Elsevier

Computers & Security

Volume 125, February 2023, 103025
A secure annuli CAPTCHA system

https://doi.org/10.1016/j.cose.2022.103025

Abstract

Many websites and applications rely on CAPTCHA for protection from bot attacks. Otherwise, users and businesses will be exposed to risks. Although several different CAPTCHA systems have been proposed, the development of deep learning algorithms allows attackers to create more efficient and accurate attack methods. Many studies have shown that existing CAPTCHA systems are no longer safe, especially text-based CAPTCHA. To resolve this issue, a simple, secure, and effective annuli CAPTCHA system is proposed in this paper. In the proposed system, the annuli CAPTCHA image containing the overlapping of circles and ovals is randomly generated. The user wishing to gain access to the system is required to answer correctly the total number of circles and ovals in the image to prove that he/she is not a bot. The security of our proposed CAPTCHA system is verified by three attack methods. Additionally, the usability survey of our CAPTCHA system conducted by anonymous questionnaires shows that our system is user friendly. In other words, the proposed system maintains a high level of usability under the premise of high security. Compared with the existing CAPTCHA system, our CAPTCHA system is significantly better in terms of security, usability and ease of implementation.

Introduction

Completely Automated Public Turing test to Tell Computers and Humans Apart (CAPTCHA), or Human Interaction Proof (HIP), is a method to identify the user as human before she accesses the website. The CAPTCHA can prevent the website from being attacked by denial of service and protect services against email spam, online voting fraud, etc. There are many different types of CAPTCHAs. Text-based and image-based, called visual CAPTCHAs, are the most frequently used. Audio CAPTCHAs have been created in place of visual CAPTCHAs for blind or visually impaired users (Guerar, Verderame, Migliardi, Palmieri, Merlo, 2021; Sasmal, Ray, Sen, Mukherjee, Bandyopadhyay, 2020; Zhang, Gao, Pei, Luo, Chang, Cheng, 2019).

Currently, most websites utilize text-based CAPTCHA that contains alphanumeric characters and numbers. Text can be placed on a variety of backgrounds with noise (Poornananda Bhat and Naveen Raj, 2020). The widely used text-based CAPTCHA has led to an increasing number of research works. Among them, the security issue of CAPTCHA has been a widely studied topic. There are many ways to successfully attack text-based CAPTCHA (Gao, Tang, Liu, Zhang, Liu, 2017; Gao, Wang, Qi, Wang, Liu, Yan, 2013; Yan, El Ahmad) such as artificial intelligence, network information safety, natural language processing, computer vision, etc. (Xu et al., 2020). These methods pre-process the image, then segment and recognize each single character. However, their success rate cannot reach a certain level, and it takes a lot of time to adapt the code.

In the era of deep learning, the deep neural network model has become more powerful and more efficient. Consequently, different attack methods based on deep learning have been proposed. Hu et al. (2018) proposed a method of identifying CAPTCHA based on the Convolutional Neural Network (CNN) model. Ye et al. (2018) proposed a GAN-based method to generate images that are very similar to the real sample of CAPTCHA image, and then use the generated images to train a CNN which can recognize various common CAPTCHAs. Zi et al. (2020) proposed an end-to-end method based on a CNN and an attention-based recurrent neural network without any segmentation or pre-processing steps, which can break almost all text-based CAPTCHA systems in the world. In addition, there are some research works aiming at other types of CAPTCHA (Mittal, Kaushik, Hashmi, Kumar, 2018; Zhang, Gao, Pei, Kang, Zhou, 2018). This shows that the existing CAPTCHAs are under great threat.

Unfortunately, existing CAPTCHAs have obvious disadvantages, such as lack of security under the attacks of deep learning methods, implementation difficulties, and low usability. To resolve these issues, in this paper we propose an annuli CAPTCHA system that is simple, secure, and effective against attack methods. Our CAPTCHA system utilizes an overlapping of annuli, which consists of circles and ovals. We verified the security of our system using different attack methods. Experimental results demonstrated that our CAPTCHA system can achieve a high level of security without complex security features. A usability survey of our annuli CAPTCHA system was conducted and the results of the survey prove that our system is friendly to users.

To sum up, the contributions of this research are as follows.

  • We present the annuli CAPTCHA system without complex security features which can easily generate a CAPTCHA image on the fly.

  • We verify the performance of our CAPTCHA system by traditional methods, deep learning methods and random guessing. The results of these experiments show that our CAPTCHA system is harder to attack compared with existing CAPTCHA systems.

  • We study the usability of our CAPTCHA system by questionnaire survey. The survey results indicate that the questions in our CAPTCHA system are simple for most people.

  • We identify the “distinguishable region” and verify the simple annuli images generated using the parameters in the “indistinguishable region.” The indistinguishable regions are the positions where two annuli overlap, which makes them difficult for the attack model to recognize.

  • Based on the concept of the “indistinguishable region,” we propose a reliable method to further improve the performance of our CAPTCHA system.

  • Our CAPTCHA system provides new insights, showing that there is still a possibility that it can fight deep learning methods.

The rest of this paper is organized as follows. Section 2 surveys the related work on CAPTCHA. Section 3 describes the object detection techniques applied to verify the performance of our annuli CAPTCHA system. Section 4 shows the design of our annuli CAPTCHA system, identifies the “indistinguishable distance” and proposes a reliable method to improve the performance of the proposed system. Section 5 presents the attack models. Section 6 demonstrates the experimental setup and results. Section 7 provides the questionnaire survey and its results. Section 8 discusses the qualitative study. Finally, Section 9 concludes this paper.

Section snippets

Related work

Moni Naor first proposed the basic concept of CAPTCHA in 1996 and recommended using the Turing test to distinguish human users from bots (Naor, 1996). To date, text-based CAPTCHA is the most widespread CAPTCHA type, which asks users to enter the same text as the one in a given image whose background usually adds security features such as noise, distortion, waving, or overlapping to interfere with deep learning-based bot attacks (Bursztein, Martin, Mitchell, 2011; Zi, Gao, Cheng, Liu, 2020).

Preliminary

This section provides the object detection techniques applied to verify the performance of our proposed system.

Object detection consists of two problems. The first one is to detect the instance of a particular object, called a matching problem. The second one is to detect the instances of some predefined object categories, such as dogs, cats, and humans (Liu et al., 2020). The image-based CAPTCHA falls into the second type of problem for object detection, which focuses on detecting objects of a

System design

The proposed annuli CAPTCHA system is very easy to implement. It first generates an image containing a number of annuli and then asks the user wishing to log in to answer how many annuli are in the image. The user is granted access to the system if the answer is correct. There are two key components in the proposed system. The first one is the annuli generation module, and the second one is the security feature enhancement module. Moreover, we also propose an extra method that improves the

Attack model

In this section, we introduce the attack methods to verify the performance of the proposed annuli CAPTCHA system.

Experimental setup and result

In this section, we introduce the hardware settings, experimental parameters, experimental results of different attack models, and experimental results of the reliable method to improve the level of security.

Usability

In this section, we present the results of the usability survey conducted online. A total of 483 questionnaires were answered. Among them, 476 were valid, and 7 were invalid, in which the answers were very far from the truth.

Overlapping

Overlapping is an important security feature in our proposed annuli CAPTCHA system. We observe that annuli CAPTCHA images with more overlapping are generally more difficult for attack methods to recognize correctly. However, excessive overlapping will cause a decline in usability. Hence, it is important to achieve a balance between security and usability. We utilize different thicknesses and colors to make annuli easier for users to recognize. It has been proven to be effective in usability
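The generate-and-count flow from the System design snippet, with the overlap, thickness and color features described here, sketched as an added example (not the paper's code). The count range, sizes, lifetime, in-memory store and all function names are assumptions; the shape list must be rasterised to a bitmap on the server, since sending the list or vector markup to the client would reveal the count.

```python
import secrets, time

RNG = secrets.SystemRandom()   # CSPRNG, so layouts and counts cannot be predicted
PENDING = {}                   # challenge id -> (count, expiry); server-side only
TTL = 120                      # assumed challenge lifetime in seconds

def overlaps(a, b):
    """Sufficient test: the discs inscribed in both shapes intersect (ry <= rx)."""
    d = ((a["cx"] - b["cx"]) ** 2 + (a["cy"] - b["cy"]) ** 2) ** 0.5
    return d < a["ry"] + b["ry"]

def new_challenge(lo=4, hi=9, size=300, now=None):
    """Return (challenge_id, shapes); shapes go to the server-side rasteriser."""
    count, shapes = RNG.randint(lo, hi), []
    while len(shapes) < count:
        rx = RNG.uniform(30, 60)
        ry = rx if RNG.random() < 0.5 else rx * RNG.uniform(0.5, 0.8)  # circle or oval
        s = {"cx": RNG.uniform(70, size - 70), "cy": RNG.uniform(70, size - 70),
             "rx": rx, "ry": ry, "angle": RNG.randint(0, 179),
             "width": RNG.randint(2, 6), "colour": "#%06x" % RNG.randrange(1 << 24)}
        # Keep a shape only if it overlaps an earlier one (the first is free).
        if not shapes or any(overlaps(s, t) for t in shapes):
            shapes.append(s)
    cid = secrets.token_urlsafe(16)
    PENDING[cid] = (count, (time.time() if now is None else now) + TTL)
    return cid, shapes

def verify(cid, answer, now=None):
    """One attempt per challenge: the entry is removed whether or not it matches."""
    count, expiry = PENDING.pop(cid, (None, 0))
    if count is None or (time.time() if now is None else now) > expiry:
        return False
    try:
        return int(answer) == count
    except (TypeError, ValueError):
        return False

def guess_success(lo, hi, attempts=1):
    """Chance that blind guessing passes when `attempts` tries are allowed."""
    return min(1.0, attempts / (hi - lo + 1))
```

Removing the entry on every attempt is what holds blind guessing at one in the size of the count range; allowing retries on the same image raises it linearly.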

Conclusion

In this paper, we propose a secure annuli CAPTCHA system, which generates an image composed of simple circles and ovals and asks the user to answer the question: “How many circles and ovals are in this image?”. We also set the attack model to simulate attackers using various methods to try to crack the system. The results show that the proposed annuli CAPTCHA system is more secure than the existing CAPTCHA systems. In addition, the anonymous questionnaire survey also proved the high usability

Data Availability

A Secure Annuli CAPTCHA System

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

References (41)

  • Z. Cai et al. Cascade R-CNN: delving into high quality object detection. CVPR (2018)
  • T.-Y. Chan. Using a text-to-speech synthesizer to generate a reverse Turing test. ICTAI (2003)
  • M. Chew et al. Image recognition CAPTCHAs. ISC (2004)
  • Y. Feng et al. SenCAPTCHA: a mobile-first CAPTCHA using orientation sensors. Proc. ACM on Interact. Mob. Wearable Ubiquitous Technol. (2020)
  • H. Gao et al. Annulus: a novel image-based CAPTCHA scheme. 2016 IEEE Region 10 Conference (TENCON) (2016)
  • H. Gao et al. Research on the security of Microsoft’s two-layer CAPTCHA. IEEE Trans. Inf. Forensics Secur. (2017)
  • H. Gao et al. The robustness of hollow CAPTCHAs. CCS (2013)
  • R. Girshick. Fast R-CNN. Proceedings of the IEEE International Conference on Computer Vision (2015)
  • R. Girshick et al. Rich feature hierarchies for accurate object detection and semantic segmentation. Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (2014)
  • Google. reCAPTCHA v2 Google Developer. https://developers.google.com/recaptcha/docs/display. Accessed Jan 14,...
    Jie Zhang is currently a PhD student at the Department of Computer Science and Information Engineering, National Central University, Taiwan. He is interested in graph representation learning.

    Min-Yen Tsai is currently an Engineer at Winynn Technology Corp. He received his master's degree from the Department of Computer Science and Information Engineering, National Central University, Taiwan. He is interested in firmware development and algorithm design.

    Kotcharat Kitchat is a PhD student in the Department of Computer Science and Information Engineering, National Central University, Taiwan. She received the BEng degree with second class honours from Kasetsart University, Thailand in 2015, the MSc degree from Sirindhorn International Institute of Technology, Thammasat University, Thailand in 2019. Her research interests include Computer Vision and Data Analytics.

    Min-Te Sun is a professor in the Department of Computer Science and Information Engineering, National Central University, Taiwan. He received the BSc degree from National Taiwan University, the MSc degree from Indiana University, Bloomington, and the PhD degree in Computer and Information Science from The Ohio State University. His research interests include distributed computing and IoT. He is a member of the IEEE and ACM.

    Kazuya Sakai received his PhD degree in Computer Science and Engineering from The Ohio State University in 2013. He is currently an associate professor at the Department of Electrical Engineering and Computer Science, Tokyo Metropolitan University. His research interests are in the area of information and network security, wireless and mobile computing, and distributed algorithms. He received the IEEE Computer Society Japan Chapter Young Author Award 2016. He is a member of the IEEE and ACM.

    Wei-Shinn Ku received his PhD degree in computer science from the University of Southern California (USC) in 2007. He also obtained both the MS degree in computer science and the MS degree in electrical engineering from USC in 2003 and 2006, respectively. He is a professor with the Department of Computer Science and Software Engineering at Auburn University. His research interests include databases, data science, mobile computing, and cybersecurity. He has published more than 130 research papers in refereed international journals and conference proceedings. He is a senior member of the IEEE and a member of the ACM SIGSPATIAL.

    Thattapon Surasak received his BEng degree in Computer Engineering from Kasetsart University, Nakhon Pathom, Thailand in 2014, MSc degree with distinction in Telecommunications Engineering from the University of Sunderland, Sunderland, the United Kingdom in 2016, and his PhD in Communications Engineering from National Tsing Hua University, Hsinchu, Taiwan, in 2020. Dr. Thattapon Surasak is currently a lecturer at the Department of Computer and Information Science, Faculty of Applied Science, King Mongkut’s University of Technology North Bangkok, Thailand. He was a Senior Team Leader and Acting Director of the IOT and Digital Innovation Institute (VP level), Digital Economy Promotion Agency, Bangkok, Thailand. He was also the full-time lecturer of the Faculty of Information Technology with Thai-Nichi Institute of Technology, Bangkok, Thailand during March to September 2020. From 2017 to 2020, he had been serving as the Head of research laboratory for the Wireless Communications and Information Security (WCIS) Laboratory, National Tsing Hua University, Hsinchu, Taiwan. His research interests include Blockchain-based Applications & Services, Distributed Database Technologies for Blockchain, Data Analytics, Wireless Networks and Network Security.

    Tipajin Thaipisutikul received the master’s degree (Hons.) in the research path from The University of Sydney (USYD), Sydney, NSW, Australia in 2012 and received the Ph.D. degree from the Department of Computer Science and Information Engineering, National Central University, Chung-Li, Taiwan in 2021. She is currently an instructor with the Faculty of Information and Communication Technology (ICT), Mahidol University, Thailand. Her research mainly focuses on machine learning, applied intelligence, data mining, and social network analysis.