Drawing CAPTCHA - IEEE Xplore

Mohammad Shirali-Shahreza
Computer Science Department, Sharif University of Technology, Azadi Street, Tehran, Iran
shirali@cs.sharif.edu

Sajad Shirali-Shahreza
Computer Engineering Department, Sharif University of Technology, Azadi Street, Tehran, Iran

Abstract. Nowadays, many daily human activities such as education, commerce, talks, etc. are carried out through the Internet. In cases such as registering on websites, some hackers write programs to make automatic false enrolments, which waste the resources of the website and may even stop the entire website from working. Therefore, it is necessary to tell apart human users from computer programs; methods for doing so are known as CAPTCHA (Completely Automated Public Turing test to tell Computers and Human Apart). CAPTCHA methods are mainly based on the weak points of OCR (Optical Character Recognition) systems, but using them is undesirable to human users and especially difficult on devices such as PDAs or mobile phones that lack a big keyboard. On the other hand, the use of Internet services has also expanded on such devices. This paper provides a method to tell apart human users from computer programs by drawing lines with the PDA light pen. In this method, numerous dots are drawn on a screen with a noisy background, some of which differ from the others, and the user has to connect these to each other. Considering the weakness of computers in identifying these dots, the human user can be distinguished from the computer program. The proposed method was implemented in the Java programming language.

Keywords. Completely Automated Public Turing test to tell Computers and Human Apart (CAPTCHA), Human-Computer Interaction, Implicit CAPTCHA, Optical Character Recognition (OCR), PDA, Mobile Phone.

1. Introduction

Many aspects of human life have been affected by the expansion of the world-wide web, so that, in industrial countries, many daily affairs from daily shopping to education and commerce are all carried out on the Internet. One of the common actions on most web sites, especially commercial and administrative ones, is to fill out registration forms for certain purposes. After filling out the forms by entering the required information, individuals are allowed to connect to that web site to carry out certain jobs.

Unfortunately, there are individuals nowadays who break the law by such acts of vandalism as writing programs that make automatic false registrations on a web site. These programs automatically fill out a form with incorrect information to enroll in the site. This wastes a large volume of the resources of the site in favor of the profit-seeking programmers or reduces the performance of the system. Such attacks are known as 'Denial of Service' (DoS) attacks.

Various methods have been presented to prevent such attacks, aiming at distinguishing human users from computer programs. The main characteristic of these methods should be that they are automatic, so that they can be carried out by the computer alone, because examining a large bulk of registrations on Internet web sites by human staff requires a great deal of time and expense, and in some cases, such as web sites providing email services, using human staff to examine the registration forms is practically impossible. Therefore, it is necessary to use automatic systems to distinguish human users from computer programs.

In discussions of artificial intelligence (AI), a test known as the Turing test is used for proving the intelligence of a computer. In this test, a human and a computer are put in two different rooms and a human interrogator in a third room asks them questions. If the interrogator cannot recognize which room the computer is in and which room the human is in, it is said that the computer has passed the Turing test.

Int. Conf. Information Technology Interfaces ITI, June, Cavtat, Croatia

A method similar to the Turing test should be used to distinguish human users from computer programs, with the difference that the human interrogator is replaced by a computer, which asks questions to distinguish the human user from the computer program. This method is called CAPTCHA (Completely Automated Public Turing test to tell Computers and Human Apart). The main focus of this method is, therefore, on questions that the human user can easily answer but which present computer programs are hardly likely to be able to answer.

One of the methods used for distinguishing human users from computer programs is the use of pictures of words. It is based on the weak points of optical character recognition (OCR) programs. OCR programs are used for automatically reading texts, but they have difficulty reading texts printed with low quality or reading manuscripts, and can only recognize high-quality typed texts that use common standard formats. This defect of OCR programs can be taken advantage of by changing the picture of a word so that it can be recognized only by a human user but not by any OCR program. Section 2 elaborates further on the methods used for this purpose.

The CAPTCHA method is now used on big web sites such as Yahoo! or Hotmail for the registration of users. At the same time, in recent years methods have been proposed for overcoming these methods and automatically recognizing such word images [10, 11]. However, these CAPTCHA methods usually disturb the users and also cannot be run on all systems: on mobile phones, for example, it is very difficult to type words, while there is an increasing need to tell apart human users from computer programs even on such small portable devices as mobile phones and PDAs. An example is the growth of e-banking services or email services on mobile phones and PDAs, for which it is necessary to use CAPTCHA methods so as to prevent any hacking.

This paper, considering the special characteristics of PDAs and the difficulty of using the keyboard on these devices, presents a new CAPTCHA method based on drawing lines with the PDA light pen. In this method, numerous dots are drawn on a screen with a noisy background and the user is asked to connect certain dots to each other. In view of the problems that computers face in recognizing the dots from the noise, only a human user can easily identify the special dots and connect them to each other. In section 3, a full description of this idea and its experimental result is provided. Unlike the other CAPTCHA methods, this program can be used by speakers of any language in any age group and can be run on devices with more limited resources than a computer. In section 4, the advantages and disadvantages of this method are discussed. Section 5 is the final conclusion.

2. Previous works

Andrei Broder et al. first devised the CAPTCHA method in 1997. In the same year, the Altavista web site used this method to tell computer programs and humans apart. In this method, a distorted English word was shown to the user and the user was asked to type it (Fig. 1). The distortion was such that OCR programs could not recognize the word [2]. These systems were known as CAPTCHA systems and are now used on most well-known web sites such as Yahoo! and Microsoft. Below we elaborate further on these methods.

Figure 1. An Altavista CAPTCHA word [2]

2.1. The Gimpy method [4]

The Gimpy method was prepared at Carnegie Mellon University to distinguish human users from computer programs. In this method, a word is chosen from a dictionary and, after applying such changes as adding black or white lines, making linear changes, etc., it is shown as an image and the user is asked to type it properly. As this method takes its words from a dictionary of 860 words, it can easily be broken, as shown in [10]. Yahoo! uses a simple version of this method, known as EZ-Gimpy (Fig. 2), for distinguishing human users from computer programs, to prevent the repeated creation of user accounts by destructive computer programs.


Figure 2. Some Yahoo CAPTCHA words [15]

2.2. The Baffletext method [6]

In the Baffletext method, words that are not provided in English dictionaries are produced, and then the picture of the word is changed with different degrees of ease or difficulty. Although words with a high degree of difficulty can be used in this method, the produced words will also be difficult for human users to distinguish.

2.3. Using handwritten words [13]

The other method is to use handwritten words. In this method a databank of the handwritten names of American cities, extracted from letters mailed by people, is prepared. In order to tell humans and computer programs apart, the image of the name of a city is selected and shown to the user and the user is asked to type it correctly. This method contains word images with a bad quality, some of which are hard to recognize even for human users.

2.4. The PayPal method [12]

The PayPal web site provides services for electronic payment of money. It uses distorted words to tell human users and computer programs apart. Unfortunately, PayPal has not published any details of the method. However, considering the large distance between the characters, it is apparently not difficult for OCR programs to recognize the characters.

2.5. Using dynamic visual patterns [8]

In this method, words are printed on a background of visual patterns, e.g. the text is printed on a background of black circles, and then shown to distinguish human users from computer programs. Although it is difficult for computer programs to recognize these words, they are difficult for human users to read as well.

2.6. The Hotmail method [9]

In the registration for the Hotmail email service, which belongs to Microsoft Corporation, another CAPTCHA method is used. In this method, a string of English characters is randomly selected and, after making some changes to the characters, their images are shown to the user and he is asked to type them. This method draws on research on OCR systems, which shows that character segmentation is the most difficult task of an OCR system. Therefore, an attempt has been made to change the words so that they cannot be easily separated from each other. As seen in Fig. 3, curves are used to make separation as difficult as possible. As a result, although separation of these characters is simple for human users, it cannot be done by the present programs. In this method, because of the curves put between characters, sometimes some of the characters are read differently and sometimes additional characters are created.

Figure 3. Some Hotmail CAPTCHA words [9]

2.7. The Scatter Type method [3]

Similarly to 2.6, this method mainly emphasizes the separation of characters, i.e. the characters are changed so that they cannot be separated easily. For this purpose, each of the characters is broken into pieces and then the pieces are moved. This makes it difficult for the present OCR systems to separate the characters because the characters in this method are broken into a large number of pieces. On the other hand, the characters are randomly selected so that a dictionary cannot be used to predict the words.

2.8. The Pessimal Print method [7]

This method is based on one of the major weaknesses of present-day OCR systems, i.e. their inability to recognize characters printed with low quality. Therefore, the quality of the printed characters is lowered artificially so as to prevent the activity of destructive programs. However, this method does not resist attacks well, and the words may be restored to their primary quality by reversing the changes, making the words recognizable by OCR systems [10].


2.9. Implicit CAPTCHA [1]

The common methods to tell human users and computer programs apart usually trouble the user because he has to read a text that is usually very difficult to read and then type it. In the Implicit CAPTCHA methods, however, the user only has to make a simple click. For example, the picture of a mountain is shown to the user and he is asked to click on its top, or a number of words are shown in an image and the user is asked to click on a specific word. This seems to be an easier method for the users, although it is costlier. This method has many similarities to our suggested method. We will compare these two methods in section 3.

2.10. The PIX recognition method [4]

In this method, ordinary pictures (instead of pictures of words) are used to tell human users and computer programs apart. A library of pictures with different subjects is prepared for this method, and a number of these pictures that have a similar subject are selected and shown to the user, who is asked to select the subject of the pictures from among the subjects shown. However, this method requires a large space for keeping the pictures, and the library should also be very extensive, which requires large expenses.

2.11. Text-to-Speech conversion method [5]

In this method, instead of showing an image, a sound is played which has been obtained by converting text to speech by certain programs. The user must recognize and type the word. Considering the many complexities of speech, it is very difficult for computer programs to recognize the played words. Similarly to method 2.10, this also requires a great deal of space and expense. This method is also used by PayPal [12].

2.12. Persian/Arabic CAPTCHA [14]

In this method, pictures of Persian or Arabic words are shown, with only some noise added to their images, for the purpose of telling apart human users from computer programs. Because of certain characteristics of the Persian and Arabic scripts, such as the connected letters, the presence of dots in more than half of the letters, the right-to-left direction, etc., there is no need to make additional changes in the pictures, and the Persian/Arabic OCR programs are unable to recognize the words. Although this method is easy to implement, it can be used only for telling apart Arabic- or Persian-language users.

It can be said in brief that the methods used nowadays for telling human users and computer programs apart are usually difficult for human users to use and most individuals are reluctant to use them [1]. Our suggested method, however, is very simple and it can be passed by all users.

3. Suggested algorithm

In this paper, a method has been presented for telling apart human users from computer programs by drawing. This is a good method for devices that have no keyboard, or have a small keyboard which is very difficult to use, and instead use light pens or touch screen displays.

In this method, a large number of dots are randomly drawn on the screen. A small number of these dots are distinguished from the other dots in some way, e.g. by creating holes within the dots, or by drawing some dots as squares and some others as diamonds. Some noise is also added to the picture. The user is then asked to connect these different dots. The software can tolerate a certain number of incorrect lines, e.g. 10 at most, so as to prevent cheating or hacking. If the user connects the lines correctly, it can be concluded that it is a human user and he is given permission to carry out the operation.

Because of the presence of noise in the picture, a computer program has difficulty recognizing the specified dots. There is also a trade-off between the resistance of the method to computer attacks and the simplicity of the method for human users. We have designed our method so that all users can use it easily, while computers cannot break it easily. On the other hand, it is not possible to do heavy processing on small devices such as mobile phones or PDAs. Therefore, software on such devices cannot identify these dots easily. It should be considered that only PDAs and mobile phones are allowed to log in to the system. If a PC is identified, it is not allowed to log in; therefore no PC can be used for breaking the CAPTCHA method.

Perhaps at first glance our drawing CAPTCHA method looks like the Implicit CAPTCHA method (method 2.9). However, they have major differences. For example, in the Implicit CAPTCHA method, a picture is displayed to the user, and the pictures are usually very large and take a long time to download. In our method, however, only a small program is downloaded. In addition, the pictures used in the Implicit CAPTCHA method usually have a big size and many colors, and their quality is reduced when they are displayed on the screen of small devices. On the other hand, in the Implicit CAPTCHA method, before putting any picture in the software, the spot places have to be specified manually (e.g. the location of the summit, forest, mountain foot, etc. has to be specified one by one and manually). This requires a lot of time and manpower. In our suggested method, however, the specified dots are determined automatically. Also, as there are a limited number of these spot places in the Implicit CAPTCHA method and their location is also known, computer programs can identify all the specified spots easily. As was mentioned, pictures usually have a large size. Therefore, the Implicit CAPTCHA method requires a lot of storage space, which is very costly. In addition, the exchange of pictures between the website and the user wastes a great deal of network resources and requires a wide bandwidth. Indeed, one can consider the suggested method as, in a sense, an implicit CAPTCHA optimized for use on small devices and devices with limited resources.

In this project, our suggested method was implemented in the Java programming language. The software was embedded in a webpage in the form of a Java Applet. Java Applets are programs in the Java language that can be run in webpages through the world-wide web. After being put on the website, the program was tested (Fig. 4). The software placed 100 square dots in the desired form on a dotted background. Then three diamond dots were put on that screen. Because squares and diamonds are similar, it is difficult for a computer to distinguish them. There is no background, so as to simplify the method for human users.

Figure 4. A screenshot of the drawing CAPTCHA project

The user was then asked to draw three lines to connect the diamond dots. If the user connected the diamond dots to each other correctly, he passed the test. The user could make up to seven mistakes in drawing the lines. Our method was tested by many users of different ages. For example, it was tested by a five-year-old child and she could join the points easily.
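The pass/fail check described in this section, written out as an added example in Python; it is not the authors' Java applet. It assumes that a server keeps each challenge and verifies the strokes, that connecting the three diamonds means joining every pair of them, and a hypothetical 6-pixel snap radius and in-memory session store; the dot counts and the mistake limit are the values from the test above.

```python
import math
import secrets
from itertools import combinations

SQUARE_DOTS = 100   # distractor dots, as in the paper's test
DIAMOND_DOTS = 3    # dots the user must connect, as in the paper's test
MAX_MISTAKES = 7    # wrong lines tolerated in the paper's test
SNAP_RADIUS = 6     # assumed: pixels a stroke endpoint may miss a dot by
_pending = {}       # session id -> unanswered challenge (hypothetical store)

def new_challenge(width=240, height=320):
    """Scatter dots so that no two are close enough to make snapping ambiguous."""
    rng = secrets.SystemRandom()
    dots = []
    while len(dots) < SQUARE_DOTS + DIAMOND_DOTS:
        p = (rng.randrange(width), rng.randrange(height))
        if all(math.dist(p, q) > 2 * SNAP_RADIUS for q in dots):
            dots.append(p)
    # Which dots are diamonds is the secret the verifier keeps to itself.
    targets = set(rng.sample(range(len(dots)), DIAMOND_DOTS))
    return {"dots": dots, "targets": targets}

def snap(point, dots):
    """Index of the dot within SNAP_RADIUS of point, or None if the pen missed."""
    nearest = min(range(len(dots)), key=lambda i: math.dist(point, dots[i]))
    return nearest if math.dist(point, dots[nearest]) <= SNAP_RADIUS else None

def verify(challenge, strokes):
    """strokes is a list of ((x1, y1), (x2, y2)) segments drawn by the user."""
    dots, targets = challenge["dots"], challenge["targets"]
    needed = {frozenset(pair) for pair in combinations(targets, 2)}
    joined, mistakes = set(), 0
    for start, end in strokes:
        edge = frozenset((snap(start, dots), snap(end, dots)))
        if edge in needed:
            joined.add(edge)
        else:
            # A line that misses a dot or touches a square counts as a mistake.
            mistakes += 1
            if mistakes > MAX_MISTAKES:
                return False
    return joined == needed

def issue(session_id):
    """Create a challenge for a session; the caller renders it with noise."""
    challenge = new_challenge()
    _pending[session_id] = challenge
    return challenge

def check(session_id, strokes):
    """Each challenge is answered once, so a failed guess cannot be retried on it."""
    challenge = _pending.pop(session_id, None)
    return challenge is not None and verify(challenge, strokes)
```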

4. Advantages and disadvantages

4.1. Advantages

1. No keyboard is needed in this method. Therefore, it can be run on devices without a keyboard and also on devices whose keyboard is difficult to use, such as PDAs or mobile phones; e.g. Sony Ericsson P900 mobile phones have a special pencil for drawing on their screens, so this method can be used on these mobile phones.
2. It can be used by all ages, even children.
3. As no text is used, this method can be used by the users of any language and is not limited to any specific users.
4. It does not require much processing and can be run on small devices and machines with limited resources.
5. It does not require many resources (unlike methods 2.9 or 2.10, which need resources for keeping pictures) and can be run on small websites as well.
6. As the size of our CAPTCHA program is very small, it requires little time and a small bandwidth for downloading it from a website.
7. As it is a client-side program, after downloading the program once, there is no need to download the program again or reconnect to the server.
8. Unlike the other CAPTCHA methods, which are OCR-based, this method only needs the user to draw some simple lines. Sometimes even human users have difficulty recognizing the displayed words, but such a problem does not exist in this method. Also, our CAPTCHA method is very easy to use and takes little time to pass while not bothering the users.

4.2. Disadvantages

1. By using powerful hardware, one may run programs that remove noise from the picture and identify the proposed dots.
2. The requested points may be difficult to recognize from other dots even by human users.

5. Conclusion

This paper presents a new CAPTCHA method for telling apart human users from computer programs by drawing lines. The method can also be used on devices having touch screens. It is also suitable for disabled people. More intelligent programs can be created so that, other than drawing random dots, simple but random shapes are drawn so as to make it more difficult for computer programs to identify the dots. This method can be used for making Internet registration safer and simpler.

6. References

[1] H. S. Baird, and J. L. Bentley, "Implicit CAPTCHAs," Proc. SPIE/IS&T Conf. on Document Recognition and Retrieval XII (DR&R2005), San Jose, 2005, p. 191-196.
[2] H. S. Baird, and K. Popat, "Human Interactive Proofs and Document Image Analysis," Proc. 5th IAPR International Workshop on Document Analysis Systems, Princeton, LNCS 2423, 2002, p. 507-518.
[3] H. S. Baird, and T. Riopka, "ScatterType: a Reading CAPTCHA Resistant to Segmentation Attack," Proc. of the IS&T/SPIE Document Recognition & Retrieval XII Conf., CA, 2005, pp. 197-207.
[4] M. Blum et al, The CAPTCHA Project, "Completely Automatic Public Turing Test to tell Computers and Humans Apart," Dept. of Computer Science, Carnegie-Mellon University, Nov. 2000, http://www.captcha.net [10/29/2005]
[5] T. Y. Chan, "Using a text-to-speech synthesizer to generate a reverse Turing test," Proc. of the 15th IEEE International Conference on Tools with Artificial Intelligence, 2003, p. 226-232.
[6] M. Chew, and H. S. Baird, "BaffleText: a Human Interactive Proof," Proc. 10th SPIE/IS&T Document Recognition and Retrieval Conf. (DRR2003), Santa Clara, CA, 2003, pp. 305-316.
[7] A. L. Coates et al, "Pessimal Print: A Reverse Turing Test," in Proc. 6th Int. Conf. on Document Analysis and Recognition, Seattle, WA, USA, 2001, p. 1154-1158.
[8] W. H. Liao, and C. Chang, "Embedding information within dynamic visual patterns," Proc. of IEEE Int. Conf. on Multimedia and Expo, vol. 2, 2004, p. 895-898.
[9] Microsoft Hotmail, http://www.hotmail.com/ [11/9/2005]
[10] G. Mori, and J. Malik, "Recognizing Objects in Adversarial Clutter: Breaking a Visual CAPTCHA," Proc. of IEEE CS Society Conf. on Computer Vision and Pattern Recognition, Madison, 2003, pp. 134-141.
[11] G. Moy et al, "Distortion estimation techniques in solving visual CAPTCHAs," Proc. of the 2004 IEEE Computer Society Conference on Computer Vision and Pattern Recognition, vol. 2, 2004, p. 23-28.
[12] PayPal registration, https://www.paypal.com/us/cgi-bin/webscr?cmd=_registration-run [11/9/2005]
[13] A. Rusu, and V. Govindaraju, "Handwritten CAPTCHA: using the difference in the abilities of humans and machines in reading handwritten words," Proc. 9th International Workshop on Frontiers in Handwriting Recognition, 2004, p. 226-231.
[14] M. H. Shirali-Shahreza, and M. Shirali-Shahreza, "PERSIAN/ARABIC CAPTCHA," Proceedings of the IADIS International Conference on Applied Computing 2006 (AC2006), San Sebastian, Spain, 25-28 February 2006, p. 258-265.
[15] Yahoo! mail, http://mail.yahoo.com/ [11/9/2005]
