Even Turing Should Sometimes Not Be Able to Tell: Mimicking Humanoid Usage Behavior for Exploratory Studies of Online Services

  • Conference paper
Secure IT Systems (NordSec 2019)

Abstract

Online services such as social networks, online shops, and search engines deliver different content to users depending on their location, browsing history, or client device. Since these services have a major influence on opinion forming, understanding their behavior from a social science perspective is of greatest importance. In addition, technical aspects of services such as security or privacy are becoming more and more relevant for users, providers, and researchers. Due to the lack of essential data sets, automatic black box testing of online services is currently the only way for researchers to investigate these services in a methodical and reproducible manner. However, automatic black box testing of online services is difficult since many of them try to detect and block automated requests to prevent bots from accessing them.

In this paper, we introduce a testing tool that allows researchers to create and automatically run experiments for exploratory studies of online services. The testing tool performs programmed user interactions in such a manner that it can hardly be distinguished from a human user. To evaluate our tool, we conducted, among other things, a large-scale research study on Risk-based Authentication (RBA), which required human-like behavior from the client. We were able to circumvent the bot detection of the investigated online services with the experiments. As this demonstrates the potential of the presented testing tool, it remains the responsibility of its users to balance the conflicting interests between researchers and service providers as well as to check whether their research programs remain undetected.

Notes

  1. Provided as open source software at https://github.com/das-th-koeln/HOSIT.

  2. First version of the source code was published on the Puppeteer GitHub repository on May 11th, 2017: https://github.com/GoogleChrome/puppeteer/commit/2cda8c18d10865d79d3e63b23e36aa7562098bf7.

  3. To be compatible with Linux servers or Docker containers without a visible desktop environment, the headful mode can also be run inside a virtual window session.

  4. Amazon, Facebook, GOG.com, Google, iCloud, LinkedIn, Steam and Twitch.

Acknowledgements

We would like to thank Tanvi Patil for proofreading a draft of the paper. This research was supported by the research training group “Human Centered Systems Security” (NERD.NRW) sponsored by the state of North Rhine-Westphalia.

Author information

Correspondence to Stephan Wiefling.

Copyright information

© 2019 Springer Nature Switzerland AG

Cite this paper

Wiefling, S., Gruschka, N., Lo Iacono, L. (2019). Even Turing Should Sometimes Not Be Able to Tell: Mimicking Humanoid Usage Behavior for Exploratory Studies of Online Services. In: Askarov, A., Hansen, R., Rafnsson, W. (eds) Secure IT Systems. NordSec 2019. Lecture Notes in Computer Science(), vol 11875. Springer, Cham. https://doi.org/10.1007/978-3-030-35055-0_12

  • DOI: https://doi.org/10.1007/978-3-030-35055-0_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-35054-3

  • Online ISBN: 978-3-030-35055-0

  • eBook Packages: Computer Science, Computer Science (R0)
