A secure annuli CAPTCHA system
Introduction
Completely Automated Public Turing test to Tell Computers and Humans Apart (CAPTCHA), or Human Interaction Proof (HIP), is a method to identify the user as human before she accesses the website. The CAPTCHA can prevent the website from being attacked by denial of service and protect services against email spam, online voting fraud, etc. There are many different types of CAPTCHAs. Text-based and image-based, called visual CAPTCHAs, are the most frequently used. Audio CAPTCHAs have been created in place of visual CAPTCHAs for blind or visually impaired users (Guerar, Verderame, Migliardi, Palmieri, Merlo, 2021, Sasmal, Ray, Sen, Mukherjee, Bandyopadhyay, 2020, Zhang, Gao, Pei, Luo, Chang, Cheng, 2019).
Currently, most websites use text-based CAPTCHAs composed of alphanumeric characters. The text can be placed on a variety of backgrounds with noise (Poornananda Bhat and Naveen Raj, 2020). The wide use of text-based CAPTCHA has led to an increasing number of research works, among which the security of CAPTCHA has been a widely studied topic. There are many ways to successfully attack text-based CAPTCHA (Gao, Tang, Liu, Zhang, Liu, 2017, Gao, Wang, Qi, Wang, Liu, Yan, 2013, Yan, El Ahmad), drawing on fields such as artificial intelligence, network information safety, natural language processing, and computer vision (Xu et al., 2020). These methods pre-process the image, then segment and recognize each single character. However, their success rate cannot reach a certain level, and it takes a lot of time to adapt the code.
In the era of deep learning, the deep neural network model has become more powerful and more efficient. Consequently, different attack methods based on deep learning have been proposed. Hu et al. (2018) proposed a method of identifying CAPTCHA based on the Convolutional Neural Network (CNN) model. Ye et al. (2018) proposed a GAN-based method to generate images that are very similar to the real sample of CAPTCHA image, and then use the generated images to train a CNN which can recognize various common CAPTCHAs. Zi et al. (2020) proposed an end-to-end method based on a CNN and an attention-based recurrent neural network without any segmentation or pre-processing steps, which can break almost all text-based CAPTCHA systems in the world. In addition, there are some research works aiming at other types of CAPTCHA (Mittal, Kaushik, Hashmi, Kumar, 2018, Zhang, Gao, Pei, Kang, Zhou, 2018). This shows that the existing CAPTCHAs are under great threat.
Unfortunately, existing CAPTCHAs have obvious disadvantages, such as lack of security under the attacks of deep learning methods, implementation difficulties, and low usability. To resolve these issues, in this paper we propose an annuli CAPTCHA system that is simple, secure, and effective against attack methods. Our CAPTCHA system utilizes an overlapping of annuli, which consists of circles and ovals. We verified the security of our system using different attack methods. Experimental results demonstrated that our CAPTCHA system can achieve a high level of security without complex security features. A usability survey of our annuli CAPTCHA system was conducted and the results of the survey prove that our system is friendly to users.
To sum up, the contributions of this research are as follows.
- We present the annuli CAPTCHA system without complex security features which can easily generate a CAPTCHA image on the fly.
- We verify the performance of our CAPTCHA system by traditional methods, deep learning methods and random guessing. The results of these experiments show that our CAPTCHA system is harder to attack compared with existing CAPTCHA systems.
- We study the usability of our CAPTCHA system by questionnaire survey. The survey results indicate that the questions in our CAPTCHA system are simple for most people.
- We identify the “distinguishable region” and verify the simple annuli images generated using the parameters in the “indistinguishable region.” The indistinguishable regions are the positions where two annuli overlap in a way that makes them difficult for the attack model to recognize.
- Based on the concept of the “indistinguishable region,” we propose a reliable method to further improve the performance of our CAPTCHA system.
- Our CAPTCHA system provides new insights, showing that there is still a possibility that it can fight deep learning methods.
The rest of this paper is organized as follows. Section 2 surveys the related work on CAPTCHA. Section 3 describes the object detection techniques that are applied to verify the performance of our annuli CAPTCHA system. Section 4 shows the design of our annuli CAPTCHA system, identifies the “indistinguishable distance” and proposes a reliable method to improve the performance of the proposed system. Section 5 presents the attack models. Section 6 demonstrates the experimental setup and results. Section 7 provides the questionnaire survey and its results. Section 8 discusses the qualitative study. Finally, Section 9 concludes this paper.
Related work
Moni Naor first proposed the basic concept of CAPTCHA in 1996 and recommended using the Turing test to distinguish human users from bots (Naor, 1996). To date, text-based CAPTCHA is the most widespread CAPTCHA type, which asks users to enter the same text as the one in a given image whose background usually adds security features such as noise, distortion, waving, or overlapping to interfere with deep learning-based bot attacks (Bursztein, Martin, Mitchell, 2011, Zi, Gao, Cheng, Liu, 2020).
Preliminary
This section provides the object detection techniques applied to verify the performance of our proposed system.
Object detection consists of two problems. The first one is to detect the instance of a particular object, called a matching problem. The second one is to detect the instances of some predefined object categories, such as dogs, cats, and humans (Liu et al., 2020). The image-based CAPTCHA falls into the second type of problem for object detection, which focuses on detecting objects of a
System design
The proposed annuli CAPTCHA system is very easy to implement. It first generates an image containing a number of annuli and then asks the user wishing to log in to answer how many annuli are in the image. The user is granted access to the system if the answer is correct. There are two key components in the proposed system. The first one is the annuli generation module, and the second one is the security feature enhancement module. Moreover, we also propose an extra method that improves the
Attack model
In this section, we introduce the attack methods to verify the performance of the proposed annuli CAPTCHA system.
Experimental setup and result
In this section, we introduce the hardware settings, experimental parameters, experimental results of different attack models, and experimental results of the reliable method to improve the level of security.
Usability
In this section, we present the results of the usability survey conducted online. A total of 483 questionnaires were answered. Among them, 476 were valid, and 7 were invalid, in which the answers were very far from the truth.
Overlapping
Overlapping is an important security feature in our proposed annuli CAPTCHA system. We observe that annuli CAPTCHA images with more overlapping are generally more difficult for attack methods to recognize correctly. However, excessive overlapping will cause a decline in usability. Hence, it is important to achieve a balance between security and usability. We utilize different thicknesses and colors to make annuli easier for users to recognize. It has been proven to be effective in usability
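The challenge flow described under System design, with the varied thickness and color described under Overlapping, as an added Python example that is not the authors' implementation. The canvas size, radius and count ranges, palette, in-memory store, and the names make_annuli, render_svg, new_challenge and verify are assumptions; the paper's own generation parameters are not given on this page.

```python
import hmac
import random
import secrets

W, H = 300, 200                                   # canvas size (assumed)
PALETTE = ["#c0392b", "#2471a3", "#1e8449", "#7d3c98", "#b9770e"]  # assumed colors
_pending = {}                                     # challenge id -> expected count

def make_annuli(count, rng=None):
    """Return `count` circle/oval outlines, each placed near an earlier one."""
    rng = rng or random.SystemRandom()
    shapes = []
    for _ in range(count):
        rx = rng.randint(25, 55)
        ry = rx if rng.random() < 0.5 else rng.randint(20, 55)  # circle or oval
        if shapes:   # offset from an earlier centre so the outlines tend to overlap
            prev = rng.choice(shapes)
            cx = prev["cx"] + rng.randint(-prev["rx"], prev["rx"])
            cy = prev["cy"] + rng.randint(-prev["ry"], prev["ry"])
        else:
            cx, cy = rng.randint(rx + 4, W - rx - 4), rng.randint(ry + 4, H - ry - 4)
        shapes.append({
            "cx": min(max(cx, rx + 4), W - rx - 4),   # keep the whole shape on canvas
            "cy": min(max(cy, ry + 4), H - ry - 4),
            "rx": rx, "ry": ry,
            "stroke": rng.choice(PALETTE),            # varied color and thickness,
            "thickness": rng.randint(2, 6),           # as the page describes
        })
    return shapes

def render_svg(shapes):
    """Intermediate vector form; rasterise before serving, the markup lists every shape."""
    body = "".join(
        f'<ellipse cx="{s["cx"]}" cy="{s["cy"]}" rx="{s["rx"]}" ry="{s["ry"]}" '
        f'fill="none" stroke="{s["stroke"]}" stroke-width="{s["thickness"]}"/>'
        for s in shapes)
    return f'<svg xmlns="http://www.w3.org/2000/svg" width="{W}" height="{H}">{body}</svg>'

def new_challenge(min_n=3, max_n=8):
    """Create a challenge and remember the expected count on the server side."""
    rng = random.SystemRandom()
    count = rng.randint(min_n, max_n)             # count range is an assumption
    cid = secrets.token_urlsafe(16)
    _pending[cid] = count
    return cid, render_svg(make_annuli(count, rng))

def verify(cid, answer):
    """Single use: the challenge is consumed whether or not the answer is right."""
    expected = _pending.pop(cid, None)
    if expected is None:
        return False
    return hmac.compare_digest(str(expected).encode(), str(answer).strip().encode())
```

Because the page lists random guessing among the attacks, the count range and the single-use rule in verify matter as much as the image: a narrow range with unlimited retries per challenge would be guessable regardless of how the annuli are drawn.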
Conclusion
In this paper, we propose a secure annuli CAPTCHA system, which generates an image composed of simple circles and ovals and asks the user to answer the question: “How many circles and ovals are in this image?”. We also set the attack model to simulate attackers using various methods to try to crack the system. The results show that the proposed annuli CAPTCHA system is more secure than the existing CAPTCHA systems. In addition, the anonymous questionnaire survey also proved the high usability
Data Availability
A Secure Annuli CAPTCHA System
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Jie Zhang is currently a PhD student at the Department of Computer Science and Information Engineering, National Central University, Taiwan. He is interested in graph representation learning.
References (41)
- Generalizing the hough transform to detect arbitrary shapes. Readings in Computer Vision (1987)
- et al. Preventing massive automated access to web resources. Comput. Secur. (2009)
- et al. Invisible CAPPCHA: a usable mechanism to distinguish between malware and humans on the mobile IoT. Comput. Secur. (2018)
- et al. A survey of CAPTCHA technologies to distinguish between human and computer. Neurocomputing (2020)
- et al. Gestures based CAPTCHAs the use of sensor readings to solve CAPTCHA challenge on smartphones. 2019 International Conference on Computational Science and Computational Intelligence (CSCI) (2019)
- Akrout, I., Feriani, A., Akrout, M., 2019. Hacking google reCAPTCHA v3 using reinforcement learning. arXiv preprint...
- et al. Protection through multimedia CAPTCHAs. MoMM (2010)
- et al. Development of CAPTCHA system based on puzzle. 2014 International Conference on Computer, Communications, and Control Technology (I4CT) (2014)
- et al. An evaluation of training size impact on validation accuracy for optimized convolutional neural networks. SMU Data Sci. Rev. (2018)
- et al. Text-based CAPTCHA strengths and weaknesses. CCS (2011)
- Cascade R-CNN: delving into high quality object detection. CVPR
- Using a text-to-speech synthesizer to generate a reverse turing test. ICTAI
- Image recognition CAPTCHAs. ISC
- SenCAPTCHA: a mobile-first CAPTCHA using orientation sensors. Proc. ACM on Interact. Mob. Wearable Ubiquitous Technol.
- Annulus: a novel image-based CAPTCHA scheme. 2016 IEEE Region 10 Conference (TENCON)
- Research on the security of microsoft’s two-layer CAPTCHA. IEEE Trans. Inf. Forensics Secur.
- The robustness of hollow CAPTCHAs. CCS
- Fast R-CNN. Proceedings of the IEEE international conference on computer vision
- Rich feature hierarchies for accurate object detection and semantic segmentation. Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition
Min-Yen Tsai is currently an Engineer at Winynn Technology Corp. He received his master's degree from the Department of Computer Science and Information Engineering, National Central University, Taiwan. He is interested in firmware development and algorithm design.
Kotcharat Kitchat is a PhD student in the Department of Computer Science and Information Engineering, National Central University, Taiwan. She received the BEng degree with second class honours from Kasetsart University, Thailand in 2015, the MSc degree from Sirindhorn International Institute of Technology, Thammasat University, Thailand in 2019. Her research interests include Computer Vision and Data Analytics.
Min-Te Sun is a professor in the Department of Computer Science and Information Engineering, National Central University, Taiwan. He received the BSc degree from National Taiwan University, the MSc degree from Indiana University, Bloomington, and the PhD degree in Computer and Information Science from The Ohio State University. His research interests include distributed computing and IoT. He is a member of the IEEE and ACM.
Kazuya Sakai received his PhD degree in Computer Science and Engineering from The Ohio State University in 2013. He is currently an associate professor at the Department of Electrical Engineering and Computer Science, Tokyo Metropolitan University. His research interests are in the area of information and network security, wireless and mobile computing, and distributed algorithms. He received the IEEE Computer Society Japan Chapter Young Author Award 2016. He is a member of the IEEE and ACM.
Wei-Shinn Ku received his PhD degree in computer science from the University of Southern California (USC) in 2007. He also obtained both the MS degree in computer science and the MS degree in electrical engineering from USC in 2003 and 2006, respectively. He is a professor with the Department of Computer Science and Software Engineering at Auburn University. His research interests include databases, data science, mobile computing, and cybersecurity. He has published more than 130 research papers in refereed international journals and conference proceedings. He is a senior member of the IEEE and a member of the ACM SIGSPATIAL.
Thattapon Surasak received his BEng degree in Computer Engineering from Kasetsart University, Nakhon Pathom, Thailand in 2014, MSc degree with distinction in Telecommunications Engineering from the University of Sunderland, Sunderland, the United Kingdom in 2016, and his PhD in Communications Engineering from National Tsing Hua University, Hsinchu, Taiwan, in 2020. Dr. Thattapon Surasak is currently a lecturer at the Department of Computer and Information Science, Faculty of Applied Science, King Mongkut’s University of Technology North Bangkok, Thailand. He was a Senior Team Leader and Acting Director of the IOT and Digital Innovation Institute (VP level), Digital Economy Promotion Agency, Bangkok, Thailand. He was also the full-time lecturer of the Faculty of Information Technology with Thai-Nichi Institute of Technology, Bangkok, Thailand during March to September 2020. From 2017 to 2020, he had been serving as the Head of research laboratory for the Wireless Communications and Information Security (WCIS) Laboratory, National Tsing Hua University, Hsinchu, Taiwan. His research interests include Blockchain-based Applications & Services, Distributed Database Technologies for Blockchain, Data Analytics, Wireless Networks and Network Security.
Tipajin Thaipisutikul received the master’s degree (Hons.) in the research path from The University of Sydney (USYD), Sydney, NSW, Australia in 2012 and received the Ph.D. degree from the Department of Computer Science and Information Engineering, National Central University, Chung-Li, Taiwan in 2021. She is currently an instructor with the Faculty of Information and Communication Technology (ICT), Mahidol University, Thailand. Her research mainly focuses on machine learning, applied intelligence, data mining, and social network analysis.