Detection Engine Operation Principles
The BotManager detection engine runs each access request through a series of verification and detection steps to determine whether it comes from a normal user or a bot, and decides whether to respond by blocking it.
Overview
The detection engine receives requests from agents (web pages or server-side libraries) and performs policy-based detection.
Processing Flow
1. Request Reception
The detection engine receives requests from agents containing the following information:
- Client IP address
- User-Agent header
- Request URL path
- Session ID / Login ID
- Other HTTP header information
2. Check URL Applicability
Checks whether the current request corresponds to an API path or subpath where policies are configured.
- Policies can be configured granularly by path
- Policy detection is skipped for non-applicable paths
3. Check Block History
Checks whether the login_id or session_id of the current request is already in a blocked state.
If there is no block history, policy-specific detection logic is executed.
Policy-Specific Detection Logic
Static Policies
Header Analysis
Detects when HTTP header values sent from agents match or contain pre-registered values.
- User-Agent header inspection
- Detection of abnormal cookies and custom browser headers
IP Analysis
Detects when the request IP is included in IP lists registered in the console in CIDR format.
- Public VPN, proxy IPs
- Major sources of attack patterns
Developer Tools Detection
When developer tools are activated in the browser, the client side sends specific information.
- Client agent installation required
- Purpose: detect automation scripts
Selenium Detection
When automation tools (Selenium, etc.) make requests, detection information is transmitted from the client side.
- Detection through client-side libraries
- Identification of browser automation tools
Foreign IP Detection
Looks up the client IP's country through GeoIP and detects when it differs from the country configured in the domain settings.
- Purpose: prevent illegal foreign access
- Country-based access control
Behavior Analysis (Behavioral Detection)
Analyzes user behavior based on various time/path/identifier conditions for complex and precise detection.
Frequency-Based
| Detection Type | Description |
|---|---|
| Excessive Requests to Specific Path | When a specific path is accessed N or more times per day |
| Excessive Requests to All Paths | When all paths together are accessed N or more times per day, per minute, or per second |
Regularity-Based (Pattern Access)
| Detection Type | Description |
|---|---|
| Repetitive Access Pattern | When the number of accesses per minute is the same in every minute of the last N minutes |
Multi-Identifier-Based
| Detection Type | Description |
|---|---|
| Session ID - IP | When the same session_id accesses from N different IPs in one day |
| IP - Login ID | When N different login_ids access from the same IP in one day |
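The regularity-based and multi-identifier rules above, sketched as an added example over constructed request records. This is not BotManager's own code; the record layout, function names, window alignment and thresholds are assumptions.

```python
from collections import defaultdict

TS, IP, SID, LOGIN = range(4)  # assumed record layout: (seconds, ip, session_id, login_id)

def repetitive_pattern(events, key, now, n_minutes):
    """Keys with an identical, non-zero request count in each of the
    last n_minutes full minutes before `now` (Repetitive Access Pattern)."""
    start = (now // 60 - n_minutes) * 60
    per_minute = defaultdict(lambda: [0] * n_minutes)
    for ev in events:
        if start <= ev[TS] < start + n_minutes * 60:
            per_minute[ev[key]][(ev[TS] - start) // 60] += 1
    return {k for k, c in per_minute.items() if c[0] > 0 and len(set(c)) == 1}

def multi_identifier(events, group, distinct, n, day_start):
    """Group keys seen with n or more distinct values of another identifier
    within one day (Session ID - IP, IP - Login ID)."""
    seen = defaultdict(set)
    for ev in events:
        in_day = day_start <= ev[TS] < day_start + 86400
        if in_day and ev[group] and ev[distinct]:  # skip missing identifiers
            seen[ev[group]].add(ev[distinct])
    return {k for k, v in seen.items() if len(v) >= n}

# Constructed sample traffic; timestamps are seconds since the start of the day.
EVENTS = (
    # scripted client: exactly 4 requests in each of minutes 7, 8 and 9
    [(420 + 60 * m + 15 * i, "203.0.113.7", "s-bot", "alice")
     for m in range(3) for i in range(4)]
    # human-like client: 1, 3 and 2 requests in the same minutes
    + [(t, "192.0.2.10", "s-human", "bob") for t in (425, 481, 490, 500, 545, 550)]
    # one session_id seen from three IPs
    + [(100 + i, f"198.51.100.{i}", "s-shared", "carol") for i in range(1, 4)]
    # three login_ids seen from one IP
    + [(200 + i, "192.0.2.99", f"s-{i}", f"user{i}") for i in range(3)]
)

if __name__ == "__main__":
    print(repetitive_pattern(EVENTS, SID, now=600, n_minutes=3))
    print(multi_identifier(EVENTS, SID, IP, n=3, day_start=0))
    print(multi_identifier(EVENTS, IP, LOGIN, n=3, day_start=0))
```

The same `multi_identifier` function covers both table rows by swapping which field is grouped and which is counted.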
Time-Based
| Detection Type | Description |
|---|---|
| Access Outside Allowed Hours | When accessing N times outside the allowed hours set for a specific path |
Region-Based
| Detection Type | Description |
|---|---|
| Multi-Country Access | When accessing with the same login_id from N countries in one day |
Multi-Device Detection
| Detection Type | Description |
|---|---|
| Concurrent Sessions | When the same login_id accesses with multiple session_ids within 1 hour |
| Multi-Session by Path | When a login_id accesses with multiple session_ids only on specific paths |
Statistics-Based Analysis
Analyzes the average access patterns of all currently connected users in real time to detect abnormally high request frequencies compared to the average.
Detection Result Processing
Processing is performed as follows according to policy detection results:
| Result | Description | Subsequent Processing |
|---|---|---|
| Pass | Determined to be a normal user | Service access allowed |
| Detect | Detected as a bot while in detection mode | Log recorded, then service access allowed |
| Block | Detected as a bot while in blocking mode | Block response or secondary verification |