An efficient multi-factor authentication scheme based CNNs for securing ATMs over cognitive-IoT

Image encryption and decryption

The encryption is used to increase the proposed model’s security level while transmitting iris images over the internet which complicates the way of any system hackers (Stallings, 2016). Iris image encryption of the proposed model is done at the gray level. The implemented encryption algorithm is based on a chaotic key sequence generated by the sequence of the logistic map and sequence of states of Linear Feedback Shift Register (LFSR) as in Rohith, Bhat & Sharma (2014). It consists of two main steps

1. Encryption key sequence ( $K\mathrm{\_}Seq$) generation

2. Iris image encryption using the generated key sequence

To generate the encryption key sequence $K\mathrm{\_}Seq$; two other non-negative integer finite sequences $K1$ and $K2$ of equal lengths, as shown in Eqs. (1) and (2), must be generated first.

(1) $$K\mathrm{\_}Seq,K1,K2:\left\{1,2,3,\dots \dots ,p\right\}\to \left[0,255\right]$$ (2) $$p=w\ast l$$where ( $w$) and ( $l$) are the width and the length of the iris image, respectively because the length of these sequences must equal the length of the iris image that will be encrypted. Terms of $K1$ sequence are generated first by the logistic map Eq. (3).

(3) $$X_{n+1}=r\ast X_n\ast \left(1-X_n\right)$$where $\left(r\right)$ is a parameter in the range of the closed interval $\left[2,4\right]$ and $X_{n+1}$ and $X_n$ are generic terms in the range of $\left[0,1\right]$. With high values of $\left(r\right)$ like $\left(r=3.99\right)$, $K_1$ will be a chaotic and unexpected sequence. then we round all terms of the obtained sequence by multiplying it by 255 to make sequence values in the range of gray level.

$K2$ sequence is generated by a sequence of states of an 8-bit Linear Feedback Shift Register. This sequence is defined inductively by the recurrence relation in Eq. (4) with an initial term $K{2}_1$, called the seed value, equals an integer in the range of [0,255], then perform XOR binary operation on bits of that seed, shift left it with the output of XOR operation and the result will be the second element of the $K2$ sequence and other sequence elements will be generated inductively in the same way.

(4) $$K{2}_{n+1}=K{2}_n\gg \left(\oplus K{2}_n\right)\mathrm{\forall }n\left(1\le n\le p-1\right)$$where $\gg \left(x\right)$ denotes shift left operation with the value of $x$ bit, and $\oplus$ denotes the XORing operation of all bits of a term of a sequence.

Now $K\mathrm{\_}Seq$ can be obtained directly from $K1$ and $K2$ sequences by XORing them as shown in Eq. (5)

(5) $$K\mathrm{\_}Se{q}_n=K{1}_n(\oplus K{2}_n)\mathrm{\forall }n\left(1\le n\le p\right)$$

Now, after obtaining encryption key sequence $K\mathrm{\_}Seq$, encryption of iris image will be done by XORing each pixel of an iris image with its corresponding element in the key sequence as shown in Eq. (6).

(6) $$IM\mathrm{\_}ENC\left(x,y\right)=K\mathrm{\_}Se{q}_{x+\left(y-1\right)\ast w}\oplus IM\mathrm{\_}ORIG\left(x,y\right):\mathrm{\forall }x,y\left(\left(1\le x\le w\right)\wedge \left(1\le y\le l\right)\right)$$where $IM\mathrm{\_}ORIG\left(x,y\right)$ and $IM\mathrm{\_}EN{C}_{\left(x,y\right)}$ denotes the value of the original and encrypted image pixels at $\left(x,y\right)$.

With respect to key management which to the management of cryptographic keys in a cryptosystem where these keys must be chosen carefully and distributed and stored securely. In general, the distributed key management scheme can be further divided into symmetric schemes and public-key schemes. The symmetric-key method uses a secret key which is known as an asymmetric key the same key is used for a cryptographic system. The second method named Asymmetric key that uses two related keys (i.e., a public key and a private key) where the public key may be known by anyone; the private key should be under the sole control of the entity that owns the key pair. In the proposed system, the server and ATM generated the key in the same way for verification purposes at each side, exclusively. Therefore, in this suggested system, there is no need for the exchange process between them due to the idea of this work principally focuses on building an efficient iris recognition system and not predominantly on key management. Furthermore, for the effectiveness of this system will be a need for a security method for the secure exchange of this symmetric key especially with the increasing number of nodes belongs to the banking system. For key management that can be suitable for this work, it can be considered that used the symmetric key scheme, which is based on private key cryptography, whereby shared secrets can be used to authenticate legitimated machines (in our system are the server and ATM) to provide secure communication between them over the IoT system. This shared secret key can be distributed via secure channels and it is the same key for both entities of the banking system.

The decryption operation is typically the reverse order of these steps of encryption. As shown in Rohith, Bhat & Sharma (2014), this LFSR methodology provides cryptographically better results as compared to the methods that encrypt using a logistic map scheme alone, it provides a high degree of secrecy and security. The original iris image and the encrypted image are highly uncorrelated and perceptually different. For the above reasons, this version of chaotic encryption is incorporated in the proposed model; to add secure iris transmission between ATMs and the bank server over the internet.

Iris segmentation and normalization

The segmentation step, as the more critical in the recognition operation, is proposed. The generated iris template by Masking Technique (MT) (Gad et al., 2016, 2018) is stored in the IoT server. The decrypted iris image A (x, y) is the original iris image in this stage. The simplest operation, to remove the upper and lower parts of the iris, occluded by eyelashes and eyelids, is by changing all the pixels above and below the vertical diameter of the pupil to zero value. Let iris image $I\left(x,y\right)$ has $m\ast n$ pixels, $\mathrm{\forall }1\le y\le n$, the eyelashes/eyelids removing mask [ $M_e\left(x,y\right)$] identified as: (7) $$M_e\left(x,y\right)=\{\begin{array}{c}0:1\le x\le Index\left(P_4\left(x,y\right)\right),Index\left(P_2\left(x,y\right)\right)\le x\le m\\ 1:Index\left(P_4\left(x,y\right)\right)<x<Index\left(P_2\left(x,y\right)\right),\end{array}$$The final mask [ $M_o\left(x,y\right)$], is shown in Fig. 5, identified in binary format as: (8) $$M_o\left(x,y\right)=M_p\left(x,y\right)\times M_e\left(x,y\right)$$

A fixed template size (such as 60 × 90 pixels) is generated. This was unsuitable for some images in datasets, due to image size and resolution. Some modifications were done over MT; the (N) pixels to the left and right of the localized pupil are concatenated. Iris template is created by mapping the selected pixels on a fixed size (60 × 2N) matrix.

In the case of the Phoenix dataset, the dataset is available in a segmented state as shown in Fig. 6A. The upper half and the lower half of iris images were selected, each of dimensions of (350*100) pixels, then concatenated together, as shown in Figs. 6B, 6C, and 6D. We use the final concatenation parts of the image by dimensions of (350*200) as an iris template in the next stage of feature extraction. This solution does not consider the rotation of both the camera and the eye. Moreover, a bit of iris information is lost in the left and right collarette zones.

Deep CNN-based feature extraction and classification

Different CNNs with different architectures (as it will be shown in experimental results), were used to extract the deep features from iris images for the dual iris in the case of Phoenix and the lonely iris in the case of UBIRIS.V1. The target is to find an architecture that gives the highest recognition rate. After a lot of experiments, we gain a complete model for all datasets consists of CNN as an iris feature extractor, which consists of “3” convolutional layers, “3” max-pooling layers, “3” RELU activation layers (Aggarwal, 2018), and FCNN of “2” fully connected layers, and “1” SoftMax layer (Courville, Goodfellow & Bengio, 2016) as a classifier. The specific configuration of the overall network is illustrated in Table 1 and Fig. 7.

System reliability

To ensure the reliability and robustness of the proposed system, we explored how it deals with noised data and how the accuracy of the recognition rate of the proposed model would be affected. It is assumed that image acquisition at ATMs may gain some external noise due to several reasons like system attacks, environmental dust, interference noise on iris sensing devices, or bad iris acquisition due to faults of system users, different illumination states…etc. Two different kinds of noise are added. The first kind is generated randomly from a Gaussian distribution, with a mean ( $\mu$) zero and several standard deviations ( $\sigma$) (Rice, 2007). The other type of noise is generated by uniform distribution at different intervals (Ross, 2014). Probability density functions for these distributions (Wackerly, Mendenhall & Scheaffer, 2008) are shown in Fig. 8; Eqs. (9), and (10). These randomly generated noise values are added per pixel of iris images.

(9) $$f\left(x\right)={\displaystyle \frac{1}{\sigma \sqrt{2\pi }}\ast e^{{\displaystyle \frac{-{\left(x-\mu \right)}^2}{2\ast {\sigma }^2}}}-\mathrm{\infty }<x<+\mathrm{\infty }}$$ (10) $$f\left(x\right)=\{\begin{array}{c}{\displaystyle \frac{1}{\beta -\alpha }\alpha <\mathrm{x}<\beta }\\ 0\mathrm{o}\mathrm{t}\mathrm{h}\mathrm{e}\mathrm{r}\mathrm{w}\mathrm{i}\mathrm{s}\mathrm{e}\end{array}$$The overall practical steps of the experiments will be viewed before dealing with the experimental results of each step alone. First, the bank server task is set up for listening to connection requests from clients’ mobile applications or ATMs. When the client’s mobile application requests an OTP, the bank server accepts the request and denotes an OTP to the client. When ATM’s client request ATM access by entering the received OTP and capturing his/her eye image, the server receives his/her request, perform all needed operations like segmentation, normalization, classification, and OTP correctness checking. Then the final access decision is sent to clients by accepting or rejecting ATMs access. These sequences of actions at mobile applications, ATMs, and the bank server are shown in Fig. 9.

Iris acquisition

Two publicly available datasets were used in the experiments which capture the iris eyes using visible light cameras; so, they are suitable for ATMs, which are the target environments of the proposed system. These datasets are Phoenix and UBIRIS.V1. The later dataset incorporates images with several noise factors, thus permitting the evaluation of more robust iris recognition methods. The iris images in these datasets are captured under different situations of pupil dilation, eyelids/eyelashes occlusion, the slight shadow of eyelids, specular reflection, etc.

The iris images of the Phoenix dataset have a resolution of 576 × 768 pixels. The images were taken by TOPCON TRC50IA optical device connected to SONY DXC-950P 3CCD camera. Also, all iris images of the UBIRIS dataset are 8-bit Gray-level of (. JPEG) file format. Its iris is imaged with a resolution of 200 × 150 pixels. The irises were taken by Nikon E5700 camera with a Focal Length of 71 mm and Exposure Time of 1/30 s. The third dataset used in our system; to strengthen our model, is the CASIA V4-interval dataset. CASIA V4-interval dataset is the latest dataset captured by CASIA self-developed close-up iris camera, all iris images are 8-bit Gray-level (. JPEG) files, collected under near-infrared (NIR) illumination. Its iris images with resolution (320*280) pixel. The summary of the configuration of these datasets is shown in Table 2.

In our experiments, we used a Sony laptop with Intel CORE i5 CPU and RAM of 6 GB, a raspberry pi 2 kit, and ALCATEL one touch Pixi3 tablet with an Android operating system of 5.1 version. They were used as the server-side, ATM node, and the client mobile phone respectively. All these components were shown previously (in Figs. 2 and 3). Java, Python, and MATLAB programing languages were used for experiments. PyCharm, NetBeans, MATLAB, and Android studio are used as integrated development environments in overall experiments.

Iris encryption and decryption

In all experiments on light vision dataset images, the values of the parameters needed to generate $K\mathrm{\_}Seq$, $K1,$ and $K2$ sequences are chosen as shown in assignments Eq. (11).

(11) $$r=3.99X_1=0.1K{2}_1={\left(0100101\right)}_2$$

Figure 10 shows the results of the chaotic encryption algorithm on light vision datasets.

Iris segmentation and normalization

In MT, the mask size (N) controls the iris region. In Table 3, the accuracy changed according to the value of the (N) parameter. The specular reflect in the pupil is one circular white spot; our algorithm hardly detects a pupil with such environmental nature. The range of (30–35) for mask size (N) in MT achieves the best accuracy. When $(N<30)$ the final iris mask expanded, including sclera pixels gradually. For $(N>35)$, the mask loses more information from the iris circle.

Training and classification using CNNs

Many trials of experiments were done to arrive at the best tuning of the network parameters of the proposed model architecture previously shown in Table 1. Some metrics were measured; to evaluate the performance of the proposed model. The first metric is the recognition accuracy rate ( ${\mathrm{A}}_{RR}$%) which is the portion of correctly iris classifications to the total number of classified irises declared in Eq. (12). The other metrics are precision, recall, F1-Score, and the training time of the proposed CNN model.

(12) $${\mathrm{A}}_{RR}\left(\mathrm{\%}\right)={\displaystyle \frac{{\mathit{N}}_{\mathit{c}}}{{\mathit{T}}_{\mathit{c}}}\ast 100}$$where (N_c) represents the number of correct iris classifications and (T_c) represents the total number of classified irises. We divided each data set into two subsets, the first subset is used for training CNN to get the best tuning of the parameters, and the second is used for testing each CNN configuration to get its ${\mathrm{A}}_{RR}$. In all datasets the ratio between training to testing datasets ( $R_{\mathrm{t}\mathrm{e}\mathrm{s}\mathrm{t}}^{\mathrm{t}\mathrm{r}\mathrm{a}\mathrm{i}\mathrm{n}}$) is shown in Eq. (13).

(13) $$R_{\mathrm{T}\mathrm{e}\mathrm{s}\mathrm{t}}^{\mathrm{T}\mathrm{r}\mathrm{a}\mathrm{i}\mathrm{n}}={\displaystyle \frac{\left|\mathrm{T}\mathrm{r}\mathrm{a}\mathrm{i}\mathrm{n}\right|}{\left|\mathrm{T}\mathrm{e}\mathrm{s}\mathrm{t}\right|}=4:1}$$where $\left|\mathrm{T}\mathrm{r}\mathrm{a}\mathrm{i}\mathrm{n}\right|$ and $\left|\mathrm{T}\mathrm{e}\mathrm{s}\mathrm{t}\right|$ are the cardinality of training and testing subsets, respectively.

During experiments, different CNN architectures differ in their configuration of convolutional layers, max-pooling layers, RELU layers, kernel sizes, strides, and their fully connected layers. Different training parameters (Vinayakumar et al., 2020) like learning rate, number of epochs, patch sizes, and dimensions of input iris images were used. Tables 4–7 show a part of the experiments done on the model until reaching the best architecture that gives the highest recognition rate. The best architecture for all datasets together, is shown in Table 6 and its configuration was previously described in Table 1. We did not any experiments on UBIRIS. V1 or CASIA V4 with dimensions of (128 * 128) as shown in Table 7 because the dimensions of the iris template are less than this, so we avoided generating extra features and depending on them.

With the Phoenix dataset, the model was trained with 120 iris images for 60 classes of data in the case of each iris left and right and tested against 60 iris images. The model correctly classified all iris images for both left and right irises with an accuracy of recognition rate of 100% for left and right iris. With the UBIRIS. V1 dataset the model was trained with 200 iris images for 50 classes of data and tested against 50 iris images. The model correctly classified all iris images except only one with an accuracy of recognition rate of 98%. With the CASIA V4 interval dataset, we trained our model with 265 iris images for 55 classes of data in the case of each iris left and right and tested it against 66 iris images. The model correctly classified 65 iris images with the left eye and 66 images with the right eye. The accuracy of the recognition rate of 98.48% and 100% for the left and right iris, respectively. So, the model has an accuracy of 99.24% of the overall CASIA V4-interval dataset. So, the overall accuracy of the proposed model is 99.33% as shown in Table 6. Figure 11 shows the average accuracy curves for training for visible light vision datasets. Figure 12 shows heatmap representation of activation functions and saliency map representation for all used datasets.

Because our problem is a multi-class classification problem, so we have a Precision, recall, and F1-Score measure for each class of the clients of the system as shown in Eqs. (14), (15) and (16).

(14) $$\mathrm{P}\mathrm{r}\mathrm{e}\mathrm{c}\mathrm{i}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}\left(\mathrm{C}\mathrm{l}\mathrm{a}\mathrm{s}\mathrm{s}=\mathrm{x}\right)={\displaystyle \frac{\mathrm{T}\mathrm{P}\left(\mathrm{c}\mathrm{l}\mathrm{a}\mathrm{s}\mathrm{s}=\mathrm{x}\right)}{\mathrm{T}\mathrm{P}\left(\mathrm{c}\mathrm{l}\mathrm{a}\mathrm{s}\mathrm{s}=\mathrm{x}\right)+\mathrm{F}\mathrm{P}\left(\mathrm{c}\mathrm{l}\mathrm{a}\mathrm{s}\mathrm{s}=\mathrm{x}\right)}}$$ (15) $$\mathrm{R}\mathrm{e}\mathrm{c}\mathrm{a}\mathrm{l}\mathrm{l}\left(\mathrm{C}\mathrm{l}\mathrm{a}\mathrm{s}\mathrm{s}=x\right)={\displaystyle \frac{\mathrm{T}\mathrm{P}\left(\mathrm{c}\mathrm{l}\mathrm{a}\mathrm{s}\mathrm{s}=x\right)}{\mathrm{T}\mathrm{P}\left(\mathrm{c}\mathrm{l}\mathrm{a}\mathrm{s}\mathrm{s}=x\right)+\mathrm{F}\mathrm{N}\left(\mathrm{c}\mathrm{l}\mathrm{a}\mathrm{s}\mathrm{s}=x\right)}}$$ (16) $$\mathrm{F}1-\mathrm{S}\mathrm{c}\mathrm{o}\mathrm{r}\mathrm{e}\left(\mathrm{C}\mathrm{l}\mathrm{a}\mathrm{s}\mathrm{s}=\mathrm{x}\right)=2\ast {\displaystyle \frac{\mathrm{P}\mathrm{r}\mathrm{e}\mathrm{c}\mathrm{i}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}\left(\mathrm{c}\mathrm{l}\mathrm{a}\mathrm{s}\mathrm{s}=\mathrm{x}\right)\ast \mathrm{R}\mathrm{e}\mathrm{c}\mathrm{a}\mathrm{l}\mathrm{l}\left(\mathrm{c}\mathrm{l}\mathrm{a}\mathrm{s}\mathrm{s}=\mathrm{x}\right)}{\mathrm{P}\mathrm{r}\mathrm{e}\mathrm{c}\mathrm{i}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}\left(\mathrm{c}\mathrm{l}\mathrm{a}\mathrm{s}\mathrm{s}=\mathrm{x}\right)+\mathrm{R}\mathrm{e}\mathrm{c}\mathrm{a}\mathrm{l}\mathrm{l}\left(\mathrm{c}\mathrm{l}\mathrm{a}\mathrm{s}\mathrm{s}=\mathrm{x}\right)}}$$where TP, FP, FN, and $x$ stands for true positive, false positive, false negative, and the number of client’s class, respectively.

All of the 60 classes of the Phoenix dataset, for left and right iris, have 1, 0.0163, and 0.032 for precision, recall, and F1-Score, respectively. With the UBIRIS. V1 dataset, 49 class has 1, 0.02, and 0.039 for precision, recall, and F1-Score, respectively.

Concerning the time sequence of operations between the bank server and ATMs, this time includes receiving encrypted images, performing iris preprocessing operations of segmentation and normalization, passing it to the classifier, and replying to ATMs with the final decision, in our experiments this time is within the average of (0.5 s), which considered a relatively small period as shown previously in Fig. 9. To deal with the lack of dataset images per subject during training, a simple data augmentation operation was done. This augmentation was based on simple image processing operations on iris images like concatenating some parts from the top, bottom, left, or right of iris images. And these new images were added as a part of the training set.

With each of the experiments in Tables 4, 5, 6, and 7, the number of epochs, batch size, and learning rate was varying until reaching the best values. It is found that a suitable number of epochs needed for training which gives us the highest recognition rate was 60 epochs with a batch size of 40, a learning rate of 0.001 with categorical cross-entropy loss function.

Concerning training time, with the final configuration of the CNN model, the training time of the Phoenix dataset was about 17 min for each right and left sub-sets, 22 min for UBIRIS. V1 dataset and the training time of the CASIA V4 interval dataset was about 25 min for each right and left iris sub-sets. It is considered relatively low training time comparing with others, like (Al-Waisy et al., 2018), who addressed the use of deep learning in iris recognition with training time exceeds 6 h. Table 8 shows that the proposed CNNs model has competitive results compared to state-of-the-art methods in terms of recognition accuracy.

Testing the effect of noise on the proposed model

Figures 13–16; Tables 9 and 10 show the obtained results with Phoenix, UBIRIS. V1 and CASIA V4 datasets for the added noise from Gaussian distribution and the uniform distribution (Walpole et al., 2012), respectively. These results are based on our final CNN configuration that yields the highest recognition rate in the ideal case of iris images without any added noise.

These results show how well the proposed model deals with noised iris images from different noise distributions like Normal and uniform distributions. The proposed system shows a low degradation of recognition accuracy rates in the case of using noised iris images.