Using machine learning to identify common flaws in CAPTCHA design: FunCAPTCHA case analysis

Human Interactive Proofs (HIPs [Human Interaction Proof, or also Human Interactive Proof] or CAPTCHAs [Completely Automated Public Turing test to tell Computers and Humans Apart]) have become a first-level security measure on the Internet to avoid automatic attacks or minimize their effects. All t...

Detailed description

Bibliographic details
Published in: Computers & security 2017-09, Vol.70, p.744-756
Main authors: Hernández-Castro, Carlos Javier, R-Moreno, María D., Barrero, David F., Gibson, Stuart
Format: Article
Language: eng
Subjects:
Online access: Full text
container_end_page 756
container_issue
container_start_page 744
container_title Computers & security
container_volume 70
creator Hernández-Castro, Carlos Javier
R-Moreno, María D.
Barrero, David F.
Gibson, Stuart
description Human Interactive Proofs (HIPs [Human Interaction Proof, or also Human Interactive Proof] or CAPTCHAs [Completely Automated Public Turing test to tell Computers and Humans Apart]) have become a first-level security measure on the Internet to avoid automatic attacks or minimize their effects. All the most widespread, successful or interesting CAPTCHA designs put to scrutiny have been successfully broken. Many of these attacks have been side-channel attacks. New designs are proposed to tackle these security problems while improving the human interface. FunCAPTCHA is the first commercial implementation of a gender classification CAPTCHA, with reported improvements in conversion rates. This article finds weaknesses in the security of FunCAPTCHA and uses simple machine learning (ML) analysis to test them. It shows a side-channel attack that leverages these flaws and successfully solves FunCAPTCHA on 90% of occasions without using meaningful image analysis. This simple yet effective security analysis can be applied with minor modifications to other HIPs proposals, allowing to check whether they leak enough information that would in turn allow for simple side-channel attacks.
doi_str_mv 10.1016/j.cose.2017.05.005
format Article
fulltext fulltext
identifier ISSN: 0167-4048
ispartof Computers & security, 2017-09, Vol.70, p.744-756
issn 0167-4048
1872-6208
language eng
recordid cdi_proquest_journals_1967360615
source Elsevier ScienceDirect Journals
subjects Artificial intelligence
CAPTCHA
Cybersecurity
Gender classification
HIP
Image analysis
Machine learning
Network security
Side-channel attack
Studies
title Using machine learning to identify common flaws in CAPTCHA design: FunCAPTCHA case analysis
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-25T21%3A23%3A41IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_cross&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Using%20machine%20learning%20to%20identify%20common%20flaws%20in%20CAPTCHA%20design:%20FunCAPTCHA%20case%20analysis&rft.jtitle=Computers%20&%20security&rft.au=Hern%C3%A1ndez-Castro,%20Carlos%20Javier&rft.date=2017-09&rft.volume=70&rft.spage=744&rft.epage=756&rft.pages=744-756&rft.issn=0167-4048&rft.eissn=1872-6208&rft_id=info:doi/10.1016/j.cose.2017.05.005&rft_dat=%3Cproquest_cross%3E1967360615%3C/proquest_cross%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=1967360615&rft_id=info:pmid/&rft_els_id=S0167404817301128&rfr_iscdi=true