Detection of computerized bots and automated cyber-attack modules
First Claim
1. A method comprising:
- (A) detecting an automated malware that emulates human interactions with a computerized service;
wherein the detecting of step (A) comprises;
(a) monitoring input-unit interactions of an electronic device that is utilized by a user to interact with said computerized service;
(b) injecting an input-output aberration into a web-page, and monitoring whether manual corrective actions were manually performed in response to the input-output aberration;
(c) analyzing said input-unit interactions;
(d) determining that it is humanly-impossible for a human to perform said input-user interactions;
(e) based on the determining of step (d), determining that said input-unit interactions were necessarily performed by said automated script that emulates human interactions, and not by a human user;
wherein the determining of step (e), that said input-unit interactions were necessarily performed by said automated script, is further based on;
detecting that corrective actions that were performed in response to said input-output aberration were insufficient to adequately cure the input-output aberration.
4 Assignments
0 Petitions
Accused Products
Abstract
Devices, systems, and methods of detecting whether an electronic device or computerized device or computer, is being controlled by a legitimate human user, or by an automated cyber-attack unit or malware or automatic script. The system monitors interactions performed via one or more input units of the electronic device. The system searches for abnormal input-user interactions; or for an abnormal discrepancy between: the input-unit gestures that were actually registered by the input unit, and the content that the electronic device reports as allegedly entered via such input units. A discrepancy or abnormality indicates that more-possibly, or necessarily or certainly, a malware or automated script is controlling the electronic device, rather than a legitimate human user. Optionally, an input-output aberration or interference is injected, in order to check for manual corrective actions that only a human user, and not an automated script, is able to perform.
209 Citations
9 Claims
-
1. A method comprising:
-
(A) detecting an automated malware that emulates human interactions with a computerized service; wherein the detecting of step (A) comprises; (a) monitoring input-unit interactions of an electronic device that is utilized by a user to interact with said computerized service; (b) injecting an input-output aberration into a web-page, and monitoring whether manual corrective actions were manually performed in response to the input-output aberration; (c) analyzing said input-unit interactions; (d) determining that it is humanly-impossible for a human to perform said input-user interactions; (e) based on the determining of step (d), determining that said input-unit interactions were necessarily performed by said automated script that emulates human interactions, and not by a human user; wherein the determining of step (e), that said input-unit interactions were necessarily performed by said automated script, is further based on;
detecting that corrective actions that were performed in response to said input-output aberration were insufficient to adequately cure the input-output aberration.
-
-
2. A method comprising:
-
(A) detecting an automated malware that emulates human interactions with a computerized service; wherein the detecting of step (A) comprises; (a) monitoring input-unit interactions of an electronic device that is utilized by a user to interact with said computerized service; (b) injecting an input-output aberration into a web-page, and monitoring whether manual corrective actions were manually performed in response to the input-output aberration; (c) analyzing said input-unit interactions; (d) determining that it is humanly-impossible for a human to perform said input-user interactions; (e) based on the determining of step (d), determining that said input-unit interactions were necessarily performed by said automated script that emulates human interactions, and not by a human user; wherein the method comprises; (i) monitoring key-down events, and key-up events, during a usage session in which said electronic device exhibits reception of keyboard input; (ii) determining that the number of key-down events does not match the number of key-up events, during said usage session; (iii) based on step (ii), determining that said input-unit interactions were necessarily performed by said automated script that emulates human interactions, and not by a human user.
-
-
3. A method comprising:
-
(A) detecting an automated malware that emulates human interactions with a computerized service; wherein the detecting of step (A) comprises; (a) monitoring input-unit interactions of an electronic device that is utilized by a user to interact with said computerized service; (b) injecting an input-output aberration into a web-page, and monitoring whether manual corrective actions were manually performed in response to the input-output aberration; (c) analyzing said input-unit interactions; (d) determining that it is humanly-impossible for a human to perform said input-user interactions; (e) based on the determining of step (d), determining that said input-unit interactions were necessarily performed by said automated script that emulates human interactions, and not by a human user; wherein the method comprises; (i) monitoring key-down events, and monitoring key-up events, during a usage session in which said electronic device exhibits reception of keyboard input; (ii) determining that the order of the key-down events and the key-up events, during said usage session, does not match an expected order of key-down events and key-up events that is expected to be observed if an input unit of said electronic device is utilized for typing by a human user; (iii) based on step (ii), determining that said input-unit interactions were necessarily performed by said automated script that emulates human interactions, and not by a human user.
-
-
4. A method comprising:
-
(A) detecting an automated malware that emulates human interactions with a computerized service; wherein the detecting of step (A) comprises; (a) monitoring input-unit interactions of an electronic device that is utilized by a user to interact with said computerized service; (b) injecting an input-output aberration into a web-page, and monitoring whether manual corrective actions were manually performed in response to the input-output aberration; (c) analyzing said input-unit interactions; (d) determining that it is humanly-impossible for a human to perform said input-user interactions; (e) based on the determining of step (d), determining that said input-unit interactions were necessarily performed by said automated script that emulates human interactions, and not by a human user; wherein the method comprises; (i) continuously monitoring mouse events, during a usage session in which said electronic device exhibits reception of mouse-based input; (ii) determining that during a first period of time within said usage session, the monitored mouse events exhibit a first sampling rate; (iii) determining that during a second period of time within said usage session, the monitored mouse events exhibit a second, different, sampling rate; (iv) based on steps (ii) and (iii), determining that said electronic device is necessarily controlled by an automated module, and not by a legitimate human user.
-
-
5. A method comprising:
-
(A) detecting an automated malware that emulates human interactions with a computerized service; wherein the detecting of step (A) comprises; (a) monitoring input-unit interactions of an electronic device that is utilized by a user to interact with said computerized service; (b) injecting an input-output aberration into a web-page, and monitoring whether manual corrective actions were manually performed in response to the input-output aberration; (c) analyzing said input-unit interactions; (d) determining that it is humanly-impossible for a human to perform said input-user interactions; (e) based on the determining of step (d), determining that said input-unit interactions were necessarily performed by said automated script that emulates human interactions, and not by a human user; wherein the method comprises; (i) continuously monitoring keyboard events, during a usage session in which said electronic device exhibits reception of keyboard-based input; (ii) determining that during a first period of time within said usage session, the monitored keyboard events exhibit a first sampling rate; (iii) determining that during a second period of time within said usage session, the monitored keyboard events exhibit a second, different, sampling rate; (iv) based on steps (ii) and (iii), determining that said electronic device is necessarily controlled by an automated attacking module, and not by a legitimate human user.
-
-
6. A method comprising:
-
(A) detecting an automated malware that emulates human interactions with a computerized service; wherein the detecting of step (A) comprises; (a) monitoring input-unit interactions of an electronic device that is utilized by a user to interact with said computerized service; (b) injecting an input-output aberration into a web-page, and monitoring whether manual corrective actions were manually performed in response to the input-output aberration; (c) analyzing said input-unit interactions; (d) determining that it is humanly-impossible for a human to perform said input-user interactions; (e) based on the determining of step (d), determining that said input-unit interactions were necessarily performed by said automated script that emulates human interactions, and not by a human user; wherein the method comprises; (i) detecting that an input-unit level of the electronic device reports that a message of M characters was manually entered via an input-unit of the electronic device; (ii) detecting that said electronic device sends to a remote server, an outgoing message of N characters that was allegedly typed on said electronic device, wherein N is different than M; (iii) based on the determining of steps (i) and (ii), further determining that said electronic device is necessarily controlled by an automated module, and not by a legitimate human user.
-
-
7. A method comprising:
-
(A) detecting an automated script that emulates human interactions with a computerized service; wherein the detecting of step (A) comprises; (a) monitoring input-unit interactions of an electronic device that is utilized by a user to interact with said computerized service; (b) allocating to each monitored input-unit interaction, a respective score-value that quantifies, on a scale of M to N, how difficult it is for a human user to perform said input-unit interaction; (c) determining a weighted score that corresponds to a set of multiple monitored input-user interactions, based on the respective score-value of each one of said multiple monitored input-user interactions; (d) if said weighted score is greater than a threshold value, then determining that said set of multiple monitored input-unit interactions were necessarily performed by said automated script, and not by a human user. - View Dependent Claims (8, 9)
-
Specification