Abstract: A computer-implemented method includes providing, for use by a third-party, injectable computer code that is capable of being served with other code provided by the third-party to client computing devices; receiving data from client computing devices that have been served the code by the third-party, the data including data that characterizes (a) the client computing devices and (b) user interaction with the client computing devices; classifying the client computing devices as controlled by actual users or instead by automated software based on analysis of the received data from the client computing devices; and providing to the third party one or more reports that characterize an overall level of automated software activity among client computing devices that have been served code by the third party.

Abstract: Techniques detecting the execution of alien content on a client computing device are provided. A set of web code is supplemented with a set of instrumentation code, which when executed at a client computing device, collects and reports information that describes execution of the set of web code at the client computing device, wherein the client computing device receives the set of web code and the set of instrumentation code. A set of information is received from the client computing device that is generated by the set of instrumentation code when the set of instrumentation code is executed at the client computing device. The presence of alien content interacting with the set of web code on the client computing device is determined based on the set of information.

Abstract: Techniques for code modification for automation detection are described. Web code is obtained corresponding to content to be served to a first client device in response to a first request from the first client device. Instances of a particular programmatic element in the web code are identified. In response to the first request, modified web code is generated from the web code by consistently changing the particular programmatic element to a modified programmatic element throughout the web code. The modified web code is caused to be provided to the first client device in response to the first request from the first client device. A communication is received from the first client device that is made in response to the modified web code. The communication includes an attempt to interact with the particular programmatic element that exists in the web code but not in the modified web code.

Abstract: A computer-implemented method includes receiving content and annotation information that describe a structure of the content, the annotation information having been previously generated by a sub-system that is separate from a content transformation sub-system and at a time before the content was requested to be served; interpreting the annotation information to generate transcoding rules that identify one or more portions of the received content to be transcoded in serving the content; applying the transcoding rules to the content to change the content in a manner that interferes with an ability of malware on a client device to interfere with operation of the content; and providing the transcoded content to a client device that requested the content.

Abstract: A computer-implemented method for identifying abnormal computer behavior includes receiving, at a computer server subsystem, data that characterizes subsets of particular document object models for web pages rendered by particular client computers; identifying clusters from the data that characterize the subsets of the particular document object models; and using the clusters to identify alien content on the particular client computers, wherein the alien content comprises content in the document object models that is not the result of content that is the basis of the document object model served.

Abstract: A computer-implemented method for deflecting abnormal computer interactions includes receiving, at a computer server system and from a client computer device that is remote from the computer server system, a request for web content; identifying, by computer analysis of mark-up code content that is responsive to the request, executable code that is separate from, but programmatically related to, the mark-up code content; generating groups of elements in the mark-up code content and the related executable code by determining that the elements within particular groups are programmatically related to each other; modifying elements within particular ones of the groups consistently so as to prevent third-party code written to interoperate with the elements from modifying from interoperating with the modified elements, while maintain an ability of the modified elements within each group to interoperate with each other; and recoding the mark-up code content and the executable code to include the modified elements.

Abstract: Techniques are provided for using instrumentation code to detect bots or malware. Data corresponding to requests from a plurality of client devices for a web resource comprising web code is obtained. The web resource is hosted by a first web server system. For a first client device of the plurality of client devices, instrumentation code is served. The instrumentation code is configured to execute on the first client device to monitor execution of the web code of the web resource at the first client device. One or more responses generated by the instrumentation code at the first client device are received from the first client device. The one or more responses are based one or more interactions with the web code at the first client device.

Abstract: Application programming interfaces (APIs) can be unintentionally exposed and allow for potentially undesirable use of corporate resources. An API call filtering system configured to monitor API call requests received via an endpoint and API call responses received via a supporting service of an API or web service. The API call filtering system enables enterprises to improve their security posture by identifying, studying, reporting, and securing their APIs within their enterprise network.

Abstract: A computer-implemented method includes receiving, at a first server sub-system, content served to a client computing device; transcoding, with the first server sub-system, the received content using a policy received from a second security sub-system; determining, with the first server sub-system that the second server sub-system has likely ceased operating properly; receiving a request to vote on a leader server sub-system from one or more server sub-systems, and voting for from of the one or more server sub-systems; and subsequently transcoding received content according to a policy received from another of the server sub-systems that is not the second server sub-system.

Abstract: A computer-implemented method includes receiving, at a primary security sub-system, code to be served from a web server system to one or more computing devices; forwarding a representation of the code to a secondary security sub-system that is remote from the primary security sub-system; receiving, from the secondary sub-system and in response to the forwarding, a template created from analysis of the representation of the code that indicates changes to be made to the code and locations of the changes; and using the template to recode the code, by the primary security sub-system, before serving the code to the one or more computing devices.

Abstract: A computer-implemented method includes receiving content and annotation information that describe a structure of the content, the annotation information having been previously generated by a sub-system that is separate from a content transformation sub-system and at a time before the content was requested to be served; interpreting the annotation information to generate transcoding rules that identify one or more portions of the received content to be transcoded in serving the content; applying the transcoding rules to the content to change the content in a manner that interferes with an ability of malware on a client device to interfere with operation of the content; and providing the transcoded content to a client device that requested the content.

Abstract: In one implementation, a computer-implemented method can identify abnormal computer behavior. The method can receive, at a computer server subsystem and from a web server system, computer code to be served in response to a request from a computing client over the internet. The method can also modify the computer code to obscure operational design of the web server system that could be determined from the computer code, and supplement the computer code with instrumentation code that is programmed to execute on the computing client. The method may serve the modified and supplemented computer code to the computing client.

Abstract: Application programming interfaces (APIs) can be unintentionally exposed and allow for potentially undesirable use of corporate resources. An API call filtering system configured to monitor API call requests received via an endpoint and API call responses received via a supporting service of an API or web service. The API call filtering system enables enterprises to improve their security posture by identifying, studying, reporting, and securing their APIs within their enterprise network.

Abstract: A computer-implemented method for identifying abnormal computer behavior includes receiving, at a computer server subsystem, data that characterizes subsets of particular document object models for web pages rendered by particular client computers; identifying clusters from the data that characterize the subsets of the particular document object models; and using the clusters to identify alien content on the particular client computers, wherein the alien content comprises content in the document object models that is not the result of content that is the basis of the document object model served.

Abstract: A computer-implemented method includes providing, for use by a third-party, injectable computer code that is capable of being served with other code provided by the third-party to client computing devices; receiving data from client computing devices that have been served the code by the third-party, the data including data that characterizes (a) the client computing devices and (b) user interaction with the client computing devices; classifying the client computing devices as controlled by actual users or instead by automated software based on analysis of the received data from the client computing devices; and providing to the third party one or more reports that characterize an overall level of automated software activity among client computing devices that have been served code by the third party.

Abstract: Systems, methods, and other techniques for improving the operation of computing systems are described. Some implementations include a computer-implemented method. The method can include intercepting, at an intermediary computing system, messages communicated between a web server system and one or more client computing devices. A subset of the intercepted messages can be selected that are determined to commonly relate to a particular web transaction. The method can identify an expression pattern that occurs in the subset of the intercepted messages, and can determine that the identified expression pattern matches a first pre-defined expression pattern from among a plurality of different pre-defined expression patterns. A status of the particular web transaction can be determined based on the first pre-defined expression pattern that matches the identified expression pattern occurring in the subset of the intercepted messages.

Abstract: A computer-implemented security method includes receiving, at a server sub-system, reports from a plurality of clients that were served content served by a web server system, the different versions of content varying from each other by polymorphic transformation that inserts varying content at common locations in the content; determining, with the server sub-system, an effectiveness level of security countermeasures applied to the content, using the received reports; selecting an updated security countermeasure package determined to address malware identified using data from the reports; and providing to the web server system information causing the web server system to switch to the updated security countermeasure package.

Abstract: A computer-implemented method for identifying abnormal computer behavior includes receiving, at a computer server subsystem, data that characterizes subsets of particular document object models for web pages rendered by particular client computers; identifying clusters from the data that characterize the subsets of the particular document object models; and using the clusters to identify alien content on the particular client computers, wherein the alien content comprises content in the document object models that is not the result of content that is the basis of the document object model served.

Abstract: A computer-implemented method involves identifying an initial element for serving by a web server system to a client device and recoding the element by creating a plurality of different elements that each represent a portion of the initial element. The different elements are then served in place of the initial element. A response is received form the client device and has portions that correspond to the different elements, and a combined response is created by combining the received portions in a manner that corresponds to a manner in which the initial element was recoded to create the plurality of different elements.

Abstract: A computer-implemented method for securing a content server system is disclosed. The method includes identifying that a request has been made by a client computing device for serving of content from the content server system; serving, to the client computing device and for execution on the client computing device, reconnaissance code that is programmed to determine whether the client computing device is human-controlled or bot-controlled; receiving, from the reconnaissance code, data that indicates whether the client computing device is human-controlled or bot-controlled; and serving follow-up content to the client computing device, wherein the make-up of the follow-up content is selected based on a determination of whether the client computing device is human-controlled or bot-controlled.