Shape Security, Inc.

United States of America

1-100 of 175 for Shape Security, Inc.
IP Type
        Patent 152
        Trademark 23
Jurisdiction
        United States 123
        World 43
        Canada 8
        Europe 1
Date
2024 4
2023 7
2022 2
2021 6
2020 18
IPC Class
H04L 29/06 - Communication control; Communication processing characterised by a protocol 97
H04L 29/08 - Transmission control procedure, e.g. data link level control procedure 30
G06F 21/55 - Detecting local intrusion or implementing counter-measures 20
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements 20
G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity 19
Status
Pending 2
Registered / In Force 173

1.

Security measures for extended sessions using multi-domain data

      
Application Number 18220782
Grant Number 12137097
Status In Force
Filing Date 2023-07-11
First Publication Date 2024-11-05
Grant Date 2024-11-05
Owner Shape Security, Inc. (USA)
Inventor
  • Chen, Mengmeng
  • Agarwal, Sumit
  • Zhao, Yao

Abstract

A security server device, method, non-transitory computer readable medium and security system that receives request data for a request from a client to a web server system where the request comprises a session identifier (ID) for a session between an authenticated user and the web server system. A determination is made whether the client is a single-user device based on the request data and multi-domain data. Another determination is made on whether the client is compromised based on the request data. In response to the determinations that the client is a single-user device and is not compromised, an extension of the session between the authenticated user on the client and the web server system is caused.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system

2.

DETECTING COMPROMISED WEB PAGES IN A RUNTIME ENVIRONMENT

      
Application Number 18746008
Status Pending
Filing Date 2024-06-17
First Publication Date 2024-10-10
Owner Shape Security, Inc. (USA)
Inventor
  • Hales, Wesley
  • Overson, Jarrod

Abstract

Techniques are provided for detecting compromised web pages in a runtime environment. A first version of a web page is retrieved and loaded in a browser comprising a browser extension configured to detect event listeners added when web pages are loaded by the browser. First data is generated describing a first set of event listeners detected by the browser extension when the first version of the web page is loaded. At a second time a second version of the web page is retrieved and loaded in the browser. Second data is generated describing a second set of event listeners detected by the browser extension when the second version of the web page is loaded. It is determined that the web page is compromised based on comparing the first data and the second data. In response to determining that the web page is compromised, a threat response action is performed.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 16/958 - Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking

3.

Call stack integrity check on client/server systems

      
Application Number 16231340
Grant Number RE050024
Status In Force
Filing Date 2018-12-21
First Publication Date 2024-06-25
Grant Date 2024-06-25
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Zhao, Yao
  • Wang, Xinran

Abstract

Computer systems and methods in various embodiments are configured for improving the security and efficiency of client computers interacting with server computers through supervising instructions defined in a web page and/or web browser. In an embodiment, a computer system comprising one or more processors, coupled to a remote client computer, and configured to send, to the remote client computer, one or more instructions, which when executed by the remote client computer, cause a run-time environment on the remote client computer to: intercept, within the run-time environment, a first call to execute a particular function defined in the run-time environment by a first caller function in the run-time environment; determine a first caller identifier, which corresponds to the first caller function identified in a run-time stack maintained by the run-time environment; determine whether the first caller function is authorized to call the particular function based on the first caller identifier.

IPC Classes

  • G06F 21/50 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
  • H04L 9/40 - Network security protocols
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 67/01 - Protocols

4.

Detecting malicious scripts in a web page

      
Application Number 18374188
Grant Number 12130920
Status In Force
Filing Date 2023-09-28
First Publication Date 2024-01-18
Grant Date 2024-10-29
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Disney, Tim
  • Kedlaya, Madhukar
  • Schlenker, Claire
  • Khadke, Nitish

Abstract

Techniques are provided for detecting a malicious script in a web page. Instrumentation code is provided for serving to a client computing device with a web page. The instrumentation code is configured to monitor web code execution at the client computing device when a script referenced by the web page is processed. Script activity data generated by the instrumentation code is received. The script activity data describes one or more script actions detected by the instrumentation code at the client computing device. Prior script activity data generated by a prior instance of the instrumentation code is obtained. A malicious change in the script is detected based on comparing the script activity data and the prior script activity data. In response to detecting the malicious change in the script, a threat response action is performed.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

5.

Facilitating secure client data transfer

      
Application Number 17071483
Grant Number 11783087
Status In Force
Filing Date 2020-10-15
First Publication Date 2023-10-10
Grant Date 2023-10-10
Owner Shape Security, Inc. (USA)
Inventor Agarwal, Sumit

Abstract

This technology receives first telemetry data collected at the client when first instrumentation code provided to the client during a first interaction with a first server is executed at the client. The first telemetry data is stored in a telemetry data set comprising telemetry data for one or more interactions between a plurality of clients and a plurality of servers. Second telemetry data, collected at the client when the second instrumentation code provided to the client during a second interaction with a second server is executed at the client, is received. Based on the second telemetry data, determining when the telemetry data set includes stored telemetry data for an interaction between the client and the first server. A transfer of data associated with the client and the first server to the second interaction is facilitated when the determination indicates the telemetry data set includes the stored telemetry data.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 21/60 - Protecting data
  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules

6.

Code modification for detecting abnormal activity

      
Application Number 17680977
Grant Number 12058170
Status In Force
Filing Date 2022-02-25
First Publication Date 2023-08-31
Grant Date 2024-08-06
Owner Shape Security, Inc. (USA)
Inventor
  • Call, Justin D
  • Zhou, Xiaoming
  • Huang, Xiaohan
  • Varadarajan, Subramanian
  • Hoover, Roger S.

Abstract

Techniques for code modification for detecting abnormal activity are described. Web code is obtained. Modified web code is generated by changing a particular programmatic element to a modified programmatic element throughout the web code. Instrumentation code is generated configured to monitor and report on one or more interactions with versions of the particular programmatic element. The instrumentation code is caused to be provided in association with the modified web code to the first client device in response to the first request from the first client device. Report data generated by the instrumentation code is received. The report data describes abnormal activity at the first client device, the abnormal activity comprising an interaction with a version of the particular programmatic element that does not exist in the modified web code. Based on the report, it is determined that the first client device is likely controlled by malware.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

7.

Obfuscating programs using different instruction set architectures

      
Application Number 17066962
Grant Number 11741197
Status In Force
Filing Date 2020-10-09
First Publication Date 2023-08-29
Grant Date 2023-08-29
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Gibbons, Kevin
  • Ficarra, Michael J.

Abstract

Technology related to obfuscating programs using different instruction set architectures is disclosed. In one example, a method includes receiving a program implemented as a set of ordered instructions. Each instruction of the set of ordered instructions has a type specified by a first instruction set architecture (ISA). A subgroup of instructions is selected from the set of ordered instructions. A new instruction type is generated to perform the operations of the subgroup of consecutive instructions. The new instruction type is added to a second ISA. An updated program is generated by replacing the subgroup of instructions with a new instruction of the generated new instruction type. An interpreter for executing programs using the second ISA is generated. In response to a request for the program, the updated program and the interpreter are sent.

IPC Classes

  • G06F 21/14 - Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation

8.

Security measures for extended sessions using multi-domain data

      
Application Number 17087840
Grant Number 11743256
Status In Force
Filing Date 2020-11-03
First Publication Date 2023-08-29
Grant Date 2023-08-29
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Chen, Mengmeng
  • Agarwal, Sumit
  • Zhao, Yao

Abstract

A security server device, method, non-transitory computer readable medium and security system that receives request data for a request from a client to a web server system where the request comprises a session identifier (ID) for a session between an authenticated user and the web server system. A determination is made whether the client is a single-user device based on the request data and multi-domain data. Another determination is made on whether the client is compromised based on the request data. In response to the determinations that the client is a single-user device and is not compromised, an extension of the session between the authenticated user on the client and the web server system is caused.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system

9.

Methods for automatically preventing data exfiltration and devices thereof

      
Application Number 17069180
Grant Number 11736512
Status In Force
Filing Date 2020-10-13
First Publication Date 2023-08-22
Grant Date 2023-08-22
Owner SHAPE SECURITY, INC. (USA)
Inventor Overson, Jarrod S.

Abstract

Methods, non-transitory computer readable media, protection server apparatuses, and network security systems that improve network security for web applications by mitigating cyberattacks that cause the exfiltration of data are illustrated. With this technology, network request(s) are received from a client that specify domain(s) to which the client has sent data during rendering of a webpage. The webpage includes instrumentation code configured to intercept and post the network requests. A determination is then made when one of the domain(s) is a malicious domain. Interceptor code is generated based on a type of attack that is associated with the one of the domains, when the determination indicates the one of the domains is a malicious domain. The instrumentation code is then updated to include the interceptor code. The interceptor code is configured to mitigate the attack when the webpage is subsequently rendered by another client.

IPC Classes

10.

Methods for security and privacy-enforced affinity scoring and devices thereof

      
Application Number 17071504
Grant Number 11652835
Status In Force
Filing Date 2020-10-15
First Publication Date 2023-05-16
Grant Date 2023-05-16
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Agarwal, Sumit
  • Chen, Mengmeng

Abstract

This technology maintains de-identified visit data to a plurality of websites from assigned user identifiers (UIDs) corresponding to a plurality of clients. The assigned UIDs include a different assigned UID for each client-website pair, the de-identified visit data associating the assigned UIDs to a plurality of groups. A first group from the groups is determined based on first request data corresponding to a first request from a client to a web server system. First group visit data describing visits to a set of the websites by assigned UIDs belonging to the first group is obtained from the de-identified visit data. Affinity data, comprising at least one affinity score for at least one of the websites, is generated based on the first group visit data. Generation of affiliate content based on the affinity data is caused, where the affiliate content corresponds to the at least one of the websites.

IPC Classes

  • G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
  • H04L 9/40 - Network security protocols
  • H04L 43/04 - Processing captured monitoring data, e.g. for logfile generation
  • H04L 67/306 - User profiles
  • H04L 43/062 - Generation of reports related to network traffic

11.

Advanced interstitial techniques for web security

      
Application Number 17024201
Grant Number 11647036
Status In Force
Filing Date 2020-09-17
First Publication Date 2023-05-09
Grant Date 2023-05-09
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Disney, Tim
  • Ficarra, Michael
  • Khadke, Nitish

Abstract

A method, non-transitory computer readable medium, device and system that receives one of one or more requests from a client to a web server system. An interstitial page is served to the client and comprises instrumentation code that, when executed at the client, collects telemetry data. The telemetry data is received and a threat analysis is performed on the telemetry data collected in association with the one of the requests. A determination is made on when, based on the performing the threat analysis, that the one of the requests is from a potential attacker. When the determination indicates the one of the requests is not from the potential attacker then the one of the requests is allowed.

IPC Classes

12.

Mitigating malicious client-side scripts

      
Application Number 17232805
Grant Number 11475122
Status In Force
Filing Date 2021-04-16
First Publication Date 2022-10-18
Grant Date 2022-10-18
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Kedlaya, Madhukar Nagaraja
  • Disney, Timothy Charles
  • Khadke, Nitish Kishore
  • Schlenker, Claire Madison

Abstract

Technology related to detecting and/or mitigating malicious client-side scripts is disclosed. In one example, a method includes sending a request for a page of a client application. In response to the request for the page, the page and a supervisory script of the page are received. The supervisory script of the page of the client application can be executed within a client environment. The supervisory script can override an operation associated with an architected application programming interface (API) of the client environment. During rendering of the page, a call to the architected API of the client environment can be serviced by performing a modified operation that is different than the architected operation associated with the architected API.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs

13.

Security scoring based on multi domain telemetry data

      
Application Number 16881251
Grant Number 11258819
Status In Force
Filing Date 2020-05-22
First Publication Date 2022-02-22
Grant Date 2022-02-22
Owner SHAPE SECURITY, INC. (USA)
Inventor Agarwal, Sumit

Abstract

A method, non-transitory computer readable medium, device, and system that receives telemetry data collected based on instrumentation code executed at one of a plurality of client computing devices with a requested transaction with one of a plurality of web server systems. Identifying signal data (IDSD) usable to identify the one of client computing devices is determined based on the received telemetry data. Any matching telemetry data in a telemetry data set for a plurality of prior transactions between one or more of the client computing devices and one or more of the web server systems is identified based on any stored IDSDs that match the received IDSD. A security score associated with the one of the client computing devices is generated based on the identified matching telemetry data. A response to the requested transaction to the one of client computing devices is managed based on the generated security score.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

14.

Detecting malicious scripts in a web page

      
Application Number 16914183
Grant Number 11790083
Status In Force
Filing Date 2020-06-26
First Publication Date 2021-12-30
Grant Date 2023-10-17
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Disney, Tim
  • Kedlaya, Madhukar
  • Schlenker Schlenker, Claire
  • Khadke, Nitish

Abstract

Techniques are provided for detecting a malicious script in a web page. Instrumentation code is provided for serving to a client computing device with a web page. The instrumentation code is configured to monitor web code execution at the client computing device when a script referenced by the web page is processed. Script activity data generated by the instrumentation code is received. The script activity data describes one or more script actions detected by the instrumentation code at the client computing device. Prior script activity data generated by a prior instance of the instrumentation code is obtained. A malicious change in the script is detected based on comparing the script activity data and the prior script activity data. In response to detecting the malicious change in the script, a threat response action is performed.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

15.

DETECTING MALICIOUS SCRIPTS IN A WEB PAGE

      
Application Number US2021037041
Publication Number 2021/262460
Status In Force
Filing Date 2021-06-11
Publication Date 2021-12-30
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Disney, Tim
  • Kedlaya, Madhukar
  • Schlenker, Claire
  • Khadke, Nitish

Abstract

Techniques are provided for detecting a malicious script in a web page. Instrumentation code is provided for serving to a client computing device with a web page. The instrumentation code is configured to monitor web code execution at the client computing device when a script referenced by the web page is processed. Script activity data generated by the instrumentation code is received. The script activity data describes one or more script actions detected by the instrumentation code at the client computing device. Prior script activity data generated by a prior instance of the instrumentation code is obtained. A malicious change in the script is detected based on comparing the script activity data and the prior script activity data. In response to detecting the malicious change in the script, a threat response action is performed.

IPC Classes

  • G06F 11/00 - Error detection; Error correction; Monitoring

16.

Unsupervised and supervised machine learning approaches to detecting bots and other types of browsers

      
Application Number 15669618
Grant Number 11138463
Status In Force
Filing Date 2017-08-04
First Publication Date 2021-10-05
Grant Date 2021-10-05
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Wang, Xinran
  • Zhao, Yao

Abstract

Unsupervised or supervised machine learning (“ML”) techniques discussed herein can be used to classify browsers as one or more types of browser or within one or more browser groups. For example, a computer system configured to improve security of server computers interacting with client computers through an intermediary computer, and comprising: a memory comprising processor logic; one or more processors coupled to the memory, wherein the one or more processors execute the processor logic, which causes the one or more processors to: receive a first plurality of requests from a first plurality of browsers; generate a first plurality of request-feature vectors from the first plurality of requests; generate a plurality of browser groups based on the first plurality of request-feature vectors; receive a first new request from a first client computer; generate a first new request-feature vector based on the first new request; determine that the first new request-feature vector belongs to a first browser group among the plurality of browser groups; determine that the first browser group is associated with a first rule, and in response, respond to the first new request according to the first rule.

IPC Classes

  • G06F 16/20 - Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
  • G06K 9/62 - Methods or arrangements for recognition using electronic means
  • G06N 5/02 - Knowledge representation; Symbolic representation
  • G06F 16/35 - Clustering; Classification
  • G06N 20/00 - Machine learning

17.

Detecting compromised credentials in a credential stuffing attack

      
Application Number 17232999
Grant Number 12126631
Status In Force
Filing Date 2021-04-16
First Publication Date 2021-08-19
Grant Date 2024-10-22
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Moen, Daniel G.
  • Schroeder, Carl

Abstract

Techniques are provided for detecting compromised credentials in a credential stuffing attack. A set model is trained based on a first set of spilled credentials. The set model does not comprise any credential of the first set of spilled credentials. A first request is received from a client computer with a first candidate credential to login to a server computer. The first candidate credential is tested for membership in the first set of spilled credentials using the set model. In response to determining the first set of spilled credentials includes the first candidate credential using the set model, one or more negative actions is performed.

IPC Classes

18.

Proof-of-work based on runtime compilation

      
Application Number 16653951
Grant Number 11095443
Status In Force
Filing Date 2019-10-15
First Publication Date 2021-08-17
Grant Date 2021-08-17
Owner SHAPE SECURITY, INC. (USA)
Inventor Zhang, Bei

Abstract

Techniques are provided for proof-of-work based on runtime compilation. Key generation code is partitioned into a set of code blocks. The key generation code generates an expected key value when compiled and executed. A shuffled set of code blocks is generated by reordering the set of code blocks. A client computing device is provided the shuffled set of code blocks and problem-solving code that, when executed at the client computing device, reconstructs the key generation code to generate a submission value by performing one or more compiling iterations. Each compiling iteration comprising reordering the shuffled set of code blocks to generate test code, and attempting to compile and execute the test code to generate the submission value. It is determined that the client computing device fully executed the problem-solving code based on the verifying the submission value.

IPC Classes

19.

Detecting compromised web pages in a runtime environment

      
Application Number 16709198
Grant Number 12047411
Status In Force
Filing Date 2019-12-10
First Publication Date 2021-06-10
Grant Date 2024-07-23
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Hales, Wesley
  • Overson, Jarrod

Abstract

Techniques are provided for detecting compromised web pages in a runtime environment. A first version of a web page is retrieved and loaded in a browser comprising a browser extension configured to detect event listeners added when web pages are loaded by the browser. First data is generated describing a first set of event listeners detected by the browser extension when the first version of the web page is loaded. At a second time a second version of the web page is retrieved and loaded in the browser. Second data is generated describing a second set of event listeners detected by the browser extension when the second version of the web page is loaded. It is determined that the web page is compromised based on comparing the first data and the second data. In response to determining that the web page is compromised, a threat response action is performed.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 16/958 - Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking

20.

SHAPE DEFENSE

      
Application Number 1563333
Status Registered
Filing Date 2020-10-29
Registration Date 2020-10-29
Owner Shape Security, Inc. (USA)
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Computer software as a service (SAAS) services featuring software for use by others for detecting, monitoring, and preventing network security risks and privacy risks; software as a service (SAAS) services featuring software for use by others featuring software for protecting and securing websites; software as a service (SAAS) services featuring software for use by others featuring software for preventing network attacks and network security breaches; software as a service (SAAS) services, namely, providing machine learning based security and threat detection to users seeking to protect and secure computer systems, accounts, and credentials; software as a service (SAAS) services, namely, providing security and threat detection to users seeking to protect and secure computer systems, accounts, and credentials.

21.

SHAPE CONNECT

      
Application Number 1562517
Status Registered
Filing Date 2020-09-24
Registration Date 2020-09-24
Owner Shape Security, Inc. (USA)
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Computer software as a service (SaaS) services featuring software for use by others for detecting, monitoring, and preventing network security risks and privacy risks; software as a service (SaaS) services featuring software for use by others featuring software for protecting and securing websites; software as a service (SaaS) services featuring software for use by others featuring software for preventing network attacks and network security breaches; software as a service (SaaS) services featuring machine learning security and threat detection software for users seeking to protect and secure computer systems, accounts and credentials; software as a service (SaaS) services featuring software for security and threat detection for users seeking to protect and secure computer systems, accounts and credentials.

22.

SHAPE RECOGNIZE

      
Application Number 1559403
Status Registered
Filing Date 2020-09-27
Registration Date 2020-09-27
Owner Shape Security, Inc. (USA)
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Computer software as a service (SAAS) services featuring software for use by others for detecting, monitoring, and preventing network security risks and privacy risks; software as a service (SAAS) services featuring software for use by others featuring software for protecting and securing websites; software as a service (SAAS) services featuring software for use by others featuring software for preventing network attacks and network security breaches; software as a service (SAAS) services, namely, providing machine learning based security and threat detection to users seeking to protect and secure computer systems, accounts, and credentials; software as a service (SAAS) services, namely, providing security and threat detection to users seeking to protect and secure computer systems, accounts and credentials.

23.

DETECTING COMPROMISED CREDENTIALS BY IMPROVED PRIVATE SET INTERSECTION

      
Application Number US2020014622
Publication Number 2020/163087
Status In Force
Filing Date 2020-01-22
Publication Date 2020-08-13
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Zhao, Yao
  • Jiang, Jian
  • Liu, Rundong

Abstract

In an embodiment, a method is configured to detect compromised credentials, comprising: generating a plurality of bloom filters, wherein each bloom filter corresponds to a particular subset of a set of compromised credentials; receiving an index value from a client computing device; in response to receiving the index value, determining a target bloom filter corresponding to the index value, and sending the target bloom filter to the client computing device; receiving a first value from the client computing device; in response to receiving the first value, generating a second value based on the first value, and sending the second value to the client computing device.

IPC Classes

  • H04L 9/14 - Arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 9/34 - Bits, or blocks of bits, of the telegraphic message being interchanged in time

24.

BLACKFISH

      
Application Number 1544451
Status Registered
Filing Date 2020-07-10
Registration Date 2020-07-10
Owner Shape Security, Inc. (USA)
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Computer software as a service (SAAS) services featuring software for use by others for detecting, monitoring, and preventing network security risks and privacy risks; software as a service (SAAS) services featuring software for use by others featuring software for protecting and securing websites; software as a service (SAAS) services featuring software for use by others featuring software for preventing network attacks and network security breaches; software as a service (SAAS) services, namely, providing machine learning based security and threat detection to users seeking to protect and secure computer systems, accounts, and credentials; software as a service (SAAS) services, namely, providing security and threat detection to users seeking to protect and secure computer systems, accounts, and credentials.

25.

Detecting compromised credentials by improved private set intersection

      
Application Number 16380958
Grant Number 11366892
Status In Force
Filing Date 2019-04-10
First Publication Date 2020-08-06
Grant Date 2022-06-21
Owner Shape Security, Inc. (USA)
Inventor
  • Zhao, Yao
  • Jiang, Jian
  • Liu, Rundong

Abstract

In an embodiment, a method is configured to detect compromised credentials, comprising: generating a plurality of bloom filters, wherein each bloom filter corresponds to a particular subset of a set of compromised credentials; receiving an index value from a client computing device; in response to receiving the index value, determining a target bloom filter corresponding to the index value, and sending the target bloom filter to the client computing device; receiving a first value from the client computing device; in response to receiving the first value, generating a second value based on the first value, and sending the second value to the client computing device.

IPC Classes

  • G06F 21/45 - Structures or tools for the administration of authentication
  • G06F 16/901 - Indexing; Data structures therefor; Storage structures
  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
  • G06F 21/60 - Protecting data
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/64 - Protecting data integrity, e.g. using checksums, certificates or signatures

26.

DECISION TREE TRAINING USING A DATABASE SYSTEM

      
Application Number US2019064552
Publication Number 2020/131386
Status In Force
Filing Date 2019-12-04
Publication Date 2020-06-25
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Zhang, Bei
  • Shah, Samir
  • Miller, Kenton

Abstract

In an embodiment, a method for training a decision tree comprising a plurality of nodes using a database system comprises: storing in a database input data for training the decision tree, the input data comprising a plurality of feature values corresponding to a plurality of features; generating a particular node of the plurality of decision nodes by: selecting a subset of the plurality of features and a subset of the input data; using one or more queries to the database system, for each feature of the subset of the plurality of features, calculating an information gain associated with the feature based on the subset of the input data; identifying a particular feature of the subset of the plurality of features associated with the highest information gain; associating the particular node with the particular feature, wherein the particular node causes the decision tree to branch based on the particular feature.

IPC Classes

  • G06F 7/00 - Methods or arrangements for processing data by operating upon the order or content of the data handled
  • G06F 17/00 - Digital computing or data processing equipment or methods, specially adapted for specific functions
  • G06F 9/44 - Arrangements for executing specific programs
  • G06K 9/62 - Methods or arrangements for recognition using electronic means

27.

Decision tree training using a database system

      
Application Number 16222974
Grant Number 11934931
Status In Force
Filing Date 2018-12-17
First Publication Date 2020-06-18
Grant Date 2024-03-19
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Zhang, Bei
  • Shah, Samir
  • Miller, Kenton

Abstract

In an embodiment, a computer-implemented method for training a decision tree using a database system, the decision tree comprising a plurality of nodes, comprises, by one or more computing devices: storing in a database input data for training the decision tree, the input data comprising a plurality of feature values corresponding to a plurality of features; generating a particular node of the plurality of decision nodes by: selecting a subset of the plurality of features and a subset of the input data; using one or more queries to the database system, for each feature of the subset of the plurality of features, calculating an information gain associated with the feature based on the subset of the input data; identifying a particular feature of the subset of the plurality of features associated with the highest information gain; associating the particular node with the particular feature, wherein the particular node causes the decision tree to branch based on the particular feature.

IPC Classes

  • G06F 17/00 - Digital computing or data processing equipment or methods, specially adapted for specific functions
  • G06F 16/22 - Indexing; Data structures therefor; Storage structures
  • G06F 16/245 - Query processing
  • G06F 16/28 - Databases characterised by their database models, e.g. relational or object models
  • G06N 5/045 - Explanation of inference; Explainable artificial intelligence [XAI]; Interpretable artificial intelligence
  • G06N 20/20 - Ensemble learning

28.

EXECUTION OF TRAINED NEURAL NETWORKS USING A DATABASE SYSTEM

      
Application Number US2019064550
Publication Number 2020/117989
Status In Force
Filing Date 2019-12-04
Publication Date 2020-06-11
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Zhang, Bei
  • Shah, Samir
  • Miller, Kenton

Abstract

In an embodiment, a computer-implemented method for efficient execution of a trained neural network using a database system, the trained neural network comprising a plurality of layers and programmed at each of the layers to execute an affine transformation of an activation function and an input value, comprises: for a particular layer of the trained neural network, dividing the affine transformation into a plurality of transformation pieces; executing each of the transformation pieces to result in computed pieces and writing the computed pieces to a first database table; using one or more database queries, combining the computed pieces and applying the activation function to generate a set of output data; writing the output data to one of a plurality of different second database tables that respectively correspond to the layers; repeating the dividing, executing, combining, applying and writing for all layers of the trained neural network.

IPC Classes

  • G06K 9/00 - Methods or arrangements for reading or recognising printed or written characters or for recognising patterns, e.g. fingerprints
  • G06N 3/04 - Architecture, e.g. interconnection topology
  • G06N 3/08 - Learning methods

29.

EXECUTION OF TRAINED NEURAL NETWORKS USING A DATABASE SYSTEM

      
Application Number 16211138
Status Pending
Filing Date 2018-12-05
First Publication Date 2020-06-11
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Zhang, Bei
  • Shah, Samir
  • Miller, Kenton

Abstract

In an embodiment, a computer-implemented method for efficient execution of a trained neural network using a database system, the trained neural network comprising a plurality of layers each comprising weight values and bias values and programmed at each of the layers to execute an affine transformation of an activation function and an input value, comprises: for a particular layer of the trained neural network, dividing the affine transformation into a plurality of transformation pieces; executing each of the transformation pieces to result in computed pieces and writing the computed pieces to a first database table; using one or more database queries, combining the computed pieces and applying the activation function to generate a set of output data; writing the output data to one of a plurality of different second database tables that respectively correspond to the layers; repeating the dividing, executing, combining, applying and writing for all layers of the trained neural network.

IPC Classes

  • G06N 3/04 - Architecture, e.g. interconnection topology
  • G06N 3/08 - Learning methods
  • G06F 16/2457 - Query processing with adaptation to user needs
  • G06F 16/2458 - Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries

30.

Delayed serving of protected content

      
Application Number 16730975
Grant Number 11070557
Status In Force
Filing Date 2019-12-30
First Publication Date 2020-06-04
Grant Date 2021-07-20
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Idika, Nwokedi
  • Call, Justin D.

Abstract

Techniques are described for delayed serving of protected content. A request has been made by a client computing device for a requested resource comprising a first portion and a second portion that is initially withheld from the client computing device. First content comprising the first portion of the requested resource and reconnaissance code is served for execution on the client computing device. When executed at the client computing device, the reconnaissance code gathers data at the client computing device that indicates whether the client computing device is human-controlled or bot-controlled. The data gathered by the reconnaissance code is received. Based on the data, it is determined that the client computing device is not bot-controlled. In response to determining that the client computing device is not bot-controlled, the second portion of the requested resource is served to the client computing device.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/36 - User authentication by graphic or iconic representation
  • G06Q 20/40 - Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check of credit lines or negative lists
  • G06F 8/60 - Software deployment
  • G06F 21/31 - User authentication

31.

Code modification for detecting abnormal activity

      
Application Number 16729395
Grant Number 11297097
Status In Force
Filing Date 2019-12-29
First Publication Date 2020-06-04
Grant Date 2022-04-05
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Call, Justin D.
  • Zhou, Xiaoming
  • Huang, Xiaohan
  • Varadarajan, Subramanian
  • Hoover, Roger S.

Abstract

Techniques for code modification for detecting abnormal activity are described. Web code is obtained. Modified web code is generated by changing a particular programmatic element to a modified programmatic element throughout the web code. Instrumentation code is generated configured to monitor and report on one or more interactions with versions of the particular programmatic element. The instrumentation code is caused to be provided in association with the modified web code to the first client device in response to the first request from the first client device. Report data generated by the instrumentation code is received. The report data describes abnormal activity at the first client device, the abnormal activity comprising an interaction with a version of the particular programmatic element that does not exist in the modified web code. Based on the report, it is determined that the first client device is likely controlled by malware.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • H04L 67/1001 - Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
  • H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

32.

Request modification for web security challenge

      
Application Number 16730725
Grant Number 11258820
Status In Force
Filing Date 2019-12-30
First Publication Date 2020-05-07
Grant Date 2022-02-22
Owner SHAPE SECURITY, INC. (USA)
Inventor Hansen, Marc R.

Abstract

Techniques are provided for request modification for web security challenge. Data corresponding to a web page request by a client computing device for a web page is received. The web page comprises web code that allows a user to submit a request to initiate a web transaction with a web server system. Challenge code is generated that determines one or more values that are a valid solution to a challenge. The challenge code is provided for integrated code to be served in response to the web page request. The integrated code comprises the challenge code and modified web code that adds one or more parameters for the valid solution to the request. A particular request is received to initiate the web transaction. It is determined that the one or more parameter values are not a valid solution. In response, the web server system is prevented from processing the particular request.

IPC Classes

33.

Security code for integration with an application

      
Application Number 16732123
Grant Number 11139966
Status In Force
Filing Date 2019-12-31
First Publication Date 2020-04-30
Grant Date 2021-10-05
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Schroeder, Carl
  • Hidayat, Ariya
  • Rentachintala, Chandrasekhar
  • Chiu, Ricky Y.

Abstract

Techniques are provided for security code for integration with an application. A first request associated with a request by an application to an application server is received. The application includes security code that performs a set of one or more operations on one or more input parameters. The application is provided one or more parameter values, wherein the security code generates a secret cryptographic key based on the one or more parameter values. A security key is received that includes encrypted client data collected at the client device that is encrypted using the secret cryptographic key. The secret cryptographic key is generated based on the one or more parameter values and knowledge of the set of one or more operations. It is determined that the decrypted client data matches a pattern of data associated with malware. The application server is prevented from processing a second request.

IPC Classes

  • H04L 9/00 - Arrangements for secret or secure communications; Network security protocols
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/44 - Program or device authentication
  • H04L 9/08 - Key distribution
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 9/06 - Arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for blockwise coding, e.g. D.E.S. systems

34.

S

      
Application Number 1519223
Status Registered
Filing Date 2019-10-16
Registration Date 2019-10-16
Owner Shape Security, Inc. (USA)
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Computer software as a service (SAAS) services featuring software for use by others for detecting, monitoring, and preventing network security risks and privacy risks; software as a service (SAAS) services featuring software for use by others featuring software for protecting and securing websites; software as a service (SAAS) services featuring software for use by others featuring software for preventing network attacks and network security breaches; software as a service (SAAS) services, namely providing online non-downloadable machine learning software for users seeking to protect and secure computer systems.

35.

Deterministic reproduction of system state using seeded pseudo-random number generators

      
Application Number 15060380
Grant Number 10567363
Status In Force
Filing Date 2016-03-03
First Publication Date 2020-02-18
Grant Date 2020-02-18
Owner SHAPE SECURITY, INC. (USA)
Inventor Ficarra, Michael J.

Abstract

Computer systems and methods for improving the security and efficiency of client computers interacting with server computers through an intermediary computer using one or more polymorphic protocols are discussed herein. In an embodiment, a computer system comprises a memory; one or more processors coupled to the memory and configured to: generate a modified identifier for an original object based on an original identifier and a nonce; render one or more instructions that include the nonce and define a modified object that corresponds to the original object and includes the modified identifier; send the one or more instructions to a client computer, wherein the one or more instructions, when executed by the client computer, are configured to cause the client computer to send a request from the client computer with the modified identifier and the nonce; receive, from the client computer, a request with a challenge identifier and a challenge nonce; generate a test identifier based on the original identifier and the challenge nonce; determine whether the test identifier matches the challenge identifier.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

36.

Caching for re-coding techniques

      
Application Number 15224985
Grant Number 10554777
Status In Force
Filing Date 2016-08-01
First Publication Date 2020-02-04
Grant Date 2020-02-04
Owner Shape Security, Inc. (USA)
Inventor
  • Steele, III, Oscar H.
  • Call, Justin D.

Abstract

This document describes, among other things, a computer-implemented method that can include receiving, from a web server system, web page code to be provided over the internet to a computing device. The web page code can correspond to a particular web page served by the web server system. The method may include generating an intermediate representation of at least a portion of the web page code, and comparing the intermediate representation to a prior intermediate representation of the particular web page. Based on a result of the comparison, the method can include determining what portion of the web page code to analyze for re-coding of the web page code before serving the web page code to the computing device.

IPC Classes

  • G06F 17/20 - Handling natural language data
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure
  • G06F 17/22 - Manipulating or registering by use of codes, e.g. in sequence of text characters
  • G06F 16/957 - Browsing optimisation, e.g. caching or content distillation

37.

SHAPE ENTERPRISE DEFENSE

      
Application Number 1508659
Status Registered
Filing Date 2019-11-22
Registration Date 2019-11-22
Owner Shape Security, Inc. (USA)
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Computer software as a service (SAAS) services featuring software for use by others for detecting, monitoring, and preventing network security risks and privacy risks; software as a service (SAAS) services featuring software for use by others featuring software for protecting and securing websites; software as a service (SAAS) services featuring software for use by others featuring software for preventing network attacks and network security breaches; software as a service (SAAS) services, namely, providing machine learning based security and threat detection to users seeking to protect and secure computer systems, accounts, and credentials; software as a service (SAAS) services, namely, providing security and threat detection to users seeking to protect and secure computer systems, accounts, and credentials.

38.

Using individualized APIs to block automated attacks on native apps and/or purposely exposed APIs with forced user interaction

      
Application Number 16553085
Grant Number 11032243
Status In Force
Filing Date 2019-08-27
First Publication Date 2019-12-26
Grant Date 2021-06-08
Owner SHAPE SECURITY, INC. (USA)
Inventor Hansen, Marc

Abstract

An API call filtering system filters responses to API call requests received, via a network, from UEs. The API call filtering system is configured to require personalized API call requests wherein each API call (except for some minor exceptions) includes a unique UE identifier (“UEIN”) of the UE making the request. Using the UEIN, the web service or other service protected by the API call filtering system can be secured against excessive request iterations from a set of rogue UEs while allowing for ordinary volumes of requests from the UEs, wherein one or more boundaries between what is deemed to be an ordinary volume of requests and what is deemed to be excessive request iterations are determined by predetermined criteria.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04W 12/084 - Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol
  • H04W 12/086 - Access security using security domains
  • H04W 12/122 - Counter-measures against attacks; Protection against rogue devices
  • H04W 12/126 - Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning

39.

SHAPE

      
Application Number 1502200
Status Registered
Filing Date 2019-10-16
Registration Date 2019-10-16
Owner Shape Security, Inc. (USA)
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Computer software as a service (SAAS) services featuring software for use by others for detecting, monitoring, and preventing network security risks and privacy risks; software as a service (SAAS) services featuring software for use by others featuring software for protecting and securing websites; software as a service (SAAS) services featuring software for use by others featuring software for preventing network attacks and network security breaches; software as a service (SAAS) services, namely, providing machine learning based security and threat detection to users seeking to protect and secure computer systems.

40.

BLACKFISH

      
Application Number 018161043
Status Registered
Filing Date 2019-12-03
Registration Date 2020-05-22
Owner Shape Security, Inc. (USA)
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Computer software as a service (saas) services featuring software for use by others for detecting, monitoring, and preventing network security risks and privacy risks; software as a service (saas) services featuring software for use by others featuring software for protecting and securing websites; software as a service (saas) services featuring software for use by others featuring software for preventing network attacks and network security breaches; software as a service (saas) services, namely, providing machine learning based security and threat detection to users seeking to protect and secure computer systems, accounts, and credentials; software as a service (saas) services, namely, providing security and threat detection to users seeking to protect and secure computer systems, accounts, and credentials; Data security services; Computer security threat analysis for protecting data; IT security, protection and restoration; Computer security services for protection against illegal network access.

41.

Evaluating and modifying countermeasures based on aggregate transaction status

      
Application Number 16533717
Grant Number 11171925
Status In Force
Filing Date 2019-08-06
First Publication Date 2019-11-28
Grant Date 2021-11-09
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Yang, Siying
  • Call, Justin D.

Abstract

Techniques are provided for evaluating and modifying countermeasures based on aggregate transaction status. A first expression pattern is determined that occurs in each of first response messages served by the web server system in response to successful transactions of the transaction type. A second expression pattern is determined that occurs in each of second response messages served by the web server system in response to non-successful transactions of the transaction type requested. A status is determined for each of a plurality of transactions of the transaction type based on matching the first expression pattern or the second expression pattern to response messages served by the web server system. Aggregate status information for the transaction type based on the status for the set of operations is updated. Based on a change in the aggregate status information, a set of one or more security countermeasures is updated.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure

42.

SHAPE DEFENSE

      
Application Number 199512200
Status Registered
Filing Date 2019-11-11
Registration Date 2021-06-30
Owner Shape Security, Inc. (USA)
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

(1) Computer software as a service (SAAS) services featuring software for use by others for detecting, monitoring, and preventing network security risks and privacy risks; software as a service (SAAS) services featuring software for use by others featuring software for protecting and securing websites; software as a service (SAAS) services featuring software for use by others featuring software for preventing network attacks and network security breaches; software as a service (SAAS) services, namely, providing machine learning based security and threat detection to users seeking to protect and secure computer systems, accounts, and credentials; software as a service (SAAS) services, namely, providing security and threat detection to users seeking to protect and secure computer systems, accounts, and credentials

43.

SHAPE RECOGNIZE

      
Application Number 199512300
Status Registered
Filing Date 2019-11-11
Registration Date 2021-06-30
Owner Shape Security, Inc. (USA)
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

(1) Computer software as a service (SAAS) services featuring software for use by others for detecting, monitoring, and preventing network security risks and privacy risks; software as a service (SAAS) services featuring software for use by others featuring software for protecting and securing websites; software as a service (SAAS) services featuring software for use by others featuring software for preventing network attacks and network security breaches; software as a service (SAAS) services, namely, providing machine learning based security and threat detection to users seeking to protect and secure computer systems, accounts, and credentials; software as a service (SAAS) services, namely, providing security and threat detection to users seeking to protect and secure computer systems, accounts and credentials

44.

Security systems for mitigating attacks from a headless browser executing on a client computer

      
Application Number 16457589
Grant Number 10798202
Status In Force
Filing Date 2019-06-28
First Publication Date 2019-10-24
Grant Date 2020-10-06
Owner Shape Security, Inc. (USA)
Inventor Li, Zhiwei

Abstract

Computer systems and methods in various embodiments are configured for improving the security and efficiency of server computers interacting through an intermediary computer with client computers that may be executing malicious and/or autonomous headless browsers or “bots”. In an embodiment, a computer system comprises a memory; one or more processors coupled to the memory; a processor logic coupled to the memory and the one or more processors, and configured to: intercept, from a server computer, one or more original instructions to be sent to a browser of a client computer; send the one or more original instructions to the browser and one or more telemetry instructions, wherein the telemetry instructions are configured, when executed, to generate a set of telemetry data indicating one or more objects that were referenced by the browser and to send the set of telemetry data to the intermediary computer; receive the set of telemetry data and determine whether the browser is legitimate or illegitimate based on the set of telemetry data.

IPC Classes

  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

45.

SHAPE DEFENSE

      
Serial Number 88666259
Status Registered
Filing Date 2019-10-23
Registration Date 2020-05-19
Owner Shape Security, Inc. ()
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Computer software as a service (SAAS) services featuring software for use by others for detecting, monitoring, and preventing network security risks and privacy risks; software as a service (SAAS) services featuring software for use by others featuring software for protecting and securing websites; software as a service (SAAS) services featuring software for use by others featuring software for preventing network attacks and network security breaches; software as a service (SAAS) services, namely, providing machine learning based security and threat detection to users seeking to protect and secure computer systems, accounts, and credentials; software as a service (SAAS) services, namely, providing security and threat detection to users seeking to protect and secure computer systems, accounts, and credentials

46.

SHAPE RECOGNIZE

      
Serial Number 88657371
Status Registered
Filing Date 2019-10-16
Registration Date 2021-06-08
Owner Shape Security, Inc. ()
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Computer software as a service (SAAS) services featuring software for use by others for detecting, monitoring, and preventing network security risks and privacy risks; software as a service (SAAS) services featuring software for use by others featuring software for protecting and securing websites; software as a service (SAAS) services featuring software for use by others featuring software for preventing network attacks and network security breaches; software as a service (SAAS) services, namely, providing machine learning based security and threat detection to users seeking to protect and secure computer systems, accounts, and credentials; software as a service (SAAS) services, namely, providing security and threat detection to users seeking to protect and secure computer systems, accounts and credentials

47.

SHAPE SECURITY

      
Application Number 199590000
Status Registered
Filing Date 2019-10-08
Registration Date 2021-06-30
Owner Shape Security, Inc. (USA)
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

(1) Computer software as a service (SAAS) services featuring software for use by others featuring software for detecting, monitoring, and preventing network security risks and privacy risks; software as a service (SAAS) services featuring software for use by others featuring software for protecting and securing websites; software as a service (SAAS) services featuring software for use by others featuring software for preventing network attacks and network security breaches.

48.

Split serving of computer code

      
Application Number 16236520
Grant Number 10567386
Status In Force
Filing Date 2018-12-30
First Publication Date 2019-08-08
Grant Date 2020-02-18
Owner Shape Security, Inc. (USA)
Inventor
  • Idika, Nwokedi
  • Call, Justin D.

Abstract

A computer-implemented method for securing a content server system is disclosed. The method includes identifying that a request has been made by a client computing device for serving of content from the content server system; serving, to the client computing device and for execution on the client computing device, reconnaissance code that is programmed to determine whether the client computing device is human-controlled or bot-controlled; receiving, from the reconnaissance code, data that indicates whether the client computing device is human-controlled or bot-controlled; and serving follow-up content to the client computing device, wherein the make-up of the follow-up content is selected based on a determination of whether the client computing device is human-controlled or bot-controlled.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/36 - User authentication by graphic or iconic representation
  • G06Q 20/40 - Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check of credit lines or negative lists
  • G06F 8/60 - Software deployment
  • G06F 21/31 - User authentication

49.

SHAPE SECURITY

      
Application Number 1477069
Status Registered
Filing Date 2019-05-15
Registration Date 2019-05-15
Owner Shape Security, Inc. (USA)
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Computer software as a service (SAAS) services featuring software for use by others featuring software for detecting, monitoring, and preventing network security risks and privacy risks; software as a service (SAAS) services featuring software for use by others featuring software for protecting and securing websites; software as a service (SAAS) services featuring software for use by others featuring software for preventing network attacks and network security breaches.

50.

Security policy for browser extensions

      
Application Number 16236519
Grant Number 10826872
Status In Force
Filing Date 2018-12-30
First Publication Date 2019-07-11
Grant Date 2020-11-03
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Yang, Siying
  • Shekyan, Sergey

Abstract

Techniques are provided for a security policy for browser extensions. A first pattern is determined that is present in requests from client computing devices when a first browser extension is operating on the client computing devices. The first pattern is identified in a first request from a first client computing device to a first web server system. It is determined, based on identifying the first pattern in the first request, that the first browser extension is associated with the first request. It is determined that the first browser extension associated with the first request is whitelisted with respect to the first web server system based on a security policy. In response to determining that the first browser extension is whitelisted with respect to the first web server system, a first automated response is performed that causes the first web server system to process the first request.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
  • G06F 21/44 - Program or device authentication

51.

SHAPE CONNECT

      
Application Number 197256300
Status Registered
Filing Date 2019-06-25
Registration Date 2021-06-30
Owner Shape Security, Inc. (USA)
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

(1) Computer software as a service (SAAS) services featuring software for use by others for detecting, monitoring, and preventing network security risks and privacy risks; software as a service (SAAS) services featuring software for use by others featuring software for protecting and securing websites; software as a service (SAAS) services featuring software for use by others featuring software for preventing network attacks and network security breaches; software as a service (SAAS) services, namely, providing machine learning based security and threat detection to users seeking to protect and secure computer systems, accounts, and credentials; software as a service (SAAS) services, namely, providing security and threat detection to users seeking to protect and secure computer systems, accounts, and credentials

52.

SHAPE ENTERPRISE DEFENSE

      
Application Number 197256600
Status Registered
Filing Date 2019-06-25
Registration Date 2021-06-30
Owner Shape Security, Inc. (a Delaware Corporation) (USA)
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

(1) Computer software as a service (SAAS) services featuring software for use by others for detecting, monitoring, and preventing network security risks and privacy risks; software as a service (SAAS) services featuring software for use by others featuring software for protecting and securing websites; software as a service (SAAS) services featuring software for use by others featuring software for preventing network attacks and network security breaches; software as a service (SAAS) services, namely, providing machine learning based security and threat detection to users seeking to protect and secure computer systems, accounts, and credentials; software as a service (SAAS) services, namely, providing security and threat detection to users seeking to protect and secure computer systems, accounts, and credentials

53.

SHAPE

      
Application Number 197256100
Status Registered
Filing Date 2019-06-25
Registration Date 2022-11-09
Owner Shape Security, Inc. (USA)
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

(1) Computer software as a service (SAAS) services featuring software for use by others for detecting, monitoring, and preventing network security risks and privacy risks; software as a service (SAAS) services featuring software for use by others featuring software for protecting and securing websites; software as a service (SAAS) services featuring software for use by others featuring software for preventing network attacks and network security breaches; software as a service (SAAS) services, namely, providing machine learning based security and threat detection to users seeking to protect and secure computer systems

54.

BLACKFISH

      
Serial Number 88463231
Status Registered
Filing Date 2019-06-06
Registration Date 2020-06-23
Owner Shape Security, Inc.
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Computer software as a service (SAAS) services featuring software for use by others for detecting, monitoring, and preventing network security risks and privacy risks; software as a service (SAAS) services featuring software for use by others featuring software for protecting and securing websites; software as a service (SAAS) services featuring software for use by others featuring software for preventing network attacks and network security breaches; software as a service (SAAS) services, namely, providing machine learning based security and threat detection to users seeking to protect and secure computer systems, accounts, and credentials; software as a service (SAAS) services, namely, providing security and threat detection to users seeking to protect and secure computer systems, accounts, and credentials

55.

SHAPE CONNECT

      
Serial Number 88463234
Status Registered
Filing Date 2019-06-06
Registration Date 2019-12-03
Owner Shape Security, Inc.
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Computer software as a service (SAAS) services featuring software for use by others for detecting, monitoring, and preventing network security risks and privacy risks; software as a service (SAAS) services featuring software for use by others featuring software for protecting and securing websites; software as a service (SAAS) services featuring software for use by others featuring software for preventing network attacks and network security breaches; software as a service (SAAS) services, namely, providing machine learning based security and threat detection to users seeking to protect and secure computer systems, accounts, and credentials; software as a service (SAAS) services, namely, providing security and threat detection to users seeking to protect and secure computer systems, accounts, and credentials

56.

SHAPE ENTERPRISE DEFENSE

      
Serial Number 88463241
Status Registered
Filing Date 2019-06-06
Registration Date 2019-12-17
Owner Shape Security, Inc.
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Computer software as a service (SAAS) services featuring software for use by others for detecting, monitoring, and preventing network security risks and privacy risks; software as a service (SAAS) services featuring software for use by others featuring software for protecting and securing websites; software as a service (SAAS) services featuring software for use by others featuring software for preventing network attacks and network security breaches; software as a service (SAAS) services, namely, providing machine learning based security and threat detection to users seeking to protect and secure computer systems, accounts, and credentials; software as a service (SAAS) services, namely, providing security and threat detection to users seeking to protect and secure computer systems, accounts, and credentials

57.

Detection of malicious activity using behavior data

      
Application Number 15986709
Grant Number 11483324
Status In Force
Filing Date 2018-05-22
First Publication Date 2019-05-30
Grant Date 2022-10-25
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Xu, Ye
  • Zhao, Yao
  • Wang, Xinran
  • Overson, Jarrod

Abstract

Techniques are provided for detection of malicious activity using behavior data. A behavior model is trained with behavior data generated in association with a plurality of requests. Data is received that describes a particular request from a particular client device to a server system hosting a website. The data includes particular behavior data generated at the particular client device in association with the particular request. The particular behavior data is analyzed using the behavior model to generate a behavior model result. An automation determination for the particular request is generated based on the behavior model result. The particular request is handled based on the automation determination for the particular request.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 9/40 - Network security protocols
  • G06N 3/04 - Architecture, e.g. interconnection topology
  • G06N 20/00 - Machine learning

58.

S

      
Serial Number 88444369
Status Registered
Filing Date 2019-05-23
Registration Date 2020-06-30
Owner Shape Security, Inc.
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Computer software as a service (SAAS) services featuring software for use by others for detecting, monitoring, and preventing network security risks and privacy risks; software as a service (SAAS) services featuring software for use by others featuring software for protecting and securing websites; software as a service (SAAS) services featuring software for use by others featuring software for preventing network attacks and network security breaches; software as a service (SAAS) services, namely, providing machine learning based security and threat detection to users seeking to protect and secure computer systems

59.

SHAPE

      
Serial Number 88444380
Status Registered
Filing Date 2019-05-23
Registration Date 2019-12-03
Owner Shape Security, Inc.
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Computer software as a service (SAAS) services featuring software for use by others for detecting, monitoring, and preventing network security risks and privacy risks; software as a service (SAAS) services featuring software for use by others featuring software for protecting and securing websites; software as a service (SAAS) services featuring software for use by others featuring software for preventing network attacks and network security breaches; software as a service (SAAS) services, namely, providing machine learning based security and threat detection to users seeking to protect and secure computer systems

60.

Systems for detecting a headless browser executing on a client computer

      
Application Number 14859084
Grant Number 10298599
Status In Force
Filing Date 2015-09-18
First Publication Date 2019-05-21
Grant Date 2019-05-21
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Zhang, Bei
  • Shekyan, Sergey

Abstract

In an embodiment, a computer system is configured to improve security of server computers interacting with client computers through an intermediary computer, and comprising: a memory comprising processor logic; one or more processors coupled to the memory, wherein the one or more processors execute the processor logic, which causes the one or more processors to: intercept, from a server computer, one or more original instructions to be sent to a browser being executed on a client computer; inject, into the one or more original instructions, one or more browser detection instructions, which when executed cause one or more operations to be performed by an execution environment on the client computer and send a result that represents an internal state of the execution environment after performing the one or more operations to the intermediary computer; send the one or more original instructions with the one or more browser detection instructions to the browser; receive the result and determine whether the browser is a legitimate browser, or a headless browser, based, at least in part, on the result.

IPC Classes

  • G06F 11/00 - Error detection; Error correction; Monitoring
  • G06F 12/14 - Protection against unauthorised use of memory
  • G06F 12/16 - Protection against loss of memory contents
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

61.

Mitigating attacks on server computers by enforcing platform policies on client computers

      
Application Number 16190015
Grant Number 10447726
Status In Force
Filing Date 2018-11-13
First Publication Date 2019-03-14
Grant Date 2019-10-15
Owner Shape Security, Inc. (USA)
Inventor
  • Yang, Siying
  • Ghosemajumder, Shuman

Abstract

In an embodiment, a computer system is configured to receive, from a client computer, a request with one or more values; determine, based on the one or more values, whether the request is from a platform-specific application compiled for a first computer platform; determine, based on the one or more values, whether the platform-specific application is being executed within an emulator being executed by a second computer platform, wherein the second computer platform is different than the first computer platform.

IPC Classes

  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

62.

Count-based challenge-response credential pairs for client/server request validation

      
Application Number 15249133
Grant Number 10225255
Status In Force
Filing Date 2016-08-26
First Publication Date 2019-03-05
Grant Date 2019-03-05
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Jampani, Ganesh
  • Irwan, Susanto

Abstract

Computer systems and methods in various embodiments are configured for improving the security and efficiency of server computers interacting through an intermediary computer with client computers that may be executing malicious and/or autonomous headless browsers or “bots”. In an embodiment, a server computer system that is programmed to validate requests from a client computer to a server computer, the server computer system comprising: a memory persistently storing a set of server instructions; one or more processors coupled to the memory, wherein the one or more processors execute the set of server instructions, which causes the one or more processors to: generate a first challenge credential to be sent to the client computer, wherein the first challenge credential corresponds to a first response credential in a first challenge-response credential pair; render one or more first dynamic-credential instructions, which when executed by the client computer, cause the client computer to generate the first response credential in the first challenge-response credential pair; send, to the client computer, the first challenge credential and the one or more first dynamic-credential instructions, but not the first response credential; receive a first request that includes a first test-challenge credential and a first test-response credential; determine whether the first test-challenge credential and the first test-response credential are the first challenge-response credential pair; in response to determining that the first test-response credential is the first response credential, determine that a first count is associated with the first challenge-response credential pair, and determine whether the first count satisfies a first threshold; in response to determining that the first count does not satisfy the first threshold, determine that the first request is not a replay request and assign a second count to the first challenge-response credential pair.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

63.

Intercepting and injecting calls into operations and objects

      
Application Number 15069667
Grant Number 10216488
Status In Force
Filing Date 2016-03-14
First Publication Date 2019-02-26
Grant Date 2019-02-26
Owner Shape Security, Inc. (USA)
Inventor
  • Overson, Jarrod
  • Yang, Siying

Abstract

A computer implemented method for improving security of a server computer that is configured to deliver computer program instructions to a remote client computer, and comprising, using an intermediary computer that is topologically interposed between the server computer and the remote client computer is provided. The intermediary computer is configured to intercept a first set of source code instructions from the server computer. The intermediary computer identifies first party operations that include operations on objects and the objects themselves. The intermediary computer identifies a first set of operations within the first party operations that are configured to define values for one or more objects based on one or more constants. The intermediary computer then generates a second set of operations, where the second set of operations are configured to define same values for the one or more objects, when executed by a web browser on the client computer. The intermediary computer transforms the first party operations into transformed first party operations by substituting the first set of operations with the second set of operations. The intermediary computer generates a second set of source code instructions that are based on the first set of source code instructions and the transformed first party operations. The intermediary computer then sends the second set of source code instructions to the client computer.

IPC Classes

  • G06F 9/44 - Arrangements for executing specific programs
  • G06F 8/30 - Creation or generation of source code
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

64.

Browser extension firewall

      
Application Number 14942769
Grant Number 10212130
Status In Force
Filing Date 2015-11-16
First Publication Date 2019-02-19
Grant Date 2019-02-19
Owner Shape Security, Inc. (USA)
Inventor
  • Yang, Siying
  • Shekyan, Sergey

Abstract

Methods and apparatus are described for detecting browser extensions. Specific implementations relate to configurable security policies and automated actions performed in response to the detection of browser extensions.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

65.

Blind hash compression

      
Application Number 14980231
Grant Number 10212137
Status In Force
Filing Date 2015-12-28
First Publication Date 2019-02-19
Grant Date 2019-02-19
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Moen, Daniel G.
  • Hanks, Bryan D.

Abstract

A computer-implemented method includes serving, from a computer server system and to a plurality of different computing devices remote from the computer server system, web code and code for reporting status of the computing devices; receiving from one or more of the computing devices, first data that indicates a parameter of the one or more computing devices, the first data in a compressed format; receiving from one or more others of the computing devices, second data that indicates the parameter of the one or more others of the computing devices, the second data in an uncompressed format; and compressing the second data and comparing the compressed second data to the first data to correlate the first data to the second data. The code for reporting status of the computing devices can include code for allowing the computing devices to determine whether to send the first or second data.

IPC Classes

  • G06F 11/00 - Error detection; Error correction; Monitoring
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 9/06 - Arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for blockwise coding, e.g. D.E.S. systems

66.

Detecting attacks against a server computer based on characterizing user interactions with the client computing device

      
Application Number 15645787
Grant Number 10187408
Status In Force
Filing Date 2017-07-10
First Publication Date 2019-01-22
Grant Date 2019-01-22
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Call, Justin D.
  • Wang, Xinran
  • Zhao, Yao
  • Peacock, Timothy Dylan

Abstract

A computer-implemented method includes providing, for use by a third-party, injectable computer code that is capable of being served with other code provided by the third-party to client computing devices; receiving data from client computing devices that have been served the code by the third-party, the data including data that characterizes (a) the client computing devices and (b) user interaction with the client computing devices; classifying the client computing devices as controlled by actual users or instead by automated software based on analysis of the received data from the client computing devices; and providing to the third party one or more reports that characterize an overall level of automated software activity among client computing devices that have been served code by the third party.

IPC Classes

  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure
  • H04L 12/26 - Monitoring arrangements; Testing arrangements

67.

SECURE DETECTION AND MANAGEMENT OF COMPROMISED CREDENTIALS

      
Application Number US2018040500
Publication Number 2019/010101
Status In Force
Filing Date 2018-06-29
Publication Date 2019-01-10
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Jin, Zhipu
  • Agrawal, Gautam
  • Moen, Daniel
  • Liang, Weiguo
  • Wang, Xingang

Abstract

Techniques are provided for secure detection and management of compromised credentials. A first candidate credential is received, comprising a first username and a first password, wherein the first candidate credential was sent in a first request from a first client computer to log in to a first server computer. A first salt associated with the first username in a salt database is obtained. A first hashed credential is generated based on the first password and the first salt. The first hashed credential is transmitted to a set model server computer, wherein the set model server computer is configured to maintain a set model that represents a set of spilled credentials, determine whether the first hashed credential is represented in the set model, and in response to determining that the first hashed credential is represented in the set model, performing additional processing on the first hashed credential.

IPC Classes

  • G06F 11/00 - Error detection; Error correction; Monitoring

68.

DETECTING COMPROMISED CREDENTIALS IN A CREDENTIAL STUFFING ATTACK

      
Application Number US2018040499
Publication Number 2019/010100
Status In Force
Filing Date 2018-06-29
Publication Date 2019-01-10
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Moen, Daniel
  • Schroeder, Carl

Abstract

Techniques are provided for detecting compromised credentials in a credential stuffing attack. A set model is trained based on a first set of spilled credentials. The set model does not comprise any credential of the first set of spilled credentials. A first request is received from a client computer with a first candidate credential to login to a server computer. The first candidate credential is tested for membership in the first set of spilled credentials using the set model. In response to determining the first set of spilled credentials includes the first candidate credential using the set model, one or more negative actions is performed.

IPC Classes

  • H04L 29/00 - Arrangements, apparatus, circuits or systems, not covered by a single one of groups

69.

Detecting compromised credentials in a credential stuffing attack

      
Application Number 16024691
Grant Number 11044261
Status In Force
Filing Date 2018-06-29
First Publication Date 2019-01-03
Grant Date 2021-06-22
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Moen, Daniel G
  • Schroeder, Carl

Abstract

Techniques are provided for detecting compromised credentials in a credential stuffing attack. A set model is trained based on a first set of spilled credentials. The set model does not comprise any credential of the first set of spilled credentials. A first request is received from a client computer with a first candidate credential to login to a server computer. The first candidate credential is tested for membership in the first set of spilled credentials using the set model. In response to determining the first set of spilled credentials includes the first candidate credential using the set model, one or more negative actions is performed.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure
  • G06N 20/00 - Machine learning

70.

Secure detection and management of compromised credentials using a salt and a set model

      
Application Number 16025918
Grant Number 10911438
Status In Force
Filing Date 2018-07-02
First Publication Date 2019-01-03
Grant Date 2021-02-02
Owner Shape Security, Inc. (USA)
Inventor
  • Jin, Zhipu
  • Agrawal, Gautam
  • Moen, Daniel G.
  • Liang, Weiguo
  • Wang, Xingang

Abstract

Techniques are provided for secure detection and management of compromised credentials. A first candidate credential is received, comprising a first username and a first password, wherein the first candidate credential was sent in a first request from a first client computer to log in to a first server computer. A first salt associated with the first username in a salt database is obtained. A first hashed credential is generated based on the first password and the first salt. The first hashed credential is transmitted to a set model server computer, wherein the set model server computer is configured to maintain a set model that represents a set of spilled credentials, determine whether the first hashed credential is represented in the set model, and in response to determining that the first hashed credential is represented in the set model, performing additional processing on the first hashed credential.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 9/06 - Arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for blockwise coding, e.g. D.E.S. systems
  • G06F 16/951 - Indexing; Web crawling techniques
  • H04L 9/08 - Key distribution
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system

71.

Mitigating security vulnerabilities in web content

      
Application Number 16042891
Grant Number 10397265
Status In Force
Filing Date 2018-07-23
First Publication Date 2019-01-03
Grant Date 2019-08-27
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Shekyan, Sergey
  • Coates, Michael
  • Hales, Wesley
  • Peacock, Tim
  • Call, Justin

Abstract

Methods and apparatus are described for automatically modifying web page source code to address a variety of security vulnerabilities such as, for example, vulnerabilities that are exploited by mixed content attacks.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 16/958 - Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

72.

Blocking automated attacks with forced user interaction

      
Application Number 16102716
Grant Number 10397187
Status In Force
Filing Date 2018-08-13
First Publication Date 2018-12-13
Grant Date 2019-08-27
Owner SHAPE SECURITY, INC. (USA)
Inventor Hansen, Marc

Abstract

An API call filtering system filters responses to API call requests received, via a network, from UEs. The API call filtering system is configured to require personalized API call requests wherein each API call (except for some minor exceptions) includes a unique UE identifier (“UEIN”) of the UE making the request. Using the UEIN, the web service or other service protected by the API call filtering system can be secured against excessive request iterations from a set of rogue UEs while allowing for ordinary volumes of requests from the UEs, wherein one or more boundaries between what is deemed to be an ordinary volume of requests and what is deemed to be excessive request iterations are determined by predetermined criteria.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04W 12/08 - Access security
  • H04W 12/12 - Detection or prevention of fraud

73.

Mitigating attacks on server computers by enforcing platform policies on client computers

      
Application Number 15068468
Grant Number 10129289
Status In Force
Filing Date 2016-03-11
First Publication Date 2018-11-13
Grant Date 2018-11-13
Owner Shape Security, Inc. (USA)
Inventor
  • Yang, Siying
  • Ghosemajumder, Shuman

Abstract

In an embodiment, a computer system is configured to receive, from a client computer, a request with one or more values; determine, based on the one or more values, whether the request is from a platform-specific application compiled for a first computer platform; determine, based on the one or more values, whether the platform-specific application is being executed within an emulator being executed by a second computer platform, wherein the second computer platform is different than the first computer platform.

IPC Classes

  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

74.

Client/server security by an intermediary rendering modified in-memory objects

      
Application Number 16024621
Grant Number 11088995
Status In Force
Filing Date 2018-06-29
First Publication Date 2018-10-25
Grant Date 2021-08-10
Owner SHAPE SECURITY, INC. (USA)
Inventor Call, Justin

Abstract

In an embodiment, a method comprises intercepting, from a server computer, a first set of instructions that define one or more objects and one or more operations that are based, at least in part, on the one or more objects; generating, in memory, one or more data structures that correspond to the one or more objects; performing the one or more operations on the one or more data structures; updating the one or more data structures, in response to performing the one or more operations, to produce one or more updated data structures; rendering a second set of instructions, which when executed by a remote client computer cause the remote client computer to generate the updated data structures in memory on the remote client computer, wherein the second set of instructions are different than the first set of instructions; sending the second set of instructions to the remote client computer.

IPC Classes

  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines

75.

Security systems for mitigating attacks from a headless browser executing on a client computer

      
Application Number 15968573
Grant Number 10367903
Status In Force
Filing Date 2018-05-01
First Publication Date 2018-09-06
Grant Date 2019-07-30
Owner Shape Security, Inc. (USA)
Inventor Li, Zhiwei

Abstract

Computer systems and methods in various embodiments are configured for improving the security and efficiency of server computers interacting through an intermediary computer with client computers that may be executing malicious and/or autonomous headless browsers or “bots”. In an embodiment, a computer system comprises a memory; one or more processors coupled to the memory; a processor logic coupled to the memory and the one or more processors, and configured to: intercept, from a server computer, one or more original instructions to be sent to a browser of a client computer; send the one or more original instructions to the browser and one or more telemetry instructions, wherein the telemetry instructions are configured, when executed, to generate a set of telemetry data indicating one or more objects that were referenced by the browser and to send the set of telemetry data to the intermediary computer; receive the set of telemetry data and determine whether the browser is legitimate or illegitimate based on the set of telemetry data.

IPC Classes

  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

76.

Polymorphic obfuscation of executable code

      
Application Number 15756557
Grant Number 10382482
Status In Force
Filing Date 2016-08-30
First Publication Date 2018-08-30
Grant Date 2019-08-13
Owner Shape Security, Inc. (USA)
Inventor
  • Yang, Siying
  • Overson, Jarrod
  • Vinegar, Ben
  • Zhang, Bei

Abstract

This document generally relates to systems, methods, and other techniques for identifying and interfering with the operation of computer malware, as a mechanism for improving system security. Some implementations include a computer-implemented method by which a computer security server system performs actions including receiving a request for content directed to a particular content server system; forwarding the request to the particular content server system; receiving executable code from the particular content server system; inserting executable injection code into at least one file of the executable code; applying a security countermeasure to the combined executable code and executable injection code to create transformed code; and providing the transformed code to a client computing device.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs

77.

Detecting man-in-the-browser attacks

      
Application Number 15959920
Grant Number 10341380
Status In Force
Filing Date 2018-04-23
First Publication Date 2018-08-23
Grant Date 2019-07-02
Owner Shape Security, Inc. (USA)
Inventor
  • Zhao, Yao
  • Wang, Xinran

Abstract

Methods and apparatus are described for automatically modifying web page code. Specific implementations relate to the modification of web page code for the purpose of combatting Man-in-the-Browser (MitB) attacks.

IPC Classes

  • G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 16/958 - Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking

78.

Management of calls to transformed operations and objects

      
Application Number 15945944
Grant Number 10652275
Status In Force
Filing Date 2018-04-05
First Publication Date 2018-08-09
Grant Date 2020-05-12
Owner Shape Security, Inc. (USA)
Inventor
  • Zhou, Xiaoming
  • Hoover, Roger
  • Shekyan, Sergey
  • Call, Justin

Abstract

In an embodiment, a method comprises intercepting a first set of instructions from a server computer that define one or more objects and one or more original operations that are based, at least in part, on the one or more objects; modifying the first set of instructions by adding one or more supervisor operations that are based, at least in part, on the one or more objects; transforming the one or more original operations to produce one or more transformed operations that are based, at least in part, on the one or more supervisor operations; rendering a second set of instructions which define the one or more supervisor operations and the one or more transformed operations; sending the second set of instructions to a remote client computer.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 12/24 - Arrangements for maintenance or administration
  • G06F 9/30 - Arrangements for executing machine instructions, e.g. instruction decode
  • G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
  • G06F 9/54 - Interprogram communication
  • G06F 21/12 - Protecting executable software
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure

79.

Code modification for automation detection

      
Application Number 15925748
Grant Number 10536479
Status In Force
Filing Date 2018-03-19
First Publication Date 2018-07-26
Grant Date 2020-01-14
Owner Shape Security, Inc. (USA)
Inventor
  • Call, Justin D
  • Zhou, Xiaoming
  • Huang, Xiaohan
  • Varadarajan, Subramanian
  • Hoover, Roger S.

Abstract

Techniques for code modification for automation detection are described. Web code is obtained corresponding to content to be served to a first client device in response to a first request from the first client device. Instances of a particular programmatic element in the web code are identified. In response to the first request, modified web code is generated from the web code by consistently changing the particular programmatic element to a modified programmatic element throughout the web code. The modified web code is caused to be provided to the first client device in response to the first request from the first client device. A communication is received from the first client device that is made in response to the modified web code. The communication includes an attempt to interact with the particular programmatic element that exists in the web code but not in the modified web code.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure

80.

Deterministic reproduction of client/server computer state or output sent to one or more client computers

      
Application Number 15919034
Grant Number 10212173
Status In Force
Filing Date 2018-03-12
First Publication Date 2018-07-19
Grant Date 2019-02-19
Owner SHAPE SECURITY, INC. (USA)
Inventor Ficarra, Michael J.

Abstract

Computer systems and methods for improving security or performance of one or more client computers interacting with a plurality of server computers. In an embodiment, a computer system comprises a first server computer and a second server computer; wherein the first server computer is configured to: generate a challenge nonce, wherein the challenge nonce corresponds to a challenge state; generate the challenge state based on the challenge nonce, wherein the challenge state corresponds to a response state; send, to a first client computer, the challenge nonce and the challenge state, but not the response state; wherein the second server computer is configured to: receive, from the first client computer, a test nonce and a test response state; determine whether the test response state matches the response state based on the test nonce, without: receiving the challenge state from the first server computer; receiving the challenge state from the first client computer.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure

81.

OBFUSCATING SOURCE CODE SENT, FROM A SERVER COMPUTER, TO A BROWSER ON A CLIENT COMPUTER

      
Application Number US2017064336
Publication Number 2018/102767
Status In Force
Filing Date 2017-12-01
Publication Date 2018-06-07
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Gibbons, Kevin
  • Disney, Tim
  • Ficarra, Michael, J.

Abstract

Programs written in interpreted languages, such as JavaScript, are distributed in source form, which is helpful to attackers so that they can more easily derive the purposes and effects of a program. As discussed herein, a program's high-level code may be effectively obfuscated by transforming the program's code from its high-level programming language to low-level processor-specific language, such as x86 instructions for x86 processors, JVM bytecode for JVMs, or proprietary opcodes for a corresponding proprietary processor or interpreter. Additional obfuscation techniques can be applied to the program's low-level processor-specific code.

IPC Classes

  • G06F 21/14 - Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
  • G06F 17/30 - Information retrieval; Database structures therefor

82.

Reliable selection of security countermeasures

      
Application Number 15805073
Grant Number 10333924
Status In Force
Filing Date 2017-11-06
First Publication Date 2018-05-31
Grant Date 2019-06-25
Owner Shape Security, Inc. (USA)
Inventor Yang, Siying

Abstract

Among other things, this document describes a computer-implemented security method such as for authenticated selection of security countermeasures and for reliable identification of computing devices. The method can include receiving, by a computing system, a request from a computing device for an electronic resource. The computing system can identify a security token received from the device that made the request. Based on the security token, particular security countermeasures can be selected that are to be applied to the electronic resource to be served in response to the request. The countermeasures can be operable to interfere with an ability of malware to interact with the served electronic resource when the served electronic resource is on the computing device. Portions of the electronic resource that are to be executed on the computing device can be re-coded using the selected particular security countermeasures.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/14 - Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure

83.

Challenge-dynamic credential pairs for client/server request validation

      
Application Number 15563509
Grant Number 10708249
Status In Force
Filing Date 2016-02-16
First Publication Date 2018-03-29
Grant Date 2020-07-07
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Hidayat, Ariya
  • Call, Justin

Abstract

In an embodiment, a computer system configured to: generate a first challenge credential to be sent to a client computer; render one or more first dynamic-credential instructions, which when executed by the client computer, cause the client computer to generate a first dynamic credential that corresponds to the first challenge credential; modify a first set of instructions, which define one or more original operations, to produce a second set of instructions, wherein the second set of instructions include the first challenge credential and the one or more first dynamic-credential instructions, and which when executed by the client computer, cause the first challenge credential to be included in the one or more requests sent from the client computer; send the second set of instructions to a second computer.

IPC Classes

  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/44 - Program or device authentication
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure

84.

Client/server security by executing instructions and rendering client application instructions

      
Application Number 15808504
Grant Number 10834082
Status In Force
Filing Date 2017-11-09
First Publication Date 2018-03-15
Grant Date 2020-11-10
Owner SHAPE SECURITY, INC. (USA)
Inventor Call, Justin

Abstract

In an embodiment, a method comprises intercepting, from a server computer, a first set of instructions that define a user interface; executing, using a headless browser, the first set of instructions without presenting the user interface; rendering a second set of instructions, which when executed by a client application on a client computer, cause the client computer to present the user interface, wherein the second set of instructions are different than the first set of instructions; sending the second set of instructions to the client computer.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure

85.

Securing web page content

      
Application Number 15791291
Grant Number 10033755
Status In Force
Filing Date 2017-10-23
First Publication Date 2018-02-15
Grant Date 2018-07-24
Owner Shape Security, Inc. (USA)
Inventor
  • Shekyan, Sergey
  • Coates, Michael
  • Hales, Wesley
  • Peacock, Tim
  • Call, Justin

Abstract

Methods and apparatus are described for automatically modifying web page source code to address a variety of security vulnerabilities such as, for example, vulnerabilities that are exploited by mixed content attacks.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • G06F 17/30 - Information retrieval; Database structures therefor

86.

Using instrumentation code to detect bots or malware

      
Application Number 15785309
Grant Number 10193909
Status In Force
Filing Date 2017-10-16
First Publication Date 2018-02-08
Grant Date 2019-01-29
Owner Shape Security, Inc. (USA)
Inventor
  • Call, Justin D.
  • Huang, Xiaohan
  • Zhou, Xiaoming
  • Varadarajan, Subramanian
  • Hansen, Marc R.

Abstract

Techniques are provided for using instrumentation code to detect bots or malware. Data corresponding to requests from a plurality of client devices for a web resource comprising web code is obtained. The web resource is hosted by a first web server system. For a first client device of the plurality of client devices, instrumentation code is served. The instrumentation code is configured to execute on the first client device to monitor execution of the web code of the web resource at the first client device. One or more responses generated by the instrumentation code at the first client device are received from the first client device. The one or more responses are based on one or more interactions with the web code at the first client device.

IPC Classes

  • G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/12 - Protecting executable software
  • G06F 21/14 - Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
  • G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability

87.

Modifying authentication for an application programming interface

      
Application Number 15671017
Grant Number 10834050
Status In Force
Filing Date 2017-08-07
First Publication Date 2018-01-25
Grant Date 2020-11-10
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Call, Justin D.
  • Peacock, Timothy D.

Abstract

Application programming interfaces (APIs) can be unintentionally exposed and allow for potentially undesirable use of corporate resources. An API call filtering system configured to monitor API call requests received via an endpoint and API call responses received via a supporting service of an API or web service. The API call filtering system enables enterprises to improve their security posture by identifying, studying, reporting, and securing their APIs within their enterprise network.

IPC Classes

  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • G06F 21/30 - Authentication, i.e. establishing the identity or authorisation of security principals
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 9/54 - Interprogram communication
  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
  • H04L 12/26 - Monitoring arrangements; Testing arrangements

88.

Client-side security key generation

      
Application Number 15640399
Grant Number 10567171
Status In Force
Filing Date 2017-06-30
First Publication Date 2018-01-04
Grant Date 2020-02-18
Owner Shape Security, Inc. (USA)
Inventor
  • Schroeder, Carl
  • Hidayat, Ariya
  • Rentachintala, Chandrasekhar
  • Chiu, Ricky Y.

Abstract

Techniques are provided for client-side security key generation. An initial request is received from an application executing on a client device. The application includes a security component that includes security code. In response to the initial request, a key component is generated. The key component includes one or more parameters from which a valid security key can be generated at the client device by executing the security code. The key component is provided to the client device. A security key associated with a request from the client device to an application server is received. The security key is checked for validity. In response to determining that the security key is valid, processing of the request by the application server is caused.

IPC Classes

  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 9/08 - Key distribution
  • H04L 9/06 - Arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for blockwise coding, e.g. D.E.S. systems
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • G06F 12/14 - Protection against unauthorised use of memory

89.

CLIENT-SIDE SECURITY KEY GENERATION

      
Application Number US2017040148
Publication Number 2018/005893
Status In Force
Filing Date 2017-06-29
Publication Date 2018-01-04
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Schroeder, Carl
  • Hidayat, Ariya
  • Rentachintala, Chandrasekhar
  • Chiu, Ricky

Abstract

Techniques are provided for client-side security key generation. An initial request is received from an application executing on a client device. The application includes a security component that includes security code. In response to the initial request, a key component is generated. The key component includes one or more parameters from which a valid security key can be generated at the client device by executing the security code. The key component is provided to the client device. A security key associated with a request from the client device to an application server is received. The security key is checked for validity. In response to determining that the security key is valid, processing of the request by the application server is caused.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • G06F 21/31 - User authentication

90.

Encoding of sensitive data

      
Application Number 14286324
Grant Number 09858440
Status In Force
Filing Date 2014-05-23
First Publication Date 2018-01-02
Grant Date 2018-01-02
Owner Shape Security, Inc. (USA)
Inventor
  • Wang, Xinran
  • Zhao, Yao

Abstract

A computer-implemented method, the method includes identifying a piece of data to be served from a server system to a client device that is remote from the server system; creating a plurality of expressions that, when executed, provide a result that corresponds to the piece of data; and providing the plurality of expressions to the client device with code for executing the plurality of expressions.

IPC Classes

  • G06F 21/10 - Protecting distributed programs or content, e.g. vending or licensing of copyrighted material
  • G06F 21/64 - Protecting data integrity, e.g. using checksums, certificates or signatures

91.

Coordinated application of security policies

      
Application Number 14596944
Grant Number 09825995
Status In Force
Filing Date 2015-01-14
First Publication Date 2017-11-21
Grant Date 2017-11-21
Owner Shape Security, Inc. (USA)
Inventor
  • Schroeder, Carl
  • Call, Justin D.
  • Yang, Siying

Abstract

A computer-implemented method includes receiving, at a first server sub-system, content served to a client computing device; transcoding, with the first server sub-system, the received content using a policy received from a second security sub-system; determining, with the first server sub-system, that the second server sub-system has likely ceased operating properly; receiving a request to vote on a leader server sub-system from one or more server sub-systems, and voting for one of the one or more server sub-systems; and subsequently transcoding received content according to a policy received from another of the server sub-systems that is not the second server sub-system.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

92.

Management of dynamic credentials

      
Application Number 15658129
Grant Number 11552936
Status In Force
Filing Date 2017-07-24
First Publication Date 2017-11-09
Grant Date 2023-01-10
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Call, Justin
  • Varadarajan, Subramanian
  • Hanks, Bryan

Abstract

In an embodiment, a method comprises intercepting, from a first computer, a first set of instructions that define one or more original operations, which are configured to cause one or more requests to be sent if executed by a client computer; modifying the first set of instructions to produce a modified set of instructions, which are configured to cause a credential to be included in the one or more requests sent if executed by the client computer; rendering a second set of instructions comprising the modified set of instructions and one or more credential-morphing-instructions, wherein the one or more credential-morphing-instructions define one or more credential-morphing operations, which are configured to cause the client computer to update the credential over time if executed; sending the second set of instructions to a second computer.

IPC Classes

  • G06F 21/44 - Program or device authentication
  • H04L 9/08 - Key distribution
  • H04L 9/00 - Arrangements for secret or secure communications; Network security protocols
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 9/40 - Network security protocols
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure

93.

Intercepting and supervising calls to transformed operations and objects

      
Application Number 15651303
Grant Number 10044753
Status In Force
Filing Date 2017-07-17
First Publication Date 2017-11-02
Grant Date 2018-08-07
Owner Shape Security, Inc. (USA)
Inventor
  • Zhou, Xiaoming
  • Hoover, Roger
  • Shekyan, Sergey
  • Call, Justin

Abstract

In an embodiment, a method comprises intercepting a first set of instructions from a server computer that define one or more objects and one or more original operations that are based, at least in part, on the one or more objects; modifying the first set of instructions by adding one or more supervisor operations that are based, at least in part, on the one or more objects; transforming the one or more original operations to produce one or more transformed operations that are based, at least in part, on the one or more supervisor operations; rendering a second set of instructions which define the one or more supervisor operations and the one or more transformed operations; sending the second set of instructions to a remote client computer.

IPC Classes

  • G06F 15/173 - Interprocessor communication using an interconnection network, e.g. matrix, shuffle, pyramid, star or snowflake
  • G06F 9/00 - Arrangements for program control, e.g. control units
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 12/24 - Arrangements for maintenance or administration
  • G06F 9/30 - Arrangements for executing machine instructions, e.g. instruction decode
  • G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
  • G06F 9/54 - Interprogram communication
  • G06F 21/12 - Protecting executable software
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure

94.

APPLYING BYTECODE OBFUSCATION TECHNIQUES TO PROGRAMS WRITTEN IN AN INTERPRETED LANGUAGE

      
Application Number US2017021409
Publication Number 2017/156158
Status In Force
Filing Date 2017-03-08
Publication Date 2017-09-14
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Ficarra, Michael, J.
  • Gibbons, Kevin

Abstract

In an embodiment, a computer system configured to improve security of client computer interacting with server computers comprises one or more processors; a digital electronic memory storing a set of program instructions which when executed using the one or more processors cause the one or more processors to: process a first set of original instructions that produce a first set of outputs or effects; generate a first set of interpreter instructions that define a first interpreter; generate a first set of alternate instructions from the first set of original instructions, wherein the first set of alternate instructions is functionally equivalent to the first set of original instructions when the first set of alternate instructions is executed by the first interpreter; send, to the first client computer, the first set of alternate instructions and the first set of interpreter instructions.

IPC Classes

  • G06F 9/45 - Compilation or interpretation of high level programme languages

95.

VARIABLE RUNTIME TRANSPILATION

      
Application Number US2017018747
Publication Number 2017/151352
Status In Force
Filing Date 2017-02-21
Publication Date 2017-09-08
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Overson, Jarrod S.
  • Hidayat, Ariya
  • Ficarra, Michael
  • Zhang, Bei
  • Call, Justin

Abstract

In an approach, an apparatus comprises: one or more processors; a processor logic coupled to the one or more processors and configured to: intercept, from a client computer, a request directed to a server computer that identifies a purported user agent executing on the client computer; send, to the server computer, the request from the client computer; intercept, from the server computer, one or more original instructions to be executed by the purported user agent of the client computer; determine one or more features supported by the purported user agent that are not utilized by the one or more original instructions; transform the one or more original instructions into one or more revised instructions which, when executed by the purported user agent, cause the purported user agent to utilize the one or more features; send, to the client computer, the one or more revised instructions.

IPC Classes

  • G06F 11/00 - Error detection; Error correction; Monitoring

96.

DETERMINISTIC REPRODUCTION OF CLIENT/SERVER COMPUTER STATE OR OUTPUT SENT TO ONE OR MORE CLIENT COMPUTERS

      
Application Number US2017020660
Publication Number 2017/152050
Status In Force
Filing Date 2017-03-03
Publication Date 2017-09-08
Owner SHAPE SECURITY, INC. (USA)
Inventor Ficarra, Michael J.

Abstract

Computer systems and methods for improving security or performance of client computers interacting with a plurality of server computers. In an embodiment, a computer system comprises a first server computer and a second server computer; wherein the first server computer is configured to: generate a challenge nonce, wherein the challenge nonce corresponds to a challenge state; generate the challenge state based on the challenge nonce, wherein the challenge state corresponds to a response state; send, to a first client computer, the challenge nonce and the challenge state, but not the response state; wherein the second server computer is configured to: receive, from the first client computer, a test nonce and a test response state; determine whether the test response state matches the response state based on the test nonce, without: receiving the challenge state from the first server computer; receiving the challenge state from the first client computer.

IPC Classes

  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 12/24 - Arrangements for maintenance or administration
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure
  • G06F 9/44 - Arrangements for executing specific programs
  • G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
  • G06F 17/30 - Information retrieval; Database structures therefor

97.

Variable runtime transpilation

      
Application Number 15059080
Grant Number 10855696
Status In Force
Filing Date 2016-03-02
First Publication Date 2017-09-07
Grant Date 2020-12-01
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Overson, Jarrod S.
  • Hidayat, Ariya
  • Ficarra, Michael
  • Zhang, Bei
  • Call, Justin

Abstract

In an approach, an apparatus comprises: one or more processors; a processor logic coupled to the one or more processors and configured to: intercept, from a client computer, a request directed to a server computer that identifies a purported user agent executing on the client computer; send, to the server computer, the request from the client computer; intercept, from the server computer, one or more original instructions to be executed by the purported user agent of the client computer; determine one or more features supported by the purported user agent that are not utilized by the one or more original instructions; transform the one or more original instructions into one or more revised instructions which, when executed by the purported user agent, cause the purported user agent to utilize the one or more features; send, to the client computer, the one or more revised instructions.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure

98.

Deterministic reproduction of client/server computer state or output sent to one or more client computers

      
Application Number 15060322
Grant Number 09917850
Status In Force
Filing Date 2016-03-03
First Publication Date 2017-09-07
Grant Date 2018-03-13
Owner SHAPE SECURITY, INC. (USA)
Inventor Ficarra, Michael J.

Abstract

Computer systems and methods for improving security or performance of one or more client computers interacting with a plurality of server computers. In an embodiment, a computer system comprises a first server computer and a second server computer; wherein the first server computer is configured to: generate a challenge nonce, wherein the challenge nonce corresponds to a challenge state; generate the challenge state based on the challenge nonce, wherein the challenge state corresponds to a response state; send, to a first client computer, the challenge nonce and the challenge state, but not the response state; wherein the second server computer is configured to: receive, from the first client computer, a test nonce and a test response state; determine whether the test response state matches the response state based on the test nonce, without: receiving the challenge state from the first server computer; receiving the challenge state from the first client computer.

IPC Classes

  • G06F 12/14 - Protection against unauthorised use of memory
  • G06F 12/16 - Protection against loss of memory contents
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

99.

REVERSE PROXY COMPUTER: DEPLOYING COUNTERMEASURES IN RESPONSE TO DETECTING AN AUTONOMOUS BROWSER EXECUTING ON A CLIENT COMPUTER

      
Application Number US2017017564
Publication Number 2017/139709
Status In Force
Filing Date 2017-02-10
Publication Date 2017-08-17
Owner SHAPE SECURITY, INC. (USA)
Inventor
  • Mattson, Eli
  • Schroeder, Carl
  • Zhang, Bei
  • Shekyan, Sergey
  • Saghafi, Salman
  • Overson, Jarrod
  • Ellis, Lewis

Abstract

A computer system configured to improve security of server computers interacting with client computers, the system comprising: one or more processors executing instructions that cause the one or more processors to: select, from the plurality of detection tests, one or more first detection tests to be performed by a client computer; send, to the client computer, a first set of detection instructions that define the one or more first detection tests, and which when executed causes generating a first set of results that identifies a first set of characteristics of the client computer; receive the first set of results from the client computer; select one or more first countermeasures from a plurality of countermeasures based on the first set of characteristics identified in the first set of results; send, to the client computer, a first set of countermeasure instructions that define the one or more first countermeasures.

IPC Classes

  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure

100.

Reverse proxy computer: deploying countermeasures in response to detecting an autonomous browser executing on a client computer

      
Application Number 15430224
Grant Number 10326790
Status In Force
Filing Date 2017-02-10
First Publication Date 2017-08-17
Grant Date 2019-06-18
Owner Shape Security, Inc. (USA)
Inventor
  • Mattson, Eli
  • Schroeder, Carl
  • Zhang, Bei
  • Shekyan, Sergey
  • Saghafi, Salman
  • Overson, Jarrod
  • Ellis, Lewis

Abstract

A computer system configured to improve security of server computers interacting with client computers, the system comprising: one or more processors executing instructions that cause the one or more processors to: select, from the plurality of detection tests, one or more first detection tests to be performed by a client computer; send, to the client computer, a first set of detection instructions that define the one or more first detection tests, and which when executed causes generating a first set of results that identifies a first set of characteristics of the client computer; receive the first set of results from the client computer; select one or more first countermeasures from a plurality of countermeasures based on the first set of characteristics identified in the first set of results; send, to the client computer, a first set of countermeasure instructions that define the one or more first countermeasures.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/60 - Protecting data