AI Summary
This work addresses the growing threat posed by malicious bots to e-commerce platforms, which increasingly leverage proxies, botnets, and AI techniques to evade conventional detection mechanisms such as IP blacklists and CAPTCHAs. To counter this challenge, we propose the first non-intrusive, graph neural network-based detection framework tailored for e-commerce scenarios. By constructing user session behavior graphs and employing an inductive graph neural network (GNN) to model relational structures and behavioral semantics among users, our approach achieves generalization to unseen sessions and URLs without requiring client-side instrumentation. The framework supports real-time inference and incremental updates, making it suitable for dynamic deployment. Evaluated on real-world e-commerce data, the model significantly outperforms MLP baselines in both AUC and F1 metrics, demonstrating high accuracy, robustness, and practical deployability.
Abstract
Malicious bots pose a growing threat to e-commerce platforms by scraping data, hoarding inventory, and perpetrating fraud. Traditional bot mitigation techniques, including IP blacklists and CAPTCHA-based challenges, are increasingly ineffective or intrusive, as modern bots leverage proxies, botnets, and AI-assisted evasion strategies. This work proposes a non-intrusive graph-based bot detection framework for e-commerce that models user session behavior through a graph representation and applies an inductive graph neural network for classification. The approach captures both relational structure and behavioral semantics, enabling accurate identification of subtle automated activity that evades feature-based methods. Experiments on real-world e-commerce traffic demonstrate that the proposed inductive graph model outperforms a strong session-level multilayer perceptron baseline in terms of AUC and F1 score. Additional adversarial perturbation and cold-start simulations show that the model remains robust under moderate graph modifications and generalizes effectively to previously unseen sessions and URLs. The proposed framework is deployment-friendly, integrates with existing systems without client-side instrumentation, and supports real-time inference and incremental updates, making it suitable for practical e-commerce security deployments.
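The sketch below is an added example, not code from the paper: it illustrates why neighbor aggregation over a session-URL graph is inductive, by embedding a session that arrived after the graph was built. The bipartite session-URL layout, the two-feature behaviour vector, the GraphSAGE-style mean aggregator (shown without learned weights or the classifier) and all log rows are assumptions; the abstract does not specify them.

```python
# Added illustration: graph layout, features and log rows are assumptions.
from collections import defaultdict
from statistics import mean

# Constructed request log: (session_id, url, seconds since previous request)
LOG = [
    ("s1", "/home", 4.0), ("s1", "/item/1", 9.0), ("s1", "/cart", 12.0),
    ("s2", "/item/1", 0.2), ("s2", "/item/2", 0.2), ("s2", "/item/3", 0.3),
    ("s3", "/item/2", 0.1), ("s3", "/item/3", 0.2), ("s3", "/item/4", 0.1),
]
# Constructed session that arrives after the graph was built (cold start).
NEW = [("s9", "/item/3", 0.2), ("s9", "/item/4", 0.1), ("s9", "/new-url", 0.3)]

def session_features(rows):
    """Hypothetical 2-d behaviour vector: [mean request gap, distinct URLs]."""
    return [mean(gap for _, _, gap in rows), float(len({u for _, u, _ in rows}))]

def build_graph(log):
    """Return (url -> sessions that requested it, session -> features)."""
    by_session, url_to_sessions = defaultdict(list), defaultdict(set)
    for row in log:
        by_session[row[0]].append(row)
        url_to_sessions[row[1]].add(row[0])
    feats = {sid: session_features(rows) for sid, rows in by_session.items()}
    return url_to_sessions, feats

def vec_mean(vectors, dim=2):
    """Element-wise mean; a zero vector when there is nothing to average."""
    vectors = list(vectors)
    return [mean(col) for col in zip(*vectors)] if vectors else [0.0] * dim

def embed(rows, url_to_sessions, feats):
    """Own features concatenated with the mean, over shared URLs, of the
    mean features of the other sessions seen on each URL. No per-node
    lookup table is used, so sessions and URLs absent from the graph work."""
    sid = rows[0][0]
    url_vecs = []
    for url in {u for _, u, _ in rows}:
        others = [feats[o] for o in url_to_sessions.get(url, ()) if o != sid]
        if others:  # URLs nobody else has requested carry no neighbour signal
            url_vecs.append(vec_mean(others))
    return session_features(rows) + vec_mean(url_vecs)

if __name__ == "__main__":
    url_to_sessions, feats = build_graph(LOG)
    print("unseen s9:", embed(NEW, url_to_sessions, feats))
```

In a trained model the concatenated vector would pass through learned weights and a classifier; a session-level MLP would see only the first two components.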