Is the Industry Wrong? Are Bot Sessions and Human Sessions Indistinguishable?


There are companies in the bot mitigation sector that have built platforms which can tell good bots from bad bots. Google bots are good bots, whereas bots that steal credit card data are bad bots. However, bots are getting more advanced all the time. To deal with bad bots, security startups have incorporated machine learning algorithms and advanced data gathering techniques that help them distinguish a human session from a bot session, something that is very hard to do.

For example, ShieldSquare is a bot mitigation company with the following platform:

  • Collects various parameters about each visitor and builds a fingerprint for each visitor in its engine
  • Parameters collected include IP address, extracted IP geolocation details, ISP info, IP owner, connection type, number of pages visited per session, time spent on each page, and frequency of repeat visits
  • The machine learning gets smarter every day as all this information is stored
  • Thereafter, the engine classifies each visitor as human, search engine crawler or bad bot, and blocks bad bots

Here is the biggest problem with that approach: digital bank robbers are also using machine learning algorithms and other techniques to mimic human behavior. With this technology, bots will soon be able to act more like humans than humans themselves, minimizing the benefits bot mitigation platforms bring to their customers.

According to various reports, bot operators control a percentage of PCs around the world without the users being aware of it. In the US, one estimate was 6%. Whether it’s 6% or 1% – that’s too many. And when bot operators have control of a PC, they have access to all of that user’s history and activities. So it will be easy for sophisticated threat actors to incorporate that data into their bot operations so that the bots mimic human behavior. Thus, bots will spend the right amount of time on each page, move the mouse across the screen as a real user would, click on the right parts of the website, and so on. At that point, it will become very challenging for bot mitigation companies to distinguish good bots from bad bots. What’s the moral of the story? It’s time to start thinking about how bot mitigation platforms can defeat bots once they become humanlike.
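The limitation described above, as an added example (not code from this article or from ShieldSquare): a toy rule-based classifier over some of the listed parameters, showing that a session reusing recorded human timings from a residential connection produces the same feature vector as the human session. The field names, thresholds and sample sessions are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Session:
    connection_type: str          # "residential" or "datacenter"
    verified_crawler: bool        # assumed to be set by an upstream crawler check
    page_times: list              # seconds spent on each page (at least one entry)
    repeat_visits_per_day: float

def features(s):
    """Reduce a session to parameters named in the list above."""
    avg = mean(s.page_times)
    return {
        "connection_type": s.connection_type,
        "pages": len(s.page_times),
        "mean_dwell": round(avg, 2),
        "dwell_cv": round(pstdev(s.page_times) / avg, 2),  # 0 = perfectly regular
        "repeat": s.repeat_visits_per_day,
    }

def classify(s):
    """Toy stand-in for the classification engine; every threshold is an assumption."""
    if s.verified_crawler:
        return "search engine crawler"
    f = features(s)
    if (f["connection_type"] == "datacenter" or f["mean_dwell"] < 2.0
            or f["dwell_cv"] < 0.1 or f["pages"] > 100 or f["repeat"] > 50):
        return "bad bot"
    return "human"

# Constructed sample sessions (not real traffic).
HUMAN = Session("residential", False, [12.4, 48.0, 7.9, 95.2, 21.3], 2)
CRAWLER = Session("datacenter", True, [1.0] * 40, 24)
NAIVE_BOT = Session("datacenter", False, [0.5] * 200, 300)
# Automated session on a compromised home PC that reuses the owner's recorded
# timings: the scenario the article warns about.
MIMIC_BOT = Session("residential", False, list(HUMAN.page_times), 2)

def report():
    sessions = {"human": HUMAN, "crawler": CRAWLER,
                "naive bot": NAIVE_BOT, "mimic bot": MIMIC_BOT}
    return {name: classify(s) for name, s in sessions.items()}

if __name__ == "__main__":
    for name, label in report().items():
        print(f"{name:10} -> {label}")
    # Identical feature vectors: no threshold on these parameters separates them.
    print("mimic == human features:", features(MIMIC_BOT) == features(HUMAN))
```

Because the two feature vectors are equal, retuning the thresholds cannot change the outcome; separating these sessions would require signals outside this parameter set.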

