NOMAD: Towards non-intrusive moving-target defense against web bots

Web bots, such as XRumer, Magic Submitter and SENuke, have been widely used by attackers to perform illicit activities, such as massively registering accounts, sending spam, and automating web-based games. Although CAPTCHAs have been widely used to defend against web bots, they require users to solve explicit challenges, which is typically interactive and intrusive and therefore decreases usability. In this paper, we design a novel, non-intrusive moving-target defense system, NOMAD, to complement existing solutions. NOMAD prevents web bots from automating web resource access by randomizing HTML elements without affecting normal users. Specifically, to prevent web bots from uniquely identifying HTML elements for later automation, NOMAD randomizes the name/id parameter values of HTML elements in each HTTP form page. We evaluate NOMAD against five powerful state-of-the-art web bots on several popular open source web platforms. According to our evaluation, NOMAD stops all of these web bots with relatively low overhead.
