Enhancing Cyber Security through the use of Synthetic Handwritten CAPTCHAs

Online services which allow users to contribute content and interact remotely over the internet in some manner are common today. Many of these services, like spam control for blogs and email account sign-up, require that they be accessed only by humans and not machines (automated scripts or bots). One method of differentiating between humans and bots is by using a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). A number of different genres of CAPTCHAs exist (text-based, visual, auditory, and cognitive). Text-based CAPTCHAs are popular because automatic recognition of degraded, noisy, distorted text with background clutter is still a challenging task for machines, but is a task that humans perform with relative ease. However, recently a significant number of printed-text based CAPTCHAs have been successfully attacked by bots, thereby rendering the services they protect vulnerable to attack. Thus there is an urgent need for exploring alternate CAPTCHAs and this serves as the prime motivation for our research. We have explored three primary tracks of investigation in this thesis. First, we have defined CAPTCHA design principles based on an exploit-avoid-resist paradigm. Second, we have improved the effectiveness of text-based CAPTCHAs by substituting printed text with handwritten text and then layering on additional cognitive tasks. We have developed a fullyautomated framework for synthetic handwriting generation for this purpose. Prior work in this area has focused on synthesizing handwritten textlines to conform to a particular user’s style. We have developed fully automated techniques for simulating non writer-specific handwriting by extracting principal curves from handwritten characters which serve as a set of control points to allow character-level distortion. We have used novel techniques for character baseline detection and ligature parameterization to construct the textlines. A parameterized sinusoid-based function is used to allow random perturbation of these textlines. We have generated CAPTCHAs of varying machine-difficulty levels and have shown them to be more effective than machineprinted CAPTCHAs. Finally, we have developed a new class of interaction-based CAPTCHAs, which require an entity to interact with the challenge in order to gain access to the solution space. Traditional textbased CAPTCHAs can be solved if an entity can successfully complete a recognition task. Traditional image-based CAPTCHAs can be solved if an entity can successfully complete the twin tasks of cognition and recognition. We show how the interaction-based CAPTCHA combines the best of both worlds and then adds a third layer of complexity by requiring an entity to successfully complete three tasks – interaction, cognition, and recognition – to be able to solve a CAPTCHA challenge. Specifically, we have developed a 3D shadow CAPTCHA which uses aspects of 3D scene rendering, ray casting, and perspective projection to present unique challenges to machines while remaining intuitive for humans to solve.