Investigation of Dynamic Cognitive Game CAPTCHAs
Existing captcha solutions on the Internet are a major source of user frustration. Game captchas are an interesting and, to date, little studied approach claiming to make captcha solving a fun activity for the users. One broad form of such captchas – called Dynamic Cognitive Game (DCG) captchas – challenge the user to perform a game-like cognitive task interacting with a series of dynamic images. We pursue a comprehensive analysis of a representative category of DCG captchas. We formalize, design and implement such captchas, and dissect them across: (1) fully automated attacks, (2) human-solver relay attacks, and (3) usability. Our results suggest that the studied DCG captchas exhibit high usability and, unlike other known captchas, offer some resistance to relay attacks, but they are also vulnerable to our novel dictionary-based automated attack.
Dynamic Cognitive Game (DCG) CAPTCHAs are a promising new generation of interactive CAPTCHAs aiming to provide improved security against automated and human-solver relay attacks. Unlike existing CAPTCHAs, defeating DCG CAPTCHAs using pure automated attacks or pure relay attacks may be challenging in practice due to the fundamental limitations of computer algorithms (semantic gap) and synchronization issues with solvers. To overcome this barrier, we propose two hybrid attack frameworks, which carefully combine the strengths of an automated program and offline/online human intelligence. These hybrid attacks require maintaining the synchronization only between the game and the bot similar to a pure automated attack, while solving the static AI problem (i.e., bridging the semantic gap) behind the game challenge similar to a pure relay attack. As a crucial component of our framework, we design a new DCG object tracking algorithm, based on color code histogram, and show that it is simpler, more efficient and more robust compared to several known tracking approaches. We demonstrate that both frameworks can effectively defeat a wide range of DCG CAPTCHAs.
Static snapshots of 4 game instances of a representative DCG captcha analysed in the study (targets are static; objects are mobile)
People
Faculty
Student
- Manar Mohamed (@UAB; PhD 2016; now Visiting Assistant Professor at Miami University)
- Song Gao (@UAB; PhD 2014; now Software Engineer at Google)
- Michael Georgescu (@UAB; BS 2014)
External Collaborators:
- Paul C. van Oorschot (@Carleton University; Professor)
- Wei-Bang Chen (@Virginia State University; Assistant Professor)
- Ponnurangam Kumaraguru (@Indraprastha Institute of Information Technology, India; Assistant Professor)
- Niharika Sachdeva (@Indraprastha Institute of Information Technology, India; PhD student)
Publication
- A Three-Way Investigation of a Game-CAPTCHA: Automated Attacks, Relay Attacks and Usability.
Manar Mohamed, Niharika Sachdeva, Michael Georgescu, Song Gao, Nitesh Saxena, Chengcui Zhang, Ponnurangam Kumaraguru, Paul C. Van Oorschot and Wei-Bang Chen
In ACM Symposium on Information, Computer and Communications Security (ASIACCS), June 2014.
[pdf] - Dynamic Cognitive Game CAPTCHA Usability and Detection of Streaming-Based Farming
Manar Mohamed, Song Gao, Nitesh Saxena, and Chengcui Zhang
In the Workshop on Usable Security (USEC), co-located with NDSS, February 2014.
[pdf] - Gaming the Game: Defeating a Game CAPTCHA with Efficient and Robust Hybrid Attacks
Song Gao, Manar Mohamed, Nitesh Saxena, and Chengcui Zhang
In Security and Forensics Track, IEEE International Conference on Multimedia and Expo (ICME), July 2014
[pdf]