Thesis/Dissertation 110522063 Detailed Record




Name 連育陞 (Yu-Sheng Lian)   Department Computer Science and Information Engineering
Thesis Title
(Utilizing OCR Technology to Prevent Inconsistent Actions Triggered by a Cookie Banner Button)
Related Theses
★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm
★ Discoverer - Real-Time Rootkit Detection System
★ A Detection and Defense Mechanism for Scam SMS Messages on Android Phones
★ SRA System for Defending Against ARP-Spoofing Router Hijacking
★ A Solution for Detecting and Defending ARP Spoofing on Virtual Machines
★ An Automated Real-Time Counterattack System Against Remote Buffer Overflow Attacks
★ Real-Time Serum System: An Automated Worm-Curing System with an Offensive Barrier
★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks
★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection
★ Shark: Phishing Information Recycling from Spam Mails
★ FFRTD: Beat Fast-Flux by Response Time Differences
★ Antivirus Software Shield against Antivirus Terminators
★ MAC-YURI : My ACcount, YoUr ResponsIbility
★ KKBB: Kernel Keylogger Bye-Bye
★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment
Files   Full text available for viewing in the system after 2028-6-30
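Abstract (Chinese) On May 25, 2018, the European Union began enforcing the General Data Protection Regulation (GDPR), which requires websites related to Europe to inform users and obtain their consent before using their personal information, including cookies, on the website.
Although this requirement seems reasonable, the way consent is obtained forces users to perform a click on every newly visited website to get the best web experience. In this situation, users inadvertently develop the habit of quickly "accepting" whatever a website asks for so that they can quickly browse the content they want. This habit may lead users to unknowingly "accept" malicious actions requested by attackers on the web.
We therefore used optical character recognition (OCR) technology to develop a Chrome extension that gives the browser visual perception. A browser that previously operated only through listeners gains the ability to perform visual analysis: by simulating the user's eyes and analyzing what is seen, it examines whether the observed behavior is inconsistent with the text of the web page component, and finally takes appropriate preventive measures.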
Abstract (English) On May 25, 2018, the European Union implemented the General Data Protection Regulation (GDPR), which regulates that websites related to Europe must inform users and obtain their consent to utilize their personal data, including cookies, on web pages.
While this regulation may seem reasonable, the method of obtaining consent has resulted in users having to click on the "Accept" buttons on every new website to achieve the best website experience. However, inadvertently developing a habit of automatically agreeing without fully understanding the implications may lead to unknowingly consenting to malicious activities perpetrated by individuals with deceptive intentions on the internet.
Therefore, we developed a browser extension utilizing OCR technology to provide the Chrome browser with visual perception capabilities. This extension allows the browser, which traditionally relies solely on listener actions, to simulate the visual content perceived by users. By analyzing the text on the buttons, we aim to detect inconsistencies between the observed behavior and the intended purpose of webpage components, and subsequently implement preventive measures.
Keywords (Chinese) ★ Data Protection Regulation
★ Optical Character Recognition
★ Extension
★ Clickjacking
Keywords (English) ★ GDPR
★ OCR
★ extension
★ Clickjacking
★ cookie banner
Table of Contents Chinese Abstract
Abstract
Acknowledgments
Table of Contents
List of Figures
Chapter I. Introduction
Chapter II. Background
2.1 Clickjacking
2.2 OCR
2.2.1 How does OCR work?
2.2.2 What are the benefits of OCR?
2.2.3 Tesseract OCR
2.3 Chrome Extension
2.4 Legal History of Cookie Banners
Chapter III. Related Work
3.1 Early Research on Clickjacking: Analysis of Attacks and Defenses
3.2 Advancements in Clickjacking Defense Mechanisms Over Time
3.3 Clickjacking Defense Mechanisms in Recent Times
Chapter IV. Threat Model
4.1 Vulnerabilities
4.2 Possible New Attacks
Chapter V. System Design
5.1 Design Principle
5.2 Eye of Horus (EoH)
5.2.1 Detector of EoH
5.2.2 Analyzer of EoH
5.2.3 Judger of EoH
Chapter VI. Evaluation
6.1 Experiment I: The Accuracy of Tesseract OCR
6.2 Experiment II: The performance of Tesseract OCR faces up to real-world cookie banner buttons
6.2.1 Problems
6.3 Observation of the consent texts on cookie banner buttons
6.4 Observation of the download buttons
6.5 Detection accuracy of EoH
Chapter VII. Discussion
7.1 Results
7.2 Limitation and Future Work
Chapter VIII. Conclusion
Reference
Advisor 許富皓 (Fu-Hau Hsu)   Approval Date 2023-7-20