System, device, and method of detecting malicious automatic script and code injection
First Claim
1. A method comprising:
- determining that a first string that was inputted via manual keyboard input by a user, who utilizes an electronic device to interact with a computerized service, was replaced with a second string by a malware automatic script that is running on said electronic device;
wherein the determining comprises;
(a) at said electronic device, monitoring keystrokes that are actually entered manually through a keyboard unit of said electronic device;
(b) generating a first data-item that indicates the number of keystrokes that were actually entered manually through said keyboard unit based on client-side monitoring of typing of said first string that was typed in a particular on-screen field;
(c1) at a remote server that is in communication with said electronic device, receiving a second string that was transmitted by the electronic device to said remote server wherein said second string is submitted to said remote server by said electronic device as reflecting manual keyboard entry of said user in said particular on-screen field;
(c2) at said remote server, receiving from said electronic device the first data-item which indicates the number of keystrokes that were actually entered manually through said keyboard unit based on client-side monitoring of typing of said first string that was typed in said particular on-screen field;
(c3) at said remote server, determining the character length of said second string that was received at said remote server;
(d) detecting that (I) the value of the first data-item that was received at said remote server at step (c2) which indicates the number of keystrokes that were actually entered manually through said keyboard unit based on client-side monitoring of client-side data, is different from (II) the character length that was determined by the remote server in step (c2) for the second string that was received at said remote server in step (c1);
(e) based on the detecting of step (d), determining that a malware automatic script was running on said electronic device, and replaced (I) the first string that was manually entered into said particular on-screen field, with (II) the second, different, string.
4 Assignments
0 Petitions
Accused Products
Abstract
Devices, systems, and methods of detecting user identity, differentiating between users of a computerized service, and detecting a possible attacker. The methods include monitoring of user-side input-unit interactions, in general and in response to an interference introduced to user-interface elements. The monitored interactions are used for detecting an attacker that utilizes a remote access channel; for detecting a malicious automatic script, as well as malicious code injection; to identify a particular hardware assembly; to perform user segmentation or user characterization; to enable a visual login process with implicit two-factor authentication; to enable stochastic cryptography; and to detect that multiple users are utilizing the same subscription account.
-
Citations
4 Claims
-
1. A method comprising:
-
determining that a first string that was inputted via manual keyboard input by a user, who utilizes an electronic device to interact with a computerized service, was replaced with a second string by a malware automatic script that is running on said electronic device; wherein the determining comprises; (a) at said electronic device, monitoring keystrokes that are actually entered manually through a keyboard unit of said electronic device; (b) generating a first data-item that indicates the number of keystrokes that were actually entered manually through said keyboard unit based on client-side monitoring of typing of said first string that was typed in a particular on-screen field; (c1) at a remote server that is in communication with said electronic device, receiving a second string that was transmitted by the electronic device to said remote server wherein said second string is submitted to said remote server by said electronic device as reflecting manual keyboard entry of said user in said particular on-screen field; (c2) at said remote server, receiving from said electronic device the first data-item which indicates the number of keystrokes that were actually entered manually through said keyboard unit based on client-side monitoring of typing of said first string that was typed in said particular on-screen field; (c3) at said remote server, determining the character length of said second string that was received at said remote server; (d) detecting that (I) the value of the first data-item that was received at said remote server at step (c2) which indicates the number of keystrokes that were actually entered manually through said keyboard unit based on client-side monitoring of client-side data, is different from (II) the character length that was determined by the remote server in step (c2) for the second string that was received at said remote server in step (c1); (e) based on the detecting of step (d), determining that a malware automatic script was running on said electronic device, and replaced (I) the first string that was manually entered into said particular on-screen field, with (II) the second, different, string. - View Dependent Claims (2, 3)
-
-
4. A non-transitory storage medium having stored thereon instructions that, when executed by a hardware processor, cause the hardware processor to perform a method comprising:
-
determining that a first string that was inputted via manual keyboard input by a user, who utilizes an electronic device to interact with a computerized service, was replaced with a second string by a malware automatic script that is running on said electronic device; wherein the determining comprises; (a) at said electronic device, monitoring keystrokes that are actually entered manually through a keyboard unit of said electronic device; (b) generating a first data-item that indicates the number of keystrokes that were actually entered manually through said keyboard unit based on client-side monitoring of typing of said first string that was typed in a particular on-screen field; (c1) at a remote server that is in communication with said electronic device, receiving a second string that was transmitted by the electronic device to said remote server wherein said second string is submitted to said remote server by said electronic device as reflecting manual keyboard entry of said user in said particular on-screen field; (c2) at said remote server, receiving from said electronic device the first data-item which indicates the number of keystrokes that were actually entered manually through said keyboard unit based on client-side monitoring of typing of said first string that was typed in said particular on-screen field; (c3) at said remote server, determining the character length of said second string that was received at said remote server; (d) detecting that (I) the value of the first data-item that was received at said remote server at step (c2) which indicates the number of keystrokes that were actually entered manually through said keyboard unit based on client-side monitoring of client-side data, is different from (II) the character length that was determined by the remote server in step (c2) for the second string that was received at said remote server in step (c1); (e) based on the detecting of step (d), determining that a malware automatic script was running on said electronic device, and replaced (I) the first string that was manually entered into said particular on-screen field, with (II) the second, different, string.
-
Specification