Professional Documents
Culture Documents
An End-to-End Attack On Text CAPTCHAs
An End-to-End Attack On Text CAPTCHAs
Abstract— Text-based CAPTCHAs are the most widely used aimed at hollow text CAPTCHAs; [3] used a brute-force
CAPTCHA scheme. Most text-based CAPTCHAs have been approach with a high cost; and [4] utilized a Gabor filter,
cracked. However, previous works have mostly relied on a series but the component combination was complex, and the graph
of preprocessing steps to attack text CAPTCHAs, which was
complicated and inefficient. In this paper, we introduce a simple, search was time-consuming. With the development of deep
generic, and effective end-to-end attack on text CAPTCHAs learning, the application of deep learning to CAPTCHA break-
without any preprocessing. Through a convolutional neural ing has become a trend. Reference [5] introduced a convo-
network and an attention-based recurrent neural network, our lutional neural network (CNN) in their attack on Microsoft’s
attack broke a wide range of real-world text CAPTCHAs that CAPTCHA in 2015. In 2018, Tang et al. [6] claimed that they
are deployed by the top 50 most popular websites ranked by
Alexa.com. In addition, this paper comprehensively analyzed the proposed a generic method, and they adopted a CNN as well.
security of most resistance mechanisms of text-based CAPTCHAs However, these methods were mostly based on preprocessing
through experiments. Experimental results prove that the anti- and segmentation techniques, which were complicated and
segmentation principle can be completely broken under deep inefficient.
learning attacks without any segmentation or preprocessing steps In this paper, we propose an end-to-end method that is
in contrast to commonly held beliefs.
simple, generic and effective in breaking text CAPTCHAs.
Index Terms— CAPTCHA, text-based, security, CNN, RNN, This method utilizes an attention-based model that consists of
attention, deep learning. a CNN and a recurrent neural network (RNN). We tested our
I. I NTRODUCTION attack on text CAPTCHAs deployed by the top 50 most popu-
lar websites (ranked by Alexa.com). The experimental results
C APTCHA (Completely Automated Public Turing Test to
Tell Computers and Humans Apart) is used to distinguish
malicious bots from legitimate users [1] by automatically
demonstrated that our model obtained high success rates
without any segmentation or other preprocessing techniques.
Additionally, we conducted a systematic analysis of the
setting up specified tests that are difficult for computers
effectiveness of all common resistance mechanisms under deep
but easy for humans. This technology has almost become a
learning attacks. Our targeted schemes cover almost all real-
standard security mechanism used to prevent automatic voting,
world CAPTCHA design features. The analysis proved that the
registration, spam and dictionary attacks on passwords on
segmentation-resistance principle may no longer be applicable
websites. The most commonly used type of CAPTCHA is
under deep learning attacks. This paper also analyzed the
a text-based CAPTCHA that requires the user to decipher
security of a series of uncommon CAPTCHAs. All target
characters within an image.
CAPTCHAs were broken with high success rates, indicating
To enhance the security of text CAPTCHAs, CAPTCHA
that our model is generic for various CAPTCHA schemes.
designers have made every effort to design CAPTCHAs that
The rest of this paper is organized as follows: Section II
are robust to different automated attacks, and their measures
first briefly introduces the most commonly used CAPTCHA
have included distorting or rotating characters and applying
resistance mechanisms, then summarizes previous methods in
noise or a complex background. In early studies, the process
text-based CAPTCHA breaking; Section III introduces the
of mainstream segmentation-based attacks consisted of three
network structure of our model and the training process in
main steps: preprocessing, segmentation and recognition. Con-
detail; Section IV evaluates the security of a range of real-
sidering that different CAPTCHA schemes may have distinct
world text CAPTCHAs; Section V makes a comprehensive
features due to their unique designs and generation algorithms,
analysis of the effectiveness of existing resistance schemes;
attackers must accordingly design different preprocessing and
Section VI outlooks the development direction of text-based
segmentation methods. It is clear that the whole attack process
CAPTCHAs in the future; and Section VII concludes the
is very tedious and lacks generalization capacity. Some pre-
paper.
vious studies claimed to propose generic methods [2]–[4],
but these methods still have limitations. Reference [2] only
II. BACKGROUND
Manuscript received July 11, 2018; revised April 7, 2019 and May 25,
2019; accepted July 9, 2019. Date of publication July 15, 2019; date of current A. Summary of Resistance Mechanisms
version September 24, 2019. This work was supported by the National Natural
Science Foundation of China under Grant 61472311. The associate editor Text CAPTCHAs are the most commonly used CAPTCHA
coordinating the review of this manuscript and approving it for publication schemes. The intuitiveness and low cost of generation are
was Prof. Karen Renaud. (Corresponding author: Haichang Gao.) the main reasons for the popularity of this type. However,
The authors are with the Institute of Software Engineering, Xidian Univer-
sity, Xi’an 710071, China (e-mail: hchgao@xidian.edu.cn). since the development of image processing techniques, early
Digital Object Identifier 10.1109/TIFS.2019.2928622 text CAPTCHAs are vulnerable to rogue programs due to
1556-6013 © 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY SURATHKAL. Downloaded on September 13,2022 at 15:13:58 UTC from IEEE Xplore. Restrictions apply.
754 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 15, 2020
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY SURATHKAL. Downloaded on September 13,2022 at 15:13:58 UTC from IEEE Xplore. Restrictions apply.
ZI et al.: END-TO-END ATTACK ON TEXT CAPTCHAs 755
of their method remains to be tested. In 2017, Le et al. [18] the ILSVRC2014 image classification task [22], was used as
combined a CNN and an RNN and proposed a end-to-end the CNN feature extractor. Another reason that we choose the
model. The CNN structure consists of six convolutional layers, Inception-v3 network is that the inception block increases the
three max-pooling layers and two fully-connected layers. First, depth and width of network. According to the empirical
the CNN embeds a CAPTCHA image into a fixed-dimensional CNN design principles proposed by [21], increasing the
embedding vector. At each time step, the LSTM concatenates network depth and width tends to contribute to better network
the image embedding, the hidden state and the one-hot pre- performance.
diction of the prior time step as input to predict the one-
hot prediction of each character. But when solving real-world B. Character Recognition
CAPTCHAs, their model requires extra finetuning process, The core of our model is an LSTM. It works as a decoder
making their method a two-stage attack. George et al. [19] to transfer the feature vector f into a text sequence. Compared
proposed a recursive cortical network (RCN) that broke four to a traditional RNN, which performs poor in storing infor-
schemes with success rates ranging from 57.1% to 66.6%. mation over extended time intervals, the LSTM overcomes
For each scheme, nine parameters of this network must be set the weakness of the RNN in long-term dependencies and
manually. Additionally, the average attack speed is 94 seconds, explicitly learns when to store information. In a traditional
which is extremely slow. sequence-to-sequence model, at each time step, the decoder
takes the whole embedding vector f as the input directly.
III. N ETWORK S TRUCTURE This paper introduces the attention mechanism into our model.
Our goal is to recognize the complete character sequence The bottleneck of the traditional encoder-decoder structure
without any segmentation. We use a sequence-to-sequence is that the input is constant, which limits the representation
model similar to that in [20], which was originally designed for capability of the model. The attention mechanism allows the
the text recognition task in natural scenes, in our experiment. decoder to ignore irrelevant information while preserving the
The model is based on a CNN, a long short-term memory most significant information of the feature vector f. In essence,
(LSTM) network and a new attention mechanism. The archi- the attention mechanism assigns different weights to different
tecture is briefly illustrated in Figure 2. The model mainly parts of the feature vector, so that the model can focus on a
consists of two parts: an encoder and a decoder. specific part of the feature vector at each time step, making the
predictions more accurate. This is the fundamental reason why
our method can recognize every individual character without
A. Feature Extraction segmentation.
The encoder of our model is essentially a CNN. The CNN Bahdanau’s [23] team adopted the attention mechanism in
is used to extract features from the whole CAPTCHA image. the RNN encoder-decoder framework to address the machine
Specifically, the function of the CNN is to embed the original translation task. They first calculated the relevance of different
CAPTCHA image into an embedding vector that contains parts of the input and output. Based on this intermediate result,
the global information of the original CAPTCHA image. The they assigned different weights to the context vectors when
feature vector extracted by the encoder is denoted as f = fi, j,c predicting each target word. The attention mechanism helped
(i and j index the location in the feature map, and c indexes them achieve a good performance.
the channels). In [24], Chorowski et al. proposed a location-aware attention
The Inception-v3 network [21], which is the key component mechanism. Their method measured the relevance of each part
of GoogLeNet and achieves excellent performance in of the feature map by integrating information of the hidden
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY SURATHKAL. Downloaded on September 13,2022 at 15:13:58 UTC from IEEE Xplore. Restrictions apply.
756 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 15, 2020
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY SURATHKAL. Downloaded on September 13,2022 at 15:13:58 UTC from IEEE Xplore. Restrictions apply.
ZI et al.: END-TO-END ATTACK ON TEXT CAPTCHAs 757
TABLE I
R ESISTANCE M ECHANISMS OF TARGETED CAPTCHA S CHEMES
The testing samples were input to each of the five trained For each scheme, we collected 10,000 CAPTCHA images
models respectively to output the final prediction. from the corresponding website and manually labeled their
With 10,000 training samples, a success rate of 42.7% answers. Of these, 8500 samples were used for training,
was achieved. As the number of image samples of the train- 1000 for validating and the remaining 500 for testing. We used
ing set increased to 50,000, 100,000, 150,000, and 200,000, the method described in Section IV(A) to calculate the final
the success rate increased to 87.9%, 94.5%, 97.4%, and 98.3% success rates. Table II summarizes the attack results for every
respectively. The average processing time per image was less CAPTCHA scheme. Specifically, Baidu, Jd and 360 deployed
than 0.13 seconds, which is 2 times faster than [12] and more than one kind of CAPTCHA, so we performed our attack
62 times faster than [4]. Obviously, despite the complexity and on their different schemes separately. The final success rates
user-unfriendliness of the Google CAPTCHA, our method has ranged from 74.8% to 97.3%, proving we broke all target
achieved excellent results in both success rate and speed. schemes successfully. The average attack speeds ranged from
0.08 to 0.23 seconds. These results not only far exceeded the
speed of humans but also surpassed those of most traditional
B. Large-Scale Attack methods that are based on segmentation (6.22 seconds per
image for [3], 15 seconds for [4], and 9.05 seconds for [13]).
To evaluate the effectiveness of our attack more compre-
hensively, we chose sixteen CAPTCHA schemes deployed
by eleven websites, including Wikipedia, Baidu, QQ, Sina, C. Comparison With Prior Works
Weibo, Jd, 360, Apple, Yandex, Alipay and Microsoft, which Table III compares the results of our attack with those
are ranked in the top 50 according to the Alexa.com traffic of previous methods. Obviously, our results outperformed
rankings as of February 2018. Their design features cov- all other CAPTCHA crackers. Moreover, our attack doesn’t
ered almost all current mainstream resistance mechanisms, need any segmentation or preprocessing process, unlike tradi-
as shown in Table I. tional text CAPTCHA breaking techniques, thus making our
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY SURATHKAL. Downloaded on September 13,2022 at 15:13:58 UTC from IEEE Xplore. Restrictions apply.
758 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 15, 2020
TABLE II TABLE IV
ATTACK R ESULTS ON THE CAPTCHA S CHEMES ATTACK R ESULTS W ITH D IFFERENT N UMBER OF T RAINING S AMPLES
D EPLOYED BY 11 W EBSITES
TABLE III
C OMPARISON W ITH P REVIOUS W ORKS
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY SURATHKAL. Downloaded on September 13,2022 at 15:13:58 UTC from IEEE Xplore. Restrictions apply.
ZI et al.: END-TO-END ATTACK ON TEXT CAPTCHAs 759
Fig. 4. The effect of the number of training samples on the attack success
rate.
V. C OMPREHENSIVE A NALYSIS
In this section, we first introduced an automatic CAPTCHA
generation system. By imitating the features of real-world
CAPTCHA schemes, we generated five different CAPTCHA
schemes and implemented our attacks on the corresponding
real-world CAPTCHAs. Then, we explored whether it is
possible to train the model with one CAPTCHA scheme and
use the trained model to break another scheme. Next, we com-
prehensively studied the security of the most commonly used Fig. 5. The framework of our CAPTCHA generation system. The system
resistance mechanisms and some special mechanisms such as first generates single characters according to pre-defined parameters; next,
it embeds generated characters into a background image; finally, the system
the mix-background scheme, stylization and two-layer struc- selectively adds global interference.
ture. Taking the Chinese CAPTCHAs as examples, we also
studied the security of large alphabet CAPTCHAs. Finally, TABLE V
we trained a generic model applicable to multiple CAPTCHA ATTACK R ESULTS W ITH S YNTHETIC CAPTCHA S AMPLES
categories.
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY SURATHKAL. Downloaded on September 13,2022 at 15:13:58 UTC from IEEE Xplore. Restrictions apply.
760 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 15, 2020
TABLE VI
ATTACK R ESULTS OF BASELINE M ODELS AND F INE -T UNED M ODELS
For Chinese CAPTCHAs, the font library contains three fonts: synthetic samples. Therefore, the time cost of using synthetic
KaiTi, SimSun and Microsoft YaHei. samples to break CAPTCHAs may be even higher.
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY SURATHKAL. Downloaded on September 13,2022 at 15:13:58 UTC from IEEE Xplore. Restrictions apply.
ZI et al.: END-TO-END ATTACK ON TEXT CAPTCHAs 761
TABLE VII
ATTACK R ESULTS ON D IFFERENT R ESISTANCE M ECHANISM C OMBINATIONS
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY SURATHKAL. Downloaded on September 13,2022 at 15:13:58 UTC from IEEE Xplore. Restrictions apply.
762 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 15, 2020
TABLE IX
U SABILITY A NALYSIS OF THE T WO C OMPLEX CAPTCHA S CHEMES
TABLE X
ATTACK R ESULTS ON S PECIAL R ESISTANCE M ECHANISMS
Fig. 6. The attack success rates on CAPTCHAs that adopt different number
of fonts.
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY SURATHKAL. Downloaded on September 13,2022 at 15:13:58 UTC from IEEE Xplore. Restrictions apply.
ZI et al.: END-TO-END ATTACK ON TEXT CAPTCHAs 763
TABLE XI
ATTACK R ESULTS ON C HINESE CAPTCHA S
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY SURATHKAL. Downloaded on September 13,2022 at 15:13:58 UTC from IEEE Xplore. Restrictions apply.
764 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 15, 2020
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY SURATHKAL. Downloaded on September 13,2022 at 15:13:58 UTC from IEEE Xplore. Restrictions apply.
ZI et al.: END-TO-END ATTACK ON TEXT CAPTCHAs 765
Google CAPTCHA with a success rate of 98.3%, thereby [11] J. Yan and A. S. El Ahmad, “A low-cost attack on a microsoft
outperforming all previous attacks. We also cracked a large CAPTCHA,” in Proc. 15th ACM Conf. Comput. Commun. Secur., 2008,
pp. 543–554.
amount of real-world text CAPTCHAs that are deployed by [12] O. Starostenko, C. Cruz-Perez, F. Uceda-Ponga, and V. Alarcon-Aquino,
the top 50 websites as ranked by Alexa.com. The success rates “Breaking text-based CAPTCHAs with variable word and charac-
ranged from 74.8% to 97.3%. The average speed was less than ter orientation,” Pattern Recognit., vol. 48, no. 4, pp. 1101–1112,
2015.
0.23 seconds per challenge. [13] H. Gao, M. Tang, Y. Liu, P. Zhang, and X. Liu, “Research on the secu-
We comprehensively analyzed the security of eight com- rity of microsoft’s two-layer CAPTCHA,” IEEE Trans. Inf. Forensics
mon resistance mechanisms by attacking seven generated Security, vol. 12, no. 7, pp. 1671–1685, Jul. 2017.
[14] PWNtcha. Pretend We’re Not a Turing Computer but a Human Antag-
CAPTCHA schemes adopting these mechanisms. We also onist. Accessed: Dec. 4, 2009. [Online]. Available: http://caca.zoy.
performed our attack on some special resistance mechanisms org/wiki/PWNtcha
including the mixed-background scheme, stylized scheme and [15] S. Li, S. A. H. Shah, M. A. U. Khan, S. A. Khayam, A.-R. Sadeghi,
and R. Schmitz, “Breaking e-banking CAPTCHAs,” in Proc. 26th Annu.
two-layer scheme. In addition, our method is not only applica- Comput. Secur. Appl. Conf., 2010, pp. 171–180.
ble to common text CAPTCHAs that are based on Roman [16] E. Bursztein, M. Martin, and J. Mitchell, “Text-based CAPTCHA
characters but also to CAPTCHAs that are based on large strengths and weaknesses,” in Proc. 18th ACM Conf. Comput. Commun.
Secur., 2011, pp. 125–138.
alphabets, such as Chinese. Experiments also proved that [17] F. Stark, C. Hazırbas, R. Triebel, and D. Cremers, “CAPTCHA recog-
our method is able to perform selective recognition. Finally, nition with active deep learning,” in Proc. GCPR Workshop New
we examined the feasibility of using one generic model to Challenges Neural Comput., 2015, pp. 1–8.
[18] T. A. Le, A. G. Baydin, R. Zinkov, and F. Wood, “Using synthetic data
attack multiple CAPTCHA schemes. to train neural networks is model-based reasoning,” in Proc. Int. Joint
The experimental results presented in this paper proved Conf. Neural Netw. (IJCNN), May 2017, pp. 3514–3521.
that most real-world text CAPTCHAs are not secure, and [19] D. George et al., “A generative vision model that trains with high
data efficiency and breaks text-based CAPTCHAs,” Science, vol. 358,
the existing resistance mechanisms are also not as effective no. 6368, p. eaag2612, 2017.
as expected. Our experimental results also overturned the [20] Z. Wojna et al., “Attention-based extraction of structured information
segmentation-resistance principle. Instead, the recognition- from street view imagery,” 2017, arXiv:1704.03549. [Online]. Available:
https://arxiv.org/abs/1704.03549
resistance principle may be the development direction for [21] C. Szegedy, V. Vanhoucke, S. Ioffe, J. Shlens, and Z. Wojna, “Rethinking
text-based CAPTCHAs. In addition, new techniques such as the inception architecture for computer vision,” in Proc. IEEE Conf.
adversarial examples could be used to improve the security of Comput. Vis. Pattern Recognit., Jun. 2016, pp. 2818–2826.
[22] O. Russakovsky et al., “ImageNet large scale visual recognition
text-based CAPTCHAs. challenge,” Int. J. Comput. Vis., vol. 115, no. 3, pp. 211–252,
We expect that our work will help to promote the security Dec. 2015.
of text CAPTCHAs. Current text CAPTCHAs are no longer [23] D. Bahdanau, K. Cho, and Y. Bengio, “Neural machine translation by
jointly learning to align and translate,” 2014, arXiv:1409.0473. [Online].
secure. How to design CAPTCHAs that are resistant to deep Available: https://arxiv.org/abs/1409.0473
learning attacks while maintaining user friendliness is an open [24] J. K. Chorowski, D. Bahdanau, D. Serdyuk, K. Cho, and Y. Bengio,
problem and the subject of our ongoing work. “Attention-based models for speech recognition,” in Proc. Adv. Neural
Inf. Process. Syst., 2015, pp. 577–585.
[25] H. Gao et al., “Robustness of text-based completely automated public
turing test to tell computers and humans apart,” IET Inf. Secur., vol. 10,
R EFERENCES no. 1, pp. 45–52, 2016.
[26] J. Chen, X. Luo, Y. Guo, Y. Zhang, and D. Gong, “A survey on breaking
[1] L. Von Ahn, M. Blum, and J. Langford, “Telling humans and computers technique of text-based CAPTCHA,” Secur. Commun. Netw., vol. 2017,
apart automatically,” Commun. ACM, vol. 47, no. 2, pp. 56–60, 2004. Dec. 2017, Art. no. 6898617.
[2] H. Gao, W. Wang, J. Qi, X. Wang, X. Liu, and J. Yan, “The robustness of [27] E. Bursztein, S. Bethard, C. Fabry, J. C. Mitchell, and D. Juraf-
hollow CAPTCHAs,” in Proc. ACM SIGSAC Conf. Comput. Commun. sky, “How good are humans at solving CAPTCHAs? A large
Secur., 2013, pp. 1075–1086. scale evaluation,” in Proc. IEEE Symp. Secur. Privacy, May 2010,
[3] E. Bursztein, J. Aigrain, A. Moscicki, and J. C. Mitchell, “The end is pp. 399–413.
nigh: Generic solving of text-based CAPTCHAs,” in Proc. WOOT, 2014, [28] L. A. Gatys, A. S. Ecker, and M. Bethge, “A neural algorithm of artistic
pp. 1–15. style,” 2015, arXiv:1508.06576. [Online]. Available: https://arxiv.org/
[4] H. Gao et al., “A simple generic attack on text CAPTCHAs,” in Proc. abs/1508.06576
NDSS, 2016, pp. 1–26. [29] J. Johnson, A. Alahi, and L. Fei-Fei, “Perceptual losses for real-time
[5] C. Hong, B. Lopez-Pineda, K. Rajendran, and A. Recasens, “Breaking style transfer and super-resolution,” in Proc. Eur. Conf. Comput. Vis.
microsoft’s CAPTCHA,” Comput. Netw. Secur. Term Projects, MIT, Cham, Switzerland: Springer, 2016, pp. 694–711.
Cambridge, MA, USA, Tech. Rep. 6.857, 2015. [30] A. Algwil, D. Ciresan, B. Liu, and J. Yan, “A security analysis of
[6] M. Tang, H. Gao, Y. Zhang, Y. Liu, P. Zhang, and P. Wang, “Research automated chinese turing tests,” in Proc. 32nd Annu. Conf. Comput.
on deep learning techniques in breaking text-based CAPTCHAs and Secur. Appl., 2016, pp. 520–532.
designing image-based CAPTCHA,” IEEE Trans. Inf. Forensics Security, [31] K. Simonyan, A. Vedaldi, and A. Zisserman, “Deep inside convolu-
vol. 13, no. 10, pp. 2522–2537, Oct. 2018. tional networks: Visualising image classification models and saliency
[7] G. Mori and J. Malik, “Recognizing objects in adversarial clutter: maps,” 2013, arXiv:1312.6034. [Online]. Available: https://arxiv.org/
Breaking a visual CAPTCHA,” in Proc. IEEE Comput. Soc. Conf. abs/1312.6034
Comput. Vis. Pattern Recognit., vol. 1, Jun. 2003, p. 1. [32] K. Chellapilla, K. Larson, P. Y. Simard, and M. Czerwinski, “Computers
[8] G. Moy, N. Jones, C. Harkless, and R. Potter, “Distortion estimation beat humans at single character recognition in reading based human
techniques in solving visual CAPTCHAs,” in Proc. IEEE Comput. Soc. interaction proofs (HIPs),” in Proc. CEAS, 2005, pp. 1–8.
Conf. Comput. Vis. Pattern Recognit. (CVPR), vol. 2, Jun./Jul. 2004, [33] C. Szegedy et al., “Intriguing properties of neural networks,” 2013,
p. 2. arXiv:1312.6199. [Online]. Available: https://arxiv.org/abs/1312.6199
[9] K. Chellapilla and P. Y. Simard, “Using machine learning to break visual [34] I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harness-
human interaction proofs (HIPs),” in Proc. Adv. Neural Inf. Process. ing adversarial examples,” 2014, arXiv:1412.6572. [Online]. Available:
Syst., 2005, pp. 265–272. https://arxiv.org/abs/1412.6572
[10] J. Yan and A. S. El Ahmad, “Breaking visual CAPTCHAs with naive [35] M. Sharif, S. Bhagavatula, L. Bauer, and M. K. Reiter, “A general frame-
pattern recognition algorithms,” in Proc. 23rd Annu. Comput. Secur. work for adversarial examples with objectives,” 2017, arXiv:1801.00349.
Appl. Conf. (ACSAC), Dec. 2007, pp. 279–291. [Online]. Available: https://arxiv.org/abs/1801.00349
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY SURATHKAL. Downloaded on September 13,2022 at 15:13:58 UTC from IEEE Xplore. Restrictions apply.
766 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 15, 2020
Yang Zi is currently pursuing the master’s degree in Zhouhang Cheng is currently pursuing the master’s
computer science with Xidian University. His current degree in computer science with Xidian University.
research interest is captcha. Her current research interest is captcha.
Haichang Gao is currently a Professor with the Yi Liu is currently pursuing the master’s degree in
Institute of Software Engineering, Xidian University. computer science with Xidian University. His current
He has published over 30 papers. He is currently research interest is captcha.
in charge of the National Natural Science Founda-
tion of China Project. His current research interests
include captcha, computer security, and machine
learning.
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY SURATHKAL. Downloaded on September 13,2022 at 15:13:58 UTC from IEEE Xplore. Restrictions apply.