An End-to-End Attack on Text CAPTCHAs

Yang, Zi; Gao, Haichang; Cheng, Zhouhang; Liu, Yi

doi:10.1109/tifs.2019.2928622

Cited by 50 publications

(42 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The success rates in [24] are similar to ours. Their approach also did not require pre-processing or segmentation and applied attention mechanism to tackle with variable-length strings.…”

Section: A Comparison With Prior Worksupporting

confidence: 88%

“…For more than half of the schemes, the attack achieved a success rate of over 90%. On reCAPTCHA, which has historically proven to be a difficult scheme [24], the finetuned model also achieved good results-51.9%. The lowest accuracy was achieved on the Dajie scheme of 36.3% (a Chinese scheme): this scheme is the most difficult because it has many security features and over 3,000 classes.…”

Section: ) Success Ratementioning

confidence: 88%

“…To obtain an efficient model, they used 2,400 manually labeled samples from each scheme for training. Most recently in 2019, Zi et al [24] proposed an end-to-end attack to solve text CAPTCHAs with a deep learning network; but they trained the recognition models with 10,000 manually labeled CAPTCHAs for each scheme. In particular, to obtain higher accuracy in Google reCAPTCHA, they even used 200,000 manually labeled samples for training the model, which took a lot of time and labor costs.…”

Section: Background a Prior Attacksmentioning

confidence: 99%

“…For each targeted scheme, we observed the security features and tried our best to generate CAPTCHAs that were visually similar to the real CAPTCHAs. Our generation process is the same as in [24]. Fig.…”

Section: B Attack With Simulated Data 1) Simulating Real Captchasmentioning

confidence: 99%

“…In contrast, our approach uses only irrelevant TABLE 5. Comparison between our approach and five prior works [3], [9], [17], [18], [24]. RI = Results by imitated data; RR = Results by randomly generated data.…”

Section: A Comparison With Prior Workmentioning

confidence: 99%

See 4 more Smart Citations

Simple and Easy: Transfer Learning-Based Attacks to Text CAPTCHA

et al. 2020

Self Cite

View full text Add to dashboard Cite

CAPTCHA, or Completely Automated Public Turing Tests to Tell Computers and Humans Apart, is a common mechanism used to protect commercial accounts from malicious computer bots, and the most widely used scheme is text-based CAPTCHA. In recent years, newly emerged deep learning techniques have achieved high accuracy and speed in attacking text-based CAPTCHAs. However, most of the existing attacks have various disadvantages, the attack process made high complexity or manually collecting and labeling a large number of samples to train a deep learning recognition model is time-consuming and expensive. In this paper, we propose a transfer learning-based approach that greatly reduces the attack complexity and the cost of labeling samples, specifically, by pre-training the model with randomly generated samples and fine-tuning the pre-trained model with a small number of real-world samples. To evaluate our attack, we tested 25 online CAPTCHAs achieving success rates ranging from 36.3% to 96.9%. To further explore the effect of the training sample characteristics on the attack accuracy, we elaborately imitate some samples and apply a generative adversarial network to refine the samples, sequentially we use these two kinds of generated samples to pre-train the models, respectively. The experimental results demonstrate that the similarity between randomly generated samples and elaborately imitated samples has a negligible impact on the attack accuracy. Instead, transfer learning is the key factor; it reduces the cost of data preparation while preserving the model's attack accuracy. INDEX TERMS CAPTCHA, security, deep learning, transfer learning. I. INTRODUCTION

show abstract

“…The success rates in [24] are similar to ours. Their approach also did not require pre-processing or segmentation and applied attention mechanism to tackle with variable-length strings.…”

Section: A Comparison With Prior Worksupporting

confidence: 88%

Section: ) Success Ratementioning

confidence: 88%

Section: Background a Prior Attacksmentioning

confidence: 99%

Section: B Attack With Simulated Data 1) Simulating Real Captchasmentioning

confidence: 99%