23 July 2022, by Mathias Fischer
Our paper entitled “Introducing polymorphic protocols to limit the influence of web bots” was accepted for publication at the 27th European Symposium on Research in Computer Security (ESORICS 2022).
In this paper, we present an approach approach to combat the cost-efficient duplication of bots that can be applied with low performance and organizational overhead.
We will present our results on the conference in Copenhagen in September 2022 and seek an exchange with international researchers.
Unwanted automation of network services by web robots (bots) increases the operation costs, and affects the satisfaction of human users, e.g., in online games or social media. Bots impact the revenue of service providers and can damage society by spreading false information.
While few bots are usually not a problem, a large number is. Thus, we focus on bots that directly use a service's application protocol, as they are the most efficient and easiest to scale.
Current solutions such as registration with personal data or CAPTCHAs are frustrating for users or can be easily overcome. Anti-reverse engineering and digital rights management solutions that impede bot creation, e.g., unique client specific API keys, are only effective for the first bot.
Therefore, we present an obfuscation approach inspired by polymorphic malware and censorship resistance to increase the costs of duplicating bots for an attacker.
Our approach is called polymorphic protocols and enables each client of a service to use its own application protocol for communication. Therefore, a bot creator is forced to extract and reimplement a new protocol from a valid client for each bot that is created.
We integrate our approach into an existing ecosystem and implement the approach for Protobuf and Java. The results show that the overhead for service providers and users is low, depending on the deployment and chosen protocol configuration, while increasing the cost for an attacker for scaling bots.