Product guides

Bot characteristics

Suggest Edits

Bot Defender uses a variety of characteristics to measure and analyze bot behavior. These include:

Each category has their own set of indicators. You can learn what each indicator means in this article.

Bot indicators

Bot indicators are characteristics that show why Bot Defender flagged requests as bots. The available indicators are:

  • Volumetric Anomalies: The request volume was unusually high or different from normal traffic patterns.
  • Global Threat Signatures: The request matched a global signature or fingerprint for a known automation tool, such as PhantomJS, or a well-known attack pattern.
  • Custom Threat Signatures: The request matched a custom signature or fingerprint specific to this application, created manually or dynamically using machine learning.
  • Environment Spoofing: The request was claiming to use a different browser, device, or OS than they actually are.
  • Bad Network Reputation: The request came from a network known to be bad or recently flagged as suspicious by Sightline’s models.
  • Robotic Interaction Patterns: The user's interactions, such as clicking, mouse movements, or typing, showed signs of robotic automation.
  • Missing JavaScript: The JavaScript on the page didn't load.
  • Manipulated Signal: The signal collected by the sensor showed signs of malicious tampering.
  • Suspicious User Flow: The user's navigation or actions on the website didn't follow expected patterns. For example, the user directly accessed an API endpoint without prior browsing on the application.
  • Application Policy Enforcement: The request matched a blocking rule configured in the application's policy rules.

Bot capabilities

Bot capabilities are characteristics that show what the bot was capable of doing and how sophisticated it was. In other words, these characteristics show how the bot was trying to behave like a human. The available capabilities are:

  • Residential IP Usage: The bot used IP addresses classified as residential. This means it attempted to evade network-based detections.
  • Session Persistence: The bot successfully saved and reused cookies. This means it attempted to evade flow-based detections and mimic continuous user interaction.
  • JavaScript Execution: The bot successfully executed JavaScript. This means that it attempted to evade script-blocking detections and mimic real browser behavior.
  • Full Page Load: The bot loaded the full page DOM enhancing its ability to interact with the website like a real user. The bot may be using a legitimate browser.
  • User Interaction Capability: The bot simulated mouse interaction such as movements and clicks to evade detection mechanisms that identify basic robotic behavior.
  • Challenge Handling: The bot attempted to handle and solve the Human Challenge, demonstrating a high degree of sophistication in bypassing human verification systems.
  • Signal Manipulation: The bot attempted to manipulate the signals collected by the JavaScript sensor, demonstrating a very advanced level of sophistication and dedication to avoiding detection.

IP origin

IP origin characteristics show IP sources or environments that the bots came from. Knowing where the bots came from can indicate how sophisticated they are or if these bot requests were from a centralized area. The possible origins are:

  • Data Centers: Known cloud service providers like Amazon Web Services (AWS), Google Cloud Platform (GCP), or Microsoft Azure. These are commonly used to host websites or applications.
  • Business: Shared IPs from known corporate networks.
  • Education: Shared IPs from known educational institutions such as universities or schools.
  • Government: Shared IPs from known government institutions or agencies.
  • Residential: IP origins assigned by an ISP to a typical home user as well as includes residential proxies, or proxies that route through a real residential IP.
  • Standard: Origins that don't fit into any of the other categories.

Updated about 1 month ago