{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,13]],"date-time":"2026-01-13T23:29:16Z","timestamp":1768346956695,"version":"3.49.0"},"reference-count":77,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2023,4,12]],"date-time":"2023-04-12T00:00:00Z","timestamp":1681257600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100000038","name":"NSERC","doi-asserted-by":"crossref","award":["RGPIN-2019-05120"],"award-info":[{"award-number":["RGPIN-2019-05120"]}],"id":[{"id":"10.13039\/501100000038","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2023,5,31]]},"abstract":"<jats:p>The uniqueness of behavioral biometrics (e.g., voice or keystroke patterns) has been challenged by recent works. Statistical attacks have been proposed that infer general population statistics and target behavioral biometrics against a particular victim. We show that despite their success, these approaches require several attempts for successful attacks against different biometrics due to the different nature of overlap in users\u2019 behavior for these biometrics. Furthermore, no mechanism has been proposed to date that detects statistical attacks. In this work, we propose a new hypervolumes-based statistical attack and show that unlike existing methods, it (1)\u00a0is successful against a variety of biometrics, (2)\u00a0is successful against more users, and (3)\u00a0requires fewest attempts for successful attacks. More specifically, across five diverse biometrics, for the first attempt, on average our attack is 18 percentage points more successful than the second best (37% vs. 19%). Similarly, for the fifth attack attempt, on average our attack is 18 percentage points more successful than the second best (67% vs. 49%). We propose and evaluate a mechanism that can detect the more devastating statistical attacks. False rejects in biometric systems are common, and by distinguishing statistical attacks from false rejects, our defense improves usability and security. The evaluation of the proposed detection mechanism shows its ability to detect on average 94% of the tested statistical attacks with an average probability of 3% to detect false rejects as a statistical attack. Given the serious threat posed by statistical attacks to biometrics that are used today (e.g., voice), our work highlights the need for defending against these attacks.<\/jats:p>","DOI":"10.1145\/3571743","type":"journal-article","created":{"date-parts":[[2022,11,19]],"date-time":"2022-11-19T10:22:06Z","timestamp":1668853326000},"page":"1-30","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":4,"title":["Revisiting the Security of Biometric Authentication Systems Against Statistical Attacks"],"prefix":"10.1145","volume":"26","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-9515-6037","authenticated-orcid":false,"given":"Sohail","family":"Habib","sequence":"first","affiliation":[{"name":"University of Guelph, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2946-5920","authenticated-orcid":false,"given":"Hassan","family":"Khan","sequence":"additional","affiliation":[{"name":"University of Guelph, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7459-656X","authenticated-orcid":false,"given":"Andrew","family":"Hamilton-Wright","sequence":"additional","affiliation":[{"name":"University of Guelph, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9840-0015","authenticated-orcid":false,"given":"Urs","family":"Hengartner","sequence":"additional","affiliation":[{"name":"University of Waterloo, Waterloo, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2023,4,12]]},"reference":[{"key":"e_1_3_2_2_1","first-page":"265","volume-title":"Proceedings of the 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI\u201916)","author":"Abadi Mart\u00edn","year":"2016","unstructured":"Mart\u00edn Abadi, Paul Barham, Jianmin Chen, Zhifeng Chen, Andy Davis, Jeffrey Dean, Matthieu Devin, et\u00a0al. 2016. TensorFlow: A system for large-scale machine learning. In Proceedings of the 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI\u201916). 265\u2013283."},{"key":"e_1_3_2_3_1","doi-asserted-by":"publisher","DOI":"10.1109\/TMC.2020.2974941"},{"key":"e_1_3_2_4_1","doi-asserted-by":"publisher","DOI":"10.1109\/tdsc.2007.70207"},{"key":"e_1_3_2_5_1","volume-title":"Proceedings of the USENIX Security Symposium","author":"Ballard Lucas","year":"2006","unstructured":"Lucas Ballard, Fabian Monrose, and Daniel P. Lopresti. 2006. Biometric authentication revisited: Understanding the impact of wolves in sheep\u2019s clothing. In Proceedings of the USENIX Security Symposium."},{"key":"e_1_3_2_6_1","unstructured":"BehavioSec. 2021. Continuous Authentication Solutions. Retrieved September 1 2021 from https:\/\/www.behaviosec.com\/."},{"key":"e_1_3_2_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/581271.581272"},{"key":"e_1_3_2_8_1","doi-asserted-by":"publisher","DOI":"10.1111\/ecog.03187"},{"key":"e_1_3_2_9_1","volume-title":"Hypervolume: High Dimensional Geometry and Set Operations Using Kernel Density Estimation, Support Vector Machines, and Convex Hulls (Version 2.0.12)","author":"Blonder Benjamin","year":"2019","unstructured":"Benjamin Blonder and David J. Harris. 2019. Hypervolume: High Dimensional Geometry and Set Operations Using Kernel Density Estimation, Support Vector Machines, and Convex Hulls (Version 2.0.12). Retrieved November 25, 2022 from https:\/\/CRAN.R-project.org\/package=hypervolume."},{"key":"e_1_3_2_10_1","doi-asserted-by":"publisher","DOI":"10.1111\/2041-210X.12865"},{"key":"e_1_3_2_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2005.1550191"},{"key":"e_1_3_2_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/AINA.2014.18"},{"key":"e_1_3_2_13_1","unstructured":"Lars Buitinck Gilles Louppe Mathieu Blondel Fabian Pedregosa Andreas Mueller Olivier Grisel Vlad Niculae et\u00a0al. 2013. API design for machine learning software: Experiences from the scikit-learn project. In Proceedings of the European Conference on Machine Learning and Principles and Practices of Knowledge Discovery in Databases ."},{"key":"e_1_3_2_14_1","unstructured":"Chris Burt. 2018. Biometrics-Secured Voice Banking with Amazon Alexa Now Available from Two Canadian Credit Unions. Retrieved July 1 2021 from https:\/\/www.biometricupdate.com\/201811\/biometrics-secured-voice-banking-with-amazon-alexa-now-available-from-two-canadian-credit-unions."},{"key":"e_1_3_2_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/2702123.2702252"},{"key":"e_1_3_2_16_1","article-title":"VoxCeleb2: Deep speaker recognition","author":"Chung Joon Son","year":"2018","unstructured":"Joon Son Chung, Arsha Nagrani, and Andrew Zisserman. 2018. VoxCeleb2: Deep speaker recognition. In Proceedings of the Conference of the International Speech Communication Association (INTERSPEECH\u201918).","journal-title":"Proceedings of the Conference of the International Speech Communication Association (INTERSPEECH\u201918)."},{"key":"e_1_3_2_17_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10207-006-0006-6"},{"key":"e_1_3_2_18_1","unstructured":"Gregory W. Corder and Dale I. Foreman. 2011. Nonparametric Statistics for Non-Statisticians: A Step-by-Step Approach. Wiley ."},{"issue":"34","key":"e_1_3_2_19_1","first-page":"1","article-title":"An omnibus test of normality for moderate and large sample sizes","volume":"58","author":"D\u2019Agostino Ralph","year":"1971","unstructured":"Ralph D\u2019Agostino. 1971. An omnibus test of normality for moderate and large sample sizes. Biometrika 58, 34 (1971), 1\u2013348.","journal-title":"Biometrika"},{"issue":"3","key":"e_1_3_2_20_1","first-page":"613","article-title":"Tests for departure from normality. Empirical results for the distributions of  \\(b^2\\)  and  \\(\\sqrt {b}\\)","volume":"60","author":"D\u2019Agostino Ralph","year":"1973","unstructured":"Ralph D\u2019Agostino and Egon S. Pearson. 1973. Tests for departure from normality. Empirical results for the distributions of \\(b^2\\) and \\(\\sqrt {b}\\) . Biometrika 60, 3 (1973), 613\u2013622.","journal-title":"Biometrika"},{"key":"e_1_3_2_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00053"},{"key":"e_1_3_2_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3053032"},{"key":"e_1_3_2_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2012.2225048"},{"key":"e_1_3_2_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/JSYST.2015.2472579"},{"key":"e_1_3_2_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2007.902030"},{"key":"e_1_3_2_26_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP.2018.8462018"},{"key":"e_1_3_2_27_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.specom.2015.05.002"},{"key":"e_1_3_2_28_1","unstructured":"Edwin Herman Gilbert Strang William Radulovich Erica A. Rutter David Smith Kirsten R. Messer Alfred K. Mulzet Nicoleta Virginia Bila et\u00a0al. 2016. Calculus: Volume 2 . XanEdu Publishing."},{"key":"e_1_3_2_29_1","unstructured":"G. Evelyn Hutchinson. 1957. A Treatise on Liminology . Wiley."},{"key":"e_1_3_2_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/TCSVT.2003.818349"},{"key":"e_1_3_2_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/1966913.1966983"},{"key":"e_1_3_2_32_1","doi-asserted-by":"publisher","DOI":"10.1111\/2041-210X.12611"},{"key":"e_1_3_2_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/2906388.2906404"},{"key":"e_1_3_2_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/3210240.3210317"},{"key":"e_1_3_2_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372420"},{"key":"e_1_3_2_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2009.5270346"},{"key":"e_1_3_2_37_1","volume-title":"Probability Theory: A Comprehensive Course","author":"Klenke Achim","year":"2007","unstructured":"Achim Klenke. 2007. Probability Theory: A Comprehensive Course. Springer Science & Business Media."},{"key":"e_1_3_2_38_1","doi-asserted-by":"publisher","DOI":"10.1080\/01621459.1952.10483441"},{"key":"e_1_3_2_39_1","unstructured":"Justin Lee. 2016. NuData More Than Doubles Behavioral Transaction Volume. Retrieved September 1 2021 from http:\/\/www.biometricupdate.com\/201605\/nudata-security-more-than-doubles-behavioral-transaction-volume."},{"key":"e_1_3_2_40_1","volume-title":"Proceedings of the 20th Network and Distributed System Security Symposium","author":"Li Lingjun","year":"2013","unstructured":"Lingjun Li, Xinxin Zhao, and Guoliang Xue. 2013. Unobservable reauthentication for smart phones. In Proceedings of the 20th Network and Distributed System Security Symposium."},{"key":"e_1_3_2_41_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-28166-7_22"},{"issue":"6","key":"e_1_3_2_42_1","doi-asserted-by":"crossref","first-page":"863","DOI":"10.1109\/TPAMI.2006.122","article-title":"Improved gait recognition by gait dynamics normalization","author":"Liu Zongyi","year":"2006","unstructured":"Zongyi Liu and Sudeep Sarkar. 2006. Improved gait recognition by gait dynamics normalization. IEEE Transactions on Pattern Analysis & Machine Intelligence6 (2006), 863\u2013876.","journal-title":"IEEE Transactions on Pattern Analysis & Machine Intelligence"},{"key":"e_1_3_2_43_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP48549.2020.00020"},{"key":"e_1_3_2_44_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISIMP.2004.1434167"},{"key":"e_1_3_2_45_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00100"},{"key":"e_1_3_2_46_1","unstructured":"Stephen Mayhew. 2016. Nationwide Mobile Banking App Uses Behavioral Biometrics. Retrieved September 1 2016 from http:\/\/www.biometricupdate.com\/201604\/nationwide-mobile-banking-app-uses-behavioral-biometrics."},{"key":"e_1_3_2_47_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2016.2620278"},{"key":"e_1_3_2_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/266420.266434"},{"key":"e_1_3_2_49_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.csl.2019.101027"},{"key":"e_1_3_2_50_1","doi-asserted-by":"publisher","DOI":"10.21437\/Interspeech.2017-950"},{"key":"e_1_3_2_51_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23303"},{"key":"e_1_3_2_52_1","volume-title":"Proceedings of the 10th Symposium on Usable Privacy and Security","author":"Panjwani Saurabh","year":"2014","unstructured":"Saurabh Panjwani and Achintya Prakash. 2014. Crowdsourcing attacks on biometric systems. In Proceedings of the 10th Symposium on Usable Privacy and Security."},{"key":"e_1_3_2_53_1","doi-asserted-by":"publisher","DOI":"10.1016\/0377-0427(87)90125-7"},{"key":"e_1_3_2_54_1","unstructured":"Samsung SDS. 2021. Nexsign: Behavioral Biometrics for Continuous Frictionless Identity Authentication. Retrieved September 1 2021 from https:\/\/www.samsungsds.com\/us\/behavioral\/biometrics.html."},{"key":"e_1_3_2_55_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICDCSW.2011.20"},{"key":"e_1_3_2_56_1","volume-title":"dynRB: Dynamic Range Boxes","author":"Schreyer Manuela","year":"2018","unstructured":"Manuela Schreyer, Robert R. Junker, Wolfgang Trutschnig, Jonas Kuppler, Arne Bathke, Judith H. Parkinson, and Raoul Kutil. 2018. dynRB: Dynamic Range Boxes (Version 0.15). Retrieved November 25, 2022 from https:\/\/CRAN.R-project.org\/package=dynRB."},{"key":"e_1_3_2_57_1","doi-asserted-by":"publisher","DOI":"10.1145\/2516960"},{"key":"e_1_3_2_58_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516659"},{"key":"e_1_3_2_59_1","doi-asserted-by":"publisher","DOI":"10.1145\/2037252.2037263"},{"key":"e_1_3_2_60_1","doi-asserted-by":"publisher","DOI":"10.1145\/2898353"},{"key":"e_1_3_2_61_1","doi-asserted-by":"publisher","DOI":"10.1097\/00005053-195707000-00032"},{"key":"e_1_3_2_62_1","unstructured":"Kesar Singh and Minge Xie. 2008. Bootstrap: A statistical method. Unpublished manuscript. Rutgers University."},{"key":"e_1_3_2_63_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2015.2506542"},{"key":"e_1_3_2_64_1","doi-asserted-by":"publisher","DOI":"10.1145\/2857705.2857748"},{"key":"e_1_3_2_65_1","volume-title":"Gait Analysis: Is it Easy to Learn to Walk Like Someone Else?","author":"Stang \u00d8yvind","year":"2007","unstructured":"\u00d8yvind Stang. 2007. Gait Analysis: Is it Easy to Learn to Walk Like Someone Else?Master\u2019s thesis. Gj\u00f8vik University College, Norway."},{"key":"e_1_3_2_66_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23351"},{"key":"e_1_3_2_67_1","doi-asserted-by":"publisher","DOI":"10.1890\/14-0235.1"},{"key":"e_1_3_2_68_1","volume-title":"Proceedings of the Annual Network and Distributed System Security Symposium","author":"Tey Chee Meng","year":"2013","unstructured":"Chee Meng Tey, Payas Gupta, and Debin Gao. 2013. I can be you: Questioning the use of keystroke dynamics as biometrics. In Proceedings of the Annual Network and Distributed System Security Symposium."},{"key":"e_1_3_2_69_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCAIS.2012.6466615"},{"key":"e_1_3_2_70_1","volume-title":"Asymptotic Statistics","author":"Vaart Aad W. Van der","year":"2007","unstructured":"Aad W. Van der Vaart. 2007. Asymptotic Statistics. Vol. 3. Cambridge University Press."},{"key":"e_1_3_2_71_1","first-page":"1027","volume-title":"Proceedings of the 18th Annual ACM-SIAM Symposium on Discrete Algorithms","author":"Vassilvitskii Sergei","year":"2006","unstructured":"Sergei Vassilvitskii and David Arthur. 2006. K-means++: The advantages of careful seeding. In Proceedings of the 18th Annual ACM-SIAM Symposium on Discrete Algorithms. 1027\u20131035."},{"key":"e_1_3_2_72_1","doi-asserted-by":"publisher","DOI":"10.1890\/07-1206.1"},{"key":"e_1_3_2_73_1","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866327"},{"key":"e_1_3_2_74_1","volume-title":"Proceedings of the Symposium on Usable Privacy and Security","author":"Xu Hui","year":"2014","unstructured":"Hui Xu, Yangfan Zhou, and Michael R. Lyu. 2014. Towards continuous and passive authentication via touch biometrics: An experimental study on smartphones. In Proceedings of the Symposium on Usable Privacy and Security."},{"key":"e_1_3_2_75_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24210"},{"key":"e_1_3_2_76_1","doi-asserted-by":"publisher","DOI":"10.1145\/2046707.2046725"},{"key":"e_1_3_2_77_1","article-title":"One cycle attack: Fool sensor-based personal gait authentication with clustering","volume":"16","author":"Zhu Tiantian","year":"2020","unstructured":"Tiantian Zhu, Lei Fu, Qiang Liu, Zi Lin, Yan Chen, and Tieming Chen. 2020. One cycle attack: Fool sensor-based personal gait authentication with clustering. IEEE Transactions on Information Forensics and Security 16 (2020), 553\u2013568.","journal-title":"IEEE Transactions on Information Forensics and Security"},{"key":"e_1_3_2_78_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2020.2985628"}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3571743","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3571743","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T17:49:33Z","timestamp":1750182573000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3571743"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,4,12]]},"references-count":77,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2023,5,31]]}},"alternative-id":["10.1145\/3571743"],"URL":"https:\/\/doi.org\/10.1145\/3571743","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,4,12]]},"assertion":[{"value":"2022-03-10","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-10-31","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-04-12","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}