Enhancing Security in a Distributed Examination Using Biometrics and Distributed Firewall System

Transcription

1 Enhancing Security in a Distributed Examination Using Biometrics and Distributed Firewall System Moses O. Onyesolu 1, Virginia E. Ejiofor 2, McDonald N. Onyeizu 3, Dan Ugoh 4 1,2,4 Department of Computer Science, Nnamdi Azikiwe University, Awka, Anambra State, Nigeria. 3 MedSoft Technologies Ltd., No. 43, Okigwe Road, Owerri, Imo state, Nigeria. Abstract Online examination is a great opportunity for modern life and has seen exponential growth over the past decade. However, the tools used to present and administer this need to be coupled with efficient and reliable security mechanisms to ensure the medium can be established as a dependable one. Identification, authentication and monitoring of e-exam takers at a distance are of prime importance so that exams are administered by fair means. We proposed a biometric system for identification and distributed firewall techniques to monitor candidates and control network packets of all machines incorporating the traditional username and password for authentication. Keywords Biometric system, distributed firewall, password, fingerprint, e-examination, e-learning. I. INTRODUCTION Information and Communication Technology (ICT) has changed our lives and provided us with a new dimension of thinking and doing things. ICT has had effects in all aspects of human endeavor. The World Wide Web an aspect of ICT is one of the inventions of computer technology which has wide spread in all aspect of life. A new concept which has emerged from World Wide Web is education on the web otherwise known as electronic learning or e-learning [1]. Since the inception of e-learning, there has been a security breach as it poses various threats especially when exams are held electronically (online). Security is one of the challenges of both traditional and online-based examination system. It imposes fear on institutions and test administrators. Institutions and test administrators are wary of administering examinations online. One way to mitigate security breach during online examination is to identify, authenticate and monitor candidates during online examination. This is to ascertain who is exactly pushing the buttons and to ensure that candidates do not receive outside assistance to improve their exam score [2]. II. SECURITY IN ONLINE EXAMINATION One of the main challenges facing the security of e- exams and the e-learning environment is to authenticate students so that no unauthorized individuals are permitted to upload submissions or access information, respectively [3]. Some other problems faced during e-exams are double submissions from the same students [4], and e-exams not being held in supervised locations, which therefore enables the individual to access unauthorized areas, etc [5], [6]. A study by [8] concludes that 73.6% of the students that were selected for the sample have the point of view that it is easier to cheat in an online environment rather than in a conventional one. According to the Center for Academic Integrity [9] cheating on exams has been reported at an alarming range of 74%. Reference [10] reported that 70% of students in their study confessed to cheating on multiple exams. A study by [11] compared faculty members perceptions on various students unethical conducts seriousness. They concluded that students unethical conduct related to exam taking perceived by faculty to be one of the most serious unethical behaviors. Similarly, Dick et al. [12] also noted that 24% their study participants believed that advances on technology have lead to increased cheating. The perceived seriousness of cheating on exams has led numerous academic institutions to reduce their e-learning course offering and in other instances, cease e-learning altogether. In fact, [13] admitted that the inadequate technology has led some academic institutions to cease offering e-learning courses due to concerns over the quality of students assessment and standards. Ramim and Levy [14] discussed a case study of an academic institution that faced a tragic cyber attach to their e-learning environment by an insider intruder. Other scholars have documented related security problems in academic institutions. 65

2 Yu and Tsao [15] discussed security challenges of e- learning environments. However, their exploration focused on shielding the technology infrastructure against unauthorized users. Current security practices in e-learning systems relay principally on the utilization of passwords authentication mechanisms. Similarly, [3] discussed aspects of security in e-learning systems and suggested attention to two layers when securing e-learning systems. The first layer addresses security of the technology infrastructure used to facilitate e-learning (i.e. hardware, networks, etc.) and the second layer addresses the various applications employed in enabling e-learning (i.e. learning management systems, rich media communication tools, etc.). Huang et al [3] criticized existing proprietary e-learning systems for not paying enough attention to the issue of properly authenticating students, in particular during quizzes and exams. Hugl [16] noted numerous security related technologies that are not currently employed in e-learning. One such solution can include biometric technologies that may potentially become an integral part of e-learning systems. Michelle and Yair [17] argued that all computers to be used under exam conditions need to be audited. Computers connected to the Internet are difficult to make secure, and safety issues are particularly important in longer exams. Where examinations are conducted in a laboratory environment it needs to be recognized that computer labs are rarely set up for testing. Meanwhile, for proper implementation of the new system, some security features are put in place during development and design. User validation and fingerprint identification are embedded in the system to improve security. Hence, we propose the following solutions to enhance security of online examination. III. PROPOSED NEW SOLUTION After a comprehensive study of the security challenges of online examination, two new approaches are proposed: (a) use of distributed firewall system to monitor the actions on candidates during examination and (b) fingerprint biometrics solution for e-exam takers identification. A. Distributed Firewall Solution Distributed firewalls are host-resident security software applications that protect the enterprise network's servers and end-user machines against unwanted intrusion. Distributed firewalls that are managed from a central server can help to map corporate security policies to the configuration of workstation firewall systems [7]. They offer the advantage of filtering traffic from both the Internet and the internal network. This enables them to prevent hacking attacks that originate from both the Internet and the internal network. This is important because the most costly and destructive attacks still originate from within the organization. They are like personal firewalls except they offer several important advantages like central management, logging, and in some cases, access-control granularity. These features are necessary to implement corporate security policies in larger enterprises. In distributed firewalls, security policy is defined centrally but enforced at each individual network endpoint (hosts, routers, etc.). The system propagates the central policy to all endpoints. Policy distribution may take various forms. For example, it may be pushed directly to the end systems that have to enforce it, or it may be provided to the users in the form of credentials that they use when trying to communicate with the hosts or it may be a combination of both [18]. Figure 6 explains how distributed system will be implemented. The benefits/advantages of firewall includes: 1. Firewall protects hosts that are not within a topology boundary - topology independence 2. Firewall provides protection against internal attacks 3. Firewall helps to eliminate single point of failure 4. They secure remote end-user machines. 5. They secure critical servers on the network preventing intrusion by malicious code and "jailing" other such code by not letting the protected server be used as a launch pad for expanded attacks. B. Biometric Solutions Biometric is the application of computational methods to biological features, especially with regard to the study of unique biological characteristics of humans. Such unique biological characteristics relies on individual human identities such as DNA, voice, retinal and iris, fingerprints, facial images, hand prints, or other unique biological characteristics [19]. It is a method of identification that has been growing in popularity. These characteristics are identified using biometric devices. A biometric device is technological device that utilizes an individual s unique physical or behavioral characteristic to identify and authenticate the individual precisely [20]. Essentially, biometric technologies operate by scanning a biological characteristic and matching it with the stored data. Reference [21] noted that a biometric system is essentially a pattern recognition system that makes a personal identification by establishing the authenticity of a specific physiological or behavioral characteristic possessed by the user. 66

3 Coventry, De Angeli and Johnson [22] discussed the usability aspect of authentication systems and noted that it is a tradeoff between usability, memorability and security. They opined that in order to increase biometric security, traditional PINs and password authentication methods are inevitable by increasing the length of the password and PIN, ensuring they do not form meaningful words and ensuring all are different, makes them more difficult to remember [12], [19], [20] and [21]. Coventry et al [22] maintained that most biometric systems include a digital identifier, a template and a recognition algorithm and they follow similar matching processes. However, they maintained that biometric systems can be separated into physiological biometric (i.e. finger, iris) as well as behavioural biometric (i.e. voice, key board typing behaviour). Biometric systems performance can be assessed by employing statistical methods in which accuracy is calculated. Although biometric systems are relatively reliable, reference [22] asserted that system malfunction stems from users lack of establishing the biometric during the initial stage as well as potential interruptions during transmission of the biometric image in the validation process. Subsequently, they concluded that although the trade off between security and usability aspects remains, biometric systems can facilitate automatic verification for public environments. Pons [20] maintained that fingerprints biometric scans are the most commonly used biometric solution as they are less expensive compared with other biometric solutions. A fingerprint is a unique pattern of ridges and furrows on the surface of a fingertip, the formation of which is determined during the fetal period. Fingerprints are unique for each individual, where even identical twins have different fingerprints [21]. Several scholars documented the increase popularity of fingerprint biometric-based systems and their decline in costs [21] and [22]. For example, Joint Admission and Matriculation Board (JAMB) currently use biometric devices to authenticate their candidates by capturing candidates fingerprints before checking in for examination. Furthermore, Williams [23] pointed out that fingerprints have been universally acceptable in the legal system worldwide. Fingerprints are a permanent attribute unique to an individual. Fingerprints can be scanned, transmitted and matched with the aid of a simple device. McGinity [24] pointed out that biometric have been commonly employed in replacing conventional password systems. Biometric devices enable portable scanning and rapid identification. Thus, finger biometric can be a suitable solution for rapid authentication of users. 67 Using a portable device, users can scan their fingerprints and send a print image via the Internet to the University s network. The network will consist of an authentication server that will house a database of students fingerprints images. The server will then process the matching of the transmitted print image with a stored copy of the fingerprint (called template ). Following that, the server will generate a matching result. Thus, McGinity [24] predicted that fingerprints based biometric would become a household activity in the near future. Yang and Verbauwhede [25] proposed a secured technique for matching fingerprints in a biometric system. They argued that biometric systems enhance security far more than the current systems. Biometric systems are more accurate as well as simpler to operate compared with passwords systems. They described a fingerprint based biometric system in which the fingerprint template is kept in a server during initiation. Upon scanning the finger, an input device scans a biometric signal and transmits it to a server where it is processed for matching. In an effort to shield the system against security compromises, they recommended processing the matching of fingerprints images in an embedded device rather than the server and only transmitting the results to the servers. Furthermore, they suggested encrypting the fingerprint template prior to storing it on the server. Fingerprints templates can be decrypted whenever a matching process occurs. They also provided additional solutions useful for building up multiple layers of security in fingerprint based biometric systems. A number of affordable and widely available biometric devices that read fingerprints and plug into USB ports are shown in Figures 2, 3, 4 and 5. Figure 1: Fingerprint enabled mouse Figure 2: Fingerprint enabled keypad

4 Biometric Device(s) Fingerprint Preprocessing Figure 3: Fingerprint enabled keyboard e-exam Biometric Figure 5: Enrollment Process Figure 4: Fingerprint Enable USB device C. Proposed Enrolment Method The first process in any biometric recognition system is enrolment, whereby all students who are supposed to appear for the e-exam will have to enroll their fingerprints so that they are stored in the relevant e-learning server database and biometric server database [26]. All the fingerprint scans will be saved in an encrypted form to avoid any modifications. When the client initiates the e- exam, the intelligent agent assigns the student ID with an IP address so that the student cannot log-in from any other PC [4]. The intelligent agent will then start extracting the fingerprint scans from the hardware devices we mentioned above at every second. The advantages of the proposed biometric enrollment method include: The interval at which the fingerprints will be scanned is one second, which ensures that no other individual can take the exam on another student s behalf. The scanned fingerprints will be saved in the two databases in an encrypted form to mitigate attacks from intruders. IV. GENERAL EXAMINATION PROCESS The architecture of the general examination process is presented (Figure 6), starting from identification (using biometric device(s)), authentication (using traditional username and password system) and monitoring (using distributed firewall system). The general examination process is presented Figure 6. The Test Manager who acts as the administrator uploads the system and distributes it among the clients (candidates) machines across the institution intranet. 68

5 Controlled Clients with biometrics International Journal of Emerging Technology and Advanced Engineering Candidates are then identified with biometric system by verifying their fingerprints with those earlier captured during enrolment. After successful identification, they now log in with their Username and Password (for authentication) which are assigned to them after identification. After successful authentication, the system captures the Username and Client Machine s IP address to enable the Test manager monitor them through distributed firewall system. Test Manager e-exam Distributed Firewall SSL Institution Intranet Figure 6: General Examination Process V. CONCLUSION We have discussed the concept of biometrics and distributed firewall and their usage in enhancing security in online examination system and presented architecture for enhancing security in a distributed examination system using biometrics and distributed firewall system. Under this scheme, identification and network security policy specification remain under the control of the network/test administrator. Since security system will be strengthened using these two approaches, various shortcomings of using one approach will be overcome. Therefore, security will no longer be dependent on identifying the candidates who are to take the exam. Candidates machines will be monitored through the use of distributed firewall and communications to external world/machines are restricted. A B C Biometric 69 With distributed firewall, insiders (candidates workstation) may no longer be treated as unconditionally trusted. Flow of data and network compartmentalization will become significantly easier. REFERENCES [1] Takahashi, Y., Abiko, T. and Negishi, E An Ontology-based System for Network Security, IEEE, [2] Onyeizu, M. N. and Ejiofor, V. E Distributed Architecture for Post UTME Assessment, Unpublished Masters Theses, Nnamdi Azikiwe University, Awka, Nigeria. [3] Huang, W., Yen, D. C., Lin, Z. X. and Huang, J. H How to compete in a global education market effectively: A conceptual framework for designing a next generation eeducation system, Journal of Global Information Management, 12(2), [4] Apampa, K. M., Wills, G. B., Argles, D. and Marais, E Electronic Integrity Issues in E-assessment Security. [5] Marais, E. and Argles, D Security issues specific to E- assessments, 8th Annual Conference on WWW Applications, Conference proceedings, Bloemfontein, South Africa. [6] IS Blackboard team, Online Assessment, Aberystwyth Learning and Teaching Online, [7] Ernst-Georg, H., Uwe, R., Andreas, H., Thomas, E., and Christoph, M Managing Distributed Personal Firewalls with Smart Data s. Institute of Telematics Trier, Germany [8] King, C. G, Guyette, R. W. and Piotrowski, C Online exams and cheating: An empirical analysis of business students views, The Journal of Educators Online, 6(1). df [9] Center for Academic Integrity Retrieved September 12, 2006, from [10] McCabe, D. L., and Trevino, L. K What we know about cheating in college. Change, 28(1), [11] Pincus, H. S., and Schmelkin, L. P Faculty perceptions of academic dishonesty: A multidimensional scaling analysis. Journal of Higher Education, 74, [12] Dick, M., Sheard, J., Bareiss, C., Carter, J., Joyce, D., Harding, T., and Laxer, C ACM SIGCSE bulletin working group, 35(2), [13] King, C. G, Guyette, R. W. and Piotrowski, C Online exams and cheating: An empirical analysis of business students views, The Journal of Educators Online, 6(1). [14] Ramim, M. and Levy, Y Securing e-learning systems: A case of insider cyber attacks and novice IT management in a small university. Journal of Cases on Information Technology, 8(4), [15] Yu, C. and Tsao, C. C Web teaching: Design, security, and legal issues. Delta Pi Epsilon Journal, 45(3), [16] Hugl, U Tech-developments and possible influences on learning processes and functioning in the future. Journal of American Academy of Business, 6(2), [17] Michelle M. R. and Yair L Towards a Framework of Biometric Exam Authentication in E-Learning Environments. Idea Group Inc. [18] Sotiris Ioannidis, Angelos D. Keromytis, Steve M. Bellovin, and Jonathan M. Smith, Implementing a Distributed Firewall:

6 [19] Tabitha J., Pirim, T., Boswell, K., Reithel, B. and Barkhi, R Determining the intention to use biometric devices: An application and extension of the technology acceptance model. Journal of Organizational and End User Computing, 18(3), [20] Pons, A. P Biometric marketing: Targeting the online consumer. Communications of the ACM, 49(8), [21] Jain, A., Hong, L. and Pankanti, S Biometric identification. Communications of the ACM, 43(2), [22] Coventry, L., De Angeli, A., and Johnson, G Usability of large scale public systems: Usability and biometric verification at the ATM interface. Proceedings of the Conference on Human Factors in Computing Systems. Florida, USA, [23] Williams, J. M New security paradigms. Proceedings of the 2002 Workshop on New Security Paradigms, Virginia Beach, Virginia, [24] McGinity, M Staying connected: Let your fingers do the talking. Communications of the ACM, 48(1), [25] Yang, S. and Verbauwhede, I. M A secure fingerprint matching technique. Proceedings of the 2003 ACM SIGMM workshop on Biometrics methods and applications, California, USA [26] Alotaibi, S Using Biometrics Authentication via Fingerprint Recognition in E-exams in E-Learning Environment. In: The 4th Saudi International Conference, July 2010, The University of Manchester, UK 70