GB/T 41815.3-2023 English PDF
US$744.00 · In stock
Delivery: <= 6 days. True-PDF full-copy in English will be manually translated and delivered via email.
GB/T 41815.3-2023: Information technology - Biometric presentation attack detection - Part 3: Testing and reporting
Status: Valid
Basic data

Standard ID: GB/T 41815.3-2023 (GB/T41815.3-2023)
Description (Translated English): Information technology - Biometric presentation attack detection - Part 3: Testing and reporting
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L67
Classification of International Standard: 35.240.15
Word Count Estimation: 40,427
Date of Issue: 2023-05-23
Date of Implementation: 2023-12-01
Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration

GB/T 41815.3-2023: Information technology - Biometric presentation attack detection - Part 3: Testing and reporting

--- This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.

ICS 35.240.15
CCS L67
National Standard of the People's Republic of China
Information technology - Biometric presentation attack detection - Part 3: Testing and reporting
Released on 2023-05-23
Implementation on 2023-12-01
Released by the State Administration for Market Regulation and the National Standardization Management Committee

Table of contents

Preface
Introduction
1 Scope
2 Normative references
3 Terms and Definitions
4 Abbreviations
5 Compliance
6 Presentation Attack Detection General Principles
7 Evaluation levels of presentation attack detection mechanisms
7.1 Overview
7.2 General principles for the evaluation of presentation attack detection mechanisms
7.3 Presentation attack detection subsystem evaluation
7.4 Data Acquisition Subsystem Evaluation
7.5 System-wide assessment
8 Prosthesis characteristics
8.1 Characteristics of presentation attack tools in biometric impersonator attacks
8.2 Characteristics of Attack Tools in Biometric Recognition Stealth Attacks
8.3 Properties of synthetic biometric samples with anomalous features
9 Considerations for non-compliant biometric capture attempts
9.1 Methods of presentation
9.2 Methods of assessment
10 Creation and Use of Prostheses in the Evaluation of PAD Mechanisms
10.1 General
10.2 Creation and preparation of the prosthesis
10.3 Use of prostheses
10.4 Identifying effective prostheses through iterative trials
11 Process-Related Evaluation Factors
11.1 General
11.2 Evaluation of the registration process
11.3 Evaluation of the verification process
11.4 Evaluation of the identification process
11.5 Evaluation of Offline PAD Mechanisms
12 Assessment based on the Common Criteria Framework
12.1 General
12.2 Common Criteria and Biometric Identification
13 Evaluation Indicators for Biometric Recognition System with PAD Mechanism
13.1 General
13.2 Metrics for PAD Subsystem Evaluation
13.3 Data Acquisition Subsystem Evaluation Index
13.4 System-wide assessment indicators
Appendix A (Informative) Attack Type Classification
Appendix B (Informative) Examples of prostheses used in the evaluation of the PAD subsystem of fingerprint capture devices
Appendix C (Informative) Roles in the PAD Test
References

Foreword

This document was drafted in accordance with the provisions of GB/T 1.1-2020 "Guidelines for Standardization Work Part 1: Structure and Drafting Rules for Standardization Documents".

This document is Part 3 of GB/T 41815 "Information Technology Biometric Recognition Presentation Attack Detection". The following parts of GB/T 41815 have been published:
--- Part 1: Framework;
--- Part 2: Data format;
--- Part 3: Testing and reporting.

This document is equivalent to ISO/IEC 30107-3:2023 "Information Technology Biometric Recognition Presentation Attack Detection Part 3: Testing and Reporting".

Please note that some contents of this document may refer to patents. The issuing agency of this document assumes no responsibility for identifying patents.

This document is proposed and
managed by the National Information Technology Standardization Technical Committee (SAC/TC28).

This document was drafted by: China Institute of Electronics Standardization, Beijing Megvii Technology Co., Ltd., Guangzhou Myron Information Technology Co., Ltd., Xiamen Meiya Pico Information Co., Ltd., Zhejiang Yuantu Technology Co., Ltd., Guangdong Jiulian Technology Co., Ltd., Institute of Automation, Chinese Academy of Sciences, Shanghai Shangtang Intelligent Technology Co., Ltd., Beijing Wanlihong Technology Co., Ltd., Beijing Eyes Intelligent Technology Co., Ltd., Hangzhou Hikvision Digital Technology Co., Ltd., Newland Digital Technology Co., Ltd., Lenovo Zhongtian Technology Co., Ltd., China Mobile (Zhejiang) Innovation Research Institute Co., Ltd., Xiamen Ruiwei Information Technology Co., Ltd., Hangzhou Shenhao Technology Co., Ltd., China Mobile (Hangzhou) Information Technology Co., Ltd., Huizhou University, Guangdong Huayan Intelligent Technology Co., Ltd., Beijing Shuguang Yitong Technology Co., Ltd., Hangzhou Jinglian Wen Technology Co., Ltd., Hangzhou Mingguang Microelectronics Technology Co., Ltd., the 716th Research Institute of China Shipbuilding Industry Corporation, Shenzhen Youfangxin Information Technology Co., Ltd., Luokejiahua Technology Group Co., Ltd., Wuhan Hongshi Technology Co., Ltd., Shenzhen Mingtu Innovation Technology Co., Ltd., Shanghai Point and Surface Intelligent Technology Co., Ltd., Tianfu (Dongguan) Standard Technology Co., Ltd.

The main drafters of this document: Zhong Chen, Mei Jingqing, Shi Chunteng, Wang Wenfeng, Cui Fengke, Lei Zhen, Wu Hongwei, He Qiang, Shen Yuanhai, Li Qiang, Jiang Hui, Wu Junhong, Yu Jinxi, Song Jiwei, Liu Qianying, Zhang Xiaoliang, Yang Chunlin, Gong Qiong, Ren Wenqi, Cai Chunshui, Li Yongyue, Xiao Liang, Cao Lei, Jiang Jian, Liang Zhongquan, Wang Jun, Luo Sixin, He Yifan, Yu Xueping, Yang Zhanjin, Song Fangfang, Liu Yuntao, Jin Ze, Li Hongxing, Zhang Beibei, Luo Zhongliang, Zou Zhuo, Xue Xueqin, Yi Kaijun, Li Qingshun, Xi Yafen, Cheng Zhiguo, Wang Cheng, Yang Zhe, Wu Haiteng, Wang Lei, Gao Junxiong.

Introduction

To standardize matters related to presentation attack detection, it is first necessary to define the presentation attack detection framework as a whole, to guide the definition of attack classifications and tools. Second, in order to exchange and share relevant data elements, a clear and unified data format needs to be defined. Finally, when evaluating presentation attack detection capability, it is necessary to specify the test object, test environment and test indicators, to guide the scientific and objective evaluation of that capability.

GB/T 41815 "Information Technology Biometric Recognition Presentation Attack Detection" specifies the framework, data format and test-related content for presentation attack detection in the field of biometric recognition, to facilitate the design of presentation attack detection functions and the evaluation of their capabilities. GB/T 41815 is proposed to consist of 3 parts:
--- Part 1: Framework. The purpose is to establish an overall framework for presentation attack detection in biometric recognition systems; it is applicable to the design and use of biometric recognition systems.
--- Part 2: Data format. The purpose is to standardize the data format related to presentation attack detection; it is applicable to data exchange between biometric recognition systems.
--- Part 3: Testing and reporting. The purpose is to set out the factors that need to be considered in evaluating presentation attack detection capability, and the evaluation methods; it is applicable to the analysis and evaluation of the presentation attack detection capability of biometric systems.

The process of presenting a prosthesis or human body feature to a biometric acquisition subsystem in a manner intended to interfere with the
system's policies is called a presentation attack. GB/T 41815 (all parts) addresses techniques for the automatic detection of presentation attacks. These techniques are called presentation attack detection (PAD) mechanisms.

As with biometric recognition, PAD mechanisms are subject to false positive and false negative errors. A false positive error misclassifies a normal presentation as an attack presentation, which may flag or inconvenience legitimate users. A false negative error misclassifies a presentation attack (also known as an attack presentation) as a normal presentation, which can lead to security breaches. Therefore, which PAD implementation to use depends on the requirements of the specific application and on the trade-off between security, strength and efficiency.

The purpose of preparing this document is to:
--- define the terms for testing and reporting related to biometric presentation attack detection;
--- specify the principles and methods, including indicators, for evaluating the performance of biometric presentation attack detection.

This document is intended for suppliers or laboratories that need to evaluate PAD mechanisms.

Biometric performance testing terminology, practices and methods of statistical analysis have been standardized. Indicators such as FAR, FRR and FTE are widely used to characterize the performance of biometric identification systems. Because biometric performance testing and PAD mechanism testing differ markedly, the terminology, practices and statistical analysis methods of biometric performance testing are only partially applicable to the assessment of PAD mechanisms. The differences between biometric performance tests and PAD mechanism tests can be grouped into the following categories:

a) Statistical significance

Biometric performance testing uses a statistically significant number of test subjects representative of the target user group. The error rate does not change appreciably when more test subjects are added or when a completely different test group is used. In general, taking more measurements increases the accuracy of the error rate.

In PAD testing, many biometric modalities can be attacked by a large or indeterminate number of potential PAI types. In these cases, it is difficult or even impossible to have a comprehensive model of all possible PAIs, so it is impossible to find a representative set of PAI types to evaluate. Therefore, it cannot be assumed that the error rate measured for one set of PAIs also applies to another set. PAI types are a source of systematic variation across trials. Different PAIs may have significantly different error rates. Furthermore, within any given PAI type, the differences between instances in a PAI series vary randomly. The number of presentations required for statistical significance is linear in the number of PAI types of concern. Within each PAI type, the uncertainty in the PAD error rate depends on the number of prostheses tested and on the number of individuals.

Example 1: In fingerprint recognition, many effective prosthesis materials are known, but any material or mixture of materials that can present the characteristics of a fingerprint to a biometric sensor is a possible candidate. Because characteristics of the prosthesis such as age, thickness, humidity, temperature, mixing rate and manufacturing specifications have a significant impact on the output of the PAD mechanism, tens of thousands of PAI types are easily identified using current materials. Thousands of presentations are required for proper statistical analysis. Even then, the resulting error rate cannot be applied to the next set of new materials.

b) Comparability of test results across systems

In biometric performance testing, error rates obtained on the same biometric sample library can be used to compare different biometric
recognition systems or different configurations. What "better" and "worse" mean is commonly understood.

In contrast, when benchmarking PAD mechanisms using error rates, words such as "better" can be highly dependent on the expected application.

Example 2: In a given test scenario, there are 10 types of PAI (presented 100 times). System 1 detects 90% of attack presentations; System 2 detects 85%. System 1 detected all presentations of 9 PAI types but failed to detect all presentations of the 10th PAI type. System 2 detects 85% for all PAI types. Which is better? In a security analysis, System 1 will be worse than System 2, because exposing the 10th PAI type will lead the attacker to use this method to always defeat the acquisition equipment. However, if an attacker could be prevented from using the 10th PAI type, then System 1 would be better than System 2, since the individual rates show that all PAI types have the potential to overcome System 2.

c) Cooperation

In many applications of biometric performance testing, such as access control, the subjects are cooperative. Errors are caused by improper operation due to a lack of knowledge, experience or guidance, and are not produced intentionally. Apparent non-cooperative behavior in the group is not part of the underlying "biometric model", and would render the known error rates nearly useless for biometric performance testing.

PAD testing includes subjects who behave uncooperatively. Attackers will attempt to discover and exploit any weaknesses in the biometric system in order to circumvent or manipulate its intended operation. Depending on the tester's experience and knowledge, the type of presentation attack can significantly change the success rate of an attack. It is therefore difficult to define a test procedure that evaluates the error rate under typical cooperative behavior.

d) Automated testing

In biometric performance testing, comparison algorithms can often be tested using a database derived from devices or sensors of similar quality. The technical evaluation of performance can be carried out using a previously collected sample library that meets the relevant requirements of GB/T 29268.1.

In PAD testing, data from biometric sensors (such as digitized fingerprint images) may not be sufficient for evaluation. A biometric system with a PAD mechanism usually contains additional sensors to detect biometric characteristics. Therefore, a database previously collected for a specific biometric system or configuration may not be applicable to another biometric system or configuration. Even small changes in hardware or software can invalidate earlier measurements. Storing multivariate synchronized PAD signals and using these signals in automated tests will not work. Therefore, PAD mechanisms are in general not tested and evaluated using automated testing methods.

e) Quality and performance

In biometric performance testing, performance is usually directly related to the quality of the biometric data. Often, low-quality samples lead to a higher error rate, while high-quality samples lead to a lower error rate. Therefore, quality metrics are often used to improve performance (depending on the application).

In PAD testing, there is no reason to think that a prosthesis has low biometric quality, even though it is possible that unsuccessful prosthesis presentations challenge a certain level of quality. The quality of samples from prostheses can be better than that of samples from human biometric characteristics. In the absence of a model of attacker skill, it is possible (at least in security assessments) to assume a "worst case", i.e. the attacker always uses the best quality available. In this way, at least a minimum detection rate on the specified test set is ensured, while the necessary number of tests is reduced. Then there is the question of assessing the potential for a successful prosthesis
attack (the level of quality and expertise required to meet the requirements) in order to assess the level of security, which is the norm in Common Criteria assessments.

From the analysis of differences a) to e), the following general conclusions about the error rates and related indicators of PAD mechanisms can be drawn:
--- In the evaluation, different types of PAI are analyzed/rated separately;
--- For a PAI type, as long as the attack classification error rate is not 0%, it proves that the PAI is successful. Different testers may achieve higher or lower attack classification error rates for this PAI type. Furthermore, training in identifying the relevant materials and parameters can increase the attack classification error rate for this PAI type. The experience and knowledge of the testers, as well as the availability of the necessary resources, are important factors in PAD testing and should be taken into account when performing comparisons or performance analysis;
--- The error rate of a PAD mechanism is determined by the specific environment, PAI type set, application, test method and tester for the given PAD mechanism. Error rates for PAD mechanisms are not necessarily comparable across similar trials and are not necessarily repeatable across different laboratories.

Information technology - Biometric presentation attack detection - Part 3: Testing and reporting

1 Scope

This document specifies:
--- the principles and methods for evaluating the performance of presentation attack detection mechanisms;
--- the reporting of evaluation results for presentation attack detection mechanisms;
--- a classification of known attack types (see Appendix A).

The following are outside the scope of this document:
--- standardization of specific presentation attack detection mechanisms;
--- detailed information on countermeasures (such as anti-spoofing techniques), algorithms or sensors;
--- biometric system-level security or vulnerability assessment.

The attacks considered in GB/T 41815 are those that occur at the acquisition device during the presentation and collection of biometric characteristics. Other attacks are not within the scope of GB/T 41815.

This document is applicable to the design, development, integration and testing of software and hardware products related to biometric presentation attack detection.

2 Normative references

The contents of the following documents constitute essential provisions of this document through normative references in the text. For dated references, only the version corresponding to the date applies to this document; for undated references, the latest version (including all amendments) applies to this document.

cabulary-Part 37:Biometrics)
Note: GB/T 5271.37-2022 Information Technology Vocabulary Part 37 (ISO/IEC 2382-37:2022, MOD)

ISO/IEC 15408-1 Information security, cybersecurity and privacy protection, information technology security assessment criteria - Part 1: Introduction and
Note: GB/T 18336.1-2015 Information technology security technology Information technology security assessment criteria Part 1: Introduction and general model (ISO/IEC 15408-1:2009, IDT)

ISO/IEC 15408-2 Information security Network security and privacy protection Information technology security assessment criteria Part 2: Security function
Note: GB/T 18336.2-2015 Information Technology Security Technology Information Technology Security Assessment Criteria Part 2: Security Functional Components (ISO/IEC 15408-2:2008, IDT)

ISO/IEC 15408-3 Information Security Network Security and Privacy Protection Information Technology Security Assessment Criteria Part 3: Security
Note: GB/T 18336.3-2015 Information Technology Security Technology Information Technology Security Assessment Criteria Part 3: Security Assurance Components (ISO/IEC 15408-3:2008, IDT)

......

Tips & Frequently Asked Questions:

Question 1: How long will the true-PDF of GB/T 41815.3-2023_English be delivered?
Answer: Upon your order, we will start to translate GB/T 41815.3-2023_English as soon as possible, and keep you informed of the progress. The lead time is typically 4 ~ 6 working days. The lengthier the document the longer the lead time.

Question 2: Can I share the purchased PDF of GB/T 41815.3-2023_English with my colleagues?
Answer: Yes. The purchased PDF of GB/T 41815.3-2023_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet.

Question 3: Does the price include tax/VAT?
Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countries

Question 4: Do you accept my currency other than USD?
Answer: Yes. If you need your currency to be printed on the invoice, please write an email to Sales@ChineseStandard.net. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.
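
The per-PAI-type analysis called for by Example 2 and by the closing conclusions of the Introduction, as an added example (not part of the standard or of this page): it tallies PAD decisions per PAI type, reports each type's attack classification error rate with a Wilson score interval, and contrasts the pooled detection rate with the worst-case type. The trial records are constructed, assuming 100 presentations of each of the 10 PAI types; the function names and the `PAI-01` to `PAI-10` labels are hypothetical.

```python
import math
from collections import defaultdict

Z95 = 1.96  # normal quantile for a two-sided 95% interval


def wilson_interval(errors, n, z=Z95):
    """Wilson score interval for the error proportion errors/n."""
    if n == 0:
        raise ValueError("no presentations recorded for this PAI type")
    p = errors / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def evaluate(trials):
    """trials: iterable of (pai_type, detected) for attack presentations only.

    Returns per-type attack classification error rates with intervals, the
    pooled detection rate, and the PAI type with the highest error rate.
    """
    counts = defaultdict(lambda: [0, 0])  # PAI type -> [missed, total]
    for pai_type, detected in trials:
        counts[pai_type][1] += 1
        if not detected:
            counts[pai_type][0] += 1
    if not counts:
        raise ValueError("no attack presentations supplied")
    per_type = {
        t: {"n": n, "error_rate": m / n, "ci95": wilson_interval(m, n)}
        for t, (m, n) in counts.items()
    }
    missed = sum(m for m, _ in counts.values())
    total = sum(n for _, n in counts.values())
    worst = max(per_type, key=lambda t: per_type[t]["error_rate"])
    return {
        "per_type": per_type,
        "pooled_detection_rate": 1 - missed / total,
        "worst_type": worst,
        "worst_error_rate": per_type[worst]["error_rate"],
    }


def build_example_2():
    """Constructed records for Example 2 (100 presentations per type assumed)."""
    system_1, system_2 = [], []
    for k in range(1, 11):
        name = f"PAI-{k:02d}"
        for i in range(100):
            # System 1: detects every presentation of types 1-9, none of type 10.
            system_1.append((name, k != 10))
            # System 2: detects 85 of every 100 presentations of each type.
            system_2.append((name, i < 85))
    return system_1, system_2


if __name__ == "__main__":
    s1, s2 = (evaluate(t) for t in build_example_2())
    for label, r in (("System 1", s1), ("System 2", s2)):
        lo, hi = r["per_type"][r["worst_type"]]["ci95"]
        print(f"{label}: pooled detection {r['pooled_detection_rate']:.0%}, "
              f"worst type {r['worst_type']} error {r['worst_error_rate']:.0%} "
              f"(95% CI {lo:.1%} to {hi:.1%})")
```

On the constructed data, System 1 pools to 90% detection yet has one PAI type with a 100% error rate, and a type with zero observed misses in 100 presentations still carries an upper bound near 3.7%, which is why the pooled figure alone cannot rank the two systems.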