Recent studies show that 20.4% of internet traffic originates from automated agents. To identify and block such ill-intentioned traffic, mechanisms that verify the humanness of the user are widely deployed, with CAPTCHAs being the most popular. Traditional CAPTCHAs require extra user effort (e.g., solving mathematical puzzles), which can severely degrade the end-user's experience, especially on mobile, and provide only sporadic humanness verification of questionable accuracy. More recent solutions, like Google's reCAPTCHA v3, leverage user data, thus raising significant privacy concerns. To address these issues, we present zkSENSE: the first zero-knowledge proof-based humanness attestation system for mobile devices. zkSENSE moves human attestation to the edge: onto the user's own device, where the humanness of the user is assessed in a privacy-preserving and seamless manner. zkSENSE achieves this by classifying the motion sensor outputs of the mobile device with a model trained on both publicly available sensor data and data collected from a small group of volunteers. To ensure the integrity of the process, the classification result is enclosed in a zero-knowledge proof of humanness that can be safely shared with a remote server. We implement zkSENSE as an Android service to demonstrate its effectiveness and practicality. In our evaluation, we show that zkSENSE successfully verifies the humanness of a user across a variety of attack scenarios and achieves 92% accuracy. On a two-year-old Samsung S9, zkSENSE's attestation takes around 3 seconds (whereas visual CAPTCHAs need 9.8 seconds) and consumes a negligible amount of battery.