Paper accepted at RAID'24
25 July 2024, by Mathias Fischer
Photo: raid2024.github.io
We are happy to announce that our paper, "Encrypted Endpoints: Defending Online Services from Illegitimate Bot Automation", was accepted for publication at the 27th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2024).
In this paper, we propose encrypted endpoints as an innovative approach to address the scalability of web bots, especially in situations where bots use multiple accounts. Our method involves assigning unique endpoints (URLs) to each user account, thus limiting the bots' ability to operate across different accounts and requiring them to extract account-specific endpoints for each bot instance.
We look forward to presenting our findings at the conference in Padua, Italy (September 30 - October 2, 2024) and to exchanging ideas with international researchers.
Paper Abstract:
Automated usage of web services by programs, known as bots, poses risks such as data scraping, spam, and cyber attacks.
For instance, X suffers from millions of bot accounts, typically controlled by a relatively small number of adversarial organizations, that create fake likes and comments.
The most widely used solution for distinguishing humans from bots (CAPTCHA) is losing its effectiveness due to advances in machine learning.
Obfuscation techniques in binaries, applications, or websites are designed to impede the creation of bots but fail to prevent their scalability. Bypassing these measures often requires only a one-time effort.
We propose encrypted endpoints as a novel strategy to combat the scalability of web bots, particularly in scenarios where bots leverage multiple accounts. To this end, we assign unique endpoints (URLs) to each user account, thereby restricting bot applicability across different accounts and necessitating the extraction of account-specific endpoints per bot instance.
Our approach is applicable to a wide range of services utilizing endpoints, including desktop and mobile applications, web applications, and even static or HTML-only websites.
We implemented our approach directly within a backend framework and observed that the latency overhead is less than 0.1 ms per request, which constitutes less than 1% of the total request time. Our solution, developed as simple middleware, can be integrated into existing projects with low effort. Additionally, we have extended our approach to the Jinja2 template engine, thereby supporting encrypted endpoints for websites out of the box.
Our analysis indicates that our approach not only effectively protects against simple bots but also, when coupled with obfuscation techniques, further impedes bot creation.
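To make the per-account endpoint idea concrete, here is an added illustration (not the paper's implementation or its middleware) of how a backend could encrypt a route path under an account-specific key so that each account sees a different URL, and how the dispatch step recovers the real route only for the account that owns the URL. The SIV-style HMAC construction, the `SERVER_SECRET` placeholder, the `/e/` prefix and the route names are all assumptions made for this example.

```python
"""Toy per-account encrypted endpoints (illustrative, not the paper's code)."""
import base64
import hashlib
import hmac

SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"  # placeholder, assumed


def _account_key(account_id: str) -> bytes:
    # Derive an account-bound key so the same route yields a different URL per account.
    return hmac.new(SERVER_SECRET, b"endpoint-key:" + account_id.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, tag: bytes, n: int) -> bytes:
    # Keystream bound to the tag, so two distinct paths never share a keystream.
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, tag + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt_endpoint(account_id: str, path: str) -> str:
    """Map a plaintext route such as '/api/like' to an account-specific URL."""
    key, pt = _account_key(account_id), path.encode()
    tag = hmac.new(key, b"tag:" + pt, hashlib.sha256).digest()[:16]  # SIV: tag first
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, tag, len(pt))))
    return "/e/" + base64.urlsafe_b64encode(tag + ct).rstrip(b"=").decode()


def decrypt_endpoint(account_id: str, url: str):
    """Return the plaintext route, or None if the URL is not this account's."""
    if not url.startswith("/e/"):
        return None
    blob = url[3:]
    try:
        raw = base64.urlsafe_b64decode(blob + "=" * (-len(blob) % 4))
    except ValueError:
        return None
    if len(raw) < 16:
        return None
    key, tag, ct = _account_key(account_id), raw[:16], raw[16:]
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, tag, len(ct))))
    expected = hmac.new(key, b"tag:" + pt, hashlib.sha256).digest()[:16]
    # Constant-time compare; a URL copied from another account fails here.
    return pt.decode() if hmac.compare_digest(tag, expected) else None


def dispatch(session_account: str, url: str, routes: dict):
    """Middleware step: resolve the account-bound URL, then call the real handler."""
    route = decrypt_endpoint(session_account, url)
    if route is None or route not in routes:
        return 404, "not found"
    return 200, routes[route]()
```

A bot that scrapes one account's URLs therefore gains nothing it can replay from another account's session, which is the scaling cost the paper aims to impose.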