GB/T 41815.3-2023 Information technology - Biometric presentation attack detection - Part 3: Testing and reporting
1 Scope
This document establishes:
——principles and methods for the performance assessment of presentation attack detection (PAD) mechanisms;
——reporting of testing results from evaluations of PAD mechanisms; and
——a classification of known attack types (Annex A).
Outside the scope are:
——standardization of specific PAD mechanisms;
——detailed information about countermeasures (i.e. anti-spoofing techniques), algorithms or sensors; and
——overall system-level security or vulnerability assessment.
The attacks considered in GB/T 41815 take place at the biometric capture device during presentation. Any other attacks are considered outside the scope of this document.
This document is applicable to the design, development, integration and detection of hardware and software products related to biometric presentation attack detection.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 2382-37 Information technology - Vocabulary - Part 37: Biometrics
ISO/IEC 15408-1 Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 1: Introduction and general model
ISO/IEC 15408-2 Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 2: Security functional components
ISO/IEC 15408-3 Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 3: Security assurance components
ISO/IEC 19795-1 Information technology - Biometric performance testing and reporting - Part 1: Principles and framework
ISO/IEC 30107-1 Information technology - Biometric presentation attack detection - Part 1: Framework
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 19795-1, ISO/IEC 2382-37, ISO/IEC 30107-1 and the following apply.
3.1 Attack elements
3.1.1
presentation attack
attack presentation
presentation to the biometric data capture subsystem with the goal of interfering with the operation of the biometric system
Note: An attack presentation can be a single attempt, a multi-attempt transaction, or another type of interaction with a subsystem.
3.1.2
bona fide presentation
interaction of the biometric test subject and the biometric data capture subsystem in the fashion intended by the policy of the biometric system
Note 1: Bona fide is analogous to normal or routine, when referring to a bona fide presentation.
Note 2: Bona fide presentations can include those in which the user has a low level of training or skill. Bona fide presentations encompass the totality of good-faith presentations to a biometric data capture subsystem.
3.1.3
attack type
elements and characteristics of a presentation attack, including presentation attack instrument (PAI) species, concealer or impostor attack, degree of supervision, and method of interaction with the capture device
3.1.4
test approach
totality of considerations and factors involved in presentation attack detection (PAD) evaluation
Note 1: Elements of a test approach are given in Clauses 6–10.
Note 2: A test approach refers to all processes, factors and aspects specified in the course of the evaluation.
3.1.5
item under test
implementation that is the object of a test assertion or test case
Note: The IUT is the equivalent of the "target of evaluation" (TOE) in Common Criteria evaluations.
3.1.6
presentation attack instrument species
class of presentation attack instruments (PAIs) created using a common production method and based on different biometric characteristics
EXAMPLE 1: A set of fake fingerprints all made in the same way with the same materials but with different friction ridge patterns would constitute a PAIS.
EXAMPLE 2: A specific type of alteration made to the fingerprints of several test subjects would constitute a PAIS.
Note 1: The term “recipe” is often used to refer to how to make a PAIS.
Note 2: PAIs of the same species can have different success rates due to variability in the production process or in the PAI source.
3.1.7
PAI series
class of presentation attack instruments (PAIs) created using a common production method and based on the same biometric characteristics
EXAMPLE: A set of fake fingerprints all made in the same way with the same materials and with the same friction ridge pattern.
Note: Depending on the experimental goals, an evaluation can potentially utilize multiple series, each with different production methods or sources. While tests involving several biometric sources can demonstrate generality of a PAI species, they add variation associated with individual human traits.
3.1.8
target of evaluation
IT product that is the subject of the evaluation within the context of the Common Criteria
Note: The TOE is the equivalent of the "item under test" (IUT) in Common Criteria evaluations.
3.1.9
attack potential
measure of the capability to attack a target of evaluation (TOE) given the attacker’s knowledge, proficiency, resources and motivation
3.2 Metrics
3.2.1
attack presentation classification error rate
proportion of attack presentations using the same presentation attack instrument (PAI) species incorrectly classified as bona fide presentations by a presentation attack detection (PAD) subsystem in a specific scenario
3.2.2
attack presentation classification error rate at the given attack potential
attack presentation classification error rate (APCER) of the most successful presentation attack instrument (PAI) species within a given attack potential
3.2.3
bona fide presentation classification error rate
proportion of bona fide presentations incorrectly classified as presentation attacks in a specific scenario
3.2.4
attack presentation acquisition rate
proportion of attack presentations using the same presentation attack instrument (PAI) species from which the data capture subsystem acquires a biometric sample of sufficient quality
3.2.5
attack presentation non-response rate
proportion of attack presentations using the same presentation attack instrument (PAI) species that cause no response at the presentation attack detection (PAD) subsystem or data capture subsystem
EXAMPLE: A fingerprint system can potentially not register or react to the presentation of a PAI due to the PAI’s lack of realism.
3.2.6
bona fide presentation non-response rate
proportion of bona fide presentations that cause no response at the presentation attack detection (PAD) subsystem or data capture subsystem
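The metrics in 3.2 can be computed from a test log as follows. This is an added example, not part of the standard: the records, species names and attack potential labels are constructed, and the dictionary keys APCER, APCER_AP, BPCER, APNRR and BPNRR are short forms for the terms in 3.2.1, 3.2.2, 3.2.3, 3.2.5 and 3.2.6. It assumes each denominator counts every presentation of the species or class, that a non-response is counted separately from a classification error, and that species are grouped by an exact attack potential label.

```python
from collections import Counter, defaultdict

# Constructed sample log: (presentation kind, PAI species, attack potential, outcome).
# Outcome "attack"/"bona_fide" is the PAD decision; "no_response" means no reaction.
def expand(kind, species, potential, outcomes):
    return [(kind, species, potential, o) for o in outcomes]

RECORDS = (
    expand("attack", "silicone", "basic", ["attack", "attack", "bona_fide", "no_response"])
    + expand("attack", "gelatin", "basic", ["attack", "bona_fide", "bona_fide", "attack", "attack"])
    + expand("attack", "3d_print", "enhanced", ["bona_fide", "attack"])
    + expand("bona_fide", None, None, ["bona_fide"] * 6 + ["attack", "no_response"])
)

def pad_metrics(records):
    per_species = defaultdict(Counter)  # species -> outcome counts
    potential_of = {}                   # species -> attack potential label
    bona_fide = Counter()
    for kind, species, potential, outcome in records:
        if kind == "attack":
            per_species[species][outcome] += 1
            potential_of[species] = potential
        else:
            bona_fide[outcome] += 1
    n_bf = sum(bona_fide.values())
    if not per_species or not n_bf:
        raise ValueError("need both attack and bona fide presentations")

    # Rates are kept per PAI species, never pooled across species.
    species_rates = {}
    for species, c in per_species.items():
        n = sum(c.values())  # assumption: every presentation of the species counts
        species_rates[species] = {"APCER": c["bona_fide"] / n,
                                  "APNRR": c["no_response"] / n}

    # APCER at a given attack potential: the most successful species decides.
    apcer_ap = {}
    for species, r in species_rates.items():
        ap = potential_of[species]
        if ap not in apcer_ap or r["APCER"] > apcer_ap[ap][1]:
            apcer_ap[ap] = (species, r["APCER"])

    return {"species": species_rates, "APCER_AP": apcer_ap,
            "BPCER": bona_fide["attack"] / n_bf,
            "BPNRR": bona_fide["no_response"] / n_bf}

if __name__ == "__main__":
    print(pad_metrics(RECORDS))
```

Pooling the nine "basic" attack presentations would give 3/9, which understates the 0.4 of the most successful species; this is why 3.2.2 takes the maximum over species.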
Standard: GB/T 41815.3-2023 Information technology - Biometric presentation attack detection - Part 3: Testing and reporting (English Version)
Standard No.: GB/T 41815.3-2023
Status: valid
Language: English
File Format: PDF
Word Count: 20500 words
Implemented on: 2023-12-1