
Student: 葉全斌 (Quan-bin Ye)
Thesis title: DDIM-CAPTCHA: A Novel Drag-n-Drop Interactive Masking CAPTCHA Designed for Third Party Human Attacks
Advisors: 李漢銘 (Hahn-Ming Lee), 鄭博仁 (Albert B. Jeng)
Committee members: 林豐澤 (Feng-Tse Lin), 鄧惟中 (Wei-Chung Teng), 田筱榮 (Hsiao-Rong Tyan)
Degree: Master
Department: Department of Computer Science and Information Engineering, College of Electrical Engineering and Computer Science
Year of publication: 2013
Academic year of graduation: 101
Language: English
Pages: 55
Chinese keywords: 拖曳 (drag and drop), 驗證碼 (CAPTCHA), 第三人攻擊 (third party attack)
English keywords: drag and drop, CAPTCHA, third party human attack
Usage: 229 views, 0 downloads

A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a security mechanism used to distinguish humans from machines. It has become the most widely used standard security technology for blocking automated computer programs. A variety of CAPTCHA schemes have been deployed by well-known websites such as Google, eBay, Yahoo and Taobao. However, most existing CAPTCHA systems are vulnerable to a so-called "third party human attack." These schemes are designed to tell humans and computers apart by generating challenges that are presumably easy for humans to answer but hard for computers. The third party human attack employs hired humans to solve the challenges, so the systems are no longer secure. In this paper, we first explain how the third party human attack works. We then investigate an efficient and effective approach to defending against the attack. Following that approach, we design and analyze a novel system, DDIM-CAPTCHA, that addresses both traditional attacks and the third party human attack. DDIM-CAPTCHA retains the basic requirements of CAPTCHAs and adds the properties of interaction and masking. Through a series of analyses and experiments, we show that DDIM-CAPTCHA is a good approach for deployment to remedy the weaknesses of present CAPTCHA systems.


Table of contents (page numbers refer to the thesis):

ABSTRACT  i
1 Introduction  1
  1.1 Origin of CAPTCHA  1
  1.2 Categories  2
  1.3 Motivation/Contribution  6
  1.4 Outline of Thesis  7
2 Related Work  8
  2.1 Security Threat  8
    2.1.1 Random Guess Attack  8
    2.1.2 OCR Attack  9
    2.1.3 Third Party Human Attack  10
  2.2 Existing Remedies  15
3 DDIM-CAPTCHA Design  19
  3.1 Review of Existing Remedies  19
  3.2 Design Principles  21
  3.3 Novel Idea  23
  3.4 System Concept  24
  3.5 System Architecture  25
    3.5.1 Pre-process Phase  28
    3.5.2 Generation Phase  29
    3.5.3 Authentication Phase  31
  3.6 Technical Challenges  32
4 Experiments and Analysis  36
  4.1 System Performance of Generating Per CAPTCHA Challenge  36
  4.2 Overlapped Coverage of Candidates  38
  4.3 Success Rate of Random Guess Attacks  41
  4.4 Comparison of Minimum Required Actions  42
  4.5 Security Analysis  43
    4.5.1 Defeating Random Guess Attack  44
    4.5.2 Defeating OCR Attack  44
    4.5.3 Defeating Third Party Human Attack  45
5 Conclusion and Future Work  46
References  47

