Zhouhang Cheng

Bio: Zhouhang Cheng is an academic researcher from Xidian University. The author has contributed to research in topics: CAPTCHA & Usability. The author has an hindex of 2, co-authored 3 publications receiving 27 citations.

An End-to-End Attack on Text CAPTCHAs

Abstract: Text-based CAPTCHAs are the most widely used CAPTCHA scheme. Most text-based CAPTCHAs have been cracked. However, previous works have mostly relied on a series of preprocessing steps to attack text CAPTCHAs, which was complicated and inefficient. In this paper, we introduce a simple, generic, and effective end-to-end attack on text CAPTCHAs without any preprocessing. Through a convolutional neural network and an attention-based recurrent neural network, our attack broke a wide range of real-world text CAPTCHAs that are deployed by the top 50 most popular websites ranked by Alexa.com. In addition, this paper comprehensively analyzed the security of most resistance mechanisms of text-based CAPTCHAs through experiments. Experimental results prove that the anti-segmentation principle can be completely broken under deep learning attacks without any segmentation or preprocessing steps in contrast to commonly held beliefs.

Image-based CAPTCHAs based on neural style transfer

Abstract: Over the last few years, completely automated public turing test to tell computers and humans apart (CAPTCHA) has been used as an effective method to prevent websites from malicious attacks, however, CAPTCHA designers failed to reach a balance between good usability and high security. In this study, the authors apply neural style transfer to enhance the security for CAPTCHA design. Two image-based CAPTCHAs, Grid-CAPTCHA and Font-CAPTCHA, based on neural style transfer are proposed. Grid-CAPTCHA offers nine stylized images to users and requires users to select all corresponding images according to a short description, and Font-CAPTCHA asks users to click Chinese characters presented in the image in sequence according to the description. To evaluate the effectiveness of this techniques on enhancing CAPTCHA security, they conducted a comprehensive field study and compared them to similar mechanisms. The comparison results demonstrated that the neural style transfer decreased the success rate of automated attacks. Human beings have achieved a successful solving rate of 75.04 and 84.49% on the Grid-CAPTCHA and Font-CAPTCHA schemes, respectively, indicating good usability. The results prove deep learning can have a positive effect on enhancing CAPTCHA security and provides a promising direction for future CAPTCHA study.

Two Novel Image-Based CAPTCHA Schemes Based on Visual Effects

Abstract: CAPTCHA is a security mechanism designed to differentiate between computers and humans, and is used to defend against malicious bot programs. Text-based and image-based CAPTCHAs are two of the most widely deployed schemes, but most of the existing CAPTCHA schemes are either too difficult for humans to solve or not safe enough since a lot of researchers have attacked them successfully. These CAPTCHAs are also language-dependent and they cannot be automatically generated. So it is urgent to explore new possible schemes of CAPTCHA. In this paper, we mainly made two contributions to CAPTCHA. First, we propose two novel image-based CAPTCHA schemes based on visual effects. DeRection is one CAPTCHA scheme that takes advantage of human ability on capturing deformed regions of an image in the case of contrast. CONSCHEME is another one that capitalizes on human ability of understanding the content in a three-dimensional space. We conducted preliminary experiments over more than 110 users to verify the usability and security of two schemes. Second, by analyzing the characteristics of these two schemes proposed in this paper and comparing them with the existing image-based ones, we propose a set of new guidelines for the design of image-based CAPTCHA.

Simple and Easy: Transfer Learning-Based Attacks to Text CAPTCHA

Abstract: CAPTCHA, or Completely Automated Public Turing Tests to Tell Computers and Humans Apart, is a common mechanism used to protect commercial accounts from malicious computer bots, and the most widely used scheme is text-based CAPTCHA. In recent years, newly emerged deep learning techniques have achieved high accuracy and speed in attacking text-based CAPTCHAs. However, most of the existing attacks have various disadvantages, the attack process made high complexity or manually collecting and labeling a large number of samples to train a deep learning recognition model is time-consuming and expensive. In this paper, we propose a transfer learning-based approach that greatly reduces the attack complexity and the cost of labeling samples, specifically, by pre-training the model with randomly generated samples and fine-tuning the pre-trained model with a small number of real-world samples. To evaluate our attack, we tested 25 online CAPTCHAs achieving success rates ranging from 36.3% to 96.9%. To further explore the effect of the training sample characteristics on the attack accuracy, we elaborately imitate some samples and apply a generative adversarial network to refine the samples, sequentially we use these two kinds of generated samples to pre-train the models, respectively. The experimental results demonstrate that the similarity between randomly generated samples and elaborately imitated samples has a negligible impact on the attack accuracy. Instead, transfer learning is the key factor; it reduces the cost of data preparation while preserving the model's attack accuracy.

Gotta CAPTCHA ’Em All: A Survey of 20 Years of the Human-or-computer Dilemma

Abstract: A recent study has found that malicious bots generated nearly a quarter of overall website traffic in 2019 [102]. These malicious bots perform activities such as price and content scraping, account...

An End-to-End Attack on Text-based CAPTCHAs Based on Cycle-Consistent Generative Adversarial Network

Abstract: As a widely deployed security scheme, text-based CAPTCHAs have become more and more difficult to resist machine learning-based attacks. So far, many researchers have conducted attacking research on text-based CAPTCHAs deployed by different companies (such as Microsoft, Amazon, and Apple) and achieved certain results.However, most of these attacks have some shortcomings, such as poor portability of attack methods, requiring a series of data preprocessing steps, and relying on large amounts of labeled CAPTCHAs. In this paper, we propose an efficient and simple end-to-end attack method based on cycle-consistent generative adversarial networks. Compared with previous studies, our method greatly reduces the cost of data labeling. In addition, this method has high portability. It can attack common text-based CAPTCHA schemes only by modifying a few configuration parameters, which makes the attack easier. Firstly, we train CAPTCHA synthesizers based on the cycle-GAN to generate some fake samples. Basic recognizers based on the convolutional recurrent neural network are trained with the fake data. Subsequently, an active transfer learning method is employed to optimize the basic recognizer utilizing tiny amounts of labeled real-world CAPTCHA samples. Our approach efficiently cracked the CAPTCHA schemes deployed by 10 popular websites, indicating that our attack is likely very general. Additionally, we analyzed the current most popular anti-recognition mechanisms. The results show that the combination of more anti-recognition mechanisms can improve the security of CAPTCHA, but the improvement is limited. Conversely, generating more complex CAPTCHAs may cost more resources and reduce the availability of CAPTCHAs.