- Email: [email protected]
New perspectives in automatic signature verification
Information
Security Technical
Report, Vol. 3, No. 1 (1998) 52-59
New Perspectives in Automatic Signature Verification Electronic By M.C. Fairhurst, Laboratory, University of Kent
Engineering
Many different biometrics have been proposed as a means of determining or veribing personal identity. Of these, the handwritten signature is well established and widely accepted, yet attempts to realize viable practical systems for automatic signature verification have not always been very successful. This paper reviews some fundamental aspects of signature verification and suggests some basic principles which might help to promote the more widespread adoption of signature verification technology which is increasingly both reliable and robust.
1. Introduction Many approaches have been proposed over the years to the automated realization of a biometric measure which can uniquely and reliably allow identification of an individual, or verification of his or her purported identity. Of the various biometrics proposed (see, for example [l]), the analysis of the handwritten signature has a very long history, and represents an approach which offers many advantages. For example, the signature has long been established as an accepted means of confirming or validating a transaction and the analysis of a handwritten signature as part of an automated system consequently requires little or no change to widely accepted and very natural customs and practices. Likewise, the extraction of identifying information from a handwritten signature requires no invasive measurement on a human subject and has no unpleasant or socially unacceptable connotations. On the other hand, the signature is a behavioural biometric, and is therefore inherently dependent on the changing activity
52
patterns of the signer and the signing process, with the resulting expectation of potentially high variability and consequent decreasing reliability under unconstrained conditions of use. Nevertheless, automatic signature verification has an important place in the possible battery of biometric approaches which are available for use in different operational situations, and there is an increasing awareness of design maximize strategies which can the effectiveness with which this type of technology can be applied to practical tasks and real operational environments. This paper will consider various aspects of practical signature verification, and will address a number of issues which are important in achieving the goal of practical viability for systems embodying automatic signature verification techniques.
2. Principles of automatic signature verification The many techniques for signature verification which have been reported in literature generally rely on one of two possible underlying feature processing paradigms. Static verification methods (see, for example [2]) are based on the limited information available solely from the basic shape and structural characteristics of the signature represented as a two-dimensional image, and consequently can present a very difficult problem. On the other hand, dynamic verification (see, for example [3]) relies on features which define the pattern of execution of the signature (for example, pen motion, pen velocity, stroke sequencing, and so on) which consequently are able to exploit information
0167-4048/98/$19.00
0 1998, Elsevier Science Ltd
New Perspectives in Automatic Signature Verification
1
ENROLMENT STAGE SAMPLE PATTERNS
-b
CLASS IDENTIFIER
-b
CLASS MODEL CONSTRUCTION
P TEST PATTERN ALLEGED IDENTITY
+ -+
TEST AGAINST CLASS MODEL
-b
DECISION
VERIFICATION STAGE Figure 1: A basic signature verijcation processing model.
which is hidden to the casual observer, but which may be highly characteristic of an individual signer, and can therefore offer the potential for greater degrees of success. A third general verification paradigm is one based on neural network techniques (see, for example, [4]), though this differs from the others in terms of its fundamental underlying computational philosophy rather than through the exploitation of fundamentally different feature types. This approach also suffers from the somewhat undesirable constraint that relatively large training sample sets are often required if acceptable levels of to be achieved. performance are Comprehensive reviews of the whole field of automatic signature verification can be found in [5] and [6]. Although it is then clearly possible to tackle automatic signature verification in a number of different ways, the most common approach adopted is to extract features from the specific two-dimensional signature image (static
Information Security Technical Report, Vol. 3, No. 1
features) and/or execution pattern of signing (dynamic features) and to use quantitative measurements of these features in order to make a comparison with a stored model which has been constructed to reflect the statistical variations in the corresponding measurements taken from known genuine individual signature specimens. Adopting this principle, automatic signature verification then embodies two separate, but highly interdependent, processing stages, as illustrated in Figure 1. First, a potential user of the automated system must enrol by providing a set of valid signature samples (preferably, for obvious practical reasons, the number of samples required should be kept to a minimum). On the basis of these genuine samples, a model is constructed which will encapsulate in some appropriate way the characteristics of an individual signer with respect to the features chosen for signature representation. Subsequently, appropriate processing of a newly presented sample for
53
New Perspectives in Automatic Signature Verification
verification is assessed with likely authenticity by means of statistically based, against the corresponding to the purported
respect to its a comparison, stored model signer.
Errors which occur in a signature verification system are generally categorized as one of two types. A Type I error occurs when a genuine signer is rejected by the system. This might happen because the signer is careless in the execution of the signature sample presented for verification, or sometimes as a result of natural high variability in the signing process. On the other hand, an expert forger might, in principle, be able to produce a sample which is accepted by the system (in relation to the features measured) as genuine, resulting in a Type II error (a false acceptance). A useful and convenient way of viewing the verification process is to characterize it as the evaluation of a discriminant function for a given test sample which can be compared against a threshold value, this comparison resulting in a binary decision which either accepts or rejects a sample as authentic specific or a forgery/imitation. The threshold setting chosen in practice is, therefore, crucial in determining the limits of acceptability to be adopted in a given situation, and will thus define a trade-off between ensuring that the system is resistant to compromise through forgery and the degree to which false rejection of genuine signers occurs.
3. A practical approach to system design The most usual techniques adopted in implementing a signature verification system have rested on the assumption that a universally applicable set of features can be found on which to base a judgement about the acceptability or otherwise of any specific sample presented for verification. However, despite the practical difficulties associated with most alternative viewpoints, it is
54
increasingly being recognized that the search for this principle of universality may be a limiting factor in designing reliable systems. Instead, it may be more productive, particularly in investigating task-specific configurations, to seek ‘locally-optimized’ solutions. One specific implication of this is that individually-derived feature sets may be usefully defined (see, for example [7,8]) but, in broader terms, this approach suggests that a much greater degree of flexibility needs to be incorporated into system designs in general. There are a variety of operational parameters which may be important in characterizing and evaluating a system. For example, the Type I/Type II error rate trade-off characteristics are clearly crucial to an understanding of attainable system performance, but many other factors processing speed, number of training samples required, system cost, security of data, and so on - can be equally influential in determining the viability of a particular system in relation to a specific operating environment. This suggests that an approach to system design which is likely to be particularly productive is one in which a system implementation can be realized from a ‘toolkit’ of modules which, through appropriate selection, interconnection and configuration, can satisfy performance requirements on a localized or task-specific basis. One practical system which conforms exactly to these basic principles of modularity and flexibility is the KAPPA system 191. This is a system which can operate in either online or offline mode, can make independent checks of static and dynamic features of the signature, and can draw on a variety (unlimited in principle) of feature types to drive the verification algorithms. The system is structured in a very flexible and adaptable way, and hence can in principle be used in a variety of application areas which may have widely differing practical requirements.
Information Security Technical Report, Vol. 3, No. 1
New Perspectives in Automatic Signature Verification
4. Task-orientated system optimization Some of the many advantages afforded by the modular task-orientated implementation approach discussed can be illustrated by considering a situation where operational constraints are well established and exploitable in terms of optimizing the system configuration and its performance characteristics.
! !
I
I
i
i
Figure 2: Structure verijka tion sys tern.
of the KAPPA
signature
J
The KAPPA system embodies a number of characteristics of considerable practical significance. The system has a highly modular structure configured as a design toolkit, it can achieve online and offline processing, it can utilize multi-source feature extraction depending on the data capture facilities available, it has the capacity for feature selection, offers many optimization features such as enrolment model validation (see below), and can provide robust and efficient operation in a variety of task domains. An overview of the system structure is shown in Figure 2 which illustrates clearly the high degree of modularity in its implementation. The following sections will describe a number of the more important aspects of this particular system, illustrating some of the advantages of the type of flexible structure specified above.
Information
Security Technical
Report, Vol. 3, No. 1
An obvious example is to consider the problems which arise through the false rejection of genuine signatures, for in many applications a high false rejection rate might make a system unusable in practice. However, there are many applications in which it is possible to disregard false rejections on a ‘single shot’ basis by allowing the possibility of what might be called a ‘re-try’ facility. Thus, the signer might be allowed, say, three attempts to generate an acceptable signature sample before rejection is confirmed, and this strategy provides a simple but effective mechanism for significantly reducing the overall false rejection rate at the system level without the necessity of compromising the reliability of the system with respect to its ability to identify forgery attempts. Even a simple strategy such as this has been found to offer significant performance benefits and, coupled with other measures such as those described below, can facilitate an extremely effective system implementation suitable for many applications. Indeed, exactly this kind of procedure is already adopted in many practical systems in current use, such as the ubiquitous PIN-controlled ATM cash dispensers. One of the particularly interesting and important modules available in the KAPPA system is an enrolment validation module. This provides a means of significantly reducing the extent to which errors occur as a result of adopting a signature model which is
55
New Perspectives
in Automatic
Signature Verification
unrepresentative of the true variability of the signature characteristics of an individual signer. The requirement in most practical situations that the model adopted is constructed from a small number of signature samples means that a mechanism for seeking an effective representation of the signature model is a particularly important element in optimizing an overall implementation with respect to a given task domain. The precise role and benefits of this type of signature model monitoring can be illustrated by considering a process in which a signature model is constructed on the basis of a fixed small number of donated samples, but which allows the acquisition of additional samples to refine or adjust an individual reference model if its initial formulation is shown by the validation procedure to be unsatisfactory. For example, an experiment has been carried out in an online verification system where up to 10 donated samples are allowed for construction of an individual signature model, but where five samples only are utilized in a first pass, further samples being requested only where the validation process indicates failure to construct a suitable reference model. The results obtained are illustrated in Figure 3. Starting with an enrolment set based on just five donated samples, it is seen that a very unsatisfactory performance characteristic emerges, where around 30% of enrolees would have subsequent test signatures processed with an inappropriate reference model, thereby seriously impairing the overall system performance attainable. Allowing further samples (up to a maximum of 10 here) to be added where necessary, however, achieves a situation where only around 6% of enrolees would then fail to enrol with a satisfactory signature model. Testing this system with a large database generated during public trials (which generated more than 8000 signature samples
56
I-
6
7
6
9
~.__
Number of Training Samples
Figure 3: Effect of number of training samples on enrolment validation in an online verification process. in all [lo]) demonstrated that using a fixed enrolment sequence of five samples per enrolee resulted in a false rejection rate as high as almost 20%, while allowing up to 10 samples per enrolee using the model validation mechanism reduced this to around 6.9%. Adding to the system a mechanism whereby individuals who still failed to enrol satisfactorily after donating 10 samples were excluded from the system, then the error rate was reduced further to 1.8%. This figure could be reduced to less than 1% when a re-try facility, as discussed above, was added. The concept of enrolment validation is also applicable in cases where offline signature processing is required, and an example of its use in such circumstances allows the consideration of an alternative protocol for model construction. Automatic signature verification using only static (offline) information is inherently more difficult in principle than is the case when dynamic information is also available. Static features, by their very nature, provide a much less information-rich source of verification evidence on which the processor can operate, while in most situations where static processing is demanded the number of signature samples which are available is generally limited by the nature of the specific
Information Security Technical Report, Vol. 3, No. 1
New Perspectives in Automatic Signature Verification
task. However, the principle of enrolment validation can in most tasks still be applied, and can provide an improvement in the performance profile of an overall system. As an example to illustrate this, a procedure has been defined to evaluate a set of signature samples, rejecting those which degrade the current reference model. In a series of experiments reference models were constructed from a pool of 15 candidate samples per signer for a group of around 250 enrolees on the basis of selecting the best n out of m samples. System performance was then measured using the so-called equal error rate measure (the value of the system error at which Type I and Type II error rates are equal). Figures 4 and 5 illustrate the test results obtained, plotting equal error rate performance against the total number of samples used in constructing the reference signature model. Figure 4 represents the performance of the system when enrolment is not validated, while Figure 5 shows the corresponding performance when validation is applied. It is apparent that the verification performance achievable is limited when only static features are available for the verification processing,
45
I
I
I
I
6
5
10
I
I
12
14
40 $I
35
d
30
b t W
25
z
20
z W s
15 10
2
4
Numbu of Signature5 in Rehnnu
Model
Figure 5: Equal error rate performance (enrolment validated). the introduction of an enrolment validation procedure is effective even here in considerably improving the error rates delivered by the system. The results also point clearly to the real difficulties of working with a small number of signature samples for enrolment, and it can be seen that typically at least 8-10 valid samples per enrolee are required in order to achieve a reasonable degree of stability in performance. yet
The availability of options such as these, all of which can be incorporated where a particular operational environment permits this, can be most valuable in achieving task-related optimized performance, and it is clear that the inherent modular design structure proposed here is instrumental in facilitating this high degree of flexibility and system tunability. 5. Conclusions
0
2
I
I
I
I
I
4
6
*
10
12
14
Number of Signatures in Refemnce Model
Figure 4: Equal error rate performance (enrolment not valida ted).
Information
Security Technical
Report, Vol. 3, No. 1
The long history of automatic signature verification is well-known, yet relatively few successful commercial systems have emerged over the years. While the many advantages associated with the use of the handwritten signature as a biometric for identification/ verification purposes are abundantly clear, it is also true to say that the performance
57
New Perspectives in Automatic Signature Verification
actually delivered by many proposed systems has not been able to achieve the levels required for practical viability in many applications. This paper has addressed a number of key issues which might be particularly influential in promoting the further exploitation of signature verification technology in practice. A key factor here is the requirement to ensure a careful match between the characteristics of a specific task domain and the precise configuration which is implemented by judicious selection from the operational elements which the technology can in principle supply. In seeking to achieve this, a system architecture has been developed which offers a toolkit for a system designer to facilitate this type of very flexible and taskorientated optimization. Of course, a principal avenue to pursue in attempting to improve further the attainable levels of performance in this type of system relates to efforts to develop and refine the basic verification algorithms themselves, but work in this area is likely to achieve at best only small incremental improvements in the foreseeable future. In any case, the performance of any system is necessarily limited by the nature of the underlying statistical properties of the signature data to be processed. It is clear, however, that an examination of other operational factors can lead to productive approaches for improving achievable performance, and that a clear understanding of the limitations and constraints of a particular operational environment can be instrumental in maximizing the benefits afforded by technological solutions. Overall then, there are certainly many positive messages for those who believe that practical biometric testing still has much to offer, even in the short term. One of these is that the
58
modular approach advocated here should allow the introduction of more reliable products, particularly in relation to many smaller-scale localized application areas. This is especially true of automatic signature verification, a biometric technique which can offer significant benefits at the technological level without the need completely to reeducate a possibly sceptical user community to new and potentially alarming modes of social behaviour, and practical success for signature verification technology may still be a goal which can be achieved even with the technology which is currently available.
6. References processing for biometric [l]Image measurement, IEE Colloquium Digest Ref: 1994/200,1994. [2]Lee, S. and Pan, J.C., Offline tracing and representation of signatures, IEEE Trans., SMC-22,7X%-771,1992. [3]Plamondon, R., A model-based dynamic signature verification system, Conf. on Fundamentals in Handwriting Recognition, Chateau de Bonas, France, 1993, pp. 75-93. [4]Drouhard, J.P., Off-line signature verification using directional PDF and neural networks, Proc. 11 th ICPR, 1992, pp. 321-325. [5]Plamondon, R. and Lorette, G., Automatic signature verification - the state of the art, Pattern Recognition, 22,1989, pp. 107-131. [6]Leclerc, F. and Plamondon, R., Automatic signature verification - the state of the art 1989-1993, ht. J. Pattern Recog. Artif: Intell., 8, 1994, pp. 643-659. [7]Fairhurst, M.C., Brittan, I?. and Cowley, K.D., Parallel realisation of feature selection for a high performance signature verification
Information
Security Technical
Report, Vol. 3, No. 1
New Perspectives
system”, 974-982.
Proc. PACTA, Barcelona,
1992, pp.
[B]Brittan, I? and Fairhurst, M.C., An approach to handwritten signature verification using a high performance parallel architecture, In Impedovo, S. and Simon, J.C. (Eds.): From pixels tofeatures III (Elsevier), 1992, pp. 385390. [9]Fairhurst, M.C., Automatic signature verification: making it work, Proc. Zst IEE European Workshop on Handwriting Analysis and Recognition, Brussels, 1994.
Information Security Technical Report, Vol. 3, No. 1
in Automatic Signature Verification
[lO]KAPPA signature verification public trials and public survey on biometrics, Available from BTG plc, 101, Fleet Place, London, EC4M 7SB.
Acknowledgement This paper is based on an article which appeared in the Electronics & Communication Engineering Journal (December 1997, pp. 273280), published by the Institution of Electrical Engineers, to whom the author is grateful for cooperation in respect of the material which has been reproduced.
59
Security Technical
Report, Vol. 3, No. 1 (1998) 52-59
New Perspectives in Automatic Signature Verification Electronic By M.C. Fairhurst, Laboratory, University of Kent
Engineering
Many different biometrics have been proposed as a means of determining or veribing personal identity. Of these, the handwritten signature is well established and widely accepted, yet attempts to realize viable practical systems for automatic signature verification have not always been very successful. This paper reviews some fundamental aspects of signature verification and suggests some basic principles which might help to promote the more widespread adoption of signature verification technology which is increasingly both reliable and robust.
1. Introduction Many approaches have been proposed over the years to the automated realization of a biometric measure which can uniquely and reliably allow identification of an individual, or verification of his or her purported identity. Of the various biometrics proposed (see, for example [l]), the analysis of the handwritten signature has a very long history, and represents an approach which offers many advantages. For example, the signature has long been established as an accepted means of confirming or validating a transaction and the analysis of a handwritten signature as part of an automated system consequently requires little or no change to widely accepted and very natural customs and practices. Likewise, the extraction of identifying information from a handwritten signature requires no invasive measurement on a human subject and has no unpleasant or socially unacceptable connotations. On the other hand, the signature is a behavioural biometric, and is therefore inherently dependent on the changing activity
52
patterns of the signer and the signing process, with the resulting expectation of potentially high variability and consequent decreasing reliability under unconstrained conditions of use. Nevertheless, automatic signature verification has an important place in the possible battery of biometric approaches which are available for use in different operational situations, and there is an increasing awareness of design maximize strategies which can the effectiveness with which this type of technology can be applied to practical tasks and real operational environments. This paper will consider various aspects of practical signature verification, and will address a number of issues which are important in achieving the goal of practical viability for systems embodying automatic signature verification techniques.
2. Principles of automatic signature verification The many techniques for signature verification which have been reported in literature generally rely on one of two possible underlying feature processing paradigms. Static verification methods (see, for example [2]) are based on the limited information available solely from the basic shape and structural characteristics of the signature represented as a two-dimensional image, and consequently can present a very difficult problem. On the other hand, dynamic verification (see, for example [3]) relies on features which define the pattern of execution of the signature (for example, pen motion, pen velocity, stroke sequencing, and so on) which consequently are able to exploit information
0167-4048/98/$19.00
0 1998, Elsevier Science Ltd
New Perspectives in Automatic Signature Verification
1
ENROLMENT STAGE SAMPLE PATTERNS
-b
CLASS IDENTIFIER
-b
CLASS MODEL CONSTRUCTION
P TEST PATTERN ALLEGED IDENTITY
+ -+
TEST AGAINST CLASS MODEL
-b
DECISION
VERIFICATION STAGE Figure 1: A basic signature verijcation processing model.
which is hidden to the casual observer, but which may be highly characteristic of an individual signer, and can therefore offer the potential for greater degrees of success. A third general verification paradigm is one based on neural network techniques (see, for example, [4]), though this differs from the others in terms of its fundamental underlying computational philosophy rather than through the exploitation of fundamentally different feature types. This approach also suffers from the somewhat undesirable constraint that relatively large training sample sets are often required if acceptable levels of to be achieved. performance are Comprehensive reviews of the whole field of automatic signature verification can be found in [5] and [6]. Although it is then clearly possible to tackle automatic signature verification in a number of different ways, the most common approach adopted is to extract features from the specific two-dimensional signature image (static
Information Security Technical Report, Vol. 3, No. 1
features) and/or execution pattern of signing (dynamic features) and to use quantitative measurements of these features in order to make a comparison with a stored model which has been constructed to reflect the statistical variations in the corresponding measurements taken from known genuine individual signature specimens. Adopting this principle, automatic signature verification then embodies two separate, but highly interdependent, processing stages, as illustrated in Figure 1. First, a potential user of the automated system must enrol by providing a set of valid signature samples (preferably, for obvious practical reasons, the number of samples required should be kept to a minimum). On the basis of these genuine samples, a model is constructed which will encapsulate in some appropriate way the characteristics of an individual signer with respect to the features chosen for signature representation. Subsequently, appropriate processing of a newly presented sample for
53
New Perspectives in Automatic Signature Verification
verification is assessed with likely authenticity by means of statistically based, against the corresponding to the purported
respect to its a comparison, stored model signer.
Errors which occur in a signature verification system are generally categorized as one of two types. A Type I error occurs when a genuine signer is rejected by the system. This might happen because the signer is careless in the execution of the signature sample presented for verification, or sometimes as a result of natural high variability in the signing process. On the other hand, an expert forger might, in principle, be able to produce a sample which is accepted by the system (in relation to the features measured) as genuine, resulting in a Type II error (a false acceptance). A useful and convenient way of viewing the verification process is to characterize it as the evaluation of a discriminant function for a given test sample which can be compared against a threshold value, this comparison resulting in a binary decision which either accepts or rejects a sample as authentic specific or a forgery/imitation. The threshold setting chosen in practice is, therefore, crucial in determining the limits of acceptability to be adopted in a given situation, and will thus define a trade-off between ensuring that the system is resistant to compromise through forgery and the degree to which false rejection of genuine signers occurs.
3. A practical approach to system design The most usual techniques adopted in implementing a signature verification system have rested on the assumption that a universally applicable set of features can be found on which to base a judgement about the acceptability or otherwise of any specific sample presented for verification. However, despite the practical difficulties associated with most alternative viewpoints, it is
54
increasingly being recognized that the search for this principle of universality may be a limiting factor in designing reliable systems. Instead, it may be more productive, particularly in investigating task-specific configurations, to seek ‘locally-optimized’ solutions. One specific implication of this is that individually-derived feature sets may be usefully defined (see, for example [7,8]) but, in broader terms, this approach suggests that a much greater degree of flexibility needs to be incorporated into system designs in general. There are a variety of operational parameters which may be important in characterizing and evaluating a system. For example, the Type I/Type II error rate trade-off characteristics are clearly crucial to an understanding of attainable system performance, but many other factors processing speed, number of training samples required, system cost, security of data, and so on - can be equally influential in determining the viability of a particular system in relation to a specific operating environment. This suggests that an approach to system design which is likely to be particularly productive is one in which a system implementation can be realized from a ‘toolkit’ of modules which, through appropriate selection, interconnection and configuration, can satisfy performance requirements on a localized or task-specific basis. One practical system which conforms exactly to these basic principles of modularity and flexibility is the KAPPA system 191. This is a system which can operate in either online or offline mode, can make independent checks of static and dynamic features of the signature, and can draw on a variety (unlimited in principle) of feature types to drive the verification algorithms. The system is structured in a very flexible and adaptable way, and hence can in principle be used in a variety of application areas which may have widely differing practical requirements.
Information Security Technical Report, Vol. 3, No. 1
New Perspectives in Automatic Signature Verification
4. Task-orientated system optimization Some of the many advantages afforded by the modular task-orientated implementation approach discussed can be illustrated by considering a situation where operational constraints are well established and exploitable in terms of optimizing the system configuration and its performance characteristics.
! !
I
I
i
i
Figure 2: Structure verijka tion sys tern.
of the KAPPA
signature
J
The KAPPA system embodies a number of characteristics of considerable practical significance. The system has a highly modular structure configured as a design toolkit, it can achieve online and offline processing, it can utilize multi-source feature extraction depending on the data capture facilities available, it has the capacity for feature selection, offers many optimization features such as enrolment model validation (see below), and can provide robust and efficient operation in a variety of task domains. An overview of the system structure is shown in Figure 2 which illustrates clearly the high degree of modularity in its implementation. The following sections will describe a number of the more important aspects of this particular system, illustrating some of the advantages of the type of flexible structure specified above.
Information
Security Technical
Report, Vol. 3, No. 1
An obvious example is to consider the problems which arise through the false rejection of genuine signatures, for in many applications a high false rejection rate might make a system unusable in practice. However, there are many applications in which it is possible to disregard false rejections on a ‘single shot’ basis by allowing the possibility of what might be called a ‘re-try’ facility. Thus, the signer might be allowed, say, three attempts to generate an acceptable signature sample before rejection is confirmed, and this strategy provides a simple but effective mechanism for significantly reducing the overall false rejection rate at the system level without the necessity of compromising the reliability of the system with respect to its ability to identify forgery attempts. Even a simple strategy such as this has been found to offer significant performance benefits and, coupled with other measures such as those described below, can facilitate an extremely effective system implementation suitable for many applications. Indeed, exactly this kind of procedure is already adopted in many practical systems in current use, such as the ubiquitous PIN-controlled ATM cash dispensers. One of the particularly interesting and important modules available in the KAPPA system is an enrolment validation module. This provides a means of significantly reducing the extent to which errors occur as a result of adopting a signature model which is
55
New Perspectives
in Automatic
Signature Verification
unrepresentative of the true variability of the signature characteristics of an individual signer. The requirement in most practical situations that the model adopted is constructed from a small number of signature samples means that a mechanism for seeking an effective representation of the signature model is a particularly important element in optimizing an overall implementation with respect to a given task domain. The precise role and benefits of this type of signature model monitoring can be illustrated by considering a process in which a signature model is constructed on the basis of a fixed small number of donated samples, but which allows the acquisition of additional samples to refine or adjust an individual reference model if its initial formulation is shown by the validation procedure to be unsatisfactory. For example, an experiment has been carried out in an online verification system where up to 10 donated samples are allowed for construction of an individual signature model, but where five samples only are utilized in a first pass, further samples being requested only where the validation process indicates failure to construct a suitable reference model. The results obtained are illustrated in Figure 3. Starting with an enrolment set based on just five donated samples, it is seen that a very unsatisfactory performance characteristic emerges, where around 30% of enrolees would have subsequent test signatures processed with an inappropriate reference model, thereby seriously impairing the overall system performance attainable. Allowing further samples (up to a maximum of 10 here) to be added where necessary, however, achieves a situation where only around 6% of enrolees would then fail to enrol with a satisfactory signature model. Testing this system with a large database generated during public trials (which generated more than 8000 signature samples
56
I-
6
7
6
9
~.__
Number of Training Samples
Figure 3: Effect of number of training samples on enrolment validation in an online verification process. in all [lo]) demonstrated that using a fixed enrolment sequence of five samples per enrolee resulted in a false rejection rate as high as almost 20%, while allowing up to 10 samples per enrolee using the model validation mechanism reduced this to around 6.9%. Adding to the system a mechanism whereby individuals who still failed to enrol satisfactorily after donating 10 samples were excluded from the system, then the error rate was reduced further to 1.8%. This figure could be reduced to less than 1% when a re-try facility, as discussed above, was added. The concept of enrolment validation is also applicable in cases where offline signature processing is required, and an example of its use in such circumstances allows the consideration of an alternative protocol for model construction. Automatic signature verification using only static (offline) information is inherently more difficult in principle than is the case when dynamic information is also available. Static features, by their very nature, provide a much less information-rich source of verification evidence on which the processor can operate, while in most situations where static processing is demanded the number of signature samples which are available is generally limited by the nature of the specific
Information Security Technical Report, Vol. 3, No. 1
New Perspectives in Automatic Signature Verification
task. However, the principle of enrolment validation can in most tasks still be applied, and can provide an improvement in the performance profile of an overall system. As an example to illustrate this, a procedure has been defined to evaluate a set of signature samples, rejecting those which degrade the current reference model. In a series of experiments reference models were constructed from a pool of 15 candidate samples per signer for a group of around 250 enrolees on the basis of selecting the best n out of m samples. System performance was then measured using the so-called equal error rate measure (the value of the system error at which Type I and Type II error rates are equal). Figures 4 and 5 illustrate the test results obtained, plotting equal error rate performance against the total number of samples used in constructing the reference signature model. Figure 4 represents the performance of the system when enrolment is not validated, while Figure 5 shows the corresponding performance when validation is applied. It is apparent that the verification performance achievable is limited when only static features are available for the verification processing,
45
I
I
I
I
6
5
10
I
I
12
14
40 $I
35
d
30
b t W
25
z
20
z W s
15 10
2
4
Numbu of Signature5 in Rehnnu
Model
Figure 5: Equal error rate performance (enrolment validated). the introduction of an enrolment validation procedure is effective even here in considerably improving the error rates delivered by the system. The results also point clearly to the real difficulties of working with a small number of signature samples for enrolment, and it can be seen that typically at least 8-10 valid samples per enrolee are required in order to achieve a reasonable degree of stability in performance. yet
The availability of options such as these, all of which can be incorporated where a particular operational environment permits this, can be most valuable in achieving task-related optimized performance, and it is clear that the inherent modular design structure proposed here is instrumental in facilitating this high degree of flexibility and system tunability. 5. Conclusions
0
2
I
I
I
I
I
4
6
*
10
12
14
Number of Signatures in Refemnce Model
Figure 4: Equal error rate performance (enrolment not valida ted).
Information
Security Technical
Report, Vol. 3, No. 1
The long history of automatic signature verification is well-known, yet relatively few successful commercial systems have emerged over the years. While the many advantages associated with the use of the handwritten signature as a biometric for identification/ verification purposes are abundantly clear, it is also true to say that the performance
57
New Perspectives in Automatic Signature Verification
actually delivered by many proposed systems has not been able to achieve the levels required for practical viability in many applications. This paper has addressed a number of key issues which might be particularly influential in promoting the further exploitation of signature verification technology in practice. A key factor here is the requirement to ensure a careful match between the characteristics of a specific task domain and the precise configuration which is implemented by judicious selection from the operational elements which the technology can in principle supply. In seeking to achieve this, a system architecture has been developed which offers a toolkit for a system designer to facilitate this type of very flexible and taskorientated optimization. Of course, a principal avenue to pursue in attempting to improve further the attainable levels of performance in this type of system relates to efforts to develop and refine the basic verification algorithms themselves, but work in this area is likely to achieve at best only small incremental improvements in the foreseeable future. In any case, the performance of any system is necessarily limited by the nature of the underlying statistical properties of the signature data to be processed. It is clear, however, that an examination of other operational factors can lead to productive approaches for improving achievable performance, and that a clear understanding of the limitations and constraints of a particular operational environment can be instrumental in maximizing the benefits afforded by technological solutions. Overall then, there are certainly many positive messages for those who believe that practical biometric testing still has much to offer, even in the short term. One of these is that the
58
modular approach advocated here should allow the introduction of more reliable products, particularly in relation to many smaller-scale localized application areas. This is especially true of automatic signature verification, a biometric technique which can offer significant benefits at the technological level without the need completely to reeducate a possibly sceptical user community to new and potentially alarming modes of social behaviour, and practical success for signature verification technology may still be a goal which can be achieved even with the technology which is currently available.
6. References processing for biometric [l]Image measurement, IEE Colloquium Digest Ref: 1994/200,1994. [2]Lee, S. and Pan, J.C., Offline tracing and representation of signatures, IEEE Trans., SMC-22,7X%-771,1992. [3]Plamondon, R., A model-based dynamic signature verification system, Conf. on Fundamentals in Handwriting Recognition, Chateau de Bonas, France, 1993, pp. 75-93. [4]Drouhard, J.P., Off-line signature verification using directional PDF and neural networks, Proc. 11 th ICPR, 1992, pp. 321-325. [5]Plamondon, R. and Lorette, G., Automatic signature verification - the state of the art, Pattern Recognition, 22,1989, pp. 107-131. [6]Leclerc, F. and Plamondon, R., Automatic signature verification - the state of the art 1989-1993, ht. J. Pattern Recog. Artif: Intell., 8, 1994, pp. 643-659. [7]Fairhurst, M.C., Brittan, I?. and Cowley, K.D., Parallel realisation of feature selection for a high performance signature verification
Information
Security Technical
Report, Vol. 3, No. 1
New Perspectives
system”, 974-982.
Proc. PACTA, Barcelona,
1992, pp.
[B]Brittan, I? and Fairhurst, M.C., An approach to handwritten signature verification using a high performance parallel architecture, In Impedovo, S. and Simon, J.C. (Eds.): From pixels tofeatures III (Elsevier), 1992, pp. 385390. [9]Fairhurst, M.C., Automatic signature verification: making it work, Proc. Zst IEE European Workshop on Handwriting Analysis and Recognition, Brussels, 1994.
Information Security Technical Report, Vol. 3, No. 1
in Automatic Signature Verification
[lO]KAPPA signature verification public trials and public survey on biometrics, Available from BTG plc, 101, Fleet Place, London, EC4M 7SB.
Acknowledgement This paper is based on an article which appeared in the Electronics & Communication Engineering Journal (December 1997, pp. 273280), published by the Institution of Electrical Engineers, to whom the author is grateful for cooperation in respect of the material which has been reproduced.
59