In a comparison of biometric systems what is the crossover error rate

Type 3 authentication: something you are

Type 3 authentication (something you are) is biometrics, which uses physical characteristics as a means of identification or authentication. Biometrics may be used to establish an identity or to authenticate (prove an identity claim). For example, an airport facial recognition system may be used to establish the identity of a known terrorist, and a fingerprint scanner may be used to authenticate the identity of a subject (who makes the identity claim and then swipes his or her finger to prove it).

Biometric enrollment and throughput

Enrollment describes the process of registering with a biometric system: creating an account for the first time. Users typically provide their username (identity), a password or PIN, and then provide biometric information, such as swiping fingerprints on a fingerprint reader or having a photograph taken of their irises. Enrollment is a one-time process that should take 2 minutes or less.

Throughput describes the process of authenticating to a biometric system. This is also called the biometric system response time. A typical throughput is 6-10 seconds.

Accuracy of biometric systems

The accuracy of biometric systems should be considered before implementing a biometric control program. Three metrics are used to judge biometric accuracy: the False Reject Rate (FRR), the False Accept Rate (FAR), and the Crossover Error Rate (CER).

False reject rate

A false rejection occurs when an authorized subject is rejected by the biometric system as unauthorized. False rejections are also called a Type I error. False rejections cause frustration of the authorized users, reduction in work due to poor access conditions, and expenditure of resources to revalidate authorized users.

False accept rate

A false acceptance occurs when an unauthorized subject is accepted as valid. If an organization’s biometric control is producing a lot of false rejections, the organization might have to lower the accuracy of the system by reducing the amount of data it collects when authenticating subjects. When the number of data points is reduced, the false acceptance rate rises, and with it the risk of an unauthorized user gaining access. This type of error is also called a Type II error.

Crunch Time

A false accept is worse than a false reject: most organizations would rather reject authentic subjects than accept impostors. FARs (Type II errors) are worse than FRRs (Type I errors). Two is greater than one, which will help you remember that FAR is Type II, and that Type II errors are worse than Type I errors (FRRs).

Crossover Error Rate

The Crossover Error Rate (CER) describes the point where the False Reject Rate (FRR) and False Accept Rate (FAR) are equal. CER is also known as the Equal Error Rate (EER). The Crossover Error Rate describes the overall accuracy of a biometric system.

As the sensitivity of a biometric system increases, FRRs will rise and FARs will drop. Conversely, as the sensitivity is lowered, FRRs will drop and FARs will rise. Figure 1.2 shows a graph depicting the FAR versus the FRR. The CER is the intersection of both lines of the graph as shown in Figure 1.2, based on the ISACA Biometric Auditing Guide, G36 [5].

Figure 1.2. Crossover error rate.

Types of biometric controls

There are a number of biometric controls used today. Below are the major implementations and their specific pros and cons with regard to access control security.

Fingerprints

Fingerprints are the most widely used biometric control available today. Smartcards can carry fingerprint information. Many U.S. Government office buildings rely on fingerprint authentication for physical access to the facility. Examples include smart keyboards, which require users to present a fingerprint to unlock the computer’s screen saver.

The data used for storing each person’s fingerprint must be of a small enough size to be used for authentication. This data is a mathematical representation of fingerprint minutiae, specific details of fingerprint friction ridges, which include whorls, ridges, bifurcation, and others. Figure 1.3 shows minutiae types (from left) bifurcation, ridge ending, core, and delta [6].

Figure 1.3. Fingerprint minutiae [10].

Retina scan

A retina scan is a laser scan of the capillaries that feed the retina of the back of the eye. This can seem personally intrusive because the light beam must directly enter the pupil, and the user usually needs to press their eye up to a laser scanner eyecup. The laser scan maps the blood vessels of the retina. Health information of the user can be gained through a retina scan: conditions such as pregnancy and diabetes can be determined, which may raise legitimate privacy issues. Because of the need for close proximity of the scanner in a retina scan, exchange of bodily fluids is possible when using retina scanning as a means of access control.

Exam Warning

Retina scans are rarely used because of health risks and invasion-of-privacy issues. Alternatives should be considered for biometric controls that risk exchange of bodily fluid or raise legitimate privacy concerns.

Iris scan

An iris scan is a passive biometric control. A camera takes a picture of the iris (the colored portion of the eye) and then compares it with the photographs stored in the authentication database. This also works through contact lenses and glasses. Each person’s two irises are unique, even twins’ irises. Benefits of iris scans include high accuracy, passive scanning (which may be accomplished without the subject’s knowledge), and no exchange of bodily fluids.

Hand geometry

In hand geometry biometric control, measurements are taken from specific points on the subject’s hand: “The devices use a simple concept of measuring and recording the length, width, thickness, and surface area of an individual’s hand while guided on a plate.” [7] Hand geometry devices are fairly simple and can store information in as little as 9 bytes.

Keyboard dynamics

Keyboard dynamics refers to how hard a person presses each key and the rhythm by which the keys are pressed. Surprisingly, this type of access control is cheap to implement and can be effective. As people learn how to type and use a computer keyboard, they develop specific habits that are difficult to impersonate, although not impossible.

Dynamic signature

Dynamic signatures measure the process by which someone signs his or her name. This process is similar to keyboard dynamics, except that this method measures the handwriting of the subjects while they sign their name. Measuring time, pressure, loops in the signature, and beginning and ending points all help to ensure the user is authentic.

Voiceprint

A voiceprint measures the subject’s tone of voice while stating a specific sentence or phrase. This type of access control is vulnerable to replay attacks (replaying a recorded voice), so other access controls must be implemented along with the voiceprint. One such control requires subjects to state random words, protecting against an attacker playing prerecorded specific phrases. Another issue is people’s voices may substantially change due to illness, resulting in a false rejection.

Facial scan

Facial scan technology has greatly improved over the past few years. Facial scanning (also called facial recognition) is the process of passively taking a picture of a subject’s face and comparing that picture to a list stored in a database. Although not frequently used for biometric authentication control due to the high cost, law enforcement and security agencies use facial recognition and scanning technologies for biometric identification to improve security of high-valued, publicly accessible targets.

Assessing the quality of biometric systems

The operation of a biometric user identification system (БСИ) is described by technical and cost parameters. The quality of such a system is characterized by the percentage of errors made during the admission procedure. Three kinds of errors are distinguished:

FRR (False Rejection Rate), error of the first kind: the probability of taking "one of our own" for a "stranger". In commercial systems this error is usually chosen to be about 0.01, since it is considered that by allowing several attempts for legitimate users this error can be improved artificially. In some cases (say, under heavy traffic, so as not to create queues) FRR must be improved to 0.001-0.0001. In systems on the market, FRR is usually in the range 0.025-0.01.

FAR (False Acceptance Rate), error of the second kind: the probability of taking a "stranger" for "one of our own". In systems on the market this error mostly ranges from 10^-3 to 10^-6, although there are solutions with FAR = 10^-9. The larger this error, the more coarsely the system works and the more likely a "stranger" gets in; therefore, in systems with a large number of users or transactions one should aim for small FAR values.

EER (Equal Error Rate): the probability at which errors of the first and second kind are equal.

Biometric technologies are based on biometry, the measurement of the unique characteristics of an individual person. These may be unique traits present from birth, for example DNA, fingerprints or the iris of the eye, as well as characteristics acquired over time or capable of changing with age or external influence, for example handwriting, voice or gait.

All biometric systems work in practically the same way. First, the system stores a sample of the biometric characteristic (this is called the enrollment process). During enrollment some biometric systems may ask for several samples in order to compile the most accurate image of the biometric characteristic. The information obtained is then processed and converted into a mathematical code. In addition, the system may ask for some further actions in order to "bind" the biometric sample to a particular person. For example, a personal identification number (PIN) is attached to a particular sample, or a smart card containing the sample is inserted into a reader. In that case a sample of the biometric characteristic is taken again and compared with the presented sample. Identification in any biometric system passes through four stages:

Enrollment: a physical or behavioral sample is stored by the system;

Extraction: the unique information is taken from the sample and a biometric template is composed;

Comparison: the stored template is compared with the presented one;

Match/non-match: the system decides whether the biometric samples match and issues a decision.

The overwhelming majority of people believe that the computer's memory stores an image of the fingerprint, the person's voice or a picture of the iris of the eye. In most modern systems this is not actually so. A special database stores a digital code up to 1000 bits long that is associated with a particular person who has the right of access. A scanner or any other device used in the system reads a particular biological parameter of the person. It then processes the resulting image or sound, converting it into a digital code. It is this key that is compared with the contents of the special database to identify the person [19].

The advantage of biometric identification is that biometric protection is more effective than, for example, passwords, smart cards, PIN codes, tokens or public key infrastructure technology. This is explained by the ability of biometrics to identify not a device but a person.

Conventional protection methods risk the loss or theft of information, which then becomes open to illegitimate users. An exclusive biometric identifier, such as fingerprints, is a key that cannot be lost [18].

Source

Biometric security and hypothesis testing

A few weeks ago I wrote about how there are many ways to summarize the operating characteristics of a test. The most basic terms are accuracy, precision, and recall, but there are many others. Nobody uses all of them. Each application area has its own jargon.

Biometric security has its own lingo, and it doesn’t match any of the terms in the list I gave before.

False Acceptance Rate

Biometric security uses False Acceptance Rate (FAR) for the proportion of times a system grants access to an unauthorized person. In statistical terms, FAR is a Type II error. It is also known as the False Match Rate (FMR).

False Rejection Rate

False Rejection Rate (FRR) is the proportion of times a biometric system fails to grant access to an authorized person. In statistical terms, FRR is a Type I error. FRR is also known as the False Non-Match Rate (FNMR).

Crossover Error Rate

One way to summarize the operating characteristics of a biometric security system is to look at the Crossover Error Rate (CER), also known as the Equal Error Rate (EER). The system has parameters that can be tuned to adjust the FAR and FRR. Adjust these to the point where the FAR and FRR are equal. When the two are equal, their common value is the CER or EER.

The CER gives a way to compare systems. The smaller the CER the better. A smaller CER value means it’s possible to tune the system so that both the Type I and Type II error rates are smaller than they would be for another system.

Loss Function

CER is kind of a strange metric. Everyone agrees that you wouldn’t want to calibrate a system so that FAR = FRR. In security applications, FAR (unauthorized access) is worse than FRR (authorized user locked out). The former could be a disaster while the latter is an inconvenience. Of course there could be a context where the consequences of FAR and FRR are equal, or that FRR is worse, but that’s not usually the case.

A better approach would be to specify a loss function (or its negative, a utility function). If unauthorized access is K times more costly than locking out an authorized user, then you might want to know at what point K * FAR = FRR or your minimum expected loss [1] over the range of tuning parameters. The better system for you, in your application, is the one corresponding to your value of K.

Since everyone has a different value of K, it is easier to just use K = 1, even though everyone’s value of K is likely to be much larger than 1. Unfortunately this often happens in decision theory. When people can’t agree on a realistic loss function, they standardize on a mathematically convenient implicit loss function that nobody would consciously choose.

If everyone had different values of K near 1, the CER metric might be robust, i.e. it might often make the right comparison between two different systems even though the criterion is wrong. But since K is probably much larger than 1 for most people, it’s questionable that CER would rank two systems the same way people would if they could use their own value of K.

[1] These are not the same thing. To compute expected loss you’d need to take into account the frequency of friendly and unfriendly access attempts. In a physically secure location, friends may attempt to log in much more often than foes. On a public website the opposite is more likely to be true.
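The threshold sweep behind the FAR/FRR graph (Figure 1.2), the crossover point, and the K-weighted operating point and expected loss discussed under "Loss Function" can all be computed from one table of match scores. The following is an added example written for this page, not code from any of the quoted texts or their authors. It assumes a matcher that emits an integer similarity score from 0 to 1000 (higher means a stronger claim of a match) and uses two constructed score lists, 200 genuine and 200 impostor attempts, whose ranges overlap so that neither error rate can be driven to zero without raising the other. The `(far, frr)` pairs produced by the sweep are exactly the data a DET curve plots.

```python
"""Threshold sweep over genuine and impostor match scores: FAR/FRR per threshold,
the crossover (CER/EER) point, and the K-weighted operating point.

Added example for this page; the scores below are constructed, not measured.
"""
from dataclasses import dataclass

# Constructed sample (not real matcher output): 200 authorized attempts scoring
# 400..997 and 200 impostor attempts scoring 0..597, overlapping in 400..597.
GENUINE = [400 + 3 * i for i in range(200)]
IMPOSTOR = [3 * i for i in range(200)]


@dataclass(frozen=True)
class OperatingPoint:
    threshold: int
    far: float   # fraction of impostor attempts accepted (Type II error)
    frr: float   # fraction of genuine attempts rejected (Type I error)


def error_rates(genuine, impostor, threshold):
    """FAR and FRR when every score >= threshold is accepted."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def sweep(genuine, impostor, max_score=1000):
    """One operating point per threshold; the (far, frr) pairs are a DET table.

    Raising the threshold (sensitivity) lowers FAR and raises FRR, as the text says.
    """
    return [OperatingPoint(t, *error_rates(genuine, impostor, t))
            for t in range(max_score + 2)]


def crossover(points):
    """Operating point where FAR and FRR are closest; their mean is the CER/EER."""
    best = min(points, key=lambda p: abs(p.far - p.frr))
    return best, (best.far + best.frr) / 2


def weighted_operating_point(points, k):
    """Threshold minimizing K*FAR + FRR, i.e. a false accept costs K false rejects.

    K = 1 reproduces the implicit loss function behind the CER comparison.
    """
    return min(points, key=lambda p: k * p.far + p.frr)


def expected_loss(point, k, impostor_fraction):
    """Footnote [1]: weight each error by how often that kind of attempt occurs."""
    return impostor_fraction * k * point.far + (1.0 - impostor_fraction) * point.frr


if __name__ == "__main__":
    pts = sweep(GENUINE, IMPOSTOR)
    eer_pt, eer = crossover(pts)
    print(f"CER/EER {eer:.3f} at threshold {eer_pt.threshold}")
    for k in (1, 10, 100):
        p = weighted_operating_point(pts, k)
        print(f"K={k:>3}: threshold {p.threshold}, FAR {p.far:.3f}, FRR {p.frr:.3f}, "
              f"expected loss with 1% hostile attempts {expected_loss(p, k, 0.01):.4f}")
```

With the constructed scores the crossover lands at threshold 499 with FAR = FRR = 0.165, while K = 10 pushes the chosen threshold to 598, the first value at which no impostor is accepted, at the price of rejecting a third of genuine attempts. That gap between the two thresholds is the point of the "Loss Function" section: a system's CER says nothing about where you would actually operate it.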

Published at DZone with permission of John Cook, DZone MVB.

Source

Main parameters of biometric systems

Introduction

Biometric access control and admission systems (hereafter, biometrics) are currently developing rapidly, both abroad and in Russia. Indeed, using biometrics for security purposes is extremely attractive. Any key, Touch Memory tablet, proximity card or other physical identifier can be stolen and duplicated, and so used to gain access to the protected object.

A digital PIN code (entered by a person on a keypad) can be captured with an ordinary video camera, after which the person can be blackmailed or threatened with physical violence to obtain the code. Few readers have not encountered this kind of fraud, either personally or through acquaintances. A term has even appeared for this way of relieving citizens of their honestly earned money: skimming (from the English skim, as in skimming the cream).

A biometric identifier cannot be stolen or obtained by blackmail, which in the long run makes it very attractive for security and access purposes. Admittedly, one can try to create an imitation of a person's biological trait, but here the biometric system must prove itself fully and reject the forgery.

The question of "bypassing" biometric systems is a large, separate topic that we will not touch on in this article; besides, creating an imitation of a person's biological trait is no simple task.

It is particularly gratifying to note the active development of this area of security technology in Russia. For example, the Russian Society for the Promotion of Biometric Technologies, Systems and Communications («Русское общество содействия развитию биометрических технологий, систем и коммуникаций») has existed since 2002.

There is also a technical committee for standardization, ТК 098 "Biometrics and Biomonitoring", which works quite productively (more than 30 GOST standards have been issued), but what interests us most as users is ГОСТ Р ИСО/МЭК 19795-1-2007 (GOST R ISO/IEC 19795-1-2007) "Automatic identification. Biometric identification. Biometric performance testing and reporting. Part 1. Principles and framework".

Terms and definitions

To understand what the regulatory documents are writing about, we need to settle on terms and definitions. Very often the same physical principle is described under completely different names. So, the most significant parameters in biometrics:

VERIFICATION: the process in which a sample presented by the user is compared with a template enrolled in the database (GOST R ISO/IEC 19795-1-2007). The essential point is that one sample is compared with one template (a one-to-one comparison against a biometric template), so any biometric system will show better figures for verification than for identification.

IDENTIFICATION: the process in which the enrollment database is searched and a candidate list containing zero, one or more identifiers is returned (GOST R ISO/IEC 19795-1-2007). The essential point is that one sample is compared with many templates (a one-to-many comparison), and the system's error grows many times over. Identification becomes the most critical parameter for biometric systems based on recognizing the features of the human face. To a machine, people's faces are practically identical.

FAR (False Acceptance Rate): the probability of unauthorized admission (error of the first kind), the number of admissions of unauthorized persons by the system, expressed as a percentage (verification is meant). Probabilistic parameters are expressed either in absolute values (10^-5, which for FAR means that 1 person in 100,000 will be admitted without authorization) or as a percentage (the same value is 0.001%).

ВЛД (вероятность ложного допуска, probability of false admission): the GOST R ISO/IEC 19795-1-2007 term for FAR.

FRR (False Rejection Rate): the probability of false detention (error of the second kind), the number of refusals of admission to authorized persons by the system, expressed as a percentage (verification is meant).

ВЛНД (вероятность ложного недопуска, probability of false non-admission): the GOST R ISO/IEC 19795-1-2007 term for FRR.

FMR (False Match Rate): the probability of a false match of parameters. We have read this somewhere already (see FAR), but in this case one sample is compared with many templates stored in the database, i.e. identification takes place.

ВЛС (вероятность ложного совпадения, probability of false match): the GOST R ISO/IEC 19795-1-2007 term for FMR.

FNMR (False Non-Match Rate): the probability of a false non-match of parameters; here too one sample is compared with many templates stored in the database, i.e. identification takes place.

ВЛНС (вероятность ложного несовпадения, probability of false non-match): the GOST R ISO/IEC 19795-1-2007 term for FNMR.

These parameters (like the others listed above) are interrelated (Fig. 1). By changing the threshold, the "sensitivity" of the biometric system, we change FAR and FRR at the same time, choosing the required trade-off between them. Indeed, a biometric system can be tuned so that with high probability it admits enrolled users, but also with considerable probability admits unenrolled users. This is why both parameters must be stated together for a biometric system.

Fig. 1. FAR and FRR curves

If only one parameter is stated, this should put you, as a user, on guard, since this is a very easy way to inflate figures compared with a competitor. To exaggerate, the lowest FAR will be shown by a system that does not work at all: it will certainly never admit anyone without authorization.

A more or less objective parameter of a biometric system is the EER.

EER (equal error rate) is the rate at which the two errors (the acceptance error and the rejection error) are equal. The lower the EER, the higher the accuracy of the biometric system.

A similar graph is plotted for FMR and FNMR (Fig. 2). Note that this graph must always be tied to the size of the database (the numbers are usually chosen in steps of 100, 1000, 10,000 templates and so on).

Fig. 2. FMR and FNMR curves

КОО (кривая компромиссного определения ошибки), the detection error trade-off curve (DET curve): a modified operating characteristic curve whose axes carry the error probabilities (false positive on the X axis, false negative on the Y axis) (GOST R ISO/IEC 19795-1-2007).

The DET (КОО) curve is used to plot comparison error probabilities (ВЛНС (FNMR) as a function of ВЛС (FMR)), decision error probabilities (ВЛНД (FRR) as a function of ВЛД (FAR)) (Fig. 3-4), and open-set identification probabilities (ВЛОИ as a function of ВЛПИ) (GOST R ISO/IEC 19795-1-2007).

Fig. 3. DET graph

Fig. 4. Example DET (КОО) curves (GOST R ISO/IEC 19795-1-2007)

Graphs depicting the performance of biometric systems are quite numerous; at times one gets the impression that their purpose is to confuse the trusting user. There is also РХ, the receiver operating characteristic curve (ROC curve) (Fig. 5-6), and you will of course understand that these are far from the last curves and dependencies that exist in biometrics, but for clarity we will not dwell on them.

Fig. 5. Example set of ROC (РХ) curves (GOST R ISO/IEC 19795-1-2007)

Fig. 6. Example ROC curve

ROC (РХ) curves do not depend on the threshold, which allows comparison of the performance of different biometric systems used under similar conditions, or of one biometric system used under different environmental conditions.

ROC (РХ) curves are used to depict the performance of a comparison algorithm (1 - ВЛНС as a function of ВЛС, i.e. 1 - FNMR against FMR), the performance of biometric verification systems (1 - ВЛНД as a function of ВЛД, i.e. 1 - FRR against FAR), and the performance of open-set biometric identification systems (identification probability as a function of ВЛПИ).

Note: ВЛПИ is the probability of false-positive identification (FPIR, false-positive identification-error rate), i.e. the proportion of identification transactions by users not enrolled in the system that return an identifier (GOST R ISO/IEC 19795-1-2007).

The most important points

1) The parameters FAR (ВЛД), FRR (ВЛНД), and FMR (ВЛС), FNMR (ВЛНС) only make sense when considered together.

2) The lower the EER, the higher the accuracy of the biometric system.

3) It is good form for a biometric system to come with DET (КОО) and ROC (РХ) graphs.

Границы параметров FAR и FRR биометрических систем

Теперь давайте прикинем, какие параметры FAR и FRR должны быть у биометрических систем. Обратимся за аналогией к требованиям для цифрового кодонаборника. Согласно ГОСТ число значимых десятичных цифр должно быть не менее 6, т.е. диапазон 0-999999, или 107 вариантов кода. Тогда вероятность FAR — 10-7, а вероятность FRR определяется работоспособностью системы, т.е. стремится к нулю.

В банкоматах используется 4-разрядный десятичный код (что не соответствует ГОСТ), и тогда FAR будет составлять 10-5. Возьмем FAR = 10-5 за определяющий параметр. Какое значение можно взять за приемлемое для FRR? Это зависит от задач биометрической системы, но нижняя граница должна находиться в диапазоне 10-2, т.е. вас, как легального пользователя, система не допустит только один раз из ста попыток. Для систем с большой пропускной способностью, например, проходная завода, это значение должно быть 10-3, иначе не понятно назначение биометрии, если мы не избавились от «человеческого» фактора.

Многие биометрические системы заявляют похожие и даже на порядок лучшие характеристики, но поскольку наши величины являются вероятностными, то необходимо указывать доверительный интервал этой величины. С этого момента производители биометрии предпочитают не вдаваться в подробности и не указывать данный параметр.

Если методика расчета, схема эксперимента и доверительный интервал не указаны, то по умолчанию подразумевается действие правила «тридцати», которое выдвинул J. F. Poter в работе «On the 30 error criterion)) (1997).

Об этом же говорит и ГОСТ Р ИСО/ МЭК19795-1-2007. В правиле «тридцати» утверждается, что для того, чтобы с доверительной вероятностью 90% истинная вероятность ошибки находилась в диапазоне ±30% от установленной вероятности ошибки, должно быть зарегистрировано не менее 30 ошибок. Например, если получены 30 ошибок ложного несоответствия в 3000 независимых испытаниях, можно с доверительной вероятностью 90% утверждать, что истинная вероятность ошибки находится в диапазоне от 0,7% до 1,3%. Правило следует непосредственно из биноминального распределения при независимых испытаниях и может применяться с учетом ожидаемых эксплуатационных характеристик для выполнения оценки.

После этого следует логичный вывод: чтобы получить величину ложного доступа в 10-5, нужно провести 3х106 опытов, что практически невозможно осуществить физически при реальном тестировании биометрической системы. Вот тут нас начинают мучить смутные сомнения.

Остается надеяться, что такое тестирование было проведено в лаборатории путем сравнения шаблонов вводимых биометрических признаков с шаблонами базы данных системы. Лабораторные испытания позволяют достаточно корректно оценить надежность заложенных алгоритмов обработки данных, но не реальную работу системы. Лабораторные испытания исключают такие воздействия на биометрическую систему, как электромагнитные наводки (актуально для всех систем биометрии), за-пыление или загрязнение контактных или дистанционных устройств считывания биометрического параметра, реальное поведение человека при взаимодействии с устройствами биометрии, недостаток или избыток освещения, периодическое изменение освещенности и т.д., да мало ли, что еще может повлиять на такую сложную систему, как система биометрии. Если бы человек мог заранее предугадать все негативно-действующие факторы, то можно было бы и не проводить натурные испытания.

From experience with other security systems we can state that even 45 days of operating a security system does not reveal most of its hidden problems, and only trial operation for 1 to 1.5 years makes it possible to eliminate them. Developers even have a term for this: "teething troubles". Every system has to go through them.

Thus, in addition to laboratory tests, field trials must also be carried out; naturally, with a smaller number of trials the confidence intervals must be estimated by other methods.

Let us turn to the textbook by E. S. Wentzel, "Probability Theory" (Moscow: Nauka, 1969, p. 334), which states that if the probability P is very large or very small (which certainly corresponds to the real results of measuring probabilities for biometric systems), the confidence interval is constructed not from the approximate but from the exact distribution law of the frequency. It is easy to see that this is the binomial distribution. Indeed, the number of occurrences of event A in n trials is binomially distributed: the probability that event A occurs exactly m times equals

and the frequency p* is nothing other than the number of occurrences of the event divided by the number of trials.

That work gives a graphical dependence of the confidence interval on the number of trials conducted (Fig. 7) for confidence level β = 0.9.


Fig. 7. Graphical dependence of the confidence interval on the number of trials conducted

Consider an example. We ran 100 field trials and obtained an event probability of 0.7. We then mark the frequency value p* = 0.7 on the abscissa axis, draw a line through this point parallel to the ordinate axis, and mark the points where this line intersects the pair of curves corresponding to the given number of trials n = 100; the projections of these points onto the ordinate axis give the bounds p1 = 0.63, p2 = 0.77 of the confidence interval.

For cases where the accuracy of the graphical method is insufficient, one can use the fairly detailed tables of the confidence interval (Fig. 8) given in the work of I. V. Dunin-Barkovsky and N. V. Smirnov, "Probability Theory and Mathematical Statistics in Engineering" (Moscow: State Publishing House of Technical and Theoretical Literature, 1955). In this table x is the numerator and n the denominator of the relative frequency. Probabilities are multiplied by 1000.

Consider an example. We ran 204 field trials, in which the event occurred 4 times. The probability P = 4/204 = 0.0196; the bounds of the confidence interval are p1 = 0.049, p2 = 0.005.
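As an added worked example (not from the article; the function names are my own), the following Python code computes the exact two-sided binomial (Clopper-Pearson) confidence interval numerically, so the same arithmetic covers both the rule-of-thirty case (30 errors in 3000 trials, 90% confidence) and the tabulated case (4 events in 204 trials, 95% confidence) without a chart or table; it also derives the trial count the rule of thirty demands for a claimed FAR of 10^-5 and checks how much confidence the ±30% bounds actually deliver.

```python
import math


def log_binom_pmf(n: int, k: int, p: float) -> float:
    """log P(X = k) for X ~ Binomial(n, p), computed in log space so that
    large n (thousands of trials) neither overflows nor underflows."""
    if p <= 0.0:
        return 0.0 if k == 0 else -math.inf
    if p >= 1.0:
        return 0.0 if k == n else -math.inf
    log_comb = math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
    return log_comb + k * math.log(p) + (n - k) * math.log1p(-p)


def binom_cdf(n: int, k: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.exp(log_binom_pmf(n, i, p)) for i in range(0, k + 1))


def _bisect(f, target: float, increasing: bool) -> float:
    """Solve f(p) = target for p in (0, 1) by bisection; f must be monotone."""
    lo, hi = 0.0, 1.0
    for _ in range(200):
        mid = (lo + hi) / 2
        if (f(mid) < target) == increasing:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def exact_binomial_ci(errors: int, trials: int, confidence: float = 0.90):
    """Exact (Clopper-Pearson) two-sided confidence interval for the error
    probability after observing `errors` in `trials` independent attempts.
    This is the 'exact distribution of the frequency' the article refers to."""
    if trials <= 0 or not 0 <= errors <= trials:
        raise ValueError("need trials > 0 and 0 <= errors <= trials")
    tail = (1.0 - confidence) / 2.0
    # Lower bound: P(X >= errors | p) grows with p; find where it equals the tail.
    if errors == 0:
        lower = 0.0
    else:
        lower = _bisect(lambda p: 1.0 - binom_cdf(trials, errors - 1, p),
                        tail, increasing=True)
    # Upper bound: P(X <= errors | p) shrinks with p; find where it equals the tail.
    if errors == trials:
        upper = 1.0
    else:
        upper = _bisect(lambda p: binom_cdf(trials, errors, p),
                        tail, increasing=False)
    return lower, upper


def coverage_of_interval(errors: int, trials: int, lower: float, upper: float) -> float:
    """Approximate confidence actually delivered by a stated interval: one minus
    the two tail probabilities of the observation under each bound. Used here
    to check the rule-of-thirty bounds (+/-30% around the measured rate)."""
    low_tail = 1.0 - binom_cdf(trials, errors - 1, lower)   # P(X >= errors | lower)
    high_tail = binom_cdf(trials, errors, upper)            # P(X <= errors | upper)
    return 1.0 - low_tail - high_tail


def rule_of_thirty_trials(target_rate: float) -> int:
    """Trials needed to observe 30 errors at the claimed error rate."""
    # round() first strips floating-point noise such as 3000000.0000000005
    return math.ceil(round(30 / target_rate, 6))


if __name__ == "__main__":
    # Rule-of-thirty case from the article: 30 errors in 3000 trials, 90% confidence.
    print("30/3000, 90%%: %.4f .. %.4f" % exact_binomial_ci(30, 3000, 0.90))
    print("coverage of 0.007..0.013: %.3f" % coverage_of_interval(30, 3000, 0.007, 0.013))
    # Tabulated case from the article: 4 events in 204 trials, 95% confidence.
    print("4/204, 95%%: %.4f .. %.4f" % exact_binomial_ci(4, 204, 0.95))
    # Trials the rule of thirty requires to confirm a FAR of 1e-5.
    print("trials for FAR 1e-5:", rule_of_thirty_trials(1e-5))
```

The 30/3000 interval comes out close to the article's 0.7%–1.3%, the 4/204 interval reproduces the tabulated 0.005 and 0.049, and the trial count for FAR = 10^-5 is the 3×10^6 quoted above.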

In theory, the parameters declared in the documentation should be confirmed by certificates. However, in Russia voluntary certification applies in almost all areas of life, so products are certified against whatever requirements the vendor wants, or is able, to obtain a certificate for.

Take the first certificate for a biometric system that comes to hand, and you will see six GOST standards listed, none of which contains the parameters listed above. Thank goodness they at least relate to security equipment and safety standards. This is not even the worst case: we have come across receivers and transmitters of radio data transmission systems (RSPI) certified as electrical machines.

Fig. 8. Fragment of the tabulated dependence of the confidence interval on the number of trials conducted, for confidence level β = 0.95

The most important points of the above

1) The FAR (false acceptance rate, ВЛД) must be no lower than the 10^-5 level, and the FRR (false rejection rate, ВЛНД) must lie in the range 10^-2 to 10^-3.

2) Do not unconditionally trust the probability parameters given in the documentation; they can be taken only as a guideline.

3) In addition to laboratory tests, field trials of biometric systems must be carried out.

4) Try to obtain from the developer, manufacturer or vendor as much information as possible about the real biometric parameters of the system and the method by which they were obtained.

5) Do not be lazy about working out which GOST standard(s), and which clauses of those standard(s), the biometric system has been certified against.

Source

Last Updated on December 11, 2018 by



Quiz Instructions

This quiz covers all of the content in Cybersecurity Essentials 1.1. It is designed to test the skills and knowledge presented in the course.

There are multiple task types that may be available in this quiz.

NOTE: Quizzes allow for partial credit scoring on all item types to foster learning. Points on quizzes can also be deducted for answering incorrectly.

  1. A cybersecurity specialist is asked to identify the potential criminals known to attack the organization. Which type of hackers would the cybersecurity specialist be least concerned with?

    • black hat hackers
    • gray hat hackers
    • script kiddies
    • white hat hackers
  2. Which statement best describes a motivation of hacktivists?

    • They are trying to show off their hacking skills.
    • They are interested in discovering new exploits.
    • They are curious and learning hacking skills.
    • They are part of a protest group behind a political cause.

      Explanation:

  3. What is an example of early warning systems that can be used to thwart cybercriminals?

    • Infragard
    • ISO/IEC 27000 program
    • Honeynet project
    • CVE database

      Explanation:

  4. Which technology should be used to enforce the security policy that a computing device must be checked against the latest antivirus update before the device is allowed to connect to the campus network?

    • SAN
    • VPN
    • NAC
    • NAS

      Explanation:

  5. Which data state is maintained in NAS and SAN services?

    • stored data
    • data in-transit
    • encrypted data
    • data in-process

      Explanation:

  6. What are three states of data during which data is vulnerable? (Choose three.)

    • purged data
    • stored data
    • data in-process
    • data encrypted
    • data decrypted
    • data in-transit

      Explanation:

  7. Which technology can be used to ensure data confidentiality?

    • hashing
    • identity management
    • encryption
    • RAID

      Explanation:

  8. A cybersecurity specialist is working with the IT staff to establish an effective information security plan. Which combination of security principles forms the foundation of a security plan?

    • secrecy, identify, and nonrepudiation
    • confidentiality, integrity, and availability
    • technologies, policies, and awareness
    • encryption, authentication, and identification

      Explanation:

  9. What are the two most effective ways to defend against malware? (Choose two.)

    • Implement strong passwords.
    • Implement a VPN.
    • Implement RAID.
    • Update the operating system and other application software.
    • Implement network firewalls.
    • Install and update antivirus software.

      Explanation:

  10. What is an impersonation attack that takes advantage of a trusted relationship between two systems?

    • man-in-the-middle
    • spoofing
    • spamming
    • sniffing

      Explanation:

  11. Users report that the network access is slow. After questioning the employees, the network administrator learned that one employee downloaded a third-party scanning program for the printer. What type of malware might be introduced that causes slow performance of the network?

    • virus
    • worm
    • spam
    • phishing

      Explanation:

  12. Which statement describes a distributed denial of service attack?

    • An attacker views network traffic to learn authentication credentials.
    • An attacker builds a botnet comprised of zombies.
    • An attacker sends an enormous quantity of data that a server cannot handle.
    • One computer accepts data packets based on the MAC address of another computer.

      Explanation:

  13. What type of application attack occurs when data goes beyond the memory areas allocated to the application?

    • buffer overflow
    • RAM Injection
    • SQL injection
    • RAM spoofing

      Explanation:

  14. What type of attack has an organization experienced when an employee installs an unauthorized device on the network to view network traffic?

    • sniffing
    • spoofing
    • phishing
    • spamming

      Explanation:

  15. A penetration testing service hired by the company has reported that a backdoor was identified on the network. What action should the organization take to find out if systems have been compromised?

    • Look for policy changes in Event Viewer.
    • Scan the systems for viruses.
    • Look for unauthorized accounts.
    • Look for usernames that do not have passwords.

      Explanation:

  16. The IT department is tasked to implement a system that controls what a user can and cannot do on the corporate network. Which process should be implemented to meet the requirement?

    • user login auditing
    • a biometric fingerprint reader
    • observations to be provided to all employees
    • a set of attributes that describes user access rights

      Explanation:

  17. Smart cards and biometrics are considered to be what type of access control?

    • administrative
    • technological
    • logical
    • physical

      Explanation:

  18. Which access control should the IT department use to restore a system back to its normal state?

    • compensative
    • preventive
    • corrective
    • detective

      Explanation:

  19. A user has a large amount of data that needs to be kept confidential. Which algorithm would best meet this requirement?

    • 3DES
    • ECC
    • RSA
    • Diffie-Hellman

      Explanation:

  20. Alice and Bob use a pre-shared key to exchange a confidential message. If Bob wants to send a confidential message to Carol, what key should he use?

    • the private key of Carol
    • the public key of Bob
    • the same pre-shared key he used with Alice
    • a new pre-shared key

      Explanation:

  21. What happens as the key length increases in an encryption application?

    • Keyspace increases proportionally.
    • Keyspace decreases exponentially.
    • Keyspace decreases proportionally.
    • Keyspace increases exponentially.

      Explanation:

  22. In which situation would a detective control be warranted?

    • when the organization needs to repair damage
    • when the organization needs to look for prohibited activity
    • when the organization cannot use a guard dog, so it is necessary to consider an alternative
    • after the organization has experienced a breach in order to restore everything back to a normal state

      Explanation:

  23. An organization has implemented antivirus software. What type of security control did the company implement?

    • recovery control
    • deterrent control
    • compensative control
    • detective control

      Explanation:

  24. You have been asked to describe data validation to the data entry clerks in accounts receivable. Which of the following are good examples of strings, integers, and decimals?

    • 800-900-4560, 4040-2020-8978-0090, 01/21/2013
    • male, $25.25, veteran
    • female, 9866, $125.50
    • yes/no 345-60-8745, TRF562

      Explanation:

  25. Which hashing technology requires keys to be exchanged?

    • salting
    • AES
    • HMAC
    • MD5

      Explanation:

  26. Your organization will be handling market trades. You will be required to verify the identity of each customer who is executing a transaction. Which technology should be implemented to authenticate and verify customer electronic transactions?

    • data hashing
    • symmetrical encryption
    • digital certificates
    • asymmetrical encryption

      Explanation:

  27. What technology should be implemented to verify the identity of an organization, to authenticate its website, and to provide an encrypted connection between a client and the website?

    • digital signature
    • digital certificate
    • asymmetric encryption
    • salting

      Explanation:

  28. Alice and Bob are using a digital signature to sign a document. What key should Alice use to sign the document so that Bob can make sure that the document came from Alice?

    • private key from Bob
    • private key from Alice
    • username and password from Alice
    • public key from Bob

      Explanation:

  29. What is a feature of a cryptographic hash function?

    • Hashing requires a public and a private key.
    • The hash function is a one-way mathematical function.
    • The output has a variable length.
    • The hash input can be calculated given the output value.

      Explanation:

  30. A VPN will be used within the organization to give remote users secure access to the corporate network. What does IPsec use to authenticate the origin of every packet to provide data integrity checking?

    • salting
    • HMAC
    • CRC
    • password

      Explanation:

  31. Which hashing algorithm is recommended for the protection of sensitive, unclassified information?

    • MD5
    • SHA-256
    • 3DES
    • AES-256

      Explanation:

  32. Your risk manager just distributed a chart that uses three colors to identify the level of threat to key assets in the information security systems. Red represents high level of risk, yellow represents average level of threat and green represents low level of threat. What type of risk analysis does this chart represent?

    • quantitative analysis
    • exposure factor analysis
    • loss analysis
    • qualitative analysis

      Explanation:

  33. What is it called when an organization only installs applications that meet its guidelines, and administrators increase security by eliminating all other applications?

    • asset classification
    • asset availability
    • asset standardization
    • asset identification

      Explanation:

  34. Keeping data backups offsite is an example of which type of disaster recovery control?

    • management
    • preventive
    • detective
    • corrective

      Explanation:

  35. What are two incident response phases? (Choose two.)

    • detection and analysis
    • confidentiality and eradication
    • prevention and containment
    • mitigation and acceptance
    • containment and recovery
    • risk analysis and high availability

      Explanation:

  36. The team is in the process of performing a risk analysis on the database services. The information collected includes the initial value of these assets, the threats to the assets and the impact of the threats. What type of risk analysis is the team performing by calculating the annual loss expectancy?

    • quantitative analysis
    • qualitative analysis
    • loss analysis
    • protection analysis

      Explanation:

  37. What approach to availability provides the most comprehensive protection because multiple defenses coordinate together to prevent attacks?

    • obscurity
    • limiting
    • layering
    • diversity

      Explanation:

  38. Being able to maintain availability during disruptive events describes which of the principles of high availability?

    • fault tolerance
    • system resiliency
    • single point of failure
    • uninterruptible services

      Explanation:

  39. There are many environments that require five nines, but a five nines environment may be cost prohibitive. What is one example of where the five nines environment might be cost prohibitive?

    • department stores at the local mall
    • the New York Stock Exchange
    • the U.S. Department of Education
    • the front office of a major league sports team

      Explanation:

  40. Which risk mitigation strategies include outsourcing services and purchasing insurance?

    • reduction
    • avoidance
    • acceptance
    • transfer

      Explanation:

  41. Which utility uses the Internet Control Messaging Protocol (ICMP)?

    • NTP
    • ping
    • RIP
    • DNS

      Explanation:

  42. Which technology can be used to protect VoIP against eavesdropping?

    • strong authentication
    • encrypted voice messages
    • ARP
    • SSH

      Explanation:

  43. What Windows utility should be used to configure password rules and account lockout policies on a system that is not part of a domain?

    • Local Security Policy tool
    • Event Viewer security log
    • Computer Management
    • Active Directory Security tool

      Explanation:

  44. In a comparison of biometric systems, what is the crossover error rate?

    • rate of false positives and rate of acceptability
    • rate of false negatives and rate of false positives
    • rate of rejection and rate of false negatives
    • rate of acceptability and rate of false negatives

      Explanation:

  45. Which protocol would be used to provide security for employees that access systems remotely from home?

    • WPA
    • SSH
    • SCP
    • Telnet

      Explanation:

  46. Which three protocols can use Advanced Encryption Standard (AES)? (Choose three.)

    • WPA
    • TKIP
    • WPA2
    • 802.11i
    • 802.11q
    • WEP

      Explanation:

  47. Mutual authentication can prevent which type of attack?

    • wireless poisoning
    • wireless sniffing
    • wireless IP spoofing
    • man-in-the-middle

      Explanation:

  48. Which website offers guidance on putting together a checklist to provide guidance on configuring and hardening operating systems?

    • CERT
    • The National Vulnerability Database website
    • The Advanced Cyber Security Center
    • Internet Storm Center

      Explanation:

  49. Which threat is mitigated through user awareness training and tying security awareness to performance reviews?

    • user-related threats
    • device-related threats
    • cloud-related threats
    • physical threats

      Explanation:

  50. HVAC, water system, and fire systems fall under which of the cybersecurity domains?

    • device
    • network
    • physical facilities
    • user

      Explanation:



Last Updated on November 7, 2022 by

  1. What is an example of early warning systems that can be used to thwart cybercriminals?

    • CVE database
    • Infragard
    • ISO/IEC 27000 program
    • Honeynet project

      Explanation:

  2. Technologies like GIS and IoE contribute to the growth of large data stores. What are two reasons that these technologies increase the need for cybersecurity specialists? (Choose two.)

    • They require 24-hour monitoring.
    • They collect sensitive information.
    • They contain personal information.
    • They increase processing requirements.
    • They require more equipment.
    • They make systems more complicated.

      Explanation:

  3. Which two groups of people are considered internal attackers? (Choose two.)

    • ex-employees
    • amateurs
    • black hat hackers
    • hacktivists
    • trusted partners

      Explanation:

  4. Which methods can be used to implement multifactor authentication?

    • IDS and IPS
    • tokens and hashes
    • VPNs and VLANs
    • passwords and fingerprints

      Explanation:

  5. Which technology should be used to enforce the security policy that a computing device must be checked against the latest antivirus update before the device is allowed to connect to the campus network?

    • NAC
    • VPN
    • SAN
    • NAS

      Explanation:

  6. A security specialist is asked for advice on a security measure to prevent unauthorized hosts from accessing the home network of employees. Which measure would be most effective?

    • Implement a firewall.
    • Implement intrusion detection systems.
    • Implement a VLAN.
    • Implement RAID.

      Explanation:

  7. Which technology can be used to ensure data confidentiality?

    • hashing
    • identity management
    • RAID
    • encryption

      Explanation:

  8. An organization allows employees to work from home two days a week. Which technology should be implemented to ensure data confidentiality as data is transmitted?

    • VPN
    • VLANS
    • RAID
    • SHS

      Explanation:

  9. What are the two most effective ways to defend against malware? (Choose two.)

    • Implement a VPN.
    • Implement strong passwords.
    • Install and update antivirus software.
    • Implement RAID.
    • Implement network firewalls.
    • Update the operating system and other application software.

      Explanation:

  10. An executive manager went to an important meeting. The secretary in the office receives a call from a person claiming that the executive manager is about to give an important presentation but the presentation files are corrupted. The caller sternly recommends that the secretary email the presentation right away to a personal email address. The caller also states that the executive is holding the secretary responsible for the success of this presentation. Which type of social engineering tactic would describe this scenario?

    • familiarity
    • intimidation
    • trusted partners
    • urgency

      Explanation:

  11. Which statement describes a distributed denial of service attack?

    • An attacker sends an enormous quantity of data that a server cannot handle.
    • An attacker views network traffic to learn authentication credentials.
    • An attacker builds a botnet comprised of zombies.
    • One computer accepts data packets based on the MAC address of another computer.

      Explanation:

  12. What type of attack will make illegitimate websites higher in a web search result list?

    • DNS poisoning
    • browser hijacker
    • spam
    • SEO poisoning

      Explanation:

  13. What is a nontechnical method that a cybercriminal would use to gather sensitive information from an organization?

    • man-in-the-middle
    • social engineering
    • pharming
    • ransomware

      Explanation:

  14. A penetration testing service hired by the company has reported that a backdoor was identified on the network. What action should the organization take to find out if systems have been compromised?

    • Look for usernames that do not have passwords.
    • Look for unauthorized accounts.
    • Look for policy changes in Event Viewer.
    • Scan the systems for viruses.

      Explanation:

  15. Users report that the database on the main server cannot be accessed. A database administrator verifies the issue and notices that the database file is now encrypted. The organization receives a threatening email demanding payment for the decryption of the database file. What type of attack has the organization experienced?

    • DoS attack
    • Trojan horse
    • ransomware
    • man-in-the-middle attack

      Explanation:

  16. A user has a large amount of data that needs to be kept confidential. Which algorithm would best meet this requirement?

    • RSA
    • Diffie-Hellman
    • 3DES
    • ECC

      Explanation:

  17. What happens as the key length increases in an encryption application?

    • Keyspace decreases exponentially.
    • Keyspace increases exponentially.
    • Keyspace decreases proportionally.
    • Keyspace increases proportionally.

      Explanation:

  18. Which algorithm will Windows use by default when a user intends to encrypt files and folders in an NTFS volume?

    • RSA
    • DES
    • AES
    • 3DES

      Explanation:

  19. Before data is sent out for analysis, which technique can be used to replace sensitive data in nonproduction environments to protect the underlying information?

    • data masking substitution
    • steganography
    • software obfuscation
    • steganalysis

      Explanation:

  20. In which situation would a detective control be warranted?

    • when the organization needs to repair damage
    • after the organization has experienced a breach in order to restore everything back to a normal state
    • when the organization needs to look for prohibited activity
    • when the organization cannot use a guard dog, so it is necessary to consider an alternative

      Explanation:

  21. An organization plans to implement security training to educate employees about security policies. What type of access control is the organization trying to implement?

    • administrative
    • technological
    • physical
    • logical

      Explanation:

  22. An organization has implemented antivirus software. What type of security control did the company implement?

    • deterrent control
    • detective control
    • recovery control
    • compensative control

      Explanation:

  23. Passwords, passphrases, and PINs are examples of which security term?

    • authorization
    • access
    • authentication
    • identification

      Explanation:

  24. An organization has determined that an employee has been cracking passwords on administrative accounts in order to access very sensitive payroll information. Which tools would you look for on the system of the employee? (Choose three.)

    • password digest
    • reverse lookup tables
    • lookup tables
    • rogue access points
    • algorithm tables
    • rainbow tables

      Explanation:

  25. What technique creates different hashes for the same password?

    • SHA-256
    • HMAC
    • CRC
    • salting

      Explanation:

  26. Which hashing technology requires keys to be exchanged?

    • HMAC
    • salting
    • MD5
    • AES

      Explanation:

  27. You have been asked to implement a data integrity program to protect data files that need to be electronically downloaded by the sales staff. You have decided to use the strongest hashing algorithm available on your systems. Which hash algorithm would you select?

    • SHA-1
    • AES
    • MD5
    • SHA-256

      Explanation:

  28. What kind of integrity does a database have when all its rows have a unique identifier called a primary key?

    • entity integrity
    • referential integrity
    • domain integrity
    • user-defined integrity

      Explanation:

  29. Technicians are testing the security of an authentication system that uses passwords. When a technician examines the password tables, the technician discovers the passwords are stored as hash values. However, after comparing a simple password hash, the technician then discovers that the values are different from those on other systems. What are two causes of this situation? (Choose two.)

    • The systems use different hashing algorithms.
    • Both systems use MD5.
    • Both systems scramble the passwords before hashing.
    • One system uses hashing and the other uses hashing and salting.
    • One system uses symmetrical hashing and the other uses asymmetrical hashing.

      Explanation:

  30. Alice and Bob are using a digital signature to sign a document. What key should Alice use to sign the document so that Bob can make sure that the document came from Alice?

    • public key from Bob
    • private key from Alice
    • private key from Bob
    • username and password from Alice

      Explanation:

  31. The X.509 standard defines which security technology?

    • digital certificates
    • security tokens
    • strong passwords
    • biometrics

      Explanation:

  32. What is it called when an organization only installs applications that meet its guidelines, and administrators increase security by eliminating all other applications?

    • asset standardization
    • asset identification
    • asset classification
    • asset availability

      Explanation:

  33. Being able to maintain availability during disruptive events describes which of the principles of high availability?

    • single point of failure
    • system resiliency
    • fault tolerance
    • uninterruptible services

      Explanation:

  34. An organization has recently adopted a five nines program for two critical database servers. What type of controls will this involve?

    • stronger encryption systems
    • remote access to thousands of external users
    • limiting access to the data on these systems
    • improving reliability and uptime of the servers

      Explanation:

  35. What approach to availability provides the most comprehensive protection because multiple defenses coordinate together to prevent attacks?

    • layering
    • obscurity
    • diversity
    • limiting

      Explanation:

  36. The team is in the process of performing a risk analysis on the database services. The information collected includes the initial value of these assets, the threats to the assets and the impact of the threats. What type of risk analysis is the team performing by calculating the annual loss expectancy?

    • qualitative analysis
    • loss analysis
    • protection analysis
    • quantitative analysis

      Explanation:

  37. Which two values are required to calculate annual loss expectancy? (Choose two.)

    • asset value
    • exposure factor
    • frequency factor
    • annual rate of occurrence
    • single loss expectancy
    • quantitative loss value

      Explanation:

  38. An organization wants to adopt a labeling system based on the value, sensitivity, and criticality of the information. What element of risk management is recommended?

    • asset identification
    • asset availability
    • asset standardization
    • asset classification

      Explanation:

  39. What approach to availability involves using file permissions?

    • layering
    • simplicity
    • obscurity
    • limiting

      Explanation:

  40. What are two incident response phases? (Choose two.)

    • prevention and containment
    • containment and recovery
    • mitigation and acceptance
    • detection and analysis
    • risk analysis and high availability
    • confidentiality and eradication

      Explanation:

  41. What Windows utility should be used to configure password rules and account lockout policies on a system that is not part of a domain?

    • Local Security Policy tool
    • Event Viewer security log
    • Active Directory Security tool
    • Computer Management

      Explanation:

  42. In a comparison of biometric systems, what is the crossover error rate?

    • rate of false negatives and rate of false positives
    • rate of false positives and rate of acceptability
    • rate of rejection and rate of false negatives
    • rate of acceptability and rate of false negatives

      Explanation:

  43. What describes the protection provided by a fence that is 1 meter in height?

    • It deters casual trespassers only.
    • The fence deters determined intruders.
    • It offers limited delay to a determined intruder.
    • It prevents casual trespassers because of its height.

      Explanation:

  44. Mutual authentication can prevent which type of attack?

    • wireless poisoning
    • man-in-the-middle
    • wireless sniffing
    • wireless IP spoofing

      Explanation:

  45. Which protocol would be used to provide security for employees that access systems remotely from home?

    • SSH
    • WPA
    • Telnet
    • SCP

      Explanation:

  46. Which technology can be used to protect VoIP against eavesdropping?

    • encrypted voice messages
    • strong authentication
    • SSH
    • ARP

      Explanation:

  47. Which three protocols can use Advanced Encryption Standard (AES)? (Choose three.)

    • WPA
    • 802.11q
    • 802.11i
    • TKIP
    • WPA2
    • WEP

      Explanation:

  48. HVAC, water system, and fire systems fall under which of the cybersecurity domains?

    • network
    • user
    • device
    • physical facilities

      Explanation:

  49. Which national resource was developed as a result of a U.S. Executive Order after a ten-month collaborative study involving over 3,000 security professionals?

    • ISO OSI model
    • NIST Framework
    • ISO/IEC 27000
    • the National Vulnerability Database (NVD)

      Explanation:

  50. Which cybersecurity weapon scans for use of default passwords, missing patches, open ports, misconfigurations, and active IP addresses?

    • packet sniffers
    • vulnerability scanners
    • password crackers
    • packet analyzers

      Explanation:

Selected Answer: E

Crossover Error Rate (CER)—the point at which FRR and FAR meet. The lower the CER, the more efficient and reliable the technology.
Errors are reduced over time by tuning the system. This is typically accomplished by adjusting the sensitivity of the system until CER is reached.





upvoted 26 times

The reason I like FAR (False acceptance rate) is because the company is more focused on making sure unauthorized users will be denied access. They aren’t too worried about FRR (False rejection rate) as these users will already have access, so they don’t need to focus on comparing both FAR and FRR using CER. That is why I pick D.





upvoted 2 times

Halaa


4 months, 3 weeks ago

I agree with you.
As the sensitivity of a biometric system increases, FRRs will rise and FARs will drop.





upvoted 2 times

Probably right, I chose D. FAR but the question is worded strangely, "what should they compare against?" CER would be more useful.





upvoted 4 times

Selected Answer: D

«with the highest likelihood that an unauthorized user will be denied access» — I would think this is D (False Acceptance Rate).





upvoted 16 times

I hope you didn’t select this on the exam…





upvoted 1 times

lo. you funny





upvoted 2 times

False Acceptance Rate means the likelihood that an unauthorized user will be accepted (Acceptance).





upvoted 3 times

make this rate close to 0 to achieve the goal.





upvoted 3 times

Ranaer




2 weeks, 1 day ago

Selected Answer: D

Here we are focused on «the highest likelihood that an unauthorized user will be denied access». Let's tackle this point by point.

A/ FRR — False rejection rate. This is when you are authorized, but the system rejects you. Not relevant.
B/ Difficulty of use — again, not relevant.
C/ Cost — again, not relevant.
D/ False acceptance rate — This is the occurrence when an unauthorized person IS accepted and allowed by the scanner. This is the exact metric we need to work with to increase the likelihood of unauthorized users being denied. The lower the FAR, the less likely it is to let in unauthorized users.
E/ Crossover error rate — This is the correlation between FRR and FAR. It provides the best compromise between security AND convenience. Since in this question we DO NOT CARE about convenience, this is one of the wrong answers. We ONLY care about denying unauthorized people.





upvoted 4 times
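A worked example, added here and not taken from any post in this thread, that shows the relationship the comments above describe: sweeping the acceptance threshold (the "sensitivity" knob) over two constructed sets of match scores for hypothetical devices A and B, computing FAR and FRR at each threshold, locating the crossover point (CER, also called EER), and showing the FRR cost of driving FAR to zero, which is the operating point an organization that only cares about denying unauthorized users would pick. The score lists, the device names and every function name are assumptions made for the example.

```python
"""FAR / FRR / CER on constructed biometric match scores (example code, not from the thread)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Sequence

# Constructed match scores in the range 0..100. Higher means "looks more like the
# enrolled template". A hypothetical device B separates genuine users from
# impostors better than hypothetical device A. These are not measurements.
DEVICE_A_GENUINE = [55, 62, 68, 71, 77, 84, 90, 96]
DEVICE_A_IMPOSTOR = [12, 25, 33, 41, 48, 57, 64, 73]
DEVICE_B_GENUINE = [70, 74, 79, 83, 86, 90, 94, 98]
DEVICE_B_IMPOSTOR = [5, 15, 22, 30, 38, 45, 52, 75]
DEVICE_A = (DEVICE_A_GENUINE, DEVICE_A_IMPOSTOR)
DEVICE_B = (DEVICE_B_GENUINE, DEVICE_B_IMPOSTOR)

THRESHOLDS = range(0, 101)


@dataclass(frozen=True)
class OperatingPoint:
    """One threshold setting and the two error rates it produces."""
    threshold: int
    far: float  # False Accept Rate: impostors let in / impostor attempts
    frr: float  # False Reject Rate: genuine users turned away / genuine attempts


def far_frr(genuine: Sequence[float], impostor: Sequence[float], threshold: float) -> tuple[float, float]:
    """An attempt is accepted when its score is >= threshold.
    Raising the threshold can only lower FAR and raise FRR, which is the
    trade-off the thread describes."""
    far = sum(score >= threshold for score in impostor) / len(impostor)
    frr = sum(score < threshold for score in genuine) / len(genuine)
    return far, frr


def error_curve(genuine: Sequence[float], impostor: Sequence[float],
                thresholds: range = THRESHOLDS) -> list[OperatingPoint]:
    """FAR and FRR at every candidate threshold (the data behind an FAR/FRR plot)."""
    return [OperatingPoint(t, *far_frr(genuine, impostor, t)) for t in thresholds]


def crossover_error_rate(genuine: Sequence[float], impostor: Sequence[float],
                         thresholds: range = THRESHOLDS) -> OperatingPoint:
    """The point where FAR and FRR are closest (equal, when the sweep is fine
    enough). The rate at that point is the CER / EER used to compare devices;
    ties are broken toward the lowest threshold."""
    curve = error_curve(genuine, impostor, thresholds)
    return min(curve, key=lambda p: (abs(p.far - p.frr), p.threshold))


def threshold_for_far(genuine: Sequence[float], impostor: Sequence[float],
                      max_far: float, thresholds: range = THRESHOLDS) -> OperatingPoint:
    """Lowest threshold whose FAR is at or below max_far. The FRR reported with it
    is the usability price of tuning for 'deny unauthorized users' alone."""
    for point in error_curve(genuine, impostor, thresholds):
        if point.far <= max_far:
            return point
    raise ValueError(f"no threshold reaches FAR <= {max_far}")


def rank_by_cer(devices: dict[str, tuple[Sequence[float], Sequence[float]]]) -> list[tuple[str, float]]:
    """Compare devices the way the CER is meant to be used: lower CER ranks first."""
    ranked = [(name, crossover_error_rate(g, i).far) for name, (g, i) in devices.items()]
    return sorted(ranked, key=lambda item: item[1])


if __name__ == "__main__":
    for name, (genuine, impostor) in {"A": DEVICE_A, "B": DEVICE_B}.items():
        cer = crossover_error_rate(genuine, impostor)
        strict = threshold_for_far(genuine, impostor, max_far=0.0)
        print(f"device {name}: CER {cer.far:.3f} at threshold {cer.threshold}; "
              f"FAR 0 needs threshold {strict.threshold} at FRR {strict.frr:.3f}")
    print("ranking by CER:", rank_by_cer({"A": DEVICE_A, "B": DEVICE_B}))
```

Running it shows both views argued in the thread side by side: device B wins the CER comparison, and for either device the threshold that reaches FAR 0 rejects a noticeable share of genuine users, which is why the CER is the usual single number for comparing products while the FAR at the chosen operating point is what decides how often an unauthorized user gets through.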

Selected Answer: D

Answer is D





upvoted 1 times

Selected Answer: E

«Which of the following should the organization use to compare biometric solutions?»

Crossover Error Rate (CER)—the point at which FRR and FAR meet. The lower the
CER, the more efficient and reliable the technology.





upvoted 1 times

Selected Answer: A

D. FAR

The False Accept Rate (FAR) is the measure of the likelihood that an unauthorized user will be incorrectly granted access to a system. An organization should choose a biometric system with a low FAR, as this will increase the likelihood that an unauthorized user will be denied access.

The False Reject Rate (FRR) is the measure of the likelihood that an authorized user will be incorrectly denied access to a system. The Cost is the price of the biometric system. The Difficulty of use is the ease or difficulty with which a person can use the system. The Crossover Error Rate (CER) is the point at which the FRR and FAR are equal. An organization should prioritize choosing a system with a low FAR over these other factors.





upvoted 2 times

ChatGPT says D





upvoted 2 times

Selected Answer: D

The Crossover Error Rate (CER) describes the point where the False Reject Rate (FRR) and False Accept Rate (FAR) are equal. CER is also known as the Equal Error Rate (EER). The Crossover Error Rate describes the overall accuracy of a biometric system.
So, what is being asked for is a minimum False Accept Rate (FAR).





upvoted 1 times

Selected Answer: D

An organization that wants to implement a biometric system with the highest likelihood that an unauthorized user will be denied access should choose a system with a low FAR.





upvoted 2 times

Selected Answer: E

The organization wants to COMPARE biometric solutions. CER is «a comparison metric for different biometric devices and technologies; the error rate at which FAR equals FRR. The lower the CER, the more accurate and reliable the biometric device.»





upvoted 2 times

Selected Answer: E

‘compare’ = crossover error rate





upvoted 2 times

Selected Answer: D

The question seems to be concerned about false acceptance, with no mention of false rejection or of the two being balanced.





upvoted 2 times

Selected Answer: D

Also agree it should be D (FAR) — it’s just that the question is worded strangely…





upvoted 3 times

Lynx_


2 months, 2 weeks ago

Selected Answer: D

False acceptance rate = % of time an unauthorized user is granted access.
If we compare biometric products, then select one with the lowest False Acceptance, we can ensure fewer falsely accepted users. In other words “the highest likelihood an unauthorized user will be denied”.





upvoted 4 times

Actually, there is no option with the answer.
The answer should be TRR (True Rejection Rate).
But there is no TRR option. Therefore, it can be said that the correct answer is not FAR!! I think so.





upvoted 1 times

MUST not be FAR

False acceptance rate (FAR)
– Likelihood that an unauthorized user will be «accepted»





upvoted 1 times

FMMIR


2 months, 2 weeks ago

Selected Answer: A

The Crossover Error Rate (CER) describes the point where the False Rejection Rate (FRR) and False Accept Rate (FAR) are equal. CER is also known as the Equal Error Rate (EER). The Crossover Error Rate describes the overall accuracy of a biometric system.





upvoted 2 times

FMMIR


1 month, 4 weeks ago

Sorry. I was wrong. The correct answer is D:

The organization should use the False Acceptance Rate (FAR) to compare biometric solutions. The FAR is the likelihood that an unauthorized user will be granted access to a system when using a biometric authentication method. A biometric system with a low FAR will have a higher likelihood of denying access to unauthorized users, making it a more secure option for the organization. Other factors such as the False Rejection Rate (FRR), the cost, and the ease of use may also be important to consider, but the FAR is the most relevant metric for evaluating the security of a biometric system.





upvoted 1 times
