A Hybrid CAPTCHA Combining Generative AI with Keystroke Dynamics for Enhanced Bot Detection
Ayda Aghaei Nia
TL;DR
This paper tackles bot proliferation in web CAPTCHAs by proposing a hybrid system that combines dynamic, LLM-generated cognitive challenges with behavioral biometrics based on keystroke dynamics. The architecture uses a secure client-server setup in which the LLM creates a novel question, the answer is hashed with SHA-256, and only the question-hash pair is exposed to the client; the behavioral layer analyzes inter-key latency $F_i = t_{i+1} - t_i$ and total duration $T_{total} = t_n - t_1$, together with the latency mean $\mu_F$ and standard deviation $\sigma_F$. A heuristic classifier accepts a submission only if the answer hash matches, no paste events occurred, and the biometric features satisfy the thresholds $\sigma_F > \theta_{\sigma}$ and $T_{total} > \theta_{t}$, with $\theta_{\sigma} = 20\,\text{ms}$ and $\theta_{t} = 150\,\text{ms}$; in experiments this yields strong detection of both paste-based and typing-simulation bots while maintaining usability. The results demonstrate high human usability (87% first-attempt success, 100% within two attempts) and perfect bot detection, underscoring the potential of combining cognitive and behavioral tests for a more secure and user-friendly CAPTCHA paradigm; future work includes ML-based behavioral modeling and multimodal biometrics for enhanced robustness and scalability.
Abstract
Completely Automated Public Turing tests to tell Computers and Humans Apart (CAPTCHAs) are a foundational component of web security, yet traditional implementations suffer from a trade-off between usability and resilience against AI-powered bots. This paper introduces a novel hybrid CAPTCHA system that synergizes the cognitive challenges posed by Large Language Models (LLMs) with the behavioral biometric analysis of keystroke dynamics. Our approach generates dynamic, unpredictable questions that are trivial for humans but non-trivial for automated agents, while simultaneously analyzing the user's typing rhythm to distinguish human patterns from robotic input. We present the system's architecture, formalize the feature extraction methodology for keystroke analysis, and report on an experimental evaluation. The results indicate that our dual-layered approach achieves a high degree of accuracy in bot detection, successfully thwarting both paste-based and script-based simulation attacks, while maintaining a high usability score among human participants. This work demonstrates the potential of combining cognitive and behavioral tests to create a new generation of more secure and user-friendly CAPTCHAs.
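The verification pipeline sketched in the TL;DR and the abstract (SHA-256 answer hash, paste-event check, then the keystroke thresholds on $\sigma_F$ and $T_{total}$) is illustrated below as an added, self-contained example; it is not the paper's own code. The function names (`issue_challenge`, `extract_features`, `verify`), the lower-case/strip normalization of the answer before hashing, the use of the population standard deviation for $\sigma_F$, and the client-reported `paste_detected` flag are assumptions of this example. The LLM question generation is replaced by a constructed question/answer pair, and the keystroke timestamps for the human and the three bot cases are constructed sample data.

```python
import hashlib
import hmac
import statistics
from dataclasses import dataclass
from typing import List, Tuple

# Thresholds as stated in the paper: sigma_F > 20 ms and T_total > 150 ms.
THETA_SIGMA_MS = 20.0
THETA_T_MS = 150.0


def answer_hash(answer: str) -> str:
    """SHA-256 of the normalized answer (normalization is an assumption here)."""
    return hashlib.sha256(answer.strip().lower().encode("utf-8")).hexdigest()


def issue_challenge(question: str, answer: str) -> dict:
    """Server side: keep the hash, send the client only the question-hash pair.
    In the paper the (question, answer) pair comes from an LLM; here it is constructed."""
    return {"question": question, "answer_hash": answer_hash(answer)}


@dataclass
class KeystrokeFeatures:
    latencies_ms: List[float]   # F_i = t_{i+1} - t_i
    total_ms: float             # T_total = t_n - t_1
    mean_ms: float              # mu_F
    std_ms: float               # sigma_F (population std-dev, an assumption)


def extract_features(timestamps_ms: List[float]) -> KeystrokeFeatures:
    """Compute the keystroke-dynamics features from per-key timestamps."""
    if len(timestamps_ms) < 2:
        # A pasted answer yields at most one key event: no latencies at all.
        return KeystrokeFeatures([], 0.0, 0.0, 0.0)
    latencies = [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]
    return KeystrokeFeatures(
        latencies_ms=latencies,
        total_ms=timestamps_ms[-1] - timestamps_ms[0],
        mean_ms=statistics.fmean(latencies),
        std_ms=statistics.pstdev(latencies),
    )


@dataclass
class Submission:
    answer: str
    key_timestamps_ms: List[float]
    paste_detected: bool


def verify(expected_hash: str, sub: Submission) -> Tuple[bool, str]:
    """Heuristic classifier: all four conditions must hold to accept."""
    if not hmac.compare_digest(answer_hash(sub.answer), expected_hash):
        return False, "wrong answer"
    if sub.paste_detected:
        return False, "paste event"
    feats = extract_features(sub.key_timestamps_ms)
    if feats.std_ms <= THETA_SIGMA_MS:
        return False, "latency too regular"   # fixed-delay typing simulation
    if feats.total_ms <= THETA_T_MS:
        return False, "typed too fast"        # jittered but superhuman speed
    return True, "accepted"


# Constructed challenge and constructed submissions (not data from the paper).
CHALLENGE = issue_challenge("How many days are in a week, spelled out?", "seven")
EXPECTED_HASH = CHALLENGE["answer_hash"]

HUMAN = Submission("Seven", [0, 210, 330, 520, 640], paste_detected=False)
PASTE_BOT = Submission("seven", [0], paste_detected=True)
SCRIPT_BOT = Submission("seven", [0, 50, 100, 150, 200], paste_detected=False)
FAST_BOT = Submission("seven", [0, 5, 60, 70, 130], paste_detected=False)
WRONG_ANSWER = Submission("six", [0, 180, 300, 470, 600], paste_detected=False)

if __name__ == "__main__":
    for name, sub in [("human", HUMAN), ("paste bot", PASTE_BOT),
                      ("script bot", SCRIPT_BOT), ("fast bot", FAST_BOT),
                      ("wrong answer", WRONG_ANSWER)]:
        print(f"{name:13s} -> {verify(EXPECTED_HASH, sub)}")
```

The checks run in the order the paper lists them, and the hash comparison uses `hmac.compare_digest` so that the server does not leak timing information about the expected digest. Because the paste flag and the timestamps are supplied by the client, the two timing thresholds are what catch a script that forges `paste_detected=False`: a fixed-delay simulation fails on $\sigma_F$, and a jittered one that finishes in under 150 ms fails on $T_{total}$.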
