Detecting human activity to mitigate attacks on a host

US 10,735,382 B2
Filed: 01/27/2017
Issued: 08/04/2020
Est. Priority Date: 01/29/2016
Status: Active Grant

First Claim

Patent Images

1. A method for detecting human activity at a client device by a proxy server comprising:

responsive to receiving, by the proxy server, an initial request for online content of a host server from the client device;

routing, by the proxy server, the initial request to the host server,receiving, by the proxy server, a response from the host server, wherein the response includes the requested online content,modifying, by the proxy server, the response from the host server to include a client device challenge prior to transmission of the modified response to the client device by the proxy server by;

injecting, by the proxy server, a first portion of code within the requested online content, wherein the first portion of code is configured to monitor, by the proxy server, for canvas events within the client device and create records of detected canvas events in a client device memory,injecting, by the proxy server, a second portion of code, wherein the second portion of code is configured to determine

1) client device attributes by querying for one or more of browser and client device runtime information when executed by the client device, and

2) an IP address of the client device,injecting, by the proxy server, in the first and second portions of code, a shared encryption key for encrypting the canvas event record and the client device attributes at the client device,injecting, by the proxy server, a beacon within the requested online content, wherein the beacon includes a 1×

1 pixel image and a query string, represented by a beacon request, to retrieve an image of the beacon from the proxy server,wherein the client device attributes and the canvas event record, when the image of the beacon request is retrieved by the client device, are retrieved by the proxy server through the beacon request,wherein the proxy server decrypts the retrieved client device attributes and the canvas event record based on the shared encryption key provided to the client device, andgenerating, by the proxy server, a fingerprint of the client device based on the client device attributes received from the client device, the record of detected canvas events within the online content by the client device received from the client device, and the IP address of the client device received from the client device;

tracking, by the proxy server, the received client device attributes received from the client device, the record of detected canvas events within the online content by the client device received from the client device, and the IP address received from the client device via the fingerprint of the client device;

responsive to tracking, by the proxy server, the fingerprint of the client device, determining, by the proxy server, whether the received client device attributes, the received record of detected canvas events within the online content by the client device, and the received IP address from the client device are indicative of human activity;

responsive to determining that the received client device attributes, the received record of detected canvas events within the online content by the client device, and the received IP address from the client device are indicative of human activity, transmitting the modified response to the client device;

responsive to receiving the record of detected canvas events within the online content from the client device when the image of the beacon request has been retrieved by the client device;

determining whether the record of detected canvas events includes detected canvas events which are indicative of human activity;

determining whether the record includes that the image of the beacon request has been retrieved by the client device in order to provide the client device attributes to the proxy server which are indicative of human activity; and

responsive to determining the record of detected canvas events when the image of the beacon request has been retrieved by the client device are indicative of human activity, permitting the client device access to the requested online content of the host server,wherein the proxy server maintains fingerprints of client devices passing the challenge in a permitted client device store and fingerprints of client devices failing one or more challenges in a denied client device store, wherein the passing and failing is based on a threshold.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system detects human activity through browser canvas events to mitigate the effects of an attack on a host, such as an application layer (layer 7) DDoS attack. A proxy, such as a HTTP/HTTPS “HTTP(S)” proxy server, configured to handle network traffic between a host and clients challenges clients engaging the host. The proxy challenges the clients by injecting code having a beacon and a shared encryption key into the content received from the host prior to transmission of the client. The code, when executed by the client, is configured to monitor user interactions (or lack thereof) with the content at the client in order to determine whether there is human activity at the client. The proxy receives and analyzes the information about interactions (or lack thereof) to determine whether a client is malicious (e.g., non-human activity) or non-malicious (e.g., human activity).

Citations

15 Claims

1. A method for detecting human activity at a client device by a proxy server comprising:
- responsive to receiving, by the proxy server, an initial request for online content of a host server from the client device;
  
  routing, by the proxy server, the initial request to the host server,receiving, by the proxy server, a response from the host server, wherein the response includes the requested online content,modifying, by the proxy server, the response from the host server to include a client device challenge prior to transmission of the modified response to the client device by the proxy server by;
  
  injecting, by the proxy server, a first portion of code within the requested online content, wherein the first portion of code is configured to monitor, by the proxy server, for canvas events within the client device and create records of detected canvas events in a client device memory,injecting, by the proxy server, a second portion of code, wherein the second portion of code is configured to determine
  
  1) client device attributes by querying for one or more of browser and client device runtime information when executed by the client device, and
  
  2) an IP address of the client device,injecting, by the proxy server, in the first and second portions of code, a shared encryption key for encrypting the canvas event record and the client device attributes at the client device,injecting, by the proxy server, a beacon within the requested online content, wherein the beacon includes a 1×
  
  1 pixel image and a query string, represented by a beacon request, to retrieve an image of the beacon from the proxy server,wherein the client device attributes and the canvas event record, when the image of the beacon request is retrieved by the client device, are retrieved by the proxy server through the beacon request,wherein the proxy server decrypts the retrieved client device attributes and the canvas event record based on the shared encryption key provided to the client device, andgenerating, by the proxy server, a fingerprint of the client device based on the client device attributes received from the client device, the record of detected canvas events within the online content by the client device received from the client device, and the IP address of the client device received from the client device;
  
  tracking, by the proxy server, the received client device attributes received from the client device, the record of detected canvas events within the online content by the client device received from the client device, and the IP address received from the client device via the fingerprint of the client device;
  
  responsive to tracking, by the proxy server, the fingerprint of the client device, determining, by the proxy server, whether the received client device attributes, the received record of detected canvas events within the online content by the client device, and the received IP address from the client device are indicative of human activity;
  
  responsive to determining that the received client device attributes, the received record of detected canvas events within the online content by the client device, and the received IP address from the client device are indicative of human activity, transmitting the modified response to the client device;
  
  responsive to receiving the record of detected canvas events within the online content from the client device when the image of the beacon request has been retrieved by the client device;
  
  determining whether the record of detected canvas events includes detected canvas events which are indicative of human activity;
  
  determining whether the record includes that the image of the beacon request has been retrieved by the client device in order to provide the client device attributes to the proxy server which are indicative of human activity; and
  
  responsive to determining the record of detected canvas events when the image of the beacon request has been retrieved by the client device are indicative of human activity, permitting the client device access to the requested online content of the host server,wherein the proxy server maintains fingerprints of client devices passing the challenge in a permitted client device store and fingerprints of client devices failing one or more challenges in a denied client device store, wherein the passing and failing is based on a threshold.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the first portion of code is configured to, when executed by the client device, attach to one or more of the canvas events from mouse, keyboard, touch and scrolling events detected within the content and generate the record of detected canvas events, the record of detected canvas events comprising, for each detected canvas event, an event type and at least one of a value associated with the event and a timestamp.
  - 3. The method of claim 1, wherein the second portion of code is configured to, when executed by the client device, provide the record of detected canvas events to the proxy server by setting one or more cookie values in a cookie presented to the proxy server based on the detected canvas events or perform a call to provide the detected canvas events to the proxy server.
  - 4. The method of claim 1, wherein determining whether the record includes detected canvas events indicative of human activity comprising analyzing the record for one or more of a repetition of detected events and a repetition of a sequence of detected event.
  - 5. The method of claim 1, wherein determining whether the record includes detected canvas events indicative of human activity comprises analyzing timestamps associated with detected events in the record for repetition of a difference between timestamps of sequential events.

6. A system for detecting human activity at a client device comprising:
- a proxy server comprising a processor and a non-transitory computer readable storage medium storing computer program instructions that when executed by the processor cause the proxy server to;
  
  in response to receipt, by the proxy server, of an initial request for online content of a host server from the client device;
  
  route, by the proxy server, the initial request to the host server,receive, by the proxy server, a response from the host server, wherein the response includes the requested online content, modify, by the proxy server, the response from the host server to include a client device challenge prior to transmission of the modified response to the client device by the proxy server by;
  
  injecting, by the proxy server, a first portion of code within the requested online content, wherein the first portion of code is configured to monitor, by the proxy server, for canvas events within the client device and create records of detected canvas events in a client device memory,injecting, by the proxy server, a second portion of code, wherein the second portion of code is configured to determine
  
  1) client device attributes by querying for one or more of browser and client device runtime information when executed by the client device and
  
  2) an IP address of the client device,injecting, by the proxy server, in the first and second portions of code, a shared encryption key for encrypting the canvas event record and the client device attributes at the client device,injecting, by the proxy server, a beacon within the requested online content, wherein the beacon includes a 1×
  
  1 pixel image and a query string;
  
  represented by a beacon request, to retrieve an image of the beacon from the proxy server,wherein the client device attributes and the canvas event record, when the image of the beacon request is retrieved by the client device, are retrieved by the proxy server through the beacon request,wherein the proxy server decrypts the retrieved client device attributes and the canvas event record based on the shared encryption key provided to the client device, andgenerate, by the proxy server, a fingerprint of the client device based on the client device attributes received from the client device, the record of detected canvas events within the online content by the client device received from the client device, and the IP address of the client device received from the client device;
  
  track, by the proxy server, the received client device attributes received from the client device, the record of detected canvas events within the online content by the client device received from the client device, and the IP address received from the client device via the fingerprint of the client device;
  
  responsive to tracking, by the proxy server, the fingerprint of the client device, determine, by the proxy server, whether the received client device attributes, the received record of detected canvas events within the online content by the client device, and the received IP address from the client device are indicative of human activity;
  
  responsive to determining that the received client device attributes, the received record of detected canvas events within the online content by the client device, and the received IP address from the client device are indicative of human activity, transmit the modified response to the client device;
  
  in response to receipt of the record of detected canvas events within the online content from the client device when the image of the beacon request has been retrieved by the client device;
  
  determine whether the record of detected canvas events includes detected canvas events which are indicative of human activity;
  
  determine whether the record of when the image of the beacon request has been retrieved by the canvas event includes the image of the beacon request being retrieved by the client device which are indicative of human activity; and
  
  responsive to a determination that the record of detected canvas events when the image of the beacon request has been retrieved by the client device are indicative of human activity, permit the client device access to the requested online content of the host server,wherein the proxy server maintains fingerprints of client devices passing the challenge in a permitted client device store and fingerprints of client devices failing one or more challenges in a denied client device store, wherein the passing and failing is based on a threshold.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6, wherein the first portion of code is configured to, when executed by the client device, attach to one or more of the canvas events from mouse, keyboard, touch and scrolling events detected within the content and generate the record of detected canvas events, the record of detected canvas events comprising, for each detected canvas event, an event type and at least one of a value associated with the event and a timestamp.
  - 8. The system of claim 6, wherein the second portion of code is configured to, when executed by the client device, provide the record of detected canvas events to the proxy server by setting one or more cookie values in a cookie presented to the proxy server based on the detected canvas events or perform a call to provide the detected canvas events to the proxy server.
  - 9. The system of claim 6, wherein determining whether the record includes detected canvas events indicative of human activity comprising analyzing the record for one or more of a repetition of detected events and a repetition of a sequence of detected event.
  - 10. The system of claim 6, wherein determining whether the record includes detected canvas events indicative of human activity comprises analyzing timestamps associated with detected events in the record for repetition of a difference between timestamps of sequential events.

11. A non-transitory computer readable storage medium for detecting human activity at a client device by a proxy server, the computer readable storage medium comprising stored computer program instructions that when executed by a processor cause the processor to:
- in response to receipt, by the proxy server, an initial request for online content of a host server from the client device;
  
  route, by the proxy server, the initial request to the host server, receive, by the proxy server, a response from the host server, wherein the response includes the requested online content,modify, by the proxy server, the response from the host server to include a client device challenge prior to transmission of the modified response to the client device by the proxy server by;
  
  injecting, by the proxy server, a first portion of code within the requested online content, wherein the first portion of code is configured to monitor, by the proxy server, for canvas events within the client device and create records of detected canvas events in a client device memory,injecting, by the proxy server, a second portion of code, wherein the second portion of code is configured to determine
  
  1) client device attributes by querying for one or more of browser and client device runtime information when executed by the client device and
  
  2) an IP address of the client device,injecting, by the proxy server, in the first and second portions of code, a shared encryption key for encrypting the canvas event record and the client device attributes at the client device,injecting, by the proxy server, a beacon within the requested online content, wherein the beacon includes a 1×
  
  1 pixel image and a query string;
  
  represented by a beacon request, to retrieve an image of the beacon from the proxy server,wherein the client device attributes and the canvas event record, when the image of the beacon request is retrieved by the client device, are retrieved by the proxy server through the beacon request,wherein the proxy server decrypts the retrieved client device attributes and the canvas event record based on the shared encryption key provided to the client device, andgenerate, by the proxy server, a fingerprint of the client device based on the client device attributes received from the client device, the record of detected canvas events within the online content by the client device received from the client device, and the IP address of the client device received from the client device;
  
  track, by the proxy server, the received client device attributes received from the client device, the record of detected canvas events within the online content by the client device received from the client device, and the IP address received from the client device via the fingerprint of the client device;
  
  responsive to tracking, by the proxy server, the fingerprint of the client device, determine, by the proxy server, whether the received client device attributes, the received record of detected canvas events within the online content by the client device, and the received IP address from the client device are indicative of human activity;
  
  responsive to determining that the received client device attributes, the received record of detected canvas events within the online content by the client device, and the received IP address from the client device are indicative of human activity, transmit the modified response to the client device;
  
  in response to receipt of the record of detected canvas events within the online content from the client device when the image of the beacon request has been retrieved by the client device;
  
  determine whether the record of detected canvas events includes detected canvas events which are indicative of human activity;
  
  determine whether the record of when the image of the beacon request has been retrieved by the client device includes the image of the beacon request being retrieved by the client device which is indicative of human activity; and
  
  responsive to a determination that the record of detected canvas events when the image of the beacon request has been retrieved by the client device are indicative of human activity, permit the client device access to the requested online content of the host server,wherein the proxy server maintains fingerprints of client devices passing the challenge in a permitted client device store and fingerprints of client devices failing one or more challenges in a denied client device store, wherein the passing and failing is based on a threshold.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The non-transitory computer readable storage medium of claim 11, wherein the first portion of code is configured to, when executed by the client device, attach to one or more of the canvas events from mouse, keyboard, touch and scrolling events detected within the content and generate the record of detected canvas events, the record of detected canvas events comprising, for each detected canvas event, an event type and at least one of a value associated with the event and a timestamp.
  - 13. The non-transitory computer readable storage medium of claim 11, wherein the second portion of code is configured to, when executed by the client device, provide the record of detected canvas events to the proxy server by setting one or more cookie values in a cookie presented to the proxy server based on the detected canvas events or perform a call to provide the detected canvas events to the proxy server.
  - 14. The non-transitory computer readable storage medium of claim 11, wherein determining whether the record includes detected canvas events indicative of human activity comprising analyzing the record for one or more of a repetition of detected events and a repetition of a sequence of detected event.
  - 15. The non-transitory computer readable storage medium of claim 11, wherein determining whether the record includes detected canvas events indicative of human activity comprises analyzing timestamps associated with detected events in the record for repetition of a difference between timestamps of sequential events.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zenedge, Inc. (Oracle Corporation)
Original Assignee
Zenedge, Inc. (Oracle Corporation)
Inventors
Kuperman, Leon, Lendeborg, Fausto, McKinney, David Allen, Hernandez, Jose Enrique
Primary Examiner(s)
Shiferaw, Eleni A
Assistant Examiner(s)
Noaman, Bassam A

Application Number

US15/418,527
Publication Number

US 20170223049A1
Time in Patent Office

1,285 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 63/0281   Proxies

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

Detecting human activity to mitigate attacks on a host

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting human activity to mitigate attacks on a host

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links