AppTrana Bot Management Enhancements – User-Defined Bot Policies and More
June 25, 2024
Have you ever wanted to fine-tune the configuration of your Bot Management?
With self-service rules, you get finer control over bot scoring and customize it according to user behavior on your applications.
In this blog, we will cover three use cases that will explain how to use this feature.
1. User Defined Bot Policies Based on User Behaviour
Custom policies can be defined to assign bot scores based on detected anomalies. By analyzing user behavior and setting specific thresholds, you can dynamically adjust the bot score of a user session.
When a user’s behavior triggers thresholds set by these policies—such as exceeding a certain number of actions within a specific timeframe—the bot score increases accordingly.
Example
In your e-commerce site after performing a log analysis, you found that there could be scraper bots. These bots are likely extracting pricing and other information from your product details page.
A typical user browsing your site only views about 3-5 products per session and you see that some user agents view 20+ products per session.
So, using user-defined bot policies, you could start increasing the bot score as soon as the view count goes beyond 10. Once the bot scores reach a certain threshold, you can layer in bot mitigation actions starting from a crypto challenge and eventually start showing CAPTCHA or Dropping the requests entirely.
2. Customizable Bot Scoring for Balancing False Positives and Risks
Excessive false positives can obstruct your customers’ user experience and buying experience.
Instead of making binary decisions, the scoring system categorizes bots, enabling tailored actions – such as blocking those with high scores or implementing CAPTCHAs for lower scores.
Users can further refine the control by defining different BOT thresholds and BOT actions for different areas / use cases of the application.
Example
In an e-commerce site, minimizing barriers for users browsing the catalog is crucial for user engagement. To minimize false positives, consider setting a high threshold on such pages.
For instance, the page www.examplecommerce.com/listitems?filter=user_applied_filters might have a high threshold of 80 before showing a CAPTCHA.
In contrast, stricter controls are necessary for more sensitive areas like checkout or payment pages. Here, you can set a rule to show a CAPTCHA when the bot score reaches 50, a lower threshold compared to the listing page.
High bot score thresholds on catalog pages ensure legitimate users navigate smoothly, while CAPTCHAs or blocks challenge scraper bots effectively.
3. Custom Increase in Bot Score
The behavioral-based bot module identifies bots using several checks:
- Validating if the client IP belongs to a TOR network or data center
- Verifying if the user agent is a known bad user agent
- Checking if the client pretends to be a good bot by matching the user agent and IP address with known parameters
- Confirming if any requests from the client were blocked by the WAF in the last 10 minutes
These validations assign specific scores (2, 5, or 10 points) to the client IP.
However, not all bot indicators fit into these predefined conditions, requiring tailored solutions to effectively manage them.
Example:
Your website might see higher traffic from a blog page (e.g., www.exampleblog.com). You can’t block this traffic outright since legitimate users also come from this referrer.
In such cases, users can now define a self-service rule to increase the bot score for any client IPs landing on your site from www.exampleblog.com. This custom rule adds to the overall bot score, making these clients more suspicious and lowering their tolerance in AppTrana’s bot evaluation and mitigation framework.
This allows you to leverage AppTrana’s existing intelligence while tailoring specific use cases to identify difficult-to-detect bots, giving users finer control over bot management.
Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn.
