Antonio Nappa, Professor, Corelight Inc, USA
CAPTCHA systems have been widely deployed to identify and block fraudulent bot traffic. However, current solutions, such as Google’s reCAPTCHA, often either (i) require additional user actions (e.g., users solving mathematical or image-based puzzles), or (ii) need to send the attestation data back to the server (e.g., user behavioral data, device fingerprints, etc.), thus raising significant privacy concerns. To address both of the above, in this paper we present ZKSENSE: the first zero knowledge proof-based bot detection system, specifically designed for mobile devices. Our approach is completely transparent to the users and does not reveal any sensitive sensor data to the service provider. To achieve this, ZKSENSE studies the mobile device’s motion sensor outputs during user actions and assess their humanness locally with the use of an ML-based classifier trained by using sensor data from public sources and data collected from a small set of volunteers. We implement a proof of concept of our system as an Android service to demonstrate its feasibility and effectiveness. In our evaluation we show that ZKSENSE detects bots without degrading the end-user experience or jeopardizing their privacy, with 91% accuracy across a variety of bot scenarios, including: (i) when the device is resting (e.g., on a table), (ii) when there is artificial movement from the device’s vibration, and (iii) when the device is docked on a swinging cradle.