All about uncertainties and traps: Statistical oracle-based attacks on a new CAPTCHA protection against oracle attacks

Hernández-Castro, Carlos Javier; Li, Shujun; R-Moreno, María D.

doi:10.1016/j.cose.2020.101758

Cited by 6 publications

(3 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There have been several proposals to make CAPTCHAs more resilient with little success so far. Using trap images has been shown to be prone to statistical analysis [55], while more recent proposals that create tests by using adversarial examples [91] and the transferability property show more promise. Lately, the area of bot identification has moved towards the security by obscurity paradigm in what some companies call behavioral CAPTCHAs, thus obviating the public part of the acronym.…”

Section: Captchasmentioning

confidence: 99%

Adversarial Machine Learning

Hernández-Castro

Liu

Serban

et al. 2022

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Recent innovations in machine learning enjoy a remarkable rate of adoption across a broad spectrum of applications, including cyber-security. While previous chapters study the application of machine learning solutions to cyber-security, in this chapter we present adversarial machine learning: a field of study concerned with the security of machine learning algorithms when faced with attackers. Likewise, adversarial machine learning enjoys remarkable interest from the community, with a large body of works that either propose attacks against machine learning algorithms, or defenses against adversarial attacks. In particular, adversarial attacks have been mounted in almost all applications of machine learning. Here, we aim to systematize adversarial machine learning, with a pragmatic focus on common computer security applications. Without assuming a strong background in machine learning, we also introduce the basic building blocks and fundamental properties of adversarial machine learning. This study is therefore accessible both to a security audience without in-depth knowledge of machine learning and to a machine learning audience.

show abstract

Section: Captchasmentioning

confidence: 99%

Adversarial Machine Learning

Hernández-Castro

Liu

Serban

et al. 2022

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…However, the progress of AI techniques and computing power has led to the breaking of these CAPTCHA schemes with high success rates [9,46,117,141]. Therefore, to design the next generation CAPTCHA schemes, it is important to move away from schemes based on hard AI problems toward other approaches less vulnerable to learning-based attacks [63]. Recently, big companies such as Google, Alibaba, and Tencent have migrated towards behavior-based CAPTCHA schemes, while there is an initiative aiming at deploying a sensor-based CAPTCHA scheme that uses the same key concept of Invisible CAPPCHA [53] by a company called Brave [10].…”

Section: Resilience To Both Automated and Human Solver Relay Attacksmentioning

confidence: 99%

Gotta CAPTCHA ’Em All: A Survey of 20 Years of the Human-or-computer Dilemma

GuerarMeriem¹,

VerderameLuca²,

Migliardi³

et al. 2021

ACM Comput. Surv.

View full text Add to dashboard Cite

A recent study has found that malicious bots generated nearly a quarter of overall website traffic in 2019 [102]. These malicious bots perform activities such as price and content scraping, account creation and takeover, credit card fraud, denial of service, and so on. Thus, they represent a serious threat to all businesses in general, but are especially troublesome for e-commerce, travel, and financial services. One of the most common defense mechanisms against bots abusing online services is the introduction of Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), so it is extremely important to understand which CAPTCHA schemes have been designed and their actual effectiveness against the ever-evolving bots. To this end, this work provides an overview of the current state-of-the-art in the field of CAPTCHA schemes and defines a new classification that includes all the emerging schemes. In addition, for each identified CAPTCHA category, the most successful attack methods are summarized by also describing how CAPTCHA schemes evolved to resist bot attacks, and discussing the limitations of different CAPTCHA schemes from the security, usability, and compatibility point of view. Finally, an assessment of the open issues, challenges, and opportunities for further study is provided, paving the road toward the design of the next-generation secure and user-friendly CAPTCHA schemes.

show abstract

“…However, the progress of AI techniques and computing power has led to the breaking of these CAPTCHA schemes with high success rates [50], [115,138], [19]. Therefore, in order to design the next generation CAPTCHA schemes, it is important to move away from schemes based on hard AI problems toward other approaches less vulnerable to learning-based attacks [67]. Recently, big companies like Google, Alibaba and Tencent have migrated towards behavior-based CAPTCHA schemes, while there is an initiative aiming at deploying a sensor-based CAPTCHA scheme that uses the same key concept of Invisible CAPPCHA [57] by a company called Brave [20].…”

Section: Resilience To Both Automated and Human Solver Relay Attacksmentioning

confidence: 99%

Gotta CAPTCHA 'Em All: A Survey of Twenty years of the Human-or-Computer Dilemma

Guerar,

Verderame,

Migliardi

et al. 2021

Preprint

View full text Add to dashboard Cite

A recent study has found that malicious bots generated nearly a quarter of overall website traffic in 2019 [100]. These malicious bots perform activities such as price and content scraping, account creation and takeover, credit card fraud, denial of service, etc. Thus, they represent a serious threat to all businesses in general, but are especially troublesome for e-commerce, travel and financial services. One of the most common defense mechanisms against bots abusing online services is the introduction of Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), so it is extremely important to understand which CAPTCHA schemes have been designed and their actual effectiveness against the ever-evolving bots. To this end, this work provides an overview of the current state-of-the-art in the field of CAPTCHA schemes and defines a new classification that includes all the emerging schemes. In addition, for each identified CAPTCHA category, the most successful attack methods are summarized by also describing how CAPTCHA schemes evolved to resist bot attacks, and discussing the limitations of different CAPTCHA schemes from the security, usability and compatibility point of view. Finally, an assessment of the open issues, challenges, and opportunities for further study is provided, paving the road toward the design of the next-generation secure and user-friendly CAPTCHA schemes. CCS Concepts: • Security and privacy → Authentication; Graphical / visual passwords.

show abstract

All about uncertainties and traps: Statistical oracle-based attacks on a new CAPTCHA protection against oracle attacks

Abstract: The version in the Kent Academic Repository may differ from the final published version. Users are advised to check http://kar.kent.ac.uk for the status of the paper. Users should always cite the published version of record.

Cited by 6 publications

References 23 publications

Adversarial Machine Learning

Adversarial Machine Learning

Gotta CAPTCHA ’Em All: A Survey of 20 Years of the Human-or-computer Dilemma

Gotta CAPTCHA 'Em All: A Survey of Twenty years of the Human-or-Computer Dilemma

Contact Info

Product

Resources

About