CAPTCHA Systems Research Articles

MCaptcha: Replacing Captchas with Rate Limiters to Improve Security and Accessibility

Dek: To counter the threat of AI-powered bots, captcha systems are growing increasingly complex, often sacrificing usability and accessibility. Can mCaptcha, a proof-of-work captcha system, effectively address these issues?

Adversarial Captcha

CAPTCHAs, tests to separate humans from machines, serve as a method to verify whether an interaction is being performed by a human or a computer, were developed in reaction to the vulnerability of computer networks to intrusions by programmers using bots and computer attack programs. The most popular Captcha scheme is the Text Captcha because of how simple it is to create and use. However, the presumed security of Captchas has been undermined by hackers and programmers, making websites open to attack.Given that attack speeds are generally moderate, usually ranging from two to five seconds per image and that this is not a serious worry, text captchas are nevertheless extensively utilized. This study proposes a novel image-based Captcha called Style Area Captcha (SACaptcha), which is built on deep learning techniques, pixel-level segmentation, and semantic data understanding.The proposed SACaptcha emphasises using deep learning to create neural networks neural networks image-based Captchas. Acquiring methods to enhance security and captcha systems are all covered in this paper.It compares the proving that text-based Captchas are insecure. Key words: deep, text-based, security, and captcha Convolutional image-based learning

Machine Learning Defenses: Exploring the integration of machine learning techniques within CAPTCHA systems to dynamically adjust challenge difficulty and thwart adversarial attacks

The utilization of machine learning (ML) techniques within CAPTCHA systems represents a significant advancement in cybersecurity, offering dynamic adaptability to thwart evolving adversarial attacks. This research delves into the integration of ML defenses within CAPTCHA frameworks, focusing on their efficacy in adjusting challenge difficulty dynamically to counter sophisticated attacks. By leveraging ML algorithms, CAPTCHA systems can analyze user behavior patterns and adaptively tailor challenges to deter automated bots while ensuring user accessibility and engagement. This paper aims to provide a comprehensive investigation into the design, implementation, and evaluation of ML-based CAPTCHA defenses. It explores various ML approaches, including supervised learning, reinforcement learning, and deep learning, in dynamically adjusting challenge complexity based on user interactions and environmental factors. Furthermore, the study delves into the assessment of ML-driven CAPTCHA systems' resilience against adversarial attacks, such as machine learning-based algorithms, optical character recognition (OCR) techniques, and adversarial image manipulation. Through empirical analysis and experimentation, this research endeavors to elucidate the effectiveness and limitations of ML-based CAPTCHA defenses in real-world scenarios. By elucidating the intricacies of integrating ML techniques within CAPTCHA systems, this paper seeks to contribute valuable insights to the field of cybersecurity, offering guidance for the development of robust and adaptive CAPTCHA mechanisms capable of mitigating emerging threats in the digital landscape.

Next-Generation Captcha: Enhancing Security Through Hand Gestures and Gaming

Abstract: In the digital age, the threat of automated attacks on online platforms continues to evolve, necessitating innovative approaches to ensure cybersecurity. Traditional text-based CAPTCHA systems are becoming increasingly vulnerable to sophisticated attacks, prompting the exploration of alternative solutions. This research proposes a novel approach to enhance online security through the integration of hand gestures and gaming elements into CAPTCHA mechanisms. By leveraging the unique biometric characteristics of hand gestures and the engaging nature of gaming, this next-generation CAPTCHA system aims to provide robust protection against automated bots while ensuring a user-friendly experience. The study explores the design, implementation, and evaluation of this hybrid CAPTCHA solution, assessing its effectiveness in mitigating various challenges associated with existing CAPTCHA methods. Through empirical analysis and user feedback, the research aims to demonstrate the feasibility and efficacy of incorporating hand gestures and gaming into CAPTCHA systems to enhance security and usability in online environments.

Breaking Captcha System with Minimal Exertion through Deep Learning: Real-time Risk Assessment on Indian Government Websites

Captchas are used to prevent computer bots from launching spam attacks and automatically extracting data available in the websites. The government websites mostly contain sensitive data related to citizens and assets of the country, and the vulnerability to its captcha systems raises a major security challenge. The proposed work focuses on the real-time captcha systems used by the government websites of India and identifies the risks level. To effectively analyze its captcha security, we concentrate on the problem from an attacker’s perspective. From the viewpoint of an attacker, building an effective solver to breach the captcha security system from scratch with limited feature engineering knowledge of text and image processing is a challenge. Neural network models are useful in automated feature extraction, and a simple model can be trained with a minimum number of manually annotated real captchas. Along with popular text captchas , government websites of India use text instructions –based captchas. We analyze an effective neural network pipeline for solving text captchas. The text instructions captchas are relatively new, and the work provides novel end-to-end neural network architectures to break different types of text instructions captchas . The proposed models achieve more than 80% accuracy and on a desktop GPU has a maximum inference speed of 1.063 seconds . The study comes up with an ecosystem and procedure to rate the overall risk of a captcha system used on a website. We observe that concerning the importance of available information on these government websites, the effort required to solve the captcha systems by an attacker is alarming.

A secure annuli CAPTCHA system

Many websites and applications rely on CAPTCHA for protection from bot attacks. Otherwise, users and businesses will be exposed to risks. Although several different CAPTCHA systems have been proposed, the development of deep learning algorithms allows attackers to create more efficient and accurate attack methods. Many studies have shown that existing CAPTCHA systems are no longer safe, especially text-based CAPTCHA. To resolve this issue, a simple, secure, and effective annuli CAPTCHA system is proposed in this paper. In the proposed system, the annuli CAPTCHA image containing the overlapping of circles and ovals is randomly generated. The user wishing to gain access to the system is required to answer correctly the total number of circles and ovals in the image to prove that he/she is not a bot. The security of our proposed CAPTCHA system is verified by three attack methods. Additionally, the usability survey of our CAPTCHA system conducted by anonymous questionnaires shows that our system is user friendly. In other words, the proposed system maintains a high level of usability under the premise of high security. Compared with the existing CAPTCHA system, our CAPTCHA system is significantly better in terms of security, usability and ease of implementation.

BeCAPTCHA-Mouse: Synthetic mouse trajectories and improved bot detection

We first study the suitability of behavioral biometrics to distinguish between computers and humans, commonly named as bot detection. We then present BeCAPTCHA-Mouse, a bot detector based on: i) a neuromotor model of mouse dynamics to obtain a novel feature set for the classification of human and bot samples; and ii) a learning framework involving real and synthetically generated mouse trajectories. We propose two new mouse trajectory synthesis methods for generating realistic data: a) a function-based method based on heuristic functions, and b) a data-driven method based on Generative Adversarial Networks (GANs) in which a Generator synthesizes human-like trajectories from a Gaussian noise input. Experiments are conducted on a new testbed also introduced here and available in GitHub: BeCAPTCHA-Mouse Benchmark; useful for research in bot detection and other mouse-based HCI applications. Our benchmark data consists of 15,000 mouse trajectories including real data from 58 users and bot data with various levels of realism. Our experiments show that BeCAPTCHA-Mouse is able to detect bot trajectories of high realism with 93% of accuracy in average using only one mouse trajectory. When our approach is fused with state-of-the-art mouse dynamic features, the bot detection accuracy increases relatively by more than 36%, proving that mouse-based bot detection is a fast, easy, and reliable tool to complement traditional CAPTCHA systems.

A Novel Animated CAPTCHA Technique based on Persistence of Vision

Image-based CAPTCHA challenges have been successfully used to distinguish between humans and bots for a long time. However, image-based CAPTCHA techniques are constantly broken by hackers, forcing web developers to implement more robust security features and new approaches in CAPTCHA images. Modern-day bots can use many techniques and technologies to break CAPTCHA images automatically. These techniques include OCR, Segmentation, erosion, threshold, flood fill, etc. This led to innovative CAPTCHA systems, including those based on drag and drop, image recognition, fingerprint, mathematical problems, etc. Animated image CAPTCHAs have also been designed to show moving characters and objects and require users to recognize the characters or objects in the animation. Unfortunately, these CAPTCHA systems have also been broken successfully. This research proposes a novel animated CAPTCHA technique based on the persistence of vision, which shows text characters in multiple layers in an animated image. The proposed CAPTCHA technique has been implemented in PHP using GD library functions and tested using various popular CAPTCHA breaking tools. Further, the proposed CAPTCHA challenge has also been tested against the frame separation based breaking technique. The security analysis and usability study have demonstrated user-friendliness, vast accessibility, and robustness.

SECURITY AND PRIVACY METHODS IN DISTRIBUTED SYSTEMS.

Rapid technological developments and distributed systems have found their most significant expression in the field of communication and dissemination of information. This mass spread of communications through distributed systems such as: internet, intranet, web services, etc., has been influenced by a number of advantages that they present, which have to do with the ease, speed of communication, the ability to communicate in real time between two or more subjects that are located at great distances from each other, etc. Increasing use of computers, computer systems, and distributed systems has increased the potential risk of damage or misuse of data and computer systems. The dangers that exist are many where some are with minor consequences and some with major consequences, such as: viruses that delete or modify data in systems, gain access to personal computers and use them to attack others, theft of credentials or credit card data, etc. Unfortunately 100% security in a distributed system does not exist despite the measures that can be taken, but taking some security measures minimizes the risk. While in institutions and private companies the protection measures are greater due to the organization, technical structures or investments made for security systems, etc. and thus ensuring a certain level of security, ordinary citizens or users are the ones who are most exposed and must show personal care in their protection. Therefore, they should have basic knowledge about the methods of its preservation. In this paper, we first study the features and types of distributed systems, security methods through CAPTCHA systems, cryptography, firewalls, etc; DS access channels. As a conclusion, it is intended to build a program in Java, with NetBeans IDE environment that enables the encryption (encoding) of a file with the help of the symmetric encryption algorithm TEA, in this case the encryption of an image, its decryption and display after decryption. Keyword : encryption algorithm, security, IOT DOI: 10.7176/CTI/10-07 Publication date: December 31 st 2020

Semi-supervised deep learning approach to break common CAPTCHAs

Manual data annotation is a time consuming activity. A novel strategy for automatic training of the CAPTCHA breaking system with no manual dataset creation is presented in this paper. We demonstrate the feasibility of the attack against a text-based CAPTCHA scheme utilizing similar network infrastructure used for Denial of Service attacks. The main goal of our research is to present a possible vulnerability in CAPTCHA systems when combining the brute-force attack with transfer learning. The classification step utilizes a simple convolutional neural network with 15 layers. Training stage uses automatically prepared dataset created without any human intervention and transfer learning for fine-tuning the deep neural network classifier. The designed system for breaking text-based CAPTCHAs achieved 80% classification accuracy after 6 fine-tuning steps for a 5 digit text-based CAPTCHA system. The results presented in this paper suggest, that even the simple attack with a large number of attacking computers can be an effective alternative to current CAPTCHA breaking systems.

SenCAPTCHA

CAPTCHAs are used to distinguish between human- and computer-generated (i.e., bot) online traffic. As there is an ever-increasing amount of online traffic from mobile devices, it is necessary to design CAPTCHAs that work well on mobile devices. In this paper, we present SenCAPTCHA, a mobile-first CAPTCHA that leverages the device's orientation sensors. SenCAPTCHA works by showing users an image of an animal and asking them to tilt their device to guide a red ball into the center of that animal's eye. SenCAPTCHA is especially useful for devices with small screen sizes (e.g., smartphones, smartwatches). In this paper, we describe the design of SenCAPTCHA and demonstrate that it is resilient to various machine learning based attacks. We also report on two usability studies of SenCAPTCHA involving a total of 472 participants; our results show that SenCAPTCHA is viewed as an "enjoyable" CAPTCHA and that it is preferred by over half of the participants to other existing CAPTCHA systems.

Development of a system for graphic captcha systems recognition using competing cellular automata

Peculiarities of the use of competing cellular automata for problems of recognition of complex captcha systems have been explored. For this purpose, the concept of competing cellular automata has been introduced and a mathematical model of their functioning and interaction has been developed. The mathematical model of competing cellular automata based on the set theory has been described to specify moving cellular automata, which shift to the neighboring states of characters and implement their transition rules in such a way. Based on this mathematical model, a recognition system for captcha images implemented in the code by means of JavaFX 2.0 technology has been developed, which allowed reaching the crossplatformness and correct functioning on different operating systems. The libraries of cellular automata have been developed for the English language. Each symbol of the alphabet is represented in the form of a state system, which is aligned with a cellular automaton with states describing the given symbol. We used Java programming language for development and OpenCV library for the ability to handle images which allowed us to achieve high-quality recognition results. The architecture of the developed system of recognition of complex captcha images in the form of diagrams of classes of the main blocks with detailed descriptions of each class has been considered. Computer experiments have been carried out with different sets of distorted characters used in actual captcha systems and recognition quality indices of the developed software obtained. It has been shown that the probability of obtaining the correct result of captcha image recognition exceeds 80 % with a degree of deformation of characters up to 20 %. With a degree of deformation of characters over 30 %, there is a high probability of false character recognition. The advantages of the method of text character recognition based on competing cellular automata include simplicity of rules of engagement, ability to parallelize the process of recognition easily, capability of recognition of distorted and partially overlapping characters that are the basis of modern captcha systems

Design of Accented Character-based CAPTCHA with Usability Test for Online Transactions

Websites serve as the primary interface on the Internet for transactions such as subscription, downloads, database access and storage. Websites are however, sources of security breaches to information systems that are attached to them. Several techniques have been developed to provide security on websites such as secured socket layer (ssl) and CAPTCHA systems. CAPTCHA is an authentication system for verifying human identity during online transactions. Text, mathematical operations, images and audio have been used to develop CAPTCHA systems. The basis of each system has been limited thus leading to successful attacks and compromised systems. In this work, the aim is to integrate accented characters into the CAPTCHA code generation mechanism and test the usability of the developed system on a website. The results indicate successful generation and user acceptability.

Privacy-preserving, user-centric VoIP CAPTCHA challenges

Purpose – This work aims to argue that it is possible to address discrimination issues that naturally arise in contemporary audio CAPTCHA challenges and potentially enhance the effectiveness of audio CAPTCHA systems by adapting the challenges to the user characteristics. Design/methodology/approach – A prototype has been designed, called PrivCAPTCHA, to offer privacy-preserving, user-centric CAPTCHA challenges. Anonymous credential proofs are integrated into the Session Initiation Protocol (SIP) protocol and the approach is evaluated in a real-world Voice over Internet Protocol (VoIP) environment. Findings – The results of this work indicate that it is possible to create VoIP CAPTCHA services offering privacy-preserving, user-centric challenges while maintaining sufficient efficiency. Research limitations/implications – The proposed approach was evaluated through an experimental implementation to demonstrate its feasibility. Additional features, such as appropriate user interfaces and efficiency optimisations, would be useful for a commercial product. Security measures to protect the system from attacks against the SIP protocol would be useful to counteract the effects of the introduced overhead. Future research could investigate the use of this approach on non-audio CAPTCHA services. Practical implications – PrivCAPTCHA is expected to achieve fairer, non-discriminating CAPTCHA services while protecting the user’s privacy. Adoption success relies upon the general need for employment of privacy-preserving practices in electronic interactions. Social implications – This approach is expected to enhance the quality of life of users, who will now receive CAPTCHA challenges closer to their characteristics. This applies especially to users with disabilities. Additionally, as a privacy-preserving service, this approach is expected to increase trust during the use of services that use it. Originality/value – To the best of authors’ knowledge, this is the first comprehensive proposal for privacy-preserving CAPTCHA challenge adaptation. The proposed system aims at providing an improved CAPTCHA service that is more appropriate for and trusted by human users.

OTRCaptcha: A Novel Object and Text Recognition Based Image CAPTCHA

CAPTCHA is an important technology to prevent auto-script attack. Currently most of the CAPTCHA systems are text based, which firstly distort, rotate different characters and then use some obfuscation, aiming to make the text difficult to be recognized by auto- script while still can be learnt easily by real users. However, such kind of CAPTCHA schema either too simple, which can be attacked easily by using optimal character recognition (OCR) or machine learning based technology, or it is too complex that even real users cannot tell it. By observing such contradiction between security and usability, we propose a novel object and text recognition based image CAPTCHA system called OTRCaptcha. In OTRCaptcha, some object images (each has a label) and their names are attached into a background image respectively. In order to pass this CAPTCHA, users have to identify all the object images, labels within those objects and their names. Besides, users also need to identify the semantic relationship between object and its name. Both the theoretical analysis and experiment result show that OTRCapthcha can provide both high security and strong usability.

Labeled-Image CAPTCHA: concept of a secured and universally useful CAPTCHA

Captcha (Completely Automated Public Turing test to tell Computers and Humans Apart) is a widely used online security tool that ensures that a computer program is not posing as a human user. While smart programs with advanced image processing capability have already cracked picture based captcha systems there is a need for making the test harder. This paper presents a design prototype of a simplified type of labeled-image captcha where a picture of a common animal or household item is marked with a number of different labels and the users will be asked to provide the correct label for specific parts of the picture. Due to human’s familiarity with body shapes and part names of such common pictures, they will easily identify a specific organ/parts of the picture. Such labeled-image captcha tests are expected to be very easy for human users regardless of their culture, age, gender, educational background and other discriminations but tough for the bots and automated computer programs.

Human Cognition in Automated Truing Test Design

Nowadays, many services in the internet including Email, search engine, social networking are provided with free of charge due to enormous growth of web users. With the expansion of Web services, denial of service (DoS) attacks by malicious automated programs (e.g., web bots) is becoming a serious problem of web service accounts. A HIP, or Human Interactive Proofs, is a human authentication mechanism that generates and grades tests to determine whether the user is a human or a malicious computer program. Unfortunately, the existing HIPs tried to maximize the difficulty for automated programs to pass tests by increasing distortion or noise. Consequently, it has also become difficult for potential users too. So there is a tradeoff between the usability and robustness in designing HIP tests. In their propose technique the authors tried to balance the readability and security by adding contextual information in the form of natural conversation without reducing the distortion and noise. In the result section, a microscopic large-scale user study was conducted involving 110 users to investigate the actual user views compare to existing state of the art CAPTCHA systems like Google's reCAPTCHA and Microsoft's CAPTCHA in terms of usability and security and found the authors' system capable of deploying largely over internet.

Strengthening CAPTCHA-based Web security

Simple, universally applicable strategies can help any captcha–protected system resist automated attacks and can improve the ability of administrators to detect attacks. The strategies discussed here cause an exponential increase in the difficulty faced by automated attackers, while only increasing the inconvenience for human users in an approximately linear manner. These strategies are characterised using a new metric, the ‘Captcha Improvement Ratio’. The paper concludes that presenting multiple captcha systems together in random order may provide quantitative and qualitative advantages over many typical present–day captcha systems.

Application of the Technology Acceptance Model to OCR-based CAPTCHA systems. Preliminary results

Abstract This research investigates the applicability of F. Davis' Technology Acceptance Model (TAM) to OCR-based CAPTCHAs involved in a free e-mail accounts registration process. The results provide preliminary evidence that the model may be a useful tool for research focused on acceptance of CAPTCHAs. The results are especially interesting when it comes to the concept of perceived usefulness and its direct relationship to the concept of attitude toward use. This relation indicates a new area of research for CAPTCHA developers interested in improving usability and accessibility of these systems.

Usability study of text-based CAPTCHAs

Completely Automatic Public Turing test to tell Computers and Humans Apart, or CAPTCHA, is a security measure that guards a system from exploitation by the discrimination between a real human being and an automated computer program via the method of presenting to the unknown user the challenges that are hard for computer yet easy for human. Focusing on text-based CAPTCHA, this study conducted an experiment to study the effect of age groups and distortion types on the CAPTCHA task. Twenty-four participants were recruited to take part in the experiment, where twelve of them were in the elder group (aged 50–56) and twelve in the young group (aged 23–24). One type with no distortion and five types of common CAPTCHA distortion techniques were considered. The results of non-parametric analysis of the data revealed that the participants of two age groups differed significantly in terms of response time, error rate, and NASA-TLX score. Distortion type had significant effect on response time, error rate, Critical flicker fusion (CFF), and NASA-TLX score. Post-hoc analysis showed that Blot Mask and Line Mask were the hardest CAPTCHAs, while Thread Noise, Global Warp, and Geometry Noise were on a par with Normal Type (no distortion). Dependent variables were also correlated to each other. With the inevitability of the security measure and the increasing population of elder internet users, this study has important implications for the design of CAPTCHA systems.