fingerprint access control for wireless insulin pump ... · in this paper, we propose a fingerprint...

Received May 13, 2019, accepted June 1, 2019, date of publication June 5, 2019, date of current version June 24, 2019.

Digital Object Identifier 10.1109/ACCESS.2019.2920850

Fingerprint Access Control for Wireless InsulinPump Systems Using CancelableDelaunay TriangulationsGUANGLOU ZHENG 1, (Member, IEEE), WENCHENG YANG 1, CRAIG VALLI1,RAJAN SHANKARAN 2, HAIDER ABBAS 3, (Senior Member, IEEE), GUANGHE ZHANG4,GENGFA FANG5, JUNAID CHAUDHRY 6, AND LI QIAO 71Security Research Institute, Edith Cowan University, Perth, WA 6027, Australia2Department of Computing, Macquarie University, Sydney, NSW 2109, Australia3Department of Information Security, National University of Sciences and Technology, Rawalpindi 46000, Pakistan4School of Computer and Information Engineering, Jiangxi Normal University, Nanchang 330022, China5School of Electrical and Data Engineering, University of Technology Sydney, NSW 2007, Australia6College of Security and Intelligence, Embry-Riddle Aeronautical University, Prescott, AZ 86301, USA7School of Engineering and Information Technology, University of New South Wales, Canberra, ACT 2610, Australia

Corresponding author: Wencheng Yang ([email protected])

This work was supported by the National Natural Science Foundation of China (NSFC) under Grant 61562043.

ABSTRACT An insulin pump is a small wearable medical gadget which can mimic the way a healthypancreas functions by providing continuous subcutaneous insulin infusion for the patient. However, in thecurrent products, the access to the pump is not securely controlled, rendering the pump insecure to harmfulor even lethal attacks, such as those that lead to the privacy breach of the patient and the delivery of abnormaldosage of insulin to the patient. In a conventional symmetric key-based security solution, how to distributeand manage the key is quite challenging, since the patient bearing an insulin pump may visit any hospitalor clinic to receive treatment from any qualified doctor. In order to prevent malicious access to the pump,in this paper, we propose a Fingerprint-based Insulin Pump security (FIPsec) scheme which requires anentity to first pass the fingerprint authentication process before it is allowed to access the insulin pump.With this scheme, the request from an adversary to access the pump will be blocked thereby protectingthe pump from the possibility of being subjected to serious attacks during the post-request period. In thescheme, a cancelable Delaunay triangle-based fingerprint matching algorithm is proposed for the insulinpump, which has capabilities to resist against nonlinear fingerprint image distortion and the influence ofmissing or spurious minutiae. In order to evaluate the performance of the proposed fingerprint matchingalgorithm, we perform comprehensive experiments on FVC2002 DB1 and DB2 fingerprint databases. Theresults show that the FIPsec scheme can achieve a reasonably low equal error rate and thus becomes a viablesolution to thwarting unauthorized access to the insulin pump.

INDEX TERMS Biomedical informatics, wearable sensors, implantable biomedical devices, insulin pumpsystem, artificial pancreas, cyber security, authentication, access control.

I. INTRODUCTIONAn insulin pump is a small medical gadget which can beeasily carried on the body of a patient with diabetes, e.g., on abelt, inside a pocket, or even attached to a bra [1]–[3]. In otherwords, it facilitates a discreet therapy service that is conve-nient for these patients. Insulin delivery with pumps, also

The associate editor coordinating the review of this manuscript andapproving it for publication was Ilsun You.

known as continuous subcutaneous insulin infusion (CSII),can mimic the way a healthy pancreas functions and deliverprecise doses of rapid-acting insulin 24 hours a day to closelymatch the physiological demands of the body [4], [5]. A typ-ical Insulin Pump System (IPS) is composed of a ContinuousGlucose Monitor (CGM), an insulin pump and an infusionset. The CGM can provide real-time glucose readings to thepump. So, the pump can mimic a healthy pancreas to infusethe insulin accordingly.

VOLUME 7, 20192169-3536 2019 IEEE. Translations and content mining are permitted for academic research only.

Personal use is also permitted, but republication/redistribution requires IEEE permission.See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

75629

https://orcid.org/0000-0002-2307-9562

https://orcid.org/0000-0001-7800-2215

https://orcid.org/0000-0002-9248-4158

https://orcid.org/0000-0002-2437-4870

https://orcid.org/0000-0003-2000-7915

https://orcid.org/0000-0003-1038-9366

G. Zheng et al.: Fingerprint Access Control for Wireless Insulin Pump Systems Using Cancelable Delaunay Triangulations

Nonetheless, the current IPS lacks sufficient securitymechanisms to protect the patients from malicious attacks.In particular, the access to the pump does not have to passany rigorous authentication process, which render the patientinsecure to many harmful or lethal attacks [6], [7]. Firstly,adversaries can gain access to the sensitive information storedin the pump, including the patient’s personal information(name, age, ID, contact number, etc.) and related medi-cal information (insulin infusion recordings, insulin deliveryconfigurations, etc.). Furthermore, this illegal access to thepump can even modify the therapy related settings in thepump, triggering the pump to deliver abnormal dosage ofinsulin to the patient. The overdosage of insulin can resultin low blood glucose levels in the patient’s blood therebycausing hypoglycemia which may lead to dizziness, seizures,loss of consciousness or even death. In contrast, the under-dosage of insulin can cause abnormally high blood glucoselevel in the blood, leading to a condition called hyperglycemiathat can be fatal to the patient. For patient’s safety reasons,the U.S. Food and Drug Administration (FDA) requires theIPS to have preset minimum and maximum dosage and infu-sion rate settings in the pump. Nevertheless, these settingscould be tampered with by attackers via the wireless link.As demonstrated by Barnaby Jack [8], with customized radioequipment and software, the attacker can seize control ofany insulin pump within a radius of 300 feet and subject thepump to unauthorized commands such as dispensing its entirereservoir of insulin to the patient. A conventional symmet-ric key based security solution, in which the key has to bedeployed beforehand, is not viable here. This is because apatient bearing an IPS may need to visit any hospital or clinicfor treatment, especially in a medical emergency scenario.It is quite challenging to distribute the key to the very hospitalor clinic in a timely manner and manage the key securelythereafter [9], [10].

In order to safeguard the therapy related settings in theinsulin pump, Hei et al. [6] proposed a personalized patientinfusion pattern-based access control (PIPAC) scheme inwhich supervised learning approaches are employed to learnthe insulin infusion patterns by performing training on infu-sion logs in the pump. Any attack which aims to deliverabnormal dosage of insulin to the patient will not fit intothe pattern and can be easily be detected. However, the mainpurpose of the PIPAC scheme is to simply detect the abnormaldosage infusion and not to suggest any remedial measures.In this paper, we propose a Fingerprint based Insulin Pumpsecurity (FIPsec) scheme which applies the fingerprint basedauthentication technique to control the direct access to thepump. With this scheme, users who want to change theparameter settings in the pump have to be authenticated firstby using the patient’s finger biometrics. Any attacker whowants to configure the pump maliciously will be blockedfrom accessing it effectively. These configurations includechanging basal rates and bolus dosage settings in the pump.This authentication requirement also protects informationprivacy of the data stored in the pump as only legitimate users

can pass the fingerprint authentication, and retrieve and readinformation. The contributions of the paper are summarizedbelow:• We analyze the security design challenges for theIPS and present the design of the FIPsec scheme inSection II. Through the use of this scheme, any accessto the insulin pump must first undergo a verificationprocess which involves the use of the patient’s finger.

• We propose an improved cancelable Delaunay triangle-based fingerprint matching algorithm to implement theFIPsec scheme in Section III. This matching algorithmis designed to protect the biometric template stored inthe pump, resist against nonlinear fingerprint distortionand conserve pump resources.

• We conduct extensive experiments to evaluate the per-formance of the proposed fingerprint matching algo-rithm in Section IV. Results show that the improvementto the algorithm by reducing the size of query featuresdoes not affect the overall matching performance, and atthe same time it helps to conserve the resources in thepump remarkably.

Section V analyzes the security performance of the FIPsecscheme while Section VI discusses related research progressin this area. The final section summarizes our research withconcluding remarks.

II. FIPSEC SCHEME DESIGNThis section analyzes the security design challenges for theIPS and then presents the design of the FIPsec scheme whichcan support the fingerprint based IPS security solutions.

A. THREAT MODELINGThreat modeling is the prerequisite for designing a securityscheme. Generally the threats facing an IPS can be catego-rized into two main classes:

FIGURE 1. An insulin pump system (IPS) which is composed of acontinuous glucose monitor (CGM), an insulin pump and an infusion set.

1) PASSIVE EAVESDROPPERSA passive eavesdropper wiretaps the wireless channel in aninsulin pump system and captures sensitive information of thepatient which may contain the patient’s ID, contact number,glucose levels, etc. As shown in Fig. 1, real-time glucosereadings could be leaked from the wireless channel betweenthe continuous glucose monitor and the pump. Meanwhile,eavesdroppers could obtain the patient’s personal information

75630 VOLUME 7, 2019


and pump configurations from the wireless channel betweenthe pump and the external USB device.

2) ACTIVE ADVERSARIESActive adversaries have capabilities to launch attacks on theIPS actively. They can obtain the patient’s personal infor-mation by having access to the pump directly. This accessmay even allow the adversaries to make malicious changes tothe pump settings, leading to overdosage or underdosage ofinsulin injection to the patient. Both overdosage and under-dosage of insulin injection are lethal to the patient.

The active adversaries are more harmful to the patientthan passive eavesdroppers. The FIPsec scheme proposed inthis paper has the capability to control access to the pumpso that the active attacks which target at changing injectionsettings in the pump are to be blocked from accessing it.Meanwhile, a fingerprint authentication system is vulnerableto presentation attacks where an artificial replica of the user’sfingerprint can be used to spoof the system. This type ofattacks can be countered by using various liveness detectionmethods. However, considering the restriction of resources inthe pump, the liveness detection function is not adopted in ourFIPsec scheme design.

B. SECURITY DESIGN CHALLENGESThere are three major components in an insulin pump system:a CGM, an insulin pump and an infusion set, as shownin Fig. 1. The function of each component and how theymutually interact are described below.

• CGM and transmitter: The CGM measures the glucoselevels on a continual basis via an indwelling subcuta-neous sensor. It then transmits the glucose data wire-lessly to the insulin pump unit via a transmitter.

• Insulin pump: The insulin pump has a reservoir whichstores insulin. Depending on the patient’s current glu-cose levels, the required dosage of insulin is infusedinto the patient’s body. It receives and displays near-continuous glucose readings from the CGM.

• Wireless link: The wireless link between the CGM andthe insulin pump is responsible for transmitting the glu-cose values from the CGM to the pump.

• USB device: An extra USB device (e.g., the CareLinkUSB from the Medtronic Inc.) is used to configure thepump settings. A doctor uses a computer and the USBto upload the settings to the pump wirelessly.

The pump delivers insulin in two modes: basal rate andbolus dose. With the basal rate, the pump delivers a smallamount of insulin continuously. Meanwhile, when the patientis going to have meals or needs to correct high blood glucoselevels, a bolus dose of insulin can be configured by the patientand injected into his/her body.

Compared to traditional information technology systems,there are significant challenges in the IPS security designwhich stem from its life-saving medical application require-ments, limited resources for wireless communications and

user-friendly interface and operations [11], [12], each ofwhich is discussed below.• Medical applications: The security design for the IPShas to achieve a trade-off between security and medi-cal safety. Any security scheme for the IPS should nothinder its medical applications, such as delivering theprecise dose of insulin to a patient’s body in a timelymanner. If a password is applied to control the accessto the insulin pump, then remembering and enteringthe password is required whenever the patient wants tochange his/her insulin pump settings. Using the pass-word is not convenient and remembering it would bevery challenging and cumbersome, especially for elderlypatients or someone with mental issues.

• Limited resources: The IPS has limited resources inthe CGM and the pump itself. There is a transmitterin the CGM to send the glucose readings to the pumpwirelessly. Ideally, confidentiality and integrity couldbe achieved if the glucose data could be encrypted andits message digest be calculated and appended to themessage before transmission. However, these additionalsecurity mechanisms will place an unacceptably heavyburden on the tiny CGM module and thus are not viablefrom a practical perspective. The insulin pump is alsoan embedded system and powered by a battery. So, anysecurity scheme designed to run on the pump should beenergy efficient.

• Usability:Abasic requirement for a medical device suchas the IPS is that any proposed security mechanism tosafeguard it must be easy to operate with and must workin a correct, safe and timely manner with no room forerrors. Many strong and robust security solutions thatrequire the usage of complicated passwords/operationsare not viable in this scenario.

In summary, the IPS has unique characteristics, e.g., tinyand wireless devices, live-saving applications, extremely lim-ited resources and special usability requirements, which posegreat challenges to its security design. The security issuesof the IPS need to be addressed urgently since any datatampering by adversaries could be life-threateningwith a fatalconsequence to the patients.

C. FIPSEC SCHEME DESIGNIn order to address these design challenges, in this section,we propose a Fingerprint based Insulin Pump security(FIPsec) scheme. This FIPsec hardware needs a fingerprintscanning sensor with a corresponding fingerprint processingalgorithm to be added to the existing IPS hardware. Similar tomost of the other fingerprint design schemes popularly usedin mobile phones, this fingerprint scanner could be integratedwith the round button on the surface of the pump (in Fig. 1)or by using a separate chip processing the fingerprint.

The FIPsec scheme applies a fingerprint-based authentica-tion technique to control the access to the insulin pump. Dif-ferent fingerprint matching approaches can be adopted in theauthentication process, such as image correlation [13], [14],

VOLUME 7, 2019 75631


phase matching [15], skeleton matching [16] and minutiaematching [17]. Because of successful use records in forensicexaminations and storage efficiency in embedded computingsystems,minutiae representation-basedmatching has becomethe most widely used one [17] and is also chosen in ourFIPsec scheme. The scheme includes two phases: the enroll-ment phase and the authentication phase, which are detailedbelow.• In the enrollment phase, the patient’s fingerprint tem-plate is registered in the IPS for use in the authenticationphase. A good quality fingerprint image is captured byusing a fingerprint scanning sensor and then is usedto extract minutiae points. Fingerprint minutiae, includ-ing ridge endings and ridge bifurcations, are the majorfeatures of a fingerprint image. The minutiae are laterused to construct a template with refined discriminatoryfeatures/structures. This template is stored in the mem-ory of the pump. The enrollment process is performedinitially when an IPS is being configured for use for eachpatient. It can be processed once and used in the IPS untilthe end of the IPS lifetime.

• In the authentication phase, fingerprint query is gener-ated and compared against the template stored in thepump. A matching score is calculated to determinethe similarity level between the query and the tem-plate. If the score is larger than a pre-defined threshold,the authentication is deemed to be successful and theaccess to the pump is granted. Otherwise, the accessrequest is rejected. In this phase, the patient’s fingerprintimage is captured and processed by using the same pro-cessing algorithm as the one being used in the enrollmentphase.

When applying the FIPsec scheme, functions and com-ponents that need to be added to an existing insulin pumpinclude (a) a fingerprint scanner, (b) a fingerprint imageprocessing and minutiae extraction function, (c) a fingerprintfeature representation and cancelable transformation func-tion, (d) a fingerprint matching function to compare the queryagainst the template and (e) a fingerprint template stored inthe memory of the insulin pump.

Two fingers from each patient can be registered in his/herIPS profile: one as the primary and the other as the secondary.If the primary one cannot be used for authentication becauseof some reasons (e.g., hurt, burnt), the patient can use his/hersecondary finger to access the insulin pump.

With the FIPsec scheme, whenever the critical settings ofthe insulin pump is to be changed, e.g., increasing or reducingthe basal insulin or configuring the bolus dose of insulin,it requires the patient to authenticate to the pump by usingthe prescribed fingerprint authentication procedure.

III. FINGERPRINT AUTHENTICATION ALGORITHMThe FIPsec scheme could be implemented by using variousfingerprint authentication algorithms. Some of these algo-rithms have a high level matching performance. For instance,the state-of-the-art Minutia Cylinder-Code (MCC)-based

algorithm can achieve an equal error rate of below 2%on FVC2006 DB2 [18]. However, the construction of alocal structure (a cylinder) is complex and consumes sig-nificant amount of resources. Considering that the insulinpump is a wireless mobile system with limited resources,a triangle-based feature representation is selected in thescheme design where features are constructed from minutiaetriplets [19], [20]. In this section, a Delaunay triangulationprocess is applied to triangulate the minutiae on a finger-print as it has capabilities to tackle nonlinear fingerprintimage distortion andmissing or spurious minutiae influences.A cancelable feature is added into the scheme in order toprotect the fingerprint template stored in the IPS which canbe revoked if it is disclosed by adversaries.

FIGURE 2. The fingerprint verification algorithm using cancelableDelaunay triangulation based feature representations. User’s PIN is usedto generate cancelable fingerprint templates for use.

A. FINGERPRINT VERIFICATION PROCESSThe Delaunay triangulation based fingerprint verificationmethod is shown in Fig. 2, with each step described below:• Delaunay triangle-based feature representation: Thisstep in Fig. 2 includes processes of image pre-processing, minutiae extraction, Voronoi partitioning,Delaunay triangulation and feature representation. Afterthis step, the fingerprint image is represented as trianglefeatures which are suitable for the automatic matchingprocess.

• Cancelable transformation: This step transforms trian-gle features to generate cancelable fingerprint templatesby using one-way transformation function in the featuredomain. The cancelable fingerprint template is usedto protect the patient’s biometrics which are stored inthe medical device. With the cancelable transformation,if the fingerprint template is compromised, a new tem-plate can be generated by using a new transformationfunction.

• Fingerprint matching: The matching step comparesquery features against the template features in the IPS todecide whether the access to the IPS is allowed or not.

In the processes, the query image is the fingerprint measuredevery time before the verification takes place. The user’s PINis a secret key that is used to transform the fingerprint features

75632 VOLUME 7, 2019


FIGURE 3. The process of Delaunay triangulation. (a) A fingerprint imagewith detected minutia points. (b) A Voronoi diagram which partitions theplane into cells. (c) Delaunay triangulation of the minutiae.

in order to generate cancelable features. Each of these stepsare detailed in the following sections.

B. DELAUNAY TRIANGULATION-BASED MATCHING1) MINUTIAE DELAUNAY TRIANGULATIONAssume there is a fingerprint image, FI , in IR2 with a set ofminutiae points M = {mi}ni=1, as shown in Fig. 3 (a). For∀mi ∈ M the Voronoi cell VM (i) of mi can be denoted by,

VM (i) := { q ∈ IR2| d(q,mi) ≤ d(q, p) for ∀p ∈ M} (1)

d(.) is the Euclidean distance between two points in IR2.d(q,mi) ≤ d(q, p) represents that, for any point q in aVoronoi cell VM (i), the Euclidean distance to the its center,d(q,mi), is not greater than its distance to any other minutiaep inM . The Euclidean distance between a point q(qx , qy) anda minutia, e.g., the minutia mi(mix ,miy), can be calculated as

d(q,mi) = ‖q− mi‖

=

√(px − mix)2 + (py − miy)2 (2)

The Voronoi Diagram VD(M ) of the minutiae set M ={mi}ni=1 in IR2 is the subdivision of the plane induced bythe Voronoi cells VM (i) for i = 1, 2, . . . , n (as shownin Fig. 3 (b)). The set of vertices are denoted by VV (M ),the set of edges by VE(M ) and the set of regions by VR(M ).If no four points in M are co-circular, then for every vertexv ∈ VV (M ), v is the common intersection of exactly threeedges from VE(M ) and is the incident to exactly three regionsfrom VR(M ). v is also the center of a circle C(v) which goesthrough exactly three minutiae inM and C(v) ∩M = ∅.A triangulation of a finite minutiae set M = {mi}ni=1 in

IR2 is defined as a collection τ of triangles which satisfyconditions that:

conv(M ) =⋃

T∈τ TM =

⋃T∈τ V (T )

Ti ∩ Tj = V (Ti,Tj),E(Ti,Tj), or ∅for ∀Ti,Tj ∈ τ, i 6= j

(3)

where conv(M ) is the convex hull of the minutiae set M .T is a triangle in the collection τ with its vertices denoted

by V (T ) and edges by E(T ). The triangulation of convex hullM is the straight-line dual of the Voronoi Diagram, VD(M ),which is constructed by connecting any two minutiae pointsin the neighboring Voronoi cell by a straight line (shownin Fig. 3 (c)). This is a Delaunay triangulation ofM , denotedby τDT , which will be unique if no three points from M arecollinear and no four points from M are cocircular. τDT sat-isfies the empty circumcircle criterion, that is, there is nominutia in the interior of the circumcircle of every trianglein τDT . Compared to other triangulations of the minutiaeset M , the Delaunay triangulation maximizes the smallestinterior angle of triangles. If the smallest angle of a triangu-lation, τ , is denoted by γ (τ ), then γ (τ ) ≤ γ (τDT ).

2) FINGERPRINT FEATURE REPRESENTATIONAND MATCHINGA local structure in the fingerprint image is defined as aconvex hull which consists of all triangles with a minutiaeas the common vertex, denoted by,

LS(mi) =⋃

T (mi), ∀mi ∈ M (4)

where LS(mi) is the local structure at the minutia mi andT (mi) is a triangle with mi as its vertex. Features of thefingerprint image with the minutiae setM can be representedas a collection ψ of local structures, denoted by

ψ =⋃

i=1,...,n

LS(mi), mi ∈ M (5)

For LS(mi), a Cartesian coordinate system is defined todescribe coordinates of triangle features, with its originlocated at mi and its x axis aligned with the orientation of theminutiae mi. Fig. 3 (c) shows a local structure LS(a) with theminutia a as the common vertex. Features from the triangle4abc which are used to represent the triangle are describedbelow:– lao: the distance between the vertex a and the incircle

center o.– αcax : the angle between the x axis and the edge ac

measured in the anti clockwise direction.– αbax is the angle between the x axis and the edge ab

measured in the anti clockwise direction.– βbc: the orientation difference between the minutiaeb and c.

So, features obtained from the triangle 4abc can be denotedby f4abc = (lao, αcax , αbax , βbc). Features for the local struc-ture LS(a) can be denoted by F(a) = {f4abc, f4acd , f4ade,f4aef , f4afg, f4agb}. Thus, the fingerprint image can be rep-resented by features of these local structures, denoted by

F(FI ) =⋃

i=1,...,n

F(mi), mi ∈ M (6)

where F(mi) is features of the local structure LS(mi) andF(FI ) represents the features of the fingerprint FI .A cancelable transformation is performed on the fea-

tures in order to protect the original fingerprint template.

VOLUME 7, 2019 75633


Ratha et al. [21] initiated three different methods to gen-erate cancelable fingerprint templates: Cartesian, polar andfunctional transformations. In order to improve system secu-rity and performance, Wang et al. [22], [23] proposed afew new cancelable transformation methods, such as thepartial Hadamard transform based approach [22] and theapproach based on zoned minutia pairs and partial discreteFourier transform (P-DFT) [23]. Based on the P-DFTmethod,Yang et al. [24] proposed an enhanced partial discrete Fouriertransform (EP-DFT) based non-invertible transformationalgorithm which achieves a better security performance.Kho et al. [25] proposed a cancelable design based on PartialLocal Structure (PLS) descriptor and Permutated Random-ized Non-Negative Least Square (PR-NNLS) which has thecapability to resist against matching performance deteriora-tion after transformation. In this paper, a polar transformation,proposed by Ahmad et al. [26], is adopted to transform thetemplate.

A polar coordinate space can be divided into several polarsectors, with L levels and S angles. The polar transforma-tion changes the sector positions of the fingerprint templatefeatures F(FI ), including the angle and the length of eachDelaunay triangle. If the transformation matrix for the angleand the length features are Ms and Ml , respectively, then thepolar transformation process is denoted by,{

Ts = S +Ms

Tl = L +Ml(7)

For instance, if S = 4,L = 1 and Ms = [1, 1,−1,−3],the polar transformation through the matrixMs is:

Ts = S +Ms

= [1, 2, 3, 4]+ [1, 1,−1,−3]

= [2, 3, 2, 1] (8)

FIGURE 4. Fingerprint feature representation with cancelabletransformation. Features from 4abc include αcax , αbax , lao, θb and θc .A polar transformation method transforms features in 4abc to thosein 4a1 b1 c1.

Fig. 4 shows that the 4abc in Sector 1 (S = 1) is trans-formed to 4a1 b1 c1 in Sector 2 (S = 2). Obviously, thismapping is a many-to-one process. After the transformation,

original features in both Sector 1 and 3 are mapped to the sec-tor 2. Therefore, it is impossible for an adversary to abtain theoriginal template by inverting the transformed features, evenif the adversary knows the transformation matrices and thetransformed features. The combination of Ms and Ml is usedas the user’s PIN, that is, a secret key, to generate cancelablefingerprint templates. If the template data is compromised,a new template can be generated and stored in the IPS bysimply using different matrics ofMs andMl .

The matching process is performed based on the trans-formed triangle features. For the triangle 4abc, its trans-formed features can be denoted by f4a1 b1 c1 = (la1 o1 ,αc1 a1 x1 , αb1 a1 x1 , βb1 c1 ). These feature values are thenquantized for the matching purpose. Suppose there is a fin-gerprint template with a set of minutiae MT

= {mi}nT

i=1 withfeatures of a local structure denoted by FT (mi), and a querywith a set of minutiae MQ

= {mj}nQ

j=1 with features of a localstructure denoted by FQ(mj). If these two local structuresmatch one another, their local triangle features should bethe same. If there are nij matched triangles between FT (mi)and FQ(mj), then the similarity between them is defined by:

Sij =nij × nijnT × nQ

(9)

These two local structures, FT (mi) and FQ(mj), are consid-ered to be matching one another if the similarity score, Sij,is larger than a pre-defined threshold, thij. By comparing alllocal structures between the template and the query, the num-ber of matched local structures, nTQ, is calculated. If nTQ isequal to or larger than a pre-defined threshold, thTQ, the queryimage is considered as matching with the template stored inthe insulin pump. In this case, the fingerprint-based authen-tication is successful and the access to the insulin pumpis permitted. Otherwise, the access to the insulin pump isconsidered as malicious and is to be rejected.

C. MATCHING ALGORITHM IMPROVEMENTAs a wearable device, an insulin pump has very limitedresources in terms of computations, power and storage.In order to conserve these resources, we propose to improvethe fingerprint matching algorithm by reducing the size offeatures. The overheads that are introduced by a matchingalgorithm are mainly determined by the number of featuresin the template and the query fingerprint, denoted by,

O = g(nT , nQ) (10)

where O represents the overheads due to computationsand power usage, and g is a positive correlation function.nT and nQ are the number of local structures in the templateand the query. Here the reduction of the template size is notrecommended due to following reasons: a) the template iscaptured and processed before it is embedded into the pump;b) using the whole template can ensure a high matchingaccuracy of the algorithm. The steps in the improved querygeneration process is outlined below:

75634 VOLUME 7, 2019


1) The IPS with a fingerprint scanner captures thepatient’s finger tip image, FIQ, and detects the corre-sponding minutiae points, MQ. Thereafter, it deploysthe cancelable Delaunay Triangulation algorithm tocreate local structures associated with each minu-tia, LSQ(mi), in order to generate query features,FQ(mi), where mi ∈ MQ.

2) The IPS then obtains the central point of the queryimage by calculating the mean of x-axis and y-axisvalues respectively of the minutiae in MQ, denoted byC = mean({xmi}, {ymi}) where xmi , ymi are coordinatevalues of minutiae, and mean(.) is a function to calcu-late the mean value.

3) It then proceeds to select a subset from MQ with nsminutiae which are spatially closest to the center C ,denoted byMQ

s = {ms1 ,ms2 , . . . ,msns }. The Euclideandistance between a minutia, m = {xm, ym}, and thequery image center,C , is calculated to determine whichminutiae lie closest to the center, denoted by d(m,C) =√(xm − xc)2 + (ym − yc)2.

4) The query features are selected from FQ(mi), wheremi ∈ M

Qs , denoted by F

Qs . This query feature sub-set is

then used for the matching purpose.

According to the local structure construction in Section III,each LS contains information of the minutiae which are sur-rounding the center minutia of LS. So, the query FQs repre-sents minutiae more than MQ

s . This guarantees the improvedmatching algorithm to have reduced false acceptance rate.

IV. EXPERIMENTAL ANALYSISIn this section, the proposed cancelable Delaunay triangle-based fingerprint matching algorithm is tested in order toevaluate its overall performance in securing the insulin pumpsystem. The influence of the cancelable polar transformationis also investigated in the experiments.

The publicly available fingerprint databases from theFVC2002 DB1 and FVC2002 DB2 are used in the exper-iments [27]. Each database has 800 gray-level fingerprintimages. They are captured from 100 different fingers with8 images of each finger captured. Minutiae points fromeach image are extracted by using the Verifinger 4.0 soft-ware tool from the Neurotechnology [28]. The FVC2002 testprotocol [29] is adopted in the experiments.

Since the fingerprint image contains pixel information,the quantization step for lao is set as 20 pixels. The quantiza-tion steps for the angles αcax , αbax and βbc are defined as 5π

36 .The division angles and levels in the polar space are chosen tobe S = 8 and L = 3. The similarity threshold, thij, is definedas 0.25.

The performance of the proposed cancelable Delaunaytriangle-based algorithm is evaluated by using the followingparameters:

1) False Rejection Rate (FRR): the ratio of failed authen-tication attempts to the total number of attempts whena genuine finger is used in each attempt.

2) False Acceptance Rate (FAR): the ratio of successfulauthentication attempts to the total attempts when afalsified fingerprint is applied in each attempt. Thisfalsified fingerprint could be from a different person’sfinger or a counterfeited fingerprint image.

3) Equal Error Rate (EER): the error rate when the FRRequals the FAR. The optimal system performance couldbe achieved when both rates are equal.

4) Genuine Acceptance Rate (GAR): the ratio of suc-cessful genuine attempts to the total genuine attempts.GAR equals 1-FRR.

FIGURE 5. Experimental results of the fingerprint matching algorithmwhich includes the cancelable transformation process. The fingerprintdatabases, FVC2002 DB1 and DB2, are used in the experiment.

Matching with cancelable transformation: The perfor-mance of the fingerprint matching algorithm with cancelabletransformations is evaluated using both FVC2002 DB1 andDB2 databases, with the results shown in Fig. 5. All thefeatures used in the experiment are extracted from Delaunaytriangles which are processed by the polar transformationbefore the matching process. We can see from Fig. 5 thatthe proposed cancelable fingerprint matching algorithm canachieve a high GAR while keeping the FAR at low level. TheEER performance is 5.88% on DB1 and 3.90% on DB2.Matching without cancelable transformation: The influ-

ence of cancelable transformation on the fingerprint match-ing performance is investigated. Two individual experimentsare run on each fingerprint database. In each experiment,we compare the matching performance of the algorithmwhich has the process of cancelable transformation withthe algorithm which does not. The results from experi-ments on FVC2002 DB1 are shown in Fig. 6 and thoseon FVC2002 DB2 shown in Fig. 7. Their EER results arepresented in Table 1.We can see from the results that, after the cancelable

transformation, the matching performance of the algorithmslightly declines, with the EER on DB1 increasing from5.38% up to 5.88% and the EER on DB2 from 2.69% upto 3.90%. This is because the many-to-one polar mappingmay cause collision. As a result, some triangles in the print

VOLUME 7, 2019 75635


FIGURE 6. The comparison of matching performances onFVC2002 DB1 between the algorithm which does not include thecancelable transformation process and the one which has the cancelabletransformation process.

FIGURE 7. The comparison of matching performances onFVC2002 DB2 between the algorithm which does not include thecancelable transformation process and the one which has the cancelabletransformation process.

TABLE 1. EER experimental results on both the FVC2002 DB1 andDB2 fingerprint databases.

not do not match after non-invertible transformation. How-ever, with the cancelable fingerprint matching algorithm,the overall EER can still bemaintained at around 5%,which iswithin the acceptable limits. Therefore, the proposed match-ing algorithm is efficient and can be a viable option toprotect the insulin pump from malicious access from activeadversaries.

In order to test the performance of the improved fingerprintmatching algorithm, query features associated with ns minu-tiae which are closest to the fingerprint center are selected.In the experiments, ns is chosen from 18 to 40, as shown incolumn 1 in Table 2 and Table 3. In the table, Half Total Error

TABLE 2. Experimental results of improved Cancelable Delaunaytriangulation algorithm on FVC2002 DB1.

TABLE 3. Experimental results of improved Cancelable Delaunaytriangulation algorithm on FVC2002 DB2.

Rate (HTER), which is the mean value of FRR and FAR,is used to assess the overall performance of the algorithm.We can see from Table 2 that when the number of selectedlocal structures in query decreases, the FRR performancegoes down while the FAR goes up. It reaches the best HTERwhen ns = 27. In comparison to the algorithm that uses40 local structures in its query, in our proposed approach,the size of the query features is reduced by 32.5%. Similarly,in Table 3 the HTER is the smallest when ns = 23. Com-pared to the query which uses 40 local structures, the sizeof the query is decreased by 42.5%. We can therefore safelyconclude that it will not affect the overall matching perfor-mance by reducing the size of query features. However, it canhelp conserve resources in the pump and improve the energyefficiency of the IPS.

V. SECURITY ANALYSISThe current range of insulin pump products do not havesupport for any rigorous authentication mechanism that canmoderate and control the access to the pump. So, by sendinga malicious request to the pump, adversaries can retrieveprivate information of the patient or even change therapyrelated settings in the pump. These settings decide the dosageof insulin that will be infused into the patient’s body. Both,an overdose or an underdose of insulin, can cause harmfulor even lethal consequences to the patient. However, withthe proposed FIPsec scheme, any user who wants to per-form operations on the pump has to be first authenticatedby using the patient’s finger. It becomes intuitively clearwhen a malicious entity who tries to unlock the pump with

75636 VOLUME 7, 2019


TABLE 4. Comparison of fingerprint authentication algorithms for securing an insulin pump.

the patient’s fingertip can be easily detected by the patient.Since the adversary cannot pass the authentication process, itscommunication request to the pumpwill be blocked, which inturn protects the pump from both privacy breach and adversedosage attacks.

In the FIPsec scheme, the fingerprint matching algorithmhas the property of cancelability. So, an adversary cannotreveal the patient’s fingerprint if the biometric template inthe pump is disclosed. A new template can be generatedby using a different transformation matrix and saved in thepump for authentication. Hence, the patient’s original finger-print template will be protected. Furthermore, the proposedDelaunay triangle based matching algorithm can achievearound 5% EER, which is viable in the real applicationscenario, since the insulin pump has to be always worn onthe patient’s body and can be constantly monitored by thepatient. If an adversary wants to launch a brute-force attackon the pump by continually using a forged fingerprint, it willbe easily detected by the patient. Therefore, the use of thefingerprint based authentication scheme can protect the pumpeffectively by blockingmalicious operations from adversarieson the pump with lethal consequences.

VI. RELATED WORKWireless connections in insulin pump systems have triggeredcyber security concerns [7], [33]–[37]. These issues can notonly result in breaches of privacy of the patients, but also havea potential to risk the patient’s life by delivering a lethal doseof insulin to the patient. Therefore, the cyber security issueshave to be resolved before the next generation automated IPSproducts coming out [38]. This section compares recently

proposed fingerprint authentication algorithms and analyzesrelated work on the IPS security.

A. FINGERPRINT AUTHENTICATIONThe design of a security scheme for the IPS needs to achieve atrade-off between the security performance and the resourceconstraints in the device, since the insulin pump is a wire-less mobile medical device with very limited resources.In this paper, we proposed to apply an improved cance-lable Delaunay triangle-based fingerprint matching algorithmto control access to the pump. Table 4 lists some of therecent proposed fingerprint verification algorithms and high-lights the key points if they are applied to secure an IPS,including the state-of-the-art Minutia Cylinder-Code (MCC)based algorithm [18] and the convolutional neural net-works (CNNs) and deep learning based fingerprint verifica-tion algorithm [31]. This section will compare the fingerprintauthentication algorithm designed for the IPS with each onein the table.

The MCC-based fingerprint verification algorithm is thestate-of-the-art and can achieve an EER of less than 2% onFVC2006 DB2. The construction of local structures (cylin-ders) includes processes of projecting minutiae into cellsin the cylinder and calculating a numerical value of eachcell based on accumulated contributions from its neighbor-ing minutiae. It requires mathematical computations of sig-moid functions, euclidean distances, Gaussian functions andothers, and therefore is more complex than the construc-tion of triangle local structures in the FIPsec scheme. Con-sidering that the insulin pump has very limited resourcesmost of which have to be reserved for medical applications,

VOLUME 7, 2019 75637


TABLE 5. Recent research results on the insulin pump system security.

the MCC-based algorithm is not viable here. In the finger-print verification algorithm proposed by Jin et al. [30], twosteps are required to generate fixed-length binary strings torepresent minutiae features: Polar Grid-based Three-tupleQuantization (PGTQ) and Kernel-based Fixed-Length Trans-formation(KFLT). The first step (PGTQ) already generatesalignment-free feature representation. However, comparedwith the MCC, it requires one more step, that is, KFLT,to generate fixed-length binary strings from the alignment-free feature representations. So, this algorithm is not viableto be applied on the IPS due to the computation complexityconcern in the fingerprint local structure process.

Ahmad et al. [26] proposed to use pair-polar coordinatevectors to represent the fingerprint minutiae features. For afingerprint template with a minutiae set M = {mi}ni=1, eachlocal structure associated to a minutia has (n − 1) vectorsand each vector contains three features, including angles anddistances. However, in our proposed algorithm, each localstructure (a Delaunay triangle) is denoted by one vector withonly four feature elements in the vector, for instance, f4abc =(lao, αcax , αbax , βbc) for 4abc in Fig. 4. So, features used torepresent each local structure in [26] are more than that in ourproposed algorithm, resulting in more resource consumptionin the pump. Furthermore, its matching performance (EERof 6% on FVC2002 DB2 and 9% on DB1) is not as good asour proposed algorithm which can achieve EER of 3.90% onDB2 and 5.88% on DB1, respectively.

Lin and Kumar [31] proposed a novel fingerprint verifica-tion algorithm built upon convolutional neural networks anddeep learning technologies. This algorithm does not requirethe construction of local structures to represent the finger-print. Nonetheless, the computation of CNNs and deep learn-ing algorithms is heavy and thus is not suitable for wirelessmedical devices. Authors used Intel i5-2500 3.3GHz CPUand NVIDIA 980Ti GPU to perform training and testing ofthe algorithm in [31]. Omar et al. [32] proposed to use fingertextures (FTs) for the verification purpose. The biometrictrait used is the FT which is the area located between theupper phalanx and the lower knuckle of the finger, whichis not convenient for biometric capture in practice comparedwith the fingerprint based biometric algorithm. Meanwhile,the deep learning technologies are used in [32], making thecomputation load of the algorithm heavy for the wirelessinsulin pump.

B. IPS SECURITYRecent IPS security research can be categorized into threetypes: IPS vulnerabilities test and demonstration, IPS securitysolution proposal and design, and IPS forensics, as shownin Table 5. The summary and analysis of research in eachcategory is presented below:

1) IPS vulnerabilities: Recent research demonstrates thatthe IPS could be attacked by using Universal SoftwareRadio Peripheral (USRP) [39] or a customized softwareand antenna [8]. Both eavesdropping and active attackscan be launched by the adversaries. The experimentsshowed that the privacy of the patient could be breachedby the eavesdroppers, e.g., the patient ID, medicalhistory and therapeutic records. Furthermore, activeadversaries can send malicious commands to controlthe pump and deliver lethal dose of insulin to thepatient, which may lead to medical conditions such ashyperglycemia (high blood glucose) or hypoglycemia(low blood glucose).

2) IPS security solution design: Currently a fewsolutions have been proposed to secure the IPS.Hei et al. [6], [41] proposed a patient infusion pat-tern based access control scheme (PIPAC) which usespatient infusion patterns to detect abnormal infusiondelivery in order to recover the safe infusion settingsautomatically according to the pump’s logs. Its aimis to address two types of abnormal infusion attacks:abnormal bolus dosage attacks and abnormal basalrate attacks. Marin et al. [42] proposed a solution thatmade use of both the AES-128 in counter mode andthe AES-128 as a message authentication code (MAC)to provide confidentiality and authentication as well.However, theAES algorithm cannot be applied to CGMsince it is only a sensor coupled with a transmitter.Ahmad et al. [43] proposed to use a deep learningmethod to predict the dosage threshold and ask thepatient to perform gestures if the insulin to be injectedis higher than the threshold. A visible channel basedaccess control scheme, proposed by Zhao et al. [44],can authenticate the doctor’s USB by transmitting thePIN/key to the IPS via visible light signals.

3) IPS forensics: Forensic research for the IPS and med-ical devices in general is to keep records relatedto medical devices for post incident investigation.

75638 VOLUME 7, 2019


Benedict et al. [45] presented a case of homi-cide in which the victim’s insulin pump was usedto inject lethal doses of etomidate and atracurium.Henry et al. [46] proposed to integrate a new sen-sor into the IPS in order to detect bowel sounds ofthe patient for forensic analysis. This forensic infor-mation can determine the cause of the event andwhether it is due to security breaches to the IPS ornot. Rahman et al. [47] proposed a forensically readysystem which uses drones and surveillance cameras torecord medical incidents and save them into a forensicserver located in a hospital internal network.

In this paper, we have proposed a novel IPS securitysolution based on fingerprint authentication. It is lightweightin terms of resource consumption in the insulin pump as itdoes not require the pump to capture and process a real-timefingerprint in each and every authentication attempt. It doesnot rely on a key or password to be stored in every hospital.Any doctor can gain access to the pump by using the patient’sfinger directly. It also has a strong usability as the patient canjust press his/her finger on a button on the IPS. So, it is veryuseful for elderly people, especially those with dementia.

VII. CONCLUSIONCurrent insulin pump products lack support for rigorousauthentication mechanism to prevent malicious entities fromaccessing it, and this can lead to attacks that are harmful tothe patients. Therefore, in this paper, we propose a Fingerprintbased Insulin Pump security (FIPsec) scheme which employsa fingerprint authentication scheme to verify any accessrequest to the pump. With this scheme, any unauthorizedor malicious access to the pump will be instantly blocked.A cancelable Delaunay triangle-based fingerprint matchingalgorithm is presented to implement the schemewhich has thecapabilities to resist against fingerprint distortion or missingminutiae during the capturing process. In order to conserveresources in the insulin pump, the matching algorithm isfurther improved by reducing the size of query features.Experimental results show that this improvement does notinfluence the overall matching performance but it can helpconserve the resources in the pump significantly.

REFERENCES[1] S. Zavitsanou, A. Chakrabarty, E. Dassau, and F. J. Doyle, ‘‘Embedded

control in wearable medical devices: Application to the artificial pan-creas,’’ Processes, vol. 4, no. 4, p. 35, 2016.

[2] B. H. McAdams and A. A. Rizvi, ‘‘An overview of insulin pumps andglucose sensors for the generalist,’’ J. Clinical Med., vol. 5, no. 1, p. 5,Jan. 2016.

[3] H. Rathore, A. Mohamed, A. Al-Ali, X. Du, and M. Guizani, ‘‘A review ofsecurity challenges, attacks and resolutions for wireless medical devices,’’in Proc. 13th Int. Wireless Commun. Mobile Comput. Conf. (IWCMC),Jun. 2017, pp. 1495–1501.

[4] K. Saleem, B. Shahzad, M. A. Orgun, J. Al-Muhtadi, J. J. P. C. Rodrigues,and M. Zakariah,‘‘Design and deployment challenges in immersive andwearable technologies,’’ Behav. Inf. Technol., vol. 36, no. 7, pp. 687–698,Jan. 2017.

[5] G. Fang, M. A. Orgun, R. Shankaran, E. Dutkiewicz, and G. Zheng,‘‘Truthful channel sharing for self coexistence of overlappingmedical bodyarea networks,’’ PloS One, vol. 11, no. 2, Feb. 2016, Art. no. e0148376.

[6] X. Hei, X. Du, S. Lin, I. Lee, and O. Sokolsky, ‘‘Patient infusion patternbased access control schemes for wireless insulin pump system,’’ IEEETrans. Parallel Distrib. Syst., vol. 26, no. 11, pp. 3108–3121, Nov. 2015.

[7] N. Paul, T. Kohno, and D. C. Klonoff, ‘‘A review of the security ofinsulin pump infusion systems,’’ J. Diabetes Sci. Technol., vol. 5, no. 6,pp. 1557–1562, Nov. 2011.

[8] S. Blues. (Oct. 2011). Insulin Pump Hack Delivers Fatal Dosage Overthe Air. [Online]. Available: https://www.theregister.co.uk/2011/10/27/fatal_insulin_pump_attack

[9] G. Zheng, W. Yang, C. Valli, L. Qiao, R. Shankaran, M. A. Orgun, andS. C. Mukhopadhyay, ‘‘Finger-to-heart(F2H): Authentication for wirelessimplantable medical devices,’’ IEEE J. Biomed. Health Inform., to bepublished.

[10] D. Halperin, T. Kohno, T. S. Heydt-Benjamin, K. Fu, and W. H. Maisel,‘‘Security and privacy for implantable medical devices,’’ IEEE PervasiveComput., vol. 7, no. 1, pp. 30–39, Jan./Mar. 2008.

[11] L. Reverberi and D. Oswald, ‘‘Breaking (and fixing) a widely used contin-uous glucose monitoring system,’’ in Proc. 11th USENIX Conf. OffensiveTechnol., Berkeley, CA, USA, 2017, pp. 1–10.

[12] S. Kulaç, ‘‘Security belt for wireless implantable medical devices,’’ J. Med.Syst., vol. 41, no. 11, p. 172, Sep. 2017.

[13] K. Nandakumar and A. K. Jain, ‘‘Local correlation-based fingerprintmatching,’’ in Proc. 4th Indian Conf. Comput. Vis., Graph. Image Process.(ICVGIP), Kolkata, India, Dec. 2004, pp. 503–508.

[14] A. M. Bazen, G. T. Verwaaijen, S. H. Gerez, L. P. Veelenturf, andB. J. Van Der Zwaag, ‘‘A correlation-based fingerprint verification sys-tem,’’ in Proc. Workshop Circuits, Syst. Signal Process., Nov. 2000,pp. 205–213.

[15] J. Feng and A. K. Jain, ‘‘Fingerprint reconstruction: From minutiaeto phase,’’ IEEE Trans. Pattern Anal. Mach. Intell., vol. 33, no. 2,pp. 209–223, Feb. 2011.

[16] J. Feng, Z. Ouyang, and A. Cai, ‘‘Fingerprint matching using ridges,’’Pattern Recognit., vol. 39, no. 11, pp. 2131–2140, 2006.

[17] A. K. Jain, J. Feng, and K. Nandakumar, ‘‘Fingerprint matching,’’ Com-puter, vol. 43, no. 2, pp. 36–44, Feb. 2010.

[18] R. Cappelli, M. Ferrara, and D. Maltoni, ‘‘Minutia cylinder-code: A newrepresentation and matching technique for fingerprint recognition,’’ IEEETrans. Pattern Anal. Mach. Intell., vol. 32, no. 12, pp. 2128–2141,Dec. 2010.

[19] B. Bhanu and X. Tan, ‘‘Fingerprint indexing based on novel features ofminutiae triplets,’’ IEEE Trans. Pattern Anal. Mach. Intell., vol. 25, no. 5,pp. 616–622, May 2003.

[20] M. A. Medina-Pérez, M. García-Borroto, A. E. Gutierrez-Rodríguez, andL. Altamirano-Robles, ‘‘Improving fingerprint verification using minutiaetriplets,’’ Sensors, vol. 12, no. 3, pp. 3418–3437, Mar. 2012.

[21] N. K. Ratha, S. Chikkerur, J. H. Connell, and R. M. Bolle, ‘‘Generatingcancelable fingerprint templates,’’ IEEE Trans. Pattern Anal. Mach. Intell.,vol. 29, no. 4, pp. 561–572, Apr. 2007.

[22] S. Wang, G. Deng, and J. Hu, ‘‘A partial hadamard transform approach tothe design of cancelable fingerprint templates containing binary biometricrepresentations,’’ Pattern Recognit., vol. 61, pp. 447–458, Jan. 2017.

[23] S. Wang, W. Yang, and J. Hu, ‘‘Design of alignment-free cancelablefingerprint templates with zoned minutia pairs,’’ Pattern Recognit., vol. 66,pp. 295–301, Jun. 2017.

[24] W. Yang, S.Wang, J. Hu, G. Zheng, and C. Valli, ‘‘A fingerprint and finger-vein based cancelable multi-biometric system,’’ Pattern Recognit., vol. 78,pp. 242–251, Jun. 2018.

[25] J. B. Kho, J. Kim, I.-J. Kim, and A. B. J. Teoh, ‘‘Cancelable fingerprinttemplate design with randomized non-negative least squares,’’ PatternRecognit., vol. 91, pp. 245–260, Jul. 2019.

[26] T. Ahmad, J. Hu, and S. Wang, ‘‘Pair-polar coordinate-based cance-lable fingerprint templates,’’ Pattern Recognit., vol. 44, nos. 10–11,pp. 2555–2564, 2011.

[27] FVC2002 Databases. (2002). [Online]. Available: http://bias.csr.unibo.it/fvc2002/databases.asp

[28] NeuroTechnology. (2017). Verifinger SDK. Accessed: Apr. 2017, 10.[Online]. Available: http://www.neurotechnology.com/verifinger.html

[29] B SLaboratory, (2002).Fingerprint Verification Competition-PerformanceEvaluation. [Online]. Available: http://bias.csr.unibo.it/fvc2002/perfeval.asp

[30] Z. Jin, M.-H. Lim, A. B. J. Teoh, B.-M. Goi, and Y. H. Tay, ‘‘Generatingfixed-length representation from minutiae using kernel methods for fin-gerprint authentication,’’ IEEE Trans. Syst., Man, Cybern. Syst., vol. 46,no. 10, pp. 1415–1428, Oct. 2016.

VOLUME 7, 2019 75639


[31] C. Lin and A. Kumar, ‘‘A CNN-based framework for comparison of con-tactless to contact-based fingerprints,’’ IEEE Trans. Inf. Forensics Security,vol. 14, no. 3, pp. 662–676, Mar. 2019.

[32] R. R. Omar, T. Han, S. A. M. Al-Sumaidaee, and T. Chen, ‘‘Deep fingertexture learning for verifying people,’’ IET Biometrics, vol. 8, no. 1,pp. 40–48, Jan. 2019.

[33] K. E. Britton and J. D. Britton-Colonnese, ‘‘Privacy and security issuessurrounding the protection of data generated by continuous glucose moni-tors,’’ J. Diabetes Sci. Technol., vol. 11, no. 2, pp. 216–219, Mar. 2017.

[34] D. T. O’Keeffe, S. Maraka, A. Basu, P. Keith-Hynes, and Y. C. Kudva,‘‘Cybersecurity in artificial pancreas experiments,’’ Diabetes Technol.Therapeutics, vol. 17, no. 9, pp. 664–666, Aug. 2015.

[35] D. C. Klonoff, ‘‘Cybersecurity for connected diabetes devices,’’ J. DiabetesSci. Technol., vol. 9, no. 5, pp. 1143–1147, Apr. 2015.

[36] N. Paul and T. Kohno, ‘‘Security risks, low-tech user interfaces, andimplantable medical devices: A case study with insulin pump infusion sys-tems,’’ Presented 3rd USENIX Workshop Health Secur. Privacy, Bellevue,WA, USA, Aug. 2012, pp. 1–2.

[37] L. Wu, X. Du, M. Guizani, and A. Mohamed, ‘‘Access control schemes forimplantable medical devices: A survey,’’ IEEE Internet Things J., vol. 4,no. 5, pp. 1272–1283, Oct. 2017.

[38] J. R. Castle, J. H. DeVries, and B. Kovatchev, ‘‘Future of automated insulindelivery systems,’’Diabetes Technol. Therapeutics, vol. 19, no. S3, p. S-67,Jun. 2017.

[39] C. Li, A. Raghunathan, and N. K. Jha, ‘‘Hijacking an insulin pump:Security attacks and defenses for a diabetes therapy system,’’ in Proc. 13thIEEE Int. Conf. e-Health Netw. Appl. Services, Jun. 2011, pp. 150–156.

[40] J. Radcliffe, ‘‘Hacking medical devices for fun and insulin: Breaking thehuman SCADA system,’’ in Proc. Black Hat Conf. Presentation Slides,Aug. 2011, pp. 1–13.

[41] X. Hei, X. Du, S. Lin, and I. Lee, ‘‘Pipac: Patient infusion patternbased access control scheme for wireless insulin pump system,’’ in Proc.INFOCOM, Aug. 2013, pp. 3030–3038.

[42] E. Marin, D. Singelée, B. Yang, I. Verbauwhede, and B. Preneel, ‘‘On thefeasibility of cryptography for a wireless insulin pump system,’’ in Proc.6th ACMConf. Data Appl. Secur. Privacy, NewYork, NY,USA,Mar. 2016,pp. 113–120.

[43] U. Ahmad, H. Song, A. Bilal, S. Saleem, and A. Ullah, ‘‘Securing insulinpump system using deep learning and gesture recognition,’’ in Proc. 17thIEEE Int. Conf. Trust, Secur. Privacy Comput. Commun., 12th IEEE Int.Conf. Big Data Sci. Eng., Aug. 2018, pp. 1716–1719.

[44] J. Zhao, K. Kong, X. Hei, Y. Tu, and X. Du, ‘‘A visible light channel basedaccess control scheme for wireless insulin pump systems,’’ in Proc. IEEEInt. Conf. Commun.(ICC), May 2018, pp. 1–6.

[45] B. Benedict, R. Keyes, and F. C. Sauls, ‘‘The insulin pump as murderweapon: A case report,’’ Amer. J. Forensic Med. Pathol., vol. 25, no. 2,pp. 159–160, Jun. 2004.

[46] N. L. Henry, N. R. Paul, and N. McFarlane, ‘‘Using bowel sounds to createa forensically-aware insulin pump system,’’ Presented Workshop HealthInf. Technol., Washington, DC, USA, 2013, p. 8.

[47] A. F. A. Rahman, R. Ahmad, and S. N. Ramli, ‘‘Forensics readiness forWireless Body Area Network (WBAN) system,’’ in Proc. 16th Int. Conf.Adv. Commun. Technol. (ICACT), Feb. 2014, pp. 177–180.

GUANGLOU ZHENG (S’13–M’17) received theB.Eng. and M.Eng. degrees from the Nanjing Uni-versity of Aeronautics and Astronautics, Nanjing,China, in 2006 and 2009, respectively, and Ph.D.degree in computer science from Macquarie Uni-versity, Sydney, NSW, Australia, in 2016. Thetitle of his Ph.D. thesis is ‘‘securing wirelessimplantable medical devices using electrocardio-gram signals.’’

He is currently a Postdoctoral Research Fel-low with the Security Research Institute, Edith Cowan University, Perth,WA, Australia. He was a Telecommunication System Research and Develop-ment Engineer with Nanjing Zhongxing Software Company, Ltd., Nanjing.His research interests include wireless network security, medical sys-tem security, biometrics, IoT security, ECG signal processing, spacecraftorbit determination, GPS/GNSS, and precise navigation and positioningtechnologies.

WENCHENG YANG received the bachelor’sdegree from the Wuhan University of Tech-nology, Wuhan, China, in 2006, the master’sdegree in computer science from Korea Uni-versity, South Korea, in 2008, and the Ph.D.degree in computer science from the University ofNew South Wales, Australia, in 2015.

He is currently a Postdoctoral Researcher withthe Security Research Institute (SRI), Edith CowanUniversity (ECU), Perth, WA, Australia. His

research interests include biometric security and pattern recognition. He haspublished several high-quality papers on high ranking journals and confer-ences, e.g., IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, andPattern Recognition.

CRAIG VALLI received the Diploma of Teach-ing from the Western Australian CAE, Perth,Australia, in 1985, and the Bachelor of Education,Master of Management (Information Systems),and Doctor of Information Technology degreesfrom Edith Cowan University, Perth, in 1990,2000, and 2003, respectively. He has over 30 years’experience in the ICT Industry and consults toindustry and government on cyber security anddigital forensics issues. He is the Director of Edith

Cowan University Security Research Institute and a Professor of DigitalForensics.

He has over 100 peer reviewed academic publications in cyber security anddigital forensics. His main research and consultancy is focused on securingnetworks and critical infrastructures, detection of network borne threats andforensic analysis of cyber security incidents.

Mr. Craig is a Fellow of the Australian Computer Society, and the Directorof the Australian Computer Society Centre of Expertise in Security at ECU.He is currently the Research Director of the Australian Cyber SecurityResearch Institute, the Vice President of the High-Tech Crime InvestigatorsAssociation (Australian Chapter) and a Member of the INTERPOL CyberCrime Experts Group.

RAJAN SHANKARAN received the M.B.A.degree in management information systems fromthe Maastricht School of Management, Holland,in 1994, and the M.Comp., M.Sc. (Hons.), andPh.D. degrees in computing from the Universityof Western Sydney, in 1996, 1999, and 2005,respectively.

He was a Lecturer with the University ofWestern Sydney. He is currently a Senior Lecturerwith the Department of Computing, Macquarie

University, where he is a member of the WiMED Research Center, Fac-ulty of Science and Engineering. He is also a member of the AdvancedCyber Security Research Group, Department of Computing. His currentresearch interests include network security and trust and key management inad-hoc/sensor networks.

HAIDER ABBAS (SM’15) received the M.S.degree in engineering and management of infor-mation systems and the Ph.D. degree in infor-mation security from KTH, Sweden, in 2006and 2010, respectively.

He is currently associated with the NationalUniversity of Sciences and Technology, Pakistan,as an Associate Professor. He is the Cyber SecurityProfessional, who took professional trainings andcertifications from the Massachusetts Institute of

Technology, USA, Stockholm University, Sweden, IBM, and EC-Council.He is also the Principal Advisor for several graduate and doctoral stu-dents with King Saud University, the National University of Sciences andTechnology, Pakistan, and the Florida Institute of Technology, USA. He isan associate editor or on the editorial board of a number of internationaljournals. He received many awards and several research grants for ICTrelated projects from various research-funding authorities from U.S., EU,KSA, and Pakistan.

75640 VOLUME 7, 2019


GUANGHE ZHANG received the M.E. degreefrom Jiangxi Normal University, Nanchang,China, the Ph.D. degree from the Institute ofComputing Technology, Chinese Academy of Sci-ences (CAS), China.

He is currently an Assistant Teaching Profes-sor with Jiangxi Normal University. His currentresearch interests include body sensor networksecurity, biosignal processing, and development ofsoftware for education.

GENGFA FANG received the master’s degreein telecommunications from Zhejiang Univer-sity and the Ph.D. in wireless communicationsfrom the Institute of Computing Technology,Chinese Academy of Sciences, in 2002 and 2007,accordingly.

He is currently a Senior Lecturer with theUniversity of Technology Sydney, Sydney, NSW,Australia. From 2007 to 2009, he was aResearcher with the Canberra Research Labora-

tory of National ICT Australia (NICTA) on WCDMA Femtocell Project.Since 2010, he was involving on Rural Broadband Access project at CSIROas a Research Scientist. From 2009 to 2015, he was with the Departmentof Engineering Macquarie University. He has published over 100 papers,patents on embedded wireless network systems, MAC protocols, cross-layer design, wireless resource management, and allocation for 5G, IoT, andmedical body area networks.

JUNAID CHAUDHRY received the Ph.D.degree in cyber security from Ajou University,South Korea. He obtained training with HarvardBusiness School, University of Amsterdam, andKaspersky Research Laboratory in cyber huntingand training. He is currently a Cyber Security Fac-ulty with the College of Security and Intelligence,Embry-Riddle Aeronautical University, Prescott,AZ, USA.

He has over 15 years of exciting experience inacademia, industry, law-enforcement, and in corporate world in informationand cyber security domain. He is a Practicing Engineer, a Member of HighTechnology Crime Investigation Association (HTCIA), Australian Comput-ing Society, Australian Information Security Association, and frequentlyvolunteers in promotion of science through public speaking, conferenceorganisation, and by editing the scientific journals, i.e., IEEE ACCESS,Computer and Security (Elsevier), the IEEE Internet Policy and IEEEFuture Directions, and the board member of tech startups. He has authoredthree books and over 75 research papers. He received awards for hisresearch achievements from Government of South Korea, Qatar, Pakistan,and Saudi Arabia.

LI QIAO received the B.Eng. and Ph.D. degreesfrom the Nanjing University of Aeronautics andAstronautics, China, in 2004 and 2011, respec-tively. She was a Visiting Ph.D. Student with theUniversity of New South Wales (UNSW), Sydney,Australia, from 2008 to 2010.

She has been a Research Associate with UNSWsince 2011, where she is currently with the Capa-bility Systems Center, School of Engineeringand Information Technology. Her current research

interests include space system engineering, GNSS navigation, spacecraftattitude determination and control systems, space operations and optimalestimation, and filtering design.

VOLUME 7, 2019 75641

fingerprint access control for wireless insulin pump ... · in this paper, we propose a fingerprint...

Documents