Biometrics-based Internet of Things and Big data design framework

: Application Specific Internet of Things (ASIoTs) has recently been proposed to address specific requirements for IoT. The objective of this paper is to serve as a framework for the design of ASIoTs using biometrics as the application. This paper provides comprehensive discussions for an ASIoT architecture considering the requirements for biometrics-based security, multimedia content and Big data applications. A comprehensive architecture for Biometrics-based IoT (BiometricIoT) and Big data applications needs to address three challenges: 1) IoT devices are hardware-constrained and cannot afford resource-demanding cryptographic protocols; 2) Biometrics devices introduce multimedia data content due to different biometric traits; and 3) The rapid growth of biometrics-based IoT devices and content creates large amounts of data for computational processing. The proposed BiometricIoT architecture consists of seven layers which have been designed to handle the challenges for biometrics applications and decision making. The latter part of the paper gives discussions for design factors for the BiometricIoT from four perspectives: 1) parallel divide-and-conquer (D&C) computation; 2) computational complexity; 3) device security; and 4) algorithm efficacies. Experimental results are given to validate the effectiveness of the D&C approach. The paper motivates the further research towards the research and development of ASIoTs for biometrics applications.


Introduction
Due to the rapid progress in sensing, processing and cloud technology platforms, the Internet-of-Things (IoT) in recent years is increasingly becoming highly important and ubiquitous. The IoT gives the capabilities of connecting intelligent devices and objects to large networks and be accessible from additional layers in the BiometricIoT are proposed to deal with the specific requirements for biometrics applications. For example, the benefits of the Biometrics Object Layer are that it considers the physical objects which can be the biometrics sensors to produce multimedia contents due to the biometric traits with different modalities. The Big Biometrics Data Computation Layer is designed specifically to consider Big data including data computations for biometrics. This layer can accommodate various kinds of data including multimedia content such as video, image and audio generated by biometrics objects. The authors in [20] discussed several categories and types of ASIoTs, where a brief sketch of a biometrics IoT was one of the examples used for illustration. This paper provides comprehensive discussions for an ASIoT architecture considering the requirements for biometrics-based security, multimedia content and Big data applications.
Motivated by the aforementioned challenges, the work in this paper aims to serve as a full and comprehensive design framework for ASIoT using biometrics as the application. The security issues are also discussed for each layer in the BiometricIoT. Furthermore, the paper also gives discussions for various design factors for the BiometricIoT from four perspectives: 1) parallel divide-and-conquer (D&C) data computation; 2) computational complexity; 3) device security; and 4) algorithm efficacies. This paper is structured as follows: Section 2 discusses the BiometricIoT and seven-layer architecture. Section 3 gives discussions on the important design factors to be considered for the BiometricIoT. This section also gives theoretical discussions and experimental results to validate the algorithm efficacies. Section 5 gives some concluding remarks and suggests challenges and some potential research for the proposed framework.

Application-specific IoT (ASIoT) architecture for biometrics framework
This section discusses the Biometrics-based ASIoT (BiometricIoT) architecture. Figure 1 shows the BiometricIoT and its seven layers and an overview of the components for the different layers. This section also discusses the proposed Big Biometrics Computation Layer to consider Big data computations for biometrics. The architecture of the BiometricIoT is application-specific and can be contrasted with other works on the general IoT architectures which can be found in [21][22][23].

Layer 1: Biometrics Identification Layer
The Biometrics Identification Layer supplies the biometrics objects or things with a unique digital identifier which is permanent and global for the lifetime of the object. This unique identifier can then be used to refer to the biometrics object/thing with its characteristics and information history. The identifier can make use of available naming codes being used by manufacturers (e.g., EPC-electronic product codes, uCodes-ubiquitous codes) and addressing schemes such as IP addresses (e.g., IPv6). A combination of naming codes together with addressing schemes creates a unique identifier for the biometrics object.

Layer 2: Biometrics Object Layer
The Biometrics Object Layer performs the data collection from the biometric sensors and objects in the network. This could include sensing devices from fingerprint, voice/speech, iris/retina, facial features, gait features, or other biometric modalities. It is important to implement security and protection measures at this layer to mitigate against attacks conducted against the physical sensors. For example, side channel attacks [24,25] based on power consumption, timing information or electromagnetic leaks may reveal to an attacker useful information to retrieve secret keys. The physical IoT sensors are usually left out in the open and not stored in physically secure locations. Thus, an adversary can get in close proximity to launch the side-channel attacks. The author in [26] commented that existing physical layer security techniques may not be suitable for IoT applications compared to mobile devices (phones and tablets). This is particularly the case for biometrics IoT sensors due to its limited hardware, processing, storage, and energy resources. These important aspects for physical layer security for biometrics sensors have so far received limited attention in the literature. Further issues and potential attacks for this layer are jamming attacks [27,28] and tampering [29,30] of the biometric devices.

Layer 3: Biometrics Device Layer
The Biometrics Device Layer consists of wireless devices, nodes or motes which have the capability to send the captured biometrics data to other parts of the network. This could form part of the implementation for body sensor networks or other wearable devices. The wireless transmission of the biometrics data gives an opportunity for adversaries and attackers. It is important to implement security and protection measures at this layer to mitigate against attacks conducted against the data transmission. However, the implementation of these security protocols has to be designed to meet the requirements for IoT devices which are hardware-constrained. Biometric devices would have low computational power, storage capacity, and limited energy resources. A solution would be to use lowcomplexity encryption methods and lightweight cryptographic protocols to secure the biometrics data before transmission [5,6]. Further issues on design factors for device security are given in Section 3.

Layer 4: Biometrics Communication Layer
The Biometrics Communication Layer consists of three sub-layers: 1) Link Sub-Layer; 2) Network Sub-Layer; and 3) Transport Sub-Layer. The Link Sub-Layer has the responsibility for the medium access control (MAC) protocols in the BiometricIoT. To meet the hardware constraints, a consideration is to implement and deploy MAC protocols with low-cost and/or low-power consumption wireless networks such as given in the IEEE 802.15.4 specification [31]. The IEEE 802.15.4 includes three security modes which can be utilized depending on the level of security required [32,33]: 1) Unsecured mode-this mode provides no security services and is not suitable for high security applications like the BiometricIoT; 2) ACL mode-this mode utilizes an access control list (ACL) and provides a limited amount of security services to reject transmission frames which do not originate from registered devices contained in the ACL. This mode does not provide encryption or cryptographic services; and 3) Secured mode-this mode provides several security suites including cryptographic protocols. These suites employ the advanced encryption standard (AES) in various modes of operations. An important security issue at this sub-layer is termed the backoff manipulation attack [34] where an attacker attempts to use its nodes to maximize its access to the medium by deliberately selecting a small backoff window, and thus deprive or reduce the legitimate node's access to the medium. The authors in [34] investigated this potential attack on IEEE 802.11 networks. The authors in [35] gave a study of potential attacks on the IEEE802.15.4 for a wireless body area network (WBAN) application, finding that a sophisticated backoff detection scheme successfully detected the backoff attacks.
The Network Sub-Layer has the responsibility for the routing and connectivity in the BiometricIoT. The IEEE 802.15.4 specification proposes the RPL (Routing over Low Power and Lossy Networks) protocol. Security issues at this sub-layer include network congestion, network traffic disruption and route changes when an adversary introduces false packets or routing details into the network. An example is the rank attack [36] when an adversary creates false nodes and violates the rank rule in RPL to create longer routing paths for data transmission. This has the effect of decreasing the overall performance of the network (e.g., delay and throughput) and consumes extra energy to deplete the network resources. Other possible routing attacks aim to reduce network performance by spoofing, misdirecting, packet dropping, generating routing loops, or injecting false error messages into the network. Several authors have considered these potential attacks which include Black Hole, Gray Hole, Worm Hole, Hello Flood, and Sybil. Further details for these attacks at the Network sublayer can be found in [21].
The Transport Sub-Layer has the responsibility for the flow and congestion controls in the BiometricIoT. Two protocols which can be utilized at this sub-layer are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). TCP is a connection-oriented protocol and suffers from a high amount of data overheads for the communications. UDP is a connectionless protocol and does not guarantee packets to be delivered. However, authors in [37] have shown that techniques using UDP and application layer retransmission control could give an effective trade-off between transmission reliability and energy efficiency. Security issues at this sub-layer include de-synchronization attacks and flooding [38]. In de-synchronization attacks, an adversary aims to spoof messages in the network to cause retransmission of missing frames or report errors in reception. This misinforms the host node and causes it to re-transmit the data frames which will subsequently lead to depleting the node resources. A solution to this is to apply end-to-end authentication between communicating nodes so that the adversary cannot spoof the messages. Flooding is a resource exhaustion attack where an adversary repeatedly initiates a large number of new connection requests and blocks legitimate requests from being serviced.

Layer 5: Biometrics Cloud Services Layer
The Biometrics Cloud Services Layer consists of hardware and software architecture for the BiometricIoT. The cloud hardware architecture consists of servers, storage and network equipment and may deploy virtualization technology and parallel computational environments. The cloud software architecture consists of the services centre and the access centre. Most cloud services are powered by data centres. The data centre is the physical location which houses and run a cloud service. Some examples of cloud services are Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). The access centre provides the access control services to only allow authorized users. This layer could be implemented using private or public cloud components (e.g., from Amazon EC2, Google Cloud). It is important to implement security and protection measures at this layer to mitigate against attacks conducted against security and privacy attacks for cloud-based IoT [39] such as identity/location privacy, node compromise attacks, layer removing/adding attacks, and semi-trusted/malicious cloud security attacks. From these issues, one particularly relevant security issue for the BiometricIoT is the need for forward and backward security. The implications for forward security are that users which have just enrolled into the BiometricIoT should only be allowed to decipher encrypted messages which have been received after (and not before) they join the cloud services. Similarly, the implications for backward security are that revoked users should only be allowed to decipher messages which have been received before (and not after) leaving the cloud services. Further security issues are to secure end-to-end communications between the end of the Device Layer (e.g., gateway) and the Cloud Services Layer. A sub-layer can be designed to secure end to end communications between the gateway and the cloud servers without needing the control of the full communication path which is not possible for the global Internet.

Layer 6: Big Biometrics Data Computation Layer
The proposed architecture of Big Biometrics Data Computation Layer consists of four components: 1) Biometrics Centralized Unit (Bio_CU); 2) Biometrics Aggregation and Preprocessing Unit (Bio_AU); 3) Biometrics Feature Extraction Unit (Bio_FU); and 4) Biometrics Decision Making Unit (Bio_DU). The Bio_CU has the responsibility to extract the data from biometrics objects and devices. For multi-biometric data, this unit combines the biometric data from objects with the same identity which may have been transported using different routes through the network. With the integrated biometric sensors and installed plug-ins, the component devices or smart 'things' in the Device Elements Layer can send the sensed data from the biometrics objects in the Biometrics Objects Layer to the Biometrics Cloud Services Layer through a range of communication gateways in the Biometrics Communication Layer. The Bio_AU has the responsibility for the data aggregation role and performs the ordering of the data into blocks based on the identities of the blocks and biometrics modalities, and then feeds the ordered blocks into the Bio_FU. The Bio_FU makes use of divide and conquer (D&C) mechanisms for parallel computation of the biometrics data.
Section 3 gives further discussions on the D&C mechanisms using algorithm variants for PCA (principal component analysis) and LDA (linear discriminant analysis) which are suitable for largescale D&C implementation in the BiometricIoT. The Bio_DU has the responsibility for the final decision making for the biometrics data. The Bio_DU can perform decision making for single modality and multiple modality biometric objects. The decision making for multimodal biometric objects utilizes various fusion techniques (e.g., early fusion, late fusion) to perform the joint decision making tasks. Figure 2 shows the proposed architecture of the Big Biometrics Data Computation Layer.

Layer 7: Biometrics Application Layer
The Application Layer in the BiometricIoT has the responsibility to provide services and protocols for the various application requirements (e.g., smart homes, banking and finance, industry and manufacturing, healthcare and medicine, etc.). The IEEE 802.15.4 specification proposes the constrained application protocol (CoAP) [40] for implementation in low power networks. Security issues at this layer should also be considered to be essential to the overall security for the BiometricIoT. The authors in [41] proposed an approach using DTLS (Datagram Transport Layer Security) and X.509 public key certificates for end to end secure communications where the IoT infrastructure does not have complete control over the communications network and channels. Besides CoAP, other application layer protocols which could utilized for the BiometricIoT include message queue telemetry transport (MQTT), representational state transfer (REST), advanced message queuing protocol (AMQP) and extensible messaging and presence protocol (XMPP) [42].

Design factors for biometrics IoT
Section 2 has discussed the comprehensive seven-layer framework for the BiometricIoT. This section gives discussions regarding the design factors for the biometrics IoT from four perspectives: 1) parallel Big data divide-conquer (D&C) computation; 2) computational complexity; 3) device security; and 4) algorithm efficacies. The design factors are important to develop the BiometricIoT considering the requirements for biometrics-based security, multimedia content and Big data applications.

Design factor 1: parallel Big data (D&C) computation
A first design factor for the BiometricIoT to be considered is the parallel Big data computation. This section will focus on the specific novelty for one layer and illustrate the parallel computation for the Bio_Data_FU using divide and conquer (D&C) techniques for the principal component analysis (PCA) [43] and linear discriminant analysis (LDA) [44] feature extraction approaches. A novel cascaded feature extraction technique called the Cascaded D&C PCA and LDA (Cas-D&C PCA-LDA) is proposed for Big Biometrics Data Computation Layer in the BiometricIoT. The traditional PCA and LDA algorithms incurs high computational costs due to the need to perform a SVD (singular value decomposition) on the full data matrix.
The authors in [45] proposed a split and combine technique to reduce the computational requirements for LDA to permit the deployment of parallel processing approaches using multicore architectures or graphical processing units (GPUs). In this section, we propose the full reconstructivediscriminative cascaded PCA-LDA problem on Big data for the BiometricIoT. The proposed approach uses variations of the PCA and LDA using the QR decomposition in place of the SVD. Further discussions on the PCA/QR can be found in [46]. The LDA/QR algorithm variation can be found in [47]. Equation (1) shows the LDA/QR objective function G, using the pseudoinverse operation of • .

max ∈
(1) Figure 3 shows the Cas-D&C PCA-LDA feature extraction architecture to be implemented in the Big Biometric Data Computation Layer and Table 1 shows a summary of the notations and terminology. Figure 3 shows the block diagram of the Cas-D&C PCA feature extraction for the BiometricIoT. The actual algorithm of the Cas-D&C PCA feature extraction is given in Figure 4. A summary and discussion of the algorithm is given next. The algorithm inputs are the dataset, A which is stored in an m × n matrix and the class data, C which is stored in a 1 × n vector. The algorithm outputs are three matrices, A1, A2, ATest, and three row vectors C1, C2, and CTest where A1 and A2 are matrices of size m × n/4, and ATest is a matrix of size m × n/2. This is shown as Step 1. In Step 2, the centered data matrices X1 and X2 are formed by subtracting the sample means from the respective datasets.
Step 3 performs the two Divide PCA in parallel.
Step 4 performs the Conquer PCA and calculates the PCA matrix ɸ. This is followed by the D&C LDA. Further theoretical discussions for the Cas-D&C LDA module can be found in [45].

Design factor 2: computational complexity
A second design factor for the BiometricIoT to be considered is the computational complexity requirements. The computational complexity for a SVD decomposition is 14 mn 2 flops [46] whereas the computational complexity for a QR decomposition is 4 mn 2 -(4/3)n 3 flops [48]. Table 2 shows a summary of the computational complexity for different Cas-D&C PCA-LDA architecture configurations. The architecture is scalable and each QR decomposition can be further split into three smaller QR decompositions to suit the computational requirements for the architecture. This becomes illustrative of the processing operations in the Big biometric data computation layer for the BiometricIoT. With a large number of computational processing units available (e.g., in a multicore or GPU architecture), the data blocks can be split until the block size reaches a threshold. In this way, a scalable architecture can be used to distribute the blocks to multiple parallel computational processing units for recombination at a later stage.

Design factor 3: device security
A third design factor for the BiometricIoT to be considered is the device security. This is particularly the case for IoT devices and applications which require significant levels of security such as biometrics identification for medical, financial and military systems. This section provides a discussion for the device security for the biometrics IoT. Device security (e.g., encryption) is required for securing the network transmission from the biometric devices/objects to the gateway. Encryption approaches that can be used includes identity-based [49,50] and pairing-based [51] methods. An advantage of identity or pairing-based approaches compared with other public-key cryptography approaches is that user-defined bit strings (e.g., derived from IP addresses, email addresses, or biometric traits) could be used as the public key. A disadvantage is that key revocation would also revoke the user identity. This is an especially important for the BiometricIoT using the biometric traits (e.g., facial identity) as the public key as the user biometric traits are permanent. A solution to this is to concatenate the identity component with a timestamp [52]. A biometrics identity breach would be limited to when the timestamp expired. Another approach proposed by [53] used a technique where nodes monitor its neighbor nodes for suspicious behavior (e.g., nodes sending invalid messages, extremely high traffic) and accumulates the information in an accusation matrix (AM). The public key is then revoked when the sum of all accusations exceeds a threshold. The authors in [54] identified a further security issue when compromised nodes attempt to transmit forged packets in the network.

Design factor 4: algorithm efficacies
A fourth design factor for the BiometricIoT to be considered is the efficacy of the algorithms. This is particularly the case for algorithms which have been initially designed for sequential implementations on traditional computer systems, and which now have to be efficiently executed on the IoT platforms. This section provides a discussion for the algorithm efficacy for the biometrics IoT. The face feature extraction and recognition procedure using the proposed Cas-D&C PCA-LDA approach is investigated and compared with traditional sequential implementations. Figures 5 and 6 show the comparison on the ORL and Yale datasets. The first two columns on the left show the algorithm performance using the traditional PCA and PCA + LDA (Fisherface [55]) approaches. The remaining columns to the right show the algorithm performance using the Cas-D&C PCA-LDA configurations (PCA-LDA/QR). The classification was performed using the nearest neighbor classifier. As shown in Figures 5 and 6, the Cas-D&C PCA-LDA gave higher performance than the traditional and well-established Fisherface approach. This demonstrates that a parallel approach could give high algorithm efficacies without needing to compromise on performance. Figures 5 and 6 also show that the various splitting configurations gave similar algorithm efficacy. Thus, the divide-and-conquer processing can be tailored to suit the number of computational elements in the architecture.

Conclusions
This paper has presented a seven-layer biometrics-based IoT (BiometricIoT) architecture with Big data computation and discussed various design factors for the IoT architecture. The BiometricIoT serves as an example of an ASIoT and requires additional challenges to be addressed compared with conventional IoT systems. Security issues for the different layers have also been discussed for the different layers. Some layers which are specific for the biometrics-based IoT including Big biometrics computation layer for biometrics data analytics has been introduced. In response to some of the security and processing issues raised in the architecture description, the authors have presented experimental data in support of a proposed novel cascaded feature extraction technique called Cas-D&C PCA-LDA for Big biometrics data analytics. The approach utilizes divide-and-conquer (D&C) techniques for realworld Big data applications and have been validated with experiments on real-world datasets. The work in this paper has given a comprehensive framework for the design of ASIoTs using biometrics as the application, and has the objective to encourage researchers/practitioners towards the research and development of ASIoTs. It is expected that the integration of biometric technology to IoT connected devices to be happen over the next few years. This area will continue to grow as businesses look to tackle the potential threats caused by unsecured IoT devices on their network. For future research, some aspects such as security and threats, multimedia content and Big data can be further researched and strengthen making the proposed framework more reliable, secure and can meet the need of Big data applications. For example, security may be considered as a transverse layer which crosses the other seven system layers.