Is a bot at the controls?: Detecting input data attacks

The use of programmatically generated input data in place of human-generated input data poses problems for many computer applications in use today. Mouse clicks and keyboard strokes can automatically be generated to cheat in online games, or to perpetrate click fraud. The ability to discern whether input data was computationally generated instead of created by a human input device is therefore of paramount importance to these types of applications. This paper describes a method for detecting input data that was computationally modified or fabricated. This includes detecting data that was not directly generated by a physical human input device such as a keyboard or mouse. A prototype of this system was built on existing hardware and was shown to be effective at detecting attacks on a real application. This detection method is capable of addressing the majority of input-based attacks currently in use. When used in conjunction with a trusted peripheral, it offers a robust mechanism for ensuring a computer is not at the controls.