Hi,
I have been researching this for quite some time now, but I cannot
seem to find any good articles or discussions about this topic -
perhaps I am only searching for the wrong terms.
My question is as follows: I want to prevent the user from using
automation in order to control an application I wrote. The application
consists of a couple of buttons and editfields. A user would enter
some data into those fields and then press a 'calculate' button to get
his result.
My company now wants this application (which is distributed to several
thousand clients) to forbid automation in any form. The reason for
that is kind of hard to explain, because of the nature of the product
(it is a financial application that can be used in combination with
other popular stock market software). Put simply, what I need to do is
a kind of "bot-protection".
Point is, however, that I cannot simply detect how often the user clicks
the calculate-button, because it would make sense to do this only once
every few minutes, whereas a "manual user" might want to do it quite a
bit more often. Just think of it as a way to prevent a user from writing an
application that allows him to interact with the program without
being at the computer at the time.
Also the time needed to enter the data could be checked, but I could
imagine someone writing a solution that enters data in a way a human
would do it.
The third obvious way to prevent the user from automating my
application (captchas and the like) is sadly not an option either.
To make a long story short, is it possible to detect whether
information about my controls (like their positions or the captions
of buttons (e.g. by means of GetWindowText et al)) is requested by
another process? How about detecting usage of methods like SendKeys or
the automated movement of the mouse? Or even shorter: is it possible
to detect, whether my application is automated by another process
without putting constraints on what a real user could do?
I would be very grateful for any information regarding this topic,
sincerely,
Michael Donn
Jeroen - 19 Mar 2008 10:48 GMT
Hi Michael,
Philosophically speaking, you're running into the fact that others are
more and more able to beat the "Turing Test". Here's a link to the
Wikipedia article:
http://en.wikipedia.org/wiki/Turing_test
Theory aside, I think the answer to your question is "No, you can
never be 100% sure who or what is pushing the buttons in your app."
You can reach near 100% using a variety of methods, however I leave
suggesting of methods to more knowledgeable folks in this group.
Regards,
Jeroen
Peter Duniho - 19 Mar 2008 18:51 GMT
> [...]
> My company now wants this application (which is distributed to several
[quoted text clipped - 3 lines]
> other popular stock market software). Put simple, what I need to do is
> a kind of "bot-protection".
This is not a very good forum for the question. It's far too involved,
and is so far removed from actual C#/.NET issues that it's not appropriate
here.
I think the goal is ill-advised, but if you insist on pursuing it, your
first step ought to be to go learn how a bot is written. The gaming
industry, and the MMORPG industry in particular, is a very fertile ground
for this sort of thing. Do some research and find the forums where the
people writing bots for World of Warcraft hang out. Check out the various
techniques they are using, and pay especially close attention to the ways
that they hide from bot-detection code (see references to Blizzard's "Warden"
software). If you expect to be successful, you'll need to be familiar
with, anticipate, and block all of these techniques.
The bottom line here is that, like all copy protection, your effort is
doomed to failure, at least in the sense that even in the best-case
scenario _someone_ will figure out a way around your implementation.
There is also a _very_ high chance that a truly effective implementation,
one that does more than just look for specific signatures of known bot
programs (something that works fine for something like "Warden", where
you're dealing with a huge user base and only really care if bots are
heavily impacting the game, but is probably not going to really address
the needs of a vertical market product), is going to generate false
positives, annoying your users at best and causing them real trouble at
worst.
Given the description you've given already of your product, you should
also consider that anything that interferes with your own user's
legitimate use of the software may lead to a genuine liability suit
against you. It's popular for EULAs to disavow all warranty for
"suitability of use" but in reality that language has never been tested,
and there have been some recent suits in which EULAs have been found
invalid because of the asymmetric nature of the contract. I think that in
any market, but especially when you're writing software that is involved
in handling significant financial assets, you should be very wary of
implementing any "feature" that might intentionally (even if mistakenly)
block your users from being able to use the software.
Pete
docholiday@lafrontera.de - 20 Mar 2008 00:47 GMT
First of all thank you for those quick responses.
Perhaps this is not a suitable forum, any pointers at what forums
might be a better starting point for me? I ended up posting here,
because the application is based upon the .NET 2.0 framework.
I have already gathered some information concerning bots (especially
in MMORPGs) and I know that the generation of false positives might be
the biggest problem in this endeavour - which takes me back to my
original post, where I wondered about the possibility to detect
"abnormal" requests by other processes running on the client's machine
(for instance a GetWindowText-call to get the caption of a button in
my application, or doing a screen capture of our application's
windows). If I could identify processes that request information
about the controls in my application, that might be a good indicator
for bot-usage (as long as this can be separated from usual Windows
behaviour).
In the end it's probably a battle we cannot win. We had a long
discussion about this problem internally, but of course we cannot make
a decision before knowing as many facts as possible about the whole
topic.
Sincerely,
Michael
Paul Shapiro - 20 Mar 2008 02:06 GMT
You could insert delays in your UI code so it won't run faster than a
"normal" human, but it would seem a delicate balance to keep from annoying
users.
> First of all thank you for those quick responses.
>
[quoted text clipped - 21 lines]
> Sincerely,
> Michael
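As an added illustration of the "insert delays" approach Paul suggests, and of the entry-timing check Michael mentions in his first post, here is example code that is not from this thread and not from Michael's application. It assumes a .NET 2.0 Windows Forms form with one TextBox (`amountBox`) and a Button (`calculateButton`); the control names, the throttle parameters (a burst of 5 clicks, then one every 2 seconds), the 0.05 coefficient-of-variation threshold, and the `LogSuspicious`/`RunCalculation` helpers are all assumptions made for the example. A token bucket lets a human click in quick bursts while capping the sustained rate, and keystroke intervals in the entry field are measured so that metronomic input is flagged for review rather than blocked, which keeps the false-positive risk Peter raises from turning into a locked-out user.

```csharp
using System;
using System.Collections.Generic;
using System.Windows.Forms;

// Token bucket: short bursts pass, sustained clicking faster than
// refillPerSecond drains the bucket and is delayed (Paul's suggestion).
public class ClickThrottle
{
    private readonly double capacity;
    private readonly double refillPerSecond;
    private double tokens;
    private DateTime last;

    public ClickThrottle(double capacity, double refillPerSecond)
    {
        this.capacity = capacity;
        this.refillPerSecond = refillPerSecond;
        this.tokens = capacity;           // start full so the first clicks are free
        this.last = DateTime.UtcNow;
    }

    // True if the click may be processed now; false means "cool down".
    public bool TryAcquire(DateTime now)
    {
        double elapsed = (now - last).TotalSeconds;
        if (elapsed > 0)
        {
            tokens = Math.Min(capacity, tokens + elapsed * refillPerSecond);
            last = now;
        }
        if (tokens >= 1.0) { tokens -= 1.0; return true; }
        return false;
    }
}

// Records inter-keystroke intervals for one field. Human typing has
// variance; near-constant intervals are worth flagging, not blocking.
public class KeystrokeTimer
{
    private readonly List<double> intervalsMs = new List<double>();
    private DateTime? lastKey;

    public void OnKeyPress(DateTime now)
    {
        if (lastKey.HasValue)
            intervalsMs.Add((now - lastKey.Value).TotalMilliseconds);
        lastKey = now;
    }

    public int Count { get { return intervalsMs.Count; } }

    // Standard deviation divided by mean; close to 0 means metronomic input.
    public double CoefficientOfVariation()
    {
        if (intervalsMs.Count < 2) return double.NaN;
        double mean = 0;
        foreach (double v in intervalsMs) mean += v;
        mean /= intervalsMs.Count;
        double variance = 0;
        foreach (double v in intervalsMs) variance += (v - mean) * (v - mean);
        variance /= intervalsMs.Count;
        return mean == 0 ? double.NaN : Math.Sqrt(variance) / mean;
    }

    public void Reset() { intervalsMs.Clear(); lastKey = null; }
}

public class CalculatorForm : Form
{
    private readonly TextBox amountBox = new TextBox();      // assumed field
    private readonly Button calculateButton = new Button();  // assumed button
    private readonly ClickThrottle throttle = new ClickThrottle(5, 0.5); // assumed tuning
    private readonly KeystrokeTimer timing = new KeystrokeTimer();

    public CalculatorForm()
    {
        amountBox.KeyPress += delegate { timing.OnKeyPress(DateTime.UtcNow); };
        calculateButton.Text = "Calculate";
        calculateButton.Click += new EventHandler(OnCalculate);
        Controls.Add(amountBox);
        Controls.Add(calculateButton);
    }

    private void OnCalculate(object sender, EventArgs e)
    {
        if (!throttle.TryAcquire(DateTime.UtcNow))
        {
            // Over the sustained rate: disable briefly instead of showing an error.
            calculateButton.Enabled = false;
            Timer cooldown = new Timer();
            cooldown.Interval = 2000;
            cooldown.Tick += delegate { calculateButton.Enabled = true; cooldown.Stop(); cooldown.Dispose(); };
            cooldown.Start();
            return;
        }
        double cv = timing.CoefficientOfVariation();
        if (timing.Count >= 8 && !double.IsNaN(cv) && cv < 0.05)
            LogSuspicious("uniform keystroke timing, cv=" + cv.ToString("F3"));
        timing.Reset();
        RunCalculation();
    }

    private void LogSuspicious(string reason) { /* assumed: write to a review log */ }
    private void RunCalculation() { /* assumed: the real calculate logic */ }

    [STAThread]
    static void Main() { Application.Run(new CalculatorForm()); }
}
```

The throttle only ever delays; it never refuses, so a legitimate user who clicks faster than the tuning expects sees a two-second disabled button and nothing worse. The timing heuristic is deliberately advisory: it produces a log entry for a human to review, because any hard block based on typing rhythm would be exactly the kind of false positive the thread warns about.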