Real-time monitoring of web page code

US 10,701,030 B2
Filed: 01/10/2018
Issued: 06/30/2020
Est. Priority Date: 07/06/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for monitoring by a virtual document object model (DOM) firewall executed in response to a web browser request by a web browser rendering a web page, the method executed by at least one hardware processor of a web server hosting the web page code in network communication with a client terminal accessing the web page code hosted by the web-server, the method comprising:

receiving over a network from the web browser executing on the client terminal, a request to access the web page code hosted by the web server;

monitoring, by a monitoring code, at least one of attempted actions and attempted events initiated by each of a plurality of components of the web page code, wherein the at least one of attempted actions and attempted events include instructions for manipulation of a document object model (DOM) of the web page code, and the monitoring code includes a virtual DOM firewall that simulates the DOM by intercepting the at least one of attempted actions and attempted events targeting the DOM without execution of the at least one of attempted actions and attempted events on the DOM;

identifying a deviation from a set-of-rules according to an analysis of the monitored at least one of attempted actions and attempted events, wherein the set-of-rules define allowable manipulation of the DOM, and prohibited manipulation of the DOM;

wherein the virtual DOM firewall is stored on the web server and executed by the hardware processor of the web server in associated with the web page code;

wherein a common set-of-rules is defined for the web page code for execution by the web server when each client terminal of a plurality of client terminals access the web page code, the set-of-rules are stored in association with the web server hosting the web page; and

wherein the at least one of attempted actions and attempted events that deviate from the set-of-rules are prevented from execution on the DOM, and the at least one of attempted actions and attempted events that adhere to the set-of-rules are allowed to continue execution on the DOM.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for monitoring web page code comprising: monitoring attempted actions and/or attempted events initiated by components of the web page code for manipulation of a document object model (DOM), the monitoring performed by a virtual DOM firewall that simulates the DOM by intercepting the attempted actions and/or attempted events targeting the DOM without execution of the attempted actions and/or attempted events on the DOM, and identifying a deviation from a set-of-rules defining allowable manipulation of the DOM, and prohibited manipulation of the DOM, wherein the virtual DOM firewall is stored on the web server and executed by the hardware processor of the web server in associated with the web page code, wherein attempted actions and/or attempted events that deviate from the set-of-rules are prevented from execution on the DOM, and attempted actions and/or attempted events that adhere to the set-of-rules are allowed to continue execution on the DOM.

13 Citations

36 Claims

1. A computer-implemented method for monitoring by a virtual document object model (DOM) firewall executed in response to a web browser request by a web browser rendering a web page, the method executed by at least one hardware processor of a web server hosting the web page code in network communication with a client terminal accessing the web page code hosted by the web-server, the method comprising:
- receiving over a network from the web browser executing on the client terminal, a request to access the web page code hosted by the web server;
  
  monitoring, by a monitoring code, at least one of attempted actions and attempted events initiated by each of a plurality of components of the web page code, wherein the at least one of attempted actions and attempted events include instructions for manipulation of a document object model (DOM) of the web page code, and the monitoring code includes a virtual DOM firewall that simulates the DOM by intercepting the at least one of attempted actions and attempted events targeting the DOM without execution of the at least one of attempted actions and attempted events on the DOM;
  
  identifying a deviation from a set-of-rules according to an analysis of the monitored at least one of attempted actions and attempted events, wherein the set-of-rules define allowable manipulation of the DOM, and prohibited manipulation of the DOM;
  
  wherein the virtual DOM firewall is stored on the web server and executed by the hardware processor of the web server in associated with the web page code;
  
  wherein a common set-of-rules is defined for the web page code for execution by the web server when each client terminal of a plurality of client terminals access the web page code, the set-of-rules are stored in association with the web server hosting the web page; and
  
  wherein the at least one of attempted actions and attempted events that deviate from the set-of-rules are prevented from execution on the DOM, and the at least one of attempted actions and attempted events that adhere to the set-of-rules are allowed to continue execution on the DOM.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 2. The computer-implemented method of claim 1, wherein the monitoring comprises intercepting by the virtual DOM firewall, the at least one of attempted actions and attempted events for manipulation of the DOM, and allowing transmission of the intercepted the at least one of attempted actions and attempted events for manipulation of the DOM when no deviation from the set-of-rules is identified.
  - 3. The computer-implemented method of claim 1, wherein the monitoring comprises intercepting by the virtual DOM firewall, the at least one of attempted actions and attempted events for manipulation of the DOM, and blocking transmission of the intercepted the at least one of attempted actions and attempted events for manipulation of the DOM when the deviation from the set-of-rules is identified.
  - 4. The computer-implemented method of claim 1, wherein the virtual DOM firewall identifies the deviation from the set-of-rules before the DOM is manipulated according to the at least one of attempted actions and attempted events.
  - 5. The computer-implemented method of claim 1, wherein the virtual DOM firewall identifies the deviation from the set-of-rules while the browser of the client terminal is accessing the web page code stored on the web server.
  - 6. The computer-implemented method of claim 1, when the deviation from the set-of-rules is identified, further comprising transmitting by the virtual DOM firewall to the respective component of the web page code, a virtual reply in response to the at least one of attempted actions and attempted events, wherein the virtual reply includes false data indicative of simulated execution of the at least one of attempted actions and attempted events on the DOM without executing the at least one of attempted actions and attempted events on the DOM, wherein the virtual reply enables the web page code to continue execution without deviating from the set-of-rules.
  - 7. The computer-implemented method of claim 6, further comprising generating the virtual reply according to a simulation execution of the at least one of attempted actions and attempted events on the virtual DOM firewall that simulates the DOM without executing the at least one of attempted actions and attempted events on the DOM.
  - 8. The computer implemented method of claim 1, wherein the component of the web page code comprises malicious code injected by the browser executing on the client terminal accessing the web page code.
  - 9. The computer-implemented method of claim 1, further comprising adding an event handler that detects a mutation event to the DOM of the web page and analyzing a stack trace to determine a sub-component of the component associated with code that caused the mutation, and evaluating whether the mutation deviates from the set-of-rules.
  - 10. The computer-implemented method of claim 1, further comprising adding an event handler that detects a mutation event to the virtual DOM firewall that simulates the DOM of the web page and analyzing a stack trace to determine a sub-component of the component associated with code that caused the mutation.
  - 11. The computer-implemented method of claim 1, wherein the virtual DOM firewall overrides JAVASCRIPT™
    - functions and analyzes a call stack within the JAVASCRIPT™
      
      network request call to identify the component that originated the at least one of attempted actions and attempted events, and identifies a remote server hosting the component.
  - 12. The computer-implemented method of claim 1, wherein the set-of-rules define playing a visual video on a display as an allowable component of the multi-media advertisement, and the set-of-rules define sound as a prohibited component of the multi-media advertisement, wherein a sound component of the multi-media advertisement is blocked while a visual component of the multi-media advertisement is allowed to continue playing on the display.
  - 13. The computer-implemented method of claim 1, wherein the plurality of components include at least one web browser media object is a programmatic advertisement provided by an ad-server for dynamic loading with the web page by the web browser.
  - 14. The computer-implemented method of claim 1, wherein the web page includes a plurality of designations each for placement of a respective component, wherein the web page includes a plurality of monitoring code instruction instances each for loading with an associated respective component, wherein the monitoring is performed by each monitoring code instance of the associated respective component, and wherein the identification of the deviation of each respective component is performed according to a respective set-of-rules defined for each respective component.
  - 15. The computer-implemented method of claim 14, wherein each monitoring code instance monitors the associated respective component without monitoring other content of the web page or other components being monitored by other monitoring code instances.
  - 16. The computer-implemented method of claim 14, wherein each monitoring code instance and associated component are loaded together within a respective frame of the web page, wherein the monitoring code instance monitors the at least one of attempted actions and attempted events from the associated component within the respective frame.
  - 17. The computer-implemented method of claim 16, wherein the set-of-rules define the maximum loaded size of the component, and identifying comprises identifying a deviation above the maximum loaded size of the loaded component.
  - 18. The computer-implemented method of claim 1, wherein the set-of-rules define undesired parameters leading to a degradation of a user experience of a user using the web browser to access the web page.
  - 19. The computer-implemented method of claim 1, wherein the set-of-rules includes at least one member of the group consisting of:
    - statistically significant network usage, statistically significant processing resource utilization, statistically significant user noticeable slow-down in loading of the web page, statistically significant user noticeable slowdown in execution of other applications running on the client terminal, and detection of malware.
  - 20. The computer-implemented method of claim 1, further comprising recursively monitoring loading of sub-frames within a loaded parent frame of the web page, and recursively monitoring the component within the loaded sub-frame and parent frame.
  - 21. The computer-implemented method of claim 1, wherein monitoring comprises monitoring network activity associated with the monitored component.
  - 22. The computer-implemented method of claim 1, wherein the set-of-rules is designed to detect at least one member of the group consisting of:
    - component associated with an advertiser bot, frequency capping, and re-targeting.
  - 23. The computer-implemented method of claim 1, wherein the set-of-rules define prohibited activity as activation of sound by the component.
  - 24. The computer-implemented method of claim 1, further comprising identifying the at least one of attempted actions and attempted events executed by each sub-component of the component to identify which certain sub-component of the component caused the deviation from the set-of-rules.
  - 25. The computer-implemented method of claim 1, wherein monitoring comprises monitoring each technological platform implementation of the component.
  - 26. The computer-implemented method of claim 25, wherein the technological platform implementation includes at least one member of the group consisting of:
    - at least one programming language used to create the component, DOM representation of the component, interface used by the component, and network activity due to the component.
  - 27. The computer-implemented method of claim 1, further comprising creating a call chain of sub-components of each component.
  - 28. The computer-implemented method of claim 27, wherein the call chain is created by analyzing call stacks to identify the connectivity between the sub-components of the component.
  - 29. The computer-implemented method of claim 1, wherein the component includes a plurality of links to a plurality of resources located on at least one remote server, wherein the resources include instructions for execution by the web browser of the client terminal, wherein the resources are arranged in a hierarchy such that a first resource includes instructions to execute at least one second resource, further comprising tracking loading of each of the plurality of resources and creating a dependency graph representing the loading relationship between resources, wherein nodes of the graph represent resources of the component.
  - 30. The computer-implemented method of claim 29, wherein tracking loading comprises at least one member selected from the group consisting of:
    - time of loading relative to the start of the loading process of the web page, the location of the component resource in the web page relative to the root of a DOM of the web page.
  - 31. The computer-implemented method of claim 29, wherein the dependency graph includes weights assigned between nodes of the graph representing at least one of the loading time and distance based on the screen location.
  - 32. The computer-implemented method of claim 31, wherein the loading relationship of resources of components of the web page are analyzed for each loading session of the web page and added to a common graph created for the component representing an average of weights based on multiple sessions.
  - 33. The computer-implemented method of claim 32, further comprising applying a machine learning method to the graph to identify component resources violating the set-of-rules.
  - 34. The computer-implemented method of claim 1, further comprising blocking at least one component identified as deviating from the set-of-rules by automatically removing a designation for requesting the at least one component from the code of the web page.

35. A system for monitoring by a virtual document object model (DOM) firewall executed in response to a web browser request by a web browser rendering a web page, the system comprising:
- a non-transitory memory having stored thereon a code for execution by at least one hardware processor of a web server hosting web page code in network communication with a client terminal accessing the web page code hosted by the web-server, the code comprising;
  
  code for receiving over a network from the web browser executing on the client terminal, a request to access the web page code hosted by the web server;
  
  code for monitoring, by a monitoring code, at least one of attempted actions and attempted events initiated by each of a plurality of components of the web page code, wherein the at least one of attempted actions and attempted events include instructions for manipulation of a document object model (DOM) of the web page code, and the monitoring code includes a virtual DOM firewall that simulates the DOM by intercepting the at least one of attempted actions and attempted events targeting the DOM without execution of the at least one of attempted actions and attempted events on the DOM;
  
  code for identifying a deviation from a set-of-rules according to an analysis of the monitored at least one of attempted actions and attempted events, wherein the set-of-rules define allowable manipulation of the DOM, and prohibited manipulation of the DOM;
  
  wherein the virtual DOM firewall is stored on the web server and executed by the hardware processor of the web server in associated with the web page code;
  
  wherein a common set-of-rules is defined for the web page code for execution by the web server when each client terminal of a plurality of client terminals access the web page code, the set-of-rules are stored in association with the web server hosting the web page; and
  
  wherein the at least one of attempted actions and attempted events that deviate from the set-of-rules are prevented from execution on the DOM, and the at least one of attempted actions and attempted events that adhere to the set-of-rules are allowed to continue execution on the DOM.

36. A computer program product for monitoring by a virtual document object model (DOM) firewall executed in response to a web browser request by a web browser rendering a web page, the computer program product comprising:
- a non-transitory memory having stored thereon a code for execution by at least one hardware processor of a web server hosting web page code in network communication with a client terminal accessing the web page code hosted by the web-server, the code comprising;
  
  instructions for receiving over a network from the web browser executing on the client terminal, a request to access the web page code hosted by the web server;
  
  instructions for monitoring, by a monitoring code, at least one of attempted actions and attempted events initiated by each of a plurality of components of the web page code, wherein the at least one of attempted actions and attempted events include instructions for manipulation of a document object model (DOM) of the web page code, and the monitoring code includes a virtual DOM firewall that simulates the DOM by intercepting the at least one of attempted actions and attempted events targeting the DOM without execution of the at least one of attempted actions and attempted events on the DOM;
  
  instructions for identifying a deviation from a set-of-rules according to an analysis of the monitored at least one of attempted actions and attempted events, wherein the set-of-rules define allowable manipulation of the DOM, and prohibited manipulation of the DOM;
  
  wherein the virtual DOM firewall is stored on the web server and executed by the hardware processor of the web server in associated with the web page code;
  
  wherein a common set-of-rules is defined for the web page code for execution by the web server when each client terminal of a plurality of client terminals access the web page code, the set-of-rules are stored in association with the web server hosting the web page; and
  
  wherein the at least one of attempted actions and attempted events that deviate from the set-of-rules are prevented from execution on the DOM, and the at least one of attempted actions and attempted events that adhere to the set-of-rules are allowed to continue execution on the DOM.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
HIRO Media, Ltd.
Original Assignee
HIRO Media, Ltd.
Inventors
Napchi, Ariel, Napchi, Oded, Oken, Alan, Daniel, Shahar
Primary Examiner(s)
Bechtel, Kevin

Application Number

US15/866,501
Publication Number

US 20180139180A1
Time in Patent Office

902 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/80   of semi-structured data, e....

G06F 16/986   Document structures and sto...

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

H04L 43/08   Monitoring or testing based...

H04L 63/0227   Filtering policies mail mes...

H04L 67/02   based on web technology, e....

Real-time monitoring of web page code

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

13 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Real-time monitoring of web page code

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links