Explaining how to use no-head browser or behavior simulation for Loc collection.

admin

The text has been successfully translated from Chinese to English. The translation is as follows:
"I have seen a big boss publish the method of collecting loc and sending it to telegram. There are also many big bosses who conduct robustness edge testing on the SCDN model. Here I briefly introduce how we identify bot behavior and human behavior, or distinguish between legal bots and illegal ones."
As mentioned in 3077, Secbit's SCDN will record user requests that occur during raw packets, TCP session context, TLS session context, HTTP request context, and store this data in our database for deep learning and generating deep learning defense models. We learn from these records.
In the lifetime cycle of TCP handshake timing baseline, URI request distribution, method type distribution, TCP handshaking timing baseline, TLS handshaking timing baseline, H2 handshaking timing baseline, rate baseline, flow baseline, retransmission baseline, multi-layer fingerprinting, etc. By using these data to generate a model, the model will contain clean traffic behaviors and malicious traffic behaviors.
For HTTP flood defense, the efficiency can reach up to 99.9999%. Similarly, for collecting behaviors, most collectors are very single and have fixed behavior patterns. They are easy to be identified and stopped by the deep learning defense model. So some big bosses propose using no-head browser or simulating normal user access behaviors. Currently, it is difficult to quickly and effectively block these types of collection techniques with current technology conditions, or the cost is too high. If your rate baseline does not show excessive deviations beyond the water level, you need to expand ctx and time window to a longer and wider dimension and period. This is very unfavorable for the cost of deep learning. Generally speaking, when the ctx and time window are longer under the same condition, even if the no-head browser and simulated user access behaviors are collected, they can still be identified because there are actually no users who continuously visit for hours and have relative fixed frequency and time discreteness."
Due to business confidentiality, more detailed and specific implementation details will not be disclosed.
Currently, Secbit's SCDN is exclusively aimed at DDoS defense, HTTP Flood defense, and hacker intrusion defense. We welcome users who have suffered attacks to experience outstanding DDoS and HTTP Flood defense capabilities.