Defensive Adversarial CAPTCHA: A Semantics-Driven Framework for Natural Adversarial Example Generation

TL;DR

This paper introduces a semantics-driven framework called DAC for generating high-fidelity adversarial CAPTCHAs that are effective against deep neural network attacks and indistinguishable from genuine CAPTCHAs for humans.

Contribution

The paper proposes a novel LLM-guided adversarial CAPTCHA generation framework that enhances diversity, semantic richness, and robustness in both white-box and black-box attack scenarios.

Findings

DAC generates CAPTCHAs that defend against unknown models.

The generated CAPTCHAs are indistinguishable to humans and DNNs.

BP-DAC achieves efficient misclassification in black-box scenarios.

Abstract

Traditional CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) schemes are increasingly vulnerable to automated attacks powered by deep neural networks (DNNs). Existing adversarial attack methods often rely on the original image characteristics, resulting in distortions that hinder human interpretation and limit their applicability in scenarios where no initial input images are available. To address these challenges, we propose the Unsourced Adversarial CAPTCHA (DAC), a novel framework that generates high-fidelity adversarial examples guided by attacker-specified semantics information. Leveraging a Large Language Model (LLM), DAC enhances CAPTCHA diversity and enriches the semantic information. To address various application scenarios, we examine the white-box targeted attack scenario and the black box untargeted attack scenario. For target attacks, we introduce two latent noise variables that are alternately guided in the diffusion step to achieve robust inversion. The synergy between gradient guidance and latent variable optimization achieved in this way ensures that the generated adversarial examples not only accurately align with the target conditions but also achieve optimal performance in terms of distributional consistency and attack effectiveness. In untargeted attacks, especially for black-box scenarios, we introduce bi-path unsourced adversarial CAPTCHA (BP-DAC), a two-step optimization strategy employing multimodal gradients and bi-path optimization for efficient misclassification. Experiments show that the defensive adversarial CAPTCHA generated by BP-DAC is able to defend against most of the unknown models, and the generated CAPTCHA is indistinguishable to both humans and DNNs.