Overview
Machine Learning is one of the core capabilities in Bot Management for identifying complex automated threats. It is based on our platform traffic analysis, model training, and behavioral pattern recognition, and is designed to detect automated access patterns that are difficult to cover with rules or static features alone.
Compared with Heuristic Detection, Machine Learning is more effective at identifying:
- Bots with strong evasion capabilities
- Automated requests using dynamic proxies or frequently changing identities
- Coordinated attack traffic with complex behavior patterns and weak individual signals
- Continuously changing and evolving attack methods
Machine Learning Detection is one of the inputs used to calculate the Bot Score. It works together with Heuristic Detection signals to improve detection of complex bots and increase overall detection coverage.
How It Works
To balance advanced model analysis with online service stability, Machine Learning Detection uses a combined architecture of asynchronous analysis + edge execution.
Asynchronous Analysis (Offline Computing Layer)
- Role: Acts as the system’s analysis center and is responsible for offline tasks such as model training, feature engineering, clustering analysis, and anomaly detection.
- Input: Large volumes of aggregated and anonymized request log data collected from global edge nodes.
- Processing: Uses unsupervised learning and coordinated-group clustering analysis to identify unknown threats, abnormal group behavior, and potential automated attack networks.
- Output: Regularly generates and updates lightweight risk rules, which are distributed to global edge nodes. This approach separates complex computation from online request evaluation and helps maintain real-time detection efficiency and service stability.
Real-time Decision-making at the Edge (Dynamic Execution Layer)
- Role: Acts as the online execution layer deployed on edge nodes. It performs real-time risk evaluation when requests arrive, based on the risk rules distributed by the central analysis system.
- Input: Request traffic from websites where detection is enabled.
- Processing: When a request reaches an edge node, the system extracts request features in real time and quickly matches and evaluates them against centrally distributed risk rules.
- Output: Produces a risk assessment result and combines it with Heuristic Detection results to generate two key risk indicators: Bot Score and Bot Tags.
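The split between the two layers can be sketched as follows. This is an added illustration, not the product's own code: an offline pass groups constructed log records by a shared behavior signature and emits lightweight rules, and an edge function does a constant-time lookup per request. The field names, thresholds, risk scale, and the max() combination with the heuristic signal are all assumptions.

```python
from collections import defaultdict

# Constructed, anonymized sample logs (not real traffic).
def make_logs():
    logs = []
    # 40 distinct clients, 2 requests each, same fingerprint and timing:
    # each client is a weak signal on its own, the group is not.
    for i in range(40):
        for _ in range(2):
            logs.append({"client": f"c{i}", "fp": "fp-a1", "path": "/login", "gap": 5.0})
    # Organic traffic: varied fingerprints, paths and request gaps.
    for i in range(30):
        logs.append({"client": f"u{i}", "fp": f"fp-u{i % 7}",
                     "path": ["/", "/login", "/cart"][i % 3], "gap": 3.0 + i * 1.7})
    return logs

def signature(rec):
    """Features used by both layers: fingerprint, path, 2-second timing bucket."""
    return (rec["fp"], rec["path"], int(rec["gap"] // 2))

def offline_build_rules(logs, min_clients=20, max_req_per_client=3):
    """Offline layer: flag signatures shared by many clients that each send few requests."""
    per_sig = defaultdict(lambda: defaultdict(int))
    for rec in logs:
        per_sig[signature(rec)][rec["client"]] += 1
    rules = {}
    for sig, counts in per_sig.items():
        if len(counts) >= min_clients and max(counts.values()) <= max_req_per_client:
            # Assumed risk scale 0-100; risk grows with group size.
            rules[sig] = min(100, 50 + len(counts))
    return rules

def edge_evaluate(request, rules, heuristic_risk=0):
    """Edge layer: dictionary lookup against distributed rules, no model inference."""
    ml_risk = rules.get(signature(request), 0)
    return max(ml_risk, heuristic_risk)  # assumed way of combining the two inputs

if __name__ == "__main__":
    rules = offline_build_rules(make_logs())
    # A client id never seen offline still matches on behavior alone.
    print(edge_evaluate({"client": "new", "fp": "fp-a1", "path": "/login", "gap": 5.3}, rules))
    print(edge_evaluate({"client": "u99", "fp": "fp-u1", "path": "/", "gap": 4.0}, rules))
```

Because the rule keys contain no client identifier, a request from a fresh IP or identity is still matched, which is the property that makes this approach useful against rotating proxies.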
Use Cases
Machine Learning detection is applicable to the following scenarios:
- Identify highly stealthy bots: Detects automated traffic that bypasses traditional rule-based detection by imitating real browser behavior.
- Detect coordinated attacks: Identifies automated attacks where individual requests show weak signals, but group behavior reveals clear correlations.
- Detect evolving attack methods: Identifies new bots and attack variants that rules and static features cannot cover quickly enough.
- Cover gaps in Heuristic Detection: Provides additional detection for complex access patterns that known rules cannot easily classify.
How It Works with Heuristic Detection
Heuristic Detection and Machine Learning are two core technologies used in Bot Score, each with a different role:
Heuristic Detection is better suited for identifying:
- Known tools
- Known anomalies
- High-confidence risk signals
- Automated behavior that can be matched quickly with rules
Key strengths: Fast detection, real-time response, high explainability
Machine Learning is better suited for identifying:
- Automated behavior with less obvious features
- Bots with complex behavior patterns
- Continuously changing or evolving attack methods
- Abnormal access patterns that are difficult to cover with rules alone
Key strengths: Better at finding unknown threats, helps cover gaps in heuristic detection, more suitable for complex and evolving attacks.
Combined Assessment
The system combines heuristic labels, behavioral features, and machine learning analysis results to evaluate each request and generate a final Bot Score. Based on the Bot Score and related detection results, you can further configure actions such as monitor, challenge, or block.
Feature Highlights
- Designed for complex threats: Detects disguised, coordinated, and evolving automated attacks that are difficult to cover with rules alone.
- Supports continuous updates: Continuously improves risk detection through ongoing training and traffic analysis.
- Covers detection gaps: Works with Heuristic Detection to improve overall detection coverage.
- Supports policy enforcement: Analysis results can be used in Bot Score calculation and related policy configuration and risk handling.