This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TMM.2020.3013376, IEEE Transactions on Multimedia
1520-9210 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: Carleton University. Downloaded on August 06,2020 at 01:46:57 UTC from IEEE Xplore. Restrictions apply.
of simply increasing content complexity? The key lies in finding an algorithm limitation compatible with the scheme of character images. One candidate is the vulnerability to visual distortions. We have conducted data analysis and observed that humans and algorithms exhibit different vulnerabilities to visual distortions (the observations are detailed in Section III). This inspires us to exploit distortions that are friendly to humans but obstructive to algorithms to pollute the original character CAPTCHA. Specifically, adversarial perturbation [12] exactly meets this requirement: adversarial attack¹ and CAPTCHA share the common intention that humans are insensitive to, but algorithms are significantly affected by, the same distortion. The notorious characteristic of adversarial perturbation for visual understanding turns out to be exactly the desired one for CAPTCHA design.

¹Adversarial attack refers to the process of adding small but specially crafted perturbations to generate adversarial examples that mislead algorithms. To avoid confusion with the process of attacking CAPTCHAs, in this study we use "adversarial attack" to indicate the generation of adversarially distorted CAPTCHAs and "CAPTCHA crack" to indicate the attempt to pass CAPTCHAs with algorithms.

Inspired by this, we employ adversarial perturbation to design robust character-based CAPTCHAs in this study. The current state-of-the-art cracking solution views CAPTCHA OCR (Optical Character Recognition) as a sequential recognition problem [13]–[17]. To remove potential distortions, image preprocessing operations are typically added before OCR. Correspondingly, in this study we propose to simultaneously attack multiple targets to address the sequential recognition issue (Section IV-A), and to differentiably approximate image preprocessing operations (Section IV-C) and stochastic image transformations (Section IV-D) in the adversarial example generation process, so as to cancel out their potential influence. Moreover, since we have no knowledge of the detailed algorithm a cracking solution uses (e.g., the neural network structure), the generated adversarial examples are expected to be resistant to unknown OCR algorithms in black-box cracking. This study resolves this issue via ensemble adversarial training, generating adversarial examples effective against multiple algorithms (Section IV-B). In summary, the contributions of this study are two-fold:
• We have discovered the different vulnerabilities of humans and algorithms to visual distortions. Based on these observations, adversarial perturbation is employed to improve the robustness of character-based CAPTCHAs.
• Corresponding to the characteristics of typical OCR cracking solutions, we propose a novel methodology addressing sequential recognition, non-differentiable image preprocessing, stochastic image transformation, and black-box cracking.

II. RELATED WORK

A. Character-based CAPTCHAs

In online services, character-based CAPTCHAs are the most popular protection to deter character recognition programs. Since the initial goal of CAPTCHA, friendly design and security of CAPTCHAs have been studied together. A fundamental requirement of CAPTCHAs is that they be easy for humans but difficult for computers. In traditional CAPTCHA design, the trade-off between usability and security is difficult to balance. Three traditional designs are most common: background confusion, using lines, and collapsing [18]. Some studies instead use automatic generation methods to synthesize CAPTCHA images, e.g., using GANs, rather than manual design [19]. These automatic methods, which are applied to both character-based and image-based CAPTCHAs, are novel approaches for generating CAPTCHAs, but they still attempt to increase the content complexity of CAPTCHAs.

To overcome the limitations of traditional character-based CAPTCHAs, other designs have been proposed, e.g., 3D-based CAPTCHAs and animated CAPTCHAs [18]. 3D approaches to CAPTCHA design involve rendering 3D models into an image [20], [21]. However, it has been demonstrated that this approach is easy to attack [22], [23]. Animated CAPTCHAs further attempt to incorporate a time dimension into the design, which is assumed to increase the security of the resulting CAPTCHA. Nevertheless, techniques that can successfully attack these CAPTCHA designs have been developed [24].

The last few years have witnessed deep learning playing an important role in the field of artificial intelligence, and the recognition rate of character-based CAPTCHAs increases year by year. George et al. proposed a hierarchical model called the Recursive Cortical Network (RCN) that incorporates neuroscience insights in a structured probabilistic generative model framework, which significantly improved the recognition rate [25]. To remove interference in the background, Ye et al. proposed a GAN-based approach for automatically transforming training data and constructing solvers for character-based CAPTCHAs [26]. Convolutional neural networks show powerful performance in recognizing various characters, including Chinese characters [27], but they suffer low recognition accuracy on confusion classes. To solve this problem, Chen et al. proposed a novel method of selectively learning confusion classes for character-based CAPTCHA recognition [28]. As the complexity of character-based CAPTCHAs increases, methods combining convolutional neural networks and recurrent neural networks achieve state-of-the-art performance [13]–[17]. In this paper, we employ an architecture consisting of convolutional neural network (CNN) layers and long short-term memory (LSTM) as the default OCR algorithm. We also test our CAPTCHAs on the latest method [17] in Section V-D, which is an attention-based model that also consists of CNN layers and LSTM.

B. Adversarial examples

While deep learning has achieved great performance, it also has security problems. Recent work has discovered that existing machine learning models, not just deep neural networks, are vulnerable to adversarial examples [12]. Given a trained classifier F with model parameters W, a
valid input x with corresponding ground truth prediction y, i.e., y = F(x) with model parameters W, it is often possible to find a similar input x′ that is close to x according to some distance metric d(x, x′) and yet causes y ≠ F(x′) with the same model parameters W. An example x′ with this property is known as an untargeted adversarial example. A more powerful but more difficult variant, the targeted adversarial example, requires more than a misclassification: for a target label t with t ≠ y, it must hold that t = F(x′) with model parameters W.

Prior work on adversarial examples can be generally classified into two categories: white-box attacks and black-box attacks. A white-box attack has full knowledge of the trained classifier F, including the model architecture and model parameters W. A black-box attack has no or limited knowledge of the trained classifier F. The black-box setting is apparently harder for attackers than the white-box setting because no gradient information is leaked. It may seem that black-box attacks are impossible, but adversarial examples that affect one model can often affect another model, a property called transferability [29]. In this paper, we rely on transferability and deploy ensemble-based approaches to generate adversarial CAPTCHAs.

Szegedy et al. [12] first pointed out adversarial examples and proposed a box-constrained L-BFGS method to find them. To decrease the expensive computation, Goodfellow et al. [30] proposed the fast gradient sign method (FGSM), which generates adversarial examples by performing a single gradient step. Kurakin et al. [31] extended this method to an iterative version and found that adversarial examples can influence the physical world. Dong et al. [32] further extended the fast gradient sign method family by proposing momentum-based iterative algorithms. In addition, there are more powerful methods known as optimization-based attacks. DeepFool [33] is an attack technique optimized for the L2 distance metric; it is based on the assumption that the decision boundary is partly linear, so that the distance and direction from data points to the decision boundary can be calculated approximately. C&W [34] is another targeted optimization-based method; it achieves its goal by increasing the probability of the target label.

To defend against adversarial examples, several defensive methods have been proposed, and this has become an active field of AI research. Referring to [35], we generally divide adversarial defensive methods into two categories. Athalye et al. [35] identify gradient masking, also called obfuscated gradients, which leads to a false sense of security in defenses against adversarial examples. The authors argue that the reason many adversarial defenses appear effective is that fast and optimization-based attack methods cannot succeed without useful gradient information. The most common gradient masking mechanisms are input transformation and stochastic gradients. Input transformation techniques, e.g., image cropping and image binarization, cause the gradients to be non-existent or incorrect; in this paper, image binarization results in non-differentiability if gradient masking is not overcome. Other defense methods randomize the network itself or randomly transform the input. These methods based on stochastic gradients lead attack methods that use a single sample of the randomness to incorrectly estimate the true gradient.

Goodfellow et al. [30] first proposed the adversarial training method, in which adversarial examples are regarded as training samples used to fit the model until these samples are classified correctly. The idea is effective and general for all types of adversarial attacks. It makes the network more robust against adversarial examples, but costs expensive computation, especially at a large scale, e.g., the ImageNet [36] scale. In general, existing defensive methods cannot completely eliminate adversarial attacks.

Many researchers have found that adversarial examples can be applied in other tasks, such as semantic segmentation [37], face detection [38], and even speech recognition [39] and translation [40]. The majority of published papers have focused on how to eliminate the impact of adversarial examples in applications. Li et al. [41] evaluated adversarial examples among different detection services, such as violence, politician, and pornography detection. Ling et al. [42] proposed a uniform platform for the comprehensive evaluation of adversarial attacks and defenses in applications, which can benefit future adversarial example research. In contrast, studies on employing adversarial examples against malicious algorithms are relatively limited. Osadchy et al. [43] employed adversarial examples to design CAPTCHAs and analyzed their security and usability, but they only considered data types like MNIST and ImageNet instead of CAPTCHA data types. Zhang et al. [44] studied the robustness of adversarial examples on different types of CAPTCHAs and gave suggestions on how to improve the security of CAPTCHAs using adversarial examples. Shi et al. [45] improved the effectiveness of adversarial examples by using the Fourier transform to generate CAPTCHA images in the frequency domain. However, they only considered generating adversarial examples on CNN systems, which is essentially an adversarial attack algorithm based on the classification task; in contrast, the current state-of-the-art CAPTCHA cracking system consists of a feature extraction module and a sequential recognition module (CNN + LSTM). Shi et al. [46] deployed character-based adversarial CAPTCHAs on a large-scale online platform and tested the proposed CAPTCHAs on convolutional recurrent neural networks [47]. However, they omitted experiments and discussions on adversarial defense technologies, such as image binarization and adversarial training. In Section V-D, we compare our method with ACs [45] to prove that considering sequential recognition is essential. In Section V-B, we show the necessity of considering image preprocessing.
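The gradient-based attacks surveyed here can be sketched in a few lines. Below is a generic NumPy illustration of FGSM [30] and its iterative extension [31]; `loss_grad` is a hypothetical callable returning the loss gradient ∂L/∂x, not any specific library's API:

```python
import numpy as np

def fgsm(x, grad_x, eps):
    """One fast-gradient-sign step: x' = x + eps * sign(dL/dx),
    clipped back to the valid pixel range [0, 1]."""
    return np.clip(x + eps * np.sign(grad_x), 0.0, 1.0)

def iterative_fgsm(x, loss_grad, eps, alpha, steps):
    """Iterative variant [31]: repeat small FGSM steps of size alpha,
    projecting back into the eps-ball around the original image x."""
    x_adv = x.copy()
    for _ in range(steps):
        x_adv = x_adv + alpha * np.sign(loss_grad(x_adv))
        x_adv = np.clip(x_adv, x - eps, x + eps)  # stay within the eps-ball
        x_adv = np.clip(x_adv, 0.0, 1.0)          # stay a valid image
    return x_adv
```

The momentum-based variants of [32] follow the same loop but accumulate a decayed running average of gradients before taking the sign.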
Fig. 2. Human vs. algorithm vulnerability analysis results on Gaussian and adversarial distortions: (c) recognition accuracy on Gaussian distorted characters; (d) recognition accuracy on adversarially distorted characters. Both panels plot recognition accuracy for algorithm and human against distortion level (0–10).
if we design CAPTCHAs by adding Gaussian white noise, then as the noise level increases, the resultant CAPTCHAs will critically confuse humans instead of obstructing the cracking OCR algorithms.

For adversarially distorted CAPTCHAs, we observed quite the opposite recognition results. Fig. 2(d) shows that humans are more robust to adversarial perturbations, while the OCR algorithm is highly vulnerable as the adversarial distortion increases. This is not surprising, since adversarial perturbation is specially crafted to change the algorithm's decision under the condition of not confusing humans. This characteristic of adversarial perturbation demonstrates one important limitation of algorithms with respect to human ability, which perfectly satisfies the requirement of robust CAPTCHA: the algorithm tends to fail, while the human remains successful. Therefore, we are motivated to employ adversarial examples to design robust CAPTCHAs that distinguish between algorithm and human.

B. Characteristics Affecting Robust CAPTCHA Design

The previous subsection observes that adversarial perturbation is effective at misleading state-of-the-art OCR algorithms, which shows its potential for designing robust CAPTCHAs. However, a typical CAPTCHA cracking solution involves more than OCR; e.g., image preprocessing operations like binarization and Gaussian filtering will be applied to remove distortions before the image is issued to the OCR module. Fig. 3(a) illustrates adversarially distorted CAPTCHA images before and after binarization preprocessing. It is easy to conceive that the effectiveness of adversarial perturbation will be critically affected by image preprocessing operations.

We further quantified this effect by analyzing the OCR performance on the same adversarially distorted CAPTCHA images from the previous subsection. The recognition accuracies on the CAPTCHAs before and after binarization preprocessing are plotted and compared in Fig. 3(b). It is shown that, after removing most distortions via image binarization, the OCR algorithm demonstrates basically stable performance in recognition.

…generation framework consists of three modules: multi-target attack, ensemble adversarial training, and image preprocessing differentiable approximation. The proposed framework and its relation to CAPTCHA cracking are illustrated on the right of Fig. 4.

A. Multi-target Attack towards Sequential Recognition

Typical CAPTCHAs usually contain more than one character for recognition; e.g., the example CAPTCHAs contain 4 characters. Therefore, state-of-the-art CAPTCHA cracking solutions are forced to address a sequential character recognition problem at the OCR stage [48]. Specifically, the OCR stage consists of three sub-modules: feature extraction, sequential recognition, and output decoding. Feature extraction is basically realized by a convolutional neural network that encodes the input image as a neural feature. Sequential recognition is typically realized by a recurrent neural network that processes the issued image neural feature and outputs multiple tokens, including characters (0-9, A-Z) and the blank token ∅². Output decoding serves to transform the sequential tokens into the final character recognition result by merging sequentially duplicated tokens and removing blank ∅ tokens. For example, the original token sequence "aa∅b∅∅ccc∅dd" will be transformed to "abcd".

While CAPTCHA cracking views OCR as a sequential recognition problem, standard adversarial perturbation is designed to attack a single target. In this study, we propose to attack multiple targets corresponding to the multiple tokens derived from OCR sequential recognition. The generated adversarial CAPTCHA image is expected to simultaneously cause misclassification of all the character tokens. For a specific token sequence t, all the characters appearing in t constitute the original set Θ, while the remaining characters from (0-9, A-Z) constitute the adversary set Θ̄. Denoting the raw image as x and the corresponding adversary image as x′, the multi-target attack is formulated as the following optimization problem:

$$\min_{x'} \; d(x, x') + \lambda \cdot \sum_{\theta_i \in \Theta} \Big[ \max_{j \neq \bar{\theta}_i} F(x')^{\theta_i}_{j} - F(x')^{\theta_i}_{\bar{\theta}_i} \Big]_{+} \qquad (1)$$
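The attack term of Eqn. (1) can be sketched as a hinge loss summed over attacked token positions. The following is a NumPy toy, not the paper's code: `logits` stands in for the per-position class scores F(x′), and the array shapes and names are illustrative assumptions:

```python
import numpy as np

def multi_target_hinge(logits, target_pos, adv_labels):
    """Second term of Eqn. (1): sum over attacked positions theta_i of
    [ max_{j != adv} F(x')_j - F(x')_adv ]_+.

    logits:     array [num_positions, num_classes], scores per token position.
    target_pos: indices of the attacked token positions (the set Theta).
    adv_labels: adversary label chosen for each attacked position (Theta-bar).
    """
    total = 0.0
    for pos, adv in zip(target_pos, adv_labels):
        scores = logits[pos]
        others = np.delete(scores, adv)               # scores of all j != adv
        total += max(others.max() - scores[adv], 0.0)  # hinge [.]_+
    return total
```

The loss reaches zero only when every attacked position already ranks its adversary label highest, i.e., the OCR is misled at all attacked tokens simultaneously.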
[Fig. 4, framework illustration: the cracking pipeline (Optical Character Recognition → sequential recognition "RR 444 GGQQ" → output decoding → recognized characters "R4GQ"), shown together with ① the multi-target attack objective of Eqn. (1) and ② the ensemble adversarial training surrogate F̃(x′) = Σₖ αₖ Jₖ(x′).]
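The output decoding rule of Section IV-A (merge duplicated tokens, then drop blanks; e.g., "aa∅b∅∅ccc∅dd" → "abcd") can be sketched as follows, writing the blank token ∅ as "-" for ASCII convenience:

```python
from itertools import groupby

BLANK = "-"  # stands in for the blank token

def decode(tokens: str) -> str:
    """Output decoding: collapse runs of duplicated tokens, then drop blanks."""
    merged = (ch for ch, _ in groupby(tokens))  # "aa-b--ccc-dd" -> "a-b-c-d"
    return "".join(ch for ch in merged if ch != BLANK)
```

This is the standard greedy CTC-style collapse; it is why misclassifying even one token position can invalidate the whole decoded string.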
When the original set Θ contains only one character, the multi-target attack reduces to a single-target attack, as in standard adversarial perturbation. In fact, according to the mechanism of output decoding in CAPTCHA cracking, we only need to misclassify any one of the character tokens to invalidate the final recognition result. Eqn. (1) provides a general formulation for attacking flexible numbers of character tokens. In practice, the number of attacked characters is one important parameter controlling the model performance: more attacked characters guarantee a higher success rate in resisting cracking, yet lead to more derived distortion and human recognition burden. The quantitative influence of the attacked character number on the image distortion level and algorithm recognition rate is discussed in Section V-C.

B. Ensemble Adversarial Training towards Black-box Cracking

As mentioned in Section I, CAPTCHA cracking may employ multiple OCR algorithms for character recognition. At the stage of designing a CAPTCHA, it is impractical to target one specific OCR algorithm, which requires designing adversarial CAPTCHA images that are effective against as many OCR algorithms as possible. Fortunately, it is recognized that adversarial perturbation is transferable between models: if an adversarial image remains effective for multiple models, it is more likely to transfer to other models as well [29]. Inspired by this, in order to improve the resistance to unknown cracking models, we propose to generate adversarial images that simultaneously mislead multiple models.

Specifically, given K white-box OCR models with the corresponding outputs of their second-to-last layers denoted J₁, ..., J_K, we re-formulate the objective function in Eqn. (1) by replacing F(x′) with F̃(x′), defined as follows:

$$\tilde{F}(x') = \sum_{k=1}^{K} \alpha_k J_k(x') \qquad (2)$$

where α_k is the ensemble weight with $\sum_{k=1}^{K} \alpha_k = 1$. In most cases α_k = 1/K, unless one model is more important than the others. Among the three sub-modules of the OCR stage, feature extraction has the most model choices (e.g., various CNN structures such as GoogLeNet [50] and ResNet [51]), which can be easily implemented into different CAPTCHA cracking solutions. Therefore, this study addresses the black-box cracking issue by attacking multiple feature extraction models. Specifically, the training data and basic structure of J_i(x′) and F(x′) are identical except for the different CNN structures in the feature extraction sub-module. Regarding the number of CNN structures, the larger the value of K, the stronger the generalization capability of the derived adversarial CAPTCHA images. However, an excessive K leads to high computational complexity and trivial weights α_k that underemphasize individual models. Referring to previous studies on ensemble adversarial attacks [52], 3–5 models achieve a good balance between transferability and practicality. In this study, we select K = 3 and evenly set α_k = 1/3. The experimental results in [52] show that, under the same training set, adversarial examples achieve stronger transferability between networks with more similar structures, so it is reasonable to choose models with large structural differences for ensemble adversarial training. The performance of employing ensemble adversarial training to resist different OCRs is reported in Section V-D.

C. Differentiable Approximation towards Image Preprocessing

The data observations in Section III-B demonstrate the distortion-removal consequences of the binarization operation, requiring us to consider the effect of image preprocessing in adversarial image generation. To address this, we regard the image preprocessing operation as part of the entire end-to-end solution, so that we can generate corresponding adversarial images that effectively mislead the whole cracking solution.
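Eqn. (2) in Section IV-B is a weighted fusion of per-model outputs. A minimal sketch follows, with toy stand-in callables for J_k (the real J_k are the second-to-last layers of CNN+LSTM OCR models) and K = 3, α_k = 1/3 as chosen in the paper:

```python
import numpy as np

def ensemble_output(x_adv, models, alphas):
    """F~(x') = sum_k alpha_k * J_k(x'): weighted fusion of the
    second-to-last-layer outputs of K white-box OCR models (Eqn. 2)."""
    assert abs(sum(alphas) - 1.0) < 1e-9  # ensemble weights must sum to 1
    return sum(a * m(x_adv) for a, m in zip(alphas, models))

# Toy stand-ins for J_1..J_3; real ones are CNN feature heads:
models = [lambda x: x + 1.0, lambda x: 2.0 * x, lambda x: x ** 2]
fused = ensemble_output(np.array([3.0]), models, [1/3, 1/3, 1/3])
```

Because F̃ is a plain weighted sum, its gradient is the same weighted sum of the individual models' gradients, so the attack of Eqn. (1) applies unchanged.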
According to their suitability for incorporation into the end-to-end solution, image preprocessing operations can be roughly divided into two categories: differentiable and non-differentiable. For each category, we select one representative operation to address in this study, i.e., Gaussian filtering and image binarization. Regarding the differentiable Gaussian filtering operation, $g(x') = \frac{1}{\sqrt{2\pi}\sigma} e^{-x'^2/(2\sigma^2)}$, we can readily …

… the input x controlled by the adversary to the "true" input t(x) perceived by the OCR, rather than optimizing the objective function for a single example. We then re-formulate the second term in Eqn. (4) by replacing x, x′ with t(x), t(x′), defined as follows:

$$\sum_{\theta_i \in \Theta} \mathbb{E}_{t \sim T} \Big[ \max_{j \neq \bar{\theta}_i} \tilde{F}(\phi(t(x')))^{\theta_i}_{j} - \tilde{F}(\phi(t(x')))^{\theta_i}_{\bar{\theta}_i} \Big]_{+} \qquad (5)$$
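As a concrete illustration of why Gaussian filtering stays differentiable: it is a convolution with a fixed kernel g, i.e., linear in the input, so gradients pass through it exactly. A 1-D NumPy sketch (illustrative, not the paper's implementation):

```python
import numpy as np

def gaussian_kernel(sigma, radius=None):
    """Sampled Gaussian g(u) proportional to exp(-u^2 / (2 sigma^2)),
    normalized so the weights sum to 1."""
    if radius is None:
        radius = int(3 * sigma) + 1  # common truncation at ~3 sigma
    u = np.arange(-radius, radius + 1, dtype=float)
    g = np.exp(-u**2 / (2 * sigma**2))
    return g / g.sum()

def gaussian_filter_1d(signal, sigma):
    """Differentiable preprocessing step: convolution with a fixed kernel,
    so d(output)/d(input) is just the kernel itself."""
    return np.convolve(signal, gaussian_kernel(sigma), mode="same")
```

Binarization, by contrast, is a hard threshold with zero gradient almost everywhere, which is why it needs the differentiable approximation φ discussed in this subsection.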
TABLE I: The recognition of different complexity levels of CAPTCHAs in the different settings. The results of algorithms are obtained after Gaussian filtering and image binarization.
Fig. 7. The influence of λ on derived image distortion and cracking recognition accuracy: (a) image distortion and (b) algorithm recognition accuracy, plotted against distortion level (10–30).
Fig. 8. The influence of |Θ| on derived image distortion and cracking recognition accuracy: (a) image distortion and (b) algorithm recognition accuracy, plotted against the number of characters attacked (1–4).
TABLE II: Transferability of adversarial images generated between pairs of models. The element (i, j) represents the accuracy of the adversarial images generated for model i (row) tested over model j (column).

Method    | Training Model | 4ConvNet | ResNet | DenseNet | GoogLeNet | GoogLeNet w/ | Average
----------|----------------|----------|--------|----------|-----------|--------------|--------
No Attack |                |   93%    |  84%   |   95%    |   97%     |   94%        |  93%
ACs       | 4ConvNet       |   54%    |  68%   |   82%    |   71%     |   70%        |  69%
          | ResNet         |   47%    |  63%   |   73%    |   53%     |   64%        |  60%
          | DenseNet       |   53%    |  70%   |   60%    |   71%     |   71%        |  65%
rCAPTCHA  | 4ConvNet       |    1%    |   3%   |   13%    |    7%     |   16%        |   8%
          | ResNet         |    8%    |   0%   |    3%    |   12%     |   11%        |   7%
          | DenseNet       |   16%    |   2%   |    3%    |   23%     |   27%        |  14%
          | Ensemble       |    0%    |   2%   |    1%    |    3%     |    7%        |   3%
          | GoogLeNet w/   |   12%    |  11%   |   18%    |    3%     |    1%        |   9%
to attack even all 4 characters, the derived CAPTCHAs are summarizes the black-box cracking recognition accuracy under
generally friendly to human and not bringing extra recognition different training-testing pairs. For example, the value of
burden. As shown in Fig. 8(b), the increase of |Θ| enhances 91% at element (1, 1) represents the recognition accuracy of
the confidence to mislead the cracking algorithm and obtains original CAPTCHA images on 4ConvNet. The value of 0%
consistently lower recognition accuracy. With the introduction of the multi-attack towards sequential recognition, the proposed rCAPTCHA method possesses the flexibility to attack an arbitrary number of characters. In our experiments, to guarantee the resistance capability, we fixed |Θ| = 4.

D. Robustness towards Different OCRs

To compare the generalization and transferability of our proposed rCAPTCHA method and ACs [45], we implemented different cracking methods and examined their recognition accuracy on the generated CAPTCHAs. To generate CAPTCHAs with our method, we trained 3 OCR models with different CNN structures, denoted as 4ConvNet, mini-ResNet, and mini-DenseNet. To generate CAPTCHAs with [45], we trained the same OCRs as above, except that the sequential recognition sub-module (LSTM) of the OCR is replaced by 4 parallel recognition networks (fully-connected layers). For testing CAPTCHAs, we trained 2 OCR models: one is the same OCR with the CNN structure of mini-GoogLeNet; the other is mini-GoogLeNet w/ attention [17], which also uses mini-GoogLeNet but adopts the attention mechanism in the LSTM. 4ConvNet uses four convolutional layers for feature extraction. The LSTM input requires a fixed-size feature vector, so we modified the native networks. The mini-XNets are employed due to their quicker convergence and the low resolution of CAPTCHA images: mini-ResNet consists of five ResBlocks and two convolutional layers, mini-DenseNet consists of four DenseBlocks with four convolutional layers, and mini-GoogLeNet consists of two Inception modules with six convolutional layers.

The three models 4ConvNet, mini-ResNet, and mini-DenseNet are selected as white boxes, with the remaining mini-GoogLeNet model and mini-GoogLeNet w/ attention as the black boxes. The black-box models are regarded as potential OCR crackers to simulate the alternative cracking choices in real-world applications. Averaged over 100 tested CAPTCHAs, Table II at element (8, 1), for example, indicates the recognition accuracy of adversarial CAPTCHAs generated with the 3 ensembled white-box models and tested on 4ConvNet. A lower accuracy value means superior resistance to cracking solutions and better transferability of the method.

In the top half of Table II (ACs), the adversarial CAPTCHAs generated without considering sequential recognition obtain higher average accuracies than rCAPTCHA. The accuracies of ACs are no lower than 60% when image preprocessing and image transformation are not involved. It is expected that employing image preprocessing and image transformation can increase the accuracy, and 60% means that these adversarial CAPTCHAs are almost fully recognized by the OCR. This demonstrates that, with the controlled variables excluded, considering the sequential recognition problem is more important than adopting the Fourier transform during the generation of adversarial CAPTCHAs. In the bottom half of Table II (rCAPTCHA), we can observe that the adversarial images generated with one model perform well on their own models but generally perform poorly on other models. However, if we generate the CAPTCHA images with ensemble training of 3 models, the testing recognition accuracies for all 5 models are no higher than 7%. This demonstrates the transferability of the proposed rCAPTCHA method in employing ensemble training against black-box cracking. Specifically, the value of 7% at element (8, 4) demonstrates that our method can perform well on GoogLeNet w/ attention (GoogLeNet w/). The reason is that the network structures of current state-of-the-art OCR models are similar (CNN + LSTM). We also generate the adversarial images on GoogLeNet w/ attention (the last row), which validates the generalization of our proposed mechanism. It is expected that with more models implemented in ensemble training, the resistance towards arbitrary black-box cracking methods will be guaranteed. In practical applications, we can carefully select white-box models with distinctly different structures to improve the generalization and transferability to specific models.
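The cross-model results above hinge on averaging white-box gradients before each attack step, so that the perturbation raises the loss of every ensembled model and transfers to unseen black boxes. A minimal sketch of that ensemble idea follows; it is not the paper's actual iterative, sequence-targeted attack, and every name and size here is illustrative:

```python
import numpy as np

def ensemble_attack_step(image, grad_fns, epsilon=0.03):
    """One FGSM-style step using the averaged loss gradient of several
    white-box OCR models (stand-ins for 4ConvNet, mini-ResNet, mini-DenseNet).

    image    : clean CAPTCHA image with pixel values in [0, 1]
    grad_fns : callables, each returning dLoss/dImage for one model
    epsilon  : L_inf perturbation budget for this step
    """
    # Average the per-model gradients over the ensemble.
    avg_grad = np.mean([g(image) for g in grad_fns], axis=0)
    # Ascend the averaged loss, then clip back to the valid pixel range.
    adversarial = image + epsilon * np.sign(avg_grad)
    return np.clip(adversarial, 0.0, 1.0)

# Toy stand-ins for the three white-box models' gradient oracles.
rng = np.random.default_rng(0)
clean = rng.random((28, 90))  # hypothetical CAPTCHA image size
grad_fns = [lambda x, w=rng.standard_normal((28, 90)): w for _ in range(3)]
adv = ensemble_attack_step(clean, grad_fns)
```

An iterative attack would repeat this step with a smaller per-step epsilon while clipping against the total perturbation budget.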
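The cross-model accuracy matrix in Table II amounts to a double loop over generation settings (single models or the ensemble) and tested OCRs. A sketch with hypothetical interfaces for the perturbation and recognition functions:

```python
import numpy as np

def accuracy_matrix(attack_settings, ocr_models, captchas):
    """Recognition-accuracy matrix: rows are generation settings,
    columns are tested OCR models. `attack_settings` maps a name to a
    perturbation function; `ocr_models` maps a name to a predict
    function. All interfaces here are hypothetical."""
    rows = {}
    for a_name, perturb in attack_settings.items():
        row = []
        for m_name, predict in ocr_models.items():
            # Count how many perturbed CAPTCHAs are still recognized.
            hits = sum(predict(perturb(img)) == label for img, label in captchas)
            row.append(hits / len(captchas))
        rows[a_name] = row
    return rows

# Toy demo: one no-op "attack" and two toy "OCRs".
captchas = [(np.zeros(4), "abcd"), (np.ones(4), "efgh")]
attacks = {"none": lambda x: x}
models = {"oracle": lambda x: "abcd" if x.sum() == 0 else "efgh",
          "broken": lambda x: "????"}
acc = accuracy_matrix(attacks, models, captchas)  # {"none": [1.0, 0.0]}
```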
TABLE III
DISTRIBUTION OF TRANSFORMATIONS

TABLE IV
THE RECOGNITION OF RAW IMAGES AND ADVERSARIAL IMAGES. THE RESULTS ARE OBTAINED AFTER STOCHASTIC TRANSFORMATION.
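The stochastic transformation referenced in Table IV is handled during generation by averaging gradients over sampled transformations (expectation over transformation, in the spirit of [53]). A minimal sketch, under the simplifying assumption that each transform's Jacobian is treated as the identity, with all names hypothetical:

```python
import numpy as np

def eot_gradient(image, grad_fn, transforms, n_samples=16, seed=0):
    """Monte-Carlo estimate of E_t[ dLoss/dImage at t(image) ].

    grad_fn    : gradient oracle of the OCR loss for a fixed input
    transforms : candidate stochastic transformations, one drawn per sample
    Each transform's Jacobian is treated as the identity (a straight-through
    simplification); exact EOT would chain the gradient through t."""
    rng = np.random.default_rng(seed)
    grads = [grad_fn(transforms[rng.integers(len(transforms))](image))
             for _ in range(n_samples)]
    return np.mean(grads, axis=0)

# Toy setup: loss = sum(x**2), so the gradient oracle returns 2*x.
grad_fn = lambda x: 2.0 * x
transforms = [
    lambda x: x,                      # identity
    lambda x: np.roll(x, 1, axis=1),  # small horizontal shift
    lambda x: np.flip(x, axis=1),     # mirror
]
img = np.arange(12.0).reshape(3, 4)
g = eot_gradient(img, grad_fn, transforms)
```

The attacker then takes attack steps along this averaged gradient, so the perturbation survives whichever transformation the defense samples at test time.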
by using differentiable approximation and expectation, one can circumvent these defenses. Prior work has shown that most adversarial defenses are based on obfuscated gradients; in this study, (1) non-differentiable image preprocessing is a kind of shattered gradients, i.e., nonexistent or incorrect gradients caused either intentionally through non-differentiable operations or unintentionally through numerical instability; and (2) stochastic image transformation is a kind of stochastic gradients, which depend on test-time randomness [35]. But if the obfuscated gradient information can be approximated, such defenses can only provide a false sense of security.

There is another kind of adversarial defense technology called adversarial training, which does not depend on obfuscated gradients. Adversarial training solves a min-max game through a conceptually simple process: train on adversarial examples until the model learns to classify them correctly [30]. To further validate adversarial defense, we study the adversarial training approach of [56] in this subsection. For this scenario, we generated/selected 500 adversarial CAPTCHA images for testing. Then we fine-tuned the model for 50,000 steps. However, due to the complexity of the OCR model compared with a common CNN model, standard adversarial training does not show its usual effectiveness: after training for 50,000 steps, the accuracy of the OCR is still 0%. So we relax the constraints of standard adversarial training to examine whether the idea of adversarial training will work, and fine-tune the model on the same 500 adversarial images used as the test set. The results are shown in Fig. 11, from which we make the following observations. As the training data increases, adversarial training significantly improves the accuracy of the OCR model. But its shortcoming is also obvious: the time cost gradually increases. Moreover, if a cracker wants to use adversarial training, he is supposed to have access to the training dataset we use and the parameters of the algorithm we choose, e.g., the distance function that minimizes the modification, and so on.

We have discussed adversarial defense technologies against the adversarial CAPTCHAs we proposed. The defense technologies based on obfuscated gradients cannot hinder this type of CAPTCHA. Adversarial training, which is based on non-obfuscated gradients, is still effective but limited in practicality.

VI. CONCLUSION

This study designs robust character-based CAPTCHAs to resist cracking algorithms by employing their unrobustness to adversarial perturbation. We have conducted data analysis and observed humans' and algorithms' different vulnerabilities to visual distortions. Based on the observation, the robust CAPTCHA (rCAPTCHA) generation framework is introduced, with the modules of multi-target attack, ensemble adversarial training, differentiable approximation to image preprocessing, and expectation over stochastic image transformation. Qualitative and quantitative experimental results demonstrate the effectiveness of the generated CAPTCHAs in resisting cracking algorithms. We ascribe the main contribution not to proposing a specific CAPTCHA system, but to introducing the idea of exploiting algorithm unrobustness to increase the robustness of automated systems towards cracking. We take the character-based CAPTCHA, which is the most friendly and effective to humans, to validate this idea with the simplest scheme. The idea is expected to be easily adopted to generate robust image-based and other CAPTCHAs.

It is noted that, similar to the game competition between adversarial attack and defense, as more CAPTCHA designers employ adversarial attack to resist cracking, future cracking solutions are expected to employ adversarial defense techniques for self-enhancement. We hope this study can draw the attention of future CAPTCHA designers to the competition between adversarial attack and defense. Moreover, with the development of deep learning and other AI algorithms, we are confronted with critical security-related problems when algorithms are maliciously utilized against humans. In this case, it is necessary to be aware of the limitations of current algorithms and to appropriately employ them to resist the abuse of algorithms.

REFERENCES

[1] A. M. Turing, "Computing machinery and intelligence," Mind, vol. 59, no. 236, p. 433, 1950.
[2] M. Naor, "Verification of a human in the loop or identification via the Turing test," 1996.
[3] L. Von Ahn, B. Maurer, C. McMillen, D. Abraham, and M. Blum, "reCAPTCHA: Human-based character recognition via web security measures," Science, vol. 321, no. 5895, pp. 1465–1468, 2008.
[4] A. A. Chandavale, A. M. Sapkal, and R. M. Jalnekar, "Algorithm to break visual CAPTCHA," in 2009 International Conference on Emerging Trends in Engineering & Technology, 2009, pp. 258–262.
[5] G. Mori and J. Malik, "Recognizing objects in adversarial clutter: Breaking a visual CAPTCHA," in 2003 IEEE Computer Society Conference on Computer Vision and Pattern Recognition, vol. 1, 2003, pp. I–I.
[6] S. Sivakorn, I. Polakis, and A. D. Keromytis, "I am robot: (deep) learning to break semantic image CAPTCHAs," in 2016 IEEE European Symposium on Security and Privacy (EuroS&P), 2016, pp. 388–403.
[7] K. He, X. Zhang, S. Ren, and J. Sun, "Delving deep into rectifiers: Surpassing human-level performance on ImageNet classification," in 2015 IEEE International Conference on Computer Vision (ICCV), 2015, pp. 1026–1034.
[8] J. F. Gemmeke, D. P. Ellis, D. Freedman, A. Jansen, W. Lawrence, R. C. Moore, M. Plakal, and M. Ritter, "Audio Set: An ontology and human-labeled dataset for audio events," in 2017 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), 2017, pp. 776–780.
[9] P. Rajpurkar, J. Zhang, K. Lopyrev, and P. Liang, "SQuAD: 100,000+ questions for machine comprehension of text," 2016.
[10] M. R. Ogiela, N. Krzyworzeka, and L. Ogiela, "Application of knowledge-based cognitive CAPTCHA in cloud of things security," Concurrency and Computation: Practice and Experience, vol. 30, no. 21, p. e4769, 2018.
[11] D. Geman, S. Geman, N. Hallonquist, and L. Younes, "Visual Turing test for computer vision systems," Proceedings of the National Academy of Sciences, vol. 112, no. 12, pp. 3618–3623, 2015.
[12] C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, and R. Fergus, "Intriguing properties of neural networks," in 2014 International Conference on Learning Representations (ICLR), 2014.
[13] Q. Liu, L. Wang, and Q. Huo, "A study on effects of implicit and explicit language model information for DBLSTM-CTC based handwriting recognition," in 2015 International Conference on Document Analysis and Recognition (ICDAR), 2015, pp. 461–465.
[14] T. M. Breuel, "High performance text recognition using a hybrid convolutional-LSTM implementation," in 2017 IAPR International Conference on Document Analysis and Recognition (ICDAR), vol. 1, 2017, pp. 11–16.
[15] M. Jenckel, S. S. Bukhari, and A. Dengel, "Transcription free LSTM OCR model evaluation," in 2018 International Conference on Frontiers in Handwriting Recognition (ICFHR), 2018, pp. 122–126.
[16] H.-R. Shin, J.-S. Park, and J.-K. Song, "OCR for drawing images using bidirectional LSTM with CTC," in 2019 IEEE Student Conference on Electric Machines and Systems (SCEMS 2019), 2019, pp. 1–4.
[17] Y. Zi, H. Gao, Z. Cheng, and Y. Liu, "An end-to-end attack on text CAPTCHAs," IEEE Transactions on Information Forensics and Security, vol. 15, pp. 753–766, 2019.
[18] Y.-W. Chow, W. Susilo, and P. Thorncharoensri, "CAPTCHA design and security issues," in Advances in Cyber Security: Principles, Techniques, and Applications, 2019, pp. 69–92.
[19] H. Kwon, Y. Kim, H. Yoon, and D. Choi, "CAPTCHA image generation systems using generative adversarial networks," IEICE Transactions on Information and Systems, vol. 101, no. 2, pp. 543–546, 2018.
[20] M. E. Hoque, D. J. Russomanno, and M. Yeasin, "2D CAPTCHAs from 3D models," in Proceedings of the IEEE SoutheastCon 2006, 2006, pp. 165–170.
[21] C. R. Macias and E. Izquierdo, "Visual word-based CAPTCHA using 3D characters," 2009.
[22] V. D. Nguyen, Y.-W. Chow, and W. Susilo, "On the security of text-based 3D CAPTCHAs," Computers & Security, vol. 45, pp. 84–99, 2014.
[23] Q. Ye, Y. Chen, and B. Zhu, "The robustness of a new 3D CAPTCHA," in 2014 IAPR International Workshop on Document Analysis Systems, 2014, pp. 319–323.
[24] V. D. Nguyen, Y.-W. Chow, and W. Susilo, "Breaking an animated CAPTCHA scheme," in International Conference on Applied Cryptography and Network Security, 2012, pp. 12–29.
[25] D. George, W. Lehrach, K. Kansky, M. Lázaro-Gredilla, C. Laan, B. Marthi, X. Lou, Z. Meng, Y. Liu, H. Wang et al., "A generative vision model that trains with high data efficiency and breaks text-based CAPTCHAs," Science, vol. 358, no. 6368, p. eaag2612, 2017.
[26] G. Ye, Z. Tang, D. Fang, Z. Zhu, Y. Feng, P. Xu, X. Chen, and Z. Wang, "Yet another text CAPTCHA solver: A generative adversarial network based approach," in Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, 2018, pp. 332–348.
[27] Y. Lv, F. Cai, D. Lin, and D. Cao, "Chinese character CAPTCHA recognition based on convolution neural network," in 2016 IEEE Congress on Evolutionary Computation (CEC), 2016, pp. 4854–4859.
[28] J. Chen, X. Luo, Y. Liu, J. Wang, and Y. Ma, "Selective learning confusion class for text-based CAPTCHA recognition," IEEE Access, vol. 7, pp. 22246–22259, 2019.
[29] N. Papernot, P. McDaniel, and I. Goodfellow, "Transferability in machine learning: from phenomena to black-box attacks using adversarial samples," arXiv preprint arXiv:1605.07277, 2016.
[30] I. J. Goodfellow, J. Shlens, and C. Szegedy, "Explaining and harnessing adversarial examples," in 2015 International Conference on Learning Representations (ICLR), 2015.
[31] A. Kurakin, I. J. Goodfellow, and S. Bengio, "Adversarial examples in the physical world," in 2017 International Conference on Learning Representations Workshop, 2017.
[32] Y. Dong, F. Liao, T. Pang, H. Su, J. Zhu, X. Hu, and J. Li, "Boosting adversarial attacks with momentum," in 2018 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2018, pp. 9185–9193.
[33] S.-M. Moosavi-Dezfooli, A. Fawzi, and P. Frossard, "DeepFool: a simple and accurate method to fool deep neural networks," in 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2016, pp. 2574–2582.
[34] N. Carlini and D. Wagner, "Towards evaluating the robustness of neural networks," in 2017 IEEE Symposium on Security and Privacy (SP), 2017, pp. 39–57.
[35] A. Athalye, N. Carlini, and D. A. Wagner, "Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples," in 2018 International Conference on Machine Learning (ICML), 2018, pp. 274–283.
[36] J. Deng, W. Dong, R. Socher, L.-J. Li, K. Li, and L. Fei-Fei, "ImageNet: A large-scale hierarchical image database," in 2009 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2009, pp. 248–255.
[37] C. Xie, J. Wang, Z. Zhang, Y. Zhou, L. Xie, and A. Yuille, "Adversarial examples for semantic segmentation and object detection," in 2017 IEEE International Conference on Computer Vision (ICCV), 2017, pp. 1369–1378.
[38] M. Sharif, S. Bhagavatula, L. Bauer, and M. K. Reiter, "Accessorize to a crime: Real and stealthy attacks on state-of-the-art face recognition," in 2016 ACM SIGSAC Conference on Computer and Communications Security, 2016, pp. 1528–1540.
[39] N. Carlini and D. Wagner, "Audio adversarial examples: Targeted attacks on speech-to-text," in 2018 IEEE Security and Privacy Workshops (SPW), 2018, pp. 1–7.
[40] J. Li, S. Ji, T. Du, B. Li, and T. Wang, "TextBugger: Generating adversarial text against real-world applications," in 2019 Annual Network and Distributed System Security Symposium, 2019.
[41] X. Li, S. Ji, M. Han, J. Ji, Z. Ren, Y. Liu, and C. Wu, "Adversarial examples versus cloud-based detectors: A black-box empirical study," IEEE Transactions on Dependable and Secure Computing, 2019.
[42] X. Ling, S. Ji, J. Zou, J. Wang, C. Wu, B. Li, and T. Wang, "DeepSec: A uniform platform for security analysis of deep learning model," in 2019 IEEE Symposium on Security and Privacy (SP), 2019, pp. 673–690.
[43] M. Osadchy, J. Hernandez-Castro, S. Gibson, O. Dunkelman, and D. Pérez-Cabo, "No bot expects the DeepCAPTCHA! Introducing immutable adversarial examples, with applications to CAPTCHA generation," IEEE Transactions on Information Forensics and Security, vol. 12, no. 11, pp. 2640–2653, 2017.
[44] Y. Zhang, H. Gao, G. Pei, S. Kang, and X. Zhou, "Effect of adversarial examples on the robustness of CAPTCHA," in 2018 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), 2018, pp. 1–109.
[45] C. Shi, X. Xu, S. Ji, K. Bu, J. Chen, R. Beyah, and T. Wang, "Adversarial CAPTCHAs," arXiv preprint arXiv:1901.01107, 2019.
[46] C. Shi, S. Ji, Q. Liu, C. Liu, Y. Chen, Y. He, Z. Liu, R. Beyah, and T. Wang, "Text CAPTCHA is dead? A large scale deployment and empirical study," in Proceedings of the 2020 ACM Conference on Computer and Communications Security, 2020.
[47] B. Shi, X. Bai, and C. Yao, "An end-to-end trainable neural network for image-based sequence recognition and its application to scene text recognition," IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 39, no. 11, pp. 2298–2304, 2017.
[48] T. M. Breuel, A. Ul-Hasan, M. A. Al-Azawi, and F. Shafait, "High-performance OCR for printed English and Fraktur using LSTM networks," in 2013 12th International Conference on Document Analysis and Recognition, 2013, pp. 683–687.
[49] F. Liao, M. Liang, Y. Dong, T. Pang, X. Hu, and J. Zhu, "Defense against adversarial attacks using high-level representation guided denoiser," in 2018 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2018, pp. 1778–1787.
[50] C. Szegedy, W. Liu, Y. Jia, P. Sermanet, S. E. Reed, D. Anguelov, D. Erhan, V. Vanhoucke, and A. Rabinovich, "Going deeper with convolutions," in 2015 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2015, pp. 1–9.
[51] K. He, X. Zhang, S. Ren, and J. Sun, "Deep residual learning for image recognition," in 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2016, pp. 770–778.
[52] Y. Liu, X. Chen, C. Liu, and D. Song, "Delving into transferable adversarial examples and black-box attacks," in 2017 International Conference on Learning Representations (ICLR), 2017.
[53] A. Athalye, L. Engstrom, A. Ilyas, and K. Kwok, "Synthesizing robust adversarial examples," in 2018 International Conference on Machine Learning (ICML), 2018, pp. 284–293.
[54] M. D. Zeiler and R. Fergus, "Visualizing and understanding convolutional networks," in 2014 European Conference on Computer Vision (ECCV), 2014, pp. 818–833.
[55] R. R. Selvaraju, M. Cogswell, A. Das, R. Vedantam, D. Parikh, and D. Batra, "Grad-CAM: Visual explanations from deep networks via gradient-based localization," in 2017 IEEE International Conference on Computer Vision (ICCV), 2017, pp. 618–626.
[56] A. Madry, A. Makelov, L. Schmidt, D. Tsipras, and A. Vladu, "Towards deep learning models resistant to adversarial attacks," in 2018 International Conference on Learning Representations (ICLR), 2018.