battery) is expected to increase significantly. Therefore, resources are limited in MANETs. This is especially true with tactical MANETs due to the harsh environment in tactical scenarios.

A user authentication scheme designed for tactical MANETs should have the following properties:

• direct user binding for sufficient security,
• non-disruptive re-authentication,
• high accuracy with low false rejection rate,
• low energy consumption,
• low computational complexity.

Among the three authentication factors, biometrics is the only one that can provide direct user binding and simultaneously support non-disruptive re-authentication in tactical MANETs where user interaction should be minimized. In Table I, we compare the three authentication factors against the above five requirements. As shown, the biometric factor has the potential to meet all five properties. Thus, exploring its potential applications for user authentication in tactical MANETs has merit.

3. Biometric-Based Authentication

Biometrics is the technique commonly understood as the automatic identification or verification of an individual by his or her physiological or behavioral characteristics. There are two main objectives of biometric systems: identification and authentication [10]. Biometric identification is the task of associating a biometric sample with one of N templates that are available from a set of registered individuals. A template is a mathematical extract of a biometric sample. Identification is also known as a one-to-many (specifically, one-to-N) search and the output of this mode of operation is normally a sorted list of candidates based on their degree of similarity with respect to the sample. Identification mode is mainly used for database searching in law enforcement. Biometric authentication is the task of verifying that a biometric sample matches the enrolled template of a specific user. Thus, only one biometric template is retrieved and compared with the sample submitted. This technique is also known as a one-to-one match. The output of this mode of operation is a binary decision (accept or reject), which is usually based on comparison of the matching score, between the input sample and the enrolled template, with a decision threshold. Most biometric systems in commercial applications operate under authentication mode because the one-to-one comparison addresses a specific security concern: is the user who he/she claims to be? Figure 1 illustrates a generic biometric authentication system. Biometrics provides some possible solutions to authentication used in MANETs, since it has direct connection with user identity and needs little user interruption [2,3].


Fig. 1. A generic biometric authentication system.

3.1. Biometrics

This section provides a brief description of common biometric modalities for user authentication. Modalities are divided into physiological traits, including fingerprints, iris, face images, and behavioral traits including voice and signature. Readers are referred to Reference [11] for a more detailed review on biometrics systems.

3.1.1. Fingerprint

Fingerprints have been used for civilian identification for more than 100 years. They are the most understood and extensively studied biometric measurement. A fingerprint is the pattern of ridges and valleys found on the surface of a fingertip. Most fingerprint readers take a fingerprint image and detect the interruption points in the normal flow of the ridges. These key points are called minutiae, which are the characteristics or features used to identify the fingerprint.

Recent research has focused on the development of liveness detection in order to prevent the spoofing of fingerprint devices, especially since Japanese cryptographer Tsutomu Matsumoto demonstrated ‘gummy fingers’ in 2002 [12]. For example, Lumidigm is promoting a new biometric sensor technology called the ‘Multispectral Imager’ [13]. In addition to capturing fingerprint ridges, the sensor is designed to collect features that exist below the surface of the skin in order to defeat gummy fingers.

3.1.2. Iris

The iris is the colored ring of the eye surrounding the pupil. Iris scanning utilizes a camera to capture an iris image from approximately 10–20 inches away. To represent an iris pattern, a series of concentric circular zones are established, and the textural information along the circumference of each zone is extracted. Since the furrows, crypts, and other structures of the iris do not change significantly through a person’s lifetime and even the irises of identical twins are different, iris scanning has the potential to achieve higher than average template matching performance [14].

The template stored within a database requires 512 bytes of memory per iris image. The real benefit of iris recognition is in a very low false reject rate. However, since the iris is quite small, and requires precise focus, it is difficult to get a good image of it, especially for registration.

3.1.3. Face

Facial images are probably the most natural biometric measurement as they are used by humans to make a personal identification. A typical facial recognition system captures images with a camera and processes the images to generate a template. The template is constructed based on the fact that a face is made up of peaks and valleys at different latitudes and longitudes. Most facial recognition technologies are designed to compensate for glasses, hats, and beards.

The template stored within a database requires approximately 1 Kbytes of memory per facial template, compared with 150–300 Kbytes for a facial image. Facial recognition has been used in different applications such as driver verification and airport security. With the increasing use of digital cameras on mobile devices, facial recognition may play a very important role in user authentication for MANETs. However, it should be pointed out that ‘the problems of lighting and pose variation and the similarity of faces make this biometric less reliable than fingerprints’ [15]. In order to solve these problems and make facial recognition available under varying illumination and poses, research efforts are moving toward the development of approaches to 3D facial recognition.

3.1.4. Voice

Voice recognition is viewed by users as another natural form of biometric technology because it is not intrusive and requires no physical contact with a system reader. Voice recognition can be broken down into two types of technology: voice scan and speech recognition. Voice scan aims to authenticate a user based on the speaker’s voice sample, while speech recognition detects words and sentences from an incoming audio signal. The voice characteristics of human speech are determined by speech patterns, which are unique for each individual [15]. These speech patterns are formed by a combination of both physiological and behavioral factors.

A voice template needs 2–10 Kbytes of memory storage, depending on the application. In general, voice is captured through a dedicated microphone because the quality of the device has a big influence on its accuracy. This is especially important in a wireless environment where the signal needs to be transmitted through the open air with the possibility of interference. Poor quality and ambient noise as well as the emotional and physical state of the speaker can affect the accuracy of voice recognition. The improvements in quality of the newer digital cellular technology have made the cell phone a suitable capture device of voice biometrics.

3.1.5. Signature

People have used signatures for centuries to authenticate paper documents. Signature verification systems usually include a special pen and tablet. The verification can be accomplished by analyzing characteristics such as the position, speed, velocity, and pressure of pen strokes [15]. Each person has a unique style of signature and no two signatures are alike. The challenge of signature verification is due to the variations in an individual’s signature, while the advantage of signature verification rests on the wide acceptance of signatures as a traditional form of identity verification. If signature verification methods improve, a wireless device with a touch screen could easily adopt signature verification for user authentication.

3.1.6. ECG

The Electrocardiogram (ECG also called EKG) is frequently used to monitor someone’s health. However, research has shown that electrical activity as recorded by ECG expresses cardiac features that are unique to an individual [16]. In addition, as a biometric, heartbeat data are difficult to disguise, reducing the likelihood of success of applying falsified credentials to an authentication system.

The ECG trace contains a wealth of information. In order to perform any identification/authentication process, feature parameters must be extracted from the ECG. Research sponsored by DARPA [16] proposed an extensive set of ECG descriptors including information about the physiology of an individual’s heart and applied advanced digital signal processing. They also studied the impact of anxiety state on the classification performance.

3.2. Comparison of Biometric Technologies

As discussed above, every biometric technology has its own advantages and disadvantages. The choice of biometric technologies for authentication depends on their applications. For instance, voice recognition is perhaps the least expensive to implement in a mobile communication system, where most of the necessary hardware is already in place, but it is potentially the least accurate biometric technology. Iris scan, by contrast, is accurate but expensive to implement in a mobile communication system because it requires extra equipment. Signature authentication is easy to use; however, it is not a mature technology and is less accurate than others. Authentication based on odor is not invasive to the mobile user; however, it is expensive to implement and is relatively less accurate and mature. Face and fingerprint authentication are accurate enough for most mobile communication systems; however, facial recognition requires relatively even and consistent lighting conditions. With digital cameras embedded into more and more mobile devices, authentication based on facial recognition may become more available in the near future. Fingerprint identification is the most established, reliable, and acceptable biometric technology for most applications of user authentication. However, dedicated fingerprint sensors increase the costs of mobile devices. Table II summarizes the comparison of the six biometric modalities with respect to accuracy and cost [11].

Table II. Comparison of biometric technologies.

| Biometric technologies | Accuracy | Cost | User acceptance |
|---|---|---|---|
| Fingerprint | High | Medium | High |
| Iris | High | High | Medium |
| Face | Medium | Low | High |
| Voice | Medium | Low | High |
| Signature | Low | Low | High |
| ECG | Medium | High | High |

Multimodal biometrics can exploit the benefits of one biometric and mitigate the shortcomings of another biometric. Furthermore, randomly selecting a subset of biometric traits further ensures that the authentic user is present. The increasing use of multimodal biometrics has led to the investigation of different modes of system operation: serial mode, parallel mode, and hierarchical mode [4]. In serial mode of operation, one output of a biosensor will be used at one time. Therefore, multimodal biometric traits do not need to be acquired simultaneously, and the decision could be made before all biometric traits are received. The overall recognition time can be reduced, which is important for MANETs. In the parallel mode of operation, multimodal biometric traits have to be used simultaneously. The hierarchical mode of operation is suitable for the system using a large number of biometric traits. This paper will consider the serial mode of operation since the continuous authentication is necessary for MANETs.

4. Optimal Biometric-Based Continuous Authentication in Mobile Ad Hoc Networks

Although there is some work in the literature studying biometric-based continuous authentication, few reports are available about how to optimally schedule different biometrics taking into account the system security requirements and resource constraints in MANETs. In this section, we propose a scheme to optimally schedule different biometrics for continuous authentication in MANETs. It can optimally control whether or not to perform authentication as well as which biometrics to use to minimize the usage of system resources. We formulate the problem as a POMDP and use a dynamic-programming-based HMM scheduling algorithm to derive the optimal scheme.

4.1. System Model

The system can be modeled as a discrete-time first-order Markov chain $\{X_k\}$, where $k$ denotes the authentication time instant, with $S$ states (e.g., safe and compromised). Note that the state of the system is not directly observed, thus the state of the system is an HMM. The time axis is divided into slots of equal duration which correspond to the time interval between two continuous authentications. We assume that an authentication system is equipped with multiple biosensors and has the ability to collect multiple biometrics. The biosensor selecting problem can be modeled as an $S$-state POMDP as mentioned in Section 1. The state of the device at the time instant is $X_k$ with state space $\{e_1, \ldots, e_S\}$. Here, $e_i$ denotes the $S$-dimensional unit vector with 1 in the $i$th position and zeros elsewhere. The $S \times S$ transition probability matrix $A$ is defined as

$$A = [a_{ij}]_{S \times S}, \quad \text{where } a_{ij} = P(X_k = e_j \mid X_{k-1} = e_i), \quad i, j \in \{1, \ldots, S\}$$

Assume we have $L$ biosensors to be used for continuous authentication and one biosensor or no biosensor will be chosen at one time instant. We can safely extend this scheme to several biosensors used at the same time. Let $u_k \in \{1, \ldots, L\}$ denote the biosensor selected at time $k$ and $y_k(u_k)$ denote the observation of this biosensor. The observations of the $l$th biosensor belong to a finite set of symbols $\{O_1(l), O_2(l), \ldots, O_{M_l}(l)\}$ and $|M_l|$ denotes the number of possible observations of the $l$th biosensor. When the system state is $e_i$ and the $l$th biosensor is picked at time $k$, the probability of observation $m$ obtained from the $l$th biosensor is denoted as

$$b_i(u_k = l, y_k = O_m(l)) = P(y_k(u_k) = O_m(u_k) \mid X_k = e_i, u_k = l), \quad i = 1, 2, \ldots, S$$

Define the observation matrix as

$$B(u_k, O_m(u_k)) = \mathrm{diag}[b_1(u_k, O_m(u_k)), \ldots, b_S(u_k, O_m(u_k))] \tag{1}$$

which denotes the probabilities of the observation $m$ acquired when the biosensor $u_k$ is picked at time $k$ given each state of the Markov chain. The possible observations from the biosensors could be 'acceptance' if the result of authentication is accepted, or 'rejection' if the result of authentication is rejected, or 'nothing' if no biosensor is applied. Note that the state of the device is not directly observed, thus the state of the device is an HMM.


There are costs associated with biosensor usage: the energy consumed for computation, the information stolen if a wrong authentication result is acquired, etc.

4.2. Information State

We will refer to a probability distribution over states as an information state and the entire probability space (the set of all possible probability distributions) as the information space. An information state is a sufficient statistic for the history, which means the optimal biosensor can be chosen based on the information state, denoted by $\pi_k$, where $k$ denotes the time instant. The element of $\pi_k$ is defined as

$$\pi_k(i) = P(X_k = e_i \mid Y(k)), \quad i = 1, 2, \ldots, S, \qquad \mathbf{1}_S'\pi = 1, \quad 0 \le \pi(i) \le 1 \tag{2}$$

where $Y(k) = \{u_1, u_2, \ldots, u_k, y_1, y_2, \ldots, y_k\}$ and it represents the information available at time $k$. $\mathbf{1}_S$ represents the $S$-dimensional vector of ones. The important thing about the information state is that it can be easily updated after each state transition to incorporate one additional step of information into the history [17]:

$$\pi_{k+1} = \frac{B(u_{k+1}, y_{k+1}(u_{k+1}))\, A' \pi_k}{\mathbf{1}_S'\, B(u_{k+1}, y_{k+1}(u_{k+1}))\, A' \pi_k} \tag{3}$$

The initial probability vector of the Markov chain is denoted as

$$\pi_0 = [\pi_0(i)]_{S \times 1}, \quad \text{where } \pi_0(i) = P(X_0 = i), \quad i \in \{1, \ldots, S\}$$

By using the connection between the information state and the system state, a biosensor can be picked based on the information state at each time instant rather than the exact system state.
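The recursion in Equation (3), as an added Python example (not code from the paper or from Reference [19]). It uses the two-state matrices given later in Section 4.6 (Equations (11)–(13)); the function names `update` and `track` and the sample session are constructed for illustration.

```python
# Added example: HMM information-state (belief) update of Equation (3).
# Matrices are the two-state values from Section 4.6; function names are illustrative.

A = [[0.7, 0.3],   # A[i][j] = P(X_k = e_j | X_{k-1} = e_i); state 0 = safe
     [0.1, 0.9]]   # state 1 = compromised

# B[u][i][m] = P(y = O_m | X = e_i, u); symbols: 0 acceptance, 1 rejection, 2 nothing
B = {
    "iris":    [[0.9, 0.1, 0.0], [0.1, 0.9, 0.0]],   # FRR = FAR = 0.1
    "predict": [[0.0, 0.0, 1.0], [0.0, 0.0, 1.0]],   # no sensor used in this slot
}
SYMBOLS = {"acceptance": 0, "rejection": 1, "nothing": 2}


def update(pi, u, y):
    """Return pi_{k+1} = B(u, y) A' pi_k / (1' B(u, y) A' pi_k)."""
    S = len(pi)
    m = SYMBOLS[y]
    # A' pi_k: one-step prediction of the state distribution
    predicted = [sum(A[i][j] * pi[i] for i in range(S)) for j in range(S)]
    # B(u, y) is diagonal, so it scales each predicted entry by its likelihood
    unnorm = [B[u][j][m] * predicted[j] for j in range(S)]
    total = sum(unnorm)
    if total == 0.0:
        # Symbol cannot occur under the model (e.g. 'nothing' from the iris sensor)
        raise ValueError(f"observation {y!r} has zero probability for sensor {u!r}")
    return [x / total for x in unnorm]


def track(pi0, schedule):
    """Apply update() along a list of (sensor, observation) pairs; return all beliefs."""
    beliefs = [list(pi0)]
    for u, y in schedule:
        beliefs.append(update(beliefs[-1], u, y))
    return beliefs


if __name__ == "__main__":
    # Constructed session: two accepted iris scans, two skipped slots, one rejection
    session = [("iris", "acceptance"), ("iris", "acceptance"),
               ("predict", "nothing"), ("predict", "nothing"),
               ("iris", "rejection")]
    for k, pi in enumerate(track([0.5, 0.5], session)):
        print(k, [round(p, 4) for p in pi])
```

With no sensor applied, repeated updates pull the information state toward the stationary distribution of $A$, which for these values puts probability 0.75 on the compromised state.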

4.3. System Architecture

With all the information above, the biosensor scheduling procedure can be briefly summarized as the following three steps and illustrated in Figure 2:

• Scheduling: based on the history information $Y_k$, find the optimal biosensor $u_{k+1}$ that will be used at the next horizon for authentication.

• Observation: observe the output of the optimal biosensor $Y_{k+1}(u_{k+1})$ at the next horizon.

• Update: update the information state $\pi_{k+1}$ by using the latest observation $Y_{k+1}$; this new information state will be used to judge the result of authentication.

4.4. Cost Function

At time $k$, based on the history information $Y_k(u_k)$, the biosensor $u_{k+1} = l$ is selected. Then the instantaneous cost incurred at time $k$ is

$$\underbrace{a_k(l)\,\|X_k - \pi_k\|_D}_{\text{Part 1}} + \underbrace{c_k(X_k, l)}_{\text{Part 2}} \tag{4}$$

Fig. 2. HMM biosensor scheduling and information state update.

Here $a_k(l)$, $l = 1, 2, \ldots, L$ are positive scalar weights and $D$ is a quantized norm. In this paper, we select $D = l_2$. Then Part 1 is the square error (Euclidean distance) in the state estimation when biosensor $u_{k+1}$ is used. In biometric-based authentication, the bigger the state estimation error, the higher both the false rejection rate (FRR) and the false acceptance rate (FAR). Part 2 is the instantaneous cost of using the biosensor $u_{k+1}$ when the device state is $X_k$. In MANETs, we consider this cost as battery consumption, information leakage, etc. There are many ways to make the tradeoff between immediate costs and long-term costs. Here, we only consider the expected future discounted cost. The cumulated cost [17] from time 1 to $N$ can be expressed as

$$J_u = E\left\{ \sum_{k=0}^{N-1} a_k(u_{k+1})\,\|X_k - \pi_k\|_D + \sum_{k=0}^{N-1} c_k(X_k, u_{k+1}) + a_N\,\|X_N - \pi_N\|_D \right\} \tag{5}$$

For the infinite horizon discounted cost, the cost can be expressed as

$$J_u = E\left\{ \sum_{k=0}^{\infty} \beta^k a(u_{k+1})\,\|X_k - \pi_k\|_D + c(X_k, u_{k+1}) \right\} \tag{6}$$

where the constraint $0 \le \beta < 1$ ensures that the expectation is bounded. What we need to do is to minimize this cost by finding the optimal biosensor schedule (optimal policy).

Considering the information state incorporated into the POMDP, and for convenience, we define the cost as an $S$-dimensional vector

$$c_k(u_{k+1}) = [c_k(e_1, u_{k+1}), \ldots, c_k(e_S, u_{k+1})]'$$

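The cumulated cost above can be rewritten as

$$J_u = E\left\{ \sum_{k=0}^{N-1} C_k(\pi_k, u_{k+1}) + C_N(\pi_N) \right\} \tag{7}$$

where $u_{k+1} = u_{k+1}(\pi_k)$. Then,

$$C_N(\pi_N) = a_N\, g'(\pi_N)\pi_N$$

$$C_k(\pi_k, u_{k+1}) = a_k(u_{k+1})\, g'(\pi_k)\pi_k + c_k'(u_{k+1})\pi_k, \quad k \in \{0, \ldots, N-1\} \tag{8}$$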

In the above equation, $g(\pi_k)$ denotes the $S$-dimensional estimation error vector

$$g(\pi_k) = [\|e_1 - \pi_k\|_D, \ldots, \|e_S - \pi_k\|_D] \tag{9}$$

4.5. Optimal Algorithm

There are several algorithms for solving finite horizon POMDP such as Sondik's algorithm [18], incremental pruning, Cheng's linear support algorithm, the witness algorithm, etc. The detailed explanation and corresponding programming code for these algorithms are presented in Reference [19]. All algorithms have the same basic framework and the only difference is the way they compute a single dynamic programming step. The code of the incremental pruning algorithm from Reference [19] will be used in our examples. The desired solutions to the POMDP are represented by a set of vectors, together with the optimal actions, and the value function can be rewritten as

$$J_k(\pi) = \min_{i \in \Gamma_k} \gamma^{*\prime}_{i,k}(u^*_{i,k})\,\pi \quad \text{for all } \pi \in P \tag{10}$$

From this equation, each vector $\gamma$ is connected with an optimal biosensor, a specific biosensor for our problem. Therefore, we can solve our problem with two steps:

• Run off-line dynamic programming: using any POMDP algorithm to compute the $\Gamma_k = \gamma^*_{k,i}$ together with the optimal biosensors $u^*_{k,i}$. Here, $i \in \{1, 2, \ldots, |\Gamma_k|\}$.

• Real time scheduling: find the $\Gamma_k$ for specific information state $\pi(k)$, then the optimal biosensor is selected since each vector is connected with an optimal biosensor.

4.6. Numerical Results

We consider a device used by a soldier who uses an iris biosensor for user-to-device authentication. In this system, we have a two-state HMM problem with two biosensors. The first one is the iris biosensor. In the second one, no biosensor will be used, and we estimate the system state using the HMM state predictor. Here, we call it the prediction biosensor. At any time $k$, ($u_k$ = iris, prediction) denotes which biosensor will be used.

The state space comprises the status of the device: safe or compromised. The transition probability matrix of $X_k$ is

$$A = \begin{pmatrix} 0.7 & 0.3 \\ 0.1 & 0.9 \end{pmatrix} \tag{11}$$

We assume that the safe device can be compromised with probability 0.3, but the compromised device can be snatched back with low probability 0.1.

When using the iris biosensor, the observation symbols from the iris biosensor at each time $k$ consist of the result $O_1$ = acceptance, or $O_2$ = rejection. Since the predict biosensor will incur nothing, we will add one more observation symbol, $O_3$ = nothing. We define $B_{u_k} = [B_{ij}(u_k)] = P\{y_k(u_k) = O_j \mid X_k = e_i\}$. So we can assign the observation matrix $B(u_k)$ as

$$B(u_k = \text{iris}) = \begin{pmatrix} 0.9 & 0.1 & 0 \\ 0.1 & 0.9 & 0 \end{pmatrix} \tag{12}$$

where we assume that FRR = FAR = 0.1.

$$B(u_k = \text{predict}) = \begin{pmatrix} 0 & 0 & 1 \\ 0 & 0 & 1 \end{pmatrix} \tag{13}$$

The cost function comprises two components:

• Biosensor costs:

$$c(X_k = e_i, u_{k+1} = \text{iris}) = \rho_{\text{iris}} + r_{\text{iris}}$$

$$c(X_k = e_i, u_{k+1} = \text{predict}) = \rho_{\text{predict}} + r_{\text{predict}}$$

We assume $\rho_{\text{iris}} = 10$ and $\rho_{\text{predict}} = 7.5$, meaning that the cost of using the iris biosensor is higher than the prediction biosensor. $r$ denotes the information that leaks by using the biosensor. For example, if the current information state is [0.2, 0.8], it means that we believe with 80% probability that the device is compromised. In this situation, the biosensor with higher accuracy will be preferred for authentication; otherwise, the FAR would be higher and more information would be captured by the attackers. We set the values as

$$r_{\text{iris}}(X_k = 0) = 0.5, \quad r_{\text{iris}}(X_k = 1) = 2$$

$$r_{\text{predict}}(X_k = 0) = 1, \quad r_{\text{predict}}(X_k = 1) = 5$$

where 0 means safe state and 1 means compromised state.

• Estimation error cost: for the component of $l_2$ norm estimation error,

$$g'(\pi_k)\pi_k = a_k(1 - \pi_k'\pi_k) \tag{14}$$

Here, we take $a_k = 3$. In order to reduce the computational complexity, we use Lovejoy's upper bound approximation [20]. The basis of this approximation is randomly picking a number of points in the information state simplex $S$, and approximating the estimation error with the piecewise linear interpolation composed of tangents to $g'(\pi)\pi$ at these points. After some computations, the tangent at point $\pi_r$ is the linear segment

$$g_r'(\pi_r) = (1 + \pi_r'\pi_r)\mathbf{1}_S - 2\pi_r \tag{15}$$
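The computation behind Equation (15), written out as an added derivation that is not part of the original paper, for the squared $l_2$ error with the weight $a_k$ left out as in Equation (15). For a unit vector $e_i$ and an information state $\pi$ with $\mathbf{1}_S'\pi = 1$,

$$\|e_i - \pi\|_2^2 = 1 - 2\pi(i) + \pi'\pi, \qquad g'(\pi)\pi = \sum_{i=1}^{S} \pi(i)\,\bigl(1 - 2\pi(i) + \pi'\pi\bigr) = 1 - \pi'\pi$$

The gradient of $f(\pi) = 1 - \pi'\pi$ is $-2\pi$, so the tangent at $\pi_r$, evaluated at any $\pi$ on the simplex, is

$$f(\pi_r) - 2\pi_r'(\pi - \pi_r) = 1 + \pi_r'\pi_r - 2\pi_r'\pi = \bigl[(1 + \pi_r'\pi_r)\mathbf{1}_S - 2\pi_r\bigr]'\pi$$

where the last step uses $\mathbf{1}_S'\pi = 1$. Because $f$ is concave, every tangent lies on or above it, so the minimum over the tangents at the sampled points is a piecewise linear upper bound on the estimation error.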

With the above setup, we use the POMDP program available from Reference [19] to optimally solve the HMM biosensor scheduling problem. The 'Incremental Pruning' algorithm was used. All our numerical examples were run on Red Hat Linux. The kernel version is 2.4.20-31.9. We consider the infinite horizon with a discounted cost function (see Equation (6)), here $\beta = 0.9$. The POMDP program for the previous parameters was run over a horizon of $N = 200$. It is reasonable to use $N = 200$ to approximate the problem with infinite horizons.
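An added Python example of the scheduling computation for this setup (not the authors' code and not the program of Reference [19]): it swaps incremental pruning for value iteration on a uniform grid over the information state, so its numbers approximate the figures and do not reproduce them. Assumptions: the weight $a_k = 3$ is applied once to $1 - \pi'\pi$, the discount applies to the whole per-slot cost, and all function names are illustrative.

```python
# Added example: grid-based value iteration for the two-state problem of Section 4.6.
# Swapped-in approximation; it is not the incremental pruning code of Reference [19].
BETA, A_K = 0.9, 3.0          # discount factor and estimation-error weight a_k
A11, A21 = 0.7, 0.1           # P(safe -> safe), P(compromised -> safe), Equation (11)
# c(X, u) = rho_u + r_u(X), stored as (safe, compromised)
COST = {"iris": (10.0 + 0.5, 10.0 + 2.0), "predict": (7.5 + 1.0, 7.5 + 5.0)}


def obs_model(P):
    """Per sensor, one (P(y | safe), P(y | compromised)) pair per possible symbol."""
    return {"iris": [(P, 1 - P), (1 - P, P)],   # acceptance, rejection
            "predict": [(1.0, 1.0)]}            # nothing


def stage_cost(p, u):
    """C(pi, u) from Equations (8) and (14), with pi = [p, 1 - p] (assumed form)."""
    err = 1.0 - (p * p + (1 - p) * (1 - p))     # 1 - pi' pi
    return A_K * err + COST[u][0] * p + COST[u][1] * (1 - p)


def interp(J, p):
    """Piecewise-linear interpolation of the grid values J at p in [0, 1]."""
    x = p * (len(J) - 1)
    i = min(int(x), len(J) - 2)
    return J[i] + (x - i) * (J[i + 1] - J[i])


def q_value(J, p, u, P):
    """Stage cost plus discounted expected cost-to-go when sensor u is used next."""
    pred = A11 * p + A21 * (1 - p)              # P(safe) after one transition
    future = 0.0
    for b_safe, b_comp in obs_model(P)[u]:
        sigma = b_safe * pred + b_comp * (1 - pred)   # probability of this symbol
        if sigma > 0.0:
            future += sigma * interp(J, b_safe * pred / sigma)   # Equation (3)
    return stage_cost(p, u) + BETA * future


def solve(P, n_grid=101, horizon=200):
    """Return (J, policy) on a uniform grid over p = P(device is safe)."""
    grid = [i / (n_grid - 1) for i in range(n_grid)]
    J = [0.0] * n_grid
    for _ in range(horizon):
        J = [min(q_value(J, p, u, P) for u in COST) for p in grid]
    policy = [min(COST, key=lambda u: q_value(J, p, u, P)) for p in grid]
    return J, policy


if __name__ == "__main__":
    for P in (0.55, 0.9):
        J, policy = solve(P)
        n_iris = sum(1 for u in policy if u == "iris")
        print(f"P={P}: cost at pi0=[0.5, 0.5] is {J[50]:.2f}; iris chosen at {n_iris} grid points")
```

With an uninformative sensor (P = 0.5) the iris scan is chosen only where its direct cost is lower, that is for P(safe) below 0.2; a more accurate sensor can only lower the expected cost, since the grid value function stays concave in the information state.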

The initial state is $(0.5 \;\; 0.5)$ since we assume that we do not know the status of the device. Figure 3 shows the costs incurred for the optimal biosensor schedule versus the probability $P = 1 - \text{FRR} = 1 - \text{FAR}$. Here, we assume that FRR = FAR. The costs of using the prediction biosensor or using the iris biosensor alone are also shown. It can be inferred that when the probability $P$ of the iris biosensor is low ($0.5 < P < 0.67$), using the prediction biosensor is better than using the iris biosensor. The reason for this is that an iris biosensor with a low $P$ will incur a higher estimation error. However, as the probability $P$ increases, the cost of the iris biosensor will decrease since the estimation error incurred will be reduced. Our optimal biosensor schedule always has the lowest cost.

Fig. 3. Cost over infinite horizons with probability P = 1 − FAR = 1 − FRR.

Fig. 4. Biosensor usage over information space, P = 1 − FAR = 1 − FRR.

Figure 4 shows the stationary scheduling policy on the information state simplex. For a two-state HMM, the information simplex is a 1D line. The thickness of the line helps with later clarification. The dark region denotes the information space $\pi$ for which it is optimal to use the iris biosensor, while the gray region denotes where the prediction biosensor will be optimally selected. In other words, no biosensor will be used; we only predict the system state with the HMM state predictor. The bottom line in Figure 4 shows that when the iris biosensor probability is $P = 0.90$, the iris biosensor is selected over more information space. This result makes sense since a higher accuracy biosensor helps to distinguish the status of the device. With the increase of the probability $P$, the use of the iris biosensor will grow accordingly. The reason for this is that the iris biosensor is now more accurate and the estimation error is lower than the case with $P = 0.55$.

Transition probability matrix $A$ defined in Equation (11) denotes the safety of the system. The larger the value of $A_{11}$ is, the safer the system will be. We simulated the cases with different transition probabilities and the result is shown in Figure 5. The Y-axis shows the number of times the iris biosensor is used over 30 horizons, and the X-axis shows the value of $A_{11}$. From this figure, we can see a clear trend: the number of times the iris biosensor is used decreases when $A_{11}$ becomes larger. This is reasonable since $A_{11}$ denotes the status of the system. In a safe environment, the frequency of using the iris biosensor will be less than that in a dangerous environment.

Fig. 5. Using iris over 30 horizons with different transition probability.


5. Conclusions and Future Work

In this paper, we reviewed the authentication problem in MANETs and a few biometric technologies, which are continuously advancing toward commercial implementation in mobile devices. Since biometrics has a direct connection with user identity, it provides possible solutions to the authentication problem in MANETs. Each biometric technology has its own strengths and weaknesses. Multimodal biometric systems can exploit the benefits of one biometric trait and mitigate the shortcomings of another. Moreover, the computation and comparison of biometrics usually require much more computational resources than either password or token verification. Therefore, biometric-based authentication in MANETs should be carefully designed to consider the system's security requirements and resource constraints. We proposed an optimal multimodal biometric-based continuous authentication scheme in MANETs. We have formulated the problem as a POMDP problem: the system state (safe or compromised) cannot be observed directly and hence the decision will be based on the results from the biosensors. Each biosensor is used with some energy consumed and estimation errors. By using the POMDP formulation, continuous authentication turns into an optimal biosensor scheduling problem. Dynamic-programming-based algorithms have been presented to derive the optimal schemes. With the optimal biosensor scheduling algorithms, the continuous authentication process can select the biosensor dynamically at each time instant according to the system status. We also presented some numerical examples to show the effectiveness of the proposed scheme.

Further study is in progress to consider other security schemes, such as intrusion detection and encryption, in this framework.

Acknowledgments

We thank the reviewers for their detailed reviews and constructive comments, which have helped to improve the quality of this paper. This work is supported by Natural Science and Engineering Research Council of Canada and Defence R&D Canada.

References

1. Weimerskirch A, Thonet G. A distributed light-weight authentication model for ad-hoc networks. Lecture Notes in Computer Science, Vol. 2288, 2001; 341–354, ISBN: 3-540-43319-8.

2. Xiao Q. A biometric authentication approach for high security ad-hoc networks. In Proceedings of IEEE Information Assurance Workshop, West Point, NY, June 2004.

3. Koreman J, Morris AC, Wu D, et al. Multi-modal biometrics authentication on the securephone PDA. In Proceedings of the Second Workshop on Multimodal User Authentication, Toulouse, France, May 2006.

4. Ross A, Jain AK. Multimodal biometrics: an overview. In Proceedings of 12th European Signal Processing Conference, Vienna, Austria, 2004.

5. Ross A, Jain AK. Information fusion in biometrics. Pattern Recognition Letters, Vol. 24, September 2003; 2115–2225.

6. Sim T, Zhang S, Janakiraman R, Kumar S. Continuous verification using multimodal biometrics. IEEE Transactions on Pattern Analysis and Machine Intelligence 2007; 29: 687–700.

7. Muncaster J, Turk M. Continuous multimodal authentication using dynamic bayesian networks. In Proceedings of the Second Workshop on Multimodal User Authentication, Toulouse, France, May 2006.

8. Murthy CSR, Manoj BS. Ad Hoc Wireless Networks: Architectures and Protocols. Prentice-Hall: Upper Saddle River, NJ, 2004.

9. Yang H, Luo HY, Ye F, Lu SW, Zhang L. Security in mobile ad hoc networks: challenges and solutions. IEEE Wireless Communications 2004; 11: 38–47.

10. Ortega-Garcia J, Bigun J, Reynolds D, Gonzalez-Rodriguez J. Authentication gets personal with biometrics. IEEE Signal Processing Magazine 2004; 21(2): 50–62.

11. Hong J, Yun E, Cho S. A review of performance evaluation for biometrics systems. International Journal of Images and Graphics 2004; 5(3): 501–536.

12. Matsumoto T, Matsumoto H, Yamada K, Hoshino S. Impact of artificial gummy fingers on fingerprint systems. Optical security and counterfeit deterrence techniques IV. In Proceedings of SPIE, Vol. 4677, 2002.

13. Rowe RK, Nixon KA, Corcoran SP. Multispectral fingerprint biometrics. In Proceedings of IEEE SMC Information Assurance Workshop, West Point, NY, June 2005.

14. Daugman J. How iris recognition works. IEEE Transactions on Circuits and Systems for Video Technology 2004; 13(1): 21–30.

15. Chirillo J, Blaul S. Implementing Biometric Security. Wiley Publishing: Indianapolis, IN, 2003.

16. Israel S, Irvine J, Cheng A, Wiederhold M, Wiederhold B. ECG to identify individuals. Pattern Recognition 2005; 38: 133–142.

17. Krishnamurthy V. Algorithms for optimal scheduling and management of hidden Markov model sensors. IEEE Transactions on Signal Processing 2002; 50: 1382–1397.

18. Smallwood R, Sondik E. Optimal control of partially observable Markov processes over a finite horizon. Operations Research 1973; 21: 1071–1088.

19. Cassandra AR. Tony's POMDP webpage. http://www.cs.brown.edu/research/ai/pomdp/index.html

20. Lovejoy W. Computationally feasible bounds for partially observed Markov decision processes. Operations Research 1991; 39: 162–175.
