A bot is a software application that is configured to execute automated tasks, often over large networks such as the Internet. Bots can be used to perform helpful functions but are often employed for more nefarious purposes. Botnets are collections of coordinated bots that run over one or more systems and can be programmed to execute harmful code. Because botnets are often implemented using infected home computers or Internet of Things (IoT) devices with random Internet Protocol (IP) addresses, or virtual machines that can regularly change identifying characteristics such as their MAC address or IP address, it can be difficult to identify, track and block attacks initiated by such botnets. Botnets can share an attacked system with legitimate users such that their presence is effectively hidden.
Advanced botnets utilize machine learning techniques to better coordinate an attack. Such techniques are used to alleviate the Command and Control (C&C) burden, optimize the attack, and circumvent countermeasures. One common technique is based on swarm intelligence, which allows for self-organization of botnets.
The Open Web Application Security Project (OWASP) foundation has classified automated threats (bots) against web applications into six categories: Account Credentials, Availability of Inventory, Abuse of Functionality (other), Payment Cardholder Data, Vulnerability Identification, and Denial of Service (DoS). The nature and operation of the threats in each category differ and should be handled differently. For example, the “Availability of Inventory” category covers threats such as Denial of Inventory, Scalping, and Sniping, whereas the “Vulnerability Identification” category includes vulnerability scanning, footprinting, and fingerprinting. As such, different detection and mitigation techniques should be utilized for different types of detected threats.
Existing anti-bot solutions use a simple “human or machine” test to establish trust and security context, i.e., a human is trusted but a machine is not. Current solutions utilize interactive challenges to verify that a transaction is initiated by a legitimate client application (e.g., a web browser) and is under the control of a human. Examples of such challenges are a SYN cookie, a web redirect (e.g., a 302 HTTP redirect message), a JavaScript challenge, a CAPTCHA, and the like, used individually or orchestrated into a single flow.
Establishing security context and trust based on web challenges suffers from several limitations. For example, such challenges require an interactive session with a client device. Further, at least a CAPTCHA challenge also requires a graphical user interface (GUI). As such, the challenges negatively affect the user experience while accessing web services. In addition, challenges that require a GUI cannot support machine-to-machine authentication, such as through Application Programming Interfaces (APIs). This is a major disadvantage since many of today's legitimate clients, such as IoT devices, are not equipped with suitable GUIs. Further, CAPTCHAs can be bypassed using “sweatshops.”
Further, in the related art, existing anti-bot solutions rely on tracking user activities and devices using “fingerprinting” techniques to monitor and identify bot activity. A fingerprint of a computing device is information collected about the device (e.g., a smartphone) for identification. Fingerprints can be used to fully or partially identify individual users or devices even when cookies are turned off. Tracking user activity includes collecting behavioral data over time.
Generating a unique fingerprint for a large number of devices requires the fingerprint to be very sensitive to variations in the collected data. As a result, such fingerprints become less stable over time, and a device may not exhibit the same fingerprint over time, which adversely affects the value of the collected data. Fingerprinting techniques are also susceptible to spoofing: a bot may actively modify its fingerprint to alter its historical data or to present its data as that of another device. Further, anti-bot solutions incur computational penalties when validating fingerprints.
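As an added illustration, not part of the original text, the following Python models the uniqueness-versus-stability tradeoff described above on a constructed device population: a fingerprint hashed over every collected attribute is near-unique but breaks for every device that receives a routine browser update, whereas a fingerprint over only the coarse hardware-like attributes survives updates but collides across many devices. The attribute spaces, population size and update schedule are constructed assumptions.

```python
import hashlib
import random
from collections import Counter

# Constructed attribute spaces (illustrative only, not from the source text).
BROWSERS = ["Chrome/118", "Chrome/119", "Firefox/119"]
SCREENS = ["1920x1080", "1366x768", "2560x1440"]
TIMEZONES = ["UTC-5", "UTC+1", "UTC+9"]
FONTS = ["fontset-a", "fontset-b", "fontset-c", "fontset-d"]

FINE_KEYS = ("browser", "screen", "timezone", "fonts")  # sensitive: every attribute
COARSE_KEYS = ("screen", "timezone")                     # stable: hardware-like only


def fingerprint(attrs, keys):
    """Hash the selected attributes in a fixed order; the hash is only as stable as its inputs."""
    canon = "|".join(f"{k}={attrs[k]}" for k in keys)
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def build_population(n=200, seed=1):
    """Constructed population of n devices drawn uniformly from the attribute spaces."""
    rng = random.Random(seed)
    return [{"browser": rng.choice(BROWSERS), "screen": rng.choice(SCREENS),
             "timezone": rng.choice(TIMEZONES), "fonts": rng.choice(FONTS)}
            for _ in range(n)]


def drift(attrs, updated):
    """Simulate the passage of time: an updated device reports a new browser version."""
    if not updated:
        return attrs
    name, ver = attrs["browser"].split("/")
    return {**attrs, "browser": f"{name}/{int(ver) + 1}"}


def evaluate(devices, keys, update_every=2):
    """Return (uniqueness, stability) for a fingerprint built from `keys`.

    uniqueness: fraction of devices whose fingerprint is shared with no other device.
    stability:  fraction of devices whose fingerprint is unchanged after every
                `update_every`-th device receives a browser update.
    """
    before = [fingerprint(d, keys) for d in devices]
    counts = Counter(before)
    uniqueness = sum(1 for f in before if counts[f] == 1) / len(devices)
    after = [fingerprint(drift(d, i % update_every == 0), keys)
             for i, d in enumerate(devices)]
    stability = sum(1 for b, a in zip(before, after) if b == a) / len(devices)
    return uniqueness, stability


if __name__ == "__main__":
    pop = build_population()
    print("fine   (uniqueness, stability):", evaluate(pop, FINE_KEYS))
    print("coarse (uniqueness, stability):", evaluate(pop, COARSE_KEYS))
```

Tuning which attributes enter the hash moves a deployment along this curve; no choice of attributes avoids the fact that the inputs are client-reported and can be replaced wholesale.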
Furthermore, existing anti-bot solutions attempt to cross-correlate the collected data with device or personal information such as, for example, a user name, a phone number, or login credentials. As such, existing anti-bot solutions breach the privacy of users, and thus may not be effective under privacy regulations. For example, the General Data Protection Regulation (GDPR) prohibits sharing devices' fingerprints across sites.
Currently, there is no available cyber-security solution that provides effective detection while maintaining the privacy of users. Therefore, with malicious bot activity accounting for about a third of all Internet traffic, it would be advantageous to provide an efficient solution that cures the deficiencies of existing anti-bot solutions.