User:SelimLakhdar/sandbox

In the 1950s, Alan Turing was the first who was wondering about how to differentiate between human and machine behavior. He was trying to determine if a computer can think.^[1] He invented the Turing Test which consists in trying to differentiate between human and robot by a challenge–response test. This first consideration was not meant to be automatized. In fact, the test was administrated and verified by a human.

With the growth of Internet users and the apparition of the first web services, the necessity of automatically distinguish between normal human actions, and automated actions through bots was necessary.^[2]

The first attempt lights up to different attacks to break the system which light up new ways to build a strong HIP. This revealed that building a HIP is not an easy task.^[3] The generated challenge has to be as easy as possible for humans to pass, and hard as possible for computers to solve it.^[4]

Over the years, the most common representation of a HIP is visually distorted images of a string of letters and numbers that can be understood by human but not by bots.^[5]

This approach was criticized due to its negligence for disabled persons. Other alternatives were introduced like, the audio based CAPTCHA, the puzzle based CAPTCHA.^[6][7]

One of the main idea behind building new HIPs systems is using unsolved AI problems for generating and verifying the challenge. Indeed, using problems that cannot be solved effectively/efficiently by any feasible machine could be a great progress in that field if hackers could break it. This idea was also encouraged by the popularizing of the 1024 integer factoring problem for cryptographic protocols.^[8][9][10]

HIPs systems are used to secure services from automated attacks. Generally, they are deployed in the front-end layer, where the interaction of the user is checked to perform a request to the server. This point shows that HIPs are used as a preventive method to control access to the back-end layer.

Some notorious usages are :^[11][12]

• Preventing comment spam.
• Protecting website registration.
• Protecting email addresses from crawlers.
• Preventing dictionary attacks (Brute-force attack).
• Traking online bots: interactions of social networks.
• Search Engine Bots.

CAPTCHAs are also used to mitigate the risk of password eavesdropping attack to discourage password phishing from some malwares. Specifically, in the TLS protocol to counter the MITM attack.^[13]

Designing a HIP is a complex problem. In fact, it's a trade-off between security and accessibility.^[14][15][16] Finding the right equilibrium between accessibility and strength against attacks is difficult. The HIP has to be difficult to solve for a computer, while remaining easy for a human.^[17][18] An automated script should not be successful more than 1 in 10,000 tries or have success rate of 0.1%, and that a human should be successful at least 90% of the time.^[19]

Samaras et al. leaded a study in the human recognition field to understand how the human brain analyses and understands an image.^[20] Various researchers attempted to explain the functioning of the human mind in terms of more basic processes, such as speed of processing, controlled attention and working memory capacity to build more resistant HIPs.^[21]

The CAPTCHA is the most used system despite it doesn't provide an acceptable trade-off between security and accessibility.^[22][23] According to a survey led in the US, 37 millions users are blind and that's an important concern about text-based CAPTCHA. Indeed, CAPTCHA is the greatest security-related problem for users with disabilities, especially for blind users.^[24] Even the new audio-based CAPTCHA are still inaccessible for certain users.^{[25][26][27][28]}

The security aspect in a HIP system is very important. It's the key to prevent computer bots from bypassing the system, while remaining timely resolvable for humans. The properties that make a problem hard to solve, and resistant to bot attacks, are discussed by Bergadano et al.^[29] A CAPTCHA is considered robust to attacks if the success rate of attacks is less than 0.01%. However, it is also desired that the CAPTCHA be usable, i.e. the human success rate should be at least 90%.^[30] Other studies revised the value of robustness of CAPTCHA to bot attacks from 0.01% to 1%, citing it as more meaningful.^[31]

Through the time, using AI to build such systems was explored. Using hard unsolved AI problems to generate challenges was also a way to advance in that field.^[32][33] But, finding a suitable AI problem that can automate the generation of the challenge is not an easy task.^[34][35] Text recognition is a field of interest in AI, well-oriented (aligned) text is already recognized by computer programs, researchers worked on the distorted text, or more commonly the handwriting text recognition. The difficulty of recognizing distorted text came from the segmentation problem, the challenge for AI is to break the interlacing between words,^[36][37] but this seems to not be relevant anymore.^[38][39]

The most used technique to bypass a text-based CAPTCHA is segmentation.^[40] The more effects for designing a strong HIP are combined, more the HIP is secured.^[41]. Adding noise, lines, random arcs, rotation, scaling and distortion are common used techniques^[42][43]

The capability of generating many instances of the problem is also an aspect of interest for scalability.^[44] Another concern is trying to avoid parallel attacks (Brute Force^{[disambiguation needed]}).^[45][46]

Beyond the preceding rules to design a strong HIP system, publishing the source code seems to be the most effective way to improve the system against attacks. CAPTCHAs systems which rely on private databases or algorithms to generate their challenges are prohibited. This rise a risk of an adversary generating all possible tests and using a hash function to look up the answer in a pre-computed database or trying to do reverse engineering.^[47][48]

First implementation of CAPTCHA (/kæp.tʃə/, an acronym for "completely automated public Turing test to tell computers and humans apart") was trying to achieve some goals like an easy generation of multiple instance of the challenge and an easy usage.^[49] The most wide used HIP scheme is the CAPTCHA, which was introduced in 2000.^[50] It relies on the gap between human and robot for analyzing visual information. It uses text/image deformation and distortion to build the challenge.^[51]

Since then, HIPs evolved and many other implementations appeared. Many fields were studied, like gender recognition, facial expression understanding, body parts finding, nudity deciding, naive drawing understanding, handwriting understanding, speech recognition, filling in words.^[52]

We can classify CAPTCHAs in different categories : ^[53]

• Visual CAPTCHA

CAPTCHA that relies on the generation of a visual challenge. They are not adapted for disabled persons.

• Text-Based CAPTCHA

It relies on text deformation, distortion, adding noise like arcs, to generate the challenge. This scheme is the most used one because it uses alphanumeric symbols which are directly accessible with the keyboard. Some notorious implementation are Pessimal Print, BaffleText, ScatterType, GIMPY, EZ-GIMPY.

• Image-Based CAPTCHA

It relies on image recognition. Indeed, it based on the difficulty for bots to understand images. This is usually performed through recognizing some aspects of an image, or grouping same images. Implementation of such CAPTCHAs are Bongo, ESP-Pix, Asirra, Imagination, and ARTiFACIAL.

• Moving Objects CAPTCHA

This kind of CAPTCHAs is recent. It uses animation to display CAPTCHA, where users are asked to type what they have seen or perceived. The generation of challenge remain hard to implement.

• Non-Visual CAPTCHA

Those CAPTCHAs were introduced for disabled users. The challenge relies on sound recognition or semantic understanding.

• Semantic CAPTCHA

It relies on the gap in sentence understanding between humans and bots. Example of generated challenge can be a simple question like "What's the color of the sky ?". Those CAPTCHAs are vulnerable to attack using a computational knowledge engine, such as Wolfram Al-pha or even a search engine.

• Audio CAPTCHA

Use sound deformation of a sentence. Adding noise.

• Others approaches

Other approaches can be done by combining those different technique to come with a hybrid one. One example of this type is HIPUU CAPTCHA which uses image and audio-based CAPTCHA.^[54]

The security is a continuous game between hackers/researchers and security engineering.^[55][56] We can quote the PWNtcha project " PWNtcha stands for "Pretend We’re Not a Turing Computer but a Human Antagonist", as well as PWN capTCHAs. This project’s goal is to demonstrate the inefficiency of many captcha implementations. "^[57]

Work was also done on automatically recognize HIPs scheme to build a generic way to broke CAPTCHAs.^[58][59]

Optical character recognition is used to recognize/identify a content of a document. It relies on multiple techniques, like binarization to removes noise pixels.^[60] After pixel cleaning, edge detection is more effective. Another important technique is the segmentation to separate and detect letters.^[61] If those techniques aren't efficient to break the HIP, Using the segmentation result with an SVM for character recognition can work.^[62]

Machine learning is a widely used technique to break CAPTCHA. It consists in designing an automated solver. Most HIPs are pure recognition tasks that can easily be broken using machine learning.^[63]

The use of machine learning based attacks is a concern in building HIPs.^[64] In August 2014, Bursztein et al. presented the first generic CAPTCHA-solving algorithm based on reinforcement learning and demonstrated its efficiency against many popular CAPTCHA schemas. They concluded that text-distortion-based CAPTCHAs schemes should be considered insecure moving forward.^[65]

One of possible attacks on a CAPTCHA system is to redirect the challenge to another user to solve it. This technique was firstly used on pornographic websites.^[66][67]

• Sauer, Graig; Holman, Jonathan; Lazar, Jonathan; Hochheiser, Harry; Feng, Jinjuan (25 March 2010). "Accessible privacy and security: a universally usable human-interaction proof tool". Universal Access in the Information Society. 9 (3): 239–248. doi:10.1007/s10209-009-0171-2. S2CID 16917166.
• Rui, Yong; Liu, Zicheng (1 June 2004). "ARTiFACIAL: Automated Reverse Turing test using FACIAL features". Multimedia Systems. 9 (6): 493–502. doi:10.1007/s00530-003-0122-3. S2CID 23473341.
• Lorenzi D., Vaidya J., Uzun E., Sural S., Atluri V. (2012) Attacking Image Based CAPTCHAs Using Image Recognition Techniques. In: Venkatakrishnan V., Goswami D. (eds) Information Systems Security. ICISS 2012. Lecture Notes in Computer Science, vol 7671. Springer, Berlin, Heidelberg
• von Ahn, Luis; Blum, Manuel; Langford, John (1 February 2004). "Telling humans and computers apart automatically". Communications of the ACM. 47 (2): 56–60. doi:10.1145/966389.966390. S2CID 724926. VerificationOfAHumanInTheLoop.
• Moradi, Mohammad; Keyvanpour, MohammadReza (August 2015). "CAPTCHA and its Alternatives: A Review". Security and Communication Networks. 8 (12): 2135–2156. doi:10.1002/sec.1157. CAPTCHAandItsAlternatives:AReview.
• Baecher, Paul; Fischlin, Marc; Lior, Gordon; Robert, Langenberg; Lützow, Michael; Schröder, Dominique. "CAPTCHAs: The Good, the Bad, and the Ugly" (PDF). TheGood,theBad,andtheUgly. {{cite journal}}: Cite journal requires |journal= (help)
• von Ahn L., Blum M., Hopper N.J., Langford J. (2003) CAPTCHA: Using Hard AI Problems for Security. In: Biham E. (eds) Advances in Cryptology — EUROCRYPT 2003. EUROCRYPT 2003. Lecture Notes in Computer Science, vol 2656. Springer, Berlin, Heidelberg id=CAPTCHA:UsingHardAIProblemsforSecurity
• Chen X., Lin X. (2013) Research and Implementation of CAPTCHA Based on Ajax. In: Yin Z., Pan L., Fang X. (eds) Proceedings of The Eighth International Conference on Bio-Inspired Computing: Theories and Applications (BIC-TA), 2013. Advances in Intelligent Systems and Computing, vol 212. Springer, Berlin, Heidelberg
• Czerwinski, Mary; Simard, Patrice; Larson, Kevin; Chellapilla, Kumar (1 January 2005). "Computers beat Humans at Single Character Recognition in Reading based Human Interaction Proofs (HIPs)". Microsoft Research. Retrieved 9 January 2019.
• Chellapilla, Kumar; Larson, Kevin; Simard, Patrice; Czerwinski, Mary (2005). "Designing Human Friendly Human Interaction Proofs (HIPs)". Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM: 711–720. doi:10.1145/1054972.1055070. ISBN 1581139985. S2CID 10798614.
• Rui, Yong; Liu, Zicheg (2003). "Excuse Me, but Are You Human?". Proceedings of the Eleventh ACM International Conference on Multimedia. ACM: 462–463. doi:10.1145/957013.957113. ISBN 1581137222. S2CID 14904788.
• Popat, Kris; Baird, Henry S. (19 August 2002). "Human Interactive Proofs and Document Image Analysis". Document Analysis Systems V. Lecture Notes in Computer Science. 2423. Springer, Berlin, Heidelberg: 507–518. doi:10.1007/3-540-45869-7_54. ISBN 978-3-540-44068-0.
• Zhu, Bin B.; Yan, Jeff; Li, Qiujie; Yang, Chao; Liu, Jia; Xu, Ning; Yi, Meng; Cai, Kaiwei (2010). "Attacks and Design of Image Recognition CAPTCHAs". Proceedings of the 17th ACM Conference on Computer and Communications Security. ACM: 187–200. doi:10.1145/1866307.1866329. ISBN 9781450302456. S2CID 1445671. AttacksandDesignofImageRecognitionCAPTCHAs.
• Fidas, Christos; Hussmann, Heinrich; Belk, Marios; Samaras, George (2015). "iHIP: Towards a User Centric Individual Human Interaction Proof Framework". Proceedings of the 33rd Annual ACM Conference Extended Abstracts on Human Factors in Computing Systems. ACM: 2235–2240. doi:10.1145/2702613.2732748. S2CID 4659690.
• Samaras, George; Spanoudis, George; Fidas, Christos; Germanakos, Panagiotis; Belk, Marios (21 July 2013). "Studying the Effect of Human Cognition on Text and Image Recognition CAPTCHA Mechanisms". Human Aspects of Information Security, Privacy, and Trust. Lecture Notes in Computer Science. 8030. Springer, Berlin, Heidelberg: 71–79. doi:10.1007/978-3-642-39345-7_8. ISBN 978-3-642-39344-0. S2CID 38350753. StudyingTheEffectOfHumanCognitionOnTextAndImageRecognitionCAPTCHAMechanisms.
• Calca, Joseph; Atluri, Vijayalakshmi; Sural, Shamik; Aich, Achyuta; Vaidya, Jaideep; Lorenzi, David (29 May 2017). "EmojiTCHA: Using Emotion Recognition to Tell Computers and Humans Apart". ICT Systems Security and Privacy Protection. IFIP Advances in Information and Communication Technology. 502. Springer, Cham: 281–295. doi:10.1007/978-3-319-58469-0_19. ISBN 978-3-319-58468-3. S2CID 19282524.
• Nishigaki, Masakatsu; Yoneyama, Yuta; Kani, Junya; Fujita, Masahiro; Ikeya, Yuki (22 June 2014). "An Image-Based CAPTCHA Using Sophisticated Mental Rotation". Human Aspects of Information Security, Privacy, and Trust. Lecture Notes in Computer Science. 8533. Springer, Cham: 57–68. doi:10.1007/978-3-319-07620-1_6. ISBN 978-3-319-07619-5.
• Jalwana M.A.A.K., Khan M.M., Ilyas M.U. (2014) Automatic Identification of CAPTCHA Schemes. In: Bebis G. et al. (eds) Advances in Visual Computing. ISVC 2014. Lecture Notes in Computer Science, vol 8888. Springer, Cham
• Blum, Manuel; Abraham, David; McMillen, Colin; Maurer, Benjamin; Ahn, Luis von (12 September 2008). "reCAPTCHA: Human-Based Character Recognition via Web Security Measures". Science. 321 (5895): 1465–1468. doi:10.1126/science.1160379. ISSN 1095-9203. PMID 18703711. S2CID 18371056.
• Mori, G.; Malik, J. (2003). "Recognizing objects in adversarial clutter: breaking a visual CAPTCHA". 2003 IEEE Computer Society Conference on Computer Vision and Pattern Recognition, 2003. Proceedings. 1: I. doi:10.1109/CVPR.2003.1211347. ISBN 0-7695-1900-8. S2CID 1053619.
• Thakkar, Ankit; Patel, Kajol (25 March 2017). "A Simple and Efficient Text-Based CAPTCHA Verification Scheme Using Virtual Keyboard". Information and Communication Technology for Intelligent Systems (ICTIS 2017) - Volume 2. Smart Innovation, Systems and Technologies. 84. Springer, Cham: 121–126. doi:10.1007/978-3-319-63645-0_13. ISBN 978-3-319-63644-3.
• M. Tariq, Banday; N. A., Sha (2009). "Study of CAPTCHAs for Securing Web Services" (PDF). arxiv.org. arXiv:1112.5605. Retrieved 9 January 2019.
• Ahn, Luis von; Blum, Manuel; Langford, John (2003). "Telling Humans and Computers Apart (Automatically) or How Lazy Cryptographers Do AI". Communications of the ACM. 47: 60. CiteSeerX 10.1.1.57.9117.
• Bursztein, Elie; Martin, Matthieu; Mitchell, John (2011). "Text-based CAPTCHA Strengths and Weaknesses". Proceedings of the 18th ACM Conference on Computer and Communications Security. ACM: 125–138. doi:10.1145/2046707.2046724. ISBN 9781450309486. S2CID 3362043.
• Sauer, Graig; Lazar, Jonathan; Hochheiser, Harry; Feng, Jinjuan (2010). "Towards A Universally Usable Human Interaction Proof: Evaluation of Task Completion Strategies". ACM Trans. Access. Comput. 2 (4): 15:1–15:32. doi:10.1145/1786774.1786776. ISSN 1936-7228. S2CID 14715538.
• Simard, Patrice Y. (2004). "Using machine learning to break visual human interaction proofs (HIPs". Advances in Neural Information Processing Systems 17, Neural Information Processing Systems (NIPS'2004. MIT Press: 265–272. CiteSeerX 10.1.1.87.1082. Retrieved 9 January 2019.
• Fateman, Richard J.; Coates, Allison L.; Baird, Henry S. (1 April 2003). "PessimalPrint: a reverse Turing test". International Journal on Document Analysis and Recognition. 5 (2–3): 158–163. doi:10.1007/s10032-002-0089-1. ISSN 1433-2833. S2CID 5223340. Pessimalprint.
• Baird, Henry S.; Chew, Monica (13 January 2003). "BaffleText: a human interactive proof". Document Recognition and Retrieval X. 5010. International Society for Optics and Photonics: 305–317. doi:10.1117/12.479682. S2CID 12757.
• Baird, Henry S.; Moll, Michael A.; Wang, Sui-yu (2005). "ScatterType: a legible but hard-to-segment CAPTCHA". In Proceedings of the 8th International Conference on Document Analysis and Recognition, Seoul, Korea. CiteSeerX 10.1.1.151.2648. Scattertype.
• Mori, G.; Malik, J. (2003). "Recognizing objects in adversarial clutter: breaking a visual CAPTCHA". 2003 IEEE Computer Society Conference on Computer Vision and Pattern Recognition, 2003. Proceedings. 1: I. doi:10.1109/CVPR.2003.1211347. ISBN 0-7695-1900-8. S2CID 1053619. GIMPY.
• Lupkowski, P.; Urbanski, M. (October 2008). "SemCAPTCHA—user-friendly alternative for OCR-based CAPTCHA systems". 2008 International Multiconference on Computer Science and Information Technology: 325–329. doi:10.1109/IMCSIT.2008.4747260. ISBN 978-83-60810-14-9. S2CID 14437411. SemCAPTCHA.
• Celestino, Joaquim; Fernandez, Marcial; Santos, André dos; Ximenes, Pablo (29 October 2006). "A CAPTCHA in the Text Domain". On the Move to Meaningful Internet Systems 2006: OTM 2006 Workshops. Lecture Notes in Computer Science. 4277. Springer, Berlin, Heidelberg: 605–615. doi:10.1007/11915034_84. ISBN 978-3-540-48269-7. ACaptchaInTheTextDomain.
• Bergadano, Francesco; Basso, Alessandro (2010). "Anti-bot Strategies Based on Human Interactive Proofs". Handbook of Information and Communication Security. Springer, Berlin, Heidelberg: 273–291. doi:10.1007/978-3-642-04117-4_15. ISBN 978-3-642-04116-7.
• Chellapilla K., Larson K., Simard P.Y., Czerwinski M. (2005) Building Segmentation Based Human-Friendly Human Interaction Proofs (HIPs). In: Baird H.S., Lopresti D.P. (eds) Human Interactive Proofs. HIP 2005. Lecture Notes in Computer Science, vol 3517. Springer, Berlin, Heidelberg
• Nishigaki, Masakatsu; Yoneyama, Yuta; Kani, Junya; Fujita, Masahiro; Ikeya, Yuki (22 June 2014). "An Image-Based CAPTCHA Using Sophisticated Mental Rotation". Human Aspects of Information Security, Privacy, and Trust. Lecture Notes in Computer Science. 8533. Springer, Cham: 57–68. doi:10.1007/978-3-319-07620-1_6. ISBN 978-3-319-07619-5. AnImage-BasedCAPTCHAUsingSophisticatedMentalRotation.
• Elson, Jeremy; Douceur, John R.; Howell, Jon; Saul, Jared (2007). "Asirra: a Captcha that exploits interest-aligned manual image categorization". In Proceedings of ACM CCS 2007: 366–374. CiteSeerX 10.1.1.187.8153.
• Datta, Ritendra; Li, Jia; Wang, James Z. (2005). "IMAGINATION: A Robust Image-based CAPTCHA Generation System". Proceedings of the 13th Annual ACM International Conference on Multimedia. ACM: 331–334. doi:10.1145/1101149.1101218. S2CID 3175921.
• Cui, J.; Mei, J.; Wang, X.; Zhang, D.; Zhang, W. (November 2009). "A CAPTCHA Implementation Based on 3D Animation". 2009 International Conference on Multimedia Information Networking and Security. 2: 179–182. doi:10.1109/MINES.2009.298. ISBN 978-0-7695-3843-3. S2CID 15470365.
• Kluever, Kurt Alfred; Zanibbi, Richard (2009). "Balancing Usability and Security in a Video CAPTCHA". Proceedings of the 5th Symposium on Usable Privacy and Security. ACM: 14:1–14:11. doi:10.1145/1572532.1572551. ISBN 9781605587363. S2CID 15491724.