User Guide

ML Based Bot Detection

The AI-based bot detection model enhances existing signature- and threshold-based rules by identifying sophisticated bots and credential-stuffing (CC) attacks that may evade traditional detection methods.

Unlike conventional bot detection mechanisms, which require manual threshold configuration to distinguish normal from abnormal user behavior, the machine learning (ML)-based model automates this process. For example, determining an appropriate threshold for the number of HTTP requests a user can make before being flagged as suspicious often requires iterative adjustments and continuous log monitoring.

The ML-based bot detection model leverages a Support Vector Machine (SVM) algorithm to construct a self-learning model that profiles legitimate client traffic. Incoming traffic is analyzed against these learned profiles, and deviations result in anomaly classification. When application usage patterns change—such as due to feature updates—the model automatically recalibrates to maintain accuracy.

Additionally, testing indicates that the ML-based bot detection model significantly improves detection accuracy, particularly for crawlers and scrapers. By evaluating traffic across 13 dimensions, it enhances detection precision while reducing false positive rates.

To configure an ML-based bot detection rule:

  1. Go to BOT MITIGATION > ML Based Detection (Beta).
    You must have already enabled this module in Add Modules. See Add and Remove Modules.
  2. Select the Model Settings tab.
  3. Configure the following settings.
  4. Client Identification Method

    FortiAppSec Cloud collects samples from real users to build a machine learning model. Select whether to use IP, IP and User-Agent, or Cookie to identify a user.

    • IP: The traffic data in one sample should come from the same source IP.

    • IP and User-Agent: The traffic data in one sample should come from the same source IP and User-Agent (the browser).

    • Cookie: The traffic data in one sample should have the same cookie value.

    Model Type

    Multiple models are built during the model building stage. The system uses training accuracy, cross-validation value, and testing accuracy to select qualified models.

    The Model Type is used to select the one final model out of all the qualified models.

    • If you configure the Model Type to Moderate, the system chooses the model which has the highest training accuracy among all the qualified models.

    • If you configure the Model Type to Strict, the system chooses the model which has the lowest training accuracy among all the qualified models.

    The Strict Model has a higher likelihood of identifying anomalies, but also carries the risk of incorrectly identifying regular users as bots.

    The Moderate Model is relatively lenient, making it less prone to false positive detections, but comes with the risk of allowing actual bots to go undetected.

    There isn't a perfect option for every situation. Whichever model type you choose, you can always leverage the options in Anomaly Detection Settings and Action Settings to mitigate the side effects, for example, using Bot Confirmation to avoid false positive detections.

    Anomaly Count

    If the system detects the configured count of anomalies from a user, it takes action(s) such as sending alerting emails or blocking the traffic from this user.

    Anomaly Count controls the number of anomalies allowed for each user.

    For example, the Anomaly Count is set to 4 and the system has detected 3 anomalies in the last 6 samples. If the 7th sample is also detected as an anomaly, the system will enact the configured action(s).

    If no valid traffic is collected for the 7th sample (for example, the user leaves your application), the system will clear the anomaly count and user information. If the user revisits your application, they will be treated as a new user and the system starts anomaly counting afresh.

    This feature may be useful for avoiding false positive detections.

    Challenge

    If a bot is detected, the system will use the following methods to confirm it's indeed a bot.

    • Real Browser Enforcement: The system sends a JavaScript challenge to the client to verify whether it is a web browser.

    • CAPTCHA Enforcement: The system requires clients to successfully fulfill a CAPTCHA request.

    The system triggers the action policy if the traffic is not from a web browser.

    Block Duration

    Enter the number of seconds that you want to block the requests. The valid range is 1–3,600 seconds (1 hour).

    This option only takes effect when you choose Period Block in Action.

    Source IP List

    Click Create New to list the source IP ranges of the samples. FortiAppSec Cloud will collect samples from the specified IP ranges.

    Exception URLs

    Due to the nature of some web pages, such as a stock list page, even regular users may behave like bots because they tend to refresh the page frequently. You may need to add these URLs to the exception list; otherwise the model may be invalid because too many bot-like behaviors are recorded in the samples.

    Click Create New to list exception URLs. The system will collect samples for any URL except the ones in the Exception URLs list.

  5. (Optional) Add exception rules for traffic that meets the configured criteria so that it is not blocked.

    Field

    Description

    Match Object

    The criterion the rule uses to match traffic.

    In this drop-down menu, you can select from the following options:

    • Client IP
    • Host
    • URI
    • Full URL
    • Parameter
    • Cookie

    Match Condition

    Select a matching method.

    If Match Object is Client IP, select one of:

    • Equal

    • Not Equal

    For all other Match Objects, select one of:

    • String Match

    • Regular Expression Match

    IP/IP Range

    Enter the IP address(es) and/or IP range(s) you wish to allow, separated by commas.

    For example:

    1.2.3.4, 1.2.3.4-1.2.3.40

    Relationship with previous rule

    Select whether the current rule should run concurrently with or as an alternative to the previous rule.

    • AND

    • OR

    For the first rule in a match sequence, this field has no effect.

    Note that rules bound by an AND relationship take precedence over those bound by an OR relationship: all AND conditions must be met before the OR conditions are considered.

  6. In the top right corner, select the action that FortiAppSec Cloud takes when it detects a violation of the rule.
    To configure the actions, you must first enable the Advanced Configuration in WAF > System Settings > Settings.

    Alert

    Accept the request and generate a log message.

    Alert & Deny

    Block the request (or reset the connection) and generate a log message.

    Period Block

    Block the current request. Moreover, all the subsequent requests from the same client in the next 10 minutes will also be blocked.

    Deny (no log)

    Block the request (or reset the connection) without generating a log message.

  7. Click SAVE.
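The Anomaly Count behaviour described under Model Settings (a per-user anomaly counter that fires the configured action when the count is reached, and is cleared when a sampling window contains no valid traffic) is easier to reason about as code. The following Python is an added illustration, not FortiAppSec Cloud's own implementation; the sample identities and verdict sequences are constructed, the `client_key` helper mirrors the three Client Identification Method options on this page, and the reset of the counter after an action fires is an assumption the guide does not state.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def client_key(method: str, src_ip: str, user_agent: str = "", cookie: str = "") -> str:
    """Group traffic into one per-user sample according to the Client Identification Method."""
    if method == "IP":
        return src_ip
    if method == "IP and User-Agent":
        return f"{src_ip}|{user_agent}"
    if method == "Cookie":
        return cookie
    raise ValueError(f"unknown client identification method: {method!r}")


@dataclass
class AnomalyTracker:
    """Per-user anomaly counter following the Anomaly Count rules in the guide.

    Each call to observe() feeds one sample's verdict from the model:
      True  -> the sample was classified as an anomaly
      False -> the sample looked like normal traffic
      None  -> no valid traffic was collected in this sampling window (the user
               left the application): the user's count and state are cleared
    """
    anomaly_count: int                                    # configured Anomaly Count
    counts: Dict[str, int] = field(default_factory=dict)  # anomalies seen per user key
    actions: List[str] = field(default_factory=list)      # keys for which the action fired

    def observe(self, key: str, verdict: Optional[bool]) -> Optional[str]:
        if verdict is None:
            # Guide: no valid traffic -> clear the anomaly count and user information.
            self.counts.pop(key, None)
            return None
        if not verdict:
            return None
        self.counts[key] = self.counts.get(key, 0) + 1
        if self.counts[key] >= self.anomaly_count:
            self.actions.append(key)
            # Assumption (not stated in the guide): once the configured action has
            # fired, counting for this user starts again from zero.
            self.counts.pop(key, None)
            return "action"
        return None


def replay_guide_example() -> dict:
    """Replay the guide's scenario: Anomaly Count 4, 3 anomalies in 6 samples, 7th anomalous."""
    tracker = AnomalyTracker(anomaly_count=4)
    # Constructed sample identity using the IP and User-Agent method.
    key = client_key("IP and User-Agent", "203.0.113.10", "Mozilla/5.0 (constructed UA)")
    first_six = [True, False, True, False, False, True]  # three anomalies, no action yet
    early = [tracker.observe(key, v) for v in first_six]
    seventh = tracker.observe(key, True)                 # fourth anomaly -> action
    return {"early": early, "seventh": seventh, "actions": list(tracker.actions)}


def replay_user_leaves() -> dict:
    """Same start, but the 7th window has no valid traffic: the count is cleared and a
    later revisit is counted afresh, so one new anomaly does not reach the threshold."""
    tracker = AnomalyTracker(anomaly_count=4)
    key = client_key("IP", "203.0.113.10")               # constructed source IP
    for v in [True, False, True, False, False, True]:
        tracker.observe(key, v)
    before = tracker.counts.get(key, 0)
    tracker.observe(key, None)                           # user left the application
    cleared = tracker.counts.get(key, 0)
    revisit = tracker.observe(key, True)                 # treated as a new user
    return {"before": before, "cleared": cleared, "revisit": revisit,
            "after": tracker.counts.get(key, 0)}
```

The second replay shows why the clearing rule helps against false positives: a user who accumulated three anomalies, left, and came back is not one anomaly away from being blocked.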
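The exception rules in step 5 combine Match Object, Match Condition, the comma-separated IP/IP Range list and the AND/OR Relationship with previous rule, with AND taking precedence over OR. The following Python is an added worked example of that evaluation, not FortiAppSec Cloud's own rule engine: the request dictionary shape, the rule set and the requests are constructed, and treating String Match as an exact comparison and Parameter/Cookie as raw query string and Cookie header are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ExceptionRule:
    match_object: str           # Client IP, Host, URI, Full URL, Parameter, Cookie
    match_condition: str        # Equal / Not Equal for Client IP; String Match / Regular Expression Match otherwise
    value: str                  # IP/IP Range list, or the string / regex to match
    relationship: str = "AND"   # Relationship with previous rule; ignored for the first rule


def ip_in_list(client_ip: str, ip_list: str) -> bool:
    """Match against the IP/IP Range field, e.g. '1.2.3.4, 1.2.3.4-1.2.3.40'."""
    addr = ipaddress.ip_address(client_ip)
    for item in ip_list.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            low, high = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if low <= addr <= high:
                return True
        elif addr == ipaddress.ip_address(item):
            return True
    return False


# Request fields each non-IP Match Object is compared against (constructed request shape).
_FIELD_FOR_OBJECT = {
    "Host": "host",
    "URI": "uri",
    "Full URL": "full_url",
    "Parameter": "query",     # assumption: raw query string
    "Cookie": "cookie",       # assumption: raw Cookie header value
}


def rule_matches(rule: ExceptionRule, request: Dict[str, str]) -> bool:
    """Evaluate one rule against one request."""
    if rule.match_object == "Client IP":
        hit = ip_in_list(request["client_ip"], rule.value)
        if rule.match_condition == "Equal":
            return hit
        if rule.match_condition == "Not Equal":
            return not hit
        raise ValueError(f"invalid condition for Client IP: {rule.match_condition!r}")
    subject = request.get(_FIELD_FOR_OBJECT[rule.match_object], "")
    if rule.match_condition == "String Match":
        return subject == rule.value    # assumption: exact string comparison
    if rule.match_condition == "Regular Expression Match":
        return re.search(rule.value, subject) is not None
    raise ValueError(f"invalid condition for {rule.match_object}: {rule.match_condition!r}")


def exception_applies(rules: List[ExceptionRule], request: Dict[str, str]) -> bool:
    """AND binds tighter than OR: the rule sequence is an OR of AND-groups."""
    groups: List[List[ExceptionRule]] = [[]]
    for index, rule in enumerate(rules):
        if index > 0 and rule.relationship == "OR":
            groups.append([])
        groups[-1].append(rule)
    return any(all(rule_matches(r, request) for r in group) for group in groups)


# Constructed rule set: (Client IP in range AND Host is shop.example.com) OR URI is exactly /api/health
DEMO_RULES = [
    ExceptionRule("Client IP", "Equal", "1.2.3.4, 1.2.3.4-1.2.3.40"),
    ExceptionRule("Host", "String Match", "shop.example.com", relationship="AND"),
    ExceptionRule("URI", "Regular Expression Match", r"^/api/health$", relationship="OR"),
]


def demo_verdicts() -> List[bool]:
    """Constructed requests: in-range IP + host, out-of-range IP, health check, near-miss URI."""
    requests = [
        {"client_ip": "1.2.3.20", "host": "shop.example.com", "uri": "/cart"},
        {"client_ip": "1.2.3.50", "host": "shop.example.com", "uri": "/cart"},
        {"client_ip": "198.51.100.7", "host": "status.example.com", "uri": "/api/health"},
        {"client_ip": "198.51.100.7", "host": "status.example.com", "uri": "/api/healthz"},
    ]
    return [exception_applies(DEMO_RULES, r) for r in requests]
```

The grouping step is the part worth checking when writing rules: an OR starts a new AND-group, so a rule added later with AND only narrows the group it belongs to, never the earlier alternatives.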

Related Videos

FortiAppSec Cloud: ML-based Bot Detection