SRS PRESENTATION
Ronen Mendezitsky & Alon Weiss
HASTAC Website Protection System
Overview
An online security system for ASP.NET websites
Helps fight brute-force attacks on secured systems
Uses innovative methods to stop rogue OCR software that cracks the widely used CAPTCHA
Adds an image ("Challenge") that has a question embedded. The user must answer it in order to log in or register.
Contract
What ASP.NET webmasters need:
The most non-intrusive software component to plug in to their website, easily deployed and maintained
A friendly and simple utility to remotely configure the system
The system should use minimal CPU, HDD, and bandwidth resources.
Research
Most CAPTCHAs today are either low-grade, crude Unix scripts or developed in-house
Most of them have been either reverse engineered or easily cracked in real time using rogue OCR programs
CAPTCHAs are becoming more complex in order to deal with these rogue programs
Top-Level Design
Requirements and boundaries for design:
Variable complexity
Simple yet full-featured management software
Allow for a much larger Q&A space
Fast response
Minimal resource usage
Easy integration
Generated image should be small and compressible
The Problem
Password-protected websites encounter:
Brute-force attacks that consume a lot of bandwidth
Cracking attempts by automated bots
Creation of accounts in bulk by automated bots
Account lists generated by bots and posted on the internet, which are then used by other bots to leech off the site
The Customers
ASP.NET websites (around 30%)
[Chart: web server share; legend: Apache, Microsoft, Sun, NCSA, Other]
Competition
Product: Strongbox
Vendor: Ray Morris (bettercgi.com)
Link: http://www.bettercgi.com/strongbox/
Price: $150 per site (one-time)
A 5-letter image-based code protection.
Competition
Product: T4wsentry.pl
Vendor: Fisher Technologies, Inc.
Link: http://www.tools4webmasters.com/t4wsentry.htm
Price: $65 per site (one-time)
A Perl script that requires the user to log in from a specific page in order to access the restricted area of the website.
Competition
Product: Pennywize
Vendor: Zarvon P/L
Link: http://www.pennywize.com/
Price: $30-$170 (monthly rate)
An IP-based protection system.
Competition
Product: BotDetect
Vendor: LANAP software
Link: http://www.lanapsoft.com
Price: $60-$100 per site (one-time)
Supports up to 50 different CAPTCHA types at variable length and image size, producing different file formats.
The Proposed Product
A challenge is introduced to the user at the log-in page in the form of an image.
Each image contains many elements
A challenge is embedded in the image
Answering the challenge correctly allows successful human verification
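The slide above describes the flow from the user's side: an image carries a question, and a correct answer verifies the human. The server-side half of that flow, issuing a challenge whose answer never leaves the server, accepting each challenge only once, expiring it, and throttling repeated wrong answers so the brute-force attacks named in the Overview do not get unlimited guesses, is shown here as an added example. It is not the project's code and is written in Python rather than the ASP.NET stack the deck targets; the question bank, the 120-second lifetime and the five-attempt throttle are constructed assumptions, and the image rendering itself is out of scope (only the question text is produced).

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed sample question bank (placeholder for the deck's Q&A space).
# The challenge image is assumed to render the question; the expected
# answer is kept server-side and is never sent to the client.
QUESTION_BANK = [
    ("How many legs does a spider have?", "8"),
    ("What colour is the sky on a clear day?", "blue"),
    ("Type the third word of: red green yellow", "yellow"),
]

CHALLENGE_TTL_SECONDS = 120          # assumed lifetime of an issued challenge
MAX_FAILED_ATTEMPTS_PER_CLIENT = 5   # assumed throttle against brute-force guessing


@dataclass
class Challenge:
    question: str
    answer: str       # normalised (casefolded) expected answer
    issued_at: float


@dataclass
class ChallengeService:
    """In-memory issue/verify service for image challenges (hypothetical)."""
    # challenge_id -> outstanding Challenge; the entry is removed on first use
    pending: Dict[str, Challenge] = field(default_factory=dict)
    # client key (session id or source address) -> consecutive failed attempts
    failures: Dict[str, int] = field(default_factory=dict)
    clock: Callable[[], float] = time.time   # injectable so expiry can be tested

    def issue(self) -> Tuple[str, str]:
        """Return (challenge_id, question). Only these two values reach the client."""
        question, answer = secrets.choice(QUESTION_BANK)
        challenge_id = secrets.token_urlsafe(32)  # 256-bit random, unguessable
        self.pending[challenge_id] = Challenge(question, answer.casefold(), self.clock())
        return challenge_id, question

    def verify(self, client: str, challenge_id: str, response: str) -> bool:
        """Check a response. Every outcome except success counts as a failure."""
        if self.failures.get(client, 0) >= MAX_FAILED_ATTEMPTS_PER_CLIENT:
            return False  # throttled; issuing a fresh challenge does not reset this
        # Single use: the challenge is consumed whether or not the answer is right,
        # so a client cannot keep guessing against one known image.
        challenge = self.pending.pop(challenge_id, None)
        if challenge is None or self.clock() - challenge.issued_at > CHALLENGE_TTL_SECONDS:
            self._record_failure(client)
            return False
        expected = challenge.answer.encode()
        given = response.strip().casefold().encode()
        # Constant-time comparison avoids leaking answer prefixes through timing.
        if hmac.compare_digest(expected, given):
            self.failures.pop(client, None)
            return True
        self._record_failure(client)
        return False

    def _record_failure(self, client: str) -> None:
        self.failures[client] = self.failures.get(client, 0) + 1


if __name__ == "__main__":
    svc = ChallengeService()
    cid, question = svc.issue()
    answer = dict(QUESTION_BANK)[question]
    print("Question shown in the image:", question)
    print("Correct answer accepted:", svc.verify("session-1", cid, answer))
    print("Replay of the same challenge rejected:", svc.verify("session-1", cid, answer))
```

The design choice worth noting is that the form only ever carries the random challenge ID; the expected answer is looked up server-side, which is what keeps the Q&A space from being enumerated by an OCR bot that has learned to read the image.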
Challenges
Making the question and answer space as large as possible
Use as little bandwidth as possible
SQL database access and HDD I/O should be minimal
Image manipulation algorithms should be developed to render OCR useless
The system has to be user-friendly, both to the user and to the website administrator
The system should be upgradable with plug-ins
Criteria for Success
Success: meeting all the requirements described
Failure: poor integration, poor challenge-and-response quality, high resource usage, or bad plug-in support
Use Cases
A webmaster of a single website that has no protection and a lot to secure requires authentication for his sensitive content
A group of webmasters wish to create a single sign-in solution for their websites
A specific service requires high-fidelity human authentication, such as e-voting systems, polls, forms, and public free e-mail services, all to prevent mass junk data from being stored or sent using the service.
Initial Plan and Progress
Research and development of the HASTAC algorithm
Research brute-force techniques used against CAPTCHA-protected websites
Investigate integration methods with current ASP.NET websites
Build the administration interface ("Back-Office") for the system
Define the main software modules and their integration
Perform stress-testing on the algorithm