Smart Verification Code
There is no such thing as a peaceful world; it only feels peaceful because someone is carrying the burden. Nowadays, machine attack scripts swarm across the Internet. Protecting the quiet, good years of hundreds of millions of users has become the mission of verification code technology, which has quietly penetrated people's daily lives. It has resisted hundreds of millions of machine script attacks without being noticed; as an "invisible angel", it has become an indispensable part of online life.
Traditional verification codes rely on fixed rules for human-machine discrimination. Common traditional verification codes fall into the following categories:
(1) Character input verification code: the user types the characters shown in the picture into the input box, and credible and suspicious users are distinguished by comparing the input with the ground truth. The cost of recognizing characters of this kind is low, and existing technology can already recognize most of them accurately; it also requires keyboard input from the user, so the experience is poor and the disturbance is high.
(2) Arithmetic verification code: the user calculates the value of the mathematical expression in the picture and fills it in the input box. The operators in such expressions are easy to confuse, so users misread them, recalculate, and are disturbed further; it requires keyboard input, so the experience is not friendly; and it is easy to crack at low cost, which leaves a narrow surface for hardening in the attack-and-defense iterations.
(3) Cognitive verification code: the user applies common sense and other everyday knowledge to find the sub-picture that meets the verification code's requirement. This type requires the user to understand everyday information, so user coverage is small; acceptance is low and the experience is poor.
All of the traditional verification codes above are presented as questions to answer, and they decide whether the user is trusted by judging whether the answer is correct. They suffer from poor user experience and are easy to crack. Ever-evolving attackers, a growing defense area, and cost losses that cannot be ignored place higher and higher protection requirements on verification code technology, and the traditional verification code is no longer up to the task. Based on feature extraction and analysis of the user's environment information, device information and behavior data, the new verification code aims to form a multi-dimensional protection network against simulation, counterfeiting and brute-force cracking.
Huawei Cloud's Intelligent CAPTCHA Service (ICS) is a service that provides intelligent human-machine identification. By introducing AI technology and analyzing user behavior characteristics and environment characteristics with big data analysis and machine learning engines on the cloud, hidden relationships can be mined and used effectively. ICS thereby achieves high availability, high concurrency, low latency and accurate identification of machine traffic, greatly reducing users' losses.
ICS first collects the user's behavior data through a self-developed human-machine space-time trajectory coordinate system, then analyzes the collected trajectory data to extract statistics across dimensions including coordinates, time, distance, speed, acceleration, angle, angular velocity, and whether there is back-off behavior. The resulting feature information is fed into a machine learning classification model such as a random forest, which outputs a human-machine discrimination probability.
In addition, the ICS service introduces a non-aware (invisible) verification mode that gives a better experience than presenting a verification code.
The traditional verification code is essentially a passive defense strategy: it increases the disturbance to normal users, and its verification process is not easy, which results in a poor user experience. Is there any way to avoid verification? The answer is yes. ICS changed passive defense into active verification and launched a smart non-sensing verification system that can identify users without a visible verification step, that is, the smart non-sensing verification code service.
Before the user initiates a login request, the user's identity is pre-judged by combining static environment information such as geographic location, malicious features and IP/device data, dynamic behavior information such as mouse movement and trajectory, and other pre-interception security technologies. The user is then presented with a different verification form according to the non-sensing judgment result: if the user is determined to be a normal human, the request is released; if determined to be a machine, it is intercepted; if there is doubt, another form of verification code pops up for further verification. This dual intelligent non-sensing verification based on static information and dynamic behavior satisfies the most essential human-machine discrimination requirement of the verification code while reducing user disturbance and improving the experience.
Trusted users are directly verified and passed to reduce user interruption, as shown in the picture below:
For suspicious users, a sliding verification pops up to accurately distinguish humans from machines, which increases the cost of machine attacks. The sliding verification code in the ICS platform is shown in the following figure. Its security design rests on three aspects: the background picture is diverse in color and style; the position of the gap is random; and it requires a double judgment by rule and by model: first the position of the dragged slider is judged, and only if it is within the allowable error range is the mouse track data passed to the model, which analyzes the track and outputs a suspicious probability.
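The trajectory statistics listed earlier, the rule-then-model double judgment for the slider, and the release/intercept/challenge routing, worked through as an added example. This is illustration code, not ICS code: both pointer trajectories are constructed, and `score_trajectory` is a hand-weighted stand-in for the trained classifier (the thresholds and weights are assumptions, not values from the article).

```python
import math
import statistics
from typing import Dict, List, Tuple

# A pointer sample: (x in px, y in px, t in ms). Both trajectories below are
# constructed for illustration, not captured from a real client.
Point = Tuple[float, float, float]

# Scripted drag: equal 10 px steps every 10 ms in a perfectly straight line.
BOT_TRACK: List[Point] = [(i * 10.0, 50.0, i * 10.0) for i in range(11)]

# Human-like drag: uneven speed, vertical jitter, overshoot and then back-off.
HUMAN_TRACK: List[Point] = [
    (0, 0, 0), (8, 1, 40), (20, 3, 90), (36, 2, 150), (55, 4, 220),
    (74, 3, 300), (90, 5, 380), (103, 4, 460), (98, 3, 540), (100, 3, 620),
]


def extract_features(track: List[Point]) -> Dict[str, float]:
    """Per-trajectory statistics over the dimensions the text names:
    distance, time, speed, acceleration, angle, angular velocity, back-off."""
    if len(track) < 3:
        raise ValueError("need at least three samples")
    steps = []
    for (x0, y0, t0), (x1, y1, t1) in zip(track, track[1:]):
        steps.append((x1 - x0, y1 - y0, max(t1 - t0, 1e-6)))
    dists = [math.hypot(dx, dy) for dx, dy, _ in steps]
    speeds = [d / dt for d, (_, _, dt) in zip(dists, steps)]
    angles = [math.atan2(dy, dx) for dx, dy, _ in steps]
    accels = [(v1 - v0) / s[2] for v0, v1, s in zip(speeds, speeds[1:], steps[1:])]
    ang_vels = [(a1 - a0) / s[2] for a0, a1, s in zip(angles, angles[1:], steps[1:])]
    return {
        "total_distance": sum(dists),
        "total_time_ms": track[-1][2] - track[0][2],
        "mean_speed": statistics.fmean(speeds),
        "speed_std": statistics.pstdev(speeds),
        "accel_std": statistics.pstdev(accels),
        "angvel_std": statistics.pstdev(ang_vels),
        # back-off: did the pointer ever move against the drag direction?
        "backoff": 1.0 if any(dx < 0 for dx, _, _ in steps) else 0.0,
        "n_points": float(len(track)),
    }


def score_trajectory(f: Dict[str, float]) -> float:
    """Stand-in for the trained classifier (e.g. a random forest): returns a
    suspicious probability in [0, 1]. The hand-set weights are an assumption;
    they encode that scripted drags move at constant speed along a straight
    line with no hesitation, while human drags vary and overshoot."""
    p = 0.0
    if f["speed_std"] < 0.05 * f["mean_speed"]:
        p += 0.35
    if f["accel_std"] < 1e-4:
        p += 0.20
    if f["angvel_std"] < 1e-4:
        p += 0.25
    if not f["backoff"]:
        p += 0.10
    if f["total_time_ms"] < 200:
        p += 0.10
    return min(p, 1.0)


def verify_slide(track: List[Point], gap_x: float,
                 tolerance_px: float = 5.0, threshold: float = 0.5) -> Dict[str, object]:
    """Rule-then-model double judgment: the slider's final x must land within
    tolerance of the gap before any trajectory analysis is spent on it."""
    final_x = track[-1][0]
    if abs(final_x - gap_x) > tolerance_px:
        return {"result": "fail", "stage": "rule", "prob": None}
    prob = score_trajectory(extract_features(track))
    return {"result": "fail" if prob >= threshold else "pass",
            "stage": "model", "prob": prob}


def route(prob: float, low: float = 0.2, high: float = 0.8) -> str:
    """Tiered decision from a suspicious probability: release trusted users,
    intercept machines, and challenge the doubtful with a further captcha."""
    if prob < low:
        return "release"
    if prob >= high:
        return "intercept"
    return "challenge"


if __name__ == "__main__":
    for name, track in (("human", HUMAN_TRACK), ("bot", BOT_TRACK)):
        verdict = verify_slide(track, gap_x=100.0)
        print(name, verdict, route(verdict["prob"] or 0.0))
```

The rule check comes first on purpose: a drag that never reaches the gap is rejected without spending model inference on it, and only trajectories that pass the cheap geometric test are scored. In a real deployment the classifier would be trained on labelled trajectories rather than hand-weighted as here.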
For malicious users, a point-and-click verification pops up, which further raises the cost of attack through dynamic semantic understanding and makes it harder for malicious users to do harm. The display form of the point-and-click verification code in the ICS platform is shown below. Its security design rests on six aspects: the color and style of the background picture are diverse; the Chinese characters in the picture are random; the total number of Chinese characters is random within a certain range; the position and tilt angle of every character are random; the font and color of the characters are random; and noise, interference lines or interference frames can be added to the picture to increase the difficulty of image text recognition.
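The six randomised aspects above, as an added example of how a server would generate and then check a point-and-click challenge. This is not ICS code: the character pool, font names, colours, canvas size and click tolerance are constructed placeholders, and image rendering is left to a renderer that would consume the `Challenge` record.

```python
import math
import random
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed parameters; the pool, font names and colours are placeholders.
CHAR_POOL = list("天地人和春夏秋冬山水风云日月星辰")
FONTS = ["font-a", "font-b", "font-c"]
COLORS = ["#1b3a57", "#7a1f1f", "#2e5e1a", "#4a2a6e"]
WIDTH, HEIGHT = 320, 160
MIN_GAP = 40        # minimum centre distance between two glyphs (px)
CLICK_RADIUS = 18   # a click counts if within this distance of the centre


@dataclass
class Glyph:
    char: str
    x: int
    y: int
    angle: int      # tilt in degrees
    font: str
    color: str


@dataclass
class Challenge:
    cid: str                 # opaque id the client echoes back
    glyphs: List[Glyph]      # what the renderer draws
    targets: List[str]       # characters the user must click, in this order
    noise_seed: int          # seed for the renderer's interference lines/frames


def make_challenge(rng: random.Random) -> Challenge:
    """Randomise every aspect the text lists: which characters, how many,
    where, at what tilt, in which font and colour, plus a noise seed."""
    n = rng.randint(4, 6)
    chars = rng.sample(CHAR_POOL, n)
    glyphs: List[Glyph] = []
    for ch in chars:
        for _ in range(200):  # rejection sampling keeps glyphs apart
            x = rng.randint(20, WIDTH - 20)
            y = rng.randint(20, HEIGHT - 20)
            if all(math.hypot(x - g.x, y - g.y) >= MIN_GAP for g in glyphs):
                break
        else:
            raise RuntimeError("could not place glyph without overlap")
        glyphs.append(Glyph(ch, x, y, rng.randint(-45, 45),
                            rng.choice(FONTS), rng.choice(COLORS)))
    targets = rng.sample(chars, rng.randint(2, 3))
    return Challenge(secrets.token_hex(16), glyphs, targets, rng.getrandbits(32))


def verify_clicks(store: Dict[str, Challenge], cid: str,
                  clicks: List[Tuple[int, int]]) -> bool:
    """Server-side check. The challenge is removed on the first attempt, so a
    replayed or guessed answer never gets a second chance at the same picture.
    Every click must hit its target character, in the prompted order."""
    ch = store.pop(cid, None)
    if ch is None or len(clicks) != len(ch.targets):
        return False
    centre = {g.char: (g.x, g.y) for g in ch.glyphs}
    return all(math.hypot(cx - centre[t][0], cy - centre[t][1]) <= CLICK_RADIUS
               for (cx, cy), t in zip(clicks, ch.targets))


if __name__ == "__main__":
    rng = random.Random()
    store: Dict[str, Challenge] = {}
    c = make_challenge(rng)
    store[c.cid] = c
    print("prompt: click", " ".join(c.targets), "in order;", len(c.glyphs), "glyphs drawn")
```

The answer (target order and glyph positions) lives only in the server-side store; the client receives the rendered picture and the challenge id. Keeping `CLICK_RADIUS` below half of `MIN_GAP` guarantees that one click can never satisfy two different characters.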
Finally, the ICS verification code applies the "image visual confrontation" (adversarial example) theory when processing verification code images, to improve the defense against automatic cracking scripts based on computer vision. The theory points out that a neural network is overly sensitive to local image texture, while its perception of the overall contour is weak. Therefore it is possible to "deceive" the neural network by adding random noise signals to the picture, which serves the purpose of defense. The following figure is a famous example from adversarial learning:
As the picture shows, the noise signal in the middle is added to the Alpine picture on the left to obtain the picture on the right. For a human judging the category this has no misleading effect, yet the same machine learning model confidently believes the result is a picture of a dog. When ICS verification code pictures are generated, similar interference noise is added randomly in the key areas, and this noise is iterated and updated regularly, which further increases the cost of cracking.
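The mechanism the figure illustrates, as an added example that is not from the article or from ICS: a linear scorer stands in for the neural network, the 4x4 greyscale "image" and its weights are constructed, and the class names mirror the figure. It shows that noise aligned with the model's gradient flips the prediction within a small per-pixel budget, while noise of the same amplitude in an arbitrary pattern leaves the score untouched; the visible change to the image is identical in magnitude in both cases.

```python
import math
from typing import List

SIZE = 4  # constructed 4x4 greyscale "image", pixel values in [0, 1]

# Constructed surrogate model: a linear scorer whose weights favour a bright
# left half. Positive score -> class "mountain", negative -> class "dog".
WEIGHTS: List[float] = [1.0 if i % SIZE < 2 else -1.0 for i in range(SIZE * SIZE)]
BIAS = 0.0
IMAGE: List[float] = [0.6 if i % SIZE < 2 else 0.4 for i in range(SIZE * SIZE)]


def score(x: List[float], w: List[float] = WEIGHTS, b: float = BIAS) -> float:
    """Linear score w.x + b of the stand-in model."""
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def confidence(s: float) -> float:
    """Sigmoid of the score: probability the model assigns to 'mountain'."""
    return 1.0 / (1.0 + math.exp(-s))


def _sign(v: float) -> float:
    return 1.0 if v > 0 else -1.0 if v < 0 else 0.0


def _clip01(v: float) -> float:
    return min(1.0, max(0.0, v))


def gradient_noise(x: List[float], w: List[float], eps: float,
                   push_toward_positive: bool = False) -> List[float]:
    """Fast-gradient-sign perturbation. For a linear scorer d(score)/dx = w, so
    moving each pixel by eps against sign(w) lowers the score by the largest
    amount possible under an L-infinity budget of eps."""
    d = 1.0 if push_toward_positive else -1.0
    return [_clip01(xi + d * eps * _sign(wi)) for xi, wi in zip(x, w)]


def checkerboard_noise(x: List[float], eps: float) -> List[float]:
    """Same amplitude, arbitrary pattern: +eps/-eps alternating per pixel.
    Its contributions cancel against the weights, so the score is unchanged."""
    return [_clip01(xi + eps * (1.0 if (i // SIZE + i % SIZE) % 2 == 0 else -1.0))
            for i, xi in enumerate(x)]


def linf(a: List[float], b: List[float]) -> float:
    """Largest per-pixel change: the 'visibility' of a perturbation."""
    return max(abs(p - q) for p, q in zip(a, b))


def label(x: List[float]) -> str:
    return "mountain" if score(x) > 0 else "dog"


if __name__ == "__main__":
    adv = gradient_noise(IMAGE, WEIGHTS, 0.15)
    same = checkerboard_noise(IMAGE, 0.15)
    for name, img in (("original", IMAGE), ("gradient noise", adv), ("checkerboard", same)):
        s = score(img)
        print(f"{name:15s} score={s:+.2f} p(mountain)={confidence(s):.2f} "
              f"label={label(img)} linf_change={linf(IMAGE, img):.2f}")
```

The point for a captcha generator is the direction of the noise, not its amplitude: a perturbation computed against a surrogate of the attacker's recogniser degrades it far more than an equally visible random pattern. The article describes the ICS noise as random and regularly refreshed; the gradient-aligned construction shown here is the textbook form behind the figure.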
The ICS smart verification code service can be applied to any scenario that may be attacked by machine behavior, including but not limited to the following seven:
• Login: prevent the damage to users' interests caused by credential stuffing (database collision) and brute force attacks.
• Registration: prevent the thousands of junk accounts created every day by registration bots, and standardize operations at the source.
• SMS: prevent the economic loss and malicious harassment caused by abuse of the SMS interface.
• Voting: prevent unfair competition caused by fake votes and maintain the health of the website's ecosystem.
• Social: prevent malicious spam posts and comments on blogs and forums, and promote a simple and refreshing social environment.
• Search: prevent malicious crawlers from scraping information, avoiding excessive consumption of machine resources and illegal theft of information by third parties.
• Payment: prevent scalpers ("yellow cattle") from bulk-buying tickets, safeguarding the legitimate rights and interests of ordinary ticket buyers and the brand reputation of ticketing websites.
The advantages of the ICS intelligent verification code service are reflected in four aspects:
• Accurate identification: relying on big data analysis and multi-dimensional data collection for comprehensive identification, the risk identification accuracy is higher than 98.5%.
• Intelligent security: the learning engine evolves by itself, forming a four-layer AI defense against forgery, tampering, replay and disturbance.
• Ultimate experience: the intelligent combination of multiple verification products with a real-time decision platform balances security and user experience.
• Risk visualization: overall control of the security situation is offered through risk visualization in the console, which provides web page machine traffic identification, verification traffic statistics and attack access statistics.