A significant problem facing the Internet community is that on-line businesses and organizations are vulnerable to malicious attacks. Recently, attacks have been committed using a wide arsenal of attack techniques and tools targeting both the information maintained by the online businesses and their IT infrastructure. For example, recently identified attacks have been committed using a combination of attack techniques at the network and application levels. Attackers use different tools to execute different attack techniques. Each such attack tool is designed to exploit weaknesses identified in one of the target's defense layers.
An example for such an attack tool is a Web robot, also known as a botnet or bot (which will be referred to hereinafter as a “bot”). A bot is a software application programmed to execute automated tasks over the Internet. Typically, bots are programmed to perform tasks that are simple and structurally repetitive at higher rate than a human end user. Commonly, malicious users often use a bot as a means to execute denial-of-service (DoS) attacks, HTTP or HTTPS flood attacks, click frauds, and to spam large amounts of content over the Internet.
Anti-bot techniques typically attempt to verify that a transaction is initiated by a legitimate client application (e.g., web browser) and is under control of the user. Examples for such techniques are a SYN cookie, a web redirect (e.g., 302 HTTP redirect message), a JavaScript challenge, CAPTCHA, and the like.
In a CAPTCHA action, an image is sent to the user device. The image includes alphanumeric characters that are difficult to recognize for an OCR program, but are visible to a human. The user is verified if the characters as entered by the user correspond to the characters in the image.
The JavaScript challenge requires the client (web browser) to include a JavaScript engine (or enable execution of a JavaScript) in order to view the web page or to perform any action in a webpage. Other JavaScript redirect challenges invite the browser on the client device to respond to such a message by a request for a new URL specified in the redirected message, or to wait for an input from the user. The SYN cookie techniques validate the IP address of the client issuing the transaction. However, such a technique can be easily bypassed by an attack tool (or an application) that owns a real IP address (not a spoofed address). Current attack tools executing bots are designed to implement redirection mechanisms by default. For example, the JavaScript redirect challenge can be bypassed using a parser and without any JavaScript engine operable in the attack tool. A simple parser is sufficient to bypass the challenge as the JavaScript are static with constant information that should be revealed.
The CAPTCHA action has been determined to be more effective, over the other actions, in confirming that a transaction is issued by a human and not malware. However, at the same time, this technique negatively affects the user experience while accessing the web services. The redirect challenges, on the other hand, are seamless for a legitimate user.
Therefore, it would be advantageous to provide an efficient solution for detecting malicious bots and verifying legitimate clients.