On the surface, bot detection seems simple: you want to detect bad bots accurately, with a low rate of false positives (so you don't block legitimate human users and good bots) and a low rate of false negatives (so you catch ALL the bad bots). Go below the surface, though, and the challenges of detection become much more complex.
There’s a good reason why analyst firm Forrester has cited attack detection as one of the major selection considerations for bot management solutions. The quality of detection determines the quality of the solution. And as attacking bots become ever more sophisticated, detection becomes ever more challenging.
To illustrate these points, consider the example of a bot attack aimed at cracking passwords. A bot management solution could apply several methodologies to detect the attack by:
- Tracking the average rate of unsuccessful login attempts and flagging abnormal deviations from it. Unfortunately, this approach is not sufficiently accurate and, more importantly, does not identify the attack source. Thus, any mitigation will be ineffective or will have a significant customer experience impact.
- Looking at each source IP address and correlating activity over time to allow detection of active IPs generating unsuccessful login attempts. However, if the attack source is dynamically rotating its IP addresses, this methodology will be blind to the attack.
- Correlating the activity over time for each source by device fingerprint. But again, if the attack source is dynamically modifying its device fingerprint, the methodology will miss the mark.
A more sophisticated detection will correlate activity over time across IPs, device fingerprints, mobile device attributes and sensors, as well as other attributes, to provide comprehensive analysis for accurate attack source detection.
Here’s an overview of the basic functionality you need to mitigate — or manage — bots:
- A session is a single context from a single user or client accessing your app. A bot manager must add a cookie in the web environment or a token in the API environment in order to monitor and analyze session context.
- A bot manager must correlate all the behaviors of all sources across all sessions for the purpose of attack detection. Those behaviors should include the volume, nature and frequency of transactions, and the navigation flow.
- A bot manager should be able to uniquely identify sources. Consider the simple example of an attacker trying to crack a particular user’s password. Suppose it tries three times to log in with a dictionary password before switching to another IP. In such a scenario, IP-based identification of the attack source is ineffective, and you’re blind to the attack.
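As an added illustration of the correlation described above (the password-cracking methodologies and the IP-switching attacker in the last bullet), not code from the original article: a Python sketch that counts failed logins per IP and per device fingerprint, then chains attempts sharing either attribute into one source with union-find. The log lines, fingerprint labels and threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed sample log (not from the article): "ip fingerprint account result".
# One source guesses alice's password, rotating its IP every 3 attempts and its
# device fingerprint every 4; bob mistypes his password twice and then logs in.
SAMPLE_LOG = """\
203.0.113.10 fp-A alice FAIL
203.0.113.10 fp-A alice FAIL
203.0.113.10 fp-A alice FAIL
203.0.113.11 fp-A alice FAIL
203.0.113.11 fp-B alice FAIL
203.0.113.11 fp-B alice FAIL
203.0.113.12 fp-B alice FAIL
203.0.113.12 fp-B alice FAIL
198.51.100.7 fp-bob bob FAIL
198.51.100.7 fp-bob bob FAIL
198.51.100.7 fp-bob bob OK
"""

def parse(log):
    return [tuple(line.split()) for line in log.splitlines() if line.strip()]

def fails_by(events, field):
    """Single-attribute view: failed attempts per IP (field=0) or fingerprint (field=1)."""
    counts = defaultdict(int)
    for ev in events:
        if ev[3] == "FAIL":
            counts[ev[field]] += 1
    return dict(counts)

def correlated_sources(events):
    """Chain attempts that share an IP *or* a fingerprint into one source (union-find)."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        if parent[x] != x:
            parent[x] = find(parent[x])  # path compression
        return parent[x]
    for ip, fp, _, _ in events:
        parent[find(("ip", ip))] = find(("fp", fp))  # union the two attribute nodes
    sources = defaultdict(lambda: {"ips": set(), "fps": set(), "fails": 0})
    for ip, fp, _, result in events:
        src = sources[find(("ip", ip))]
        src["ips"].add(ip)
        src["fps"].add(fp)
        src["fails"] += result == "FAIL"
    return dict(sources)

def flagged(events, threshold=5):
    return [s for s in correlated_sources(events).values() if s["fails"] >= threshold]
```

Per IP the attacker never exceeds 3 failures and per fingerprint never exceeds 4, so neither single-attribute count reaches the threshold, while the chained source shows 8 failures and yields the full set of IPs and fingerprints to act on. Chaining on a shared IP alone will merge unrelated clients behind a NAT, so read this as the linking idea rather than a production scoring model.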