Journal of Information Security and Applications, vol. 63, 2021 (SCI-Expanded, Scopus)
The security of web applications is protected by firewalls, intrusion detection systems or deep learning-based approaches. Although existing systems perform rule- and content-based filtering, they can be bypassed with crafted payloads and advanced bots in different scenarios. CAPTCHAs are used to keep bots out of web applications and minimize the resulting risks. Although CAPTCHA applications distinguish bots from users, they can be solved by software-based systems. In addition, increasing the difficulty level of CAPTCHA schemes has introduced usability problems. In this study, a robust behavior-based CAPTCHA (UNI-CAPTCHA) was developed that distinguishes users from bots without any interaction with the user. A web application with a landing page, a login page and a register page was developed so that UNI-CAPTCHA could learn user and bot behavior. The application was tested with 16 different vulnerability-scanning tool bots and real users, creating a unique dataset containing 13 different behaviors. A risk rating was derived using the k-Means++ algorithm from the characteristics of user behavior in the dataset. The trained hybrid bi-LSTM + Softmax based UNI-CAPTCHA engine labels requests from the web application as user or bot as they arrive, and also assigns user labels a risk rating from 1 to 5. A threshold user value (εt) for high protection is determined in the evaluation; results below εt are evaluated as bot behavior and blocked. In UNI-CAPTCHA, the threshold for suspicious user behavior is adjusted according to the in-app security risk level. Analysis shows that the UNI-CAPTCHA engine offers better stability, speed and detection than traditional bot detection and CAPTCHA applications.
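As an added illustration (not the paper's code) of the risk-rating and εt gating the abstract describes: behavior vectors are clustered with k-Means++, the clusters are ranked into ratings 1 to 5, and a request rated below the page's εt is blocked. The feature pair, the sample vectors and the per-page εt values are assumptions made for this example; the bi-LSTM labeling stage is not reproduced.

```python
import random

# Constructed behavior vectors (not the paper's dataset): each request is
# (mean inter-event gap in seconds, pointer-move count), an assumed feature pair.
SAMPLES = {
    "scanner": [(0.01, 0), (0.02, 0), (0.01, 1), (0.03, 0)],
    "bot":     [(0.20, 10), (0.22, 10), (0.21, 11), (0.19, 10)],
    "unsure":  [(1.0, 25), (1.2, 25), (0.9, 26), (1.1, 25)],
    "user":    [(2.4, 45), (2.6, 45), (2.5, 46), (2.5, 45)],
    "careful": [(4.0, 80), (4.2, 80), (3.9, 81), (4.1, 80)],
}
POINTS = [p for group in SAMPLES.values() for p in group]
EPSILON_T = {"landing": 2, "register": 3, "login": 4}  # assumed per-page εt values

def dist2(a, b):
    return (a[0] - b[0]) ** 2 + (a[1] - b[1]) ** 2

def nearest(p, centers):
    return min(range(len(centers)), key=lambda i: dist2(p, centers[i]))

def kmeans_pp(points, k, seed=7):
    """k-Means++ (D^2-weighted) seeding followed by Lloyd's iterations."""
    rng = random.Random(seed)
    centers = [rng.choice(points)]
    while len(centers) < k:  # pick each new seed with probability proportional to D^2
        d2 = [min(dist2(p, c) for c in centers) for p in points]
        target, acc = rng.random() * sum(d2), 0.0
        for p, w in zip(points, d2):
            acc += w
            if acc >= target:
                centers.append(p)
                break
    for _ in range(100):  # reassign and recompute centroids until stable
        groups = [[] for _ in centers]
        for p in points:
            groups[nearest(p, centers)].append(p)
        new = [tuple(sum(v) / len(g) for v in zip(*g)) if g else c
               for g, c in zip(groups, centers)]
        if new == centers:
            break
        centers = new
    return centers

def risk_rating(vector, centers):
    """Rate 1..5: clusters ranked by inter-event gap, so the fastest cluster is 1 (most bot-like)."""
    ranked = sorted(centers)
    return ranked.index(centers[nearest(vector, centers)]) + 1

def allow_request(vector, page, centers):
    """Ratings below the page's εt are treated as bot behavior and blocked."""
    return risk_rating(vector, centers) >= EPSILON_T[page]

CENTERS = kmeans_pp(POINTS, 5)
```

A stricter page (login) raises εt, so the same mid-rated behavior that passes the landing page is blocked there.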