DETECTING THE INTRODUCTION OF ALIEN CONTENT

US 20140283067A1
Filed: 10/16/2013
Published: 09/18/2014
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for identifying abnormal computer behavior, the method comprising:

receiving, at a computer server subsystem, data that characterizes subsets of particular document object models for web pages rendered by particular client computers;

identifying clusters from the data that characterize the subsets of the particular document object models; and

using the clusters to identify alien content on the particular client computers by determining that the alien content comprises content in the document object models that is not a result of content that is the basis of a document object model served to a particular client computer of the client computers.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for identifying abnormal computer behavior includes receiving, at a computer server subsystem, data that characterizes subsets of particular document object models for web pages rendered by particular client computers; identifying clusters from the data that characterize the subsets of the particular document object models; and using the clusters to identify alien content on the particular client computers, wherein the alien content comprises content in the document object models that is not the result of content that is the basis of the document object model served.

109 Citations

27 Claims

1. A computer-implemented method for identifying abnormal computer behavior, the method comprising:
- receiving, at a computer server subsystem, data that characterizes subsets of particular document object models for web pages rendered by particular client computers;
  
  identifying clusters from the data that characterize the subsets of the particular document object models; and
  
  using the clusters to identify alien content on the particular client computers by determining that the alien content comprises content in the document object models that is not a result of content that is the basis of a document object model served to a particular client computer of the client computers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The computer-implemented method of claim 1, wherein the data that characterizes subsets of the particular document object models is generated by code that is provided by the computer server subsystem and to the particular client computers in coordination with the web pages.
  - 3. The computer-implemented method of claim 2, wherein the code that is provided by the computer server subsystem identifies changes to the document object model in response to occurrence of events relating to the web pages.
  - 4. The computer-implemented method of claim 3, wherein the events comprise defined user selections of an object on the web pages.
  - 5. The computer-implemented method of claim 2, wherein the code provided by the computer server subsystem performs reduction processes to generate strings that are substantially smaller than the document object models and that characterize content of the document object models.
  - 6. The computer-implemented method of claim 5, wherein the reduction processes comprise a hash function that is performed on at least portions of the respective document object models.
  - 7. The computer-implemented method of claim 1, wherein the clusters are identified by plotting data from particular ones of the client computers on a hyperplane.
  - 8. The computer-implemented method of claim 7, wherein the hyperplane is defined by dimensions that correspond to particular features of the web pages identified as being relevant to determining whether the actions are benign or malicious.
  - 9. The computer-implemented method of claim 1, wherein using the cluster to identify alien content comprises identifying whether the clusters correspond to features previously identified as being related to benign variations in client computers.
  - 10. The computer-implemented method of claim 1, further comprising sending, by the computer server subsystem and to a security server system, at least a portion of the data that characterizes subsets of particular document object models, wherein the security server system is configured to receive data from a plurality of computer server subsystems, and wherein particular ones of the plurality of computer server subsystems serve different web domains.
  - 11. The computer-implemented method of claim 1, further comprising receiving, at the computer server subsystem, data that indicates context of at least one of (i) the web pages and (ii) the particular client computers.
  - 12. The computer-implemented method of claim 11, wherein the data that indicates context comprises information that identifies the particular client computers.
  - 13. The computer-implemented method of claim 11, wherein the data that indicates context comprises information that identifies an application that rendered the web page at particular ones of the client computers.
  - 14. The computer-implemented method of claim 11, wherein the data that indicates context comprises information that identifies a web site or a web domain for which particular ones of the web pages were served.
  - 15. The computer-implemented method of claim 11, wherein identifying clusters from the data that characterizes the subsets of the particular document object models comprises using the data that indicates context.
  - 16. The computer-implemented method of claim 7, wherein the hyperplane is defined by dimensions that include at least one of an identifier of the particular ones of the client computers, an identifier of an application that rendered the web page at particular ones of the client computers, and an identifier of a web site or a web domain that served particular ones of the web pages.
  - 17. The computer-implemented method of claim 1, wherein the clusters are identified based at least in part on identities of particular ones of the web pages or on identities of web domains that served particular ones of the web pages.
  - 18. The computer-implemented method of claim 1, further comprising determining whether the identified alien content is benign or malicious.
  - 19. The computer-implemented method of claim 18, wherein determining whether the identified alien content is benign or malicious comprises comparing the identified alien content to other alien content that has previously been identified as benign or malicious.

20. A computer system for identifying abnormal computer behavior comprising:
- one or more computing devices;
  
  an instrumentation module installed on the one or more computing devices that is configured to supplement web code with instrumentation code that is executable on a client device and that can collect information about execution of the web code at the client device, wherein the information includes representations of a document object model of the web code;
  
  a security monitoring module installed on the one or more computing devices that is configured to analyze information received from a plurality of client devices that was collected by instrumentation code on each of the plurality of client devices to identify alien content on the client devices.
- View Dependent Claims (21)
- - 21. The computer system of claim 20, wherein the security module is further configured to identify alien content from the plurality of client devices includes identifying clusters of information in a hyperplane.

22. A computer-implemented method for identifying abnormal computer behavior, the method comprising:
- receiving, at a security server system, information that characterizes execution of one or more web resources by a plurality of client computing devices, the information having been generated by instrumentation code that was injected into web code of the one or more web resources and was programmed for causing the client computing devices to report representations of the information that characterizes the execution of the one or more web resources;
  
  identifying, based on the information that characterizes the execution of the one or more web resources by the plurality of client computing devices, a subset of executions on particular ones of the plurality of client computing devices of the one or more web resources that deviated from an expected execution of the one or more web resources; and
  
  using information from the subset of executions of the one or more web resources to identify alien content on the particular ones of the plurality of client computing devices that correspond to the subset of executions of the one or more web resources.
- View Dependent Claims (23, 24, 25, 26, 27)
- - 23. The computer-implemented method of claim 22, wherein the one or more web resources comprise web pages that are executed by standard web browser applications on the plurality of client computing devices.
  - 24. The computer-implemented method of claim 23, wherein the information that characterizes execution of the one or more web resources includes information about user interactions with the web pages.
  - 25. The computer-implemented method of claim 23, wherein the information that characterizes execution of the one or more web resources includes information about the client computing devices or the environments in which the one or more web resources were executed.
  - 26. The computer-implemented method of claim 23, wherein the information that characterizes execution of the one or more web resources includes representations of Document Object Models (DOMs) of the web pages.
  - 27. The computer-implemented method of claim 22, wherein identifying the subset of the executions of the one or more web resources that deviated from the expected execution of the one or more resources comprises identifying clusters of particular executions of the one or more web resources in a hyperplane.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Shape Security Inc. (F5 Incorporated)
Original Assignee
Shape Security Inc. (F5 Incorporated)
Inventors
Call, Justin D., Varadarajan, Subramanian, Huang, Xiaohan, Zhou, Xiaoming, Hansen, Marc R.

Granted Patent

US 9,225,737 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/128   involving web programs, i.e...

G06F 21/54   by adding security routines...

G06F 21/552   involving long-term monitor...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 63/1466   Active attacks involving in...

H04L 63/1483   service impersonation, e.g....

H04L 67/02   based on web technology, e....

DETECTING THE INTRODUCTION OF ALIEN CONTENT

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

109 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

DETECTING THE INTRODUCTION OF ALIEN CONTENT

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

109 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links