ietf-asrg

[Asrg] A CAPTCHA that automatically detects and neutralizes attacks.

2005-05-31 08:05:49
I have developed a CAPTCHA that can instantly detect and neutralize an 
automated attack.  This is an offshoot of the 3-D CAPTCHA concept that I have 
previously described.  The 3-D CAPTCHA involved generating unique images by 
placing a random assortment of computer generated 3-D objects together to form 
a unique image.  A person would then demonstrate their humanity by identifying 
a number of specified attributes found within this uniquely generated image.
I have previously described this at my website with the anti-spam method that 
it was designed for:
http://home.nyc.rr.com/spamsolution/An%20Effective%20Solution%20for%20Spam.htm

The updated innovation involves this CAPTCHA's unique ability to detect 
automated attacks and instantly alter itself.
The first line of defense is to have as large a library of unique objects as 
possible.  We will imagine an active library of at least several hundred 
different objects.  As a new feature a secret reserve library of objects will 
also exist; I will explain its function below.

THE SPAMMER ATTACKS
Now let us imagine a spammer who has created a bot that can recognize an object 
(such as a chicken) from the active library.  
A 3-D CAPTCHA demands that a user identify 4 different attributes within a 
given challenge.  The spammer's program is able to frequently recognize a
"chicken" when it appears in a CAPTCHA.  The spammer's program cycles through a 
tremendous number of CAPTCHAs, correctly identifying the chicken each time it 
appears.  The spammer has reduced a 4 guess challenge to a 3 guess challenge.  
It is now feasible for a spammer to launch a brute force attack.

THE EMAIL SERVICE PROVIDER'S COMPUTER AUTOMATICALLY IDENTIFIES AND NEUTRALIZES 
THE ATTACK
On an average day there are only about five instances when a "chicken" is 
correctly identified while the other three attributes are incorrectly 
identified.  The email service provider's computer starts to see the following:

- Suddenly over one hour there are 1,000 instances when a chicken is correctly 
identified while the remaining three attributes are incorrectly identified.

- It is instantly obvious that a brute force attack is occurring and that the 
"chicken" has become compromised.  The "chicken" is automatically removed from 
the library and replaced by a "guitar" from the secret reserve library.  The 
brute force attack is completely neutralized without any human intervention.

- The effort that the spammer has put into characterizing the "chicken" has 
yielded only a couple of successfully solved CAPTCHAs.

- The spammer puts in a lot of effort to characterize 50 different objects used 
in the CAPTCHA but the above process repeats and those 50 objects disappear 
almost instantly only to be replaced by 50 objects from the secret reserve 
library.

- The spammer gives up completely.

I think we can now embrace the concept that we can create CAPTCHAs that are 
beyond any practical attack that a spammer can generate.

Michael G. Kaplan





_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
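
The detection rule described in the message above, sketched as an added example that is not part of the original post or any implementation by its author. The class and function names, the trip threshold of 100 per hour, and the sample traffic are assumptions made for illustration; the one-hour window, the one-right/rest-wrong signature and the chicken-to-guitar swap follow the message.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600  # one-hour window, as in the message
THRESHOLD = 100        # assumed trip point, far above the ~5/day baseline

class RotatingLibrary:
    def __init__(self, active, reserve):
        self.active = set(active)
        self.reserve = deque(reserve)   # secret reserve library
        self.hits = defaultdict(deque)  # object -> times of suspicious attempts
        self.retired = []

    def record_attempt(self, now, results):
        """results: {object: identified correctly?} for one failed challenge.
        Returns the objects retired as a consequence of this attempt."""
        correct = [o for o, ok in results.items() if ok]
        # Signature from the message: one attribute right, all others wrong.
        if len(correct) != 1 or correct[0] not in self.active:
            return []
        obj = correct[0]
        q = self.hits[obj]
        q.append(now)
        while q and q[0] <= now - WINDOW_SECONDS:  # drop events outside the window
            q.popleft()
        if len(q) < THRESHOLD:
            return []
        # Compromised: retire the object and promote one from the reserve.
        self.active.discard(obj)
        del self.hits[obj]
        self.retired.append(obj)
        if self.reserve:
            self.active.add(self.reserve.popleft())
        return [obj]

def demo():
    """Constructed traffic: a quiet day, then a one-hour burst."""
    lib = RotatingLibrary({"chicken", "car", "tree", "boat"}, ["guitar"])
    miss = {"chicken": True, "car": False, "tree": False, "boat": False}
    for i in range(5):                 # baseline: 5 such failures across a day
        lib.record_attempt(i * 17000, miss)
    baseline_untouched = "chicken" in lib.active
    for i in range(1000):              # burst: 1,000 such failures in one hour
        lib.record_attempt(100_000 + i * 3.6, miss)
    return baseline_untouched, lib

if __name__ == "__main__":
    untouched, lib = demo()
    print(untouched, sorted(lib.active), lib.retired)
```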


