Anti-bot Strategies Based on Human Interactive Proofs

Alessandro Basso and Francesco Bergadano

15

Contents

15.1 Automated Tools 273
15.2 Human Interactive Proof 275
15.3 Text-Based HIPs 276
15.4 Audio-Based HIPs 278
15.5 Image-Based HIPs 279
15.5.1 ESP-PIX 279
15.5.2 Bongo 279
15.5.3 KittenAuth 280
15.5.4 Asirra 280
15.5.5 IMAGINATION 282
15.5.6 ARTiFACIAL 282
15.5.7 EasyPIC and MosaHIP 283
15.5.8 Issues of Image-Based HIPs 287
15.6 Usability and Accessibility 288
15.7 Conclusion 289
References 289
The Authors 291

Human Interactive Proofs (HIPs) are a class of tests used to counter automated tools. HIPs are based on the discrimination between actions executed by humans and activities undertaken by computers. Several types of HIPs have been proposed, based on hard-to-solve Artificial Intelligence problems, and they can be classified in three major categories: text-based, audio-based and image-based. In this chapter, we give a detailed overview of the currently used anti-bot strategies relying on HIPs. We present their main properties, advantages, limits and effectiveness.

15.1 Automated Tools

The rapid and extremely large growth of the Internet has created the need to automate several web-related activities by means of purpose-built tools. Some of these programs are created to support humans in carrying out time-consuming and tedious operations.
Others, instead, are developed to undertake activities which are considered illegal or at odds with the commonly accepted rules and habits of web use [15.1]. Being a serious threat to the security and data integrity of web applications and Internet sites, automated tools have been constantly fought by the Internet community through several, more or less effective, defense strategies.

An automated tool, also known as a robot (bot) or scanner, is a computer program that executes a sequence of operations continuously, without the need for human interaction [15.1]. A typical example of a web robot is a mirroring tool, a program that automatically makes a copy of a web site by downloading all of its resources. It must traverse the hypertext structure of a retrieved document and recursively fetch all the referenced documents. Another common name for such a program is "spider". However, it should be noted that this term may be misleading, since the word "spider" gives the erroneous impression that the robot itself moves through the Internet. In reality, robots are implemented as a single software system that retrieves information from remote sites using standard web protocols [15.2].

The increasing complexity of Internet services and the lack of information regarding secure web application development are among the reasons which motivate the existence of bots. A web bot is gener-

273 © Springer 2010, Handbook of Information and Communication Security (Eds.) Peter Stavroulakis, Mark Stamp
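The recursive traversal that Sect. 15.1 attributes to a mirroring tool, shown as an added example that is not part of the chapter: the "site" is a constructed in-memory map of URLs to HTML bodies (a stand-in for fetching over HTTP), and the traversal resolves relative links, strips fragments, stays on the starting host, and uses a visited set so that cycles in the hypertext do not cause endless re-fetching.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urldefrag, urlparse

# Constructed stand-in for a remote site: URL -> HTML body (None = non-HTML
# resource such as an image). A real mirroring tool would fetch these bodies
# with standard web protocols; here they are embedded so the example runs offline.
SITE = {
    "http://example.test/": '<a href="/docs/">Docs</a> <a href="about.html">About</a>',
    "http://example.test/docs/": '<a href="../about.html">About</a> <a href="guide.html#top">Guide</a>',
    "http://example.test/docs/guide.html": '<a href="/">Home</a> <a href="http://other.test/x">Ext</a>',
    "http://example.test/about.html": '<img src="logo.png"> <a href="/docs/">Docs</a>',
    "http://example.test/logo.png": None,
}


class LinkExtractor(HTMLParser):
    """Collects the references a document makes: <a href> and <img src>."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "img" and attrs.get("src"):
            self.links.append(attrs["src"])


def extract_links(base_url, html):
    """Return absolute, fragment-free URLs referenced by the document at base_url."""
    parser = LinkExtractor()
    parser.feed(html)
    return [urldefrag(urljoin(base_url, ref)).url for ref in parser.links]


def mirror(start_url, fetch, max_pages=100):
    """Breadth-first traversal of the hypertext reachable from start_url, limited
    to the starting host and to max_pages fetches. Returns URLs in fetch order."""
    host = urlparse(start_url).netloc
    queue, seen, order = [start_url], {start_url}, []
    while queue and len(order) < max_pages:
        url = queue.pop(0)
        body = fetch(url)          # one program retrieving documents, nothing "moves"
        order.append(url)
        if body is None:
            continue               # non-HTML resource: downloaded, nothing to traverse
        for link in extract_links(url, body):
            if urlparse(link).netloc == host and link not in seen:
                seen.add(link)     # visited set breaks cycles (guide -> home -> docs ...)
                queue.append(link)
    return order
```

Calling `mirror("http://example.test/", SITE.get)` retrieves the four pages and the image once each and never leaves the starting host.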