FaceDCAPTCHA: Face detection based color image CAPTCHA

https://doi.org/10.1016/j.future.2012.08.013Get rights and content

Abstract

With data theft and computer break-ins becoming increasingly common, there is a great need for secondary authentication to reduce automated attacks while posing a minimal hindrance to legitimate users. CAPTCHA is one of the possible ways to classify human users and automated scripts. Though text-based CAPTCHAs are used in many applications, they pose a challenge due to language dependency. In this paper, we propose a face image-based CAPTCHA as a potential solution. To solve the CAPTCHA, users must correctly identify visually-distorted human faces embedded in a complex background without selecting any non-human faces. The proposed algorithm generates a CAPTCHA that offers better human accuracy and lower machine attack rates compared to existing approaches.

Introduction

Completely Automated Public Turing Test to Tell Computers and Humans Apart or CAPTCHA is designed to distinguish between genuine users and automated scripts  [1]. The objective of CAPTCHA is to ensure proper service to genuine users while minimizing the attacks by bots. CAPTCHAs are being used for several services including web and financial services, and to provide security against malicious attacks. Research in CAPTCHA has focused on developing tests that are easy for humans to solve and difficult for automated approaches. Several kinds of challenges can be posed by automatic scripts. For instance, scripts or bots can put a heavy load on the servers and enforce a DoS attack, generate multiple fake accounts (in case of registration forms) which are not profitable to both the service provider and the client  [2]. Existing CAPTCHA algorithms can be broadly grouped into three classes: (1) text-based, (2) image-based, and (3) video- and audio-based CAPTCHAs.

Text-based CAPTCHAs are the most common and widely used form. These CAPTCHAs require the users to decipher text that has been visually distorted and rendered as an image. AltaVista CAPTCHA, one of the first text CAPTCHAs, was taken from an optical character recognition (OCR) manual. Distortions were incorporated that were known to reduce OCR accuracy  [3]. GIMPY CAPTCHA, similar to the AltaVista CAPTCHA  [3], [4], used English dictionary words. However, Mori and Malik showed that it can be broken and an attack rate of 92% was achieved against EZ-GIMPY  [5], a variant of GIMPY. Further variation by Moy et al.  [6] boosted the attack rate to 99%. A major shortcoming of these early approaches was vulnerability to segmentation, where each character could be identified in isolation. This greatly simplifies attacks using optical character recognition techniques. One solution was proposed to design the CAPTCHA such that one-to-one mapping between characters and outlines was distorted. For example, two characters might be connected or one might be split into multiple parts. In the ScatterType CAPTCHA, for example, individual characters were segmented into pieces and then systematically scattered so that they are difficult to reassemble  [7]. Megaupload CAPTCHA proposed to use overlapping characters whereas MSN CAPTCHA introduced lines connecting individual characters; however, both have high attack rates of 78% or more  [3], [8], [9], [10]. BaffleText’s approach of rendering a mottled black-and-white background and then performing different masking operations with overlapping text was more successful, being attacked in only 25% of the attempts  [11]. Different masking techniques similar to BaffleText have subsequently been incorporated into other CAPTCHAs  [12].

Rather than designing tests to be non-recognizable via OCR, some CAPTCHAs have taken an approach of using handwritten text images already known to fail optical character recognition. A database of text images obtained from handwritten mail addresses that could not be detected automatically were used in such CAPTCHAs. When full city names were used, humans were able to identify the word 100% of the time but the computer success rate was about 9%  [13]. Similarly, reCAPTCHA was designed using the text images scanned from book digitization projects  [12]. In reCAPTCHA, users were presented with two text images (one of a word that was unknown and one whose text had been previously determined) and asked to enter both words. The previously-known word served as the test while the currently-unknown word’s results were stored to help identify that word for future use. Researchers have shown that the success attack rate for reCAPTCHA is between 5% and 30%  [14]. Examples of existing text CAPTCHAs are shown in Fig. 1.

As an alternative to text, several CAPTCHA applications utilize image classification or recognition tasks as part of their test  [15]. One basic image-based CAPTCHA is ESP-PIX in which a collection of images are shown and the user has to select a description from a predefined list of categories  [16], [17]. KittenAuth, a variant of image CAPTCHA, poses images of cats to the user  [18]. Asirra is similar to KittenAuth and uses a closed database to source the images  [19]. These image-based CAPTCHAs demonstrate a common weakness—a small number of possible solutions for which random guessing can have a high likelihood of success. A number of other CAPTCHAs rely upon composites of multiple embedded images rather than discrete images as with the previous models. The Scene Tagging CAPTCHA requires identifying relationships and relative placement of different images  [20]. On the other hand, MosaHIP requires dragging descriptors and dropping them on top of embedded images in a collage  [21]. Recently, a new design technique has been proposed that uses recognition of geometric patterns. The IMAGINATION CAPTCHA combines geometric shape recognition with categorization in a two-step process. Users have to first mark the center point of an embedded image and then select an appropriate category based on a predefined list to describe that image  [22]. The results show a human success rate of approximately 70% with a machine random guess rate of about 0.0005%  [22]. Fig. 2 shows a sample of existing image CAPTCHAs.

Other than text and image CAPTCHAs, video and audio CAPTCHAs have also been proposed. Video-based CAPTCHAs function by posing the tagged videos with descriptive text. In the tests by Kluever, humans achieved an accuracy of 90% in identifying video descriptions while machine attack rates were approximately 13%  [3], [23]. To provide access for visually-impaired users, audio CAPTCHAs are used as an alternative to standard visual CAPTCHAs. These work by playing a recording of words or letters which users are then asked to enter. However, these CAPTCHAs have high computer attack rates using a speech recognition approach  [24], [25], [26]. Specifically, the audio CAPTCHAs used by Digg and Google have a successful attack rate of about 70%  [24].

Making CAPTCHAs resilient to attacks by advanced scripts increases the complexity of the tests and language dependency  [15]. In some cases, the difficulty has reached levels that are hard even for humans to solve. Since image CAPTCHAs provide language independence and improved user convenience compared to traditional approaches, recent research has focused on developing image-based CAPTCHAs  [18], [19], [22]. This research presents a color image CAPTCHA that uses complex face detection as a test. The proposed CAPTCHA is a successor of previously proposed face image-based CAPTCHA  [27]. In the preliminary version  [27], up to five human and non-human face images were selected and embedded on a complex background to create an image CAPTCHA. To solve the CAPTCHA, users had to select all embedded human faces without any false clicks. On a large scale evaluation, we achieved an average accuracy of 80% by human users whereas face detection algorithms achieved 11% accuracy on correctly breaking the CAPTCHA.

In this paper, we present FaceDCAPTCHA—face detection based CAPTCHA, in which four to six distorted face/non-face images are embedded in a complex background and a user has to correctly mark the center of all the face images within a defined tolerance. While generating a CAPTCHA, the proposed algorithm leverages the limitations of state-of-the-art automatic face detection algorithms. The CAPTCHA is created in a way that while it is difficult for automatic face detection algorithms to break, it is easy for human users to solve. Also, by incorporating human response in the parameter optimization process, the performance of the FaceDCAPTCHA is enhanced both in terms of higher human performance and lower attack rates by automatic algorithms. The next section provides the details of the proposed algorithm and Section  3 presents the experimental results and key observations.

Section snippets

The proposed FaceDCAPTCHA algorithm

Even after decades of research in face detection, there are several challenges in designing effective and accurate face detection algorithms. For example, as shown in Fig. 3, combinations of rotation, noise, blur, background, and occluding key facial features such as eyes and mouth can cause face detection algorithms to fail. On the other hand, the human mind is very effective in segmenting natural faces and one can easily detect such faces even with a complex background and partial/hidden

Experimental results and analysis

The proposed FaceDCAPTCHA is evaluated with over 1300 human users and the performance is compared with the automatic face detection algorithm. This section presents the description of images used to generate the CAPTCHA, experimental protocol, and key results.

Conclusion

This paper presents the FaceDCAPTCHA1 algorithm that utilizes the difference between face detection capabilities of humans and automated algorithms. By combining face detection with visual distortions optimized through a training–testing process, it is possible to create a test that is simple for human users to solve while effectively eliminating automated attacks. The proposed methodology offers major benefits over traditional text-based

Gaurav Goswami received his Bachelor in Technology degree in Information Technology in 2012 from the Indraprastha Institute of Information Technology (IIIT) Delhi, India where he is currently pursuing a Ph.D. His main areas of interest are image processing, computer vision and their application in biometrics.

References (32)

  • A. Basso et al.

    Preventing massive automated access to web resources

    Computers and Security

    (2009)
  • S. Shirali-Shahreza, M.H. Shirali-Shahreza, Bibliography of works done on CAPTCHA, in: Proceedings of the 3rd...
  • J. Mirkovic et al.

    A taxonomy of ddos attack and ddos defense mechanisms

    ACM SIGCOMM Computer Communication Review

    (2004)
  • K.A. Kluever, Evaluating the usability and security of a video CAPTCHA, Master’s Thesis, Rochester Institute of...
  • H.S. Baird, K. Popat, Human interactive proofs and document image analysis, in: Document Analysis Systems, 2002, pp....
  • G. Mori, J. Malik, Recognizing objects in adversarial clutter: breaking a visual CAPTCHA, in: Proceedings of the IEEE...
  • G. Moy, N. Jones, C. Harkless, R. Potter, Distortion estimation techniques in solving visual CAPTCHAs, in: Proceedings...
  • H.S. Baird, T. Riopka, Scattertype: a reading CAPTCHA resistant to segmentation attack, in: Proceedings of the SPIE...
  • A.S. El Ahmad, J. Yan, L. Marshall, The robustness of a new CAPTCHA, in: Proceedings of the 3rd European Workshop on...
  • J. Yan, A.S. El Ahmad, A low-cost attack on a Microsoft CAPTCHA, in: Proceedings of the 15th ACM Conference on Computer...
  • P.S. Richard, R. Szeliski, J. Benaloh, J. Couvreur, I. Calinov, Using character recognition and segmentation to tell...
  • M. Chew, H.S. Baird, Baffletext: a human interactive proof, in: Proceedings of the Document Recognition and Retrieval,...
  • L. von Ahn et al.

    ReCAPTCHA: human-based character recognition via web security measures

    Science

    (2008)
  • A. Rusu, V. Govindaraju, Handwritten CAPTCHA: using the difference in the abilities of humans and machines in reading...
  • P. Baecher et al.

    Breaking reCAPTCHA: a holistic approach via shape recognition

    Future Challenges in Security and Privacy for Academia and Industry

    (2011)
  • J. Yan, A.S. El Ahmad, Usability of CAPTCHAs or usability issues in CAPTCHA design, in: Proceedings of the 4th...
  • Cited by (58)

    • BASECASS: A methodology for CAPTCHAs security assurance

      2021, Journal of Information Security and Applications
    • Two-stage human verification using HandCAPTCHA and anti-spoofed finger biometrics with feature selection

      2021, Expert Systems with Applications
      Citation Excerpt :

      A study on IRC is briefed in Table 3, and the numbers of images in respective CDAs are given within parenthesis in column 3. The human faces are used in faceCAPTCHA (Goswami et al., 2012) and faceDCAPTCHA (Goswami et al., 2014). Though, the face as a biometric trait and security analyses are not explored in those works.

    • A survey of CAPTCHA technologies to distinguish between human and computer

      2020, Neurocomputing
      Citation Excerpt :

      In addition, the latest version of No CAPTCHA reCAPTCHA [114] that was developed by Google further improves the usability of image CAPTCHAs, as shown in Fig. 27. However, the security of an image CAPTCHA, which is based on semantic content understanding, also faces the challenge of developing image recognition technology [157,158]. For example, by using deep learning technology that has been popular in recent years, Sivakorn et al. successfully cracked Google's version of No CAPTCHA reCAPTCHA.

    View all citing articles on Scopus

    Gaurav Goswami received his Bachelor in Technology degree in Information Technology in 2012 from the Indraprastha Institute of Information Technology (IIIT) Delhi, India where he is currently pursuing a Ph.D. His main areas of interest are image processing, computer vision and their application in biometrics.

    Brian M. Powell received his M.S. in Computer Science from West Virginia University, USA in 2006. He is currently a Doctoral student in the Lane Department of Computer Science and Electrical Engineering at West Virginia University. His areas of interest are human interactive proofs, human computation, user interface design and computer science education. He is a member of the IEEE, Computer Society and the Association for Computing Machinery. He is also a member of the Phi Kappa Phi, Upsilon Pi Epsilon and Sigma Zeta honor societies. He was the recipient of the West Virginia University Foundation Distinguished Doctoral Fellowship.

    Mayank Vatsa received his M.S. and Ph.D. degrees in computer science in 2005 and 2008, respectively from West Virginia University, Morgantown, USA. He is currently an Assistant Professor at the Indraprastha Institute of Information Technology (IIIT) Delhi, India. He has more than 100 publications in refereed journals, book chapters, and conferences. His research has been funded by the UIDAI and DIT. He is the recipient of FAST award by DST, India. His areas of interest are biometrics, image processing, computer vision, and information fusion. Dr. Vatsa is a member of the IEEE, Computer Society and Association for Computing Machinery. He is also a member of the Golden Key International, Phi Kappa Phi, Tau Beta Pi, Sigma Xi, Upsilon Pi Epsilon, and Eta Kappa Nu honor societies. He is the recipient of 11 best paper and best poster awards in international conferences. He is also an area editor of IEEE Biometric Compendium.

    Richa Singh received her M.S. and Ph.D. degrees in computer science in 2005 and 2008, respectively from West Virginia University, Morgantown, USA. She is currently an Assistant Professor at the Indraprastha Institute of Information Technology (IIIT) Delhi, India. Her research has been funded by the UIDAI and DIT, India. She is a recipient of FAST award by DST, India. Her areas of interest are biometrics, pattern recognition, and machine learning. She has more than 100 publications in refereed journals, book chapters, and conferences. She is also an editorial board member of Information Fusion, Elsevier. Dr. Singh is a member of the CDEFFS, IEEE, Computer Society and the Association for Computing Machinery. She is also a member of the Golden Key International, Phi Kappa Phi, Tau Beta Pi, Upsilon Pi Epsilon, and Eta Kappa Nu honor societies. She is the recipient of 11 best paper and best poster awards in international conferences.

    Afzel Noore received his Ph.D. in Electrical Engineering from West Virginia University, USA. He was a Digital Design Engineer with Philips, India. From 1996 to 2003, he was the Associate Dean for Academic Affairs and Special Assistant to the Dean in the College of Engineering and Mineral Resources, West Virginia University. He is currently a Professor in the Lane Department of Computer Science and Electrical Engineering. His research interests include CAPTCHA based security, computational intelligence, biometrics, software reliability modeling, machine learning, hardware description languages and quantum computing. His research has been funded by NASA, the National Science Foundation, Westinghouse, General Electric, Electric Power Research Institute, the US Department of Energy, the US Department of Justice and the Army Research Lab. He serves on the Editorial Boards of Recent Patents on Engineering, the Open Nanoscience Journal and the International Journal of Multimedia Intelligence and Security. He has over 100 publications in refereed journals, book chapters and conferences. He has received several outstanding teacher and outstanding researcher awards. He is a Senior Member of the IEEE and member of Phi Kappa Phi, Sigma Xi, Eta Kappa Nu and Tau Beta Pi honor societies. He is the recipient of seven best paper and best poster awards in international conferences.

    View full text