JP7227444B2 - Access authentication method using random dot pattern CAPTCHA - Google Patents

Description

The present invention relates to CAPTCHA technology for preventing fraudulent actions using automatic programs for Web services.

In recent years, automatic programs called bots have been used to acquire a large number of email addresses from web services and send spam emails to them, or to acquire accounts and passwords to access web services and access them by impersonating users. Fraudulent activities by spambots, etc. have been viewed as a problem.

In order to prevent such a problem, a method called CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) has been developed to distinguish humans from automated programs. CAPTCHA is a kind of challenge/response type test, and is a technology that presents a user with a question that is easy for a human to answer but difficult for an automatic program to answer, and identifies the user as a human if the user answers correctly.

Character string CAPTCHAs and image CAPTCHAs (see FIG. 5) are often used at many Web service providing sites as a means of preventing malware attacks. Various schemes have been proposed for the character string CAPTCHA, such as Gimpy [7], EZ-Gimpy [7], r-Gimpy [8], and reCAPTCHA [9]. Gimpy is a character string CAPTCHA that, for example, displays 5 sets of different words as one set in an image, and prompts you to answer 3 of the displayed words. EZ-Gimpy and r-Gimpy are simplifications of Gimpy, displaying a distorted image of a single word or a character string in which alphabets and numbers are arranged randomly, and prompting the user to enter the answer in a text box. It is the string CAPTCHA. reCAPTCHA introduces character images that could not be read by OCR software when converting newspaper articles and books into electronic books as part of the authentication procedure, and allows humans (users) to decode them to improve both electronic book conversion and security. This is the character string CAPTCHA to be used. Advantages of the character string CAPTCHA include ease of incorporation into websites and high resistance to brute force attacks by bots.

However, due to recent improvements in OCR (optical character recognition) technology and machine learning (AI) technology, conventional character string CAPTCHAs can easily be broken through, so there is a demand for more advanced CAPTCHAs. Therefore, Non-Patent Document 1 proposes a method of using meaning generated each time from meaningless information. More specifically, it is a technique in which a background of random dots is used as meaningless information, and a correct pattern composed of random dots is moved on the background for each frame. In this method, as shown in FIG. 6, after the user views a question video in which a correct pattern composed of random dots moves from 1 to 2 on a background of random dots, the user inputs the coordinates that are considered to be the correct pattern. Correctness judgment is performed by performing an operation, and if correct coordinates are input, it is regarded as a human being.

According to the "law of common destiny" in Gestalt psychology, it is known that the human brain has the ability to recognize multiple things that occur at the same time and change in the same way as a single entity. It is That is, a human being can recognize the random dots moving from 1 to 2 in FIG. and bots.

Nguyen Suangia, 5 others, "SNOW NOISE CAPTCHA: Proposal of Video CAPTCHA Using Meaningless Information", Research Report Computer Security, 2014-CSEC-64, No. 29, February 2014

However, the CAPTCHA described in Non-Patent Document 1 is fragile in that it can extract multiple still image frames from a moving image by an automatic program and analyze the position and shape of the correct pattern using the difference between those still image frames. had a nature. In addition, since the area of the correct answer pattern exists in the same window as the question video, there is concern about accidental breakthrough by a brute force attack using a bot.

The present invention has been devised in view of the above problems, and is a random dot pattern CAPTCHA that utilizes the ability of humans to recognize moving objects, which is difficult to analyze by an automatic program and can prevent accidental breakthrough by brute force attack. intended to provide

For this reason, the CAPTCHA of the present invention includes a base layer displaying a random dot pattern, a layer displaying a random character string, and an arbitrary number of 0 or more displaying a random dot pattern different from the base layer. The first feature is that foreground layers are superimposed and moving images in which each layer moves in a different direction are displayed as frame images.

A second feature is that the arbitrary number of foreground layers equal to or greater than 0 display random dot patterns different from each other.

The access authentication method using the random dot pattern CAPTCHA of the present invention is a method for determining whether or not a user is human via a network. a step of generating an arbitrary number of 0 or more foreground layers on which dot patterns are displayed; a step of generating a layer consisting of character strings; the base layer, the layer consisting of the character strings, and the arbitrary number 0 or more; foreground layers are superimposed, each layer moves in a different direction, and a moving image is displayed as a frame image, and the character string of the frame image is answered.

The present invention has the following excellent effects.
(1) The present invention can be widely applied to the field of user authentication technology used for web services.
(2) The user's operation burden is small, and mechanical authentication requests from mechanical login programs such as bots can be rejected.
(3) Since human beings have the ability to recognize moving objects, humans can be reliably distinguished from bots, and the safety and reliability of web services provided can be improved.

It is a figure which shows the concept of the random dot pattern CAPTCHA in this invention. It is a figure which shows the layer structure of random dot pattern CAPTCHA in this invention, and the movement of the random dot in each layer. 4 is a flow chart showing a procedure for authenticating a random dot pattern CAPTCHA in the present invention; FIG. 10 is a diagram showing verification of resistance to optical flow of the random dot pattern CAPTCHA in the present invention; It is a figure which shows the conventional character string CAPTCHA and image CAPTCHA. 1 is a diagram showing a conventional SNOW NOISE CAPTCHA; FIG. 1 is an explanatory diagram showing an example in which an authentication system according to an embodiment of the present invention is installed in a networking system; FIG.

Hereinafter, embodiments of the random dot pattern CAPTCHA in the present invention will be described with reference to the drawings. The random dot pattern CAPTCHA in the present invention is designed based on the character string CAPTCHA based on the approach of using the meaning generated each time from meaningless information, and the character string that appears on the random dots is Whether the user is a human or a bot is judged based on whether or not the user can read it.

FIG. 1 is a diagram showing the concept of a random dot pattern CAPTCHA in the present invention, showing one frame of CAPTCHA. Here, the start position in FIG. 1 means the position where the CAPTCHA is started and the character starts to be displayed, and the current position means the position of the character string displayed when the frame is extracted. The white wavy line in FIG. 1 represents the trajectory along which the displayed character string moves. As shown in FIG. 1, by simply moving a white character string on a random dot pattern background, the character string can be easily read by extracting several frames and using the differences between them. , unable to prevent fraud.

Therefore, in the present invention, the foreground of the transparent random dot pattern is superimposed on the background serving as the basic layer and the layer in which the character string is displayed. was obfuscated. Although JavaScript (registered trademark) is used as the CAPTCHA development language, it is not particularly limited, and many programming languages such as C, C++, C#, Objective C, Java (registered trademark), Perl, PHP, Any one such as Visual Basic®, Python®, Ruby, Delphi®, Flash®, or other programming language may be utilized.

The random dot pattern is obtained by filling pixels with black or white dots with a probability of 1/2. , G, B)=(0, 0, 0). CAPTCHA adopts a method of drawing as a canvas element of HTML5, and as shown in FIG. Arbitrary n pieces of the foreground layer 13 of the transparent random dot pattern are overlaid and drawn. As shown in FIG. 2B, for example, when two foreground layers 13 are superimposed, the transparency of the foreground layers 13a and 13b is set to 0.4, and the random dot patterns of the layers move in different directions. configured to As long as the character string layer 12 can be appropriately recognized, the foreground layer 13 does not necessarily have to be provided, and multiple foreground layers 13 with high transparency (or with an initial value of 0) may be superimposed. Therefore, the number of foreground layers 13 is not limited, and the number of foreground layers 13 may be any number of 0 or more.

Next, an authentication procedure using the random dot pattern CAPTCHA in the present invention will be explained. In the authentication procedure, as shown in FIG. 3, when the CAPTCHA program starts operating (S1), a random dot pattern for the background, a random dot pattern for the character string to be displayed, and two types of random dot patterns for interference are generated. Each character is generated (S2), and a character string is created by combining arbitrary characters (S3). The generated random dots and character strings are developed on the respective layers 11, 12, 13a, and 13b shown in FIG. S4). The user inputs the displayed character string into a text box specified in advance (S5), clicks the button for sending the answer, and after answering, the character string entered by the user and the displayed character string are combined. It is determined whether or not they match completely (S6), and the process ends (S7).

A random dot pattern is used to generate a character string and a background, and only the basic layer 11 and the character string layer 12 shown in FIG. The patterned character string is mixed with the background of the random dot pattern and cannot be recognized, making it impossible to extract the correct character string only from the frame image. However, in this case, there is a method of extracting two frames and using the difference between them to find a character string on layer 12, or a method called optical flow, in which the movement of an object in pixel units is represented by a vector, and the displayed character By using a method that extracts the shape of characters by tracking the movement of a row and applying OCR to the shape of the character strings extracted by these methods, it becomes possible to decipher the characters by an automatic program, and a brute force by a bot is possible. It is difficult to say that it has high resistance to attacks.

Therefore, in the present invention, a foreground layer is generated with a random dot pattern that is different from the background and the displayed character string, and displayed over the background and the displayed character string so that the foreground layer functions as an obstructing object. Therefore, it is configured so that it cannot be deciphered by the attack method described above. To confirm the functionality of the foreground layer, we verified whether the characters can be decoded by optical flow before and after adding the foreground layer for obstruction. FIG. 4(A) shows the result of applying optical flow before adding the foreground layer, and FIG. 4(B) shows the result of applying optical flow after adding the foreground layer. At the positions enclosed by the ellipses shown in FIG. 4A, there is a possibility that the positions of the characters can be identified and the characters can be read. On the other hand, in FIG. 4B, it became impossible to even specify the position of the character. Therefore, it was shown that the random dot pattern CAPTCHA in the present invention has high resistance to attacks using optical flow.

<Evaluation experiment>
Practicality such as whether the random dot pattern CAPTCHA in the present invention can be answered by the user was verified. Briefly, 20 subjects were asked to answer CAPTCHA 10 times, and after measuring the correct answer rate and the required time, a questionnaire survey was conducted and evaluated using SUS (System Usability Scale).

The test subjects were 20 students, and a general operating procedure was explained. As for the operation procedure, we instructed them to decipher the character strings displayed in the question video, enter them in the specified text boxes, and then click the answer transmission button. As the question animation for the test subject to answer, a random dot pattern and a character string were automatically generated for each question animation. As for the required time, the time from when the question video was displayed to when the answer transmission button was clicked was recorded. The following 10 items were included in the questionnaire survey.
(1) I want to use this CAPTCHA often.
(2) I felt that using this CAPTCHA was so complicated that I needed an explanation.
(3) I thought that this CAPTCHA could be used easily.
(4) I feel that I need professional support to use this CAPTCHA.
(5) I felt that the content and navigation in this CAPTCHA had a sense of unity.
(6) I felt that there were many inconsistencies in this CAPTCHA.
(7) I think most people will immediately understand how to use this CAPTCHA.
(8) I felt that this CAPTCHA was very difficult to operate.
(9) I am confident that I can use this CAPTCHA.
(10) I think there are many things you should know before you start using this CAPTCHA.
The odd-numbered items of the questionnaire survey were questions with positive content, and the even-numbered items were questions with negative content.

The SUS was counted and scored by the following method.
<Aggregation method>
For the 10 questionnaire items, processing is performed to subtract 1 from the score of odd numbered items and subtract 5 from the score of even numbered items. When the score of each item is N1 to N10, the total score S is expressed by the following formula.

ＳＵＳは、平均スコアが６８とされており、スコアが高いほどシステムとして良好な評価とされる。ユーザビリティに優れた上位１０％に入るには、８０．３を超えるスコアが必要とされている。

SUS has an average score of 68, and the higher the score, the better the system. A score above 80.3 is required to be in the top 10% for usability.

The execution environment for verification is as follows.
OS: Windows (registered trademark) 10 (64bit)
CPU: Intel (R) Core (TM) i7-4770S CPU @ 3.10 GHz
Memory: 8GB
Resolution: 1,920 x 1,200

被験者２０名、計２００回の解答において、５回が不正解と判定されたものの、平均正答率は９７．５％と高い正答率を得ている。その主な理由は、表示された文字をそれと似た文字（例えば、「ｉ」と「ｌ」など）と読み間違えて回答を送信したためであった。尚、正答率や所要時間は、表示された文字列の文字数、動き方やスピード、ランダムドットパターンのサイズなどパラメータに依存するものと考えられる。
＜ユーザビリティ評価＞
表１に示すように、アンケート調査の平均ＳＵＳスコアは８９で、上述した優れたユーザビリティを示すスコア８０．３を超える結果となった。したがって、本発明によるＣＡＰＴＣＨＡは、実用的であると言える。 <Experimental results>
Twenty subjects answered the CAPTCHAs of the present invention ten times each, and the average correct answer rate, average required time, maximum required time, and minimum required time obtained from a total of 200 data, as well as the average score of usability evaluation by SUS are shown in Table 1.

Among 20 subjects, 200 answers in total, 5 were judged to be incorrect, but the average correct answer rate was as high as 97.5%. The main reason was that the displayed letters were misread as similar letters (eg, 'i' and 'l') and the responses were sent. The percentage of correct answers and the required time are considered to depend on parameters such as the number of characters in the displayed character string, the manner and speed of movement, and the size of the random dot pattern.
<Usability Evaluation>
As shown in Table 1, the average SUS score of the questionnaire survey was 89, which exceeded the above score of 80.3 indicating excellent usability. Therefore, it can be said that the CAPTCHA according to the present invention is practical.

<Example>
FIG. 7 shows an example of installing CAPTCHA according to the present invention in a networked system. As shown in FIG. 7, it comprises at least one server 21, a network 22, and at least one input terminal 23. FIG. Server 21 provides the authentication services described above and may be, without limitation, any computing device and/or components thereof. Since the hardware configuration of the computing device of the server 21 is known, its detailed description is omitted. As shown in FIG. 7, the server 21 includes a display control unit 211 that generates a random character string or random dot pattern background and displays it to the user, an input reception unit 212 that can receive an answer input by the user, A determination unit 213 is provided for determining whether or not the character string input by the user and the displayed character string completely match.

The network 22 connects the server 21 and the input terminal 23 so as to be able to communicate with each other by a wired or wireless method. Examples thereof include the Internet, an intranet, a wide area network, and a personal network.

The input terminal 23 is a computing device owned by the user, and includes, but is not limited to, personal computers, mobile phones, PDAs, feature phones, smart phones, tablet computers, and other intelligent devices. .

In the present invention, the random dot pattern is created by filling the pixels with black or white dots with a probability of 1/2. A random dot pattern may be formed, and the color of the random dot pattern is not limited.

11 basic layer 12 character string layer 13 foreground layer 21 server 22 network 23 input terminal 211 display control unit 212 input reception unit 213 judgment unit

Claims (1)

A method for determining whether a user is human over a network, comprising generating a base layer displaying a random dot pattern and at least one foreground layer displaying a random dot pattern different from the base layer. and generating a layer in which a random character string is displayed ;
a step of superimposing the base layer, the layer on which the character string is displayed , and the foreground layer, and displaying a moving image in which each layer moves in a different direction of the random dot pattern displayed on each layer as a frame image; ,
An access authentication method using a random dot pattern CAPTCHA, characterized in that a character string of the frame image is given as an answer.

Images