Enhancing security and usability from a human perspective on the World Wide Web

Descriptive

TitleInfo
Title
Enhancing security and usability from a human perspective on the World Wide Web
Name (type = personal)
NamePart (type = family)
Lorenzi
NamePart (type = given)
David
DisplayForm
David Lorenzi
Role
RoleTerm (authority = RULIB)
author
Name (type = personal)
NamePart (type = family)
Vaidya
NamePart (type = given)
Jaideep
DisplayForm
Jaideep Vaidya
Affiliation
Advisory Committee
Role
RoleTerm (authority = RULIB)
chair
Name (type = personal)
NamePart (type = family)
Atluri
NamePart (type = given)
Vijayalakshmi
DisplayForm
Vijayalakshmi Atluri
Affiliation
Advisory Committee
Role
RoleTerm (authority = RULIB)
internal member
Name (type = personal)
NamePart (type = family)
Adam
NamePart (type = given)
Nabil
DisplayForm
Nabil Adam
Affiliation
Advisory Committee
Role
RoleTerm (authority = RULIB)
internal member
Name (type = personal)
NamePart (type = family)
Sural
NamePart (type = given)
Shamik
DisplayForm
Shamik Sural
Affiliation
Advisory Committee
Role
RoleTerm (authority = RULIB)
outside member
Name (type = corporate)
NamePart
Rutgers University
Role
RoleTerm (authority = RULIB)
degree grantor
Name (type = corporate)
NamePart
Graduate School - Newark
Role
RoleTerm (authority = RULIB)
school
TypeOfResource
Text
Genre (authority = marcgt)
theses
OriginInfo
DateCreated (qualifier = exact)
2016
DateOther (qualifier = exact); (type = degree)
2016-10
CopyrightDate (encoding = w3cdtf); (qualifier = exact)
2016
Place
PlaceTerm (type = code)
xx
Language
LanguageTerm (authority = ISO639-2b); (type = code)
eng
Abstract (type = abstract)
Completely Automated Public Turing tests to tell Computers and Humans Apart, or CAPTCHAs, play a pivotal role in governing access to resources made available on the World Wide Web. In an age where online resources can be exploited by those with the ability to leverage automation to utilize these resources outside of their intended use cases, CAPTCHAs provide a method for testing if a particular user who wishes to conduct an activity or consume a resource is a human or a bot. CAPTCHAs achieve this security through the use of a hard AI problem as a challenge response to a request for resources - specifically a task that is easy for a human to solve quickly but difficult or impossible for a computer to solve in the same amount of time. When used in conjunction with other methods of online access and form control, CAPTCHAs can help secure the Web from automated exploitation, bots, spam, and other such abuses. CAPTCHAs are a perpetually evolving area of research, due in part to their function as a security method, and consequently are forever embroiled in an arms race between blackhats developing new attacks against best-of-breed CAPTCHAs currently deployed and whitehats trying to defend their resources against these attacks with new styles of CAPTCHA and techniques to defeat attack methods. This dissertation focuses primarily on Image Recognition CAPTCHAs, or IRCs, as the CAPTCHA of choice to provide reasonable security for the Web while maintaining acceptable usability for humans. Two attack methods researched for defeating IRC challenges are discussed, one which focuses on outright attempts at image classification through the use of a specialized neural network (HTMs), and another which utilizes web services to exploit metadata associated with images to circumvent performing the image classification task and still correctly answer the challenge. Two defensive methods researched and developed for securing IRC challenges against these types of attacks are also discussed.
The first method focuses on the addition of noise to an image to prevent an attacker from being able to effectively leverage web services to gather metadata and other useful data typically needed by computer vision algorithms, such as structure, patterns, or colors from the image. The second is designed to stop computer vision (CV) algorithms and web services from being able to extract contextual information and metadata from an image through the application of a series of image filters, yet allow a human to still discern this information. User studies are provided for both defensive methods to test the real-world usability of the method in practice on an IRC, as well as the CAPTCHA design style they were implemented in, of which we provide a number of variations. An in-depth discussion on CAPTCHA theory and design considerations, as well as an overview of some new, original CAPTCHA designs, is presented for the reader. Analysis of and speculation on the future direction in which CAPTCHAs could develop are provided as well. Finally, coverage of the design and implementation of a scalable and robust IRC that relies on a human being able to detect contextual information from an image to solve the challenge is demonstrated as the culmination of this body of research.
Subject (authority = RUETD)
Topic
Management
RelatedItem (type = host)
TitleInfo
Title
Rutgers University Electronic Theses and Dissertations
Identifier (type = RULIB)
ETD
Identifier
ETD_7714
PhysicalDescription
Form (authority = gmd)
electronic resource
InternetMediaType
application/pdf
InternetMediaType
text/xml
Extent
1 online resource (xiv, 156 p. : ill.)
Note (type = degree)
Ph.D.
Note (type = bibliography)
Includes bibliographical references
Subject (authority = ETD-LCSH)
Topic
Computer security
Subject (authority = ETD-LCSH)
Topic
Access control
Subject (authority = ETD-LCSH)
Topic
Internet--Security measures
Note (type = statement of responsibility)
by David Lorenzi
RelatedItem (type = host)
TitleInfo
Title
Graduate School - Newark Electronic Theses and Dissertations
Identifier (type = local)
rucore10002600001
Location
PhysicalLocation (authority = marcorg); (displayLabel = Rutgers, The State University of New Jersey)
NjNbRU
Identifier (type = doi)
doi:10.7282/T3DF6TJP
Genre (authority = ExL-Esploro)
ETD doctoral

Rights

RightsDeclaration (ID = rulibRdec0006)
The author owns the copyright to this work.
RightsHolder (type = personal)
Name
FamilyName
Lorenzi
GivenName
David
Role
Copyright Holder
RightsEvent
Type
Permission or license
DateTime (encoding = w3cdtf); (qualifier = exact); (point = start)
2016-10-02 14:53:51
AssociatedEntity
Name
David Lorenzi
Role
Copyright holder
Affiliation
Rutgers University. Graduate School - Newark
AssociatedObject
Type
License
Name
Author Agreement License
Detail
I hereby grant to the Rutgers University Libraries and to my school the non-exclusive right to archive, reproduce and distribute my thesis or dissertation, in whole or in part, and/or my abstract, in whole or in part, in and from an electronic format, subject to the release date subsequently stipulated in this submittal form and approved by my school. I represent and stipulate that the thesis or dissertation and its abstract are my original work, that they do not infringe or violate any rights of others, and that I make these grants as the sole owner of the rights to my thesis or dissertation and its abstract. I represent that I have obtained written permissions, when necessary, from the owner(s) of each third party copyrighted matter to be included in my thesis or dissertation and will supply copies of such upon request by my school. I acknowledge that RU ETD and my school will not distribute my thesis or dissertation or its abstract if, in their reasonable judgment, they believe all such rights have not been secured. I acknowledge that I retain ownership rights to the copyright of my work. I also retain the right to use all or part of this thesis or dissertation in future works, such as articles or books.
Copyright
Status
Copyright protected
Availability
Status
Open
Reason
Permission or license

Technical

RULTechMD (ID = TECHNICAL1)
ContentModel
ETD
OperatingSystem (VERSION = 5.1)
windows xp
CreatingApplication
Version
1.5
ApplicationName
MiKTeX pdfTeX-1.40.17
DateCreated (point = end); (encoding = w3cdtf); (qualifier = exact)
2016-10-12T12:37:01