Dynamic CAPTCHA

Mohammad Shirali-Shahreza * and Sajad Shirali-Shahreza

*

Sharif University of Technology, Computer Science Department, Tehran, IRAN Tel: +98-912-2236349 Fax: +98-21-88842469 E-mail: shirali@cs.sharif.edu Sharif University of Technology, Engineering Department, Tehran, IRAN Tel: +98-912-3864799 Fax: +98-21-88842469 E-mail: shirali@ce.sharif.edu

Abstract Registration websites use CAPTCHA (Completely Automated Public Turing test to tell Computers and Human Apart) systems to prevent the bot programs from wasting their resources. But sometimes the CAPTCHA test is difficult for human users to pass because the users have different ages, languages, etc. In this paper we propose a solution for this problem. The registration system can select a kind of CAPTCHA system among different available CAPTCHA systems regarding to the users needs such as user language and disabilities. For example if the user has non-English language, the system chooses a CAPTCHA method which does not need English language knowledge.

I.

INTRODUCTION

Nowadays, many daily human activities such as education, commerce, and talks are carried out through the Internet. In most websites, especially commercial and administrative ones, it is needed to fill out registration forms for using the websites. Unfortunately, there are individuals who write programs to make automatic false registration in these websites. These programs automatically fill out the forms with incorrect information to enroll in the site. This wastes a large volume of the resources of the site. Therefore, it is necessary to use a system to distinguish human users from computer programs. This method should be done automatically because examination of a large bulk of registration on the Internet websites by human forces requires a great deal of time and expense. For this purpose, CAPTCHA (Completely Automated Public Turing test to tell Computers and Human Apart) systems are invented. CAPTCHA systems are used to distinguish between human users and computer programs automatically. These systems are based on Artificial Intelligence (AI) topics. They are similar to Turing test [1], but in these systems the judge is a computer [2]. The main focus of these methods is on questions that the human user can easily answer but the present computer programs cannot answer easily. One of the methods used in CAPTCHA is the use of pictures of words. It is a method based on the weak points of optical character recognition (OCR) programs. OCR programs are used for automatically reading the texts, but they have difficulty in reading texts printed with a low

quality or reading manuscripts. So, this defect of the OCR programs can be taken advantage of by changing the picture of a word so that it can be recognized only by a human user but not by any OCR program. Examples of these methods are Gimpy [2] (Fig. 1) and Persian/Arabic Baffle Text [3]. However, these methods usually disturb the users and also cannot be run on all systems. For example in mobile phones, it is difficult to type words. Therefore some methods in which they do not use OCR systems have been presented so far. Some of these methods are Implicit CAPTCHA [4], Text-to-Speech method [5], and Drawing CAPTCHA [6]. In the next section we will explain some of proposed CAPTCHA methods. In some registration pages which has a CAPTCHA test, in addition to the current CAPTCHA test which is usually OCRbased, there is another kind of CAPTCHA test which user can select in case of having problem with the current CAPTCHA test such as Text-to-Speech [5] method. But sometimes the second method is also difficult for the user to pass. In this paper we propose a solution for this problem. In this method, instead of using one or two pre-defined CAPTCHA systems in the registration system, the system can select an appropriate CAPTCHA system among different available CAPTCHA systems regarding to the information entered in the first steps of registration. The details of our suggested method are explained in the third section. In the final section the conclusion will be made.

Fig. 1.

A sample of Gimpy method [2].

978-1-4244-2336-1/08/$25.00 2008 IEEE

436 2008 International Symposium on Communications and Information Technologies (ISCIT 2008)

II.

RELATED WORKS

It was first in 1997 when Andrei Broder et al devised a system to distinguish human users from computer programs. In the same year, Altavista web site used this method to tell computer programs and human apart. In this method, a distorted English word was shown to the user and the user was asked to type it. Distortion was so that OCR programs could not recognize the word [8]. These systems were known as CAPTCHA systems and are now used in most well-known web sites like Yahoo! and Microsoft for user registration. Besides this method, in recent years, methods have been proposed for overcoming these methods and automatically recognizing such word images [9, 10]. In this section we will review some of CAPTCHA methods. First we survey some Non- OCR-Based CAPYCHA methods. Then we review some OCR-Based CAPYCHA methods. Implicit CAPTCHA Method In the Implicit CAPTCHA methods [4], the user has to make a simple click. For example, the picture of a mountain is shown to the user and he/she is asked to click on its top (Fig. 2) or a number of words are shown in an image and the user is asked to click on a specific word. This method is an easier way for the users although it is costlier. Collage CAPTCHA Method The Collage CAPTCHA method [11] is another CAPTCHA method which is developed by authors. In this method the images of some different objects (for example six objects such as airplane, car, apple, orange, pineapple and ball) are chosen. Then some effects such as rotating are done on the images and they merged to create a single image (Fig. 3). This image is shown to the user and he/she is asked to click on a certain object (for example on the image of the apple). Collage CAPTCHA requires a database of labeled images. It is an easy CAPTCHA for users because in this method the user must find the object image which its name is shown. B. A.

Fig. 3.

Collage CAPTCHA method [11].

Text-to-Speech conversion method In the Text-to-Speech conversion method [5], instead of showing an image, a sound is played which has been obtained by converting text to speech by certain programs. The user must recognize and type the played word. Considering the many complexities of speech, it is very difficult for computer programs to recognize the played words. This method is also used by GMail [12]. D. Drawing CAPTCHA Method Drawing CAPTCHA Method [6] is for devices using stylus like PDA (Personal Digital Assistant). In this method, numerous dots are drawn on a screen with noisy background and the user is asked to connect certain dots to each other (Fig. 4). In view of the problems that computers face in recognizing the dots from the noise, only a human user can easily identify the special dots and connect them to each other. Unlike the other CAPTCHA methods, the users of any language in any age group can use this program. We can run it on devices with more limited resources than the computer. In the following, we survey some OCR-Based CAPTCHA Methods.

C.

Fig. 2.

Implicit CAPTCHA method [4].

2008 International Symposium on Communications and Information Technologies (ISCIT 2008)

437

H. Paypal Website Method Paypal Website [15] provides services regarding the electronic payments. This website also uses the method in which a word is displayed with a background, in order to distinguish between the human users and the computer software. Unfortunately, the Paypal website does not provide any details on this method. Dynamic Visual Method This method [16] is Embedding information within dynamic visual patterns. For instance, they are published in a background of black circles. Thereafter, this picture is displayed in order to distinguish between the human users and computer software. Despite the difficulties in recognition of these words by the computer software, reading these figures for human users will also be difficult. HotMail Website Method In the registration of Hotmail e-mail service [17], related to the Microsoft Company, another method for distinguishing between the human users and computer software is used. In this method, as we can see in Figure 5, a series of English letters are randomly selected and following modification of the shape of those letters, the pictures of the letters are shown to the user and the user should type these words correctly. In this method, the studies conducted for recognition of letters are used. Since in the systems adopted for recognition of letters, segmentation of letters is more difficult than recognition of letters, therefore the letters shapes have been changed such that their segmentation from each other will not be easily possible. In Figure 5, it is observed that by placing arcs the segmentation of words has been made difficult as much as possible. Hence, although segmentation of these letters is simple for humans, it is not possible with the use of existing software. In this method, due to placing arcs between the letters, some letters are read in other forms at times and sometimes additional letters are established. Scatter Type Method In the Scatter Type method [18], the main emphasis is on segmentation of letters. The letters are changed such that their segmentation would not be possible. For this purpose, each of the words is cut into pieces and these pieces are thereafter displaced. This activity makes it difficult for the letters to be separated by the existing methods for recognition of letters because in this method each letter is segmented into numerous small pieces. On the other hand, the letters are selected randomly so the vocabulary would not be used for predicting the words. K. J. I.

Fig. 4.

A sample of Drawing CAPTCHA method [6]

Gimpy Method The Gimpy method [7] has been prepared at the Carnegie Mellon University for distinguishing between the human users and the computer software. In this method, a word is selected from the vocabulary and it is modified by making changes such as adding black and white lines and making non-linear changes, and it is later portrayed as a picture. Meanwhile, the user should correctly type that word. Since this method selects its words from an 850-word vocabulary therefore it can be easily broken into during the attacks [9]. Until 2004, Yahoo! website used a simple edition of this method named EZ-Gimpy in order to distinguish between the human users and computer software to prevent the definition of continuous user accounts by destructive computer software. Baffletext Method In Baffletext method [13], the meaningless words which are not included in the British vocabulary are produced and their pictures are modified. These figures can have different degrees of easiness and hardness. In this method one can make figures hardly recognizable, but in these cases the human users also hardly recognize the presented words. G. Hand-Written CAPTCHA Method The other method [14] is usage of hand-written words. In this method, databases of the handwritten names of American cities (which have been selected from the letters posted by the people) have been prepared. In order to distinguish between the human users and computer software, the picture of a city name is selected and shown to the user and the user then should type the name of that city correctly. In this method, the picture of the words is of poor quality and some of them would be difficult to read even for the human users. F.

E.

Fig. 5.

A sample of CAPTCHA method used in Hotmail website [18]

438

2008 International Symposium on Communications and Information Technologies (ISCIT 2008)

III.

OUR SUGGESTED METHOD

As we see in the previous section, different CAPTCHA methods are designed with different goals. A single CAPTCHA method may have different advantages, but cannot be used easily by all users. So in the systems which use one or two CAPTCHA methods, some users may experience difficulties. In this paper we propose a solution for this problem. In some registration pages which has a CAPTCHA test, in addition to the default CAPTCHA test which is usually an OCR-based CAPTCHA, there is another kind of CAPTCHA test which user can select in case of having difficulties with the default CAPTCHA test such as Text-to-Speech [5] method. But sometimes the second method is also not easy for the user to pass. Here we propose a solution for this problem. The main idea of our solution is that instead of using a predefined CAPTCHA system in the registration system, the system selects a kind of CAPTCHA system among different available CAPTCHA systems based on the information the user entered in the first steps of registration or provided by the user web browser provided. The best available CAPTCHA is then used in the final steps of registration process. The first information which we are using is the user language. The web browsers usually sent the default language which the user is set for retrieving the page in the users native language. This information can be used to select a CAPTCHA with the user native language. This can help nonEnglish users a lot, because the default CAPTCHA methods are OCR-Based methods which are designed for English language. For example a method such as multilingual CAPTCHA method [19] can be selected and shown in the user language. The multilingual CAPTCHA method [19] is based on choices of an object shown on the screen. The user interface of this method is multilingual. At the beginning of the test, the user chooses his/her native language. After that, all of the messages are shown in the selected language. The messages are translated using an online translator (Figure 6). For using Multilingual CAPTCHA in our method, the language which the messages should be shown is derived from the information gathered from the user automatically. In addition, this feature can enable the web designers to design easier website for local users in non-English countries. They can use a default non-English OCR-Based method such as Persian/Arabic Baffletext method [3] which is designed for Persian and Arabic language, but also offer an English CAPTCHA for international and foreign users. The Persian/Arabic Baffletext method [3] is designed for Persian and Arabic languages. It uses techniques such as adding lines and background, considering the special features of Persian and Arabic languages. For example, it does not add noise to the image. The reason is that dots, which are very important in these languages, are similar to noise.

Fig. 6.

A sample of Multilingual CAPTCHA method in French language [19]

Another information which we use is the especial needs of user. There are two types of needs which must be considered. The first one is the limitations of users device. This information is usually sent by the users browser or can be deduced from information provided by browser such as user browser type and version. For example if the user is using a mobile phone to visit our website, then normal OCR-Based CAPTCHA methods are difficult for the user because mobile phones usually do not have a complete keyboard and entering a combination of letters and numbers is difficult. In addition these devices have small displays which may have low resolution. In these situations, an appropriate CAPTCHA method which can be used easily on the user device such as the CAPTCHA method described in [20] is showed to the user. In that method, a multi-digits number (for example six digits) is generated. Then the program draws these digits numbers in a crooked shape. For each digit, a random font is chosen. Then the digit is drawn using selected font with a random degree of skew. Finally these images are placed next to each other to form a six-digit number. This method creates black and white images in order that the users can also see the images on the mobile phones which have a black and white screen. This image is shown to the user and he must type it. The second type of users needs is the users restrictions. This information may be sent by the users client or gathered from the user in the early parts of registration, such as an option in the first page to provide more accessibility features. For example a blind user cannot solve the visual CAPTCHA methods such as OCR-Based methods and needs a non visual CAPTCHA such as Text-To-Speech method [5] or a CAPTCHA which is especially designed for this group of users such as methods presented in [21] and [22].

2008 International Symposium on Communications and Information Technologies (ISCIT 2008)

439

In the method proposed in [21], a simple mathematical problem is created according to predefined patterns and converted to speech using a Text-To-Speech (TTS) system. Then the sound is played for the user and he/she must enter the answer of the question. The method described in [22] shows the image of an object for the user and plays a sound of that object for the user so that blind users can recognize the object. For example it plays the birds sign when it shows the image of the bird. IV. CONCLUSIONS CAPTCHA (Completely Automated Public Turing test to tell Computers and Human Apart) methods are designed to distinguish between computer programs and human users to block computer programs from abusing the systems offered for human users. During recent years, different CAPTCHA methods are proposed with different goals considering targeted users and attacks methods. One default CAPTCHA method is not suitable for all users, especially disabled and non-English users and is one of the problems which users are encountered with CAPTCHA systems. In this paper, we propose a solution for this problem. We present a method for selecting an appropriate CAPTCHA system from a collection of CAPTCHA systems regarding to the information provided by the user and the information which is gathered automatically. It is suggested to not use complex CAPTCHA method because complex CAPTCHA method which requires various abilities. The suggested method provides a more user friendly system for human users with different needs, while protect the system resources from abusing by computer programs. REFERENCES
[1] A. Turing, Computing Machinery and Intelligence, Mind, vol. 59, no. 236, October 1950, pp. 433-460. [2] L. von Ahn, M. Blum, and J. Langford, Telling Humans and Computers Apart Automatically, Communications of the ACM, vol. 47, no. 2, February 2004, pp. 57-60. [3] M.H. Shirali-Shahreza and M. Shirali-Shahreza, Persian/Arabic Baffletext CAPTCHA, Journal of Universal Computer Science (J.UCS), vol. 12, no. 12, December 2006, pp. 1783-1796. [4] H. S. Baird, and J. L. Bentley, "Implicit CAPTCHAs," Proceedings of SPIE/IS&T Conf. on Document Recognition and Retrieval XII (DR&R2005), San Jose, 2005, pp. 191-196. [5] T. Y Chan, "Using a Text-to-Speech Synthesizer to Generate a Reverse Turing Test," Proceedings of the 15th International Conf. on Tools with Artificial Intelligence, 2003, pp. 226-232. [6] M. Shirali-Shahreza and S. Shirali-Shahreza, "Drawing CAPTCHA," Proceedings of the 28th International Conference Information Technology Interfaces (ITI 2006), Cavtat, Dubrovnik, Croatia, June 19-22, 2006, pp. 475-480.

[7] M. Blum, L. von Ahn, and J. Langford, The CAPTCHA Project, (Completely Automatic Public Turing Test to tell Computers and Humans Apart), School of Computer Science, CarnegieMellon University, November 2000, http://www.captcha.net [8] H. S. Baird and K. Popat, "Human Interactive Proofs and Document Image Analysis," Proceedings of 5th IAPR International Workshop on Document Analysis Systems, Princeton, LNCS 2423, 2002, pp. 507-518. [9] G. Mori and J. Malik, "Recognizing Objects in Adversarial Clutter: Breaking a Visual CAPTCHA," Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, Madison, USA, 2003, pp. 134-141. [10] G. Moy et al, "Distortion Estimation Techniques in Solving Visual CAPTCHAs," Proceedings of the 2004 IEEE Computer Society Conference on Computer Vision and Pattern Recognition, vol. 2, 2004, pp. 23-28. [11] M. Shirali-Shahreza and S. Shirali-Shahreza, "Collage CAPTCHA," Proceedings of the 20th IEEE International Symposium Signal Processing and Application (ISSPA 2007), Sharjah, United Arab Emirates, February 12-15, 2007. [12] Google, GMail, https://www.gmail.com [13] M. Chew, and H. S. Baird, "BaffleText: a Human Interactive Proof," Proceedings of the 10th SPIE/IS&T Document Recognition and Retrieval Conference (DR&R2003), Santa Clara, CA, 2003, pp. 305-316. [14] A. Rusu and V. Govindaraju, Handwritten CAPTCHA: using the difference in the abilities of humans and machines in reading handwritten words, Proceedings of the Ninth International Workshop on Frontiers in Handwriting Recognition (IWFHR-9), Tokyo, Japan, 2004, pp. 226 - 231. [15] PayPal, PayPal Registration, https://www.paypal.com/, last visited: 22 July 2007. [16] W.H. Liao and C. Chang, Embedding information within dynamic visual patterns, Proceedings of the IEEE International Conference on Multimedia and Expo 2004 (ICME04), Taipei, Taiwan, 2004, vol. 2, pp. 895-898. [17] Microsoft, Microsoft Hotmail, http://www.hotmail.com/, last visited: 22 July 2007. [18] H. S. Baird, and T. Riopka, "ScatterType: a Reading CAPTCHA Resistant to Segmentation Attack," Proceedings of the IS&T/SPIE Document Recognition & Retrieval XII Conference, CA, 2005, pp. 197-207. [19] M.H. Shirali-Shahreza and M. Shirali-Shahreza, "Multilingual CAPTCHA," Proceedings of 5th IEEE International Conference on Computational Cybernetics (ICCC 2007), Gammarth, Tunisia, October 19-21, 2007, pp. 135-139. [20] M. Shirali-Shahreza and S. Shirali-Shahreza, "Passwordless Login System for Mobile Phones Using CAPTCHA," Proceedings of the 49th International Symposium ELMAR-2007 focused on Mobile Multimedia, Zadar, Croatia, September 12-14, 2007, pp. 243-246. [21] J. Holman, J. Lazar, J.H. Feng, and J. D'Arcy, Developing usable CAPTCHAs for blind users, Proceedings of the 9th international ACM SIGACCESS Conference on Computers and Accessibility (Assets '07), October 15 - 17, 2007, pp. 245-246. [22] M. Shirali-Shahreza and S. Shirali-Shahreza, "CAPTCHA for Blind People," Proceedings of the 7th IEEE International Symposium on Signal Processing and Information Technology (ISSPIT 2007), Cairo, Egypt, December 15-18, 2007, pp. 995998.

440

2008 International Symposium on Communications and Information Technologies (ISCIT 2008)