NOMAD: Towards non-intrusive moving-target defense against web bots

Web bots, such as XRumer, Magic Submitter and SENuke, have been widely used by attackers to perform illicit activities, such as massively registering accounts, sending spam, and automating web-based games. Although the technique of CAPTCHA has been widely used to defend against web bots, it requires users to solve some explicit challenges, which is typically interactive and intrusive, resulting in decreased usability. In this paper, we design a novel, non-intrusive moving-target defense system, NOMAD, to complement existing solutions. NOMAD prevents web bots from automating web resource access by randomizing HTML elements while not affecting normal users. Specifically, to prevent web bots uniquely identifying HTML elements for later automation, NOMAD randomizes name/id parameter values of HTML elements in each HTTP form page. We evaluate NOMAD against five powerful state-of-the-art web bots on several popular open source web platforms. According to our evaluation, NOMAD can prevent all these web bots with a relatively low overhead.