HASTAC Website Protection System SRS Presentation Ronen Mendezitsky & Alon Weiss
Overview • An online security system for ASP.NET websites • Helps fight brute-force attacks on secured systems • Uses innovative methods to stop rogue OCR software that cracks the widely used CAPTCHA • Adds an image (“Challenge”) with a question embedded in it. The user must answer it in order to log in or register.
Contract • What ASP.NET webmasters need: • The most non-intrusive software component to plug into their website, easily deployed and maintained • A friendly and simple utility to remotely configure the system • The system should use minimal CPU, HDD, and bandwidth resources.
Research • Most CAPTCHAs today are either low-grade, crude Unix scripts or developed in-house • Most of them have been either reverse engineered or easily cracked in real time using rogue OCR programs • CAPTCHAs are becoming more complex in order to deal with these rogue programs
Top-Level Design • Requirements and boundaries for design: • Variable Complexity • Simple yet full-featured management software • Allow for a much larger Q&A space • Fast response • Minimal resource usage • Easy integration • Generated image should be small and compressible
The Problem • Password-protected websites encounter: • Brute-force attacks that consume a lot of bandwidth • Cracking attempts by automated bots • Creation of accounts in bulk by automated bots • Account lists generated by bots and posted on the internet, which other bots then use to leech off the site.
The Customers • ASP.NET websites (around 30%)
Competition • Product: Strongbox • Vendor: Ray Morris ( bettercgi.com ) • Link: http://www.bettercgi.com/strongbox/ • Price: $150 per site (one-time) • A 5-letter image-based code protection.
Competition • Product: T4wsentry.pl • Vendor: Fisher Technologies, Inc. • Link: http://www.tools4webmasters.com/t4wsentry.htm • Price: $65 per site (one-time) • A Perl script that requires the user to log in from a specific page in order to access the restricted area of the website
Competition • Product: Pennywize • Vendor: Zarvon P/L • Link: http://www.pennywize.com/ • Price: $30-$170 (monthly rate) • An IP-based protection system
Competition • Product: BotDetect • Vendor: LANAP software • Link: http://www.lanapsoft.com • Price: $60-$100 per site (one-time) • Supports up to 50 different CAPTCHA types at variable length and image size, producing different file formats
The Proposed Product • A challenge is presented to the user at the log-in page in the form of an image. • Each image contains many elements • A challenge is embedded in the image • Answering the challenge correctly allows successful human verification
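The two slides above (the problem and the proposed product) describe a challenge-response gate: a bot that has been hammering the log-in page must answer a question embedded in an image before any further password attempts count. The following is an added example, not code from the HASTAC project, written in Python rather than the ASP.NET component the slides describe so that it runs stand-alone. The question bank, the credential table, the 120-second challenge lifetime and the three-failure threshold are all constructed for the example; rendering the question into an image is left out. The parts a reviewer would check are that a challenge is single use (replaying a token fails), that it expires, that the server keeps only a salted hash of the answer, and that comparison is constant-time.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed question bank for this example. The real system renders the
# question into an image; image generation is out of scope here.
QUESTION_BANK = [
    ("Which of these is a colour: table, red, river?", "red"),
    ("What is three plus four, written as a single digit?", "7"),
    ("Which of these is an animal: brick, cloud, horse?", "horse"),
]

CHALLENGE_TTL_SECONDS = 120    # assumed lifetime of an unanswered challenge
FAILURES_BEFORE_CHALLENGE = 3  # assumed threshold for demanding a challenge

# Constructed credential table; a real deployment uses a hashed password store.
USERS = {"alice": "correct horse battery"}


def _normalise(answer: str) -> str:
    """Fold case and whitespace so a human's sloppy typing still matches."""
    return " ".join(answer.strip().lower().split())


def _hash_answer(salt: bytes, answer: str) -> bytes:
    return hashlib.sha256(salt + _normalise(answer).encode()).digest()


@dataclass
class Challenge:
    salt: bytes
    answer_hash: bytes
    issued_at: float


class ChallengeStore:
    """Issues single-use, expiring challenges and verifies responses.

    Only a salted hash of the answer is kept server side; the client sees
    the opaque token and the question text, never the answer.
    """

    def __init__(self, ttl: float = CHALLENGE_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock          # injectable so expiry can be tested
        self._pending: dict[str, Challenge] = {}

    def issue(self) -> tuple[str, str]:
        question, answer = secrets.choice(QUESTION_BANK)
        token = secrets.token_urlsafe(16)
        salt = secrets.token_bytes(16)
        self._pending[token] = Challenge(salt, _hash_answer(salt, answer), self._clock())
        return token, question

    def verify(self, token: str, response: str) -> bool:
        # pop() makes every token single use: a replayed token is simply unknown
        challenge = self._pending.pop(token, None)
        if challenge is None:
            return False
        if self._clock() - challenge.issued_at > self._ttl:
            return False             # expired before it was answered
        return hmac.compare_digest(
            challenge.answer_hash, _hash_answer(challenge.salt, response))


class LoginGate:
    """Counts failed log-ins per client and demands a challenge past a threshold."""

    def __init__(self, threshold: int = FAILURES_BEFORE_CHALLENGE):
        self._threshold = threshold
        self._failures: dict[str, int] = {}

    def needs_challenge(self, client_id: str) -> bool:
        return self._failures.get(client_id, 0) >= self._threshold

    def record_failure(self, client_id: str) -> None:
        self._failures[client_id] = self._failures.get(client_id, 0) + 1

    def record_success(self, client_id: str) -> None:
        self._failures.pop(client_id, None)


def attempt_login(gate, store, client_id, username, password,
                  token=None, response=None) -> str:
    """Returns "ok", "denied" or "challenge-required"."""
    if gate.needs_challenge(client_id):
        # Once the client is flagged, no password check happens until it
        # answers a fresh challenge; a failed or replayed challenge costs a new one.
        if token is None or not store.verify(token, response or ""):
            return "challenge-required"
    stored = USERS.get(username, "")
    if username in USERS and hmac.compare_digest(stored.encode(), password.encode()):
        gate.record_success(client_id)
        return "ok"
    gate.record_failure(client_id)
    return "denied"
```

The per-client key here is an opaque string; in the slides' setting it would be the requesting IP or session, and the counter would live in shared storage rather than a process-local dictionary so that the gate survives restarts and works across a web farm.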
Challenges • Making the question-and-answer space as large as possible • Using as little bandwidth as possible • SQL database access and HDD I/O should be minimal • Image manipulation algorithms should be developed to render OCR useless • The system has to be user friendly, both for the end user and for the website administrator • The system should be upgradable with plug-ins
Criteria for Success • Success: meeting all the requirements described • Failure: poor integration, poor challenge-and-response quality, excessive resource usage, or bad plug-in support
Use Cases • A webmaster of a single website that has no protection and a lot to secure requires authentication for his sensitive content • A group of webmasters wish to create a single sign-in solution for their websites • A specific service requires high-fidelity human authentication, such as e-voting systems, polls, forms, and public free e-mail services, to avoid mass junk data being stored or sent through the service.
Initial Plan and Progress • Research and development of the HASTAC algorithm • Research brute-force techniques used against CAPTCHA-protected websites • Investigate integration methods with current ASP.NET websites • Build an administration interface ("Back-Office") for the system • Define the main software modules and their integration • Perform stress-testing on the algorithm