Techniques for combating man-in-the-browser attacks

US 9,954,893 B1
Filed: 09/22/2015
Issued: 04/24/2018
Est. Priority Date: 09/23/2014
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

generating modified web page code by;

adding decoy code to web page code, wherein the decoy code is designed to be recognized by malware as web code that is vulnerable to attack;

adding monitoring code to the web page code, wherein the monitoring code is configured to detect interaction between malicious code and the decoy code when the modified web page code is executed at the client device;

transmitting the modified web page code to the client device;

wherein the method is performed by one or more computing devices.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus are described for automatically modifying web page code. Specific implementations relate to the modification of web page code for the purpose of combatting Man-in-the-Browser (MitB) attacks.

194 Citations

24 Claims

1. A method, comprising:
- generating modified web page code by;
  
  adding decoy code to web page code, wherein the decoy code is designed to be recognized by malware as web code that is vulnerable to attack;
  
  adding monitoring code to the web page code, wherein the monitoring code is configured to detect interaction between malicious code and the decoy code when the modified web page code is executed at the client device;
  
  transmitting the modified web page code to the client device;
  
  wherein the method is performed by one or more computing devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the decoy code is added to a comments section of the web page code that is not rendered by a browser executing on the client device.
  - 3. The method of claim 1, wherein the decoy code is configured to render the interaction between the malicious code and the decoy code harmless.
  - 4. The method of claim 1, further comprising:
    - receiving a notification from the monitoring code that the interaction between the malicious code and the decoy code was detected.
  - 5. The method of claim 1, wherein the monitoring code is further configured to generate one or more notifications in response to detecting one or more interactions between any malicious code and the decoy code.
  - 6. The method of claim 1, further comprising detecting a change to the decoy code caused by interaction between the malicious code and the decoy code.
  - 7. The method of claim 6, wherein detecting the decoy code comprises:
    - receiving sample web page code from the client device comprising elements of the decoy code at the client device;
      
      comparing the sample web page code to reference web page code comprising original elements of the decoy code added to the web page code; and
      
      determining that the sample web page code does not match the reference web page code.
  - 8. The method of claim 1, wherein the decoy code is configured to be obscured when the modified web page code is rendered on a browser executing on the client device.
  - 9. The method of claim 1, wherein the decoy code includes a dynamic ID.

10. A system, comprising:
- one or more hardware processors;
  
  memory coupled to the one or more hardware processors and storing one or more instructions which, when executed by the one or more hardware processors, cause the one or more hardware processors to;
  
  generate modified web page code by;
  
  adding decoy code to web page code, wherein the decoy code is designed to be recognized by malware as web code that is vulnerable to attack; and
  
  adding monitoring code to the web page code, wherein the monitoring code is configured to detect interaction between malicious code and the decoy code when the modified web page code is executed at the client device;
  
  transmit the modified web page code to the client device.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the decoy code is added to a comments section of the web page code that is not rendered by a browser executing on the client device.
  - 12. The system of claim 10, wherein the decoy code is configured to render the interaction between the malicious code and the decoy code harmless.
  - 13. The system of claim 10, wherein the one or more instructions, when executed by the one or more hardware processors, further cause the one or more hardware processors to:
    - receive a notification from the monitoring code that the interaction between the malicious code and the decoy code was detected.
  - 14. The system of claim 10, wherein the monitoring code is further configured to generate one or more notifications in response to detecting one or more interactions between any malicious code and the decoy code.
  - 15. The system of claim 10, wherein the one or more instructions, when executed by the one or more hardware processors, further cause the one or more hardware processors to:
    - detect a change to the decoy code caused by interaction between the malicious code and the decoy code.
  - 16. The system of claim 15, wherein detecting the change to the decoy code comprises:
    - receiving sample web page code from the client device comprising elements of the decoy code at the client device;
      
      comparing the sample web page code to reference web page code comprising original elements of the decoy code added to the web page code; and
      
      determining that the sample web page code does not match the reference web page code.
  - 17. The system of claim 10, wherein the decoy code is configured to be obscured when the modified web page code is rendered on a browser executing on the client device.
  - 18. The system of claim 10, wherein the decoy code includes a dynamic ID.

19. One or more non-transitory computer-readable media storing instructions which, when executed by one or more hardware processors, cause the one or more hardware processors to:
- generate modified web page code by;
  
  adding decoy code to web page code, wherein the decoy code is designed to be recognized by malware as web code that is vulnerable to attack; and
  
  adding monitoring code to the web page code, wherein the monitoring code is configured to detect interaction between malicious code and the decoy code when the modified web page code is executed at the client device;
  
  transmit the modified web page code to the client device.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The non-transitory computer-readable media of claim 19, wherein the decoy code is configured to render the interaction between the malicious code and the decoy code harmless.
  - 21. The non-transitory computer-readable media of claim 19, wherein the one or more instructions, when executed by the one or more hardware processors, further cause the one or more hardware processors to:
    - receive a notification from the monitoring code that the interaction between the malicious code and the decoy code was detected.
  - 22. The non-transitory computer-readable media of claim 19, wherein the one or more instructions, when executed by the one or more hardware processors, further cause the one or more hardware processors to:
    - detect a change to the decoy code caused by interaction between the malicious code and the decoy code.
  - 23. The non-transitory computer-readable media of claim 22, wherein detecting the change to the decoy code comprises:
    - receiving sample web page code from the client device comprising elements of the decoy code at the client device;
      
      comparing the sample web page code to reference web page code comprising original elements of the decoy code added to the web page code; and
      
      determining that the sample web page code does not match the reference web page code.
  - 24. The non-transitory computer-readable media of claim 19, wherein the decoy code is configured to be obscured when the modified web page code is rendered on a browser executing on the client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Shape Security Inc. (F5 Incorporated)
Original Assignee
Shape Security Inc. (F5 Incorporated)
Inventors
Zhao, Yao, Wang, Xinran
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Teng, Louis

Application Number

US14/861,906
Time in Patent Office

945 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 16/958   Organisation or management ...

G06F 21/54   by adding security routines...

G06F 2221/2119   Authenticating web pages, e...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1466   Active attacks involving in...

H04L 63/1491   using deception as counterm...

Techniques for combating man-in-the-browser attacks

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

194 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for combating man-in-the-browser attacks

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

194 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links