Anti-Bot

What Is Fingerprint Clustering?

By the Scrappey Research Team

What Is Fingerprint Clustering? — conceptual illustration
On this page

Fingerprint clustering is the practice of grouping fingerprints from millions of real visitors by similarity, then rejecting any new visitor whose fingerprint does not fall inside a known cluster. A browser fingerprint is the bundle of traits a site can read from your browser (GPU, screen size, fonts, and more). Clustering judges the combination of those traits rather than each one in isolation — closely related to fingerprint lie detection, but driven by population statistics instead of internal contradictions. The catch for a spoofer: you can make every field individually valid yet still produce a combination no real device has ever sent.

Quick facts

Decision basisDistance to the nearest cluster of real fingerprints
Common algorithmsK-Means / DBSCAN, Isolation Forest, co-occurrence tables
CatchesField combinations that never occur on real hardware
Key inputsCanvas/WebGL hash, GPU, fonts, cores, memory, screen, timezone
BeatsRandomised and hand-picked "valid-looking" fingerprints

Why per-field validation is not enough

A simple anti-bot check validates each signal on its own: the User-Agent is a real Chrome string, the screen is 1920x1080, the GPU is an NVIDIA GTX 1080 Ti, the canvas hash (a fingerprint built from a tiny image the browser draws, which varies by hardware) looks like real pixel data, and the timezone is Europe/Amsterdam. Every field passes on its own — yet that exact combination may never have appeared in reality. Clustering exists to catch this kind of fake: signals that are believable individually but collectively impossible.

How clustering works

1. Collect. Every genuine visit is stored as a full fingerprint vector — a list of values for canvas hash, GPU, screen, font count, CPU cores, device memory, timezone, and platform.

2. Cluster. Real hardware and software setups repeat across many people, so the stored data forms natural groups. NVIDIA + Chrome on Windows lands in one cluster with a few hundred known canvas hashes; Apple Silicon + Safari forms another; Intel laptops a third.

3. Score. A new fingerprint is measured by its distance to the nearest cluster — how far it sits from any known group. A canvas hash never seen for that GPU, a font count of zero, or 8 GB of RAM paired with a high-end GPU pushes that distance past a rejection threshold, and the visitor is blocked.

What makes fingerprints cluster naturally

Deterministic rendering. The same GPU + driver + browser version always produces the same canvas and WebGL output (WebGL exposes details about your graphics hardware). A synthetic or solid-colour canvas yields a hash no real GPU has ever produced, so it sits far from every cluster.

OS-bound font sets. Different operating systems ship different fonts, and the exact pixel measurements differ slightly per platform. A real population shows this natural variation; a single hardcoded value repeated on every request does not.

Hardware correlations. Real devices obey constraints that fake data ignores — a high-end discrete GPU rarely pairs with only 8 GB of RAM, and an Apple GPU never reports Win32 as its platform. These joint patterns (which values realistically go together) are exactly what clustering measures.

Why clustering is hard to beat

Replaying a real fingerprint fails — the same fingerprint coming from many IPs is an obvious farm, and it must still match the request's TLS/JA3 fingerprint (TLS is the encryption layer behind https; JA3 is a signature of how the client negotiates it), which most HTTP clients cannot reproduce. Generating random valid fields fails — each field constrains the others, so a coherent profile requires a database of real devices. Enumerating every combination fails — the theoretical space runs to millions, but only a few thousand combinations actually appear regularly, so the rest stand out. The durable approach is to present one internally-consistent fingerprint from a real browser on real hardware — for example a deeply patched build like Camoufox — rather than assembling fields at runtime.

Code example

python
# How a server might cluster real fingerprints and score new ones.
from sklearn.ensemble import IsolationForest

# Each row is one real visitor's fingerprint, vectorised:
# [canvas_id, gpu_vendor, screen_w, screen_h, cores, memory_gb, font_count, tz_offset]
X_real = vectorize(fingerprint_db)        # millions of genuine visitors

model = IsolationForest(contamination=0.01)
model.fit(X_real)                          # learn the clusters of real devices

def verify(fingerprint):
    score = model.decision_function([vectorize(fingerprint)])[0]
    # Low / negative score = far from every cluster = likely fake
    return "accept" if score > THRESHOLD else "reject"

Related terms

What Is Fingerprint Lie Detection?
Fingerprint lie detection is the practice of verifying that the signals a browser reports are internally consistent and untampered, rather t…
What Is Browser Fingerprinting?
Browser fingerprinting is a technique that identifies and tracks a visitor by combining dozens of small, observable characteristics of their…
What Is Canvas Fingerprinting?
Canvas fingerprinting is a way for a website to identify your device by asking the browser to draw a tiny invisible image, then turning the …
What Is WebGL Fingerprinting?
WebGL fingerprinting reads identifying information directly from the GPU. WebGL is the browser feature that lets web pages draw 3D graphics …
What Is Font Fingerprinting?
Font fingerprinting identifies a device by working out which fonts are installed on it and measuring how that device draws text. The idea is…
What Is Behavioural Bot Detection?
Behavioural bot detection is the part of anti-bot scoring that asks "how does this client act?" instead of "what is this client?". Instead o…
What Is Anti-Bot Detection?
Anti-bot detection is the set of techniques websites use to tell automated traffic apart from real human visitors — and then block, challeng…
How to Build an Anti-Bot Challenge
An anti-bot challenge is a small test a server makes your browser run — like proof-of-work (forcing the browser to burn some CPU on a puzzle…
What Is JA4 Fingerprinting?
JA4 is a way to identify a browser by the fingerprint of its TLS handshake — TLS being the encryption layer behind https. It replaced the ol…
What Is Fingerprint Entropy?
Fingerprint entropy is a way to measure how much a browser attribute gives away about who you are, counted in bits. Think of entropy as "how…
What Is a Timezone / IP Mismatch?
A timezone/IP mismatch is when the location a browser claims and the location of its IP address disagree. Anti-bot systems (the software sit…

Concept map

How Fingerprint Clustering connects

The terms most directly tied to this one. Hover a node to see its neighbours, click to preview, drag to rearrange.

0 terms · 0 connections
You are here · Anti-Bot
Building map…

Tools & solutions for this topic

Frequently asked questions

How is fingerprint clustering different from lie detection?

Lie detection checks a single fingerprint for internal contradictions and signs of tampering (for example a patched native function, or a Windows User-Agent paired with Linux fonts). Clustering instead compares the fingerprint against the statistical pattern of millions of real devices and rejects it if it falls outside every known cluster. The two are complementary: a fingerprint can be perfectly self-consistent yet still be a combination no real device has ever produced.

Can I beat clustering by copying a real fingerprint?

Not reliably. The same fingerprint arriving from many IPs, or at impossible request rates, is an obvious bot farm — and it must still match the TLS/JA3 fingerprint of the request. Replaying one captured profile gets the device coherence right but fails the cross-signal and rate checks.

What inputs feed a clustering model?

Typically the canvas/WebGL hash, GPU vendor and tier, screen dimensions and colour depth, CPU cores, device memory, installed font count, timezone offset, platform, and touch points — turned into a numeric vector so the distance to known clusters can be measured.

Last updated: 2026-05-31