All about uncertainties and traps: Statistical oracle-based attacks on a new CAPTCHA protection against oracle attacks

Hernández-Castro, Carlos Javier, Li, Shujun, R-Moreno, María D. (2020) All about uncertainties and traps: Statistical oracle-based attacks on a new CAPTCHA protection against oracle attacks. Computers & Security, 92. Article Number 101758. ISSN 0167-4048. (doi:10.1016/j.cose.2020.101758) (KAR id:80266)

Abstract

CAPTCHAs are security mechanisms that try to prevent automated abuse of computer services. Many CAPTCHAs have been proposed, but most have known security flaws against advanced attacks. In order to avoid a kind of oracle attack in which the attacker learns about ground-truth labels via active interactions with the CAPTCHA service as an oracle, Kwon and Cha proposed a new CAPTCHA scheme that employs uncertainties and trap images to generate adaptive CAPTCHA challenges, which we call "Uncertainty and Trap Strengthened CAPTCHA" (UTS-CAPTCHA) in this paper. Adaptive CAPTCHA challenges are used widely (either explicitly or implicitly), but the role of such adaptive mechanisms in the security of CAPTCHAs has received little attention from researchers. In this paper we present a fundamental statistical design flaw of UTS-CAPTCHA. This flaw leaks information about the ground-truth labels of the images used. Exploiting this flaw, an attacker can use the UTS-CAPTCHA service as an oracle and perform several different statistical learning-based attacks against UTS-CAPTCHA, increasing any reasonable initial success rate up to 100% according to our theoretical estimation and experimental simulations. Based on our proposed attacks, we discuss how the fundamental idea behind our attacks may be generalized to attack other CAPTCHA schemes, and we propose a new principle and a number of concrete guidelines for designing new CAPTCHA schemes in the future.
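The abstract describes the general class of attack that UTS-CAPTCHA was designed to resist: the attacker treats the service's accept/reject decision as an oracle and uses repeated interactions to learn the hidden ground-truth labels. The simulation below is an added illustration of that basic oracle attack, not code from the paper and not a model of UTS-CAPTCHA itself (the page gives no details of its uncertainty or trap mechanism). Everything in it is a constructed assumption: a hypothetical image-labelling CAPTCHA that accepts a response when at least k of n answers are correct, a stand-in "classifier" that is right with a fixed probability, and the pass-rate estimator the attacker uses.

```python
"""Toy simulation of a label-learning oracle attack on an image-labelling CAPTCHA.

Constructed example: the CAPTCHA, the threshold rule, the noisy classifier and
all names are assumptions for illustration, not the UTS-CAPTCHA scheme or the
paper's own code.
"""
import random
from collections import defaultdict


class ThresholdCaptcha:
    """Hypothetical CAPTCHA: shows n images from a pool, each with a hidden
    binary ground-truth label, and accepts a response when at least k of the
    n answers are correct. The accept/reject bit is the only thing returned."""

    def __init__(self, labels, n=4, k=3, seed=0):
        self.labels = labels            # image_id -> 0/1, never exposed directly
        self.n, self.k = n, k
        self.rng = random.Random(seed)

    def challenge(self):
        return self.rng.sample(sorted(self.labels), self.n)

    def verify(self, answers):
        correct = sum(self.labels[img] == ans for img, ans in answers.items())
        return correct >= self.k


def noisy_classifier(labels, accuracy, seed):
    """Stand-in for the attacker's initial classifier: right with the given
    probability on each image, otherwise flipped (constructed, not trained)."""
    rng = random.Random(seed)
    return {img: lab if rng.random() < accuracy else 1 - lab
            for img, lab in labels.items()}


def oracle_attack(captcha, prior, queries, explore=0.25, seed=0):
    """Use the accept/reject bit as a statistical oracle.

    Each query answers with the prior label, or its flip with probability
    `explore`. Answering an image correctly raises the chance that the whole
    challenge passes, so the pass *rate* per (image, answer) pair separates
    the true label from the wrong one once enough queries have been made.
    """
    rng = random.Random(seed)
    # img -> answer (0/1) -> [passes, tries]
    stats = defaultdict(lambda: [[0, 0], [0, 0]])
    for _ in range(queries):
        answers = {}
        for img in captcha.challenge():
            guess = prior[img]
            if rng.random() < explore:
                guess = 1 - guess
            answers[img] = guess
        passed = captcha.verify(answers)
        for img, ans in answers.items():
            stats[img][ans][1] += 1
            if passed:
                stats[img][ans][0] += 1
    estimate = {}
    for img, (s0, s1) in stats.items():
        r0 = s0[0] / s0[1] if s0[1] else 0.0
        r1 = s1[0] / s1[1] if s1[1] else 0.0
        estimate[img] = 1 if r1 > r0 else 0
    return estimate


def accuracy(labels, estimate):
    """Fraction of pool images whose estimated label is right (unseen counts as wrong)."""
    return sum(estimate.get(img) == lab for img, lab in labels.items()) / len(labels)


def simulate(pool=20, n=4, k=3, initial=0.6, queries=3000, seed=0):
    """Run one attack; return (accuracy before the attack, accuracy after)."""
    labels = {f"img{i}": i % 2 for i in range(pool)}
    captcha = ThresholdCaptcha(labels, n, k, seed=seed)
    prior = noisy_classifier(labels, initial, seed=seed + 1)
    estimate = oracle_attack(captcha, prior, queries, seed=seed + 2)
    return accuracy(labels, prior), accuracy(labels, estimate)


if __name__ == "__main__":
    before, after = simulate()
    print(f"label accuracy before attack: {before:.2f}, after: {after:.2f}")
```

The attacker never sees a label; it only needs the service's pass/fail decision and enough queries, which is why the abstract describes the service being used "as an oracle" and why a weak initial classifier can be driven towards 100%. With k = n (every answer must be right) each passed challenge reveals its labels outright; with k < n the signal is noisier but still recoverable from pass rates. UTS-CAPTCHA adds uncertainty and trap images to break exactly this correlation between individual answers and the accept bit; the paper's contribution is a statistical attack that works against that adaptive mechanism, which this toy does not model.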

Item Type: Article
DOI/Identification number: 10.1016/j.cose.2020.101758
Uncontrolled keywords: CAPTCHA, Uncertainty, Trap images, Machine learning, Image classification, Oracle attacks, Statistical attacks
Subjects: Q Science > QA Mathematics (inc Computing science) > QA 75 Electronic computers. Computer science
Q Science > QA Mathematics (inc Computing science) > QA 76 Software, computer programming,
T Technology > TK Electrical engineering. Electronics. Nuclear engineering > TK5101 Telecommunications > TK5105 Data transmission systems > TK5105.5 Computer networks > TK5105.875.I57 Internet
T Technology > TK Electrical engineering. Electronics. Nuclear engineering > TK5101 Telecommunications > TK5105.888 World Wide Web
T Technology > TK Electrical engineering. Electronics. Nuclear engineering > TK7800 Electronics > TK7880 Applications of electronics > TK7882.P3 Pattern recognition systems
Divisions: Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing
University-wide institutes > Institute of Cyber Security for Society
Funders: Engineering and Physical Sciences Research Council (https://ror.org/0439y7842)
Depositing User: Shujun Li
Date Deposited: 26 Feb 2020 14:00 UTC
Last Modified: 04 Mar 2024 19:11 UTC
Resource URI: https://kar.kent.ac.uk/id/eprint/80266 (The current URI for this page, for reference purposes)
