Presentation is loading. Please wait.

Presentation is loading. Please wait.

CAPTCHAs: Breaking & Building A Presentation of Academic Research r3dfish & dr_dave.

Published byGavin Rogers Modified over 8 years ago

Similar presentations

Presentation on theme: "CAPTCHAs: Breaking & Building A Presentation of Academic Research r3dfish & dr_dave."— Presentation transcript:

1 CAPTCHAs: Breaking & Building A Presentation of Academic Research r3dfish & dr_dave

2 A little humor…

3

4 dr_dave BS in Computer Information Systems @ ASU MS in Computer Science @ NJIT MS in Information Technology @ Rutgers 5 th year PhD Candidate in IS/IT @ Rutgers University Work on CAPTCHA Attacks and Designs Enjoy all types of information security research

5 r3dfish BS in Computer Information Systems @ ASU DefCon 17 speech “Hadoop: Apache’s open source implementation of Google’s Map/Reduce framework” HackedExistence.com Youtube.com/HackedExistence

6 CAPTCHA Completely Automated Public Turing test to tell Computers and Humans Apart – Human or Bot? – Prevents abuse by bots/blackhats – Protects scarce resources

7 Why Use CAPTCHAs? Challenges faced by web service provider – Cost of security vs. cost of operation of service – Tolerance level for bot activity? Attackers can pay humans to solve challenges – CAPTCHA mitigates attacks from bots by creating a challenge that uses a “hard” AI problem – An effective CAPTCHA costs money to break

8 Three Major Types Text BasedImage BasedAudio Based

9 Design Criteria for Evaluation Usability – Can the users understand the challenge? – Can the users solve it quickly? – Can impaired users solve it? (blind, deaf, etc.) Scalability – Accommodate a large numbers of users? – Can the challenge be generated without humans? Robustness – Resiliency to attacks? – Real Time Content input for challenge generation

10

11 Common CAPTCHA Breaking Techniques Optical Character Recognition (OCR) Segmentation Filtration Computer Vision Algorithms – Object recognition – Scene tagging/Image annotation Machine Learning Models (Support Vector Machines etc.) Deep Learning Models (Neural Networks) Speech to Text (audio CAPTCHA translation) … and many more novel methods specific to certain styles of CAPTCHAs

12 Automated Breaking Tools Standalone automated breakers are great for non changing CAPTCHA services Can now also send difficult challenges to a human solving service (e.g. DeathByCAPTCHA) Can share custom algorithms for defeated unique CAPTCHA challenges with community Examples: – GSA CAPTCHA Breaker ($147) – DeCaptcher ($2 per 1,000 images) – CAPTCHA Sniper ($97)

13 Example of CAPTCHA Breaker

14

15 Image Annotation Services Alchemy, NeuralTalk etc.

16 Text CAPTCHAs are Dead! Deep Learning models and other novel methods can defeat text CAPTCHAs easily More robust text challenges impact usability

17 Current Best-Of Breed CAPTCHAs Behavior Based Models Risk Based Models Multi-layered Challenges

18

19 Our “Hard AI” Problem Human Emotion Recognition – Contextual Information contained in image Is it impossible for a computer to perform this task? – No, but it is not a trivial challenge Success is highly dependent upon specific criteria – Video/Image properties, composition etc. – Tolerances of detection algorithms

20 Facial Cues for Measurement

21

22

23

24

25

26

27

28 Generating a Sample CAPTCHA Challenge 1.Use image scraper to gather images of faces expressing one or more of the 8 emotions detectable by Emotion API 2.Use Emotion API to recognize faces and emotions expressed 3.Save this information into database 4.Perform image distortions on images until RIS and Emotion API return “garbage”/ 0 results 5.Ask user to demonstrate humanity by matching an equivalent emoticon to the emotion being expressed by a face in the CAPTCHA challenge 6.Evaluate correctness of response and Pass or Fail

29 Application Design Flow Open Source Python Scraper Uses Google’s Image Search Microsoft’s Project Oxford Emotion API GIMP Image Filters – ScriptFu Built on Django

30 Python Scraper

31 Microsoft Cognitive Services

32 MS Emotion API Part of MS Cognitive Services – a REST API Algorithm that detects 8 different emotions in human faces and provides a bounding box for facial recognition

33 MS Emotion API Works for up to 64 people in a single image Image formats: JPEG, PNG, BMP, GIF(the first frame) Accepts images < 4MB. The detectable face size is between 36x36 and 4096x4096 pixels The faces are ranked by face rectangle size in descending order Frontal and near-frontal faces = best results

34

35 Creating Image Security Relies on MS Emotion API to detect emotions of faces in images initially Images are then modified and presented to the user Modified image must no longer be recognizable by the Emotion API User is asked to provide emotion as challenge response

36 GIMP Filter Example

37 Example of Distortion Chain Original ImageInformation Removal Image Destruction Warping/Distortion Final Image “Garbage” Information AddedPerspective Change i(1)i(2) i(3) i(4) i(5)

38 Stopping Emotion API Error: “0 face detected” is our success case, when the Emotion API can no longer identify the face or the emotion

39 Stopping Reverse Image Search Attacks

40 CAPTCHA Challenge Ver 1.0 Images provide guarantee for stopping Emotion API No guarantee for Reverse Image Search – filters not severe enough Designed to test for usability – not for security (yet) Experimenting with # of emotions

41 Sample Guesses for Ver. 1 Gathered responses from friends and other PhD students Gathered over the course of two weeks Instructed to match the emotion in the image to the emoji that most closely represents the emotion

42 Emotion/Guess Matrix – Run 1

43 Test Run 1 Results When we showed images depicting neutral, users guessed neutral 96% of the time correctly…

44 Test Run 1 Results 73% of the time users clicked neutral in an image challenge, they were correct…

45 CAPTCHA Challenge Ver 2.0 Reduced set of emotions to simplify challenge Designed to see if usability improved

46 Emotion/Guess Matrix – Run 2

47 Test Run 2 Results When we showed images depicting neutral, users guessed neutral 94% of the time correctly…

48 Test Run 2 Results 83% of the time users clicked neutral in an image challenge, they were correct…

49 Analysis of Design Criteria Usability – People can easily recognize faces and emotions they are expressing – Warping/distortions can prove too severe for humans to interpret emotion – Currently no options for blind users Scalability – Emotion API provides way to automate emotional tagging – Scraping social media or #hashtags for new images Robustness – Resistant to RIS and CV attacks – Variety in method of challenge expression (e.g. map opposite emotions (happy vs sad), match emoticon to emotion, select all faces expressing the following emotion etc. – Warping/Distortions can be reversed by image processing (no one way image processing functions) – Potential for specialized machine learning algos / neural networks to learn emotional patterns and conduct attacks on CAPTCHA (e.g. deep learning)

50 Limitations of Current Design Image Scraper – “worse” images as you crawl deeper into results of a search term – Potential database attacks depending on image sources Emotion API – The emotions ‘contempt’ and ‘disgust’ are experimental – Some faces may not be detected due to technical challenges, e.g. very large face angles (head-pose), large occlusion, etc.

51 Limitations Cont. Image Distortions – Usability issues – Reversibility issues

52 http://HackedExistence.com

53 Resources https://www.microsoft.com/cognitive- services/en-us/emotion-api https://www.microsoft.com/cognitive- services/en-us/emotion-api http://cseweb.ucsd.edu/~mmotoyam/usec10- recaptchas.pdf http://cseweb.ucsd.edu/~mmotoyam/usec10- recaptchas.pdf http://www.lancaster.ac.uk/staff/yanj2/ccs10.pdf https://cdn.elie.net/publications/the-end-is-nigh- generic-solving-of-text-based-captchas.pdf https://cdn.elie.net/publications/the-end-is-nigh- generic-solving-of-text-based-captchas.pdf https://www.blackhat.com/docs/asia- 16/materials/asia-16-Sivakorn-Im-Not-a-Human- Breaking-the-Google-reCAPTCHA-wp.pdf https://www.blackhat.com/docs/asia- 16/materials/asia-16-Sivakorn-Im-Not-a-Human- Breaking-the-Google-reCAPTCHA-wp.pdf

Download ppt "CAPTCHAs: Breaking & Building A Presentation of Academic Research r3dfish & dr_dave."

Similar presentations

Review of AI from Chapter 3. Journal May 13  What advantages and disadvantages do you see with using Expert Systems in real world applications like business,

Review of AI from Chapter 3. Journal May 13  What advantages and disadvantages do you see with using Expert Systems in real world applications like business,
Stopping cheaters since 15-06-2012 By: Tigran Gasparian.

Stopping cheaters since By: Tigran Gasparian.
CAPTCHA Completely Automated Public Turing test to tell Computers and Humans Apart A Computer Program that can generate and grade test that: Most Humans.

CAPTCHA Completely Automated Public Turing test to tell Computers and Humans Apart A Computer Program that can generate and grade test that: Most Humans.
A Low-cost Attack on a Microsoft CAPTCHA Yan Qiang, 2008-12-9.

A Low-cost Attack on a Microsoft CAPTCHA Yan Qiang,
563.10.3 CAPTCHA Presented by: Sari Louis SPAM Group: Marc Gagnon, Sari Louis, Steve White University of Illinois Spring 2006.

CAPTCHA Presented by: Sari Louis SPAM Group: Marc Gagnon, Sari Louis, Steve White University of Illinois Spring 2006.
Breaking an Animated CAPTCHA Scheme

Breaking an Animated CAPTCHA Scheme
Jeff Yan School of Computing Science Newcastle University, UK (Joint work with Ahmad Salah El Ahmad) Usability of CAPTCHAs Or “usability issues in CAPTCHA.

Jeff Yan School of Computing Science Newcastle University, UK (Joint work with Ahmad Salah El Ahmad) Usability of CAPTCHAs Or “usability issues in CAPTCHA.
UPM, Faculty of Computer Science & IT, 2009 1 A robust automated attendance system using face recognition techniques PhD proposal; May 2009 Gawed Nagi.

UPM, Faculty of Computer Science & IT, A robust automated attendance system using face recognition techniques PhD proposal; May 2009 Gawed Nagi.
 Image Search Engine Results now  Focus on GIS image registration  The Technique and its advantages  Internal working  Sample Results  Applicable.

 Image Search Engine Results now  Focus on GIS image registration  The Technique and its advantages  Internal working  Sample Results  Applicable.
CAPTCHA Prabhakar Verma “08MC30”.

CAPTCHA Prabhakar Verma “08MC30”.
Computer Vision Group University of California Berkeley Recognizing Objects in Adversarial Clutter: Breaking a Visual CAPTCHA Greg Mori and Jitendra Malik.

Computer Vision Group University of California Berkeley Recognizing Objects in Adversarial Clutter: Breaking a Visual CAPTCHA Greg Mori and Jitendra Malik.
Human Computation CSC4170 Web Intelligence and Social Computing Tutorial 7 Tutor: Tom Chao Zhou

Human Computation CSC4170 Web Intelligence and Social Computing Tutorial 7 Tutor: Tom Chao Zhou
Accessibility Tools in Microsoft Office 2010 and 2013 ADA Conference 2014 Norah Sinclair Tessa Greenleaf.

Accessibility Tools in Microsoft Office 2010 and 2013 ADA Conference 2014 Norah Sinclair Tessa Greenleaf.
Machine Learning Damon Waring 22 April 2003. 2 of 15 Agenda Problem, Solution, Benefits Problem, Solution, Benefits Machine Learning Overview/Basics Machine.

Machine Learning Damon Waring 22 April of 15 Agenda Problem, Solution, Benefits Problem, Solution, Benefits Machine Learning Overview/Basics Machine.
VEHICLE NUMBER PLATE RECOGNITION SYSTEM. Information and constraints Character recognition using moments. Character recognition using OCR. Signature.

VEHICLE NUMBER PLATE RECOGNITION SYSTEM. Information and constraints Character recognition using moments. Character recognition using OCR. Signature.
Recognizing some of the modern CAPTCHAs Dmitry Nikulin LCME, Saint-Petersburg, 2011.

Recognizing some of the modern CAPTCHAs Dmitry Nikulin LCME, Saint-Petersburg, 2011.
Part 2  Access Control 1 CAPTCHA Part 2  Access Control 2 Turing Test Proposed by Alan Turing in 1950 Human asks questions to another human and a computer,

Part 2  Access Control 1 CAPTCHA Part 2  Access Control 2 Turing Test Proposed by Alan Turing in 1950 Human asks questions to another human and a computer,
Protecting Web 2.0 Services from Botnet Exploitations Cybercrime and Trustworthy Computing Workshop (CTC), 2010 Second Nguyen H Vo, Josef Pieprzyk Department.

Protecting Web 2.0 Services from Botnet Exploitations Cybercrime and Trustworthy Computing Workshop (CTC), 2010 Second Nguyen H Vo, Josef Pieprzyk Department.
Face Detection And Recognition For Distributed Systems Meng Lin and Ermin Hodžić 1.

Face Detection And Recognition For Distributed Systems Meng Lin and Ermin Hodžić 1.
CSE 548 Advanced Computer Network Security Document Search in MobiCloud using Hadoop Framework Sayan Cole Jaya Chakladar Group No: 1.

CSE 548 Advanced Computer Network Security Document Search in MobiCloud using Hadoop Framework Sayan Cole Jaya Chakladar Group No: 1.

Similar presentations

Ads by Google