14-04-2011, 10:48 AM
[attachment=12159]
A CAPTCHA is a type of challenge-response test used in computing as an attempt to ensure that the response is not generated by a computer. The process usually involves one computer (a server) asking a user to complete a simple test which the computer is able to generate and grade. Because other computers are supposedly unable to solve the CAPTCHA, any user entering a correct solution is presumed to be human. Thus, it is sometimes described as a reverse Turing test, because it is administered by a machine and targeted to a human, in contrast to the standard Turing test that is typically administered by a human and targeted to a machine. A common type of CAPTCHA requires the user to type letters or digits from a distorted image that appears on the screen.
The term "CAPTCHA" was coined in 2000 by Luis von Ahn, Manuel Blum, Nicholas J. Hopper, and John Langford (all of Carnegie Mellon University). It is a contrived acronym based on the word "capture" and standing for "Completely Automated Public Turing test to tell Computers and Humans Apart". Carnegie Mellon University attempted to trademark the term, but the trademark application was abandoned on 21 April 2008.
A CAPTCHA is a means of automatically generating challenges which intends to:
Provide a problem easy enough for all humans to solve.
Prevent standard automated software from filling out a form, unless it is specially designed to circumvent specific CAPTCHA systems.
A check box in a form that reads "check this box please" is the simplest (and perhaps least effective) form of a CAPTCHA. CAPTCHAs do not have to rely on difficult problems in artificial intelligence, although they can.
This has the benefit of distinguishing humans from computers. It also creates incentive to further develop artificial intelligence of computers.
Vulnerabilities
HTTP does not distinguish between human & machine users.
HTTP & SSL do not guarantee client software or user is benign.
Malicious bots can be anonymous and distributed.
Benign bots spider for searches, etc.
Threats to Web
Content Theft-- stealing paid data
Copyright Infringement-- “scraping” content from one site to display on another, “out of context”
Unwanted spidering-- search engines may ignore robots.txt or “nofollow” tags
Poll Stuffing-- MIT vs. CMU on /. [1]
Web Spam-- unsolicited commenting, abusing free email, scraping addresses
Web Spam
• Web comments, discussions, guest books, Wikis, many public forms are open to spam messages.
• More eyeballs per message than e-mail
• E-mail spam is illegal, but most Web spam is legal.
• Bots collect email addresses on Web.
TYPES OF CAPTCHA
1.TEXT BASED:
• Images of distorted text.
• Frequently cracked and improved.
• In current version, 5 pairs of overlapped words. User identifies 3 words.
• Random placement, font, distortion, background pattern
• Overlapping words need no noise.
2.Visual puzzle
• Computer can generate & display, but not solve.
• If too many choices, humans get it wrong.
• If not enough choices, computers can be effective with random guess.
3. Photo Recognition
• Need large image DB
• Images need keywords
• Four images with same keyword shown
• Random subset of keywords as choices
• Poor implementations easy to crack (color of top left pixel unique, etc.)
4.SPEECH CAPTCHA
• Usually spells out one-time-password in synthesized or recorded voices
• Voice recognition cracks simple case.
• Applied audio filters risk human misunderstanding.
• Used with image CAPTCHA for increased accessibility.
• If both use same OTP, easier to crack.
5. 3D CAPTCHA
• Renders OTP in 3D space to image
• Reputedly the most difficult to crack
• Server needs good graphics card to be practical (rare)
• Can be combined with other methods
• Not yet common
• Might see more in future
VIDEO CAPTCHA
Unfortunately, many users find existing character-recognition based CAPTCHAs frustrating and attack success rates as high as 60% have been reported for Microsoft’s
Hotmail CAPTCHA . To address these problems, we present a first attempt at using content-based video labeling (‘tagging’) as a CAPTCHA task. We define correct responses using tags provided by the individual that posts a video to a public database (YouTube.com), along with tags on videos designated as being ‘related’ in the database.In an experiment involving 184 human participants, we were able to increase human pass rates on our video CAPTCHAs from roughly 70% to 90% while keeping the success of a frequency-based attack fixed at around 13%. Through a different parameterization of the challenge generation and tag matching algorithms, we were able to reduce the success rate of the same attack to 2%, while still increasing the human pass rate to 75% .The frequency-based attack we consider is simple but logical for this type of CAPTCHA: the computer submits the three tags with the highest estimated frequencies below the rejection threshold, on the assumption that the tag frequency estimates used in creating the CAPTCHAs are publicly available. A screenshot of our video-based CAPTCHA is shown in Figure 1. To pass the challenge, a user provides three words (‘tags’) describing the video. If one of the submitted tags belongs to the automatically generated ground truth tag set, the challenge is passed. This task is similar to the ESP game of von Ahn et al. in which online users are randomly paired and presented with an image that they then submit tags to describe. Players cannot see each other’s submitted tags until they agree on a common tag, at which point the round of the game ends. Our video CAPTCHA is similar to a game of ESP in which one player is online, while the other player’s responses (the ground truth tags) are computed automatically.
A CAPTCHA is a type of challenge-response test used in computing as an attempt to ensure that the response is not generated by a computer. The process usually involves one computer (a server) asking a user to complete a simple test which the computer is able to generate and grade. Because other computers are supposedly unable to solve the CAPTCHA, any user entering a correct solution is presumed to be human. Thus, it is sometimes described as a reverse Turing test, because it is administered by a machine and targeted to a human, in contrast to the standard Turing test that is typically administered by a human and targeted to a machine. A common type of CAPTCHA requires the user to type letters or digits from a distorted image that appears on the screen.
The term "CAPTCHA" was coined in 2000 by Luis von Ahn, Manuel Blum, Nicholas J. Hopper, and John Langford (all of Carnegie Mellon University). It is a contrived acronym based on the word "capture" and standing for "Completely Automated Public Turing test to tell Computers and Humans Apart". Carnegie Mellon University attempted to trademark the term, but the trademark application was abandoned on 21 April 2008.
A CAPTCHA is a means of automatically generating challenges which intends to:
Provide a problem easy enough for all humans to solve.
Prevent standard automated software from filling out a form, unless it is specially designed to circumvent specific CAPTCHA systems.
A check box in a form that reads "check this box please" is the simplest (and perhaps least effective) form of a CAPTCHA. CAPTCHAs do not have to rely on difficult problems in artificial intelligence, although they can.
This has the benefit of distinguishing humans from computers. It also creates incentive to further develop artificial intelligence of computers.
Vulnerabilities
HTTP does not distinguish between human & machine users.
HTTP & SSL do not guarantee client software or user is benign.
Malicious bots can be anonymous and distributed.
Benign bots spider for searches, etc.
Threats to Web
Content Theft-- stealing paid data
Copyright Infringement-- “scraping” content from one site to display on another, “out of context”
Unwanted spidering-- search engines may ignore robots.txt or “nofollow” tags
Poll Stuffing-- MIT vs. CMU on /. [1]
Web Spam-- unsolicited commenting, abusing free email, scraping addresses
Web Spam
• Web comments, discussions, guest books, Wikis, many public forms are open to spam messages.
• More eyeballs per message than e-mail
• E-mail spam is illegal, but most Web spam is legal.
• Bots collect email addresses on Web.
TYPES OF CAPTCHA
1.TEXT BASED:
• Images of distorted text.
• Frequently cracked and improved.
• In current version, 5 pairs of overlapped words. User identifies 3 words.
• Random placement, font, distortion, background pattern
• Overlapping words need no noise.
2.Visual puzzle
• Computer can generate & display, but not solve.
• If too many choices, humans get it wrong.
• If not enough choices, computers can be effective with random guess.
3. Photo Recognition
• Need large image DB
• Images need keywords
• Four images with same keyword shown
• Random subset of keywords as choices
• Poor implementations easy to crack (color of top left pixel unique, etc.)
4.SPEECH CAPTCHA
• Usually spells out one-time-password in synthesized or recorded voices
• Voice recognition cracks simple case.
• Applied audio filters risk human misunderstanding.
• Used with image CAPTCHA for increased accessibility.
• If both use same OTP, easier to crack.
5. 3D CAPTCHA
• Renders OTP in 3D space to image
• Reputedly the most difficult to crack
• Server needs good graphics card to be practical (rare)
• Can be combined with other methods
• Not yet common
• Might see more in future
VIDEO CAPTCHA
Unfortunately, many users find existing character-recognition based CAPTCHAs frustrating and attack success rates as high as 60% have been reported for Microsoft’s
Hotmail CAPTCHA . To address these problems, we present a first attempt at using content-based video labeling (‘tagging’) as a CAPTCHA task. We define correct responses using tags provided by the individual that posts a video to a public database (YouTube.com), along with tags on videos designated as being ‘related’ in the database.In an experiment involving 184 human participants, we were able to increase human pass rates on our video CAPTCHAs from roughly 70% to 90% while keeping the success of a frequency-based attack fixed at around 13%. Through a different parameterization of the challenge generation and tag matching algorithms, we were able to reduce the success rate of the same attack to 2%, while still increasing the human pass rate to 75% .The frequency-based attack we consider is simple but logical for this type of CAPTCHA: the computer submits the three tags with the highest estimated frequencies below the rejection threshold, on the assumption that the tag frequency estimates used in creating the CAPTCHAs are publicly available. A screenshot of our video-based CAPTCHA is shown in Figure 1. To pass the challenge, a user provides three words (‘tags’) describing the video. If one of the submitted tags belongs to the automatically generated ground truth tag set, the challenge is passed. This task is similar to the ESP game of von Ahn et al. in which online users are randomly paired and presented with an image that they then submit tags to describe. Players cannot see each other’s submitted tags until they agree on a common tag, at which point the round of the game ends. Our video CAPTCHA is similar to a game of ESP in which one player is online, while the other player’s responses (the ground truth tags) are computed automatically.
