
All about uncertainties and traps: Statistical oracle-based attacks on a new CAPTCHA protection against oracle attacks

Hernández-Castro, Carlos Javier, Li, Shujun, R-Moreno, María D. (2020) All about uncertainties and traps: Statistical oracle-based attacks on a new CAPTCHA protection against oracle attacks. Computers & Security, 92 . ISSN 0167-4048. (doi:10.1016/j.cose.2020.101758) (Access to this publication is currently restricted. You may be able to access a copy if URLs are provided) (KAR id:80266)

PDF Author's Accepted Manuscript
Language: English

Restricted to Repository staff only until 10 February 2021.

Creative Commons Licence
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Official URL
https://doi.org/10.1016/j.cose.2020.101758

Abstract

CAPTCHAs are security mechanisms that try to prevent automated abuse of computer services. Many CAPTCHAs have been proposed, but most have known security flaws against advanced attacks. In order to avoid a kind of oracle attack in which the attacker learns ground truth labels via active interactions with the CAPTCHA service as an oracle, Kwon and Cha proposed a new CAPTCHA scheme that employs uncertainties and trap images to generate adaptive CAPTCHA challenges, which we call “Uncertainty and Trap Strengthened CAPTCHA” (UTS-CAPTCHA) in this paper. Adaptive CAPTCHA challenges are used widely (either explicitly or implicitly), but the role of such adaptive mechanisms in the security of CAPTCHAs has received little attention from researchers.

In this paper we present a fundamental statistical design flaw of UTS-CAPTCHA. This flaw leaks information regarding the ground truth labels of the images used. Exploiting this flaw, an attacker can use the UTS-CAPTCHA service as an oracle and perform several different statistical learning-based attacks against UTS-CAPTCHA, increasing any reasonable initial success rate up to 100% according to our theoretical estimation and experimental simulations. Based on our proposed attacks, we discuss how the fundamental idea behind our attacks may be generalized to attack other CAPTCHA schemes, and we propose a new principle and a number of concrete guidelines for designing new CAPTCHA schemes in the future.

Item Type: Article
DOI/Identification number: 10.1016/j.cose.2020.101758
Uncontrolled keywords: CAPTCHA, Uncertainty, Trap images, Machine learning, Image classification, Oracle attacks, Statistical attacks
Subjects: Q Science > QA Mathematics (inc Computing science) > QA 75 Electronic computers. Computer science
Q Science > QA Mathematics (inc Computing science) > QA 76 Software, computer programming,
T Technology > TK Electrical engineering. Electronics. Nuclear engineering > TK5101 Telecommunications > TK5105 Data transmission systems > TK5105.5 Computer networks > TK5105.875.I57 Internet
T Technology > TK Electrical engineering. Electronics. Nuclear engineering > TK5101 Telecommunications > TK5105.888 World Wide Web
T Technology > TK Electrical engineering. Electronics. Nuclear engineering > TK7800 Electronics > TK7880 Applications of electronics > TK7882.P3 Pattern recognition systems
Divisions: Faculties > University wide - Teaching/Research Groups > Centre for Cyber Security Research
Faculties > Sciences > School of Computing
Faculties > Sciences > School of Computing > Security Group
Depositing User: Shujun Li
Date Deposited: 26 Feb 2020 14:00 UTC
Last Modified: 27 Feb 2020 11:54 UTC
Resource URI: https://kar.kent.ac.uk/id/eprint/80266 (The current URI for this page, for reference purposes)
Li, Shujun: https://orcid.org/0000-0001-5628-7328