Abstract: Techniques for code modification for detecting abnormal activity are described. Web code is obtained. Modified web code is generated by changing a particular programmatic element to a modified programmatic element throughout the web code. Instrumentation code is generated configured to monitor and report on one or more interactions with versions of the particular programmatic element. The instrumentation code is caused to be provided in association with the modified web code to the first client device in response to the first request from the first client device. Report data generated by the instrumentation code is received. The report data describes abnormal activity at the first client device, the abnormal activity comprising an interaction with a version of the particular programmatic element that does not exist in the modified web code. Based on the report, it is determined that the first client device is likely controlled by malware.

Abstract: Techniques for code modification for detecting abnormal activity are described. Web code is obtained. Modified web code is generated by changing a particular programmatic element to a modified programmatic element throughout the web code. Instrumentation code is generated configured to monitor and report on one or more interactions with versions of the particular programmatic element. The instrumentation code is caused to be provided in association with the modified web code to the first client device in response to the first request from the first client device. Report data generated by the instrumentation code is received. The report data describes abnormal activity at the first client device, the abnormal activity comprising an interaction with a version of the particular programmatic element that does not exist in the modified web code. Based on the report, it is determined that the first client device is likely controlled by malware.

Abstract: Techniques are provided for evaluating and modifying countermeasures based on aggregate transaction status. A first expression pattern is determined that occurs in each of first response messages served by the web server system in response to successful transactions of the transaction type. A second expression pattern is determined that occurs in each of second response messages served by the web server system in response to non-successful transactions of the transaction type requested. Aa status is determined for each of a plurality of transactions of the transaction type based on matching the first expression pattern or the second expression pattern to response messages served by the web server system. Aggregate status information for the transaction type based on the status for the set of operations is updated. Based on a change in the aggregate status information, a set of one or more security countermeasures is updated.

Abstract: Techniques are described for delayed serving of protected content. A request has been made by a client computing device for a requested resource comprising a first portion and a second portion that is initially withheld from the client computing device. First content comprising the first portion of the requested resource and reconnaissance code is served for execution on the client computing device. When executed at the client computing device, the reconnaissance code gathers data at the client computing device that indicates whether the client computing device is human-controlled or bot-controlled. The data gathered by the reconnaissance code is received. Based on the data, it is determined that the client computing device is not bot-controlled. In response to determining that the client computing device is not bot-controlled, the second portion of the requested resource is served to the client computing device.

Abstract: Application programming interfaces (APIs) can be unintentionally exposed and allow for potentially undesirable use of corporate resources. An API call filtering system configured to monitor API call requests received via an endpoint and API call responses received via a supporting service of an API or web service. The API call filtering system enables enterprises to improve their security posture by identifying, studying, reporting, and securing their APIs within their enterprise network.

Abstract: Techniques for code modification for detecting abnormal activity are described. Web code is obtained. Modified web code is generated by changing a particular programmatic element to a modified programmatic element throughout the web code. Instrumentation code is generated configured to monitor and report on one or more interactions with versions of the particular programmatic element. The instrumentation code is caused to be provided in association with the modified web code to the first client device in response to the first request from the first client device. Report data generated by the instrumentation code is received. The report data describes abnormal activity at the first client device, the abnormal activity comprising an interaction with a version of the particular programmatic element that does not exist in the modified web code. Based on the report, it is determined that the first client device is likely controlled by malware.

Abstract: Techniques are described for delayed serving of protected content. A request has been made by a client computing device for a requested resource comprising a first portion and a second portion that is initially withheld from the client computing device. First content comprising the first portion of the requested resource and reconnaissance code is served for execution on the client computing device. When executed at the client computing device, the reconnaissance code gathers data at the client computing device that indicates whether the client computing device is human-controlled or bot-controlled. The data gathered by the reconnaissance code is received. Based on the data, it is determined that the client computing device is not bot-controlled.

Abstract: Techniques are provided for flexible caching.

Abstract: A computer-implemented method for securing a content server system is disclosed. The method includes identifying that a request has been made by a client computing device for serving of content from the content server system; serving, to the client computing device and for execution on the client computing device, reconnaissance code that is programmed to determine whether the client computing device is human-controlled or bot-controlled; receiving, from the reconnaissance code, data that indicates whether the client computing device is human-controlled or bot-controlled; and serving follow-up content to the client computing device, wherein the make-up of the follow-up content is selected based on a determination of whether the client computing device is human-controlled or bot-controlled.

Abstract: This document describes, among other things, a computer-implemented method that can include receiving, from a web server system, web page code to be provided over the internet to a computing device. The web page code can correspond to a particular web page served by the web server system. The method may include generating an intermediate representation of at least a portion of the web page code, and comparing the intermediate representation to a prior intermediate representation of the particular web page. Based on a result of the comparison, the method can include determining what portion of the web page code to analyze for re-coding of the web page code before serving the web page code to the computing device.

Abstract: Techniques for code modification for automation detection are described. Web code is obtained corresponding to content to be served to a first client device in response to a first request from the first client device. Instances of a particular programmatic element in the web code are identified. In response to the first request, modified web code is generated from the web code by consistently changing the particular programmatic element to a modified programmatic element throughout the web code. The modified web code is caused to be provided to the first client device in response to the first request from the first client device. A communication is received from the first client device that is made in response to the modified web code. The communication includes an attempt to interact with the particular programmatic element that exists in the web code but not in the modified web code.

Abstract: Techniques are provided for evaluating and modifying countermeasures based on aggregate transaction status. A first expression pattern is determined that occurs in each of first response messages served by the web server system in response to successful transactions of the transaction type. A second expression pattern is determined that occurs in each of second response messages served by the web server system in response to non-successful transactions of the transaction type requested. Aa status is determined for each of a plurality of transactions of the transaction type based on matching the first expression pattern or the second expression pattern to response messages served by the web server system. Aggregate status information for the transaction type based on the status for the set of operations is updated. Based on a change in the aggregate status information, a set of one or more security countermeasures is updated.

Abstract: A computer-implemented method for securing a content server system is disclosed. The method includes identifying that a request has been made by a client computing device for serving of content from the content server system; serving, to the client computing device and for execution on the client computing device, reconnaissance code that is programmed to determine whether the client computing device is human-controlled or bot-controlled; receiving, from the reconnaissance code, data that indicates whether the client computing device is human-controlled or bot-controlled; and serving follow-up content to the client computing device, wherein the make-up of the follow-up content is selected based on a determination of whether the client computing device is human-controlled or bot-controlled.

Abstract: Techniques are provided for using instrumentation code to detect bots or malware. Data corresponding to requests from a plurality of client devices for a web resource comprising web code is obtained. The web resource is hosted by a first web server system. For a first client device of the plurality of client devices, instrumentation code is served. The instrumentation code is configured to execute on the first client device to monitor execution of the web code of the web resource at the first client device. One or more responses generated by the instrumentation code at the first client device are received from the first client device. The one or more responses are based one or more interactions with the web code at the first client device.

Abstract: A computer-implemented method for coordinating content transformation includes receiving, at a computer server subsystem and from a web server system, computer code to be served in response to a request from a computing client over the internet; modifying the computer code to obscure operation of the web server system that could be determined from the computer code; generating transformation information that is needed in order to reverse the modifications of the computer code to obscure the operation of the web server system; and serving to the computing client the modified code and the reverse transformation information.

Abstract: Systems, methods, and other techniques for improving the operation of computing systems are described. Some implementations include a computer-implemented method. The method can include intercepting, at an intermediary computing system, messages communicated between a web server system and one or more client computing devices. A subset of the intercepted messages can be selected that are determined to commonly relate to a particular web transaction. The method can identify an expression pattern that occurs in the subset of the intercepted messages, and can determine that the identified expression pattern matches a first pre-defined expression pattern from among a plurality of different pre-defined expression patterns. A status of the particular web transaction can be determined based on the first pre-defined expression pattern that matches the identified expression pattern occurring in the subset of the intercepted messages.

Abstract: A computer-implemented method includes providing, for use by a third-party, injectable computer code that is capable of being served with other code provided by the third-party to client computing devices; receiving data from client computing devices that have been served the code by the third-party, the data including data that characterizes (a) the client computing devices and (b) user interaction with the client computing devices; classifying the client computing devices as controlled by actual users or instead by automated software based on analysis of the received data from the client computing devices; and providing to the third party one or more reports that characterize an overall level of automated software activity among client computing devices that have been served code by the third party.

Abstract: A computer-implemented method for securing a content server system is disclosed. The method includes identifying that a request has been made by a client computing device for serving of content from the content server system; serving, to the client computing device and for execution on the client computing device, reconnaissance code that is programmed to determine whether the client computing device is human-controlled or bot-controlled; receiving, from the reconnaissance code, data that indicates whether the client computing device is human-controlled or bot-controlled; and serving follow-up content to the client computing device, wherein the make-up of the follow-up content is selected based on a determination of whether the client computing device is human-controlled or bot-controlled.

Abstract: A computer-implemented method for coordinating content transformation includes receiving, at a computer server subsystem and from a web server system, computer code to be served in response to a request from a computing client over the internet; modifying the computer code to obscure operation of the web server system that could be determined from the computer code; generating transformation information that is needed in order to reverse the modifications of the computer code to obscure the operation of the web server system; and serving to the computing client the modified code and the reverse transformation information.

Abstract: Techniques are provided for using instrumentation code to detect bots or malware. Data corresponding to requests from a plurality of client devices for a web resource comprising web code is obtained. The web resource is hosted by a first web server system. For a first client device of the plurality of client devices, instrumentation code is served. The instrumentation code is configured to execute on the first client device to monitor execution of the web code of the web resource at the first client device. One or more responses generated by the instrumentation code at the first client device are received from the first client device. The one or more responses are based one or more interactions with the web code at the first client device.