DETECTING THE INTRODUCTION OF ALIEN CONTENT
First Claim
1. A computer-implemented method for identifying abnormal computer behavior, the method comprising:
- receiving, at a computer server subsystem, data that characterizes subsets of particular document object models for web pages rendered by particular client computers;
identifying clusters from the data that characterize the subsets of the particular document object models; and
using the clusters to identify alien content on the particular client computers by determining that the alien content comprises content in the document object models that is not a result of content that is the basis of a document object model served to a particular client computer of the client computers.
4 Assignments
0 Petitions
Accused Products
Abstract
A computer-implemented method for identifying abnormal computer behavior includes receiving, at a computer server subsystem, data that characterizes subsets of particular document object models for web pages rendered by particular client computers; identifying clusters from the data that characterize the subsets of the particular document object models; and using the clusters to identify alien content on the particular client computers, wherein the alien content comprises content in the document object models that is not the result of content that is the basis of the document object model served.
109 Citations
27 Claims
-
1. A computer-implemented method for identifying abnormal computer behavior, the method comprising:
-
receiving, at a computer server subsystem, data that characterizes subsets of particular document object models for web pages rendered by particular client computers; identifying clusters from the data that characterize the subsets of the particular document object models; and using the clusters to identify alien content on the particular client computers by determining that the alien content comprises content in the document object models that is not a result of content that is the basis of a document object model served to a particular client computer of the client computers. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
-
-
20. A computer system for identifying abnormal computer behavior comprising:
-
one or more computing devices; an instrumentation module installed on the one or more computing devices that is configured to supplement web code with instrumentation code that is executable on a client device and that can collect information about execution of the web code at the client device, wherein the information includes representations of a document object model of the web code; a security monitoring module installed on the one or more computing devices that is configured to analyze information received from a plurality of client devices that was collected by instrumentation code on each of the plurality of client devices to identify alien content on the client devices. - View Dependent Claims (21)
-
-
22. A computer-implemented method for identifying abnormal computer behavior, the method comprising:
-
receiving, at a security server system, information that characterizes execution of one or more web resources by a plurality of client computing devices, the information having been generated by instrumentation code that was injected into web code of the one or more web resources and was programmed for causing the client computing devices to report representations of the information that characterizes the execution of the one or more web resources; identifying, based on the information that characterizes the execution of the one or more web resources by the plurality of client computing devices, a subset of executions on particular ones of the plurality of client computing devices of the one or more web resources that deviated from an expected execution of the one or more web resources; and using information from the subset of executions of the one or more web resources to identify alien content on the particular ones of the plurality of client computing devices that correspond to the subset of executions of the one or more web resources. - View Dependent Claims (23, 24, 25, 26, 27)
-
Specification