Summary
This paper aims to reduce botnet attacks by identifying humans through their activity patterns. Specifically, the authors propose installing a small, trusted piece of code that detects "human activity" and attests that requests are coming from a human.
The proposed design uses an "Attester" that is rooted in the machine's TPM chip and loaded before the OS. This code intercepts all mouse and keyboard activity. The Attester could operate in one of two ways: either prompt the user to answer questions, or guess that a human is making the requests. The authors choose to guess, because the alternative might train users into "always-click-OK" behavior. When keyboard or mouse activity is detected within a short time window before an HTTP request, the Attester sends a cryptographically signed token along with the request. This token attests that a user, not a bot, made this request.
The key benefit of the proposed technique over CAPTCHA is that it attests that the originating request comes from a human at the requesting machine. CAPTCHA images can be forwarded to remote human solvers, whereas the Attester's token is generated on the requesting machine and tied to that machine's own input activity, so it cannot be outsourced in the same way.
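To make the mechanism concrete, here is a small added model of the attest-and-verify flow described above. It is not code from the paper or the post: the paper's TPM-backed signature is replaced by an HMAC-SHA256 shared secret (an assumption for the example), the one-second activity window, 30-second token lifetime and one-second clock-skew allowance are assumed values, and the HTTP requests and key are constructed inline. The token is bound to a digest of the exact request, which is what stops a token minted for one request from being attached to another; the last scenario also shows the flip side, that a bot timing its request right after genuine input is attested too, because the Attester only observes timing.

```python
"""Toy model of an activity-based request attester and a server-side verifier.

Added example, not code from the summarized paper. Assumptions (not from the
page): an HMAC-SHA256 shared secret stands in for the TPM-backed signing key,
the activity window is 1 s, tokens expire after 30 s, and 1 s of clock skew
between attester and verifier is tolerated.
"""
import hashlib
import hmac
from typing import Optional

WINDOW_SECONDS = 1.0   # assumed: how recent input must be to count as "human"
MAX_TOKEN_AGE = 30.0   # assumed: verifier-side freshness bound
CLOCK_SKEW = 1.0       # assumed: tolerated attester/verifier clock difference


def _request_digest(request: bytes) -> str:
    return hashlib.sha256(request).hexdigest()


def _mac(key: bytes, req_digest: str, ts: float) -> str:
    # The tag covers both the request digest and the issue time, so neither
    # can be changed without invalidating the token.
    msg = f"{req_digest}|{ts:.3f}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Attester:
    """Runs below the OS, sees raw input events, and signs outgoing requests."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._last_input: Optional[float] = None

    def record_input(self, t: float) -> None:
        # Called for every keyboard or mouse event intercepted below the OS.
        self._last_input = t

    def attest(self, request: bytes, now: float) -> Optional[dict]:
        # Guess that a human is present only if input arrived shortly before
        # the request; otherwise decline to issue a token at all.
        if self._last_input is None:
            return None
        if not 0.0 <= now - self._last_input <= WINDOW_SECONDS:
            return None
        ts = round(now, 3)
        req_digest = _request_digest(request)
        return {"ts": ts, "req": req_digest, "mac": _mac(self._key, req_digest, ts)}


class Verifier:
    """Server side: accepts a request only with a valid, fresh, bound token."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def verify(self, request: bytes, token: Optional[dict], now: float) -> bool:
        if token is None:
            return False
        # Binding: the token must be for exactly this request, so a token
        # minted for some other request (or forwarded from another machine's
        # traffic) does not validate here.
        if token["req"] != _request_digest(request):
            return False
        # Freshness: reject stale or implausibly future-dated tokens.
        if token["ts"] - now > CLOCK_SKEW or now - token["ts"] > MAX_TOKEN_AGE:
            return False
        expected = _mac(self._key, token["req"], token["ts"])
        return hmac.compare_digest(expected, token["mac"])


def demo() -> dict:
    """Run the scenarios; returns scenario name -> accepted (True/False)."""
    key = b"constructed-shared-secret-for-example"  # constructed, not real
    attester, verifier = Attester(key), Verifier(key)
    req = b"POST /comment HTTP/1.1\r\nHost: example.test\r\n\r\nbody=hello"
    other = b"POST /comment HTTP/1.1\r\nHost: example.test\r\n\r\nbody=spam"
    results = {}

    # 1. Human clicks at t=100.2 and the request leaves at t=100.5: accepted.
    attester.record_input(100.2)
    tok = attester.attest(req, 100.5)
    results["human"] = verifier.verify(req, tok, 100.6)

    # 2. Bot sending with no recent input: no token is issued, so rejected.
    results["idle_bot"] = verifier.verify(req, attester.attest(req, 200.0), 200.1)

    # 3. The human's token replayed on a different request: rejected (binding).
    results["replay"] = verifier.verify(other, tok, 100.7)

    # 4. Token with the digest field rewritten to match the other request:
    #    rejected, because the MAC no longer matches.
    forged = dict(tok, req=_request_digest(other))
    results["forged"] = verifier.verify(other, forged, 100.7)

    # 5. Genuine token presented long after it was minted: rejected (freshness).
    results["stale"] = verifier.verify(req, tok, 100.5 + MAX_TOKEN_AGE + 1.0)

    # 6. Limitation: a bot that waits for real input and fires right after it
    #    is indistinguishable from the human to a timing-only attester.
    attester.record_input(300.0)
    results["input_riding_bot"] = verifier.verify(other, attester.attest(other, 300.3), 300.4)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:18s} accepted={accepted}")
```

In a real deployment the signing key would live only inside the isolated attester domain and the verifier would hold a public key rather than a shared secret; the shared HMAC key here is purely to keep the example self-contained.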
Thoughts
I like the idea of using a trusted piece of code to ensure that the attestation comes from the requesting machine and has not been tampered with. However, I can't imagine this being widely used. Presumably, users install this voluntarily, so backwards compatibility would be required, thus leaving a way for bots to operate. The second problem is that bots could become smarter and only send requests after user activity.
Wednesday, December 16, 2009