The Robustness Of Behavior-verification-based Slider CAPTCHA

CAPTCHA which is Completely Automated Public Turing test to tell Computers and Humans Apart,is a security defense mechanism that is deployed by many websites to verify the legitimacy of users.Text-based CAPTCHAs and image-based CAPTCHAs are widely deployed schemes,but many researches on these CAPTCHAs have revealed that they have high risk of being maliciously attacked.Dynamic Cognitive Game is a CAPTCHA with more interaction with users.It requires users to complete a series of cognitive tasks with game nature,aiming to enhance the users' experience.The behavior-verification-based slider CAPTCHA is a representative DCG CAPTCHA that generally requires users to drag the slider to a specified position or move the mouse according to specified trajectory.During verification,it is necessary not only to judge whether the dragging result is correct but also to analyze and verify the behavior during the sliding process.Although more and more websites deploy behavior-verification-based slider CAPTCHA as the protection mechanism,the robustness and whether it can distinguish legitimate human users and malicious attacks accurately in any scenario are unknown.In this paper,to study the robustness of it,we propose a deep-learning based approach to attack several different behavior-verification-based slider CAPTCHAs.We also introduce a new design of slider CAPTCHA.It hopes to provide a theoretical basis for the website to verify whether the CAPTCHA it deploys is safe,and at the same time to motivate the CAPTCHA designer to propose robust CAPTCHA schemes.The main work of this paper are as follows:(1)A simple and efficient approach is proposed to attack 5 widely deployed behaviorverification-based slider CAPTCHAs which are Taobao CAPTCHA,Geetest CAPTCHA,Netease CAPTCHA,Tencent CAPTCHA and VAPTCHA.The attack process can be divided into two steps,first,detecting the position of notch or target trajectory by an object detection network Faster R-CNN.Then we simulate the behavior of human which contains the movement mode based on the acceleration formula and the movement mode based on the log function proposed in this paper,and then control the mouse to complete the verification.In the end the CAPTCHAs can be cracked with attack success rate ranging from 87.8% to 100%.The experimental results show the most currently deployed behavior-verificationbased slider CAPTCHA are not secure as we imagine.We further discuss whether deep learning technology can improve the robustness of CAPTCHAs by raising the ability of distinguishing the behaviors between human and computers.This paper chooses recurrence plots which is about time and displacement to represent behavior of mouse moving during verification and then uses Convolutional Neural Networks to do binary classification,the classification accuracy can be 98.06%.In order to prove the effectiveness of this method,we implement another two techniques for comparation,one is a time-series classification algorithm with great performance,the other is K-Nearest Neighbor that is a traditional machine learning classification algorithm.(2)This paper also proposes a new slider CAPTCHA based on animated gestures,which is referred to as gesture slider CAPTCHA.The camera maps the user's operation in the real world to the screen,and the users only need to move hands to complete the sliding task of specified trajectory for verification,so we design a hand detection network for real-time detection of hands.Its applicability analysis shows that the CAPTCHA has high human passing rate and short response time,and its security analysis shows the CAPTCHA is difficult to be attacked by illegal users.