CAPTCHA - PowerPoint PPT Presentation
Security policies and audio CAPTCHA focused on SIP-based VoIP
Yannis Soupionis, Dimitris Gritzalis
{jsoup, dgrit}@aueb.gr
Information Security and Critical Infrastructure Protection Research Group, Dept. of Informatics, Athens University of Economics and Business (AUEB)

CAPTCHA
CAPTCHA is a contrived acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart". A CAPTCHA challenge is a test that most humans can pass but current computer programs cannot.

Security Policy and Categorization
We propose a security policy that consists of rules which can handle and identify the possible SIP-based attacks during VoIP communication. According to Sloman M. and Lupu E., policies can be sorted into two basic types, namely authorization policies and obligation policies. Authorization policies are used to define access rights for a subject (management agent, user, or role). They can be either positive (permit an action on a target object) or negative (forbid an action on a target object). As such, authorization policies are used to define access control rules implemented by several types of mechanisms in a network security system, such as packet filters. Obligation policies are event-triggered condition-action rules that are used to define what kind of activities a subject (human or automated manager components) must perform on objects in the target domain. In the network security context, obligation policies can be used to specify the functionality of mechanisms such as intrusion detection systems (IDS). We consider the SIP policy to be an obligation policy.

CAPTCHA challenges are automatically generated and graded by a computer. Since only humans are able to return a sensible response, an automated Turing test embedded in the above protocol can verify whether there is a human behind the challenged computer. The proposed CAPTCHAs must be (a) easy for humans to pass, (b) easy for a tester machine to generate and grade, and (c) hard for a software bot to pass.

CAPTCHA Categories
1. Visual CAPTCHAs: text or image based.
2. Audio CAPTCHAs: spoken character based.
3. Logical CAPTCHAs: simple question based, e.g. "We have a mother and her daughter. Who is the younger of those two?"

Open Issue and Methodology
The open issue that appears with the use of a SIP-based security policy is that it should consist of rules for identifying a series of attacks which can be accomplished by using or compromising the protocol, or by exploiting vulnerabilities of the various applications that are based on SIP. The methodology we follow in order to create a SIP-based security policy is:
(a) To analyze the policy into distinct modules, which perform discrete procedures.
(b) To identify the attributes of each module.
(c) To define in a formal and automated way the connections between those modules (APIs).
(e) To find a strict method to transform every rule-action into a data presentation language, so that it can be easily integrated into a SIP-based VoIP environment.

Audio CAPTCHA and SPAM over Internet Telephony (SPIT)
Audio CAPTCHAs were created for visually impaired people who want to register for, or make use of, a service that demands the answer to a visual CAPTCHA. However, an audio CAPTCHA would also be really useful to defend against automated unwanted audio messages in a VoIP infrastructure.

Integration
(f) To identify an efficient way to enforce these rules in a SIP-based communication.

Policy modules
There are five main modules:
1. Application Attributes module, which consists of the attributes that can be exploited in order for an attack to be accomplished. The application attributes are based on (a) protocol attributes, (b) specific application methods, and (c) system-based attributes.
2. User/Default Preferences module, which recognizes the need for some entities to be treated in a special way.
3. Rules and Countermeasures module, which is based on the above-mentioned attributes and consists of strictly defined rules and the appropriate set of actions for each one.
4. Detection module, which takes the rules as input, dynamically checks whether a possible attack is being accomplished, and triggers the appropriate action.
5. Enforcement module, which is responsible for deciding whether the proposed action should be activated or not.

SIP message exchange for CAPTCHA

Research Question and Methodology
How do we develop an effective CAPTCHA that humans are willing to take? This question straddles the fields of human-computer interaction (HCI) and computer security. The methodology we followed in order to answer this question adequately is: (a) to propose a classification of the characteristics/attributes of an audio CAPTCHA, (b) to create CAPTCHAs based on various combinations of the attributes, (c) to identify a strong, publicly available bot in order to test our produced CAPTCHAs, and (d) to validate our CAPTCHAs with serious user tests.
Audio CAPTCHA Characteristics

Implementation
Step 1: Policy Development. An electronic policy should contain policy rules, which are the conditions that must be fulfilled in order to identify that an attack has been launched, together with the appropriate action to counter it.
Step 2: Policy Integration in a SIP-based VoIP Infrastructure.
- The SIP parser. It is an automated process, integrated into the SER server and used to support the routing of incoming SIP messages. The SIP parser can scan SIP messages and extract the message attributes.
- The XML parser. The parser reads the XML policy into memory and provides easy access to the tag values of the document.
- The policy enforcement (or decision) point. Its input is the parsed XML document together with the message attributes. If a condition described in the policy is met, then the appropriate action is applied.
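The policy pipeline described in the modules and the two implementation steps above (SIP parser, XML policy parser, enforcement point), as an added example that is not the authors' or the SER project's code. The XML schema (rule/pattern/action), the attribute and action names, and the sample INVITE are assumptions constructed for this illustration; the poster does not specify them.

```python
"""Toy SIP policy enforcement point: XML policy -> parsed INVITE -> action."""
import re
import xml.etree.ElementTree as ET

# Constructed policy (assumed schema): each rule matches regexes over SIP attributes.
POLICY_XML = """<policy>
  <rule id="trusted-domain"><pattern attr="from_domain" regex="^aueb\\.gr$"/><action>allow</action></rule>
  <rule id="bot-ua"><pattern attr="user_agent" regex="(?i)autodialer"/><action>reject</action></rule>
  <rule id="unknown-caller"><pattern attr="method" regex="^INVITE$"/><action>audio_captcha</action></rule>
</policy>"""

# Constructed SIP INVITE, as the SIP parser in the SER server would receive it.
INVITE = ("INVITE sip:bob@aueb.gr SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
          "From: \"Alice\" <sip:alice@example.net>;tag=1928\r\n"
          "To: <sip:bob@aueb.gr>\r\n"
          "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
          "CSeq: 1 INVITE\r\n"
          "User-Agent: ExampleAutoDialer/0.1\r\n\r\n")

def parse_sip(msg):
    """SIP parser: extract the message attributes the policy can match on."""
    head, _, _ = msg.partition("\r\n\r\n")          # ignore the SDP body
    lines = head.split("\r\n")
    attrs = {"method": lines[0].split()[0]}         # request line: METHOD URI VERSION
    for line in lines[1:]:
        name, _, value = line.partition(":")        # split on the first colon only
        attrs[name.strip().lower()] = value.strip()
    uri = re.search(r"sip:([^@>;]+)@([^>;:]+)", attrs.get("from", ""))
    attrs["from_user"], attrs["from_domain"] = uri.groups() if uri else ("", "")
    attrs["user_agent"] = attrs.get("user-agent", "")
    return attrs

def load_policy(xml_text):
    """XML policy parser: rules as (id, [(attribute, compiled regex)], action)."""
    rules = []
    for rule in ET.fromstring(xml_text).findall("rule"):
        pats = [(p.get("attr"), re.compile(p.get("regex"))) for p in rule.findall("pattern")]
        rules.append((rule.get("id"), pats, rule.findtext("action")))
    return rules

def decide(rules, attrs, default="allow"):
    """Enforcement point: the first rule whose patterns all match decides the action."""
    for rule_id, pats, action in rules:
        if all(rx.search(attrs.get(attr, "")) for attr, rx in pats):
            return rule_id, action
    return None, default

if __name__ == "__main__":
    print(decide(load_policy(POLICY_XML), parse_sip(INVITE)))   # ('bot-ua', 'reject')
```

Rule order matters: a trusted domain is allowed before the user-agent check runs, and an otherwise unknown INVITE falls through to the audio CAPTCHA challenge rather than being rejected outright.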

Automated Bot and Audio Analysis
The bot was made by Jochem Vorm and employs frequency and energy peak detection methods. The choice was based on the high success rate it has in breaching known audio CAPTCHAs (Google: > 30%) and the short time period it needs. The figures show the transformation of the audio file and the way the bot manages to identify the digits. The audio CAPTCHAs were created after four unsuccessful tries.
User and Bot Success
Integration in a SIP server
