research-article

Boosting the transferability of adversarial CAPTCHAs

Authors:

Qiao YanAuthors Info & Claims

Volume 145, Issue C

https://doi.org/10.1016/j.cose.2024.104000

Published: 01 October 2024 Publication History

Abstract

Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) is a test to distinguish humans and computers. Since attackers can achieve high accuracy in recognizing the CAPTCHAs using deep learning models, geometric transformations are added to the CAPTCHAs to disturb deep learning model recognition. However, excessive geometric transformations might also affect humans’ recognition of the CAPTCHA. Adversarial CAPTCHAs are special CAPTCHAs that can disrupt deep learning models without affecting humans. Previous works of adversarial CAPTCHAs mainly focus on defending the filtering attack. In real-world scenarios, the attackers’ models are inaccessible when generating adversarial CAPTCHAs, and the attackers may use models with different architectures, thus it is crucial to improve the transferability of the adversarial CAPTCHAs. We propose CFA, a method to generate more transferable adversarial CAPTCHAs focusing on altering content features in the original CAPTCHA. We use the attack success rate as our metric to evaluate the effectiveness of our method when attacking various models. A higher attack success rate means a higher level of preventing models from recognizing the CAPTCHAs. The experiment shows that our method can effectively attack various models, even when facing possible defense methods that the attacker might use. Our method outperforms other feature space attacks and provides a more secure version of adversarial CAPTCHAs.

Highlights

•

We emphasize the importance of improving the transferability of adversarial CAPTCHAs, as it has not been discussed before.

•

We propose CFA, a method for generating more transferable adversarial CAPTCHAs by altering the robust content features in the original CAPTCHA.

•

We propose weighted gradient aggregation based on the confidence in the selection process in CFA, which can further enhance the performance of the adversarial CAPTCHAs.

References

[1]

Alsuhibany S.A., A survey on adversarial perturbations and attacks on CAPTCHAs, Appl. Sci. 13 (7) (2023) 4602,. URL https://www.mdpi.com/2076-3417/13/7/4602.

[2]

Carlini N., Wagner D., Towards evaluating the robustness of neural networks, 2017, arXiv:1608.04644 [cs]. arXiv:1608.04644, URL http://arxiv.org/abs/1608.04644.

[3]

Dong Y., Pang T., Su H., Zhu J., Evading defenses to transferable adversarial examples by translation-invariant attacks, in: 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR, IEEE, Long Beach, CA, USA, 2019, pp. 4307–4316,. URL https://ieeexplore.ieee.org/document/8953425.

[4]

Ganeshan A., B.S. V., Radhakrishnan V.B., FDA: Feature disruptive attack, in: 2019 IEEE/CVF International Conference on Computer Vision, ICCV, IEEE, Seoul, Korea (South), 2019, pp. 8068–8078,. URL https://ieeexplore.ieee.org/document/9008248.

[5]

Goodfellow I.J., Bulatov Y., Ibarz J., Arnoud S., Shet V., Multi-digit number recognition from street view imagery using deep convolutional neural networks, 2014, arXiv:1312.6082 [cs], URL http://arxiv.org/abs/1312.6082.

[6]

Goodfellow I.J., Shlens J., Szegedy C., Explaining and harnessing adversarial examples, 2015, arXiv:1412.6572 [cs, stat], arXiv:1412.6572, URL http://arxiv.org/abs/1412.6572.

[7]

He X., Li Y., Qu H., Dong J., Improving transferable adversarial attack via feature-momentum, Comput. Secur. 128 (2023),. URL https://linkinghub.elsevier.com/retrieve/pii/S0167404823000457.

Digital Library

[8]

He K., Zhang X., Ren S., Sun J., Deep residual learning for image recognition, in: 2016 IEEE Conference on Computer Vision and Pattern Recognition, CVPR, IEEE, Las Vegas, NV, USA, 2016, pp. 770–778,. URL http://ieeexplore.ieee.org/document/7780459.

[9]

Huang X., Belongie S., Arbitrary style transfer in real-time with adaptive instance normalization, in: 2017 IEEE International Conference on Computer Vision, ICCV, IEEE, Venice, 2017, pp. 1510–1519,. URL http://ieeexplore.ieee.org/document/8237429.

[10]

Huang G., Liu Z., van der Maaten L., Weinberger K.Q., Densely connected convolutional networks, 2018, arXiv:1608.06993 [cs], URL http://arxiv.org/abs/1608.06993.

[11]

Ilyas A., Santurkar S., Tsipras D., Engstrom L., Tran B., Madry A., Adversarial examples are not bugs, they are features, 2019, arXiv:1905.02175 [cs, stat], arXiv:1905.02175, URL http://arxiv.org/abs/1905.02175.

[12]

Jirasuwankul N., Effect of text orientation to OCR error and anti-skew of text using projective transform technique, in: 2011 IEEE/ASME International Conference on Advanced Intelligent Mechatronics, AIM, IEEE, Budapest, Hungary, 2011, pp. 856–861,. URL http://ieeexplore.ieee.org/document/6027057.

[13]

Krizhevsky A., Learning multiple layers of features from tiny images, 2009.

[14]

Kurakin A., Goodfellow I., Bengio S., Adversarial examples in the physical world, 2017, arXiv:1607.02533 [cs, stat], arXiv:1607.02533, URL http://arxiv.org/abs/1607.02533.

[15]

Liang K., Xiao B., StyLess: Boosting the transferability of adversarial examples, in: 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR, IEEE, Vancouver, BC, Canada, 2023, pp. 8163–8172,. URL https://ieeexplore.ieee.org/document/10205443.

[16]

Madry A., Makelov A., Schmidt L., Tsipras D., Vladu A., Towards deep learning models resistant to adversarial attacks, 2019, arXiv:1706.06083 [cs, stat], arXiv:1706.06083, URL http://arxiv.org/abs/1706.06083.

[17]

Matsuura Y., Kato H., Sasase I., Adversarial text-based CAPTCHA generation method utilizing spatial smoothing, in: 2021 IEEE Global Communications Conference, GLOBECOM, 2021, pp. 1–6,.

Digital Library

[18]

Osadchy M., Hernandez-Castro J., Gibson S., Dunkelman O., Perez-Cabo D., No bot expects the DeepCAPTCHA! introducing immutable adversarial examples, with applications to CAPTCHA generation, IEEE Trans. Inform. Forens. Secur. 12 (11) (2017) 2640–2653,. URL https://ieeexplore.ieee.org/document/7954632.

Digital Library

[19]

Papernot N., McDaniel P., Jha S., Fredrikson M., Celik Z.B., Swami A., The limitations of deep learning in adversarial settings, in: 2016 IEEE European Symposium on Security and Privacy, EuroS & P, IEEE, Saarbrucken, 2016, pp. 372–387,. URL http://ieeexplore.ieee.org/document/7467366.

[20]

Sandler M., Howard A., Zhu M., Zhmoginov A., Chen L.-C., MobileNetV2: Inverted residuals and linear bottlenecks, 2019, arXiv:1801.04381 [cs], URL http://arxiv.org/abs/1801.04381.

[21]

Selvaraju R.R., Das A., Vedantam R., Cogswell M., Parikh D., Batra D., Grad-CAM: Why did you say that?, 2017, arXiv:1611.07450 [cs, stat], URL http://arxiv.org/abs/1611.07450.

[22]

Shi C., Ji S., Liu Q., Liu C., Chen Y., He Y., Liu Z., Beyah R., Wang T., Text captcha is dead? A large scale deployment and empirical study, in: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, ACM, Virtual Event USA, 2020, pp. 1391–1406,. URL https://dl.acm.org/doi/10.1145/3372297.3417258.

Digital Library

[23]

Shi C., Xu X., Ji S., Bu K., Chen J., Beyah R., Wang T., Adversarial CAPTCHAs, IEEE Trans. Cybern. (2021) 1–14,. URL https://ieeexplore.ieee.org/document/9440853.

[24]

Simonyan K., Zisserman A., Very deep convolutional networks for large-scale image recognition, 2015, arXiv:1409.1556 [cs], URL http://arxiv.org/abs/1409.1556.

[25]

Szegedy C., Liu Wei, Jia Yangqing, Sermanet P., Reed S., Anguelov D., Erhan D., Vanhoucke V., Rabinovich A., Going deeper with convolutions, in: 2015 IEEE Conference on Computer Vision and Pattern Recognition, CVPR, IEEE, Boston, MA, USA, 2015, pp. 1–9,. URL http://ieeexplore.ieee.org/document/7298594.

[26]

Szegedy C., Vanhoucke V., Ioffe S., Shlens J., Wojna Z., Rethinking the inception architecture for computer vision, in: 2016 IEEE Conference on Computer Vision and Pattern Recognition, CVPR, IEEE, Las Vegas, NV, USA, 2016, pp. 2818–2826,. URL http://ieeexplore.ieee.org/document/7780677.

[27]

Szegedy C., Zaremba W., Sutskever I., Bruna J., Erhan D., Goodfellow I., Fergus R., Intriguing properties of neural networks, 2014, arXiv:1312.6199 [cs], arXiv:1312.6199, URL http://arxiv.org/abs/1312.6199.

[28]

Tan W.R., Chan C.S., Aguirre H.E., Tanaka K., Improved ArtGAN for conditional synthesis of natural image and artwork, IEEE Trans. Image Process. 28 (1) (2019) 394–409,. conference Name: IEEE Transactions on Image Processing.

Digital Library

[29]

Terada T., Nguyen V.N.K., Nishigaki M., Ohki T., Improving robustness and visibility of adversarial CAPTCHA using low-frequency perturbation, in: Barolli L., Hussain F., Enokido T. (Eds.), Advanced Information Networking and Applications, in: Lecture Notes in Networks and Systems, Springer International Publishing, Cham, 2022, pp. 586–597,.

[30]

von Ahn L., Blum M., Hopper N.J., Langford J., CAPTCHA: Using hard AI problems for security, in: Biham E. (Ed.), Advances in Cryptology — EUROCRYPT 2003, Springer Berlin Heidelberg, Berlin, Heidelberg, 2003, pp. 294–311.

[31]

Wang Z., Guo H., Zhang Z., Liu W., Qin Z., Ren K., Feature importance-aware transferable adversarial attacks, in: 2021 IEEE/CVF International Conference on Computer Vision, ICCV, IEEE, Montreal, QC, Canada, 2021, pp. 7619–7628,. URL https://ieeexplore.ieee.org/document/9711337.

[32]

Yang, H., 2014. captcha: A captcha library that generates audio and image CAPTCHAs URL https://github.com/lepture/captcha.

Index Terms

Boosting the transferability of adversarial CAPTCHAs
1. Computing methodologies
  1. Machine learning
    1. Machine learning approaches
      1. Neural networks
2. Security and privacy
  1. Human and societal aspects of security and privacy
    1. Social aspects of security and privacy
    2. Usability in security and privacy
  2. Security services
    1. Authentication
      1. Biometrics

Index terms have been assigned to the content through auto-classification.

Recommendations

CAPTCHAs Are Still in Danger: An Efficient Scheme to Bypass Adversarial CAPTCHAs
Information Security Applications
Abstract
Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) is a challenge that is used to distinguish between humans and robots. However, attackers bypass the CAPTCHA schemes using deep learning (DL) based solvers. To ...
DeT: Defending Against Adversarial Examples via Decreasing Transferability
Cyberspace Safety and Security
Abstract
Deep neural networks (DNNs) have made great progress in recent years. Unfortunately, DNNs are found to be vulnerable to adversarial examples that are injected with elaborately crafted perturbations. In this paper, we propose a defense method named ...
Improving the transferability of adversarial attacks via self-ensemble
Abstract
Deep neural networks have been used extensively for diverse visual tasks, including object detection, face recognition, and image classification. However, they face several security threats, such as adversarial attacks. To improve the resistance ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image Computers and Security

Computers and Security Volume 145, Issue C

Oct 2024

444 pages

Issue’s Table of Contents

Elsevier Ltd.

Publisher

Elsevier Advanced Technology Publications

United Kingdom

Publication History

Published: 01 October 2024

Author Tags

Qualifiers

Research-article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

0
Total Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 22 Feb 2025

Other Metrics

View Author Metrics

Citations

View Options

View options

Figures

Tables

Media

View Issue’s Table of Contents