Abstract: Improved identification of a computer configured with an operating system (OS), a web browser and one or more applications is disclosed. An identifying code for advertisers (IFA) may be obtained via the operating system (OS) of the computer. A first application configuring the computer may include instructions to initiate an ad call comprising a request including the IFA to cause the first application to render an advertisement received by the computing device from a first web resource in response to the ad call. The web browser may execute the script to associate the web browser with a durable id (DID). The DID and the IFA may be correlated.

Abstract: There are disclosed devices, system and methods for feeding identification data of malicious creatives existing in internet advertisements to a supply side platform (SSP) by receiving reports of unwanted actions without user action by malicious creatives of internet advertisements (ads) requested from the SSP by webpages being displayed to users. The reports include a creative identification (ID), a malicious code chain of events, and a demand side platform (DSP) ID or a seat ID. The reports are pre-processed by classifying the unwanted action attempts based on the chain of events. The pre-processed reports are parsed to extract the creative IDs, the SSP IDs and the DSP IDs; and then stored in a searchable database. The stored parsed pre-processed reports are feed to SSPs based on the SSP identifications. The feed includes the creative IDs, the SSP IDs, the DSP IDs, timestamps of the unwanted action attempt and the classifications.

Abstract: Improved identification of a computer configured with an operating system (OS), a web browser and one or more applications is disclosed. An identifying code for advertisers (IFA) may be obtained via the operating system (OS) of the computer. A first application configuring the computer may include instructions to initiate an ad call comprising a request including the IFA to cause the first application to render an advertisement received by the computing device from a first web resource in response to the ad call. The web browser may execute the script to configure the web browser with a durable id (DID). The web browser may also communicate the DID to associate the IFA with the computing device.

Abstract: There are disclosed devices, system and methods for detecting malicious scripts received from malicious client side vectors. First, a script received from a client side injection vector and being displayed to a user in a published webpage is detected. The script may have malicious code configured to cause a browser unwanted action without user action. The script is wrapped in a java script (JS) closure and/or stripped of hyper-text markup language (HTML). The script is then executed in a browser sandbox that is capable of activating the unwanted action, displaying execution of the script, and stopping execution of the unwanted action if a security error resulting from the unwanted action is detected. When a security error results from this execution in the sandbox, executing the malicious code is discontinued, displaying the malicious code is discontinued, and execution of the unwanted action is stopped.

Abstract: An identification service may provide a device identifier that is available in both browser and non-browser applications on an electronic device. The identification service may include a domain name system server that handles domain name system queries for certain HTTP requests originating from the browser and non-browser applications. An HTTP request in the non-browser application may result in the domain name system server embedding the device identifier into an IPv6 address that is then stored in a local domain name system cache on the device. An HTTP request in the browser application may cause the browser to connect to the IPv6 address stored in the local domain name system cache. The identification service may have an HTTP server bound to the IPv6 address. The HTTP server may extract the device identifier from the IPv6 address and may provide the device identifier to the browser application.

Abstract: There are disclosed devices, system and methods for detecting malicious code existing in an internet advertisement (ad) requested by a published webpage viewed by a user. First, receipt of malicious code of the ad is detected, where that code may be malicious code that causes a browser unwanted action without user action. If the internet ad is an SCR type document, the malicious code may be wrapped in a java script (JS) closure to detect an unwanted action requested by the malicious code. The malicious code is executed a browser sandbox that activates the unwanted action, that displays execution of the internet ad and that allows execution of the unwanted action. When a security error resulting from the unwanted action is detected, executing the malicious code in the browser sandbox is discontinued, displaying of the internet ad on the display is discontinued, and execution of the unwanted action is stopped.

Abstract: There are disclosed devices, system and methods for feeding identification data of malicious creatives existing in internet advertisements to a supply side platform (SSP) by receiving reports of unwanted actions without user action by malicious creatives of internet advertisements (ads) requested from the SSP by webpages being displayed to users. The reports include a creative identification (ID), a malicious code chain of events, and a demand side platform (DSP) ID or a seat ID. The reports are pre-processed by classifying the unwanted action attempts based on the chain of events. The pre-processed reports are parsed to extract the creative IDs, the SSP IDs and the DSP IDs; and then stored in a searchable database. The stored parsed pre-processed reports are feed to SSPs based on the SSP identifications. The feed includes the creative IDs, the SSP IDs, the DSP IDs, timestamps of the unwanted action attempt and the classifications.

Abstract: There are disclosed devices, system and methods for detecting malicious code existing in an internet advertisement (ad) requested by a published webpage viewed by a user. First, receipt of malicious code of the ad is detected, where that code may be malicious code that causes a browser unwanted action without user action. If the internet ad is an SCR type document, the malicious code may be wrapped in a java script (JS) closure to detect an unwanted action requested by the malicious code. The malicious code is executed a browser sandbox that activates the unwanted action, that displays execution of the internet ad and that allows execution of the unwanted action. When a security error resulting from the unwanted action is detected, executing the malicious code in the browser sandbox is discontinued, displaying of the internet ad on the display is discontinued, and execution of the unwanted action is stopped.

Abstract: There are disclosed devices, system and methods for detecting malicious scripts received from malicious client side vectors. First, a script received from a client side injection vector and being displayed to a user in a published webpage is detected. The script may have malicious code configured to cause a browser unwanted action without user action. The script is wrapped in a java script (JS) closure and/or stripped of hyper-text markup language (HTML). The script is then executed in a browser sandbox that is capable of activating the unwanted action, displaying execution of the script, and stopping execution of the unwanted action if a security error resulting from the unwanted action is detected. When a security error results from this execution in the sandbox, executing the malicious code is discontinued, displaying the malicious code is discontinued, and execution of the unwanted action is stopped.

Abstract: There are disclosed devices, system and methods for detecting malicious scripts received from malicious client side vectors. First, a script received from a client side injection vector and being displayed to a user in a published webpage is detected. The script may have malicious code configured to cause a browser unwanted action without user action. The script is wrapped in a java script (JS) closure and/or stripped of hyper-text markup language (HTML). The script is then executed in a browser sandbox that is capable of activating the unwanted action, displaying execution of the script, and stopping execution of the unwanted action if a security error resulting from the unwanted action is detected. When a security error results from this execution in the sandbox, executing the malicious code is discontinued, displaying the malicious code is discontinued, and execution of the unwanted action is stopped.

Abstract: There are disclosed devices, system and methods for detecting malicious scripts received from malicious client side vectors. First, a script received from a client side injection vector and being displayed to a user in a published webpage is detected. The script may have malicious code configured to cause a browser unwanted action without user action. The script is wrapped in a java script (JS) closure and/or stripped of hyper-text markup language (HTML). The script is then executed in a browser sandbox that is capable of activating the unwanted action, displaying execution of the script, and stopping execution of the unwanted action if a security error resulting from the unwanted action is detected. When a security error results from this execution in the sandbox, executing the malicious code is discontinued, displaying the malicious code is discontinued, and execution of the unwanted action is stopped.

Abstract: There are disclosed devices, system and methods for feeding identification data of malicious creatives existing in internet advertisements to a supply side platform (SSP) by receiving reports of unwanted actions without user action by malicious creatives of internet advertisements (ads) requested from the SSP by webpages being displayed to users. The reports include a creative identification (ID), a malicious code chain of events, and a demand side platform (DSP) ID or a seat ID. The reports are pre-processed by classifying the unwanted action attempts based on the chain of events. The pre-processed reports are parsed to extract the creative IDs, the SSP IDs and the DSP IDs; and then stored in a searchable database. The stored parsed pre-processed reports are feed to SSPs based on the SSP identifications. The feed includes the creative IDs, the SSP IDs, the DSP IDs, timestamps of the unwanted action attempt and the classifications.

Abstract: There are disclosed devices, system and methods for feeding identification data of malicious creatives existing in internet advertisements to a supply side platform (SSP) by receiving reports of unwanted actions without user action by malicious creatives of internet advertisements (ads) requested from the SSP by webpages being displayed to users. The reports include a creative identification (ID), a malicious code chain of events, and a demand side platform (DSP) ID or a seat ID. The reports are pre-processed by classifying the unwanted action attempts based on the chain of events. The pre-processed reports are parsed to extract the creative IDs, the SSP IDs and the DSP IDs; and then stored in a searchable database. The stored parsed pre-processed reports are feed to SSPs based on the SSP identifications. The feed includes the creative IDs, the SSP IDs, the DSP IDs, timestamps of the unwanted action attempt and the classifications.

Abstract: There are disclosed devices, system and methods for detecting cross-origin malicious code existing in an internet advertisement (ad) requested by a published webpage viewed by a user. First, receipt of the ad is detected, where that ad includes cross-origin malicious code that causes a browser cross-origin unwanted action without user action. The ad is then executed in a browser sandbox that displays the cross-origin malicious code and intercepts the cross-origin unwanted action. When a cross-origin security error results from this execution, the cross-origin malicious code is discontinued and the cross-origin unwanted action is intercepted.

Abstract: There are disclosed devices, system and methods for detecting malicious code existing in an internet advertisement (ad) requested by a published webpage viewed by a user. First, receipt of malicious code of the ad is detected, where that code may be malicious code that causes a browser unwanted action without user action. If the internet ad is an SCR type document, the malicious code may be wrapped in a java script (JS) closure to detect an unwanted action requested by the malicious code. The malicious code is executed a browser sandbox that activates the unwanted action, that displays execution of the internet ad and that allows execution of the unwanted action. When a security error resulting from the unwanted action is detected, executing the malicious code in the browser sandbox is discontinued, displaying of the internet ad on the display is discontinued, and execution of the unwanted action is stopped.

Abstract: An identification service may provide a device identifier that is available in both browser and non-browser applications on an electronic device. The identification service may include a domain name system server that handles domain name system queries for certain HTTP requests originating from the browser and non-browser applications. An HTTP request in the non-browser application may result in the domain name system server embedding the device identifier into an IPv6 address that is then stored in a local domain name system cache on the device. An HTTP request in the browser application may cause the browser to connect to the IPv6 address stored in the local domain name system cache. The identification service may have an HTTP server bound to the IPv6 address. The HTTP server may extract the device identifier from the IPv6 address and may provide the device identifier to the browser application.

Abstract: Improved identification of a computer configured with an operating system (OS), a web browser and one or more applications is disclosed. An identifying code for advertisers (IFA) may be obtained via the operating system (OS) of the computer. A first application configuring the computer may include instructions to initiate an ad call comprising a request including the IFA to cause the first application to render an advertisement received by the computing device from a first web resource in response to the ad call. The web browser may execute the script to associate the web browser with a durable id (DID). The DID and the IFA may be correlated.

Abstract: Improved identification of a computer configured with an operating system (OS), a web browser and one or more applications is disclosed. An identifying code for advertisers (IFA) may be obtained via the operating system (OS) of the computer. A first application configuring the computer may include instructions to initiate an ad call comprising a request including the IFA to cause the first application to render an advertisement received by the computing device from a first web resource in response to the ad call. The web browser may execute the script to configure the web browser with a durable id (DID). The web browser may also communicate the DID to associate the IFA with the computing device.

Abstract: An advertiser participating in a method of targeting based on first party cookies may update its DNS record to include a subdomain that redirects to a server associated with an ad network. The ad network may incorporate that advertiser's subdomain in an ad pixel tag published on one or more of the advertiser's web pages, to set a cookie on the advertiser's domain. Specifically, when a user visits one of the advertiser's web pages, the ad pixel tag may be redirected by the advertiser's DNS update to an ad network server for receipt of a cookie that matches the subdomain. The ad network may distribute to its publishers an ad call that checks for the presence of any first party domain cookies set via the second stage, and then pass any such cookie data to the network's ad servers to decide which ad to serve.

Abstract: An advertiser participating in a method of targeting based on first party cookies may update its DNS record to include a subdomain that redirects to a server associated with an ad network. The ad network may incorporate that advertiser's subdomain in an ad pixel tag published on one or more of the advertiser's web pages, to set a cookie on the advertiser's domain. Specifically, when a user visits one of the advertiser's web pages, the ad pixel tag may be redirected by the advertiser's DNS update to an ad network server for receipt of a cookie that matches the subdomain. The ad network may distribute to its publishers an ad call that checks for the presence of any first party domain cookies set via the second stage, and then pass any such cookie data to the network's ad servers to decide which ad to serve.