Human-like bots now operate using techniques such as ‘low and slow’ to evade security measures, and leverage cloud data centers, infected devices, malware-laden applications and even hijacked behavioral characteristics to try to slip past bot detection systems. It’s an unending and increasingly sophisticated arms race between bot developers and security experts, and any effective bot management solution must necessarily evolve to stay abreast of the most insidious threats extant today.
Let’s look at the core detection capabilities that we consider essential for a bot management solution:
1. Ability to monitor and analyze session context
A ‘session’ is a single instance of a single user or client accessing a website or app. To monitor and analyze any visitor’s behavior and intent in the context of a session, a bot manager must be able to insert a cookie in the web/app environment (or a token in the API environment).
2. Behavior correlation across sessions
To effectively analyze intent and detect attacks, even if a bot’s visits occur over non-contiguous time periods, a bot manager must correlate all the behaviors of all sources across all sessions, including volume, nature, frequency of transactions and navigation flow.
3. Ability to uniquely identify sources
Let’s say that an attacker tries to crack a particular user’s password by using three dictionary-based login guesses that all originate from a single IP address, and then switches to a different IP address. In this scenario, relying on IP-based identification is futile. This is why device fingerprinting is critical: it supplies identifying information that stays stable while an attacker rotates through a multitude of IPs. It’s essential for a bot manager to be able to identify behavior and context over multiple sessions spanning different IP addresses and devices. This requires embedding device fingerprints into the application’s data flow to and from the bot detection engine.
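As an added illustration of items 2 and 3 (example code, not from the original post), the following deterministic rule counts failed logins per source within a time window, once keyed by IP address and once by device fingerprint. The event list is constructed, and the `fingerprint` field is an assumed name for whatever identifier the application embeds into its data flow.

```python
import bisect
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class LoginEvent:
    ts: int           # seconds since the start of observation
    ip: str
    fingerprint: str  # device fingerprint carried in the app's data flow (assumed field)
    user: str
    success: bool

# Constructed sample: the attacker makes three guesses from one IP, then three more
# from a second IP; a legitimate user mistypes twice and then logs in.
EVENTS = [
    LoginEvent(0,   "203.0.113.10", "fp-a1b2", "alice", False),
    LoginEvent(20,  "203.0.113.10", "fp-a1b2", "alice", False),
    LoginEvent(40,  "203.0.113.10", "fp-a1b2", "alice", False),
    LoginEvent(60,  "198.51.100.7", "fp-a1b2", "alice", False),
    LoginEvent(80,  "198.51.100.7", "fp-a1b2", "alice", False),
    LoginEvent(100, "198.51.100.7", "fp-a1b2", "alice", False),
    LoginEvent(10,  "192.0.2.5",    "fp-c3d4", "bob",   False),
    LoginEvent(30,  "192.0.2.5",    "fp-c3d4", "bob",   False),
    LoginEvent(50,  "192.0.2.5",    "fp-c3d4", "bob",   True),
]

def exceeds_rate(times, max_failures, window):
    """True if more than max_failures timestamps fall within any `window`-second span."""
    times = sorted(times)
    for i, start in enumerate(times):
        end = bisect.bisect_right(times, start + window)  # first ts beyond the span
        if end - i > max_failures:
            return True
    return False

def flag_sources(events, key_fn, max_failures=3, window=300):
    """Deterministic rule: flag each source key whose failed logins exceed the limit."""
    failures = defaultdict(list)
    for e in events:
        if not e.success:
            failures[key_fn(e)].append(e.ts)
    return {k for k, ts in failures.items() if exceeds_rate(ts, max_failures, window)}

def flagged_by_ip(events=EVENTS):
    return flag_sources(events, lambda e: e.ip)          # set(): each IP stays under the limit

def flagged_by_fingerprint(events=EVENTS):
    return flag_sources(events, lambda e: e.fingerprint) # {'fp-a1b2'}: correlated across IPs
```

Keyed by IP, neither attacker address crosses the three-failure limit and nothing is flagged; keyed by fingerprint, the six failures are attributed to one source and the rule fires while the legitimate user is left alone.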
4. A rules engine with deterministic as well as probabilistic rules
While deterministic rule-sets that are based on known intelligence and patterns can support immediate attack detection and mitigation, probabilistic analysis is also essential to analyze and detect intent over a period of time to identify sophisticated botnets.
5. Machine learning capabilities
Machine learning is indispensable in detecting sophisticated bots whose behavior cannot be detected by deterministic rules. For example, what may be legitimate behavior in a specific app may be considered suspicious in another app. Machine learning techniques are able to rapidly and accurately analyze overall context and visitor behavior for effective bot detection.
While we currently consider these capabilities foundational in a bot management solution, there is little doubt that as bots and attack methods get more sophisticated, additional capabilities will become essential for effective bot management. For an in-depth look at bots and bot management, download our Ultimate Guide to Bot Management.