Detection of computerized bots and automated cyber-attack modules

US 10,069,852 B2
Filed: 12/13/2017
Issued: 09/04/2018
Est. Priority Date: 11/29/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

(A) detecting an automated malware that emulates human interactions with a computerized service;

wherein the detecting of step (A) comprises;

(a) monitoring input-unit interactions of an electronic device that is utilized by a user to interact with said computerized service;

(b) injecting an input-output aberration into a web-page, and monitoring whether manual corrective actions were manually performed in response to the input-output aberration;

(c) analyzing said input-unit interactions;

(d) determining that it is humanly-impossible for a human to perform said input-user interactions;

(e) based on the determining of step (d), determining that said input-unit interactions were necessarily performed by said automated script that emulates human interactions, and not by a human user;

wherein the determining of step (e), that said input-unit interactions were necessarily performed by said automated script, is further based on;

detecting that corrective actions that were performed in response to said input-output aberration were insufficient to adequately cure the input-output aberration.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Devices, systems, and methods of detecting whether an electronic device or computerized device or computer, is being controlled by a legitimate human user, or by an automated cyber-attack unit or malware or automatic script. The system monitors interactions performed via one or more input units of the electronic device. The system searches for abnormal input-user interactions; or for an abnormal discrepancy between: the input-unit gestures that were actually registered by the input unit, and the content that the electronic device reports as allegedly entered via such input units. A discrepancy or abnormality indicates that more-possibly, or necessarily or certainly, a malware or automated script is controlling the electronic device, rather than a legitimate human user. Optionally, an input-output aberration or interference is injected, in order to check for manual corrective actions that only a human user, and not an automated script, is able to perform.

209 Citations

9 Claims

1. A method comprising:
- (A) detecting an automated malware that emulates human interactions with a computerized service;
  
  wherein the detecting of step (A) comprises;
  
  (a) monitoring input-unit interactions of an electronic device that is utilized by a user to interact with said computerized service;
  
  (b) injecting an input-output aberration into a web-page, and monitoring whether manual corrective actions were manually performed in response to the input-output aberration;
  
  (c) analyzing said input-unit interactions;
  
  (d) determining that it is humanly-impossible for a human to perform said input-user interactions;
  
  (e) based on the determining of step (d), determining that said input-unit interactions were necessarily performed by said automated script that emulates human interactions, and not by a human user;
  
  wherein the determining of step (e), that said input-unit interactions were necessarily performed by said automated script, is further based on;
  
  detecting that corrective actions that were performed in response to said input-output aberration were insufficient to adequately cure the input-output aberration.

2. A method comprising:
- (A) detecting an automated malware that emulates human interactions with a computerized service;
  
  wherein the detecting of step (A) comprises;
  
  (a) monitoring input-unit interactions of an electronic device that is utilized by a user to interact with said computerized service;
  
  (b) injecting an input-output aberration into a web-page, and monitoring whether manual corrective actions were manually performed in response to the input-output aberration;
  
  (c) analyzing said input-unit interactions;
  
  (d) determining that it is humanly-impossible for a human to perform said input-user interactions;
  
  (e) based on the determining of step (d), determining that said input-unit interactions were necessarily performed by said automated script that emulates human interactions, and not by a human user;
  
  wherein the method comprises;
  
  (i) monitoring key-down events, and key-up events, during a usage session in which said electronic device exhibits reception of keyboard input;
  
  (ii) determining that the number of key-down events does not match the number of key-up events, during said usage session;
  
  (iii) based on step (ii), determining that said input-unit interactions were necessarily performed by said automated script that emulates human interactions, and not by a human user.

3. A method comprising:
- (A) detecting an automated malware that emulates human interactions with a computerized service;
  
  wherein the detecting of step (A) comprises;
  
  (a) monitoring input-unit interactions of an electronic device that is utilized by a user to interact with said computerized service;
  
  (b) injecting an input-output aberration into a web-page, and monitoring whether manual corrective actions were manually performed in response to the input-output aberration;
  
  (c) analyzing said input-unit interactions;
  
  (d) determining that it is humanly-impossible for a human to perform said input-user interactions;
  
  (e) based on the determining of step (d), determining that said input-unit interactions were necessarily performed by said automated script that emulates human interactions, and not by a human user;
  
  wherein the method comprises;
  
  (i) monitoring key-down events, and monitoring key-up events, during a usage session in which said electronic device exhibits reception of keyboard input;
  
  (ii) determining that the order of the key-down events and the key-up events, during said usage session, does not match an expected order of key-down events and key-up events that is expected to be observed if an input unit of said electronic device is utilized for typing by a human user;
  
  (iii) based on step (ii), determining that said input-unit interactions were necessarily performed by said automated script that emulates human interactions, and not by a human user.

4. A method comprising:
- (A) detecting an automated malware that emulates human interactions with a computerized service;
  
  wherein the detecting of step (A) comprises;
  
  (a) monitoring input-unit interactions of an electronic device that is utilized by a user to interact with said computerized service;
  
  (b) injecting an input-output aberration into a web-page, and monitoring whether manual corrective actions were manually performed in response to the input-output aberration;
  
  (c) analyzing said input-unit interactions;
  
  (d) determining that it is humanly-impossible for a human to perform said input-user interactions;
  
  (e) based on the determining of step (d), determining that said input-unit interactions were necessarily performed by said automated script that emulates human interactions, and not by a human user;
  
  wherein the method comprises;
  
  (i) continuously monitoring mouse events, during a usage session in which said electronic device exhibits reception of mouse-based input;
  
  (ii) determining that during a first period of time within said usage session, the monitored mouse events exhibit a first sampling rate;
  
  (iii) determining that during a second period of time within said usage session, the monitored mouse events exhibit a second, different, sampling rate;
  
  (iv) based on steps (ii) and (iii), determining that said electronic device is necessarily controlled by an automated module, and not by a legitimate human user.

5. A method comprising:
- (A) detecting an automated malware that emulates human interactions with a computerized service;
  
  wherein the detecting of step (A) comprises;
  
  (a) monitoring input-unit interactions of an electronic device that is utilized by a user to interact with said computerized service;
  
  (b) injecting an input-output aberration into a web-page, and monitoring whether manual corrective actions were manually performed in response to the input-output aberration;
  
  (c) analyzing said input-unit interactions;
  
  (d) determining that it is humanly-impossible for a human to perform said input-user interactions;
  
  (e) based on the determining of step (d), determining that said input-unit interactions were necessarily performed by said automated script that emulates human interactions, and not by a human user;
  
  wherein the method comprises;
  
  (i) continuously monitoring keyboard events, during a usage session in which said electronic device exhibits reception of keyboard-based input;
  
  (ii) determining that during a first period of time within said usage session, the monitored keyboard events exhibit a first sampling rate;
  
  (iii) determining that during a second period of time within said usage session, the monitored keyboard events exhibit a second, different, sampling rate;
  
  (iv) based on steps (ii) and (iii), determining that said electronic device is necessarily controlled by an automated attacking module, and not by a legitimate human user.

6. A method comprising:
- (A) detecting an automated malware that emulates human interactions with a computerized service;
  
  wherein the detecting of step (A) comprises;
  
  (a) monitoring input-unit interactions of an electronic device that is utilized by a user to interact with said computerized service;
  
  (b) injecting an input-output aberration into a web-page, and monitoring whether manual corrective actions were manually performed in response to the input-output aberration;
  
  (c) analyzing said input-unit interactions;
  
  (d) determining that it is humanly-impossible for a human to perform said input-user interactions;
  
  (e) based on the determining of step (d), determining that said input-unit interactions were necessarily performed by said automated script that emulates human interactions, and not by a human user;
  
  wherein the method comprises;
  
  (i) detecting that an input-unit level of the electronic device reports that a message of M characters was manually entered via an input-unit of the electronic device;
  
  (ii) detecting that said electronic device sends to a remote server, an outgoing message of N characters that was allegedly typed on said electronic device, wherein N is different than M;
  
  (iii) based on the determining of steps (i) and (ii), further determining that said electronic device is necessarily controlled by an automated module, and not by a legitimate human user.

7. A method comprising:
- (A) detecting an automated script that emulates human interactions with a computerized service;
  
  wherein the detecting of step (A) comprises;
  
  (a) monitoring input-unit interactions of an electronic device that is utilized by a user to interact with said computerized service;
  
  (b) allocating to each monitored input-unit interaction, a respective score-value that quantifies, on a scale of M to N, how difficult it is for a human user to perform said input-unit interaction;
  
  (c) determining a weighted score that corresponds to a set of multiple monitored input-user interactions, based on the respective score-value of each one of said multiple monitored input-user interactions;
  
  (d) if said weighted score is greater than a threshold value, then determining that said set of multiple monitored input-unit interactions were necessarily performed by said automated script, and not by a human user.
- View Dependent Claims (8, 9)
- - 8. The method of claim 7,wherein the monitoring of step (a) comprises:
    - monitoring input-unit interactions in response to an input-output aberration that was injected into a web-page and that requires manual corrective actions.
  - 9. The method of claim 7,wherein the monitoring of step (a) comprises:
    - monitoring input-unit interactions in response to an input-output aberration that was injected into an application element and that requires manual corrective actions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Biocatch Ltd.
Original Assignee
Biocatch Ltd.
Inventors
Turgeman, Avi, Novick, Itai
Primary Examiner(s)
Rahman, Shawnchoy

Application Number

US15/840,035
Publication Number

US 20180103047A1
Time in Patent Office

265 Days
Field of Search
US Class Current
CPC Class Codes

G01R 29/26   Measuring noise figure; Mea...

G06F 21/121   Restricting unauthorised ex...

G06F 21/316   by observing the pattern of...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 2221/2133   Verifying human interaction...

G06Q 20/308   using the Internet of Things

G06Q 20/321   using wearable devices

G06Q 20/4014   Identity check for transact...

G06Q 20/4016   involving fraud or risk lev...

H04L 2463/082   applying multi-factor authe...

H04L 2463/144   Detection or countermeasure...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/102   Entity profiles

H04L 63/126   the source of the received ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Detection of computerized bots and automated cyber-attack modules

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

209 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of computerized bots and automated cyber-attack modules

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

209 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links