balancing usability and security in a video captcha
play

Balancing Usability and Security in a Video CAPTCHA Kurt Alfred - PowerPoint PPT Presentation

Sep 23, 2022 •12 likes •272 views

Balancing Usability and Security in a Video CAPTCHA Kurt Alfred Kluever Richard Zanibbi Google, Inc. Rochester Institute of Technology kak@google.com rlaz@cs.rit.edu Symposium on Usable Privacy and Security (SOUPS) 2009 July 15th-17th,

  1. Balancing Usability and Security in a Video CAPTCHA Kurt Alfred Kluever Richard Zanibbi Google, Inc. Rochester Institute of Technology kak@google.com rlaz@cs.rit.edu Symposium on Usable Privacy and Security (SOUPS) 2009 July 15th-17th, 2009, Mountain View, CA, USA

  2. Symposium on Usable Privacy and Security (SOUPS) 2009 July 15th-17th, 2009, Mountain View, CA, USA

  3. Overview • Motivation + Brief History • Desirable CAPTCHA Properties • Video CAPTCHA + Research Goal • Methodology • Data sources • Generating + Grading Challenges • Attack Simulation • Two User Studies • Results + Comparison to Existing Work Kurt Alfred Kluever Balancing Usability and Security in a Video CAPTCHA Richard Zanibbi

  4. Motivation: Abuse of Online Services Generate accounts to abuse free services Send SPAM from free email accounts Take advantage of free offers Buy hundreds of tickets for scalpers Brute force passwords QUICKVOTE Which is the best Computer Science Post spam to blogs Grad School in the US? Berkeley MIT Poison online polls CMU Princeton Cornell Stanford vote Kurt Alfred Kluever Balancing Usability and Security in a Video CAPTCHA Richard Zanibbi

  5. Desirable CAPTCHA Properties Automated • The generation and grading of challenges is automatic Open • Underlying databases/algorithms are publicly available Usable* • Frequently passed by humans Secure* • Frequently failed by machines “ A CAPTCHA is a program that can generate and grade tests that it itself cannot pass (much like some professors). ” -Luis von Ahn Kurt Alfred Kluever Balancing Usability and Security in a Video CAPTCHA Richard Zanibbi

  6. Existing CAPTCHA Types Natural language processing • “What is 4 times the number of legs a kangaroo has?” Character recognition • “Type the letters you see in this image.” Image understanding • “What are these images of?” / “Is this image upright?” Automatic speech recognition • “1-6-3-9-2-7” / Old radio broadcasts Kurt Alfred Kluever Balancing Usability and Security in a Video CAPTCHA Richard Zanibbi

  7. Character Recognition-based Kurt Alfred Kluever Balancing Usability and Security in a Video CAPTCHA Richard Zanibbi

  8. Image Recognition-based Kurt Alfred Kluever Balancing Usability and Security in a Video CAPTCHA Richard Zanibbi

  9. Video CAPTCHA Task: Submit three tags, aiming to match one in a set of automatically generated ground truth tags. Kurt Alfred Kluever Balancing Usability and Security in a Video CAPTCHA Richard Zanibbi

  10. Public Video Dataset: YouTube.com Generate a random YouTube ID...Good luck • 64 possible characters; 11 characters long • > 150 million videos on YouTube (August 2008) Random walk (randomized local search) • Query with a dictionary* word • Randomly choose a video • Randomly choose a tag • Repeat for a random depth • [1, 100] Kurt Alfred Kluever Balancing Usability and Security in a Video CAPTCHA Richard Zanibbi

  11. Generating Challenges Use random walk to select a challenge video From Related Videos set, add n additional tags (sorted by cosine similarity over tag sets) • black box algorithm (hard* to compute it ourselves) Remove tags estimated to be more frequent than a threshold t Kurt Alfred Kluever Balancing Usability and Security in a Video CAPTCHA Richard Zanibbi

  12. Tag Frequency Distribution 10,000 1000 Tags with ≥ 1.0% frequency Random Walk: Tags with ≥ 0.5% frequency 86,368 unique 100 videos Tags with ≥ 0.1% frequency 10 30k 60k 90k 120k 150k Kurt Alfred Kluever Balancing Usability and Security in a Video CAPTCHA Richard Zanibbi

  13. Estimated Tag Frequencies Random walk of 86k YouTube videos Many tags do not appear in our original dictionary Kurt Alfred Kluever Balancing Usability and Security in a Video CAPTCHA Richard Zanibbi

  14. Grading Challenges Normalize Input • Lowercase, no punctuation or stop words, only 3 tags Stemming • Add word stems to ground truth (Porter algorithm) • Adds at most 3 additional tags (‘dogs’ -> ‘dog’) Levenshtein Edit Distance • Allows for insertions, deletions, and substitutions • Normalized threshold of 0.8 Kurt Alfred Kluever Balancing Usability and Security in a Video CAPTCHA Richard Zanibbi

  15. Testing the Hypothesis One may increase usability while maintaining security against a frequency-based attack in a video CAPTCHA by intelligently extending the set of user-supplied and ground truth tags. n Number of related tags added. t Pruning threshold. s Use stemming? l Use inexact match? Kurt Alfred Kluever Balancing Usability and Security in a Video CAPTCHA Richard Zanibbi

  16. Attack Tags Used ˆ S c ( A ) t Best Attack Tags # Pruned 1.0 [music, video, live] 0 0.1377 0.01 [dj, remix, vs] 37 0.0291 0.009 [girl, school, el] 44 0.0256 0.008 [animation, michael, star] 49 0.0237 0.007 [concert, news, day] 67 0.0207 0.006 [fantasy, dragon, rb] 92 0.0179 0.005 [islam, humor, blues] 129 0.0148 0.004 [real, bass, 12] 184 0.0120 0.003 [uk, spoof, pro] 302 0.0090 0.002 [seven, jr, patrick] 570 0.0060 0.001 [ff, kings, ds] 1402 0.0030 Kurt Alfred Kluever Balancing Usability and Security in a Video CAPTCHA Richard Zanibbi

  17. Attack Success Rates: Random Walk (against 5000 videos) Kurt Alfred Kluever Balancing Usability and Security in a Video CAPTCHA Richard Zanibbi

  18. Two User Studies User Study 1 User Study 2 Emails, flyers, word of Age group 18-24 74.82% (107) 77.71% (143) mouth 25-34 13.28% (19) 11.95% (22) 35-44 3.496% (5) 4.891% (9) 45-54 4.195% (6) 2.173% (4) 55-65 2.797% (4) 2.717% (5) Number of participants 65-74 0.699% (1) 0.543% (1) 75+ 0.699% (1) 0.0% (0) • User Study 1: Gender Male 79.02% (113) 83.69% (154) Female 20.97% (30) 16.30% (30) • Highest level of education completed 233 -> 143 (61.3%) Some High School 0.0% (0) 0.543% (1) High School 2.797% (4) 4.891% (9) • User Study 2: Some College 46.85% (67) 47.82% (88) Associate’s 4.895% (7) 6.521% (12) Bachelor’s 33.56% (48) 30.43% (56) • 300 -> 184 (61.3%) Master’s 11.18% (16) 4.347% (8) Professional Degree 0.699% (1) 0.0% (0) PhD 0.0% (0) 5.434% (10) Online collection Number of online videos watched per month 0-4 17.48% (25) 17.93% (33) 5-14 30.76% (44) 30.43% (56) 15-30 23.07% (33) 20.65% (38) 31+ 28.67% (41) 30.97% (57) Have you ever uploaded a video before? Yes 60.83% (87) 64.67% (119) No 39.16% (56) 35.32% (65) Kurt Alfred Kluever Balancing Usability and Security in a Video CAPTCHA Richard Zanibbi

  19. Human Success Rates: Manual Selection (First User Study) Kurt Alfred Kluever Balancing Usability and Security in a Video CAPTCHA Richard Zanibbi

  20. Human Success Rates: Random Walk (Second User Study) Kurt Alfred Kluever Balancing Usability and Security in a Video CAPTCHA Richard Zanibbi

  21. Completion Times and User Feedback Completion times (in seconds) • User Study 1: median = 20.6 ( μ = 29.7, σ = 34.7) • User Study 2: median = 17.1 ( μ = 22.0, σ = 23.6) Which task is faster? • User Study 1: 16%: neither, 64%: text , 20%: video • User Study 2: 13%: neither, 60%: text , 27%: video Which task is more enjoyable? • User Study 1: 23%: no pref, 15%: text, 62%: video • User Study 2: 22%: no pref, 20%: text, 58%: video Kurt Alfred Kluever Balancing Usability and Security in a Video CAPTCHA Richard Zanibbi

  22. Comparison with Existing Work Success Rates CAPTCHA Type Human Machine Microsoft Text-based 0.90 [3] 0.60 [28] Baffletext Text-based 0.89 [4] 0.25 [4] Handwritten Text-based 0.76 [23] 0.13 [23] ASIRRA Image-based 0.99 [6] 0.10 [9] τ = � 15 , 0 . 003 , T , T � Video 0.77 0.02 τ = � 25 , 0 . 006 , T , T � 0.86 0.05 τ = � 90 , 0 . 006 , T , T � 0.90 0.13 Perhaps not a replacement, but an alternative? Kurt Alfred Kluever Balancing Usability and Security in a Video CAPTCHA Richard Zanibbi

  23. Conclusions First video-based CAPTCHA and it is: • Automated • Open • Usable • Secure Usability/security tradeoff Pass rates are comparable to existing CAPTCHAs ~60% of participants reported that Video CAPTCHAs were more enjoyable than text-based CAPTCHAs Kurt Alfred Kluever Balancing Usability and Security in a Video CAPTCHA Richard Zanibbi

  24. Future Work Collaborative filtering to improve ground truth tags • Improve existing tags on poorly labeled videos Computer vision attacks • Detect text in video frames, recognize it, submit it Content-based Video Retrieval attacks • Look for similar videos in database + submit their tags Audio analysis attacks • Extract important words from video + submit them Further user studies with audio-only or video-only Kurt Alfred Kluever Balancing Usability and Security in a Video CAPTCHA Richard Zanibbi

  25. Thank You Online Demonstration: http://sudbury.cs.rit.edu/ Thanks to Kurt Alfred Kluever Balancing Usability and Security in a Video CAPTCHA Richard Zanibbi

  26. Questions? Image Credit: xkcd.com Kurt Alfred Kluever Balancing Usability and Security in a Video CAPTCHA Richard Zanibbi

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IPv6 Stateless Address Autoconfiguration: Balancing Between Security, Privacy and Usability Ahmad

IPv6 Stateless Address Autoconfiguration: Balancing Between Security, Privacy and Usability Ahmad

IPv6 Stateless Address Autoconfiguration: Balancing Between Security, Privacy and Usability Ahmad AlSadeh, Hosnieh Rafiee, Christoph Meinel Hasso-Plattner-Institut, University of Potsdam, Germany IPv6 StateLess Address Auto- Configuration

330 views • 20 slides
Security and Usability from the Frontlines of Enterprise IT Jon Oberheide CTO, Duo Security

Security and Usability from the Frontlines of Enterprise IT Jon Oberheide CTO, Duo Security

Security and Usability from the Frontlines of Enterprise IT Jon Oberheide CTO, Duo Security Browser SSL Password Encryption warnings schemes usability IT Security 40M consumer 153M end user Thousands of credit cards credentials

785 views • 39 slides
Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone

Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone

Phd course on Formal modelling and analysis of interactive systems Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone United Nations University International Institute for Software Technology

1.76k views • 109 slides
Personal Health Informa0on on Display Balancing Needs, Usability

Personal Health Informa0on on Display Balancing Needs, Usability

Personal Health Informa0on on Display Balancing Needs, Usability and Legisla3ve Requirements Erlend Andreas GJRE a,b , Inger Anne TNDEL b , Maria B. LINE

201 views • 9 slides
APTCHA I am Andreas Charalampous, April 2020 Contents 1. Introduction to Captcha 2. Paper 1:

APTCHA I am Andreas Charalampous, April 2020 Contents 1. Introduction to Captcha 2. Paper 1:

CS682 - Advanced Security Topics Instructor: Elias Athanasopoulos APTCHA I am Andreas Charalampous, April 2020 Contents 1. Introduction to Captcha 2. Paper 1: Re: Captchas Understanding Captcha-Solving Services in an economic context 3.

1.24k views • 84 slides
Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe

Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe

Introduction Security-usability threat model Security and usability evaluation Summary Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe Oxford University Computing Laboratory Availability,

829 views • 23 slides
Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements intermission Day 24: Usability and security Stephen McCamant Usable security example areas University of Minnesota, Computer Science & Engineering

219 views • 5 slides
Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements intermission Day 25: Usability and security Stephen McCamant Usable security example areas University of Minnesota, Computer Science & Engineering

419 views • 4 slides
Outline Tor experiences and challenges (contd) Usability and security CSci 5271

Outline Tor experiences and challenges (contd) Usability and security CSci 5271

Outline Tor experiences and challenges (contd) Usability and security CSci 5271 Announcements intermission Introduction to Computer Security Usability and Voting combined slides Usable security example areas Stephen McCamant Elections

305 views • 8 slides
networks via security policies and audio CAPTCHA PhD Thesis Yannis Soupionis Department of

networks via security policies and audio CAPTCHA PhD Thesis Yannis Soupionis Department of

SPAM prevention in Voice over IP networks via security policies and audio CAPTCHA PhD Thesis Yannis Soupionis Department of Informatics, Athens University of Economics and Business July 4, 2011 Outline 2 Introduction Spam over

1.09k views • 56 slides
Bullet Cache Balancing speed and usability in a cache server Ivan Voras

Bullet Cache Balancing speed and usability in a cache server Ivan Voras

Bullet Cache Balancing speed and usability in a cache server Ivan Voras <ivoras@freebsd.org> What is it? People know what memcached is... mostly Example use case: So you have a web page which is just dynamic enough so you

657 views • 40 slides
traditional CAPTCHA and its replacement Dr Scott Hollier A11y Bytes Perth 2018 Technology for

traditional CAPTCHA and its replacement Dr Scott Hollier A11y Bytes Perth 2018 Technology for

The death of traditional CAPTCHA and its replacement Dr Scott Hollier A11y Bytes Perth 2018 Technology for everyone What is CAPTCHA? Completely Automated Public Turing test to Tell Computers and Humans Apart (CAPTCHA) Purpose: to

304 views • 13 slides
Balancing Broad Data Access With Usability at Scale Austin Wilt 1 Data Product Management at

Balancing Broad Data Access With Usability at Scale Austin Wilt 1 Data Product Management at

April 18, 2019 Balancing Broad Data Access With Usability at Scale Austin Wilt 1 Data Product Management at Slack 3 Key Data PM Principles Increase curation as you broaden the audience Balance foundational investments with immediate value

349 views • 18 slides
Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security

Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security

Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security Evaluation with Comparative Analysis Robbie MacGregor 5 th Who Are You?! Adventures in Authentication (WAY), Santa Clara, CA, USA, 2019. I did a thing so

132 views • 10 slides
Outline Usability and security (contd) Elections and their security CSci 5271 Introduction

Outline Usability and security (contd) Elections and their security CSci 5271 Introduction

Outline Usability and security (contd) Elections and their security CSci 5271 Introduction to Computer Security Announcements intermission Day 24: Electronic voting System security of electronic voting Stephen McCamant Exercise sets 2

424 views • 10 slides
On the Usability and Security of Password-Based User Authentication Maximilian Golla Thesis

On the Usability and Security of Password-Based User Authentication Maximilian Golla Thesis

On the Usability and Security of Password-Based User Authentication Maximilian Golla Thesis Defense, Bochum, Germany, May 29, 2019 User Authentication Competing requirements of security and usability . [1] Common Factors: Knowledge ( Password ,

619 views • 34 slides
NIST P-256 has a cube-root ECDL algorithm D. J. Bernstein University of Illinois at Chicago,

NIST P-256 has a cube-root ECDL algorithm D. J. Bernstein University of Illinois at Chicago,

NIST P-256 has a cube-root ECDL algorithm D. J. Bernstein University of Illinois at Chicago, Technische Universiteit Eindhoven Joint work with: Tanja Lange Technische Universiteit Eindhoven eprint.iacr.org/2012/318 , eprint.iacr.org/2012/458

769 views • 63 slides
Conditionals: between language and reasoning Class 1 - Introduction

Conditionals: between language and reasoning Class 1 - Introduction

Conditionals: between language and reasoning Class 1 - Introduction www.ivanociardelli.altervista.org/conditionals ivano.ciardelli@lmu.de Two switches Imagine a long hallway with a light in the middle and with two switches, one at each end.

1.37k views • 57 slides
ConversationStory! Fri Dec 8 11:08:37 CST 2017 github: ConversationStory! Dr Bean (

ConversationStory! Fri Dec 8 11:08:37 CST 2017 github: ConversationStory! Dr Bean (

ConversationStory! Fri Dec 8 11:08:37 CST 2017 github: ConversationStory! Dr Bean ( ) Recording 30 seconds. Each person must tell his/her story and answer 2 Uploading files If you cant find your partner, do it with someone

181 views • 4 slides
Kangaroo: An Efficient Constraint-Based Local Search System Using Lazy Propagation M.A.Hakim

Kangaroo: An Efficient Constraint-Based Local Search System Using Lazy Propagation M.A.Hakim

Kangaroo: An Efficient Constraint-Based Local Search System Using Lazy Propagation M.A.Hakim Newton 1 , 2 , Duc Nghia Pham 1 , 2 , Abdul Sattar 1 , 2 , Michael Maher 1 , 3 , 4 1 National ICT Australia, 2 IIIS, Griffith University 3 CSE, University

427 views • 26 slides
International Challenge on Informatics and Computational Thinking Informatics Europe Best

International Challenge on Informatics and Computational Thinking Informatics Europe Best

International Challenge on Informatics and Computational Thinking Informatics Europe Best Practices in Education Award 2015 Valentina Dagiene, Wolfgang Pohl www.bebras.org Informatics @ School www.bebras.org ~ 1980: hardware, algorithms

586 views • 17 slides
AMMI Introduction to Deep Learning 8.4. Optimizing inputs Fran cois Fleuret

AMMI Introduction to Deep Learning 8.4. Optimizing inputs Fran cois Fleuret

AMMI Introduction to Deep Learning 8.4. Optimizing inputs Fran cois Fleuret https://fleuret.org/ammi-2018/ Thu Sep 6 16:00:44 CAT 2018 COLE POLYTECHNIQUE FDRALE DE LAUSANNE Maximum response samples Fran cois Fleuret AMMI

686 views • 45 slides
A SAT-Based Approach for Index Calculus on Binary Elliptic Curves Monika Trimoska Sorina Ionica

A SAT-Based Approach for Index Calculus on Binary Elliptic Curves Monika Trimoska Sorina Ionica

A SAT-Based Approach for Index Calculus on Binary Elliptic Curves Monika Trimoska Sorina Ionica Gilles Dequen MIS Laboratory, University of Picardie Jules Verne AfricaCrypt 2020 Monika Trimoska Sorina Ionica Gilles Dequen A SAT-Based

327 views • 19 slides
Squeezing a key through a carry bit Sean Devlin, Filippo Valsorda One month later a = a - b

Squeezing a key through a carry bit Sean Devlin, Filippo Valsorda One month later a = a - b

Squeezing a key through a carry bit Sean Devlin, Filippo Valsorda One month later a = a - b The code x = a a = a + p a = a - b mod p a = a - b a = a - b The code x = a t = a a = a + p a = a - b t += p mod p a ?> t a = a - b

695 views • 52 slides

More recommend