Presentation is loading. Please wait.

Presentation is loading. Please wait.

Pattern Recognition Research Lab D. Lopresti & H. S. Baird Henry S. Baird CSE Dept, Lehigh Univ. (Joint work with : Richard Fateman, Allison Coates, Kris.

Similar presentations


Presentation on theme: "Pattern Recognition Research Lab D. Lopresti & H. S. Baird Henry S. Baird CSE Dept, Lehigh Univ. (Joint work with : Richard Fateman, Allison Coates, Kris."— Presentation transcript:

1 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Henry S. Baird CSE Dept, Lehigh Univ. (Joint work with : Richard Fateman, Allison Coates, Kris Popat, Monica Chew, Tom Breuel, Mark Luk, Terry Riopka, Michael Moll, Dan Lopresti, Sui-Yu Wang, Jon Bentley, and Colin Mallows ) Protecting eCommerce from Robots Impersonating Human Users

2 Pattern Recognition Research Lab D. Lopresti & H. S. Baird A Pitfall of the World Wide Web © Peter Steiner, The New Yorker, July 5, 1993, p. 61 (Vol.69, No. 20)

3 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Straws in the wind…  Mid 90’s: spammers trolling for addresses in defense, people start disguising them, e.g. “ baird AT cse DOT lehigh DOT edu ”  1997: abuse of ‘Add-URL’ feature at AltaVista some write programs to add their URL many times to skew search rankings in their favor  Andrei Broder et al (then at DEC SRC) a user action which is legitimate when performed once becomes abusive when repeated many times no effective legal recourse how to block or slow down these programs …

4 Pattern Recognition Research Lab D. Lopresti & H. S. Baird The first known instance… Altavista’s AddURL filter  1999: “ransom note filter” randomly pick letters, fonts, rotations – render as an image every user is required to read and type it in correctly reduced “spam add_URL” by “over 95%”  Weaknesses: isolated chars, filterable noise, affine deformations M. D. Lillibridge, M. Abadi, K. Bharat, & A. Z. Broder, “Method for Selectively Restricting Access to Computer Systems,” U.S. Patent No. 6,195,698, Filed April 13, 1998, Issued February 27, An image of text, not ASCII

5 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Alan Turing ( ) 1936 a universal model of computation 1940s helped break Enigma (U-boat) cipher 1949 first serious uses of a working computer including plans to read printed text (he expected it would be easy) 1950 proposed a test for machine intelligence

6 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Turing’s Test for AI How to judge that a machine can ‘think’: play an ‘imitation game’ conducted via teletypes a human judge & two invisible interlocutors: a human a machine `pretending’ to be human after asking any questions (challenges) he/she wishes, the judge decides which is human failure to decide correctly would be convincing evidence of machine intelligence Modern GUIs invite richer challenges than teletypes…. A. Turing, “Computing Machinery & Intelligence,” Mind, Vol. 59(236), 1950.

7 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Completely Automated Public Turing Tests to Tell Computers & Humans Apart  challenges can be generated & graded automatically (i.e. the judge is a machine)  accepts virtually all humans, quickly & easily  rejects virtually all machines  resists automatic attack for many years (even assuming that its algorithms are known?) NOTE: machines administer, but cannot pass the test! L. von Ahn, M. Blum, N.J. Hopper, J. Langford, “CAPTCHA: Using Hard AI Problems For Security,” Proc., EuroCrypt 2003, Warsaw, Poland, May 4-8, “CAPTCHAs”

8 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Some Typical CAPTCHAs Microsoft eBay/PayPal Yahoo! PARC’s PessimalPrint

9 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Cropping up everywhere…  Used to defend against: skewing search-engine rankings (Altavista, 1999) infesting chat rooms, etc (Yahoo!, 2000) gaming financial accounts (PayPal, 2001) robot spamming (MailBlocks, SpamArrest 2002) In the last two years: Overture, Chinese website, HotMail, CD-rebate, TicketMaster, MailFrontier, Qurb, Madonnarama, Gay.com, … … how many have you seen?  On the horizon: ballot stuffing, password guessing, denial-of-service attacks `blunt force’ attacks (e.g. UT Austin break-in, Mar ’03) …many others D. P. Baron, “eBay and Database Protection,” Case No. P-33, Case Writing Office, Stanford Graduate School of Business, Stanford Univ., 2001.

10 Pattern Recognition Research Lab D. Lopresti & H. S. Baird The Limitations of Image Understanding Technology There remains a large gap in ability between human and machine vision systems, even when reading printed text Performance of OCR machines has been systematically studied: 7 year olds can consistently do better! This ability gap has been mapped quantitatively S. Rice, G. Nagy, T. Nartker, OCR: An Illustrated Guide to the Frontier, Kluwer Academic Publishers: 1999.

11 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Image Degradation Modeling Effects of printing & imaging: We can generate challenging images pseudorandomly H. Baird, “Document Image Defect Models,” in H. Baird, H. Bunke, & K. Yamamoto (Eds.), Structured Document Image Analysis, Springer-Verlag: New York, blur thrs sens thrs x blur

12 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Machine Accuracy is Often a Nearly Monotonic Function of Parameters T. K. Ho & H. S. Baird, “Large Scale Simulation Studies in Image Pattern Recognition,” IEEE Trans. on PAMI, Vol. 19, No. 10, p , October 1997.

13 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Can You Read These Degraded Images? Of course you can …. but OCR machines cannot!

14 Pattern Recognition Research Lab D. Lopresti & H. S. Baird The PessimalPrint CAPTCHA Three OCR machines fail when: OCR outputs – blur = 0.0 & threshold  – threshold = 0.02 & any value of blur ~~~.I~~~ ~~i1~~ N/A ~~I~~ A. Coates, H. Baird, R. Fateman, “Pessimal Print: A Reverse Turing Test,” Proc. 6th IAPR Int’l Conf. On Doc. Anal. & Recogn. (ICDAR’01), Seattle, WA, Sep 10-13, … but people find all these easy to read

15 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Variations & Generalizations  CAPTCHA Completely Automatic Public Turing test to tell Computers and Humans Apart  HUMANOID Text-based dialogue which an individual can use to authenticate that he/she is himself/herself (‘naked in a glass bubble’)  PHONOID Individual authentication using spoken language Human Interactive Proof (HIP) An automatically administered challenge/response protocol allowing a person to authenticate him/herself as belonging to a certain group over a network without the burden of passwords, biometrics, mechanical aids, or special training.

16 Pattern Recognition Research Lab D. Lopresti & H. S. Baird 1st Int’l Workshop on Human Interactive Proofs PARC, Palo Alto, CA, January 9-11, 2002

17 Pattern Recognition Research Lab D. Lopresti & H. S. Baird 2nd Int’l Workshop on Human Interactive Proofs PARC, Palo Alto, CA, January 9-11, 2002 Lehigh University, Bethlehem, PA – May 19-20, 2005

18 Pattern Recognition Research Lab D. Lopresti & H. S. Baird The 2nd HIP Workshop May Lehigh University, Bethlehem, PA Advisory Board: Manuel Blum, CMU Doug Tygar, UCB CS/SIMS Patrice Simard, Microsoft Research Gordon Legge, Univ. Minnesota Organizers: Henry Baird, Dan Lopresti

19 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Weaknesses of Existing CAPTCHAs  English lexicon is too predictable: dictionaries are too small only 1.2 bits of entropy per character (cf. Shannon)  Physics-based image degradations vulnerable to well-studied image restoration attacks, e.g.   Complex images irritate people even when they can read them need user-tolerance experiments

20 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Human Readers Literature on the psychophysics of reading is helpful:  many kinds of familiarity helps, not just English words  optimal word-image size is known: degrees subtended angle  optimal contrast conditions known  other factors measured for the best performance: to achieve and sustain “critical reading speed” BUT gives no answer to: where’s the optimal comfort zone? G. E. Legge, D. G. Pelli, G. S. Rubin, & M. M. Schleske, “Psychophysics of Reading: I. normal vision,” Vision Research 25(2), J. Grainger & J. Segui, “Neighborhood Frequency Effects in Visual Word Recognition,’ Perception & Psychophysics 47, 1990.

21 Pattern Recognition Research Lab D. Lopresti & H. S. Baird The BaffleText CAPTCHA  Nonsense words generate ‘pronounceable’ – not ‘spellable’ – words using a variable-length character n-gram Markov model they look familiar, but aren’t in any lexicon, e.g. ablithan wouquire quasis  Gestalt perception force inference of a whole word-image from fragmentary or occluded characters, e.g. using a single familiar typeface also helps M. Chew & H. S. Baird, “BaffleText: A Human Interactive Proof,” Proc., SPIE/IS&T Conf. on Document Recognition & Retrieval X, Santa Clara, CA, January 23-24, 2003.

22 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Mask Degradations Parameters of pseudorandom mask generator: shape type: square, circle, ellipse, mixed density: black-area / whole-area range of radii of shapes

23 Pattern Recognition Research Lab D. Lopresti & H. S. Baird User Acceptance % Subjects willing to solve a BaffleText… 17% every time they send 39% … if it cut spam by 10x 89% every time they register for an e-commerce site 94% … if it led to more trustworthy recommendations 100% every time they register for an account Out of 18 responses to the exit survey.

24 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Many Are Vulnerable to Character-Segmentation Attack Effective strategy of attack: Segment image into characters Apply aggressive OCR to isolated chars If it’s known (or guessed) that the word is ‘spellable’ (e.g. legal English), use the lexicon to constrain interpretations Patrice Simard (MS Research) reports that this breaks many widely used CAPTCHAs

25 Pattern Recognition Research Lab D. Lopresti & H. S. Baird So, try to generate word-images that will be hard to segment into characters Slice characters up: -vertical cuts; then -horizontal cuts Set size of cuts to constant within a word Choose positions of cuts randomly Force pieces to drift apart: ‘scatter’ horiz. & vert. Change intercharacter space

26 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Character fragments can interpenetrate Not only is it hard to segment the word into characters, …. … it can be hard to recombine characters’ fragments into characters

27 Pattern Recognition Research Lab D. Lopresti & H. S. Baird How Well Can People Read These? We carried out a human legibility trial with the help of ~60 volunteers: students, faculty, & staff at Lehigh Univ. plus colleagues at Avaya Labs Research

28 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Subjects were told they got it right/wrong – after they rated its ‘difficulty’

29 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Subjective difficulty ratings are correlated with illegibility Right: Wrong : 1 Easy Impossible

30 Pattern Recognition Research Lab D. Lopresti & H. S. Baird People Rated These “Easy’ (1/5) aferatic memmari heiwho nampaign

31 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Rated “Medium Hard” (3/5) overch / ovorch wouwould atlager / adager weland / wejund

32 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Rated “Impossible” (5/5) acchown / echaeva gualing / gealthas bothere / beadave caquired / engaberse

33 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Why is ScatterType legible at all?  Should it surprise you that this is legible…?  We speculate that we can read it because: human readers exploit typeface consistency cues … evidence remains in small details of local shape this ability seems largely unconscious

34 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Mean Horizontal Scatter vs Mean Vertical Scatter Mirage: data analysis tool, Tin Kam Ho, Bell Labs. Right: Wrong : 1 Easy Impossible

35 Pattern Recognition Research Lab D. Lopresti & H. S. Baird The Arms Race  When will serious technical attacks be launched? ‘spam kings’ make $$ millions two spam-blocking firms rely on CAPTCHAs  How long can a CAPTCHA withstand attack? especially if its algorithms are published or guessed  Strategy: keep a pipeline of defenses in reserve: continuing partnership between R&D & users

36 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Lots of Open Research Questions  What are the most intractable obstacles to machine vision? segmentation, occlusion, degradations, …?  Under what conditions is human reading most robust? linguistic & semantic context, Gestalt, style consistency…?  Where are ‘ability gaps’ located? quantitatively, not just qualitatively  How to generate challenges strictly within ability gaps? fully automatically an indefinitely long sequence of distinct challenges

37 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Disguised CAPTCHAs Note that many normal navigation aids are CAPTCHAs (though not designed for that purpose)

38 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Implicit CAPTCHAs We are investigating design principles for “implicit CAPTCHAs” that relieve these drawbacks: Challenges disguised as necessary browsing links Challenges that can be answered with a single click while still providing several bits of confidence Challenges that can be answered only through experience of the context of the particular website weave CAPTCHAs into a multi-page “story” can’t be extracted and “farmed-out” to people Challenges that are so easy that failure indicates a failed robot attack

39 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Next Steps at Lehigh  By judicious restrictions on engineering parameters, attempt to ensure human legibility better than 99.5%  Similarly, attempt to ensure 90% of challenges have low subjective difficulty ratings (e.g. 1-3 out of 5)  You are welcome to try out ScatterType: arcturus.cse.lehigh.edu/CAPTCHAs  Also, we invite you to attack it: We’ll send you large batches, with ground-truth Try to train a classifier to break it!

40 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Alan Turing might have enjoyed the irony … A technical problem – machine reading – which he thought would be easy, has resisted attack for 50 years, and now allows the first widespread practical use of variants of his test for artificial intelligence.

41 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Contact Henry S. Baird

42 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Henry S. Baird Michael A. Moll Sui-Yu Wang A Highly Legible CAPTCHA that Resists Segmentation Attacks

43 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Some Typical CAPTCHAs AltaVista eBay/PayPal Yahoo! PARC’s PessimalPrint

44 Pattern Recognition Research Lab D. Lopresti & H. S. Baird All These Are Vulnerable to Segment-then-Recognize Attack Effective strategy of attack: Segment image into characters Apply aggressive OCR to isolated chars If it’s known (or guessed) that the word is ‘spellable’ (e.g. legal English), use the lexicon to constrain interpretations Patrice Simard (MS Research) et al report that this breaks many widely used CAPTCHAs

45 Pattern Recognition Research Lab D. Lopresti & H. S. Baird We try to generate word-images that will be hard to segment into characters Slice characters up: -vertical cuts; then -horizontal cuts Set size of cuts to constant within a word Choose positions of cuts randomly Force pieces to drift apart: ‘scatter’ horiz. & vert. Change intercharacter space

46 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Character fragments can interpenetrate Not only is it hard to segment the word into characters, …. … it can be hard to recombine characters’ fragments into characters

47 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Character fragments can interpenetrate Not only is it hard to segment the word into characters, …. … it can be hard to recombine characters’ fragments into characters

48 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Nonsense Words  We use nonsense (but English-like) words (as in BaffleText): generated pseudorandomly by a stochastic variable-length character n-gram model trained on the Brown corpus … this protects against lexicon-driven attacks  Why not use random strings? We want to help human readers feel confident they have made a plausible choice, so they’ll put up with severe image degradations (Cf. research in psychophysics of reading.) M. Chew & H. S. Baird, “BaffleText: a Human Interactive Proof,” Proc., 10 th SPIE/IS&T Document Recognition and Retrieval Conf., (DRR2003), Santa Clara, CA, January , 2003.

49 Pattern Recognition Research Lab D. Lopresti & H. S. Baird How Well Can People Read These? We carried out a human legibility trial with the help of ~60 volunteers: students, faculty, & staff at Lehigh Univ. plus colleagues at Avaya Labs Research

50 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Subjects were told they got it right/wrong – after they rated its ‘difficulty’

51 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Subjective difficulty ratings were correlated with objective difficulty People often know when they’ve done well This can be used to ensure that challenges aren’t too hard (frustrating, angering) Subjective difficulty level ALL Easy Impossible 5 No. of Challenges Percent answered correctly

52 Pattern Recognition Research Lab D. Lopresti & H. S. Baird The same data, graphically Right: Wrong : 1 Easy Impossible

53 Pattern Recognition Research Lab D. Lopresti & H. S. Baird People Rated These “Easy’ (1/5) aferatic memmari heiwho nampaign

54 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Rated “Medium Hard” (3/5) overch / ovorch wouwould atlager / adager weland / wejund

55 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Rated “Impossible” (5/5) acchown / echaeva gualing / gealthas bothere / beadave caquired / engaberse

56 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Why is ScatterType legible?  Does it surprise you that this is legible…?  I speculate that we can read it because: we exploit typeface consistency … the evidence is small details of local shape this ability seems largely unconscious

57 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Ensuring that ScatterType is Legible We mapped the domain of legibility as a function of engineering choices:  typefaces  characters in the alphabet  cutting & scattering parameters: cut fraction expansion fraction horizontal scatter mean vertical scatter mean h & v scatter variance character separation

58 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Some typefaces remain legible while others degrade quickly

59 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Raising Legibility by Pruning Typefaces

60 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Some Characters Quickly Become Confusable overch ‘ o ’ ‘ e ’ ‘ c ’ confusions

61 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Raising Accuracy by Omitting Characters

62 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Ensuring Legibility  Pruning characters & typefaces raised legibility in the top two difficulty levels to ~ 90%  Next step restrict the range of cutting & scatter parameters

63 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Mean Horizontal Scatter vs Mean Vertical Scatter Mirage: data analysis tool, Tin Kam Ho, Bell Labs. Right: Wrong : 1 Easy Impossible

64 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Cut Fraction Histogram Right: Wrong : 1 Easy Impossible

65 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Character Separation Histogram Right: Wrong : 1 Easy Impossible

66 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Finding Parameter Ranges for High Legibility d = Euclidean distance from origin of Mean Horiz Scatter vs Mean Vertical Scatter

67 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Guided by this Analysis, We Can Define Legibility Regimes Trivial: large cut fraction and small expansion Simple: character separation also decreases Easy: in original trial, correct 81% of time Medium Hard: larger scatter distances degrades legibility noticeably

68 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Other Examples - “Easy” “ wexped ” - difficult to segment ‘ e ’, ‘ x ’ and ‘ p ’. Shows difficulty of achieving 100% legibility “ veral ” - same parameters as above but different font. Not as difficult to segment

69 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Other Examples - “Too Hard” “ thern ” difficult to read, but easier than most with the same parameter values. Font makes a big difference. “ wezre ” satisfactorily illegible, though probably segmentable

70 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Next Steps  By judicious restrictions on engineering parameters, attempt to ensure human legibility better than 99.5%  Similarly, attempt to ensure 90% of challenges have low subjective difficulty ratings (e.g. 1-3 out of 5)  You are welcome to try out ScatterType: arcturus.cse.lehigh.edu/CAPTCHAs  Also, we invite you to attack it: We’ll send you large batches, with ground-truth Try to train a classifier to break it!

71 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Future Work  We have exhausted the experimental data from the 1 st trial  How can we automatically create images with given difficulty?  We have generated many images that seem difficult to segment automatically, but we don’t understand how to guarantee this  We need to understand the effects of typefaces on ScatterType legibility  We want to study character-confusion pairs more  Attacking ScatterType Testing on best OCR systems Invite attacks from other researchers Is it credible if we attack it ourselves, and fail?

72 Pattern Recognition Research Lab D. Lopresti & H. S. Baird Contacts Henry S. Baird Michael Moll


Download ppt "Pattern Recognition Research Lab D. Lopresti & H. S. Baird Henry S. Baird CSE Dept, Lehigh Univ. (Joint work with : Richard Fateman, Allison Coates, Kris."

Similar presentations


Ads by Google