SRS PRESENTATION Ronen Mendezitsky & Alon Weiss Website Protection System.


1 SRS PRESENTATION Ronen Mendezitsky & Alon Weiss Website Protection System

2 Overview
• An online security system for ASP.NET websites
• Helps fight brute-force attacks on secured systems
• Uses innovative methods to stop rogue OCR software that cracks the widely used CAPTCHA
• Adds an image (“Challenge”) that has a question embedded. The user must answer it in order to log in or register.

3 Contract
What ASP.NET webmasters need:
• The most non-intrusive software component to plug in to their website, easily deployed and maintained
• A friendly and simple utility to remotely configure the system
• The system should use minimal CPU, HDD, and bandwidth resources.

4 Research
• Most CAPTCHAs today are either low-grade, crude Unix scripts or developed in-house
• Most of them have been either reverse engineered or easily cracked using rogue OCR programs in real time
• CAPTCHAs are becoming more complex in order to deal with these rogue programs

5 Top-Level Design
Requirements and boundaries for design:
• Variable complexity
• Simple yet full-featured management software
• Allow for a much larger Q&A space
• Fast response
• Minimal resource usage
• Easy integration
• Generated image should be small and compressible

6 The Problem
Password-protected websites encounter:
• Brute-force attacks that consume a lot of bandwidth
• Cracking attempts by automated bots
• Creation of accounts in bulk by automated bots
• Account lists generated by bots and posted on the internet, which are then used by bots to leech off the site.

7 The Customers
• ASP.NET websites (around 30%)

8 Competition
• Product: Strongbox
• Vendor: Ray Morris (bettercgi.com)
• Link: http://www.bettercgi.com/strongbox/
• Price: 150$ per site (one-time)
• A 5 letter image-based code protection.

9 Competition
• Product: T4wsentry.pl
• Vendor: Fisher Technologies, Inc.
• Link: http://www.tools4webmasters.com/t4wsentry.htm
• Price: 65$ per site (one-time)
• A Perl script that requires the user to log in from a specific page in order to access the restricted area of the website

10 Competition
• Product: Pennywize
• Vendor: Zarvon P/L
• Link: http://www.pennywize.com/
• Price: 30$-170$ (monthly rate)
• An IP-based protection system

11 Competition
• Product: BotDetect
• Vendor: LANAP software
• Link: http://www.lanapsoft.com
• Price: 60$-100$ per site (one-time)
• Supports up to 50 different CAPTCHA types at variable length and image size, producing different file formats

12 The Proposed Product
• A challenge is presented to the user at the log-in page in the form of an image.
• Each image contains many elements
• A challenge is embedded in the image
• Answering the challenge correctly allows successful human verification

13 Challenges
• Make the question-and-answer space as large as possible
• Use as little bandwidth as possible
• SQL database access and HDD I/O should be minimal
• Image manipulation algorithms should be developed to render OCR useless
• The system has to be user friendly, both to the user and to the website administrator
• The system should be upgradable with plug-ins

14 Criteria for Success
• Success: meeting all the requirements described
• Failure: poor integration, challenge & response quality, and resource usage; bad plug-in support

15 Use Cases
• A webmaster of a single website that has no protection and a lot to secure requires authentication for his sensitive content
• A group of webmasters wishes to create a single sign-in solution for their websites
• A specific service requires high-fidelity human authentication, such as e-voting systems, polls, forms, and public & free e-mail services, all to avoid mass junk data being stored or sent using the service.

16 Initial Plan and Progress
• Research and development of the HASTAC algorithm
• Research brute-force techniques of CAPTCHA-protected websites
• Investigate integration methods with current ASP.NET websites
• Build administration interface ("Back-Office") for the system
• Define the main software modules and their integration
• Perform stress-testing on the algorithm

17 SRS PRESENTATION Ronen Mendezitsky & Alon Weiss Website Protection System

