
International Conference on Advances in Computing, Communication and Control (ICAC3’09)

THINK-AN IMAGE BASED CAPTCHA MECHANISM
(TESTIFYING HUMAN BASED ON INTELLIGENCE AND KNOWLEDGE)

V. Srikanth
School of Computing Sciences, VIT University, Vellore, Tamil Nadu, India
srikkanth_srik@yahoo.co.in

C. Vishwanathan
School of Computing Sciences, VIT University, Vellore, Tamil Nadu, India
vishwanathanc@gmail.com

Udit Asati
School of Computing Sciences, VIT University, Vellore, Tamil Nadu, India
uditasati.vit@gmail.com

N. Ch. Sriman Narayana Iyengar
School of Computing Sciences, VIT University, Vellore, Tamil Nadu, India
nchsniyr@gmail.com

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
ICAC3’09, January 23–24, 2009, Mumbai, Maharashtra, India.
Copyright 2009 ACM 978-1-60558-351-8…$5.00.

ABSTRACT
There is a need for a CAPTCHA as a result of the abuse of automated ‘bots’ [6]. The problem of spamming arose as bots intruded into the internet [3]. Many solutions have been proposed for stopping these bots. The best and most feasible solution proposed till now has been the CAPTCHA, or fuzzy text recognition. But the latest news that hurt the organisations that use CAPTCHA is that bots have started recognizing these fuzzy texts. In this paper we propose a novel yet simple idea which can serve as a replacement for CAPTCHA. Several image based CAPTCHAs have been proposed and likewise defeated [1]. Our idea, THINK, is along the same lines yet is fool proof. We suggest that a real time image is used which portrays some action or shows some object; the user is expected to identify the action or object and type the answer. No choices are given to the user, thereby eliminating the option of identifying the answer by probability.

KEY WORDS
CAPTCHA, real-time image, keywords, THINK, Questions, Time-out, counter, image and Fuzzy-Text.

1. INTRODUCTION
A CAPTCHA involves a fuzzy text that has to be identified by the user to distinguish between humans and bots [8]. An example of a fuzzy text CAPTCHA is shown below:

Figure-1: Shows the present day CAPTCHA

The user is required to identify the fuzzy text shown in the image. If the user recognizes the text correctly as “tame”, it is concluded that the user is human; otherwise the user is required to solve a different puzzle. Since this method is very easy to generate and cost efficient, it was implemented, though various other alternative systems were proposed as tests to tell human and computer apart.

The news that recently took the IT world by surprise is that the CAPTCHA [11] (Completely Automatic Public Turing Test to Tell Computer and Human Apart) is no longer fool proof, as bots have started recognising the fuzzy text. Hence there is a need to replace the existing technology for distinguishing between a human and a machine. This made us come up with THINK (Testifying Human based On Intelligence and Knowledge). THINK is much easier and more fun for users to solve. The user is confronted with an image, based on which a question is posed. The user is required to type the answer. The answer is present in the database in the form of keywords. If the user’s answer matches any of the keywords, it is concluded that the user is a human and access is granted; otherwise access is denied.

2. METRICS
The various metrics that need to be satisfied for a good system to tell human and computer apart, according to [7], are:

2.1 Consistency
When presented with the same system, how reproducible is a user’s answer? The level of consistency will clearly vary across the various systems, and the acceptable level will vary for the different systems (some systems may be easy and some may be complicated).

2.2 Entropy
Will two users answer the same question in the same way? How hard is it to guess the answer for the user, given a particular system?

2.3 Fun
A good system should not require any specialized knowledge or complicated actions, and should have a low barrier to entry. Relatedly, it should not be too time consuming or tedious. Importantly, fun may also markedly affect the other parameters.

2.4 Ease of generation
How easy is it to generate a question in a particular system, so that the system is efficient? The time taken to generate a question must be very small, and the cost involved in the process must be minimal. Can the questions be generated automatically by the computer, or is human intervention required? Can they be displayed to the user at random?

2.5 Implementation
Finally, how easy is it to implement? Does it require complex and elaborate graphics, or can it be implemented for a text-only system? How accessible is the system?

Based on the above metrics we have come up with a system which removes the flaws in previously proposed systems.

3. A STUDY ON EXISTING SYSTEMS
3.1 Fuzzy text recognition
The first successful implementation of this idea was a system where the user is presented with fuzzy letters and asked to read them. Andrei Broder et al. are believed to be the first to have actually implemented such a system, while at AltaVista. There, it was used to foil bots trying to submit URLs into the AltaVista index. This work was soon followed by others. Coates et al. suggested the idea of “Pessimal Print”: text manipulated in ways designed to be hard for OCR software. In [4] Luis von Ahn coined the term CAPTCHA and proposed a similar scheme named “Gimpy”.

After it became clear that CAPTCHAs were useful and not just a research curiosity, they began to spring up everywhere, largely in a security context: as a way to prevent denial-of-service attacks or comment spam, or as a way of slowing down brute-force attacks.

3.2 Other related approaches
Along the same lines, von Ahn et al. [4] proposed a handful of other CAPTCHAs: “Bongo”, a visual pattern recognition puzzle; “Eco”, a sound recognition puzzle; and “Pix”, a label-the-object puzzle. In “Pix”, the user is presented with blurred images of an object and asked a question like “What are these images of?” An implementation of Pix, known as ESP-Pix, is shown in Figure-2.

Figure-2: Shows an ESP-PIX CAPTCHA

Speech CAPTCHAs, where words are said over white noise, seem to show promise [9], but getting sound to work just right in a Web browser, e.g., can be an inconvenience at best and a major annoyance at worst. Despite the existence of these other techniques, fuzzy text CAPTCHAs remain the most popular because of their ease of generation and cost efficiency. But since fuzzy text CAPTCHAs, as described earlier, have been recognized by bots, they can no longer be used, as they cannot serve the very purpose of their introduction.

3.3 Corpus based CAPTCHAs
Another interesting trend is the move towards corpus-based CAPTCHAs, like re-CAPTCHA [10]. ReCAPTCHA is a project to digitize books by turning words that trigger OCR errors into CAPTCHAs. The scheme works as follows: the user is presented with two blurry words, one that the computer knows and one that it does not, in a random order. The human reads both words and submits the answer. If the user’s answer to the known word is correct, his answer to the unknown word is used as a vote for the actual correct answer.

4. OUR PROPOSAL-THINK

Figure-3: A Sample of a real-time image used in THINK

Instead of fuzzy text we introduce a randomly generated real time image which shows some object or portrays some action, e.g. a person eating ice cream or two players playing tennis. The user is expected to identify the action or the object. These images are always real time images. This system requires human intervention: human beings shoot the real time images (one such image is shown in Figure-3). The human also frames the questions related to the picture, as well as the expected answers, i.e., the keywords. The work of the computer is to present these images with questions to the user at random, compare the answers given by the user with the keywords, and conclude whether the user is a human or a bot based on the answer. Note that repetition of images is avoided by removing the image, its question and the related keywords from the
database as soon as that particular entry is used. Though systems of this type already exist as graphical password systems, in a graphical password system a set of options is given to the user along with the question. In such cases there is a very high probability that automated systems may select the correct answer based on permutations. But in this system, since the user is asked to type the answer, the work is not that easy for automated systems, whereas it is very easy for six-sensed humans. Though bots are aided by artificial intelligence (A.I), the A.I of present day systems is not developed enough to identify an action from a given real time image [2], nor can it identify a real time object shown. Our system is illustrated by the following example:

The figure shows an image that is used in our system. It shows an image of a television. This is a real time image, and automated machines cannot guess the answer if the question for the image is: Identify the object shown in the image? But for humans, it is very easy to answer this question. For the same question, the keywords (answers) are set as television, TV, tele. If the user’s answer contains any one of these keywords, the user is identified as a human and is allowed to proceed further; otherwise the user is identified as an automated system and access is denied. If the user’s answer is “a television”, it is concluded that the user is a human; if the answer is “a tele”, even then the user is identified as human. If the answer is “a monitor”, or if the answer is irrelevant to the question, the user is identified as an automated system and access is denied.

4.1 Time out feature
There is an important feature called the time out feature: a countdown timer starts to count down as soon as the question is presented to the user by the computer. Once the time limit expires, the user has to face a new question, which he is expected to solve to get access. This feature to an extent prevents automated systems from answering the question, as these systems are mostly supported by knowledge based systems, which take some time to browse through the directory and give the correct answer, whereas a normal human takes very little time to solve these questions.

4.2 Algorithm used to implement THINK:
1) Initialize the required counter to 0 and the objects for the GUI.
2) Connect to the database.
3) Retrieve a random record consisting of an image and the related question.
4) Display the image and question.
5) Start a new thread for verifying the answer and keeping track of time.
6) Increment the counter by 1 and make the thread sleep for 1 sec.
7) Check if the user pressed any buttons.
8) If the user pressed the submit button, suspend the thread and compare the answer entered by the user to the one loaded from the database.
9) If the answer is a substring of the user’s answer, exit displaying a message of acceptance.
10) If the user clicks the cancel button, exit from the program, closing the database connection.
11) If the answer is wrong, do nothing and display an error message.
12) If the counter reaches 59, repeat step 3, reset the counter and go to step 6.
13) Continue till the user clicks the cancel button or closes the program.
14) Stop.

5. SNAPSHOT OF THINK
As shown in the snapshot (Figure-4), the user is presented with an image and a question. The user is required to enter the answer in the text box provided and press the submit button; access is given provided the answer is authenticated. In the example shown in the snapshot, the picture shows a television and the question posed, which is relevant to it, says “Identify the object shown in the image?”. The answer entered by the user is “television”, which is the correct answer, and hence he gets access to the account.

Figure-4: Shows the Snapshot of THINK

Generating the “THINK” puzzle for every single login attempt may be too expensive for the web server, and it also represents added work that the user would most likely be reluctant to deal with every time. According to [5] it can be applied on the following conditions:
1. Prompt for the username and password
2. Check to see if the client has a valid cookie
3. If user gives:
   a. Password correct: Accept and give access directly without the need to solve the “THINK” puzzle
   b. Password incorrect: Give the user a “THINK” puzzle; if the user solves it give access, else reject access and throw a new question for the user to solve to get access.

6. HOW THINK IS SUPERIOR
Our system is a modification of the other image based CAPTCHA models. In the ESP-Pix model the user is required to select the answers; moreover, the images used are not real time images, and there is a very high probability that these images can be located on the internet, whereas in “THINK”, i.e., in our system, we use real time images and there is no possibility that these images can be located on the internet. If images found on the internet or any freeware images are used, there is a good probability that an automated system can crack the answer, as this gives the system an opportunity to search for the answers, which is the reason for the failure of the image related CAPTCHAs; in our system that is eliminated as we use real-time
images. In one other proposed solution to distinguish between humans and computers, the user is expected to arrange jumbled images in sequence to get the original image, which is not within the scope of a common human being; the test has to be simple and efficient, to make sure that it is within the scope of every common person and out of scope for the bots. As identified previously, choosing an answer is rather easier than giving the answer on one’s own, which we exploit to come up with a system that satisfies all the requirements to serve as a successful and efficient system to distinguish between a human and a computer.

7. EXPERIMENTAL RESULTS
THINK was implemented and tested on many users; almost all the users found that a THINK puzzle is much easier to solve than a fuzzy text. It took considerably less time to solve the THINK puzzle than the CAPTCHA or other related challenges. The fun factor as described in the metrics becomes a major factor in THINK. The THINK puzzle is fun to solve for the users as it requires the user to interpret a real time image, and it is a refreshing concept as far as the users are concerned; hence they find the THINK puzzle much easier and enjoy solving it. The table below shows the users and the time they took to solve the puzzle. The feedback for the THINK puzzle is very good, as the users found THINK very easy to solve in terms of the difficulty of the challenge, and it is strictly out of scope for bots as the image used is a real time image.

Table-1: Shows the users and the time taken to solve THINK

USERS     TIME TAKEN IN SECONDS
USER 1    10
USER 2    11
USER 3    09
USER 4    10
USER 5    13
USER 6    11
USER 7    09
USER 8    10

It is clearly evident from the table that the time taken to solve THINK is less than 20 seconds. The puzzle was tested among all kinds of people, and hence by taking the average of the time taken it can be concluded that THINK is also time efficient.

8. CONCLUSIONS AND FUTURE WORKS
Our future work involves matching the user’s answers with the keywords based on the meaning of the answer. This involves fuzzy logic, and if it is implemented the system will be much more user friendly, as it gives the user another chance to identify the keyword based on a clue given after the user gives at least a similar meaning in the first round of authentication. For example, consider a picture showing an apple: if the user’s answer is “fruit”, he is again posed with the question “what fruit?” Thus it gives the user another chance to get the keyword correct, i.e., apple. Thus we have come up with a novel yet practical and easily implementable solution to distinguish between a human and an automated system. We initially formulated some metrics based on which a good CAPTCHA can be evaluated, and finally conclude by proposing a system which satisfies all the metrics. It is more secure and efficient in terms of performance when compared to the present day systems or any other system proposed till date.

9. REFERENCES
[1] Wen-Hung Liao. A CAPTCHA Mechanism by exchanging Image Blocks. Department of Computer Science, National Chengchi University, Taipei, Taiwan. Proceedings of the 18th International Conference on Pattern Recognition (ICPR’06).
[2] Luis von Ahn, Manuel Blum, Nicholas J. Hopper and John Langford. CAPTCHA: Using Hard AI Problems for security. Computer Science Dept., Carnegie Mellon University, Pittsburgh, PA 15213, USA.
[3] Peizhou He, Young Sun, Wei Zheng, Xiangming Wen. Filtering Short Message Spam of Group Sending Using CAPTCHA. Beijing Univ of Posts and Telecomm., Beijing. Knowledge Discovery and Data Mining 2008, WKDD 2008, International Workshop.
[4] Luis von Ahn, Manuel Blum and John Langford. Telling humans and computer apart automatically. Communications of ACM 47:5660, 2004.
[5] Mark D. Lillibridge, Martin Abadi, Krishna Bharat, and Andrei Z. Broder. Method for selectively restricting access to computer systems, February 27 2001. U. S. Patent No. 6,195,698.
[6] Moni Naor. Verification of a Human in the loop or Identification via the Turing Test. http://www.wisdom.weizmann.ac.il/~naor/PAPERS/human_abs.html. 1996.
[7] Waseem S. Daher. POSH: A generalized CAPTCHA with security applications. Massachusetts Institute of Technology. http://creativecommons.org/licenses/by/3.0/ or Creative Commons, 559 Nathan Abbott Way, Stanford, CA 94305.
[8] Philip Brighten Godfrey. Text-Based CAPTCHA algorithms. In First Workshop on Human Interactive Proofs, Unpublished Manuscript, 2002. http://www.aladdin.cs.cmu.edu/hips/events/abs/godfreyb_abstract.pdf.
[9] Shih Chilin, Greg Kochanski and Daniel Lopresti. A reverse turing test using speech. In International Conference on Spoken Language Processing, pages 1357-1360, Denver, Colorado, 2002.
[10] Luis von Ahn. Re-CAPTCHA. http://www.recaptcha.net, 2007.
[11] Shujun Li and Heung-Yeung Shum. Secure Human-Computer Identification (Interface) Systems against Peeping Attacks: SecHCI. Cryptology ePrint Archive, Report 2005/268, 2005. http://eprint.iacr.org.
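
The challenge loop described in Sections 4, 4.1 and 4.2 (random record, one-time use of an entry, substring keyword match, 59-second time-out), written out as an added example that is not code from the paper. The class and function names, the sample records, and the choice to check elapsed time when an answer is submitted instead of running a timer thread are assumptions made here.

```python
import random
import time

# Constructed sample records: (image file, question, keywords). The first row
# is the paper's television example; the second is made up for illustration.
RECORDS = [
    ("tv.jpg", "Identify the object shown in the image?", ["television", "TV", "tele"]),
    ("tennis.jpg", "What game is being played?", ["tennis"]),
]
TIME_LIMIT = 59  # seconds; the counter value at which step 12 swaps the question


class ThinkSession:
    """One user's challenge loop (steps 3 to 12 of Section 4.2), without the GUI."""

    def __init__(self, records, clock=time.monotonic, rng=random):
        self.pool = list(records)  # stands in for the database table
        self.clock = clock
        self.rng = rng
        self.current = None
        self.issued_at = None

    def next_challenge(self):
        """Step 3: pick a random record and remove it so it is never shown again."""
        if not self.pool:
            raise LookupError("no unused images left; new ones must be added")
        self.current = self.pool.pop(self.rng.randrange(len(self.pool)))
        self.issued_at = self.clock()
        return self.current[0], self.current[1]

    def submit(self, answer):
        """Steps 8 to 12: returns 'accepted', 'wrong' or 'timeout'."""
        if self.current is None:
            raise RuntimeError("no challenge has been issued yet")
        if self.clock() - self.issued_at >= TIME_LIMIT:
            self.next_challenge()  # step 12: new question, timer reset
            return "timeout"
        text = answer.strip().lower()
        # Step 9: a keyword only has to occur as a substring of the answer.
        if any(kw.lower() in text for kw in self.current[2]):
            return "accepted"
        return "wrong"  # step 11: the same question stays on screen


def demo():
    """Replays the paper's television answers against a fixed clock."""
    now = [0.0]
    session = ThinkSession(RECORDS[:1], clock=lambda: now[0])
    session.next_challenge()
    # "telephone" is not in the paper; it shows what the substring rule admits.
    answers = ("a television", "a tele", "a monitor", "telephone")
    return [session.submit(a) for a in answers]


if __name__ == "__main__":
    print(demo())
```

Because step 9 is a substring test, the short keyword "tele" also accepts an answer such as "telephone"; matching whole words against the keyword list would be stricter.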
