Detecting human activity to mitigate attacks on a host
First Claim
1. A method for detecting human activity at a client device by a proxy server comprising:
responsive to receiving, by the proxy server, an initial request for online content of a host server from the client device;
routing, by the proxy server, the initial request to the host server,
receiving, by the proxy server, a response from the host server, wherein the response includes the requested online content,
modifying, by the proxy server, the response from the host server to include a client device challenge prior to transmission of the modified response to the client device by the proxy server by;
injecting, by the proxy server, a first portion of code within the requested online content, wherein the first portion of code is configured to monitor, by the proxy server, for canvas events within the client device and create records of detected canvas events in a client device memory,
injecting, by the proxy server, a second portion of code, wherein the second portion of code is configured to determine 1) client device attributes by querying for one or more of browser and client device runtime information when executed by the client device, and 2) an IP address of the client device,
injecting, by the proxy server, in the first and second portions of code, a shared encryption key for encrypting the canvas event record and the client device attributes at the client device,
injecting, by the proxy server, a beacon within the requested online content, wherein the beacon includes a 1×1 pixel image and a query string, represented by a beacon request, to retrieve an image of the beacon from the proxy server,
wherein the client device attributes and the canvas event record, when the image of the beacon request is retrieved by the client device, are retrieved by the proxy server through the beacon request,
wherein the proxy server decrypts the retrieved client device attributes and the canvas event record based on the shared encryption key provided to the client device, and
generating, by the proxy server, a fingerprint of the client device based on the client device attributes received from the client device, the record of detected canvas events within the online content by the client device received from the client device, and the IP address of the client device received from the client device;
tracking, by the proxy server, the received client device attributes received from the client device, the record of detected canvas events within the online content by the client device received from the client device, and the IP address received from the client device via the fingerprint of the client device;
responsive to tracking, by the proxy server, the fingerprint of the client device, determining, by the proxy server, whether the received client device attributes, the received record of detected canvas events within the online content by the client device, and the received IP address from the client device are indicative of human activity;
responsive to determining that the received client device attributes, the received record of detected canvas events within the online content by the client device, and the received IP address from the client device are indicative of human activity, transmitting the modified response to the client device;
responsive to receiving the record of detected canvas events within the online content from the client device when the image of the beacon request has been retrieved by the client device;
determining whether the record of detected canvas events includes detected canvas events which are indicative of human activity;
determining whether the record includes that the image of the beacon request has been retrieved by the client device in order to provide the client device attributes to the proxy server which are indicative of human activity; and
responsive to determining the record of detected canvas events when the image of the beacon request has been retrieved by the client device are indicative of human activity, permitting the client device access to the requested online content of the host server,
wherein the proxy server maintains fingerprints of client devices passing the challenge in a permitted client device store and fingerprints of client devices failing one or more challenges in a denied client device store, wherein the passing and failing is based on a threshold.
Abstract
A system detects human activity through browser canvas events to mitigate the effects of an attack on a host, such as an application layer (layer 7) DDoS attack. A proxy, such as an HTTP/HTTPS ("HTTP(S)") proxy server, configured to handle network traffic between a host and clients challenges clients engaging the host. The proxy challenges the clients by injecting code having a beacon and a shared encryption key into the content received from the host prior to transmission to the client. The code, when executed by the client, is configured to monitor user interactions (or lack thereof) with the content at the client in order to determine whether there is human activity at the client. The proxy receives and analyzes the information about interactions (or lack thereof) to determine whether a client is malicious (e.g., non-human activity) or non-malicious (e.g., human activity).
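The proxy-side half of the challenge described in the first claim and the abstract, as an added example that is not code from the patent or from any product: it decrypts the beacon query string with the shared key, derives the fingerprint from the three inputs claim 1 names (attributes, canvas-event record, IP address), scores the canvas-event record, and keeps the permitted and denied stores with a failure threshold. The HMAC-SHA256 counter keystream, the beacon path, the JSON record layout, the threshold value and the human-activity heuristic are all assumptions, since the claims name none of them.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlencode, urlparse

NONCE_LEN = 8  # constructed: nonce is prefixed to the ciphertext carried by the beacon

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode XOR with an HMAC-SHA256 keystream, a stand-in for the cipher the
    claims do not name. Symmetric: the same call encrypts and decrypts."""
    out = bytearray()
    for blk in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + blk.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[blk * 32:(blk + 1) * 32], ks))
    return bytes(out)

def build_beacon_url(key: bytes, nonce: bytes, record: dict) -> str:
    """What the injected client code would request: the 1x1 image plus a query string
    carrying the encrypted attributes and canvas-event record (hypothetical path)."""
    ct = nonce + keystream_xor(key, nonce, json.dumps(record).encode())
    return "https://proxy.example/b.gif?" + urlencode({"d": base64.urlsafe_b64encode(ct).decode()})

def decrypt_beacon(key: bytes, url: str) -> dict:
    raw = base64.urlsafe_b64decode(parse_qs(urlparse(url).query)["d"][0])
    return json.loads(keystream_xor(key, raw[:NONCE_LEN], raw[NONCE_LEN:]))

def fingerprint(attrs: dict, events: list, ip: str) -> str:
    return hashlib.sha256(json.dumps([attrs, events, ip], sort_keys=True).encode()).hexdigest()

def canvas_events_look_human(events: list, min_events: int = 3) -> bool:
    """Assumed heuristic: enough events, strictly increasing timestamps, and pointer
    positions that are not all identical (an empty or synthetic record fails this)."""
    if len(events) < min_events:
        return False
    times = [e["t"] for e in events]
    if any(b <= a for a, b in zip(times, times[1:])):
        return False
    return len({(e["x"], e["y"]) for e in events}) > 1

class ProxyChallenge:
    """Proxy-side bookkeeping: permitted and denied fingerprint stores, with a failure
    threshold (assumed value) before a fingerprint moves to the denied store."""
    def __init__(self, key: bytes, fail_threshold: int = 2):
        self.key, self.fail_threshold = key, fail_threshold
        self.permitted, self.denied, self.failures = set(), set(), {}

    def evaluate(self, beacon_url: str, client_ip: str) -> str:
        rec = decrypt_beacon(self.key, beacon_url)
        events = rec.get("events", [])
        fp = fingerprint(rec["attrs"], events, client_ip)
        if fp in self.denied:
            return "deny"
        # assumed check: the IP the second code portion reported must match the connection
        if rec.get("ip") == client_ip and canvas_events_look_human(events):
            self.permitted.add(fp)
            return "permit"
        self.failures[fp] = self.failures.get(fp, 0) + 1
        if self.failures[fp] >= self.fail_threshold:
            self.denied.add(fp)
        return "deny"
```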
15 Claims
1. (Reproduced in full under First Claim above.) Dependent claims: 2, 3, 4, 5.
6. A system for detecting human activity at a client device comprising:
a proxy server comprising a processor and a non-transitory computer readable storage medium storing computer program instructions that when executed by the processor cause the proxy server to;
in response to receipt, by the proxy server, of an initial request for online content of a host server from the client device;
route, by the proxy server, the initial request to the host server,
receive, by the proxy server, a response from the host server, wherein the response includes the requested online content,
modify, by the proxy server, the response from the host server to include a client device challenge prior to transmission of the modified response to the client device by the proxy server by;
injecting, by the proxy server, a first portion of code within the requested online content, wherein the first portion of code is configured to monitor, by the proxy server, for canvas events within the client device and create records of detected canvas events in a client device memory,
injecting, by the proxy server, a second portion of code, wherein the second portion of code is configured to determine 1) client device attributes by querying for one or more of browser and client device runtime information when executed by the client device and 2) an IP address of the client device,
injecting, by the proxy server, in the first and second portions of code, a shared encryption key for encrypting the canvas event record and the client device attributes at the client device,
injecting, by the proxy server, a beacon within the requested online content, wherein the beacon includes a 1×1 pixel image and a query string; represented by a beacon request, to retrieve an image of the beacon from the proxy server,
wherein the client device attributes and the canvas event record, when the image of the beacon request is retrieved by the client device, are retrieved by the proxy server through the beacon request,
wherein the proxy server decrypts the retrieved client device attributes and the canvas event record based on the shared encryption key provided to the client device, and
generate, by the proxy server, a fingerprint of the client device based on the client device attributes received from the client device, the record of detected canvas events within the online content by the client device received from the client device, and the IP address of the client device received from the client device;
track, by the proxy server, the received client device attributes received from the client device, the record of detected canvas events within the online content by the client device received from the client device, and the IP address received from the client device via the fingerprint of the client device;
responsive to tracking, by the proxy server, the fingerprint of the client device, determine, by the proxy server, whether the received client device attributes, the received record of detected canvas events within the online content by the client device, and the received IP address from the client device are indicative of human activity;
responsive to determining that the received client device attributes, the received record of detected canvas events within the online content by the client device, and the received IP address from the client device are indicative of human activity, transmit the modified response to the client device;
in response to receipt of the record of detected canvas events within the online content from the client device when the image of the beacon request has been retrieved by the client device;
determine whether the record of detected canvas events includes detected canvas events which are indicative of human activity;
determine whether the record of when the image of the beacon request has been retrieved by the canvas event includes the image of the beacon request being retrieved by the client device which are indicative of human activity; and
responsive to a determination that the record of detected canvas events when the image of the beacon request has been retrieved by the client device are indicative of human activity, permit the client device access to the requested online content of the host server,
wherein the proxy server maintains fingerprints of client devices passing the challenge in a permitted client device store and fingerprints of client devices failing one or more challenges in a denied client device store, wherein the passing and failing is based on a threshold.
Dependent claims: 7, 8, 9, 10.
11. A non-transitory computer readable storage medium for detecting human activity at a client device by a proxy server, the computer readable storage medium comprising stored computer program instructions that when executed by a processor cause the processor to:
in response to receipt, by the proxy server, an initial request for online content of a host server from the client device;
route, by the proxy server, the initial request to the host server,
receive, by the proxy server, a response from the host server, wherein the response includes the requested online content,
modify, by the proxy server, the response from the host server to include a client device challenge prior to transmission of the modified response to the client device by the proxy server by;
injecting, by the proxy server, a first portion of code within the requested online content, wherein the first portion of code is configured to monitor, by the proxy server, for canvas events within the client device and create records of detected canvas events in a client device memory,
injecting, by the proxy server, a second portion of code, wherein the second portion of code is configured to determine 1) client device attributes by querying for one or more of browser and client device runtime information when executed by the client device and 2) an IP address of the client device,
injecting, by the proxy server, in the first and second portions of code, a shared encryption key for encrypting the canvas event record and the client device attributes at the client device,
injecting, by the proxy server, a beacon within the requested online content, wherein the beacon includes a 1×1 pixel image and a query string; represented by a beacon request, to retrieve an image of the beacon from the proxy server,
wherein the client device attributes and the canvas event record, when the image of the beacon request is retrieved by the client device, are retrieved by the proxy server through the beacon request,
wherein the proxy server decrypts the retrieved client device attributes and the canvas event record based on the shared encryption key provided to the client device, and
generate, by the proxy server, a fingerprint of the client device based on the client device attributes received from the client device, the record of detected canvas events within the online content by the client device received from the client device, and the IP address of the client device received from the client device;
track, by the proxy server, the received client device attributes received from the client device, the record of detected canvas events within the online content by the client device received from the client device, and the IP address received from the client device via the fingerprint of the client device;
responsive to tracking, by the proxy server, the fingerprint of the client device, determine, by the proxy server, whether the received client device attributes, the received record of detected canvas events within the online content by the client device, and the received IP address from the client device are indicative of human activity;
responsive to determining that the received client device attributes, the received record of detected canvas events within the online content by the client device, and the received IP address from the client device are indicative of human activity, transmit the modified response to the client device;
in response to receipt of the record of detected canvas events within the online content from the client device when the image of the beacon request has been retrieved by the client device;
determine whether the record of detected canvas events includes detected canvas events which are indicative of human activity;
determine whether the record of when the image of the beacon request has been retrieved by the client device includes the image of the beacon request being retrieved by the client device which is indicative of human activity; and
responsive to a determination that the record of detected canvas events when the image of the beacon request has been retrieved by the client device are indicative of human activity, permit the client device access to the requested online content of the host server,
wherein the proxy server maintains fingerprints of client devices passing the challenge in a permitted client device store and fingerprints of client devices failing one or more challenges in a denied client device store, wherein the passing and failing is based on a threshold.
Dependent claims: 12, 13, 14, 15.
Specification