Abstract: A system detects human activity through browser canvas events to mitigate the effects of an attack on a host, such as an application layer (layer 7) DDoS attack. A proxy, such as a HTTP/HTTPS “HTTP(S)” proxy server, configured to handle network traffic between a host and clients challenges clients engaging the host. The proxy challenges the clients by injecting code having a beacon and a shared encryption key into the content received from the host prior to transmission of the client. The code, when executed by the client, is configured to monitor user interactions (or lack thereof) with the content at the client in order to determine whether there is human activity at the client. The proxy receives and analyzes the information about interactions (or lack thereof) to determine whether a client is malicious (e.g., non-human activity) or non-malicious (e.g., human activity).

Abstract: A system is configured for protecting web applications at a host by analyzing web application behavior to detect malicious client requests. Example embodiments described herein include a proxy configured to handle network traffic between a host and clients. The proxy includes two request classification mechanisms, first a list of known clients, malicious and non-malicious, for identifying known malicious and known non-malicious requests and second a web application firewall for determining a classification for unknown requests (e.g., not originating from a known client). The classification itself may be distributed. The proxy determines whether a request is known non-malicious, known malicious, or unknown. The proxy collects request attributes for the known malicious and known non-malicious requests for the generation of a model based on the attributes of the known requests. The proxy passes the unknown requests to the WAF for determining a classification based on their attributes using the model.

Abstract: A system (and method, and computer readable storage medium storing computer program instructions) is configured to determine a fingerprint of a client and qualify client behavior. For example, a proxy positioned between a host and the client may determine the fingerprint of the client and qualify the behavior of clients engaging the host. The client fingerprint provides a relatively stable representation of the client such that the client may be distinguished from the other clients engaging the host and the behavior of the client tracked. Clients engaging the host in a positive manner are prequalified to access the host based on the positive behavior they exhibit. During an attack on the host, such as a DDoS attack, prequalified clients retain access to features and functionality provided by the host to maintain legitimate user experience and better enable the proxy to handle malicious clients.

Abstract: A proxy server routes a request for online content from a user device to an origin server, which returns the requested online content to the proxy server. The proxy server passes the online content to the user device. In order to service subsequent user device requests with cached content, the proxy server, having received the initially requested online content from the origin server, parses out dynamic content specific to the user from static content common to many users within the web page content according to tags identifying the dynamic content. The proxy server stores the dynamic content within a personalized cache and also stores an association between the user/user device for the dynamic content stored. In this way, a subsequent request from the user device for the same online content may be serviced from cache, and include dynamic content specific to that user/user device by way of the personalized cache.

Abstract: A proxy server routes a request for online content from a user device to an origin server, which returns the requested online content to the proxy server. The proxy server passes the online content to the user device. In order to service subsequent user device requests with cached content, the proxy server, having received the initially requested online content from the origin server, parses out dynamic content specific to the user from static content common to many users within the web page content according to tags identifying the dynamic content. The proxy server stores the dynamic content within a personalized cache and also stores an association between the user/user device for the dynamic content stored. In this way, a subsequent request from the user device for the same online content may be serviced from cache, and include dynamic content specific to that user/user device by way of the personalized cache.