BioSP™ (Biometric Services Platform)

2017-08-21T14:35:50+00:00

A Modular, Biometric Services Platform

BioSP™ (Biometric Services Platform) is a service-oriented platform used to enable a biometric system with advanced biometric data processing and management functionality in a web services architecture. It provides workflow, data management and formatting, and other important utilities for large-scale fingerprint recognition, face recognition, and iris recognition systems. BioSP is well suited for applications that require the collection of biometrics throughout a distributed network, and subsequent aggregation, analysis, processing, distribution, matching, and sharing of data with other system components. BioSP is modular, programmable, scalable, and secure, capable of managing all aspects of transaction workflow including messaging, submissions, responses, and logging. BioSP makes extensive use of open-source components and is J2EE-compliant.

BioSP is a secure system, with three mechanisms applied to securing data, communications, and access:

  • User data access is provided by the BioSP Logical Access module. This allows for both UI-level security and specific data security based on individual user groups and roles within the system.
  • BioSP utilizes Hibernate technology to abstract the database communication; therefore, it can take full advantage of both Microsoft and Oracle database security and encryption of data at rest. For example, Oracle provides Transparent Data Encryption (TDE) in their 11G product; this ties the data within the database to either a software-based private key or a specific piece of hardware (HSM). Thus, in the event the data is stolen, it is useless without this private key.
  • All communication to and from the BioSP server supports both SSL encryption and WS-Security. These two technologies prevent both man-in-the-middle and malicious client attacks.

BioSP is a scalable and flexible system. Depending on the environment wherein it operates, there are five different areas where the system can scale:

  • BioSP employs load balancing functionality available through a J2EE container application such as Apache Tomcat or Oracle WebLogic. This allows for both increased performance, since the processing is spread over multiple machines, and increased application uptime; if one server fails, another server would automatically take the additional traffic.
  • BioSP runs in a Java Virtual Machine (JVM), so it can take advantage of multi-core processing.
  • BioSP utilizes an open source workflow engine from Apache called ODE based on BPEL, which can be run in a separate application server from the business process logic. This allows for increased performance and throughput.
  • BioSP has the ability to execute certain highly specialized biometric processing algorithms outside of the JVM, such as fingerprint matching algorithms. This allows these algorithms to be tuned to the specific operating system and processor on which they are executed, for maximum performance. Also, these algorithms communicate with the JVM via YAMI technology, which allows multiple algorithms to execute on separate machines in parallel.
  • BioSP uses Hibernate technology to abstract the database from the JVM; therefore, it can run on multiple database platforms such as Oracle and Microsoft SQL Server. This allows full use of Microsoft and Oracle database scalability features such as replication, mass storage, and disaster recovery.

Audit trails are implemented with BioSP Logical Access and Event Manager. Logical Access provides support for security services in BioSP. It provides authentication and role-based authorization features. Logical Access deals with the following entities: Users, Roles, and Resources. A user can have multiple roles. A role can access a set of resources that are secured. These secured resources can be data within BioSP, user interface components of BioSP, or any custom-defined resources.

Event Manager provides services to record and monitor business events in BioSP. The events can be categorized based on types and monitored separately. The basic functions performed by Event Manager are: 1) add an event, 2) find events based on criteria, and 3) associate a new event with a previously existing parent event.

BioSP offers improved resource access control. Features in the UI and services provided by the BioSP server can be viewed as resources. Access to these resources by users can be configured.

BioSP supports the concept of roles. A user with a given role is given permission to access a resource in a specific manner. For example, a user may be assigned to a role that allows them to see a list of transactions but not to see the individual NIST fields in the transactions. Another user may have permission to see the transactions and their contents but not to edit them.

BioSP supports the concept of groups. A group is a logical grouping of users. This allows BioSP to support functionality such as dividing users into groups. Groups are independent of roles; a user can have multiple roles and belong to multiple groups.
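The Users/Roles/Resources model, the list-versus-fields role example, and the three Event Manager functions described above can be modelled as follows. This is an added example, not Aware's code or the BioSP API: the role names, resource names, `EventLog` class, and sample transaction are all hypothetical.

```python
from dataclasses import dataclass, field
from itertools import count

# Hypothetical grants (not BioSP configuration): role -> resource -> actions.
ROLE_GRANTS = {
    "lister":   {"transaction.list": {"view"}},
    "reviewer": {"transaction.list": {"view"}, "transaction.fields": {"view"}},
    "editor":   {"transaction.list": {"view"}, "transaction.fields": {"view", "edit"}},
}
# Constructed sample transaction; field numbers and values are illustrative.
TXN = {"id": "T-1", "agency": "agency-a",
       "fields": {"1.008": "ORI-PLACEHOLDER", "2.018": "DOE, JANE"}}

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)  # independent of roles

class EventLog:
    """Event Manager functions from the text: add, find, link to a parent."""
    def __init__(self):
        self.events, self._ids = [], count(1)

    def add(self, etype, parent=None, **detail):
        event = {"id": next(self._ids), "type": etype, "parent": parent, **detail}
        self.events.append(event)
        return event["id"]

    def find(self, **criteria):
        return [e for e in self.events
                if all(e.get(k) == v for k, v in criteria.items())]

def authorize(user, resource, action, log, parent=None):
    """Deny by default: allow only if some role of the user grants the action.
    Every decision, allowed or not, is recorded under the parent event."""
    allowed = any(action in ROLE_GRANTS.get(role, {}).get(resource, ())
                  for role in user.roles)
    log.add("access.decision", parent=parent, user=user.name,
            resource=resource, action=action, allowed=allowed)
    return allowed

def view_transaction(user, txn, log):
    """Return the part of txn this user may see, or None if access is denied."""
    request = log.add("transaction.view", user=user.name, txn=txn["id"])
    # Groups scope WHICH transactions are visible; roles decide HOW they are seen.
    if txn["agency"] not in user.groups:
        log.add("scope.denied", parent=request, user=user.name, agency=txn["agency"])
        return None
    if not authorize(user, "transaction.list", "view", log, parent=request):
        return None
    view = {"id": txn["id"], "agency": txn["agency"]}
    if authorize(user, "transaction.fields", "view", log, parent=request):
        view["fields"] = dict(txn["fields"])  # copy, so callers cannot edit the record
    return view
```

Recording denials as children of the originating request lets a reviewer reconstruct from the audit trail who attempted to reach which fields, not only who succeeded.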

Other security-related features provided are:

  • Improved searching, sorting, and filtering of transactions, including searching, sorting and filtering based on submitting agency
  • Creation of users and groups that can see all transactions for a given agency or group
  • Denying access to a view based on a user’s access permission
  • Role based access to transaction field viewing
  • Prevention of password reuse
  • Minimum password age before change is allowed
  • Forced password change after a specified number of days
  • Account disabling after a specified number of failed logins for a specified number of minutes
  • Account locking after a specified number of days of inactivity

Features and Functionality

  • Performs automated biometric image and data analysis, processing, formatting, quality assurance, and reporting
  • Utilizes web services in support of a scalable, secure, service-oriented architecture (SOA)
  • Integrates biometric functions with other enterprise systems such as identity management, access management, card management, and AFIS/ABIS
  • Performs 1:1 and 1:many biometric matching for verification, identification, and duplicate checking
  • Enables centralized system administration and user management
  • Enables advanced reporting capabilities for fast troubleshooting of biometric capture problems
  • Enables centralized configuration, distribution, and management of enrollment client software
  • Supports fingerprint, face, iris, and palm modalities

Applications

  • Fingerprint recognition, facial recognition, iris, and voice recognition
  • Integration of Automated biometric identification systems (ABIS) and Automated fingerprint identification systems (AFIS)
  • Citizen identity and voting programs
  • Know Your Customer
  • Fraud prevention
  • Border management
  • Mobile biometric authentication
  • Law enforcement
  • Defense
  • Citizen ID and voting systems

BioSP Diagram

BioSP Modules

BioSP offers many advanced biometric capabilities, available through independent, service-oriented software modules. Each BioSP module performs a discrete set of functions, including biometric authentication, search, and duplicate checking, centralized image and data analysis and processing, data formatting and transcoding, and image quality assurance and reporting. The modules interact with each other via web services.

Core

BioSP Core provides the central infrastructure services shared across BioSP modules and business processes. The Core is required to run other BioSP modules, which may be added and modified incrementally as business needs evolve. Components of the Core include the Web Services engine, security, Business Process Execution Language (BPEL) engine, email support, job scheduler, user management, logical access control, search services, document storage, and logging.

BioSP uses BPEL to allow for quick scripting of biometric-centric use cases. BPEL is an open, standardized scripting language that orchestrates services, operations, and criteria to automate business processes defined in XML. Lower-level operations defined in BioSP modules are aggregated in BPEL scripts to form composite services. These composites enable synchronous and asynchronous processing of transactions and data to meet the requirements of a wide variety of use case scenarios.

Workflow Manager

BioSP Workflow Manager supports stateful processing workflows that involve user interaction, such as approvals, reviews, or edits. The workflow is scripted using BPEL, which allows it to be easily adapted to many use cases. Each state of the workflow can have a different owner, and history is tracked over the lifecycle.

Transaction Manager

BioSP Transaction Manager provides services for building transaction workflows between multiple disparate systems, including enrolment clients and other back-end systems. It is driven by BPEL workflow definitions and is highly configurable, managing both receipt of submissions and processing of responses from distributed sources. Store-and-forward requirements for standards-based communication with local, state, federal, and international government agencies are addressed with Transaction Manager.

Transaction Manager provides broadcast capabilities, whereby a single input transaction may be distributed to multiple external systems upon submission. In turn, Transaction Manager consolidates responses from multiple external systems that relate to a single, original submission, and manages this consolidation until all responses have been received for a given transaction.

Transactions received may be archived for reporting and resubmission in the event a submission fails. The resubmission logic within Transaction Manager integrates with workflows and the BioSP Core Job Scheduler to manage retry of failed submissions. Each destination has a unique resubmission configuration managed by and stored in Transaction Manager, such that different rules can be applied for resubmission to different systems. Transaction Manager offers a browser-based interface for searching and viewing transaction content and status.

Subject Manager

BioSP Subject Manager provides services for managing and archiving subject identity data, both biographic and biometric, as well as custom metadata. Subject Manager manages the server side of biometric enrolment processes, the collection of biometric samples (images or templates) and biographic data for credentialing, biometric identification, or biometric verification. It provides support for finger, face, palm, iris, and scar/mark/tattoo images.

Subject Manager receives enrolment data and populates its data stores and search indexes, providing services for managing new and existing identities, including create, delete, retrieve, and update of subject data. Subjects, or identities, are archived in the subject manager data store and indexes for field- or contextual-based searching. Biometrics are stored in image or template form for integration with internal or external matching systems and other business processes requiring biometrics. Subject Manager offers a browser-based interface for viewing and searching subject entry content.

Format Manager

BioSP Format Manager provides services for working with various open standards data formats to enable interchange of biometric and biographic data. Format Manager parses, validates, constructs or transcodes standard-compliant biometric data structures, including those formats defined by ANSI/NIST, ANSI/INCITS, ISO/IEC, FIPS-201, and ICAO.

Format Manager can build these data structures from the raw biometric and textual metadata or it can parse one type of data structure and convert it to another. Examples of this formatting include:

  • Creation of ANSI/NIST, FBI EFTS, DoD EBTS, PIV, or ICAO data structures from raw enrolment data
  • Creation of card personalization requests according to vendor-specific formats
  • Conversion between FBI EFTS and DOD EBTS
  • Conversion between Interpol ANSI/NIST and a specific country format
  • Conversion between binary ANSI/NIST and the XML variant of the standard
  • Conversion of ANSI/NIST Type-4 or Type-14 finger image records to ICAO DG3 format, ISO/IEC 19794, INCITS 378/381 or FIPS 201 (images or templates)
  • Conversion of ANSI/NIST Type-10 records to ICAO format (ISO/IEC 19794-5) or FIPS 201 format (ANSI/INCITS 385)
  • Conversion of WSQ and JPEG 2000 images to JPEG for easy viewing in a browser
  • Conversion of fingerprint transactions to fingerprint card images in PDF format

Data is parsed from input transactions in preparation for processing of the data depending on the business rules for a particular workflow. Data from one transaction may be transformed to create another, single transaction. Data may be edited and repackaged in the same or different formats.

A single transaction may also be used to create multiple, differently-formatted results. Multiple inputs may also be merged into a single transaction. Finally, data from disparate sources, be it other transactions, other data files, databases, or text, may be used to create a new transaction.

Biometric Identification

BioSP Biometric Identification module provides several biometric matching services, including one-to-one and one-to-many matching for authentication/verification, identification, and duplicate checking.

Aware’s Nexa matching algorithms or external matching engines may be integrated or called using BioSP BPEL services. Multiple matchers can be integrated. With its abstracted Web-services based API, it enables users to use a single implementation and set of instructions with multiple matchers.

One-to-one matching compares one or more biometric templates submitted to the matcher with corresponding templates stored in the database, leading to verification of an individual’s claimed identity. Common use cases include physical and logical access control applications and match-on-server based biometric verification prior to credential issuance. One-to-many matching is used to compare a set of biometrics with a gallery of subjects with the goal of determining an identity. Inbound biometric data is enrolled to matcher galleries, which are collections of biometric data.

Biometric Identification module supports the matching of standard compliant fingerprint templates (ISO/IEC 19794-2 or ANSI/INCITS 378).

Multi-sample fusion requires all matching algorithms to report scores on a common unit of measurement. The Biometric Identification Module ensures that all matchers report scores in a consistent manner. The scores returned from matchers are level set within the Biometric Identification Module and are directly related to the occurrence of an input subject (or probe) falsely matching a member of the current gallery. This is formally referred to as the False Positive Identification Rate (FPIR). BioSP returns the FPIR value, which ranges from 0 to any positive value but is realistically limited to scores between 0.0 and 200.0. Once the FPIR scores are calculated, the Biometric Identification Module can fuse the match scores across biometrics.

Report Manager

BioSP Report Manager and associated modules provide biometric data collection, statistical analysis, and customizable reporting by processing and presenting data generated by Format Manager and the Fingerprint Analysis, Facial Analysis, and Iris Analysis modules. Biometric transactions are analyzed for image quality problems and non-conformance errors, and the resulting data is made available for users to retrieve, organize, and visualize in the form of custom, graphical reports. The reports can be used to identify and troubleshoot enrolment problems, quantify environmental factors, and perform general system performance monitoring and improvements.

All raw data collected for each subject and component (e.g. all ten fingers in a slap/plain impression) is aggregated and processed into OLAP cubes according to selectable parameters. Custom reports are presented that can summarize data in such a way as to enable informed decision making. For example, data might be presented that measures biometric image quality as a function of capture hardware device or operator, and presents summarizing statistics such as averages and standard deviations with automatically identified outliers. A capture device shown to yield average quality scores that are low to a statistically significant degree could indicate that the device is working improperly. Similarly, an operator requiring additional training might be identified. Finally, environmental effects such as humidity or temperature could be correlated to image quality. Output report formats include PDF, comma-separated value (.csv), HTML, and XML/XSL.

[Figures: BioSP Report Manager: creating a new report; designing a new report; modifying a report with filters; displaying a report]
Fingerprint Analyzer

BioSP Fingerprint Analyzer module provides services for complex fingerprint processing tasks and workflows. Quality assessment, segmentation, compression, decompression, and other processing tools are provided by this module. Some of the functions performed by this module are as follows:

  • Compression ratio calculation
  • Image noise reduction
  • Left/right hand identification
  • WSQ, JP2 or JP2L compression and decompression
  • Insertion of binary or text comments into images during compression and decompression
  • Transcoding of JP2, JP2L images to WSQ
  • Downsampling of fingerprint images
  • Segmentation and cropping of single fingers from slap images
  • Calculation of NIST and Aware QualityCheck scores
  • Sequence checking with match and non-match checking
  • Light, dark, and invalid image detection

Face Analyzer

BioSP Face Analyzer module is designed for remote, web-based submission of facial images for compliance analysis against standards-based or custom profiles. Profiles contain values that must be attained in order for a facial image to be considered in compliance with a standard (e.g. ISO/IEC 19794-5 for e-passports).

Users submit electronic facial images individually or in batches via an easy-to-use web interface or web service call. They are presented with results in real time, including pass or fail, and descriptions of problems in the case of a failure. Compliant images generated by the module may be stored in BioSP for integration with other systems (e.g. CMS), returned to the user, or both.

See PreFace for more details about Face Analyzer capabilities.

Iris Analyzer

BioSP Iris Analyzer performs centralized iris image segmentation and quality scoring using IrisCheck libraries. Quality vectors and scores are defined according to the international biometric iris image quality standard ISO/IEC 29794-6.

See IrisCheck for more details about Iris Analyzer capabilities.

Configuration Manager

BioSP Configuration Manager performs centralized management of client enrolment application configuration, enabling a high degree of automation of client software distribution and maintenance. Software updates are automatically downloaded from BioSP to remote clients, and take into account local client configuration and conditions, such as capture hardware model and version. Access to software updates is securely controlled.

Document Server

BioSP Document Server performs customizable PDF document generation from submitted biometric images and data transactions. It performs layout of biometric images, biographic data, and other data such as barcodes into documents according to configurable layout design files. Biometric data transactions are submitted to Document Server, which returns a PDF representation of the images and data according to the prescribed layout file. Document Server incorporates Aware’s AccuPrint™, an FBI-certified software product for creation of printed documents containing fingerprint images.