CAPTCHA human-verification services that require users to recognize and type in static distorted characters may be a method of the past, according to studies published by researchers at the University of Alabama at Birmingham (UAB).
CAPTCHAs are a security mechanism that Web service providers often regard as a necessary hassle: necessary because they are meant to prevent abuse of Web resources, yet a hassle because the challenge itself is frequently hard for legitimate users to solve. Moreover, successful automated attacks have been developed against many existing CAPTCHA schemes.
Nitesh Saxena, associate professor of the Department of Computer and Information Sciences and information assurance pillar co-leader of the Center for Information Assurance and Joint Forensics Research, led a team that investigated the security and usability of the next generation of CAPTCHAs that are based on simple computer games.
The UAB researchers focused on a broad form of gamelike CAPTCHAs, called dynamic cognitive game, or DCG, CAPTCHAs, which challenge the user to perform a gamelike cognitive task interacting with a series of dynamic images. For example, in a "ship parking" DCG challenge, the user is required to identify the boat from a set of moving objects and drag-and-drop it to the available "dock" location.
The puzzle is easy for the human user to solve, but may be difficult for a computer program to figure out. Also, its gamelike nature may make the process more engaging for a user compared to conventional text-based CAPTCHAs.
The researchers' work is described in several papers, including "Dynamic Cognitive Game CAPTCHA Usability and Detection of Streaming-Based Farming," by Manar Mohamed, Song Gao, Nitesh Saxena, and Chengcui Zhang.
Saxena's team set out to investigate the effectiveness of DCG CAPTCHAs. They first created dynamic cognitive game prototypes to represent a common type of DCG CAPTCHA, then developed a novel, fully automated attack framework to break these DCG challenges.
"The attack is based on computer vision techniques and can automatically solve new game challenges based on knowledge present in a 'dictionary' built from past challenges," says co-author Gao, a UAB doctoral student.
"In traditional CAPTCHA systems, computers may have a hard time figuring out what the distorted characters are — but trained humans can do it in seconds," Saxena says. "The trouble is that criminals have figured out that they can pay people — a penny or less per time — to sit in front of a screen and 'solve' CAPTCHAs to let them do what they want. This is known as a CAPTCHA relay attack."
"Most existing varieties of CAPTCHAs are completely vulnerable to such relay attacks," says co-author Mohamed, a UAB doctoral student. "Our research shows that DCG CAPTCHAs appear to be one of the first CAPTCHA schemes that enable reliable detection of relay attacks."
By the time a remote human solver reports the location of a moving object in the frame it was shown, the object has already moved elsewhere, so the reported coordinates are stale. The Web robot relaying the challenge would then fail it, either by timing out or by generating too many incorrect drag-and-drop operations, a pattern the backend server can recognize as different from normal human behavior. As a result, DCG CAPTCHAs provide some degree of protection against relay attacks.
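The following is an added illustration of that server-side check, not code from the UAB papers or from any commercial DCG CAPTCHA. It is a toy model: the boat and decoy trajectories, the pixel tolerance, the wrong-drop threshold, the time limit and the two latency profiles (a local user at roughly 0.3 s, a streamed relay at several seconds) are all constructed assumptions. The server keeps the clock and recomputes object positions from the moment the challenge was issued, so a grab coordinate copied from a stale frame lands where the boat used to be rather than where it is.

```python
"""Toy server-side relay-attack detection for a DCG ("ship parking") CAPTCHA.

Constructed example: trajectories, tolerances, thresholds and latency profiles
are assumptions for illustration, not measured values or the UAB team's code.
"""
from dataclasses import dataclass
from math import hypot
from typing import Optional


@dataclass(frozen=True)
class MovingObject:
    name: str
    x0: float
    y0: float
    vx: float  # pixels per second; constant velocity keeps the model deterministic
    vy: float
    is_target: bool = False

    def position(self, t: float) -> tuple[float, float]:
        return (self.x0 + self.vx * t, self.y0 + self.vy * t)


@dataclass(frozen=True)
class Verdict:
    passed: bool
    reason: str       # "solved", "too_many_wrong_drops", "timeout" or "incomplete"
    wrong_drops: int
    elapsed: float    # server time of the decisive action


class DCGChallenge:
    def __init__(self, objects, dock, tolerance=15.0, max_wrong=3, time_limit=30.0):
        self.objects = list(objects)
        self.dock = dock                # static drop target
        self.tolerance = tolerance      # px within which a grab or drop counts as a hit
        self.max_wrong = max_wrong      # wrong drag-and-drops before the challenge fails
        self.time_limit = time_limit    # seconds from challenge issue (t = 0)

    def snapshot(self, t: float) -> dict:
        """Positions a client frame rendered at server time t would show."""
        return {o.name: o.position(t) for o in self.objects}

    def object_under(self, xy, t: float) -> Optional[MovingObject]:
        """Hit-test the grab against where objects are when the server receives it."""
        best = None
        for o in self.objects:
            px, py = o.position(t)
            d = hypot(xy[0] - px, xy[1] - py)
            if d <= self.tolerance and (best is None or d < best[0]):
                best = (d, o)
        return best[1] if best else None

    def evaluate(self, actions) -> Verdict:
        """actions: [(server_arrival_time, grab_xy, drop_xy)] in arrival order."""
        wrong = 0
        for t, grab_xy, drop_xy in actions:
            if t > self.time_limit:
                return Verdict(False, "timeout", wrong, t)
            obj = self.object_under(grab_xy, t)
            on_dock = hypot(drop_xy[0] - self.dock[0], drop_xy[1] - self.dock[1]) <= self.tolerance
            if obj is not None and obj.is_target and on_dock:
                return Verdict(True, "solved", wrong, t)
            wrong += 1
            if wrong >= self.max_wrong:
                return Verdict(False, "too_many_wrong_drops", wrong, t)
        return Verdict(False, "incomplete", wrong, actions[-1][0] if actions else 0.0)


def simulate_solver(challenge, latency, target_name, attempts=4, refresh=0.5):
    """A solver who always picks the right boat but acts on a frame captured at
    t_frame; the answer reaches the server `latency` seconds later carrying the
    coordinates from that frame. Only the latency differs between a local user
    and a relay farm fed by streamed screenshots."""
    actions, t_frame = [], 0.0
    for _ in range(attempts):
        seen = challenge.snapshot(t_frame)
        t_arrive = t_frame + latency
        actions.append((t_arrive, seen[target_name], challenge.dock))
        t_frame = t_arrive + refresh  # next frame the solver works from
    return actions


def build_challenge() -> DCGChallenge:
    return DCGChallenge(
        objects=[
            MovingObject("boat", 100, 100, 40, 0, is_target=True),
            MovingObject("duck", 300, 400, -30, 10),
            MovingObject("buoy", 500, 150, 0, 35),
        ],
        dock=(600, 500),
    )


def run(latency: float) -> Verdict:
    ch = build_challenge()
    return ch.evaluate(simulate_solver(ch, latency, "boat"))


if __name__ == "__main__":
    for label, lat in (("local human", 0.3), ("relay farm", 5.0), ("slow relay", 12.0)):
        print(f"{label:12s} {run(lat)}")
```

With a 0.3 s latency the boat has drifted 12 px, inside the 15 px tolerance, and the first drop solves the challenge; at 5 s it has drifted 200 px, every grab misses, and the third wrong drop fails the attempt; at 12 s the third action arrives after the 30 s limit and the challenge times out. Real deployments would also have to cope with legitimate users on slow links, which is why the paragraph above says "to some extent": the tolerance and thresholds trade false rejections against relay detection.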
The usability studies of these DCG CAPTCHAs conducted by the team indicate a more user-friendly and playful design direction compared to the conventional text-based CAPTCHAs.
The research team is now working toward redesigning DCG CAPTCHAs so that automated or semi-automated attacks become difficult while the schemes retain their inherent usability advantages and resistance to relay attacks. The team has been working with companies such as Are You a Human, which has been offering the first commercial instantiation of DCG CAPTCHAs.
The research is funded in part by a grant from the National Science Foundation and a research award from Comcast. Several studies have been done in conjunction with this research.
The project resulted in three publications at leading security conferences. One study, "A Three-Way Investigation of a Game-CAPTCHA: Automated Attacks, Relay Attacks, and Usability," was conducted in collaboration with the Indraprastha Institute of Information Technology in India, Carleton University and Virginia State University, and was recently presented at the ACM Symposium on Information, Computer and Communications Security. Another study completed by Saxena and his research team at UAB was presented at the Usability Workshop at the Network and Distributed System Security Symposium. A final study, "Gaming the Game: Defeating a Game CAPTCHA with Efficient and Robust Hybrid Attacks," appeared at the IEEE International Conference on Multimedia and Expo. Chengcui Zhang, also an associate professor of Computer and Information Sciences, is a faculty co-author on the project.