System, device, and method of detecting malicious automatic script and code injection
First Claim
Patent Images
1. A method comprising:
- determining that a first string that was inputted via manual keyboard input by a user, who utilizes an electronic device to interact with a computerized service, was replaced with a second string by a malware automatic script that is running on said electronic device;
wherein the determining comprises;
(a) at said electronic device, monitoring keystrokes that are actually entered manually through a keyboard unit of said electronic device;
(b) generating a first data-item that indicates the number of keystrokes that were actually entered manually through said keyboard unit based on client-side monitoring of typing of said first string that was typed in a particular on-screen field;
(c1) at a remote server that is in communication with said electronic device, receiving a second string that was transmitted by the electronic device to said remote server wherein said second string is submitted to said remote server by said electronic device as reflecting manual keyboard entry of said user in said particular on-screen field;
(c2) at said remote server, receiving from said electronic device the first data-item which indicates the number of keystrokes that were actually entered manually through said keyboard unit based on client-side monitoring of typing of said first string that was typed in said particular on-screen field;
(c3) at said remote server, determining the character length of said second string that was received at said remote server;
(d) detecting that (I) the value of the first data-item that was received at said remote server at step (c2) which indicates the number of keystrokes that were actually entered manually through said keyboard unit based on client-side monitoring of client-side data, is different from (II) the character length that was determined by the remote server in step (c2) for the second string that was received at said remote server in step (c1);
(e) based on the detecting of step (d), determining that a malware automatic script was running on said electronic device, and replaced (I) the first string that was manually entered into said particular on-screen field, with (II) the second, different, string.
4 Assignments
0 Petitions
Accused Products
Abstract
Devices, systems, and methods of detecting user identity, differentiating between users of a computerized service, and detecting a possible attacker. The methods include monitoring of user-side input-unit interactions, in general and in response to an interference introduced to user-interface elements. The monitored interactions are used for detecting an attacker that utilizes a remote access channel; for detecting a malicious automatic script, as well as malicious code injection; to identify a particular hardware assembly; to perform user segmentation or user characterization; to enable a visual login process with implicit two-factor authentication; to enable stochastic cryptography; and to detect that multiple users are utilizing the same subscription account.
436 Citations
4 Claims
-
1. A method comprising:
-
determining that a first string that was inputted via manual keyboard input by a user, who utilizes an electronic device to interact with a computerized service, was replaced with a second string by a malware automatic script that is running on said electronic device; wherein the determining comprises; (a) at said electronic device, monitoring keystrokes that are actually entered manually through a keyboard unit of said electronic device; (b) generating a first data-item that indicates the number of keystrokes that were actually entered manually through said keyboard unit based on client-side monitoring of typing of said first string that was typed in a particular on-screen field; (c1) at a remote server that is in communication with said electronic device, receiving a second string that was transmitted by the electronic device to said remote server wherein said second string is submitted to said remote server by said electronic device as reflecting manual keyboard entry of said user in said particular on-screen field; (c2) at said remote server, receiving from said electronic device the first data-item which indicates the number of keystrokes that were actually entered manually through said keyboard unit based on client-side monitoring of typing of said first string that was typed in said particular on-screen field; (c3) at said remote server, determining the character length of said second string that was received at said remote server; (d) detecting that (I) the value of the first data-item that was received at said remote server at step (c2) which indicates the number of keystrokes that were actually entered manually through said keyboard unit based on client-side monitoring of client-side data, is different from (II) the character length that was determined by the remote server in step (c2) for the second string that was received at said remote server in step (c1); (e) based on the detecting of step (d), determining that a malware automatic script was running on said electronic device, and replaced (I) the first string that was manually entered into said particular on-screen field, with (II) the second, different, string. - View Dependent Claims (2, 3)
-
-
4. A non-transitory storage medium having stored thereon instructions that, when executed by a hardware processor, cause the hardware processor to perform a method comprising:
-
determining that a first string that was inputted via manual keyboard input by a user, who utilizes an electronic device to interact with a computerized service, was replaced with a second string by a malware automatic script that is running on said electronic device; wherein the determining comprises; (a) at said electronic device, monitoring keystrokes that are actually entered manually through a keyboard unit of said electronic device; (b) generating a first data-item that indicates the number of keystrokes that were actually entered manually through said keyboard unit based on client-side monitoring of typing of said first string that was typed in a particular on-screen field; (c1) at a remote server that is in communication with said electronic device, receiving a second string that was transmitted by the electronic device to said remote server wherein said second string is submitted to said remote server by said electronic device as reflecting manual keyboard entry of said user in said particular on-screen field; (c2) at said remote server, receiving from said electronic device the first data-item which indicates the number of keystrokes that were actually entered manually through said keyboard unit based on client-side monitoring of typing of said first string that was typed in said particular on-screen field; (c3) at said remote server, determining the character length of said second string that was received at said remote server; (d) detecting that (I) the value of the first data-item that was received at said remote server at step (c2) which indicates the number of keystrokes that were actually entered manually through said keyboard unit based on client-side monitoring of client-side data, is different from (II) the character length that was determined by the remote server in step (c2) for the second string that was received at said remote server in step (c1); (e) based on the detecting of step (d), determining that a malware automatic script was running on said electronic device, and replaced (I) the first string that was manually entered into said particular on-screen field, with (II) the second, different, string.
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeBiocatch Ltd.
-
Original AssigneeBiocatch Ltd.
-
InventorsTurgeman, Avi
-
Primary Examiner(s)Pwu, Jeffrey C
-
Assistant Examiner(s)Cheema, Ali H.
-
Application NumberUS15/372,420Publication NumberTime in Patent Office1,069 DaysField of Search702 81, 706 52, 709223, 715856, 715738, 726 19, 726 22, 726 23, 726 26, 3405731, 705 35, 713164US Class CurrentCPC Class CodesG06F 21/31 User authenticationG06F 21/316 by observing the pattern of...G06F 21/32 using biometric data, e.g. ...G06F 21/55 Detecting local intrusion o...G06F 21/554 involving event detection a...G06F 2221/031 Protect user input by softw...G06F 2221/034 Test or assess a computer o...G06F 2221/21 Indexing scheme relating to...G06F 2221/2133 Verifying human interaction...H04L 63/145 the attack involving the pr...H04W 12/06 AuthenticationH04W 12/30 Security of mobile devices;...H04W 12/63 Location-dependent; Proximi...
