Research trends on CAPTCHA: A systematic literature

The advent of technology has crept into virtually all sectors and this has culminated in automated processes making use of the Internet in executing various tasks and actions. Web services have now become the trend when it comes to providing solutions to mundane tasks. However, this development comes with the bottleneck of authenticity and intent of users. Providers of these Web services, whether as a platform, as a software or as an Infrastructure use various human interaction proof’s (HIPs) to validate authenticity and intent of its users. Completely automated public turing test to tell computer and human apart (CAPTCHA), a form of IDS in web services is advantageous. Research into CAPTCHA can be grouped into two -CAPTCHA development and CAPTCH recognition. Selective learning and convolutionary neural networks (CNN) as well as deep convolutionary neural network (DCNN) have become emerging trends in both the development and recognition of CAPTCHAs. This paper reviews critically over fifty article publications that shows the current trends in the area of the CAPTCHA scheme, its development and recognition mechanisms and the way forward in helping to ensure a robust and yet secure CAPTCHA development in guiding future research endeavor in the subject domain.


INTRODUCTION
The advent of the Internet has been very advantageous to the society and it has impacted significantly all sectors of the economy [1]. Education, commerce, finance, health, transportation have all migrated from the manual and redundant way of carrying out their day-to-day activities to an automated and integrated process [2], [3]. With this migration comes the quest for accessibility at every point in time irrespective of destination and region. Hence all automated processes are integrated into a common infrastructure called web services and are generally accessed through an infrastructures commonly referred to as service-oriented architecture (SOA) [4]- [6]. Honeypots [7]- [10], intrusion detection systems (IDS) and human interaction proofs (HIPs) are both forms of SOA [11]. While IDS focuses and sensing changes that may occur within a system as a result of external interference, HIPs on the other hand allows a system to ascertain the category to which its users belong when usage is being done over a network [12]. Essentially, this is done over three broad categories viz; to distinguish computer-bots from humans, distinguish a class of humans from another and to distinguish a particular human from another. Independently, virtually all intrusion detection systems (IDS) have been found to be vulnerable to manipulations and attacks in a way that, in record time too. Questions may revolve around everyday life and activities such as "A sick person is taken to?", "Fishes live in what?", forms the baseline for the structure of Semantic CAPTCHAs. However, these kinds of CAPTCHAs are not limited to single-answer questions, often times, questions with more than one answer can be asked.

Related work
Pope and Kaur [28] considered the volume of e-commerce sites in use around the world and thought about CAPTCHAs as a protection mechanism, thereby highlighting the difference between human users and computers programs in their work. In their work which can be classified under CAPTCHA development/design, CAPTCHAs can easily provide a programmable way to discern humans from computers and thereby keeping computer bots away from e-commerce sites and in the process reduce spamming activities. Authors proposed an image composed of pseudorandom letters and numbers placed either in front of an obfuscating background or run through some degradation algorithm to make optical character recognition (OCR) of the final image impractical. This work was at that time a huge success, however, overtime, it has become vulnerable to blind-guessing just as it is with dictionary attacks.
In 2005, Chellapilla and Simard [29] worked on breaking HIPs using machine l learning. In their work which can be classified under CAPTCHA recognition, it was observed that tasks where machine learning algorithms were not as good as Human solutions. Having this in mind, they discovered that machine learning is a very suitable method for detecting recognition tasks, a concept upon which most HIPs are formulated. Thus, they came up with effective HIP (utilized in MSN passport) models which leveraged on challenging character-segmentation tasks to confuse machine learning algorithms.
Shahreza and Shahreza [30] in their work capitalized on the ability of human to be intuitive and to solve mathematical problem to develop CAPTCHAs. In this research which can be categorized under CAPTCHA development, an elementary mathematical problem deployed in form of an image is generated according to a predefined pattern. The entire problem is saved and portrayed to the user in form of an image to be deciphered by user. The solution to this problem hinges on the human intuitive abilities of understanding text of question, detection of question images, understanding the problem, and solving the problem, which is a daring task for a bot program to have all those functionalities. However, this technique is only limited to users with the ability to solve computational problems. Genuine users without prior knowledge of solving elementary mathematical problem will find themselves in the same predicament as bot programs and this defeats the purpose of CAPTCHAs.
In 2008, Kluever [31] made an attempt at using video-tagging (content-based labelling of videos) as a CAPTCHA task for humans to solve. The work which comes under CAPTCHA development extracts videos from public domains (e.g. YouTube) and uses such as CAPTCHA problems. Experiments were conducted with over one hundred and eighty human participants and their responses were analyzed using some metrics. The threshold for passing this CAPTCHA challenge would be an individual successfully providing about three (3) words describing the video just watched. Their work proved to be a huge success at the time considering about 70% to 90% of respondents tagged the video using three words as compared to the 13% success rate of computer bots in tagging same video. A major setback to this work is that a problem is encountered when tag frequency estimates are not publicly available. Also, network distortion can be a major hindrance here. Hindle et al. [32] worked on a CAPTCHA that uses reverse-engineering in its identification and recognition. The authors whose work can be categorized under CAPTCHA recognition, solved real-world CAPTCHAs by using simple available image processing techniques which includes bitmap comparison, thresholding, fill-flood segmentation, dilation, and erosion. This was accomplished through the use of blackbox and white-box methodologies for reverse engineering and solving CAPTCHAs. Their model however only focuses on Image-processing CAPTCHAs which makes it vulnerable to bots' program specifically targeted at Image processing.
Banday and Shah [33] also worked on a CAPTCHA design of images that are clickable and can be flipped. The work which falls under the CAPTCVHA development category presented clickable image-based CAPTCHA techniques. The technique presents users with a CAPTCHA image composed of several intertwined sub-images. The proposed technique grants improved security than that of normal OCR-based techniques, consumes less web page area and improves the user-friendliness of the web page. The model however were found to be defaulting as it has issues relating with distortion and presentation dimension.
Yamamoto et al. [34] in their work proposed to capitalize on the ability of humans to identify strangeness as presented in a CAPTCHA. Their research work categorized under CAPTCHA recognition utilized sentences as interpreted and translated by machines in the development of a new CAPTCHA series. SS-CAPTCHA (CAPTCHA using Strangeness in sentences) as depicted performs its function by checking how well humans can distinguish between natural sentences as constructed by humans and those that are generated by machine-translation. In their work, a system randomly presents P natural sentences created by humans (NSs) and Q garbage sentences generated from a natural sentence by a machine translator (GSs) to a user. A combination of both generated sentences (P+Q) sentences are then randomly placed. The quest then is for the user to select the set of natural sentences from the sequence of (P+Q) sentences. A successful selection of all humanly generated sentences certifies the user to be human while one or more errors certifies the user to be a bot program. A major pitfall of this CAPTCHA is that of comprehension of the user. Also, language barrier comes into play here and message translators cannot be an option.
Almazyad et al. [35] in their work which can be categorized under CAPTCHA development, proposed a multi-modal CAPTCHA. Most CAPTCHAs largely depends on the ability of enhanced distortion on text images making them unrecognizable to the techniques being utilized in its recognition, and these textbased schemes are in widespread use especially for applications for social networking sites, email generation, eCommerce and other online auction sites. Their work focuses on a new technique to build a CAPTCHA which is multi-modal (picture and text based). An image is being presented on the screen and many text labels layered over it. The task becomes that of the user to match the correct name of the image in context to its text label in the pool that are scattered all over it. Looking at their research, it is extra-work for humans to solve multi-layer CAPTCHA tests, and it can be frustrating for humans when the tests are cumbersome.
Raj et al. [36] introduced a new image-based CAPTCHA simply in graphical form. The CAPTCHA has advantages over other text-based CAPTCHAs in that, no malicious program could perform any segmentation, thresholding, shape matching nor random guessing for edge-detection. During its analysis process for security checks, the mechanism showed better results. However, future algorithms were found to break the graphics CAPTCHA.
In 2014, Nguyen [37] worked on systematically investigating the security strength of text-based CAPTCHAs by focusing on text animation (2D, 3D and 4D). In doing this, a tool box was developed with novel algorithms and attacks to help analyze the alternative to the security of design paradigms. In his work which can be categorized under CAPTCHA recognition, he showed that segmentation-resistance, a widely accepted design in the creation of text-based CAPTCHAs, still remains an indispensable design principle that applies to animated CAPTCHAs like 2D, 3D and 4D. Thus, he proposed a segmentation-resistant CAPTCHA scheme that identified both the character and its location. His approach highly enhanced the principle of segmentation-resistance thereby paving the way for the design of more secured and usable CAPTCHAs. However, the work solely focused on strengthening the development of just one kind of CAPTCHA-textbased.
Woo et al. [38] in their research work focused more on a special kind of Image CAPTCHA-3D CAPTCHA. Image processing has transformed from plain text to 2D and then to 3D. Prior to their work, previous works had already focused on offline pre-processing techniques in breaking 3D CAPTCHAs. In their work grouped under CAPTCHA development, a novel 3D object-based CAPTCHA scheme was proposed to layer the image to be displayed over a 3D object. The prototype developed was presented as a proof of concept that 3D object-based CAPTCHA scheme is an anti-spam mechanism for websites. Their approach was first to ask a user to decipher the 3D object rotation task, e.g. Sketcha. After this, a user will have to solve the 3D text CAPTCHA. It is believed that 3D text recognition, as well as 3D object rotation, while easy for human to solve is a difficult task for a simple machine to solve accurately. The limitation to this work is that there are so many novel approaches that exposes its vulnerability to state-of-the-art vision programs.
Abinaya et al. [39] in their work shed lighter on the important features that distinguish phishing websites from legitimate ones and assess how good rule-based data mining classification techniques are in predicting phishing websites and which classification technique is proven to be more reliable. The authors explored the use of images in the preservation of the privacy of image captcha by segmenting the original image captcha into shares that can then be stored in separate database servers in a way that the real image captcha would only be made available when both segmented images are simultaneously available. In essence, they proposed that the individual sheet images would not necessarily reveal the identity of the real image CAPTCHA. Once the real image captcha is revealed to the user it can be used as the password. A limitation to this work is the fact that either transparent images or layers are required to reveal the information.
Castro et al. [40] in their work categorized under CAPTCHA recognition, analyzed Capy CAPTCHA (a text-based and puzzle-based Image CAPTCHA) for existing vulnerabilities from the perception of a computer bot. In their work, a side-channel attack was presented that does not solve either of the recognition challenges. Rather, a low-cost attack was proposed that leverages on the continuity of the image's size and measurement. The major limitation with this design decision is that it is vulnerable to attacks of significant difference between image sizes that are wide apart (say 10pixels apart).
Chen et al. [41] focused on CAPTCHA recognition and in their work, they reviewed recent developments in the text-based CAPTCHA recognition field. Also, they proposed a CAPTCHA recognition scheme for text-based CAPTCHAs that utilizes a five-stage mechanism in its operation. The mechanisms includes preprocessing, segmentation, combination, recognition, post-processing amongst others.
Chen et al. [42] in their work proposed an attack on hollow CAPTCHA with the aid of merging and accurate-filling. The work which can be categorized as CAPTCHA recognition proposes a framework that supports individual character components through character segmentation that aids classification. The process involves repairing the character contours by a thinning operation and a contour-filling algorithm is then applied to solidify the characters. Segmentation is then introduced to separate the characters and this is closely followed by the utilization of the nearest neighbor algorithm to obtain individual characters void of redundancy. Finally, a convolutionary neural network is introduced to acquire final recognition results. Conclusively, the results from the experiment shows that the proposed method has a higher success rate and a superior efficiency in attack when compared with existing typical attack methods on hollow CAPTCHAs.
Divyashree [43] in his work grouped under CAPTCHA development proposed incorporation of password transmission into the CAPTCHA verification process to aid in determination of the strength of the password especially in certain environment. The Author therefore proposes two unified real-time authentication mechanisms which he named cognitive CAPTCHA and honeypot generation for protecting the information being provided over internet. The significant contribution in his work is the generation of an allinclusive, non-reusable cognitive CAPTCHA rather than relying on external CAPTCHA services for authentication. The essence of designing cognitive CAPTCHA was to have unrestricted access and control of Image conversion in real-time, and this makes the inclusion of a honeypot trap to give a deviation for the spam bots to get trapped thereby eliminating the robot spams. Honeypots and cognitive CAPTCHA are generated in real-time within the website, risks of relying on CAPTCHA service providers, facing denial of services and bearing its cost are completely eliminated.
Yu and Darling [44] in their work categorized under CAPTCHA recognition, presented a low-cost approach which capitalizes on the operation of open-source libraries for an AI-based chosen-plaintext attack. Samples were generated in large quantities from the Python CAPTCHA open-source libraries in modules and then edited in order to track the character's profile placed in the image. Segmentation then occurs by means of a customized convolutionary neural network (CNN) through peak segmentation. Characters present in the segmented samples were then identified using a process called TensorFlow object detection. The experimental results showed that the proposed TensorFlow object detection merged with convolutionary neural network (TOD+CNN) model could break open-source CAPTCHA libraries and could even go further to break external Claptcha-like CAPTCHAs such as Delta40 benchmark.
Ma et al. [45] in their work categorized under CAPTCHA recognition, presented an adaptive median filtering algorithm using divide and conquer that recognizes and breaks CAPTCHA. In their research, they improved efficiency through correlation after the filtering window data was sorted. Next was the adaptive readjustment of the size of the filtering window in order to eliminate the noise density. Superior performance was achieved when compared with the conventional median filters which gives their work an edge. However, one adverse effect of their experiment is that the denoising effect is very poor with images that appear blurry or stroked (examples of that will include Gimppy as well as other 2D, 3D and 4D CAPTCHAs). The effect of the denoising on blurry images causes faulty or wrong recognition. As a recommendation for future work, the Authors planned to further improve the filtering performance under higher noise intensity and severe distortion. Zhang et al. [46] in their work were much more concerned about who is solving a CAPTCHA, a human or a computer bot (which they called a typer). Not only that, but also, when a human is solving, is it intentional or a decoy. In their work which is categorized under CAPTCHA development, it is opined that in modern times, development of CAPTCHAs is being crowdsourced into strange and foreign web applications allowing unsuspecting users (also known as typers) solve the CAPTCHAs for bots unknowingly. The work proposed the introduction of personal (login) information into the CAPTCHA and by extension break the linkup between attackers and the typers. An analysis of the existing CAPTCHA solving mechanism was conducted and this resulted to the introduction of a principle for blocking the typers. The methodology was subsequently tested with two web applications and the resultant effect was the incorporation of a generation algorithm to tolerate human error and in the process complicate matters for typers. While it is a known fact that typers can randomly guess attack albeit at a very low success rate, a legitimate user (human, with intent) would accurately solve same CAPTCHA within seconds.
Recently, in the area of object recognition, the results that has been obtained with the help of DCNN cannot be over-emphasized. Every research work in the area of object recognition has been all about improvement in performance of DCNN. Beginning from Image recognition [47], handwriting recognition [48], face recognition [49] and also CAPTCHA recognition [50]. CNN are neural networks having tied parameters for a range of neurons. Like other neural networks, they are made up of several filtering layers and each layer applies an affine transformation to the vector input followed by an elementwise non-linearity.
However, for convolutional networks, the affine transformation are usually implemented as a discrete convolution in the place of a fully general matrix multiplication which other network uses. This sole attribute of convolutional networks makes them computationally efficient in that it allows them scale to large images and also builds equivariance to translation into the model. DCNN on the other hand has a high performance which is very much dependent on supervised learning of model parameters. Also, considering the fact that DCNN has a low recognition accuracy in confusion class makes it the directional path to tread when it comes to CAPTCHA development.
Chen et al. [51] in their work proposed a two-stage DCNN class that allows the integration of both the all-class DCNN and also the confusion class DCNN. In their work, categorized under CAPTCHA recognition, they developed a two-staged deep convolutionary neural network (DCNN) framework that uses selective learning confusion class (SLCC) for Text-based CAPTCHA recognition. Contrary to what exists in other frameworks, their work improved accuracy by equipping confusion class samples on DCNN. In doing this, a confusion relation matrix was constructed that focus attention on relationship between classes as opposed to the number of confusing characters in each class. A set partition algorithm was proposed and this algorithm divided multiple subsets based on confusion relation matrix. The CAPTCHA recognition accuracy of confusion classes was thereby increased by training and validating learning algorithm as proposed.
Results from the experiment shows that compared with the existing methods for CAPTCHA recognition, the proposed method delivered higher success rate than its counterparts. In doing this, they were able to construct a relational class that enhances the relationship between other confusion classes which further made analysis of all-class DCNN possible. Furthermore, partition algorithms that divides confusion class into multiple subsets was introduced, and with these, validating and training interactive learning algorithm was produced. The result of their work was an improved text-based CAPTCHA recognition accuracy by 1.4% to 39.4%.

RESEARCH MODEL
Kitchenham and Charters [52] presented a model for carrying out systematic literature review which was adopted alongside the fundamentals towards a seamless conduct of study as presented by Höst and Alagić [53].

Research question
The focus of this study is to provide an answer to the research question below:

What is the trend of research work and the level of interest that researchers are picking in CAPTCHA design and recognition, with a special review of the latest and most researched issues and category?
In order to aid a definitive answer to this question, a review of current works in literature was carried out.

Reasons for considering studies in this review in this field
In recent times, the process of gathering relevant information on intrusion detection systems based on diverse literature was topmost on web security. However, the work was finally restricted to the CAPTCHA domains, this is in tandem with the work of [54], [55]. The detailed inclusion and exclusion criteria applied to this review are illustrated in the Table 1.

Strategies for searching for relevant publications
Diverse steps were considered in the process of gathering literatures. Elsevier, Journal of Science, Researchgate, ScienceDirect, ACM Digital Library, IEEEXplore and SpringerLink were key players in this quest. Search terms were particularly in the following categories of interest: Intrusion detection systems, CAPTCHAs, CAPTCHA development and recognition, and current trends in CAPTCHA. Every of the categories of search terms were used either in isolation or concatenated using the regular Boolean operators "AND" and "OR". Table 1 as shown below is the systematic literature and information search strategy.
A test for synonyms engaged in the literature was adopted using a selection and combination of keywords and this assisted in covering a variety of latest and relevant publications on CAPTCHA development in CNN. The search terms below were engaged. The following combinations of search terms were applied: CAPTCHA OR CAPTCHA review or intrusion detection systems or CAPTCHA recognition or CAPTCHA development or CAPTCHA literature review or CAPTCHA mechanism or recent works on CAPTCHA or Application of AI techniques in CAPTCHA or CNN in CAPTCHA or DCNN and Information technology or computer science.

RESULTS AND DISCUSSION
Initially, this search mechanism utilized above produced a total selection of n=258 publications; out of these, n=173 were chosen from databases (search steps 1 and 2, Table 2). Also, n=25 were selected through open search on websites and establishing contacts with individuals (search steps 3-5, Table 2). In step 1, we took off n=130 articles based on the relevance to the study and consideration of the language of communication, title and deletion of duplicates. The remaining n=128 publications were then reviewed, and a further n=58 got eliminated for not meeting the inclusion criteria as indicated in Table 2.

4307
The final step of selection had us focusing on the impact of CNN and DCNN on CAPTCHA development and recognition with a comprehensive discussion including all authors, and this led to the inclusion of an additional study from the references list in one of the publications on DCNN. Conclusively, 70 studies were identified to have fulfilled all the established selection criteria and were thereby included in this review.

Search string
The research scope was never in doubt right from inception with a directional search geared towards the concept, prediction techniques, research gaps, and suggestions. The Research question and choice of words were a direct product of the problem definition, and this is what pointed us to only standard and referred databases [57]. The combination of keywords was essentially to test for titles of articles that are similar and to ensure an in-depth coverage of relevant publications on CAPTCHA design in intrusion detection systems [58]. The different search string combinations are as listed in section 3.3 earlier.

Purpose of review
This review is an array of research areas focused on intrusion detection systems, employed machine learning techniques, and CAPTCHA development and recognition. Worthy of note is the fact that although CAPTCHA reviews have been regularly carried out, no systematic literature review for current trends in CAPTCHA development and recognition is in existence but rather in CAPTCHA as an IDS or the workability of different types of CAPTCHA. The works of [59]- [61] are on IDS generally using specific approaches but not reviews. CAPTCHA development and recognition using hybrid approaches. In [62], hybrid approaches were employed to solve CAPTCHAs but yet, none is a systematic literature review in that domain to give directions of research. Different algorithmic CAPTCHAs also received attention in various ways based on diverse approaches, [63]. Furthermore, a hybrid approach; and hybrid approaches utilizing Machine Learning concepts like CNN and DCNN in [64], [65]; while [66] is a study on CAPTCHA which also doubles as survey on CAPTCHA development techniques. Review of different kinds of CAPTCHA techniques was done in [67]- [69].

Research challenges
Bias is a significant challenge when it comes to systematic reviews of literatures. Hence, in ensuring there was no bias in the search categorization, inclusion or exclusion criteria were introduced to help the decision-making process, it was ensured that selected papers were thoroughly scrutinized by each of the collaborating researchers for this work. Table 3 shows details of this. Although, the choice of search strings was strategic in determining the list of papers utilized, a minute change in the strings used for this work would have produced different set of relevant publications from what is presented here. However, our systematic review could still have an element of bias, because the databases consulted, indexed more of the renowned conferences and journals on the subject of machine learning in development and recognition of CAPTCHA; hence, the views of low class publications are ignored. Conclusively, searching further non-English sources will definitely afford a reduction in the possible bias in the study.
From this review, it was observed that a lot of work went into intrusion detection system from 2001 to date. The volume of publications in the domain in the decade at the turn of the millennium was almost doubled between 2011 and 2015, and also having a few review publications for the analysis. Also, there was a consistent increase in the number of publications from 2011, showing more attention in algorithmic infusion into CAPTCHA development using machine learning in the academia. The last few years 2018 and 2019 precisely have witnessed an unprecedented high in publications. Majority of these publications for 2018 and 2019 might not be readily available for analysis; which is evident in the drop in the number of publications accessed. Table 4, 62% of the papers analyzed were from journals; 35% came from conferences while the remaining 3% stems from symposiums and workshops as depicted in Figure 2. The exploration of standard and robust databases afforded us the privilege of ignoring the views of low class publications. Furthermore, our focus was on papers written in only English language. The knowledge presented here therefore does not represent the two aforementioned classes which could have significantly afforded a more robust and in-depth analysis.
Findings of this review having the research questions in mind are as follow: Research Question -What is the trend of research work and the level of interest that researchers are picking in CAPTCHA design and recognition, with a special review of the latest and most researched issues and category?
It was discovered that the latest works on CAPTCHAs have a few things in common:  They focus more on either development or recognition of CAPTCHA and;  Machine Learning and Deep Learning algorithms are the new phase of CAPTCHA.  (CNN and DCNN) approaches, intrusion detection system is yet to receive adequate attention even though it takes its toll on cybersecurity and how conglomerates, consortiums and organizations fall victim of this anomaly. Request for information and related texts from colleagues Establishing contact with colleagues in the academia for required helpful information and pointers to the research 5 Full-text journals Elsevier, Journal of Science, Researchgate, ScienceDirect, ACM Digital Library, IEEEXplore and SpringerLink 6 Personal mailing requests to authors of impactful publications for full texts, additional information.
Request for full text of publications not available without a particular subscription or payment Table 4. Yearly distribution of reviewed papers

CONCLUSION
In this survey paper, a systematic literature review has been carried out on current trends in Intrusion Detection Systems with a focus on CAPTCHA development and recognition, in order to understand the trend of research interests so far in CAPTCHAs in the context of development and recognition based on both the currently researched issues. The articles that aided this survey have highlighted deep learning algorithms and machine learning techniques to both detect and design new forms of CAPTCHA in order to further enhance the security systems of web applications with the engagement of several approaches prominent amongst which is the hybrid techniques. Machine learning and deep learning algorithms, types, forms, and security, accuracy and performance measures are of importance in the review. The survey reveals that although CAPTCHAs as a form of Intrusion detection systems is widely accepted in web applications, its workability, performance, accuracy and security is not only based on the algorithm and mechanism put to use, but also a function of the type of CAPTCHA, data pre-processing, how the hybrid techniques are combined, and several other factors. This paper would guide future researchers in their choice of CAPTCHA development and recognition techniques to use and a pointer to available and possible improvements on some of the existing techniques. He is the author of more than 150 research papers in national and international journals, books, book chapters and conference proceeding articles. He has attended many international conferences throughout the world and chaired some technical sessions. His research interest is in the areas of machine intelligence, mobile computing, image processing and exponential technology for smart city development. He had examined several postgraduate theses, dissertations and assessed research publications for professorial appointments both nationally and internationally. He has graduated over 250 Undergraduates, 29 Master's and 13 Doctorate degree students in computer science and information technology. Professor Olugbara was a recipient of many awards that include the International