| Graduate student: | 葉全斌 Quan-bin Ye |
|---|---|
| Thesis title: | DDIM-CAPTCHA: A Novel Drag-n-Drop Interactive Masking CAPTCHA Designed for Third Party Human Attacks |
| Advisors: | 李漢銘 Hahn-Ming Lee, 鄭博仁 Albert B. Jeng |
| Oral defense committee: | 林豐澤 Feng-Tse Lin, 鄧惟中 Wei-Chung Teng, 田筱榮 Hsiao-Rong Tyan |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering |
| Year of publication: | 2013 |
| Academic year of graduation: | 101 |
| Language: | English |
| Number of pages: | 55 |
| Chinese keywords: | drag (拖曳), CAPTCHA (驗證碼), third-party attack (第三人攻擊) |
| English keywords: | drag and drop, CAPTCHA, third party human attack |
A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a security mechanism that can be used to distinguish between humans and machines. It has become the most widely used standard security technology for blocking automated computer programs. A variety of CAPTCHA schemes have been deployed by many famous websites such as Google, eBay, Yahoo, and taobao. However, most existing CAPTCHA systems are vulnerable to a so-called "third party human attack." These schemes are mainly designed to tell humans and computers apart by generating challenges that are presumably easy for humans to answer but hard for computers. The third party human attack employs hired humans to solve the challenges, so the systems are no longer secure. In this paper, we first explain how the third party human attack works. We then investigate an efficient and effective approach to defending against the attack. Following this approach, we design and analyze a novel system, DDIM-CAPTCHA, to deal with both traditional attacks and the third party human attack. DDIM-CAPTCHA retains the basic requirements of CAPTCHAs and adds the properties of interaction and masking. Through a series of analyses and experiments, DDIM-CAPTCHA can be claimed to be a good approach for deployment to remedy the weaknesses of present CAPTCHA systems.