Patents Assigned to SHAPE SECURITY, INC.
-
Patent number: 12130920
Abstract: Techniques are provided for detecting a malicious script in a web page. Instrumentation code is provided for serving to a client computing device with a web page. The instrumentation code is configured to monitor web code execution at the client computing device when a script referenced by the web page is processed. Script activity data generated by the instrumentation code is received. The script activity data describes one or more script actions detected by the instrumentation code at the client computing device. Prior script activity data generated by a prior instance of the instrumentation code is obtained. A malicious change in the script is detected based on comparing the script activity data and the prior script activity data. In response to detecting the malicious change in the script, a threat response action is performed.
Type: Grant
Filed: September 28, 2023
Date of Patent: October 29, 2024
Assignee: SHAPE SECURITY, INC.
Inventors: Tim Disney, Madhukar Kedlaya, Claire Schlenker, Nitish Khadke
-
Patent number: 12126631
Abstract: Techniques are provided for detecting compromised credentials in a credential stuffing attack. A set model is trained based on a first set of spilled credentials. The set model does not comprise any credential of the first set of spilled credentials. A first request is received from a client computer with a first candidate credential to login to a server computer. The first candidate credential is tested for membership in the first set of spilled credentials using the set model. In response to determining the first set of spilled credentials includes the first candidate credential using the set model, one or more negative actions are performed.
Type: Grant
Filed: April 16, 2021
Date of Patent: October 22, 2024
Assignee: SHAPE SECURITY, INC.
Inventors: Daniel G. Moen, Carl Schroeder
-
Patent number: 12047411
Abstract: Techniques are provided for detecting compromised web pages in a runtime environment. A first version of a web page is retrieved and loaded in a browser comprising a browser extension configured to detect event listeners added when web pages are loaded by the browser. First data is generated describing a first set of event listeners detected by the browser extension when the first version of the web page is loaded. At a second time a second version of the web page is retrieved and loaded in the browser. Second data is generated describing a second set of event listeners detected by the browser extension when the second version of the web page is loaded. It is determined that the web page is compromised based on comparing the first data and the second data. In response to determining that the web page is compromised, a threat response action is performed.
Type: Grant
Filed: December 10, 2019
Date of Patent: July 23, 2024
Assignee: SHAPE SECURITY, INC.
Inventors: Wesley Hales, Jarrod Overson
-
Patent number: 11934931
Abstract: In an embodiment, a computer-implemented method for training a decision tree using a database system, the decision tree comprising a plurality of nodes, comprises, by one or more computing devices: storing in a database input data for training the decision tree, the input data comprising a plurality of feature values corresponding to a plurality of features; generating a particular node of the plurality of decision nodes by: selecting a subset of the plurality of features and a subset of the input data; using one or more queries to the database system, for each feature of the subset of the plurality of features, calculating an information gain associated with the feature based on the subset of the input data; identifying a particular feature of the subset of the plurality of features associated with the highest information gain; associating the particular node with the particular feature, wherein the particular node causes the decision tree to branch based on the particular feature.
Type: Grant
Filed: December 17, 2018
Date of Patent: March 19, 2024
Assignee: SHAPE SECURITY, INC.
Inventors: Bei Zhang, Samir Shah, Kenton Miller
-
Patent number: 11790083
Abstract: Techniques are provided for detecting a malicious script in a web page. Instrumentation code is provided for serving to a client computing device with a web page. The instrumentation code is configured to monitor web code execution at the client computing device when a script referenced by the web page is processed. Script activity data generated by the instrumentation code is received. The script activity data describes one or more script actions detected by the instrumentation code at the client computing device. Prior script activity data generated by a prior instance of the instrumentation code is obtained. A malicious change in the script is detected based on comparing the script activity data and the prior script activity data. In response to detecting the malicious change in the script, a threat response action is performed.
Type: Grant
Filed: June 26, 2020
Date of Patent: October 17, 2023
Assignee: SHAPE SECURITY, INC.
Inventors: Tim Disney, Madhukar Kedlaya, Claire Schlenker Schlenker, Nitish Khadke
-
Patent number: 11743256
Abstract: A security server device, method, non-transitory computer readable medium and security system that receives request data for a request from a client to a web server system where the request comprises a session identifier (ID) for a session between an authenticated user and the web server system. A determination is made whether the client is a single-user device based on the request data and multi-domain data. Another determination is made on whether the client is compromised based on the request data. In response to the determinations that the client is a single-user device and is not compromised an extension of the session between the authenticated user on the client and the web server system is caused.
Type: Grant
Filed: November 3, 2020
Date of Patent: August 29, 2023
Assignee: SHAPE SECURITY, INC.
Inventors: Mengmeng Chen, Sumit Agarwal, Yao Zhao
-
Patent number: 11741197
Abstract: Technology related to obfuscating programs using different instruction set architectures is disclosed. In one example, a method includes receiving a program implemented as a set of ordered instructions. Each instruction of the set of ordered instructions has a type specified by a first instruction set architecture (ISA). A subgroup of instructions is selected from the set of ordered instructions. A new instruction type is generated to perform the operations of the subgroup of consecutive instructions. The new instruction type is added to a second ISA. An updated program is generated by replacing the subgroup of instructions with a new instruction of the generated new instruction type. An interpreter for executing programs using the second ISA is generated. In response to a request for the program, the updated program and the interpreter are sent.
Type: Grant
Filed: October 9, 2020
Date of Patent: August 29, 2023
Assignee: SHAPE SECURITY, INC.
Inventors: Kevin Gibbons, Michael J. Ficarra
-
Patent number: 11736512
Abstract: Methods, non-transitory computer readable media, protection server apparatuses, and network security systems that improve network security for web applications by mitigating cyberattacks that cause the exfiltration of data are illustrated. With this technology, network request(s) are received from a client that specify domain(s) to which the client has sent data during rendering of a webpage. The webpage includes instrumentation code configured to intercept and post the network requests. A determination is then made when one of the domain(s) is a malicious domain. Interceptor code is generated based on a type of attack that is associated with the one of the domains, when the determination indicates the one of the domains is a malicious domain. The instrumentation code is then updated to include the interceptor code. The interceptor code is configured to mitigate the attack when the webpage is subsequently rendered by another client.
Type: Grant
Filed: October 13, 2020
Date of Patent: August 22, 2023
Assignee: SHAPE SECURITY, INC.
Inventor: Jarrod S. Overson
-
Patent number: 11652835
Abstract: This technology maintains de-identified visit data to a plurality of websites from assigned user identifiers (UIDs) corresponding to a plurality of clients. The assigned UIDs include a different assigned UID for each client-website pair, the de-identified visit data associating the assigned UIDs to a plurality of groups. A first group from the groups is determined based on first request data corresponding to a first request from a client to a web server system. First group visit data describing visits to a set of the websites by assigned UIDs belonging to the first group is obtained from the de-identified visit data. Affinity data, comprising at least one affinity score for at least one of the websites, is generated based on the first group visit data. Generation of affiliate content based on the affinity data is caused, where the affiliate content corresponds to the at least one of the websites.
Type: Grant
Filed: October 15, 2020
Date of Patent: May 16, 2023
Assignee: SHAPE SECURITY, INC.
Inventors: Sumit Agarwal, Mengmeng Chen
-
Patent number: 11647036
Abstract: A method, non-transitory computer readable medium, device and system that receives one of one or more requests from a client to a web server system. An interstitial page is served to the client and comprises instrumentation code that, when executed at the client, collects telemetry data. The telemetry data is received and a threat analysis is performed on the telemetry data collected in association with the one of the requests. A determination is made on when, based on the performing the threat analysis, that the one of the requests is from a potential attacker. When the determination indicates the one of the requests is not from the potential attacker then the one of the requests is allowed.
Type: Grant
Filed: September 17, 2020
Date of Patent: May 9, 2023
Assignee: SHAPE SECURITY, INC.
Inventors: Tim Disney, Michael Ficarra, Nitish Khadke
-
Patent number: 11552936
Abstract: In an embodiment, a method comprises intercepting, from a first computer, a first set of instructions that define one or more original operations, which are configured to cause one or more requests to be sent if executed by a client computer; modifying the first set of instructions to produce a modified set of instructions, which are configured to cause a credential to be included in the one or more requests sent if executed by the client computer; rendering a second set of instructions comprising the modified set of instructions and one or more credential-morphing-instructions, wherein the one or more credential-morphing-instructions define one or more credential-morphing operations, which are configured to cause the client computer to update the credential over time if executed; sending the second set of instructions to a second computer.
Type: Grant
Filed: July 24, 2017
Date of Patent: January 10, 2023
Assignee: SHAPE SECURITY, INC.
Inventors: Justin Call, Subramanian Varadarajan, Bryan Hanks
-
Patent number: 11483324
Abstract: Techniques are provided for detection of malicious activity using behavior data. A behavior model is trained with behavior data generated in association with a plurality of requests. Data is received that describes a particular request from a particular client device to a server system hosting a website. The data includes particular behavior data generated at the particular client device in association with the particular request. The particular behavior data is analyzed using the behavior model to generate a behavior model result. An automation determination for the particular request is generated based on the behavior model result. The particular request is handled based on the automation determination for the particular request.
Type: Grant
Filed: May 22, 2018
Date of Patent: October 25, 2022
Assignee: SHAPE SECURITY, INC.
Inventors: Ye Xu, Yao Zhao, Xinran Wang, Jarrod Overson
-
Patent number: 11475122
Abstract: Technology related to detecting and/or mitigating malicious client-side scripts is disclosed. In one example, a method includes sending a request for a page of a client application. In response to the request for the page, the page and a supervisory script of the page are received. The supervisory script of the page of the client application can be executed within a client environment. The supervisory script can override an operation associated with an architected application programming interface (API) of the client environment. During rendering of the page, a call to the architected API of the client environment can be serviced by performing a modified operation that is different than the architected operation associated with the architected API.
Type: Grant
Filed: April 16, 2021
Date of Patent: October 18, 2022
Assignee: SHAPE SECURITY, INC.
Inventors: Madhukar Nagaraja Kedlaya, Timothy Charles Disney, Nitish Kishore Khadke, Claire Madison Schlenker
-
Patent number: 11297097
Abstract: Techniques for code modification for detecting abnormal activity are described. Web code is obtained. Modified web code is generated by changing a particular programmatic element to a modified programmatic element throughout the web code. Instrumentation code is generated configured to monitor and report on one or more interactions with versions of the particular programmatic element. The instrumentation code is caused to be provided in association with the modified web code to the first client device in response to the first request from the first client device. Report data generated by the instrumentation code is received. The report data describes abnormal activity at the first client device, the abnormal activity comprising an interaction with a version of the particular programmatic element that does not exist in the modified web code. Based on the report, it is determined that the first client device is likely controlled by malware.
Type: Grant
Filed: December 29, 2019
Date of Patent: April 5, 2022
Assignee: SHAPE SECURITY, INC.
Inventors: Justin D. Call, Xiaoming Zhou, Xiaohan Huang, Subramanian Varadarajan, Roger S. Hoover
-
Patent number: 11258820
Abstract: Techniques are provided for request modification for web security challenge. Data corresponding to a web page request by a client computing device for a web page is received. The web page comprises web code that allows a user to submit a request to initiate a web transaction with a web server system. Challenge code is generated that determines one or more values that are a valid solution to a challenge. The challenge code is provided for integrated code to be served in response to the web page request. The integrated code comprises the challenge code and modified web code that adds one or more parameters for the valid solution to the request. A particular request is received to initiate the web transaction. It is determined that the one or more parameter values are not a valid solution. In response, the web server system is prevented from processing the particular request.
Type: Grant
Filed: December 30, 2019
Date of Patent: February 22, 2022
Assignee: SHAPE SECURITY, INC.
Inventor: Marc R. Hansen
-
Patent number: 11258819
Abstract: A method, non-transitory computer readable medium, device, and system that receives telemetry data collected based on instrumentation code executed at one of a plurality of client computing devices with a requested transaction with one of a plurality of web server systems. Identifying signal data (IDSD) usable to identify the one of client computing devices is determined based on the received telemetry data. Any matching telemetry data in a telemetry data set for a plurality of prior transactions between one or more of the client computing devices and one or more of the web server systems is identified based on any stored IDSDs that match the received IDSD. A security score associated with the one of the client computing devices is generated based on the identified matching telemetry data. A response to the requested transaction to the one of client computing devices is managed based on the generated security score.
Type: Grant
Filed: May 22, 2020
Date of Patent: February 22, 2022
Assignee: SHAPE SECURITY, INC.
Inventor: Sumit Agarwal
-
Patent number: 11171925
Abstract: Techniques are provided for evaluating and modifying countermeasures based on aggregate transaction status. A first expression pattern is determined that occurs in each of first response messages served by the web server system in response to successful transactions of the transaction type. A second expression pattern is determined that occurs in each of second response messages served by the web server system in response to non-successful transactions of the transaction type requested. A status is determined for each of a plurality of transactions of the transaction type based on matching the first expression pattern or the second expression pattern to response messages served by the web server system. Aggregate status information for the transaction type based on the status for the set of operations is updated. Based on a change in the aggregate status information, a set of one or more security countermeasures is updated.
Type: Grant
Filed: August 6, 2019
Date of Patent: November 9, 2021
Assignee: SHAPE SECURITY, INC.
Inventors: Siying Yang, Justin D. Call
-
Patent number: 11138463
Abstract: Unsupervised or supervised machine learning (“ML”) techniques discussed herein can be used to classify browsers as one or more types of browser or within one or more browser groups.
Type: Grant
Filed: August 4, 2017
Date of Patent: October 5, 2021
Assignee: SHAPE SECURITY, INC.
Inventors: Xinran Wang, Yao Zhao
-
Patent number: 11139966
Abstract: Techniques are provided for security code for integration with an application. A first request associated with a request by an application to an application server is received. The application includes security code that performs a set of one or more operations on one or more input parameters. The application is provided one or more parameter values, wherein the security code generates a secret cryptographic key based on the one or more parameter values. A security key is received that includes encrypted client data collected at the client device that is encrypted using the secret cryptographic key. The secret cryptographic key is generated based on the one or more parameter values and knowledge of the set of one or more operations. It is determined that the decrypted client data matches a pattern of data associated with malware. The application server is prevented from processing a second request.
Type: Grant
Filed: December 31, 2019
Date of Patent: October 5, 2021
Assignee: SHAPE SECURITY, INC.
Inventors: Carl Schroeder, Ariya Hidayat, Chandrasekhar Rentachintala, Ricky Y. Chiu
-
Patent number: RE50024
Abstract: Computer systems and methods in various embodiments are configured for improving the security and efficiency of client computers interacting with server computers through supervising instructions defined in a web page and/or web browser. In an embodiment, a computer system comprising one or more processors, coupled to a remote client computer, and configured to send, to the remote client computer, one or more instructions, which when executed by the remote client computer, cause a run-time environment on the remote client computer to: intercept, within the run-time environment, a first call to execute a particular function defined in the run-time environment by a first caller function in the run-time environment; determine a first caller identifier, which corresponds to the first caller function identified in a run-time stack maintained by the run-time environment; determine whether the first caller function is authorized to call the particular function based on the first caller identifier.
Type: Grant
Filed: December 21, 2018
Date of Patent: June 25, 2024
Assignee: SHAPE SECURITY, INC.
Inventors: Yao Zhao, Xinran Wang