The present invention relates to a method, system, and computer program for verifying that a user is a human being instead of an automated agent.
The use of automated agents to gain unauthorized access to websites is an ever-increasing problem. For instance, automated registration techniques may be used by hackers in DoS (denial of service) attacks on websites. Furthermore, large-scale unauthorized access to websites which transmit an SMS message to users after registration can result in the flooding of telecommunication networks by a huge number of SMS messages. Automated agents have made it easier for hackers to launch large-scale disruptive attacks on websites, by effectively automating the hacking process.
Traditional mechanisms for distinguishing between human users and automated agents (attempting to gain access to a website) are typically based on the presentation of textual challenges to the would-be user. In particular, these systems construct a string comprising letters and/or numbers, form an image of the string, and then distort the image. The systems then present the image to the would-be user and request the user to essentially reproduce the string contained therein. However, these prior art human verification systems have limited use, insofar as individual characters in a string can only be distorted by a limited amount, if the characters therein are still to be recognizable by a user. For example, a very limited amount of distortion can be applied to the letter “m” if it is to be distinguished from the letter “w”.
Furthermore, these traditional human verification systems do not take full advantage of the cognitive reasoning facilities of human beings. In particular, since the answer to the challenge presented to the would-be user is inherently a string, the challenge presented to the user does not avail of their ability to extrapolate from, and apply abstract reasoning to, the challenge.
Existing systems have attempted to overcome these limitations with limited success. US Patent Publication No. 2004/0199597 describes a method and system for image verification to prevent messaging abuse. More particularly, US 2004/0199597 describes a generic verification system in which a challenge response mechanism plays a role. However, US 2004/0199597 does not describe the process by which the challenge to a would-be user is effectively created.
Similarly, U.S. Pat. No. 6,195,698 describes a method for selectively restricting access to computer systems. In particular, this patent describes a challenge response mechanism for preventing automated agents from accessing the services or resources. However, the method described in U.S. Pat. No. 6,195,698 is based on the concept of textual string representation, and is subject to the limitations described above.
One aspect of the present invention provides an operation for verifying that a prospective user of a website is human. In one embodiment, this operation comprises the steps of: selecting a graphics image from an image repository, with this graphics image depicting an object; distorting the image; presenting the image to the user; requesting the user to identify, within a pre-defined time interval, the object depicted in the image; determining that the user is a human in the event the user correctly identifies the object within the pre-defined time interval; and allowing the user to gain access to the website in the event that the user is determined as being human.
By placing a time limit on the time interval in which a user can provide a correct identification of a displayed object, this embodiment attempts to harness the conceptual and cognitive reasoning facilities of human users to distinguish them from automated agents.
According to a further embodiment of the present invention, additional steps are performed, including: interrogating a browser of the user to determine the language with which the browser is configured; retrieving a name of the object from a dictionary of a language that matches the language of the browser; and determining that the user is human, in the event the user provides, within the pre-defined time interval, a name which matches the name of the object that is retrieved from the dictionary.
By utilizing the specific language of the user's browser, this embodiment further harnesses the associative linguistic reasoning of human users to distinguish them from automated agents.
Various embodiments of the invention are herein described by way of example, with reference to the accompanying Figures in which:
In one embodiment of the present invention, when a server (hosting a website) receives a registration request from a would-be user, a distorted image of an object (for example, a house, cat, bird, cake, or hand) is generated. The distorted image is then shown to the would-be user, and the user must provide the correct name of the object depicted in the image to gain access to the website. At the heart of this embodiment is the observation that humans are typically capable of much faster pattern recognition and abstract conceptual reasoning than even the most sophisticated automated pattern recognition systems currently available. Accordingly, a human being will typically recognize a distorted image much faster than any of these sophisticated pattern recognition systems. Additionally, by placing a time limit on the time interval in which a user can provide a correct identification of a displayed object, this embodiment attempts to harness the conceptual and cognitive reasoning facilities of human users to distinguish them from automated agents.
The challenge to the user is further enhanced by restricting the correct identification to the language of the internet browser which issued the challenge. Restated, if the user's browser was configured for the Chinese language, then the user, on attempting to gain access to the required website, would be required to provide the name of the displayed object in the Chinese language.
In a further embodiment, the browser of the would-be user is queried to determine (20) the language with which the browser has been configured. After determining which language to use, the name of the image depicted in the graphic is retrieved (22) from a language pack which matches the language of the user's browser. The user is then requested to provide the name of the depicted object, and the name provided by the user is retrieved (24). If the name provided by the user matches (27) the name retrieved from the language pack, the operation determines that the user is a human (26) and allows the user to complete their registration with the website. However, if the name provided by the user does not match (27) the name retrieved from the language pack (or the user does not provide a name within a pre-defined time limit), the process is repeated. Another image containing the above-mentioned distortions is retrieved from the repository (10), and the process is repeated by presenting this next object to the user to be identified.
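The server-side flow described above (language detection, language-pack lookup, time-limited answer, new image on failure) can be sketched as follows. This is an added example, not code from the patent; reading the browser language from an Accept-Language header, the names `LANGUAGE_PACKS`, `ChallengeStore` and `pick_language`, the 20-second limit and the sample object names are all assumptions.

```python
import secrets
import time
import unicodedata

# Constructed sample "language packs": object id -> object name per language.
LANGUAGE_PACKS = {
    "en": {"obj1": "cat", "obj2": "house", "obj3": "bird"},
    "fr": {"obj1": "chat", "obj2": "maison", "obj3": "oiseau"},
    "zh": {"obj1": "猫", "obj2": "房子", "obj3": "鸟"},
}
TIME_LIMIT_S = 20.0  # assumed value; the page only says "pre-defined"
DEFAULT_LANG = "en"  # assumed fallback when no pack matches the browser

def pick_language(accept_language):
    """Return the supported primary language with the highest q-value."""
    ranked = []
    for part in accept_language.split(","):
        tag, _, param = (s.strip() for s in part.partition(";"))
        try:
            q = float(param[2:]) if param.startswith("q=") else 1.0
        except ValueError:
            q = 0.0  # malformed weight: ignore this entry
        primary = tag.lower().split("-")[0]
        if q > 0 and primary in LANGUAGE_PACKS:
            ranked.append((q, primary))
    return max(ranked, key=lambda r: r[0])[1] if ranked else DEFAULT_LANG

def _norm(text):
    # Compare names independent of case, padding and Unicode width variants.
    return unicodedata.normalize("NFKC", text).strip().casefold()

class ChallengeStore:
    def __init__(self, clock=time.monotonic):
        self._pending = {}  # token -> (expected name, deadline)
        self._clock = clock

    def issue(self, accept_language):
        """Pick an object; the caller sends only its distorted image and the token."""
        lang = pick_language(accept_language)
        object_id = secrets.choice(sorted(LANGUAGE_PACKS[lang]))
        token = secrets.token_urlsafe(16)
        deadline = self._clock() + TIME_LIMIT_S
        self._pending[token] = (LANGUAGE_PACKS[lang][object_id], deadline)
        return token, object_id, lang

    def verify(self, token, answer):
        """Single use: a wrong, late or replayed answer fails and needs a new image."""
        expected, deadline = self._pending.pop(token, ("", float("-inf")))
        return self._clock() <= deadline and secrets.compare_digest(
            _norm(answer).encode(), _norm(expected).encode())
```

Because `verify` removes the token before checking, every failed attempt forces a fresh call to `issue`, which matches the "process is repeated" branch with a newly selected image.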
Similar considerations apply if the system has a different topology, or it is based on other networks. Alternatively, the computers have a different structure, including equivalent units, or consist of other data processing entities (such as PDAs, mobile phones, and the like).
Although various representative embodiments of this invention have been described above with a certain degree of particularity, those skilled in the art could make numerous alterations and modifications to the disclosed embodiments without departing from the spirit or scope of the inventive subject matter set forth in the specification and claims.
Number | Date | Country | Kind |
---|---|---|---|
08152642.8 | Mar 2008 | EP | regional |