Use of Human Cognition in HIP Design via EmotIcons to Defend BOT Attacks

Mir Tafseer Nayeem, Department of Computer Science and Information Technology (CIT), Islamic University of Technology (IUT), Board Bazar, Gazipur-1704, Bangladesh. e-mail: mtnayeem@yahoo.com
Md. Saddam Hossain Mukta, Department of Computer Science and Information Technology (CIT), Islamic University of Technology (IUT), Board Bazar, Gazipur-1704, Bangladesh. e-mail: mukta944@gmail.com
Samsuddin Ahmed, CSE Discipline, Chittagong University (CU), Chittagong, Bangladesh. e-mail: sambd86@gmail.com
Md. Mahbubur Rahman, Department of Computer Science and Engineering (CSE), Bangladesh University of Engineering and Technology (BUET), Dhaka, Bangladesh. e-mail: mahbub_cse89@yahoo.com

Abstract — Many services on the internet, including email, search engines and social networking, are provided free of charge owing to the enormous growth in the number of web users. With the expansion of web services, denial of service (DoS) attacks by malicious automated programs (e.g. web bots) are becoming a serious problem for web service accounts. To fend off large-scale attacks from malicious computer programs, HIPs, or Human Interactive Proofs, have been introduced to distinguish humans from computers. HIPs are designed to be easy for humans but hard for machines. Unfortunately, existing HIPs have tried to maximize the difficulty for automated programs by increasing distortion or noise; consequently, they have also become difficult for legitimate users. Our proposed technique resolves this problem by making use of human cognitive processing abilities through emoticons, focusing mainly on the user. Features such as language independence, suitability for advertising, an easy-to-use interface for touch-based smartphone users, and simple tuning of the security and usability levels make it very attractive to web service providers.
In the results section, a fine-grained, large-scale user study involving 118 users was conducted to compare actual user views of our system with existing state-of-the-art CAPTCHA systems such as ESP-PIX and Asirra in terms of usability and security; we found that our system can be solved with an 88.04% average success rate in less than 7 seconds.

Keywords - CAPTCHA; HIPs; Usability; Security; OCR; Web Services; Cognitive Psychology; EmotIcons.

I. INTRODUCTION

A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) or HIP (Human Interactive Proof) is an automatic security mechanism used to determine whether the user is a human or a malicious computer program. It is a program that generates and grades tests that humans can solve but that are intended to be beyond the capabilities of current computer programs [1]. It has become the most widely used standard security technology for preventing attacks by automated computer programs. With the expansion of Web services, denial of service (DoS) attacks by malicious automated programs (e.g., bots) are becoming a serious problem: masses of Web service accounts are being illicitly obtained, bulk spam e-mails are being sent, and mass spam blogs (splogs) are being created. Thus, the Turing test is becoming a necessary technique for discriminating humans from malicious automated programs [1]. In the original Turing Test, a human judge was allowed to ask a series of questions to two players, one of which was a computer and the other a human. Both players pretended to be human, and the judge had to distinguish between them [2]. CAPTCHAs are similar to the Turing Test in that they distinguish humans from computers, but they differ in that the judge is now a computer. A CAPTCHA is usually a simple visual test or puzzle that a human can complete without much difficulty but that an automated program cannot understand. The test usually consists of letters, numbers or a combination of both, often overlapping and intersecting.
A typical example of a text-based CAPTCHA challenge is shown in Figure 1. The CAPTCHA images may be distorted in some way or shown against an intricate background to keep them from being easily read by Optical Character Recognition (OCR) software or other image recognition systems. Currently, to prevent malicious programs from indiscriminately posting advertisements or other useless information, message boards, BBSs, blogs and wikis have widely adopted CAPTCHA challenges as a defense mechanism [1], requiring users to input the correct letters before they may leave a message. CAPTCHAs have a wide variety of applications on the web, such as:

1. Offering a plausible defense against email worms and spam.
2. Protecting Web pages from being crawled by search engines.
3. Preventing dictionary attacks in password systems, as suggested by Pinkas and Sander [3].
4. Collecting valid online polls, where voters must show they are human before being allowed to vote.
5. Limiting usage rate: for example, automatic use of a particular service is allowed unless such use goes beyond a certain extent and affects other users.
6. Protecting free email services. Several companies (Google, Yahoo!, Microsoft, etc.) offer free email accounts; unfortunately, "Web bots", scripts capable of registering thousands of email accounts every minute, waste precious web space. This situation has been improved by requiring users to prove they are human before they can obtain a free email account.

Moreover, some spammers have found a creative way to give their bots CAPTCHA-solving capabilities: using pornographic sites, they outsource the CAPTCHA-solving task to humans. For example, when a bot is faced