Machine Learning Based Attack And Defense Approaches On Authentication Code

Posted on: 2020-02-25
Degree: Doctor
Type: Dissertation
Country: China
Candidate: G X Ye
GTID: 1368330620954552
Subject: Software engineering

Abstract/Summary:
The advancement of Internet technology has promoted the intelligent and automated development of information systems. As an essential line of defense, authentication is used in almost all information systems. Pattern locks on smartphones and text-based captchas on websites have emerged along with advances in smart mobile terminal devices and image processing technologies. In this dissertation, we refer to these collectively as authentication codes. Although many new authentication technologies exist, authentication codes are simple to deploy, low in cost, easy to maintain, and easy to use, so they will remain the most critical authentication method now and for the foreseeable future, especially in information systems with high security requirements, where they have become the primary authentication method in multi-factor authentication schemes. Since their introduction, the security of authentication codes has received close attention from security researchers, and it is still a hot research topic. Although a large body of research analyzes and evaluates the security of authentication codes, current authentication codes face more and more security problems, and the threats are becoming more serious.

There are several reasons for this situation:

(1) Existing research methods pay too much attention to a specific authentication code and do not propose a general security evaluation method or a comparison of the required conditions, which makes prior attack methods invalid in real attack scenarios, so that academic work has not promoted changes in industry.

(2) Security research on the Android pattern lock often requires knowledge of multiple disciplines, such as image processing, machine learning, social engineering, and geometry.

(3) The development and breakthroughs of machine learning technology in the past decade have brought new challenges and opportunities to the security of image authentication codes. Previous research has not fully utilized the advantages of machine learning technology, so existing research methods are not well integrated with the essential problem of authentication codes.

Considering the above problems, this dissertation makes full use of the advantages of machine learning technology and, drawing on image processing, geometry, and transfer learning, studies the security of authentication codes from a new perspective in the following four aspects. The main work is as follows:

(1) Propose a new video side-channel attack for pattern lock. Video side-channel attacks are favored by security researchers because of their low attack cost, strong attack capability, and high success rate. Existing attack methods are inconvenient and require professional equipment, and it is difficult to complete the attack successfully in a real attack scenario. To this end, this dissertation proposes to infer the graphical password entered by the user from the motion trajectory of the fingertip in the unlocking video. Specifically, a video of the user unlocking the device is captured with a smartphone camera from any concealed angle, a target tracking algorithm then tracks the motion trajectory of the user's fingertip, and finally the graphical password entered by the user is determined by extracting geometric features of the motion trajectory. A large number of experimental results show that the effective attack distance of this method is 2-3 meters and the attack success rate is above 95%. We also found that this type of attack cracks complex graphical passwords more easily, which overturns the common perception of graphical password security and provides new ideas for the security of graphical passwords.

(2) A new character segmentation-based attack approach on text-based captcha is proposed. Existing methods based on character segmentation are only effective for a specific text-based captcha scheme and require a large amount of expert knowledge to adjust the segmentation parameters, which greatly reduces attack efficiency, and a small change to the captcha can make them invalid. This dissertation proposes a character segmentation model based on a generative adversarial network. The model can enlarge the spacing between adjacent characters in a text-based captcha so that the characters can be effectively segmented. Based on the character segmentation model, a number of machine learning methods are used to construct the captcha solver. The experimental results show that the character segmentation method can effectively segment the touching and distorted characters in a text captcha, and the recognition model based on the character segmentation algorithm can break the six text-based captcha schemes used by mainstream websites in all experiments.

(3) Present an end-to-end transfer learning-based attack method on text-based captcha. Breakthroughs in deep learning technology have made text-based captchas face new security challenges. Existing deep learning-based attack methods require millions of real samples from the target site, and collecting and labeling such a large amount of data is very difficult, especially since almost all major websites currently use anti-crawling mechanisms. To reduce the attack cost, this dissertation constructs a data generation model that can generate any number of text-based captchas similar to those of the target website, and uses the data synthesized by the generation model to train the captcha solver. To further reduce the over-fitting caused by the generated data, transfer learning is used to fine-tune the captcha solver with a small number of target captchas. The experimental results show that the resulting solver can crack all the captcha schemes used by the current mainstream websites, and the average crack rate is more than 40% higher than that of the existing methods.

(4) Explore security protection schemes for the authentication code. For the pattern lock, the corresponding protection method is designed by analyzing the key factors of the current video side-channel attack method. For the text-based captcha, a protection scheme based on adversarial examples is proposed. By adding imperceptible adversarial perturbations to the text-based captcha, attack methods based on deep learning models are invalidated. The experimental results show that the designed protection scheme can effectively resist the existing attack methods without affecting usability.

Keywords/Search Tags:Machine Learning, Side-channel Attack, Authentication, Low Cost, Generative Adversarial Network