kaPoW! A new defense against web attacks

Wu-chang Feng is looking to place his new defense mechanism between your favorite Internet services and attackers.

There is no doubt that we are spending more time on the Internet these days. We are connected by our computers at home, school, and work, and by our smartphones and tablets. We talk to our family and friends online. We purchase items online almost as much as we do at brick-and-mortar stores. All of these services we rely upon are potentially vulnerable to attack. Attacks from automated web clients are a significant and growing problem on the Internet today. They come in the form of denials of service, comment spam on web-based forums, click-fraud robots, and ticket-purchasing robots, and they keep our Internet service providers from delivering the highest quality service possible.

Most of us are familiar with the existing tools for safeguarding Internet service: filters and CAPTCHAs—those occasionally unreadable and often nonsensical word tests we have to type to gain access to email or guest books, or to buy tickets to the upcoming Hall and Oates concert. But those out there in the cyber-world intending us harm are always on the lookout for ways around the systems we put in place to protect ourselves from web attacks. Fortunately, there are people out there like Dr. Wu-chang Feng, Associate Professor in the Department of Computer Science at Portland State University, who have made it their mission to stop attackers in their tracks.

Dr. Feng recently presented the results of his endeavors to strengthen web security and combat the automated bots attacking us on the Internet to the office of Innovation & Intellectual Property (IIP). Dr. Feng designed, developed, and implemented a novel web-based proof-of-work (PoW) system as an improvement and alternative to CAPTCHAs that provides configurable PoW protocols in a deployable manner. CAPTCHAs can be difficult to see, can be bypassed using automated algorithms, and can be outsourced by attackers to CAPTCHA clearinghouses, where they pay rock-bottom rates to have thousands of images solved. Dr. Feng’s kaPoW system instead forces clients to solve puzzles of specific difficulty before service is granted. The specificity of kaPoW’s computational puzzles is one of the most innovative aspects of Dr. Feng’s new technology.

“We get information from a centralized server that we host here at PSU,” Dr. Feng said. “Because of this we have a global view of how spammers or ticket-bots are attacking systems and this view allows us to intelligently respond to the attackers. That is the key to our code: we dynamically adapt the difficulty on the basis of what we see out there on the Internet.”

Automated spammers and ticket-purchasing robots are two kinds of attacks kaPoW is capable of combating. Spammers who operate through web-based email have a little time before complaints from the people they are attacking start funneling into their service providers. Using information gathered at PSU, a client employing the kaPoW puzzle system can deliver a tailor-made puzzle that will determine whether the sender is human or computer. A similar method can be deployed by ticket sales agencies seeking to prevent scalpers from quickly snatching up tickets to events.
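The puzzle-before-service idea described above, as an added example that is not kaPoW's code or protocol: a generic hash-based client puzzle for Node.js in which the server picks the difficulty from a reputation score. The score scale, the bit bounds, the field names and the key handling are all assumptions.

```javascript
// Added example: a generic hash-based client puzzle, not kaPoW's own protocol.
const { createHash, createHmac, randomBytes, timingSafeEqual } = require("crypto");
const SERVER_KEY = randomBytes(32); // constructed per-process secret

// Assumed policy: reputation score in [0,1] (1 = worst) -> leading zero bits.
function difficultyFor(score, minBits = 8, maxBits = 20) {
  const s = Math.min(1, Math.max(0, score));
  return Math.round(minBits + s * (maxBits - minBits));
}

// MAC over every field, so a client cannot lower the difficulty or extend the expiry.
function macOf(c) {
  return createHmac("sha256", SERVER_KEY)
    .update(JSON.stringify([c.clientId, c.bits, c.expires, c.salt])).digest("hex");
}

// Server: issue a stateless challenge whose cost follows the client's score.
function issueChallenge(clientId, score, now = Date.now(), ttlMs = 60000) {
  const c = { clientId, bits: difficultyFor(score), expires: now + ttlMs,
              salt: randomBytes(8).toString("hex") };
  return { ...c, mac: macOf(c) };
}

function leadingZeroBits(buf) {
  let n = 0;
  for (const byte of buf) {
    if (byte !== 0) return n + Math.clz32(byte) - 24;
    n += 8;
  }
  return n;
}

const puzzleHash = (ch, nonce) => createHash("sha256").update(`${ch.mac}|${nonce}`).digest();

// Client: brute-force search, about 2^bits hashes on average.
function solve(ch) {
  for (let nonce = 0; ; nonce++) {
    if (leadingZeroBits(puzzleHash(ch, nonce)) >= ch.bits) return nonce;
  }
}

// Server: verification costs one HMAC and one hash, whatever the difficulty.
function verify(ch, nonce, clientId, now = Date.now()) {
  const want = Buffer.from(macOf(ch), "hex");
  const got = Buffer.from(String(ch.mac), "hex");
  if (got.length !== want.length || !timingSafeEqual(got, want)) return false;
  if (ch.clientId !== clientId || now > ch.expires) return false;
  return Number.isInteger(nonce) && leadingZeroBits(puzzleHash(ch, nonce)) >= ch.bits;
}
```

Nothing here records spent challenges, so a deployment would also need to reject a solution that has already been redeemed before its expiry.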

Other appealing aspects of kaPoW are the ease with which it may be put to use and the fact that, as open-source code for non-commercial users, it’s free to use and available at kapow.cs.pdx.edu/.

“People can deploy this system without modifying their web browser or system. All you have to do is drop the extra protection into place,” Dr. Feng said. “It’s as easy as embedding the code into a webpage, a simple cut and paste.”

To help promote the use of Dr. Feng’s kaPoW technology, the office of Innovation & Intellectual Property has filed Provisional and Utility patent applications, and we’re currently working with Dr. Feng on a terms-of-use agreement for users installing kaPoW plug-ins.