VOL. 1, NO.

2, Oct 2010 E-ISSN 2218-6301

Journal of Emerging Trends in Computing and Information Sciences

©2009-2010 CIS Journal. All rights reserved.

http://www.cisjournal.org 

The Rule Based Intrusion Detection and Prevention Model

for Biometric System
Maithili Arjunwadkar 1, R.V. Kulkarni 2
1
MCA Dept, Modern College Of Engineering, Pune, India
2
Director, SIBER , Kolhapur, India
E-Mail: Maithili.arjunwadkar@gmail.com, drrvkulkarni@siberindia.co.in

ABSTRACT
Modern biometric systems claim to provide alternative solution to traditional authentication processes. Even though there
are various advantages of biometric process, it is vulnerable to attacks which can decline it’s security. The intrusion
detection is an essential supplement of traditional security system. This security system needs the robust automated
auditing, intelligent reporting mechanism and robust prevention techniques. We suggest rule based intelligent intrusion
detection and prevention model for biometric system. This model contains a scheduler to prepare a schedule to check
different logs for possible intrusions, detectors to detect normal or abnormal activity. If activity is normal then alarming
and reporting has been executed. If abnormal activity is found the rule engine fires the rule to detect intrusion point and
type of intrusion. The model also contains an expert system to detect source of intrusion and suggest best possible
prevention technique and suitable controls for different intrusions. This model is also used for security audit as well as
alarming and reporting mechanisms. The malicious activity database is stored for future intrusion detection. To detect
source tracking backward chaining approach is used. The rules are defined and stored in the Rule engine of the system.

Keywords: Security, biometric process, attacks, intrusion detection, prevention, expert system.

1. INTRODUCTION 2. RELATED WORK

Modern biometric technologies like biometric Even though there are various advantages of
based authentication system that uses physiological (e.g. biometric process, it is vulnerable to attacks, which can
thumb print, retina scan, iris) or behavioral (e.g voice, decline it’s security. Ratha et al. [15] analyzed these
keystroke, touch) claim to provide an alternative for attacks and grouped them into different attack points
traditional authentication systems that are based on which are shown in figure 1 [16].
password (token-based) and key (knowledge based).
Biometric process or biometric encryption
process is used in two separate modes namely enrollment
and authentication process. During the enrollment process,
the user’s physiological and behavioral characteristics are
captured by the sensor. The different feature extractor or
key binding algorithms are used to create biometric
template. The template is stored during enrollment process
to be compared in the future to the one produced during an
authentication process. The stored template & the one
produced during authentication process is compared by
matching algorithm that produces matching result
(response Yes/NO). The matched response is then sent to
the application, on which a decision algorithm is
implemented for granting or denying to the user.
This paper is divided into three primary areas.
The first section provides an overview of Biometric
process, possible intrusions in the biometric process and
intrusion detection fundamentals. The second section
describes the architecture of intrusion detection &
prevention system for intrusions in biometric process. The
third section provides how intelligent models are used in Figure 1: Location of biometric process Attack points
this architecture. Finally, the future research and
conclusion of intrusion detection & prevention system are According to common criteria of biometric
presented. evaluation methodology supplement [16], it is particularly
important to consider that attacks can be done on the direct
input and output of a biometric template. The Biometric

117
 VOL. 1, NO. 2, Oct 2010
Journal of Emerging Trends in Computing and Information Sciences
©2009-2010 CIS Journal. All rights reserved.
http://www.cisjournal.org
templates are considered to be very sensitive information.
They identify and are bound to people. It is the template
that is used to determine the user’s rights and privileges to
access a resource.
When performing a vulnerability evaluation of a
biometric system, we must consider a wide variety of
generic possible attacks or threats to the security of the
system. All elements of a biometric system are susceptible
to these threats to some degree. Fig 1 showing locations
within the biometric system identified numerically.
Throughout the process, there are different points
of possible attacks. Some of the possible attack points may
be at biometric device, extractor, on channel on which
template is transported or transmitted, Extraction/
Comparison unit, Extraction/ Template Storage points
during Enrolment, Template Storage units, Template
Retrieval unit etc.
Before created biometric template, the biometric
sample which is really bound to the credentials, privileges,
rights, etc. are in most vulnerable state. An attacker may
try to substitute his/her own sample or biometric template
to masquerade as the intended user.
When a template is not associated from its
binding with the user, there is the possibility of a
substitution attack. If the unbound template is transported
or transmitted through an accessible, unprotected medium,
then an appropriate means of protection must be
considered. The possibility of somehow duplicating the
device specific format of the biometric must also is
considered for evaluation. This must be done through the
analysis of the device algorithms that transform the
biometric sample into the template used by the device for
comparison, determining the output of the algorithm and
then determining the likelihood of duplicating the output
through some logic.
The different locations which are shown in figure 1 require
some detection technique which can be used to detect the
attack at those points.
The intrusion detection is a necessary supplement
of traditionally security protection measures such as
firewalls, data encryption, because it can provide real
protection against internal attacks, external attacks and
abuse [4].
We can incrementally improve security through
the use of tools such as Intrusion Detection System (IDS).
The IDS approach to security is based on the assumption
that a system will not be secure, but that violations of
security policy (intrusions) can be detected by monitoring
and analyzing system behavior. [14] IShahbaz Parvez et
al. [7] describe that, the Intrusion Detection system can be
categorized into Anomaly Detection, Misuse detection &
hybrid detection which is nothing but combined anomaly
& misuse.
Anomaly detection is the general category of
Intrusion Detection, which works by identifying activities
which vary from established patterns for users, or groups
of users. Anomaly detection typically involves the creation
of knowledge bases which contain the profiles of the
monitored activities.
Misuse Detection is a second approach to
Intrusion Detection. This technique involves the
E-ISSN 2218-6301
 
comparison of a user's activities with the known behaviors
of attackers attempting to penetrate a system. Misuse
Detection also utilizes a knowledge base of information.
Hybrid or Combined Anomaly/Misuse Detection is a third
approach, which combine the Anomaly Detection
approach and the Misuse Detection approach. The
combined approach permits a single Intrusion Detection
System to monitor for indications of external and internal
attacks. Intrusion detection system which includes
functions like monitoring and analyzing both user and
system activities and detect suspicious pattern. [7]
Most of the intrusion detection systems are
available for network security purpose. The biometric
process also requires some system which can be used to
detect the possible attacks and used some prevention
mechanisms to avoid these attacks in future. The authors
suggest the Intrusion detection & Prevention System
(IDPS) to detect attacks, back tracing the origin of the
attack and some suggest prevention mechanisms.
3. ARCHITECTURE OF IDPS
To design robust security system, it fulfills the
objectives of security like authenticity, confidentiality,
integrity, availability & non-repudiation. IDPS (Intrusion
detection & Prevention System) contains modules to
detect intrusion, filtering intrusion, trace back of intrusion
origin, and prevention mechanism for theses intrusions.
This security system needs the robust automated auditing
& and intelligent reporting mechanism and robust
prevention techniques.
We suggest security system using intelligent
models for biometric protection approach.
This system is divided into 3 sub systems :
• Intrusion detection
• Backtracking of intrusion source
• Prevention techniques.
The components of the intrusion detection and prevention
system are shown in figure 2.
The Rule based intelligent intrusion detection and
prevention model for biometric system contains a
scheduler to prepare schedule to check different logs for
possible intrusions, and detectors to detect normal or
abnormal activity. If activity is normal then standard
alarming and reporting would be executed. If abnormal
activity is found then the rule engine checks the rule to
detect intrusion point and type of intrusion. The model
also contains an expert system to detect source of intrusion
and suggests best possible prevention technique and
suitable controls for different intrusions. This model also
uses security audit as well as alarming and reporting
mechanisms. The malicious activity database is stored for
future intrusion detection. To detect the source by
tracking, backward chaining approach is used. The rules
are defined and are stored in the Rule engine of the
system. Intrusion points & type is passed to expert system.
Expert system evaluates that data with known malicious
activity database and detects the source using backward
chaining approach.
118
 VOL. 1, NO. 2, Oct 2010
Journal of Emerging Trends in Computing and Information Sciences
©2009-2010 CIS Journal. All rights reserved.
http://www.cisjournal.org
Activit Normal
Detector Activity
Data
Yes
Alarming
Normal? & biometric sensor. If the rule or rules for this scenario fire,
R ti
No
Rule Known
Engine Malicious
activity
Figure 2: Components of Intrusion Detection Process
Detected
Intrusion
i t&
Figure 2: components of intrusion detection and
prevention system
After detecting source, system suggests the
different prevention techniques. For this robust security
system the authors use intelligent models like expert
system.
4. IDP MODEL AS RULED-BASED EXPERT
SYSTEM
Expert systems are the most common form of AI
applied today in intrusion detection system. An expert
system consists of a set of rules that encode the knowledge
of a human "expert”. These rules are used by the system to
make conclusions about the security-related data from the
intrusion detection system. Expert system permits the
incorporation of an extensive amount of human experience
into a computer application and then utilizes that
knowledge to identify activities that match the defined
characteristics of misuse and attack. Expert system detects
intrusions by encoding intrusion scenarios as a set of rules.
These rules replicate the partially ordered
sequence of actions that include the intrusion scenario.
Some rules may be applicable to more than one intrusion
scenario. Rule-based programming is one of the most
commonly used techniques for developing expert systems.
Rule based analysis relies on sets of predefined rules that
can be repeatedly applied to a collection of facts and that
are provided by an administrator, automatically created by
the system or both. Facts represent conditions that describe
a certain situation in the audit records or directly from
system activity monitoring & rules represent heuristics
that define a set of actions to be executed in a given
situation & describe known intrusion scenario(s) or
generic techniques. The rule then fires. It may cause an
alert to be raised for a system administrator. Alternatively,
E-ISSN 2218-6301
 
some automated response, such as terminating that user’s
session, block user’s account will be taken. Normally, a
rule firing will result in additional assertions being added
to the fact base. They, in turn, may lead to additional rule-
fact bindings. This process continues until there are no
more rules to be fired. [3]. Consider the intrusion scenario
in which two or more unsuccessful authentication attempts
are made in a period of time shorter than it would take a
human to present biometric info in the login information at
then suspicion level of specific user can get increased. The
system may raise an alarm or report ‘freeze action’ to the
named user’s account. Account freeze would be entered
into the fact database.
Expert system module categorizes the audit data
by fact base component initially and then uses relevant
detection technique for different audit data. The Rules are
defined using JESS. Jess is a clone of the popular expert
system shell CLIPS which rewritten entirely in Java.
If biometric template stored in central database, alteration
and deletion of biometric template is not allowed to any
user except root or system or super user for database
administration purpose. The attacker modifies or deletes
the biometric template. The rule which is to be checked for
unauthorized modification of biometric template is:
IF( (user is “root” || “superuser”|| “system”)
&&( transaction_type is “Modification”) &&
( not(time_stamp is normaltime_stamp)))
THEN (Alart: “UnauthorizedModification”)
Figure 3: unauthorized Modification of biometric
template rule
The rule which is to be checked for unauthorized
deletion of biometric template is:
IF( (user is “root” || “superuser”|| “system”)
&&( transaction_type is “Deletion”) &&
( not(time_stamp is normaltime_stamp)))
THEN (Alart: “Unauthorized Deletion”)
Figure 4: unauthorized Deletion of biometric template rule
The imposter steals the biometric template of an
authorized user from template storage or from other
biometric system. The rule which is to be checked for
illegal copy of biometric template is:
IF (transaction_type is “Copy”)
THEN (Alart “Unauthorized Copying )
Figure5: unauthorized Copying of biometric template rule
5. CONCLUSION
In spite of the various advantages of biometric
process, it is vulnerable to attacks which can compromise
on it’s security objectives. Intruder can attack on different
points of biometric process for example biometric
119
 VOL. 1, NO. 2, Oct 2010
Journal of Emerging Trends in Computing and Information Sciences
©2009-2010 CIS Journal. All rights reserved.
http://www.cisjournal.org
template database, network channel, biometric device,
template creation module etc. The model suggested in this
paper is useful to detect the intrusion in both types. The
model also contains an expert system to detect source of
intrusion and suggests best possible prevention technique
and suitable controls for different intrusions. This model
also uses security audit as well as alarming and reporting
mechanisms. The malicious activity database is stored for
future intrusion detection. To detect the source by
tracking, backward chaining approach is used. The rules
are defined and are stored in the Rule engine of the
system. The intelligent model uses AI and expert system is
backbone of this system.
6. FUTURE Work
In this paper the authors design the architecture of
the model for intrusion detection and prevention in
biometric process. In future the research will expand the
different methods for intrusion detection of different
vulnerabilities. The backward chaining approach of expert
system can be used to detect source of intrusion
Also we design some rules for backtracking of source
using backward chaining process and suggest different
prevention techniques.
REFERENCES
[1] Computer System Intrusion Detection: A Survey By
Anita K. Jones and Robert S. Sielken
[2] Feature deduction and ensemble design of Intrusion
detection system By Srilatha Chebrolu, Ajith
Abraham,Johnson Thomas Computer & security
(2004)
[3] An Intrusion detection system expert system with fact
based ByYuan Yuan,Dai Guanzhong Asian Journal of
Information Technology 6(5) 614-617, 2007
[4] The Application of Generic Neural Network in
Network Intrusion Detection By Hua Jian, Junhu
E-ISSN 2218-6301
 
Ruan in Journal of computers vol 4 no 12 December
2009.
[5] Design & Implementation of rule based expert
system for fault management, by Su Myat Soe and
Paing Paing Zaw in World academy of science ,
engineering & technology 48 2008
[6] Jess in Action by Ernest Friedman -Hill
[7] A Comparative Analysis of Artificial Neural Network
Technologies in Intrusion Detection Systems by
Shahbaz Pervez, Iftikhar Ahmad, Adeel Akram, Sami
Ullah Swati
[8] Intelligent system for information security
Management: architecture & design issues by Marina
Hentea in Informing science & information
technology vol. 4 2007.
[9] Neural Network Learning based chaos by Truong
Quang Dang Khoa & Masahiro Nakagava in
International Journal of computer & system Science
& engineering 1:2 2007
[10] One way hash functions based on neural network
Shiguo Lian,Jinsheng sun, Zhiquan Wang
[11] Password based a generalize robust security system
design using neural network By Manoj Kumar Singh
In IJCSI international Journal of computer science
issue vol 4 no 2,2009
[12] An Introduction to Intrusion Detection by Aurobindo
Sundaram
[13] On artificial Intelligence approaches for network
Intrusion detection systems by sattar B. Sadkhan in
MASUAM Journal of computing vol. 1 issue 2 ,
September 2009.
[14] A Backpropagation Neural Network for Computer
Network Security Khalil Shihab
[15] “An analysis of minutiae matching strength” by
N.K.Ratha , J.H. Connell and R.M. Bolle Proc
AVBPA 2001, Third international conference on
Audio and video based biometric person
authentication pp 223-228 2001.
[16] Biometric Evaluation Methodology (BEM)
suppliment, Produced by the common criteria
Biometric evaluation methodology working group.
Version 1.0 August 2002.
120