Seeing Through the Mask: Rethinking Adversarial Examples for CAPTCHAs
Yahya Jabary, Andreas Plesner, Turlan Kuzhagaliyev, Roger Wattenhofer

TL;DR
This paper demonstrates that applying masks to images fools modern classifiers to a significant degree, revealing that current CAPTCHAs and image recognition models are still vulnerable despite advances.
Contribution
The study introduces a mask-based perturbation method that significantly reduces classifier accuracy, challenging assumptions about model robustness against adversarial modifications.
Findings
Mask addition drops Acc@1 by over 50% for most models.
Robust models like vision transformers experience an 80% accuracy drop.
Masks preserve human solvability while fooling classifiers.
Abstract
Modern CAPTCHAs rely heavily on vision tasks that are supposedly hard for computers but easy for humans. However, advances in image recognition models pose a significant threat to such CAPTCHAs. These models can easily be fooled by generating some well-hidden "random" noise and adding it to the image, or hiding objects in the image. However, these methods are model-specific and thus cannot aid CAPTCHAs in fooling all models. We show in this work that by allowing for more significant changes to the images while preserving the semantic information and keeping it solvable by humans, we can fool many state-of-the-art models. Specifically, we demonstrate that by adding masks of various intensities the Accuracy @ 1 (Acc@1) drops by more than 50%-points for all models, and supposedly robust models such as vision transformers see an Acc@1 drop of 80%-points. These masks can therefore…
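The measurement the abstract describes, blending a mask into each image at several intensities and reporting Acc@1 and its drop in %-points, is sketched below as an added example that is not code from the paper or its authors. The stripe pattern, the gradient-based stand-in classifier and the tiny dataset are all constructed assumptions for illustration.

```python
# Added illustration: sweep mask intensity and report Acc@1 and its drop in %-points.

def stripe_mask(h, w):
    # Assumed pattern: 1-pixel vertical stripes (the page does not specify mask shapes).
    return [[float(x % 2) for x in range(w)] for _ in range(h)]

def apply_mask(img, mask, intensity):
    # Alpha-blend the mask over the image; intensity 0 leaves the image unchanged.
    return [[(1 - intensity) * p + intensity * m for p, m in zip(irow, mrow)]
            for irow, mrow in zip(img, mask)]

def edge_classifier(img):
    # Constructed stand-in for a model: decides by local gradient energy.
    # Label 0 = top/bottom split, label 1 = left/right split.
    h, w = len(img), len(img[0])
    gx = sum(abs(img[y][x + 1] - img[y][x]) for y in range(h) for x in range(w - 1))
    gy = sum(abs(img[y + 1][x] - img[y][x]) for y in range(h - 1) for x in range(w))
    return 1 if gx > gy else 0

def make_dataset(size=8):
    # Constructed samples: bright region above row k (label 0) or left of column k (label 1).
    images, labels = [], []
    for k in range(2, size - 1):
        images.append([[1.0 if y < k else 0.0 for _ in range(size)] for y in range(size)])
        labels.append(0)
        images.append([[1.0 if x < k else 0.0 for x in range(size)] for _ in range(size)])
        labels.append(1)
    return images, labels

def acc_at_1(classify, images, labels):
    # Top-1 accuracy in percent.
    hits = sum(1 for img, y in zip(images, labels) if classify(img) == y)
    return 100.0 * hits / len(labels)

def sweep(classify, images, labels, mask, intensities):
    # Returns (intensity, Acc@1, drop in %-points relative to unmasked images).
    base = acc_at_1(classify, images, labels)
    rows = []
    for a in intensities:
        masked = [apply_mask(img, mask, a) for img in images]
        acc = acc_at_1(classify, masked, labels)
        rows.append((a, acc, base - acc))
    return rows

if __name__ == "__main__":
    images, labels = make_dataset()
    for a, acc, drop in sweep(edge_classifier, images, labels, stripe_mask(8, 8), [0.0, 0.1, 0.3, 0.5]):
        print(f"intensity={a:.1f}  Acc@1={acc:5.1f}%  drop={drop:5.1f} %-points")
```

In this toy the drop comes entirely from the top/bottom-split class, whose single coarse edge is outweighed by the stripes' gradient energy once the intensity exceeds 0.125; the figures are properties of the constructed data, not the paper's results.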
Peer Reviews
Decision: ICLR 2025 Conference Withdrawn Submission
The paper proposes more aggressive perturbations to apply to images, as the limit is not imperceptibility but rather semantic preservation for humans in CAPTCHA. The experiments are conducted using five models including ConvNeXt, EVA02, ResNet, ViT-H-14 and RoBERTa-L. The results show that proposed masks can reduce accuracy of these models.
There are no comparison methods in the main results, e.g., Table 1 and 2. It is difficult to understand the advantage of proposed methods compared to other adversarial samples. The novelty is limited. The paper proposes to apply different masks to images for constructing the datasets, and then calculates the accuracy of images in the constructed dataset. It is better to show some visualizations, e.g., images with masks at various intensities.
Strengths:
- The method of introducing periodic noise into image CAPTCHAs to challenge the imperceptibility constraints in adversarial attacks is both novel and well-founded.
- The dataset and experimental setup are extensive and well-executed, offering compelling evidence for the conclusions drawn.
I have significant concerns about the effectiveness of the periodic noise method. It appears that the authors trained their models on standard images and then evaluated them using masked images, which understandably results in a substantial drop in performance. If an attacker were to learn how to apply this periodic mask technique and train with noisy images, the validity of this approach would be greatly undermined.
1. The writing is clear and easy to understand.
2. The paper inspects the adversarial examples from a new perspective, which holds an assumption different from traditional ones on stealthiness. Instead, the attack, in this case, preserves "functionality" for human beings. The angle is refreshing.
3. The experiments include some of the largest and most advanced transformer models, which is an outstanding point.

1. **The experiments are only conducted on a portion of ImageNet, up to 5000**. This makes all the insights gained less convincing.
2. **Many contributions or claims are not validated**.
   - *"The simplicity and ease of execution of the proposed attacks make them readily available to large-scale CAPTCHA systems."*: While the attack might seem "too easy," have you tried to deploy it in a large-scale CAPTCHA system? If not, how much resources will the attack consume? Is it memory-efficient and time

1. The paper introduces a new approach by using visibly perturbed images for CAPTCHAs, potentially enhancing security mechanisms.
2. It aims to leverage the discrepancies in human and machine perception and the existence of AI-hard tasks where humans surpass machines, which could provide new insights into CAPTCHA design.
4. The detailed description of the method and results is useful and easy to follow, making the findings accessible to readers.

1. While the paper mentions leveraging differences in perception, it lacks a thorough analysis of how vision models interpret adversarial examples. This is particularly relevant given their stated contribution of understanding the difference in human and machine perception.
2. The authors do not consider existing literature that demonstrates vulnerabilities in hCaptcha and successful large-scale attacks, such as "A Low-Cost Attack Against the hCaptcha System" by Hossen and Hei. The authors need
Taxonomy
Topics: User Authentication and Security Systems · Advanced Malware Detection Techniques · Spam and Phishing Detection
