UAB - The University of Alabama at Birmingham

DCG: Investigation of Dynamic Cognitive Game CAPTCHAs

Existing captcha solutions on the Internet are a major source of user frustration. Game captchas are an interesting and, to date, little studied approach claiming to make captcha solving a fun activity for the users. One broad form of such captchas – called Dynamic Cognitive Game (DCG) captchas – challenge the user to perform a game-like cognitive task interacting with a series of dynamic images. We pursue a comprehensive analysis of a representative category of DCG captchas. We formalize, design and implement such captchas, and dissect them across: (1) fully automated attacks, (2) human-solver relay attacks, and (3) usability. Our results suggest that the studied DCG captchas exhibit high usability and, unlike other known captchas, offer some resistance to relay attacks, but they are also vulnerable to our novel dictionary-based automated attack.

Dynamic Cognitive Game (DCG) CAPTCHAs are a promising new generation of interactive CAPTCHAs aiming to provide improved security against automated and human-solver relay attacks. Unlike existing CAPTCHAs, defeating DCG CAPTCHAs using pure automated attacks or pure relay attacks may be challenging in practice due to the fundamental limitations of computer algorithms (semantic gap) and synchronization issues with solvers. To overcome this barrier, we propose two hybrid attack frameworks, which carefully combine the strengths of an automated program and offline/online human intelligence. These hybrid attacks require maintaining the synchronization only between the game and the bot similar to a pure automated attack, while solving the static AI problem (i.e., bridging the semantic gap) behind the game challenge similar to a pure relay attack. As a crucial component of our framework, we design a new DCG object tracking algorithm, based on color code histogram, and show that it is simpler, more efficient and more robust compared to several known tracking approaches. We demonstrate that both frameworks can effectively defeat a wide range of DCG CAPTCHAs.

Static snapshots of 4 game instances of a representative DCG captcha analysed in the study (targets are static;  objects are mobile)

Static snapshots of 4 game instances of a representative DCG captcha analysed in the study (targets are static; objects are mobile)

People

Faculty

Student

  • Manar Mohamed (@UAB; PhD 2016; now Visiting Assistant Professor at Miami University)
  • Song Gao (@UAB; PhD 2014; now Software Engineer at Google)
  • Michael Georgescu (@UAB; BS 2014)

External Collaborators:

  • Paul C. van Oorschot (@Carleton University; Professor)
  • Wei-Bang Chen (@Virginia State University; Assistant Professor)
  • Ponnurangam Kumaraguru (@Indraprastha Institute of Information Technology, India; Assistant Professor)
  • Niharika Sachdeva (@Indraprastha Institute of Information Technology, India; PhD student)

Publication