Detecting automation of my application (bot-protection)

[docholiday]

Hi,

I have been researching this for quite some time now, but I cannot
seem to find any good articles or discussions about this topic -
perhaps I am only searching for the wrong terms.

My question is as follows: I want to prevent the user from using
automation in order to control an application I wrote. The application
consists of a couple of buttons and editfields. A user would enter
some data into those fields and then press a 'calculate' button to get
his result.

My company now wants this application (which is distributed to several
thousand clients) to forbid automation in any form. The reason for
that is kind of hard to explain, because of the nature of the product
(it is a financial application that can be used in combination with
other popular stock market software). Put simple, what I need to do is
a kind of "bot-protection".

Point is, however, that I cannot only detect how often the user clicks
the calculate-button, because it would make sense to do this only once
every few minutes, whereas a "manual user" might want to do it quite
more often. Just think of it as way to prevent a user to write an
application, that allows him to interact with the program without
being at the computer at the time.

Also the time needed to enter the data could be checked, but I could
imagine someone writing a solution that enters data in a way a human
would do it.

The third obvious way to prevent the user from automating my
application (captchas and the like) are sadly not an option either.

To make a long story short, is it possible to detect whether
informations about my controls (like their positions or the captions
of buttons (e.g. by means of GetWindowText et al)) are requested by
another process? How about detecting usage of methods like SendKeys or
the automated movement of the mouse? Or even shorter: is it possible
to detect, whether my application is automated by another process
without putting constraints on what a real user could do?

I would be very grateful for any informations regarding this topic,
sincerly,

Michael Donn

 

[Jeroen]

Hi Michael,

Philosophically speaking, you're running into the fact that others are
more and more able to beat the "Turing Test". Here's a link to the
Wikipedia article:

http://en.wikipedia.org/wiki/Turing_test

Theory aside, I think the answer to your question is "No, you can
never be 100% sure who or what is pushing the buttons in your app."
You can reach near 100% using a variety of methods, however I leave
suggesting of methods to more knowledgeable folks in this group.

Regards,
Jeroen

 

[docholiday]

First of all thank you for those quick responses.

Perhaps this is not a suitable forum, any pointers at what forums
might be a better starting point for me? I ended up posting here,
because the application is based upon the .NET 2.0 framework.

I have already gathered some informations concerning bots (especially
in MMORPGs) and I know that the generation of false positives might be
the biggest problem in this endeavour - which takes me back to my
original post, where I wondered about the possibility to detect
"abnormal" requests by other processes running on the clients machine
(for instance a GetWindowText-call to get the caption of a button in
my application, or doing a screen capture of our application's
windows). If I could identify processes that request informations
about the controls in my application, that might be a good indicator
for bot-usage (as long as this can be separated from usual windows
behaviour)

In the end it's probably a battle we cannot win. We had a long
discussion about this problem internally, but of course we cannot make
a decision before knowing as many facts as possible about the whole
topic.

Sincerly,
Michael

 

[Paul Shapiro]

You could insert delays in your UI code so it won't run faster than a
"normal" human, but it would seem a delicate balance to keep from annoying
users.