ITR/SY: Mandatory Human Participation: A New Paradigm for Building Secure Systems
Georgia Tech Research Corporation, Atlanta GA
Investigators
Abstract
Currently, automatic attacks are a major threat to computer security. For example, the cheapest home PC can try thousands of "probes" against a targeted system. A brute-force password (or PIN number) guessing program can generate and try tens of thousands of candidate passwords each second. Or a home PC could attempt to flood a web site with thousands of "bogus" requests. While there methods that attempt to stop such attacks they all can be defeated to some degree. We propose a new approach to this security based on technology that can tell the difference between robots and humans. Thus, we can disallow automatic attacks. Our technology allows a new kind of restriction: now systems can insist that only humans have access to their valuable resources and they can disallow robots. The proposed solution to the problem is inspired by Turing's test for artificial intelligence. The fundamental idea of the solution is for a computer system to first ask the author of every transaction to solve a puzzle before accepting or executing the transaction. The content of the puzzle will be based on grand challenge problems in the domains of pattern recognition, visual interpretation, and natural language understanding. These problems have the essential property that people can solve them easily while computers are not likely to solve them in the foreseeable future. A typical puzzle would consist of the computer system sending the agent a bit-mapped image and the agent replying with an ascii string. The image might include a picture and a question and a question about that picture, such as "Please type the following handwritten word" or "Which of the objects in this picture are edible?" The computer system determines whether the transaction author is a human based on the answer supplied. This puzzle-solving process leads to a new framework for building secure computer systems. In this framework, a human being has to be directly involved (by solving the puzzle and typing in the answer) in the authentication or other processes that are vulnerable to automatic attacks, referred to as Mandatory Human Participation (MHP). Apparently, no automatic attack to the protected process would be possible under this framework. Our proposed research is to build a pilot system that can be used to demonstrate the basic idea of MHP. This will be based mostly on character based methods. We then, plan to carefuly test and measure how well our system performs and how well it is received by users.
View original record on NSF Award Search →