3-D CAPTCHA

Abstract

Many online resources are prone to automated attacks and misuse.

Examples include polls being biased due to massive automated voting, e-mail accounts being opened for the purpose of spreading spam, online talkbacks being used as commercials, and many more.

CAPTCHAs are used to minimize these online malices in way of presenting a challenge which a human is better apt to pass than a machine.

Our project generates an image from a 3D model using a webservice, and then asks the end-user to identify elements in the image.

(Original idea was taken from: 3D CAPTCHA)

Sample Screenshot

demojpg

As can be seen in the image, we have 3 people looking at different objects, we now ask the user to click on a body part of the person looking at one of the objects.
To succeed in the challenge you'll need to identify the object, identify who's looking at it and where to click.
(the red rectangle in the image marks the right answer for this challenge.)

Implementation Notes

Server Side

Our server is implemented in Java.

Web Service
A web service is a software system designed to support interoperable machine-to-machine interaction (and resource consumption) over a network. We used XFire to implement out web service. XFire is a Java framework for development and consumption of web services, it's a Java SOAP framework. It provides support for: Web Service Standards, Object Interfaces, Different Network Transports, etc. SOAP, originally defined as Simple Object Access Protocol, is a protocol specification for exchanging structured information in the implementation of Web Services in computer networks. It relies on XML as its message format and usually relies on other Application Layer protocols. SOAP forms the foundation layer of the web services protocol stack providing a basic messaging framework upon which abstract layers can be built.

We have implemented the project in such a way that allows us to switch the CAPTCHA type to any CAPTCHA.
This is done without having to change the client code.
Upon request we are injecting code into the client's web-page using our web service.
This way, the project is generic for every CAPTCHA challenge.

Database
We used MySQL + Hibernate for our database. Hibernate is an object-relational mapping (ORM) library for the Java language, providing a framework for mapping an object-oriented domain model to a traditional relational database. Hibernate is free as open source software that is distributed under the GNU Lesser General Public License.
Client Side
Our client side is implemented in Java and JavaScript. We chose to implement it using JavaServer Faces (JSF) which is a Java-based Web application framework intended to simplify development of user interfaces for Java EE applications.
Spring Framework
Spring is an open source application framework for the Java platform. We used the Spring framework for Inversion of Control container – in which Objects can be obtained by means of Dependency lookup or Dependency injection. Dependency lookup is a pattern where a caller asks the container object for an object with a specific name or of a specific type. Dependency injection is a pattern where the container passes objects by name to other objects, via either constructors, properties, or factory methods.
Pov Ray
We have used a 3D rendering software which uses its own programming language to model a scene.

We have also used the BlobMan library (Author: Peter Houston) to generate human models and a script (modified) to help us calculate the 2d coordinates out of a 3D vector(Author: Wodzimierz ABX Skiba).

Project Design

Design.jpg

Possible Extensions

1. To make the challenge more difficult to a rival machine learning algorithm with a success probability of R, we can ask the user to supply an answer to more than one challenge.
This way, the probability becomes R#challenges.

2. Use AJAX - for example for (1) and also for redirecting to a user defined success / failure page - in case the user validated the challenge or not.

3. Povray - much can be explored in terms of making the resulting image: a. nicer b. harder for a machine to analyze c. quicker to render.

for a. different lighting can be used for softer shadows.
for b. different ways of distorting the objects can be employed (change scaling, apply warping, etc.).
for c. it is possible to have less ray tracing bounces (the number of times a ray of light bounces from a surface) for better performance.

4. Currently the code being injected to the client web-page using the CAPTCHA includes a link to the image from the server running the web-service - it is an open question whether to first send the image to the client server and from there to the end-user (would require client side code change if we were to change the CAPTCHA) or keep things the way they are.

5. Parallel work - Currently the server works on one computer, if the rate of requests is larger than the rate of generating an image, we need to assign the rendering work to multiple computers / processor cores. Would require us to generate an ID for each input file for povray to use, some other minor changes in code are needed (we hope).

Interesting links

  • A paper discussing a similar approach, the user is asked to identify objects that were distorted in some way (rotation, translation, scaling, warping, lighting).
  • Three sites (1, 2, 3) presenting a different approach for text CAPTCHAs, where the text is written onto a 3D Surface.
  • An article about cracking a CAPTCHA that asks the user to write down a word/digit being voiced.

Source Code

Via Source Forge

Group Members

Keren Segev
Omer Sharav

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License