Security systems for mitigating attacks from a headless browser executing on a client computer

US 9,986,058 B2
Filed: 05/21/2015
Issued: 05/29/2018
Est. Priority Date: 05/21/2015
Status: Active Grant

First Claim

Patent Images

1. A computer system configured to improve security of server computers interacting with client computers, and comprising:

a memory;

one or more processors coupled to the memory;

a processor logic coupled to the memory and the one or more processors, and programmed to;

send a set of one or more instructions to a browser at a client computer, wherein the set of one or more instructions define one or more checkpoints which are configured to, when executed, generate a set of telemetry data comprising one or more checkpoint tokens indicating that the one or more checkpoints were executed by the browser and to send the set of telemetry data to the computer system;

receive the set of telemetry data; and

determine whether the browser is legitimate or illegitimate based on the one or more checkpoint tokens in the set of telemetry data;

in response to determining that the one or more checkpoint tokens correspond to one or more valid checkpoint tokens, determine that the browser is legitimate.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computer systems and methods in various embodiments are configured for improving the security and efficiency of server computers interacting through an intermediary computer with client computers that may be executing malicious and/or autonomous headless browsers or “bots”. In an embodiment, a computer system comprises a memory; one or more processors coupled to the memory; a processor logic coupled to the memory and the one or more processors, and configured to: intercept, from a server computer, one or more original instructions to be sent to a browser of a client computer; send the one or more original instructions to the browser and one or more telemetry instructions, wherein the telemetry instructions are configured, when executed, to generate a set of telemetry data indicating one or more objects that were referenced by the browser and to send the set of telemetry data to the intermediary computer; receive the set of telemetry data and determine whether the browser is legitimate or illegitimate based on the set of telemetry data.

166 Citations

28 Claims

1. A computer system configured to improve security of server computers interacting with client computers, and comprising:
- a memory;
  
  one or more processors coupled to the memory;
  
  a processor logic coupled to the memory and the one or more processors, and programmed to;
  
  send a set of one or more instructions to a browser at a client computer, wherein the set of one or more instructions define one or more checkpoints which are configured to, when executed, generate a set of telemetry data comprising one or more checkpoint tokens indicating that the one or more checkpoints were executed by the browser and to send the set of telemetry data to the computer system;
  
  receive the set of telemetry data; and
  
  determine whether the browser is legitimate or illegitimate based on the one or more checkpoint tokens in the set of telemetry data;
  
  in response to determining that the one or more checkpoint tokens correspond to one or more valid checkpoint tokens, determine that the browser is legitimate.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The computer system of claim 1, wherein the one or more checkpoint tokens indicate at least a state of one or more objects in the browser, and the set of telemetry data indicates whether the browser interacted with the one or more objects based on the one or more states.
  - 3. The computer system of claim 1,wherein the processor logic is further programmed to determine the browser is illegitimate in response to determining the one or more checkpoint tokens correspond to one or more invalid checkpoint tokens.
  - 4. The computer system of claim 1, wherein the set of one or more instructions define a callback function that is programmed to be triggered by the browser, and to generate data included in the set of telemetry data indicating whether the browser interacted with a particular object based on a particular state of the browser;
    - wherein the processor logic is further programmed to determine that the browser is legitimate in response to determining the set of telemetry data includes data indicating the browser interacted with the particular object.
  - 5. The computer system of claim 1, wherein the set of one or more instructions define a callback function that is programmed to be triggered by the browser, and to generate data included in the set of telemetry data indicating whether the browser interacted with a particular object based on a particular status of the browser;
    - wherein the processor logic is further programmed to determine that the browser is illegitimate in response to determining the set of telemetry data includes data indicating the browser interacted with the particular object.
  - 6. The computer system of claim 1, wherein the set of telemetry data indicates how one or more checkpoints were reached by the browser;
    - wherein determining whether the browser is legitimate or illegitimate is performed based on how the one or more checkpoints were reached.
  - 7. The computer system of claim 1, wherein the set of telemetry data indicates that one or more checkpoints were reached by the browser in a particular order;
    - wherein determining whether the browser is legitimate or illegitimate is performed based on the particular order in which the one or more checkpoints were reached.
  - 8. The computer system of claim 7, wherein each checkpoint of the one or more checkpoints is a function;
    - wherein the particular order represents a call stack.
  - 9. The computer system of claim 1, wherein the processor logic is further programmed to, in response to determining the browser is legitimate:
    - store a set of identification data that identifies the browser and indicates that the browser is legitimate;
      
      determine from the set of identification data that the browser is legitimate, and in response, send a set of one or more new instructions that do not include instructions which, when executed, generate a set of telemetry data.
  - 10. The computer system of claim 9, wherein the processor logic is further programmed to send the set of one or more new instructions without injecting one or more countermeasure instructions into the set of one or more new instructions in response to determining from the set of identification data that the browser is legitimate.
  - 11. The computer system of claim 1, wherein the processor logic is further programmed to, in response to determining the browser is illegitimate:
    - store a set of identification data that identifies the browser and indicates that the browser is illegitimate;
      
      determine from the set of identification data that the browser is illegitimate, and in response, send a set of one or more new instructions with one or more new browser-detection instructions.
  - 12. The computer system of claim 11, wherein the processor logic is further programmed to, in response to determining from the set of identification data that the browser is illegitimate, inject one or more countermeasure instructions in the set of one or more new instructions, and send the set of one or more new instructions with the one or more countermeasure instructions to the browser.
  - 13. The computer system of claim 1, wherein the processor logic is further programmed to, in response to determining the browser is illegitimate:
    - store a set of identification data that identifies the browser and indicates that the browser is illegitimate;
      
      receive a request for additional data from the browser;
      
      determine based, at least in part, on the set of identification data that the browser is illegitimate, and in response, terminate the request.
  - 14. The system of claim 1, wherein each checkpoint token indicates that the browser executed an associated set of instructions, and wherein the processor logic is further programmed to determine the browser is legitimate in response to determining, based on the telemetry data, that the browser executed a particular set of instructions.
  - 15. The system of claim 1, wherein each checkpoint token indicates that the browser executed an associated set of instructions, and wherein the processor logic is further programmed to determine the browser is illegitimate in response to determining, based on the telemetry data, that the browser executed a particular set of instructions.

16. A computer system configured to improve security of server computers interacting with client computers, and comprising:
- one or more processors;
  
  a memory;
  
  a processor logic coupled to the memory and the one or more processors and programmed to;
  
  send, to a browser of a client computer, a web page comprising JavaScript instructions, the instructions comprising one or more browser-detection JavaScript instructions, which when executed, cause one or more operations to be performed on the client computer and a set of telemetry data to be sent to the computer system, wherein the set of telemetry data comprises one or more checkpoint tokens indicating that one or more checkpoints were executed by the browser of the client computer;
  
  receive the set of telemetry data; and
  
  determine whether the browser is legitimate or illegitimate based on the one or more checkpoint tokens in the set of telemetry data;
  
  in response to determining that the one or more checkpoint tokens correspond to one or more valid checkpoint tokens, determine that the browser is legitimate.
- View Dependent Claims (17, 18, 19)
- - 17. The computer system of claim 16, wherein the processor logic is further programmed to, before receiving the set of telemetry data, terminate one or more requests for additional data from the browser until the set of telemetry data is received and the browser is determined to be legitimate.
  - 18. The system of claim 16, wherein each checkpoint token indicates that the browser executed an associated set of instructions, and wherein the processor logic is further programmed to determine the browser is legitimate in response to determining, based on the telemetry data, that the browser executed a particular set of instructions.
  - 19. The system of claim 16, wherein each checkpoint token indicates that the browser executed an associated set of instructions, and wherein the processor logic is further programmed to determine the browser is illegitimate in response to determining, based on the telemetry data, that the browser executed a particular set of instructions.

20. A method for improving security of a server computer interacting with a client computer, the method comprising:
- receiving, through a browser on the client computer, a set of instructions with one or more browser-detection instructions;
  
  executing the one or more browser-detection instructions, and in response, generating a set of telemetry data comprising one or more checkpoint tokens indicating that one or more checkpoints were executed by the browser;
  
  sending the set of telemetry data to the server computer, wherein the server computer is configured to determine whether the browser is legitimate or illegitimate based on the one or more checkpoint tokens in the set of telemetry data;
  
  wherein the server computer is configured to determine that the browser is legitimate in response to determining that the one or more checkpoint tokens correspond to one or more valid checkpoint tokens;
  
  wherein the method is performed by one or more computing devices.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28)
- - 21. The method of claim 20, wherein the one or more checkpoint tokens indicate at least a state of one or more objects in the browser, and the set of telemetry data indicates whether the browser interacted with the one or more objects based on the one or more states.
  - 22. The method of claim 20 comprising:
    - generating a request for further data from the server computer based on content of the set of instructions;
      
      sending the request to the server computer after sending the set of telemetry data to the server computer.
  - 23. The method of claim 20 comprising:
    - generating a request for further data from the server computer based on content generated by the set of instructions;
      
      sending the request to the server computer with the set of telemetry data.
  - 24. The method of claim 20, wherein the browser-detection instructions are JavaScript instructions.
  - 25. The method of claim 20, wherein the browser-detection instructions are DART instructions.
  - 26. The method of claim 20, wherein the one or more browser-detection instructions are configured to intercept a call to a particular function, generate a particular set of data describing one or more states of one or more objects when the particular function is called, and include the particular set of data in the set of telemetry data.
  - 27. The method of claim 20, wherein each checkpoint token indicates that the browser executed an associated set of instructions, the method further comprising determining the browser is legitimate in response to determining, based on the telemetry data, that the browser executed a particular set of instructions.
  - 28. The method of claim 20, wherein each checkpoint token indicates that the browser executed an associated set of instructions, the method further comprising determining the browser is illegitimate in response to determining, based on the telemetry data, that the browser executed a particular set of instructions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Shape Security Inc. (F5 Incorporated)
Original Assignee
Shape Security Inc. (F5 Incorporated)
Inventors
Li, Zhiwei
Primary Examiner(s)
ABEDIN, SHANTO

Application Number

US14/718,736
Publication Number

US 20160344769A1
Time in Patent Office

1,104 Days
Field of Search

726 23- 25, 713168
US Class Current
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/2133   Verifying human interaction...

H04L 63/0876   based on the identity of th...

H04L 63/1466   Active attacks involving in...

H04L 63/168   above the transport layer

H04L 67/02   based on web technology, e....

H04L 67/564   Enhancement of application ...

Security systems for mitigating attacks from a headless browser executing on a client computer

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

166 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Security systems for mitigating attacks from a headless browser executing on a client computer

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

166 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links