Abstract: In an embodiment, a method comprises intercepting, from a server computer, a first set of instructions that define one or more objects and one or more operations that are based, at least in part, on the one or more objects; generating, in memory, one or more data structures that correspond to the one or more objects; performing the one or more operations on the one or more data structures; updating the one or more data structures, in response to performing the one or more operations, to produce one or more updated data structures; rendering a second set of instructions, which when executed by a remote client computer cause the remote client computer to generate the updated data structures in memory on the remote client computer, wherein the second set of instructions are different than the first set of instructions; sending the second set of instructions to the remote client computer.

Abstract: A computer-implemented method involves identifying an initial element for serving by a web server system to a client device and recoding the element by creating a plurality of different elements that each represent a portion of the initial element. The different elements are then served in place of the initial element. A response is received form the client device and has portions that correspond to the different elements, and a combined response is created by combining the received portions in a manner that corresponds to a manner in which the initial element was recoded to create the plurality of different elements.

Abstract: In one embodiment, a method of improving the security of a computing device comprises using a computing device that has received one or more messages that have been determined as unauthorized, obtaining a plurality of state data values from one or more of the computing device, the one or more messages, and a second computer; before admitting the one or more messages to a data communications network that the computing device is configured to protect: using the computing device and pseudo-random selection logic, based on the state data values, pseudo-randomly selecting a particular policy action from among a plurality of different stored policy actions; using the computing device, acting upon the one or more messages using the particular policy action; wherein the method is performed using one or more computing devices.

Abstract: A computer-implemented method includes providing, for use by a third-party, injectable computer code that is capable of being served with other code provided by the third-party to client computing devices; receiving data from client computing devices that have been served the code by the third-party, the data including data that characterizes (a) the client computing devices and (b) user interaction with the client computing devices; classifying the client computing devices as controlled by actual users or instead by automated software based on analysis of the received data from the client computing devices; and providing to the third party one or more reports that characterize an overall level of automated software activity among client computing devices that have been served code by the third party.

Abstract: In an embodiment, a method comprises intercepting a first set of instructions from a server computer that define one or more objects and one or more original operations that are based, at least in part, on the one or more objects; modifying the first set of instructions by adding one or more supervisor operations that are based, at least in part, on the one or more objects; transforming the one or more original operations to produce one or more transformed operations that are based, at least in part, on the one or more supervisor operations; rendering a second set of instructions which define the one or more supervisor operations and the one or more transformed operations; sending the second set of instructions to a remote client computer.

Abstract: In an embodiment, a method comprises intercepting, from a server computer, a first set of instructions that define one or more objects and one or more operations that are based, at least in part, on the one or more objects; generating, in memory, one or more data structures that correspond to the one or more objects; performing the one or more operations on the one or more data structures; updating the one or more data structures, in response to performing the one or more operations, to produce one or more updated data structures; rendering a second set of instructions, which when executed by a remote client computer cause the remote client computer to generate the updated data structures in memory on the remote client computer, wherein the second set of instructions are different than the first set of instructions; sending the second set of instructions to the remote client computer.

Abstract: This document describes, among other things, a computer-implemented method that can include receiving, from a web server system, web page code to be provided over the internet to a computing device. The web page code can correspond to a particular web page served by the web server system. The method may include generating an intermediate representation of at least a portion of the web page code, and comparing the intermediate representation to a prior intermediate representation of the particular web page. Based on a result of the comparison, the method can include determining what portion of the web page code to analyze for re-coding of the web page code before serving the web page code to the computing device.

Abstract: In one implementation, a computer-implemented method can identify abnormal computer behavior. The method can receive, at a computer server subsystem and from a web server system, computer code to be served in response to a request from a computing client over the internet. The method can also modify the computer code to obscure operational design of the web server system that could be determined from the computer code, and supplement the computer code with instrumentation code that is programmed to execute on the computing client. The method may serve the modified and supplemented computer code to the computing client.

Abstract: A computer-implemented method for coordinating content transformation includes receiving, at a computer server subsystem and from a web server system, computer code to be served in response to a request from a computing client over the internet; modifying the computer code to obscure operation of the web server system that could be determined from the computer code; generating transformation information that is needed in order to reverse the modifications of the computer code to obscure the operation of the web server system; and serving to the computing client the modified code and the reverse transformation information.

Abstract: A computer-implemented method for deflecting abnormal computer interactions includes receiving, at a computer server system and from a client computer device that is remote from the computer server system, a request for web content; identifying, by computer analysis of mark-up code content that is responsive to the request, executable code that is separate from, but programmatically related to, the mark-up code content; generating groups of elements in the mark-up code content and the related executable code by determining that the elements within particular groups are programmatically related to each other; modifying elements within particular ones of the groups consistently so as to prevent third-party code written to interoperate with the elements from modifying from interoperating with the modified elements, while maintain an ability of the modified elements within each group to interoperate with each other; and recoding the mark-up code content and the executable code to include the modified elements.

Abstract: In one implementation, a computer-implemented method can identify abnormal computer behavior. The method can receive, at a computer server subsystem and from a web server system, computer code to be served in response to a request from a computing client over the internet. The method can also modify the computer code to obscure operational design of the web server system that could be determined from the computer code, and supplement the computer code with instrumentation code that is programmed to execute on the computing client. The method may serve the modified and supplemented computer code to the computing client.

Abstract: A computer-implemented method for identifying abnormal computer behavior includes receiving, at a computer server subsystem, data that characterizes subsets of particular document object models for web pages rendered by particular client computers; identifying clusters from the data that characterize the subsets of the particular document object models; and using the clusters to identify alien content on the particular client computers, wherein the alien content comprises content in the document object models that is not the result of content that is the basis of the document object model served.

Abstract: In one implementation, a computer-implemented method can identify abnormal computer behavior. The method can receive, at a computer server subsystem and from a web server system, computer code to be served in response to a request from a computing client over the internet. The method can also modify the computer code to obscure operational design of the web server system that could be determined from the computer code, and supplement the computer code with instrumentation code that is programmed to execute on the computing client. The method may serve the modified and supplemented computer code to the computing client.

Abstract: A code finder system deployed as a software module, a web service or as part of a larger security system, identifies and processes well-formed code sequences. For a data flow that is expected to be free of executable or interpreted code, or free of one or more known styles of executable or interpreted code, the code finder system can protect participants in the communications network. Examples of payload carried by data flows that can be monitored include, but are not limited to, user input data provided as part of interacting with a web application, data files or entities, such as images or videos, and user input data provided as part of interacting with a desktop application.

Abstract: A code finder system deployed as a software module, a web service or as part of a larger security system, identifies and processes well-formed code sequences. For a data flow that is expected to be free of executable or interpreted code, or free of one or more known styles of executable or interpreted code, the code finder system can protect participants in the communications network. Examples of payload carried by data flows that can be monitored include, but are not limited to, user input data provided as part of interacting with a web application, data files or entities, such as images or videos, and user input data provided as part of interacting with a desktop application.