SRS PRESENTATION
Ronen Mendezitsky & Alon Weiss
HASTAC Website Protection System
Overview
An online security system for ASP.NET websites
Helps fight brute-force attacks on secured systems
Uses innovative methods to stop rogue OCR software that cracks the widely used CAPTCHA
Adds an image ("Challenge") with a question embedded in it. The user must answer the question in order to log in or register.
Contract
What ASP.NET webmasters need:
The most non-intrusive software component to plug in to their website, easily deployed and maintained
A friendly and simple utility to remotely configure the system
The system should use minimal CPU, HDD, and bandwidth resources.
Research
Most CAPTCHAs today are either low-grade, crude Unix scripts or in-house developments
Most of them have been either reverse engineered or easily cracked in real time using rogue OCR programs
CAPTCHAs are becoming more complex in order to deal with these rogue programs
Top-Level Design
Requirements and boundaries for design:
Variable complexity
Simple yet full-featured management software
Allow for a much larger Q&A space
Fast response
Minimal resource usage
Easy integration
Generated image should be small and compressible
The Problem
Password-protected websites encounter:
Brute-force attacks that consume a lot of bandwidth
Cracking attempts by automated bots
Creation of accounts in bulk by automated bots
Account lists generated by bots and posted on the internet, which are then used by other bots to leech off the site
The Customers
ASP.NET websites (around 30%)
[Chart of web-server share: Apache, Microsoft, Sun, NCSA, Other]
Competition
Product: Strongbox
Vendor: Ray Morris (bettercgi.com)
Link: http://www.bettercgi.com/strongbox/
Price: $150 per site (one-time)
A 5-letter image-based code protection
Competition
Product: T4wsentry.pl
Vendor: Fisher Technologies, Inc.
Link: http://www.tools4webmasters.com/t4wsentry.htm
Price: $65 per site (one-time)
A Perl script that requires the user to log in from a specific page in order to access the restricted area of the website
Competition
Product: Pennywize
Vendor: Zarvon P/L
Link: http://www.pennywize.com/
Price: $30-$170 (monthly rate)
An IP-based protection system
Competition
Product: BotDetect
Vendor: LANAP software
Link: http://www.lanapsoft.com
Price: $60-$100 per site (one-time)
Supports up to 50 different CAPTCHA types at variable length and image size, producing different file formats
The Proposed product
A challenge is presented to the user at the log-in page in the form of an image
Each image contains many elements
A challenge is embedded in the image
Answering the challenge correctly completes human verification
Challenges
Make the question and answer space as large as possible
Use as little bandwidth as possible
SQL database access and HDD I/O should be minimal
Image manipulation algorithms should be developed to render OCR useless
The system has to be user friendly, both to the end user and to the website administrator
The system should be upgradable with plug-ins
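The "Proposed product" and "Challenges" slides describe the flow (issue a question, accept one answer, keep database and disk access minimal) without showing the server side of it. The following is an added example written for this page; it is not HASTAC's code and the question pool, field names and limits are assumptions. It leaves out rendering the question into an image and shows only the issue/verify logic: the token handed to the browser carries a nonce, an expiry and a client binding under a keyed HMAC that also covers the expected answer, so the server stores nothing per challenge except a small set of spent nonces. Each token accepts exactly one guess and a client is locked out after a few consecutive misses, which is what stops a bot from brute-forcing a small answer space by resubmitting the same challenge.

```python
"""Challenge issue/verify for a question-in-image CAPTCHA (added example; not the HASTAC code)."""
import hashlib
import hmac
import secrets
import time

# Constructed question/answer pool, for illustration only. The product aims at a
# much larger Q&A space; the server-side logic below does not change with pool size.
QA_POOL = [
    ("Which of these is a fruit: hammer, apple, wrench?", "apple"),
    ("How many legs does a spider have?", "8"),
    ("What colour is the sky on a clear day?", "blue"),
    ("Which word names an animal: table, horse, river?", "horse"),
]

SERVER_KEY = secrets.token_bytes(32)   # held only on the server, never sent to the client
TTL_SECONDS = 120                      # how long an issued challenge stays valid (assumed)
MAX_FAILURES = 3                       # consecutive wrong answers before a client is locked out (assumed)

_spent_nonces = set()                  # challenges already judged, right or wrong: one guess each
_failures = {}                         # client id -> consecutive wrong answers


def _norm(answer):
    """Case- and whitespace-insensitive comparison so 'Apple ' still counts."""
    return " ".join(answer.strip().lower().split())


def _client_key(client_id):
    """Short fingerprint of the client (e.g. IP or session id) embedded in the token."""
    return hashlib.sha256(client_id.encode()).hexdigest()[:16]


def _tag(nonce, exp, ckey, answer):
    """Keyed MAC over token fields and the normalised answer; unforgeable without SERVER_KEY."""
    msg = f"{nonce}.{exp}.{ckey}.{_norm(answer)}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(client_id, now=None, rng=None):
    """Pick a question and return (question_text, token).

    Because the MAC is keyed, a bot holding the token cannot precompute tags for
    every answer in a small pool, and the server keeps no per-challenge database
    row (only the spent-nonce set), which keeps SQL and disk I/O minimal."""
    now = int(time.time() if now is None else now)
    rng = rng or secrets.SystemRandom()
    question, answer = rng.choice(QA_POOL)
    nonce = secrets.token_hex(8)
    exp = now + TTL_SECONDS
    ckey = _client_key(client_id)
    return question, f"{nonce}.{exp}.{ckey}.{_tag(nonce, exp, ckey, answer)}"


def verify_answer(token, answer, client_id, now=None):
    """Return True only for an unexpired, unspent token, bound to this client, whose answer matches.

    Each token is burned on its first guess and a client is locked out after
    MAX_FAILURES consecutive misses, so the answer space cannot be brute-forced."""
    now = int(time.time() if now is None else now)
    if _failures.get(client_id, 0) >= MAX_FAILURES:
        return False
    parts = token.split(".")
    if len(parts) != 4:
        return False
    nonce, exp, ckey, tag = parts
    if not exp.isdigit() or int(exp) < now:
        return False
    if not hmac.compare_digest(ckey, _client_key(client_id)):
        return False                   # token issued to someone else; leave it unspent
    if nonce in _spent_nonces:
        return False                   # replay of an already-judged challenge
    _spent_nonces.add(nonce)           # burn the challenge before judging the answer
    ok = hmac.compare_digest(tag, _tag(nonce, exp, ckey, answer))
    if ok:
        _failures.pop(client_id, None)
    else:
        _failures[client_id] = _failures.get(client_id, 0) + 1
    return ok


if __name__ == "__main__":
    q, t = issue_challenge("203.0.113.7")
    print(q)
    print("correct:", verify_answer(t, dict(QA_POOL)[q], "203.0.113.7"))
    print("replay :", verify_answer(t, dict(QA_POOL)[q], "203.0.113.7"))
```

In a real deployment the spent-nonce set and failure counters would live in a shared store with the same lifetime as the token, and the lockout would be keyed on something harder to rotate than a bare source IP; the point of the example is the order of checks (lockout, format, expiry, client binding, replay, then a constant-time MAC comparison) and that the answer itself never leaves the server in recoverable form.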
Criteria for success
Success: Meeting all the requirements described
Failure: poor integration, poor challenge and response quality, excessive resource usage, or bad plug-in support
Use Cases
A webmaster of a single website that has no protection and a lot to secure requires authentication for the sensitive content
A group of webmasters wish to create a single sign-in solution for their websites
A specific service requires high-fidelity human authentication, such as e-voting systems, polls, forms, public & free e-mail services, all to avoid mass junk data from being stored or sent using the service.
Initial Plan and Progress
Research and development of the HASTAC algorithm
Research brute-force techniques against CAPTCHA-protected websites
Investigate integration methods with current ASP.NET websites
Build an administration interface ("Back-Office") for the system
Define the main software modules and their integration
Perform stress testing on the algorithm