International Journal of Video & Image Processing and Network Security IJVIPNS-IJENS Vol: 11 No: 05 9
117005-8383 IJVIPNS-IJENS © October 2011 IJENS
Abstract— Nowadays, due to the enormous growth in web users,
many Internet services, including email, search engines and
social networking, are provided free of charge. With the
expansion of Web services, denial of service (DoS) attacks by
malicious automated programs (e.g., web bots) are becoming a
serious problem for web service accounts. CAPTCHA (Completely
Automated Public Turing test to tell Computers and Humans
Apart) is a human authentication mechanism that generates and
grades tests to determine whether the user is a human or a
malicious computer program. These tests are easy for humans
to solve and tough for automated bots. According to our study,
existing CAPTCHA techniques try to maximize the
difficulty for automated programs to pass tests by increasing
distortion or noise. Consequently, the tests have become difficult
for humans too. In our proposed solution, we try to make use of
human cognitive processing abilities in our CAPTCHA design.
The suggested approach, Move & Select, is a 2-layer test designed
to improve security and reduce the solving time for humans. In the
results section we study both the usability and security
issues of our design. The user studies indicate that this
CAPTCHA can be solved with a 99.04% average success rate in
less than 10 seconds.
Index Terms— CAPTCHA, Cognitive Psychology, DoS, HIP,
Move & Select, OCR, Security, Usability, Web Services.
I. INTRODUCTION
A CAPTCHA (Completely Automated Public Turing test to
tell Computers and Humans Apart) or HIP (Human Interactive
Proof) is an automatic security mechanism used to determine
whether the user is a human or a malicious computer program.
It is a program that generates and grades tests that are human
solvable, but intended to be beyond the capabilities of current
computer programs [1]. It has become the most widely used
standard security technology to prevent automated computer
program attacks. With the expansion of Web services, denial
of service (DoS) attacks by malicious automated programs
(e.g., bots) are becoming a serious problem as masses of Web
service accounts are being illicitly obtained, bulk spam e-mails
are being sent, and mass spam blogs (splogs) are being
created. Thus, the Turing test is becoming a necessary
technique to discriminate humans from malicious automated
programs [2].
In the original Turing Test, a human judge was allowed to
ask a series of questions to two players, one of which was a
computer and the other a human. Both players pretended to be
human, and the judge had to distinguish between them [3].
CAPTCHAs are similar to the Turing Test in that they distinguish
humans from computers, but they differ in that the judge is
now a computer.
The CAPTCHA is usually a simple visual test or puzzle that
a human can complete without much difficulty, but an
automated program cannot understand. The test usually
consists of letters, numbers or their combination with
overlapping and intersection. The CAPTCHA images may be
distorted in some way or shown against an intricate
background to keep them from being easily read by Optical
Character Recognition (OCR) software.
Currently, in order to prevent malicious programs from
recklessly posting advertisements or other useless information,
BBS message boards, blogs and wikis widely use the
CAPTCHA mechanism, requiring users to input the
correct letters before leaving a message. CAPTCHAs have a wide
variety of applications on the web, such as:
Worms and Spam: CAPTCHAs also offer a plausible solution
against email worms and spam: only accept an email if you
know there is a human behind the other computer.
Online Polls: In November 1999, http://www.slashdot.com
released an online poll asking for the best graduate school in
computer science. IP addresses of voters were recorded in
order to prevent single users from voting more than once.
However, students at Carnegie Mellon figured out a way to
stuff the ballots using programs that voted for CMU thousands
of times. CMU's score started growing rapidly. The next day,
students at MIT wrote their own voting program and the poll
became a contest between voting “bots”. CAPTCHAs
offer a solution: voters should show they are human before
being allowed to vote.
Free Email Services: Several companies (Google, Yahoo!,
Microsoft, etc.) offer free email services, which have been
targeted by “bots” that signed up for thousands of email
accounts every minute. This situation
has been improved by requiring users to prove they are human
before they can get a free email account.
Move & Select: 2-Layer CAPTCHA Based on Cognitive Psychology for Securing Web Services
Moin Mahmud Tanvee¹, Mir Tafseer Nayeem², Md. Mahmudul Hasan Rafee³
¹moin.mahmud38@gmail.com, ²mtnayeem@yahoo.com, ³mahmudul_rafee@yahoo.com
¹,²,³Department of Computer Science and Information Technology (CIT)
Islamic University of Technology (IUT)
Board Bazar, Gazipur-1704, Bangladesh