Anomaly Based Attack Detection in Action: Enhancing Bot Detection with AI


In our previous blog post, we discussed how AI in general plays a critical role in identifying and mitigating bot attacks. Today, we’re building on that discussion by elaborating on one of the approaches we highlighted: anomaly-based detection. This method is helpful for identifying sophisticated bot behaviors that often go unnoticed by conventional techniques. Specifically, we’ll explore how Radware’s Time Series Anomaly Detection Model enhances this approach and strengthens bot detection in complex environments.

The Growing Challenge of Sophisticated Bot Attacks

As bot attacks evolve, traditional detection methods become less effective at identifying newer, more elusive behaviors. Bots can generate randomized hit sequences and mimic legitimate user traffic, making detection a complex task. Anomaly-based detection rises to the challenge by focusing on deviations from established behavioral patterns, rather than relying solely on predefined rules.

Radware’s Time Series Anomaly Detection Model is one of the components in our anomaly-based detection strategy, using time-series analysis to uncover hidden patterns in traffic data. By analyzing how often a user generates requests over specific intervals, our anomaly detection model identifies bots that spread their activities across time, avoiding the typical rapid-fire patterns of basic bots.

How it Works: Analyzing Time-Based Patterns

At the heart of our anomaly detection model is its ability to analyze the time intervals between hits from any given user. Rather than evaluating each hit in isolation, the model builds a sequence of time-stamped hits and captures activity over intervals of varying length, from a few minutes to several hours. This enables the model to detect abnormal activity patterns that span different timeframes, which can be a strong indicator of bot behavior.

For instance, the model generates statistical features from these time sequences, including:

  • Active Intervals: Counting how many active time intervals a user engages in (e.g., how many active minutes or hours).
  • Average Hits Per Interval: Measuring the average number of hits within a given time period.
  • Variance and Skewness: Assessing the regularity and distribution of the hits, highlighting inconsistencies that suggest automated behavior.

These features enable the model to detect suspicious traffic patterns, even when the bot tries to mimic human behavior by spreading out its requests over longer periods.

Feature Engineering: Uncovering Complex Traffic Insights

The strength of the model lies in its comprehensive feature engineering. It doesn’t simply look at the number of hits; it considers a variety of statistical metrics, such as the variance and coefficient of variation across multiple time intervals. This multi-dimensional approach helps uncover sophisticated bots that carefully structure their hit sequences.

For example:

  • Max Hits Per Minute: This feature captures the peak activity from a user in one-minute intervals, which can indicate spikes associated with bot-driven attacks.
  • Skewness of Hits: This measures the asymmetry in the distribution of hits, helping identify when a user’s activity pattern deviates from the norm.

In addition to time-series features, the model incorporates spatial patterns (user agent and referrer data) to build a more holistic profile of potential bot activity. This multi-layered approach improves the precision and accuracy of our anomaly detection.
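The time-series features described above, computed in plain Python over constructed sample hits. This is an added illustration, not Radware's model code: each hit is a (user, timestamp) pair, hits are bucketed into minutes and hours, and the per-minute counts yield the active-interval, average, maximum, variance, coefficient-of-variation and skewness statistics.

```python
from collections import Counter, defaultdict
import math

# Constructed sample hits: (user_id, unix timestamp in seconds). BASE is minute-aligned.
BASE = 1_700_000_000 // 60 * 60
HITS = (
    # "human": bursty, irregular activity in minutes 0, 2, 5 and 9 of a 10-minute window
    [("human", BASE + 60 * m + s) for m, n in [(0, 3), (2, 1), (5, 7), (9, 2)] for s in range(n)]
    # "slow_bot": exactly one hit every minute, a pace chosen to stay under rate limits
    + [("slow_bot", BASE + 60 * m) for m in range(10)]
    # "burst_bot": 30 hits inside a single minute
    + [("burst_bot", BASE + s) for s in range(30)]
)

def bucket_counts(timestamps, bucket_seconds):
    """Number of hits per time bucket (60 s for minutes, 3600 s for hours)."""
    return Counter(ts // bucket_seconds for ts in timestamps)

def skewness(values):
    """Population skewness m3 / m2^1.5; 0.0 when every value is identical."""
    n = len(values)
    mean = sum(values) / n
    m2 = sum((v - mean) ** 2 for v in values) / n
    if m2 == 0:
        return 0.0
    m3 = sum((v - mean) ** 3 for v in values) / n
    return m3 / m2 ** 1.5

def time_series_features(timestamps):
    """Per-user statistics over the user's active minutes (minutes with at least one hit)."""
    per_minute = list(bucket_counts(timestamps, 60).values())
    mean = sum(per_minute) / len(per_minute)
    variance = sum((v - mean) ** 2 for v in per_minute) / len(per_minute)
    return {
        "active_minutes": len(per_minute),
        "active_hours": len(bucket_counts(timestamps, 3600)),
        "avg_hits_per_minute": mean,
        "max_hits_per_minute": max(per_minute),
        "variance": variance,
        "coef_of_variation": math.sqrt(variance) / mean,  # 0.0 = perfectly regular pacing
        "skewness": skewness(per_minute),
    }

def features_by_user(hits):
    """Group hits by user and compute the feature vector for each one."""
    by_user = defaultdict(list)
    for user, ts in hits:
        by_user[user].append(ts)
    return {user: time_series_features(ts) for user, ts in by_user.items()}
```

Note how the slow bot's coefficient of variation is exactly zero: a pacing that is too regular is itself a signal, even though its hit rate never spikes.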

Detecting Anomalies with Isolation Forest

Once these statistical features are compiled, the Isolation Forest algorithm comes into play. As an unsupervised machine learning model, Isolation Forest is particularly effective at identifying outliers, or anomalies, in complex datasets. The algorithm assigns an anomaly score to each user based on how unusual that user’s traffic patterns appear when compared to normal activity.

Users with more strongly negative anomaly scores are flagged as potential bots. Isolation Forest’s strength lies in its ability to detect even subtle deviations in traffic patterns, enabling the system to identify bots that may otherwise blend into the background of legitimate traffic.
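An added example of the Isolation Forest scoring step, written from scratch in plain Python (this is not Radware's implementation). Random axis-aligned splits isolate outliers in fewer steps, so a shorter average path length yields a more negative score; the feature rows are constructed, and the sign convention matches the text (more negative means more anomalous).

```python
import math
import random

# Constructed per-user feature rows: (active_minutes, avg_hits_per_minute, max_hits_per_minute, cv).
NORMAL_USERS = [(4 + i % 3, 2.0 + 0.1 * i, 3 + i % 2, 0.4 + 0.02 * i) for i in range(10)]
BURST_BOT = (1, 30.0, 30, 0.0)   # everything in one minute
SLOW_BOT = (120, 1.0, 1, 0.0)    # one hit per minute for two hours, perfectly regular
ROWS = NORMAL_USERS + [BURST_BOT, SLOW_BOT]

def c_factor(n):
    """Average path length of an unsuccessful BST search on n points (normalisation term)."""
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n

def build_tree(rows, rng, depth, max_depth):
    """Split on a random feature at a random value until points are isolated or depth runs out."""
    if depth >= max_depth or len(rows) <= 1:
        return {"size": len(rows)}
    feat = rng.randrange(len(rows[0]))
    lo, hi = min(r[feat] for r in rows), max(r[feat] for r in rows)
    if lo == hi:
        return {"size": len(rows)}
    split = rng.uniform(lo, hi)
    return {
        "feat": feat, "split": split,
        "left": build_tree([r for r in rows if r[feat] < split], rng, depth + 1, max_depth),
        "right": build_tree([r for r in rows if r[feat] >= split], rng, depth + 1, max_depth),
    }

def path_length(tree, row, depth=0):
    """Depth at which the row lands, plus an estimate for leaves that were never fully split."""
    if "size" in tree:
        return depth + c_factor(tree["size"])
    child = tree["left"] if row[tree["feat"]] < tree["split"] else tree["right"]
    return path_length(child, row, depth + 1)

def isolation_forest_scores(rows, n_trees=100, sample_size=256, seed=7):
    """One score per row; more negative = more anomalous (same sign as sklearn's score_samples)."""
    rng = random.Random(seed)
    sample_size = min(sample_size, len(rows))
    max_depth = math.ceil(math.log2(sample_size))
    trees = [build_tree(rng.sample(rows, sample_size), rng, 0, max_depth) for _ in range(n_trees)]
    scores = []
    for row in rows:
        mean_path = sum(path_length(t, row) for t in trees) / n_trees
        scores.append(-(2.0 ** (-mean_path / c_factor(sample_size))))
    return scores
```

Sorting users by score ascending puts the two bots first; in production the threshold is tuned on the score distribution of known-good traffic rather than fixed in advance.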

Conclusion

Radware’s Time Series Anomaly Detection Model is part of our anomaly-based detection strategy, providing a sophisticated means of identifying bot activity that would otherwise fly under the radar. By focusing on time-series patterns and employing advanced machine learning techniques like Isolation Forest, this model helps us stay ahead of evolving bot threats. As bots continue to evolve, anomaly-based detection will play an increasingly important role in safeguarding applications from automated attacks.

Rakesh Thatha

Rakesh Thatha is the Chief Technologist at Radware Innovation Center, overseeing the Cloud Application Security product lines and Cloud Architecture. An MS graduate from IIT Madras, he began his career as a cybersecurity researcher, publishing papers in top-tier conferences. With multiple patents in the fields of cybersecurity and artificial intelligence, he founded two cybersecurity startups, ArrayShield and ShieldSquare, building world-class products and R&D teams from scratch. ShieldSquare was acquired by Radware in 2019. Rakesh is also a regular speaker at cybersecurity and cloud conferences, sharing his expertise with the industry.