Abstract: A computer-implemented method for identifying abnormal computer behavior includes receiving, at a computer server subsystem, data that characterizes subsets of particular document object models for web pages rendered by particular client computers; identifying clusters from the data that characterize the subsets of the particular document object models; and using the clusters to identify alien content on the particular client computers, wherein the alien content comprises content in the document object models that is not the result of content that is the basis of the document object model served.

Abstract: In an embodiment, a method comprises intercepting, using a server computer, a first set of instructions that define a user interface and a plurality of links, wherein each link in the plurality of links is associated with a target page, and the plurality of links includes a first link; determining that the first link, which references a first target page, is protected; in response to determining the first link is protected: generating a first decoy link that corresponds to the first link, wherein the first decoy link includes data that references a first decoy page which includes false information; rendering a second set of instructions that defines the first decoy link, wherein the second set of instructions is configured to cause a first client computer to hide the first decoy link from the user interface; sending the second set of instructions to the first client computer.

Abstract: A computer-implemented method for identifying abnormal computer behavior includes receiving, at a computer server subsystem, data that characterizes subsets of particular document object models for web pages rendered by particular client computers; identifying clusters from the data that characterize the subsets of the particular document object models; and using the clusters to identify alien content on the particular client computers, wherein the alien content comprises content in the document object models that is not the result of content that is the basis of the document object model served.

Abstract: A computer-implemented method for coordinating content transformation includes receiving, at a computer server subsystem and from a web server system, computer code to be served in response to a request from a computing client over the internet; modifying the computer code to obscure operation of the web server system that could be determined from the computer code; generating transformation information that is needed in order to reverse the modifications of the computer code to obscure the operation of the web server system; and serving to the computing client the modified code and the reverse transformation information.

Abstract: In one implementation, a computer-implemented method can identify abnormal computer behavior. The method can receive, at a computer server subsystem and from a web server system, computer code to be served in response to a request from a computing client over the internet. The method can also modify the computer code to obscure operational design of the web server system that could be determined from the computer code, and supplement the computer code with instrumentation code that is programmed to execute on the computing client. The method may serve the modified and supplemented computer code to the computing client.

Abstract: A computer-implemented method for identifying abnormal computer behavior includes receiving, at a computer server subsystem, data that characterizes subsets of particular document object models for web pages rendered by particular client computers; identifying clusters from the data that characterize the subsets of the particular document object models; and using the clusters to identify alien content on the particular client computers, wherein the alien content comprises content in the document object models that is not the result of content that is the basis of the document object model served.

Abstract: A computer-implemented method for coordinating content transformation includes receiving, at a computer server subsystem and from a web server system, computer code to be served in response to a request from a computing client over the internet; modifying the computer code to obscure operation of the web server system that could be determined from the computer code; generating transformation information that is needed in order to reverse the modifications of the computer code to obscure the operation of the web server system; and serving to the computing client the modified code and the reverse transformation information.

Abstract: In an embodiment, a method comprises intercepting, using a server computer, a first set of instructions that define a user interface and a plurality of links, wherein each link in the plurality of links is associated with a target page, and the plurality of links includes a first link; determining that the first link, which references a first target page, is protected; in response to determining the first link is protected: generating a first protected link that is different than the first link and includes first data that authenticates a first request that has been generated based on the first protected link and that references the first target page; and generating a first decoy link that includes second data that references a first decoy page and not the first target page; rendering a second set of instructions comprising the first protected link and the first decoy link, but not the first link, and which is configured to cause a first client computer to present the first protected link in the user interfac

Abstract: In an embodiment, a method comprises rendering a first image of a first user interface based on a first set of instructions; rendering a second image of a second user interface based on a second set of instructions; generating a first mask comprising a plurality of points, wherein each point in the first mask indicates whether a first point in the first image and a second point in the second image are different; rendering a third image of a third user interface based on a third set of instructions, wherein the first set of instructions are different than the third set of instructions and the first image is different than the third image; determining that the first image is equivalent to the third image based on the first image, the first mask, and the third image.

Abstract: A computer-implemented method for identifying abnormal computer behavior includes receiving, at a computer server subsystem, data that characterizes subsets of particular document object models for web pages rendered by particular client computers; identifying clusters from the data that characterize the subsets of the particular document object models; and using the clusters to identify alien content on the particular client computers, wherein the alien content comprises content in the document object models that is not the result of content that is the basis of the document object model served.

Abstract: In an embodiment, a method comprises intercepting, using a server computer, a first set of instructions that define a user interface and a plurality of links, wherein each link in the plurality of links is associated with a target page, and the plurality of links includes a first link; determining that the first link, which references a first target page, is protected; in response to determining the first link is protected: generating a first protected link that is different than the first link and includes first data that authenticates a first request that has been generated based on the first protected link and that references the first target page; and generating a first decoy link that includes second data that references a first decoy page and not the first target page; rendering a second set of instructions comprising the first protected link and the first decoy link, but not the first link, and which is configured to cause a first client computer to present the first protected link in the user interfac

Abstract: A computer-implemented method for deflecting abnormal computer interactions includes receiving, at a computer server system and from a client computer device that is remote from the computer server system, a request for web content; identifying, by computer analysis of mark-up code content that is responsive to the request, executable code that is separate from, but programmatically related to, the mark-up code content; generating groups of elements in the mark-up code content and the related executable code by determining that the elements within particular groups are programmatically related to each other; modifying elements within particular ones of the groups consistently so as to prevent third-party code written to interoperate with the elements from modifying from interoperating with the modified elements, while maintain an ability of the modified elements within each group to interoperate with each other; and recoding the mark-up code content and the executable code to include the modified elements.

Abstract: In an embodiment, a method comprises intercepting, from a first computer, a first set of instructions that define one or more original operations, which are configured to cause one or more requests to be sent if executed by a client computer; modifying the first set of instructions to produce a modified set of instructions, which are configured to cause a credential to be included in the one or more requests sent if executed by the client computer; rendering a second set of instructions comprising the modified set of instructions and one or more credential-morphing-instructions, wherein the one or more credential-morphing-instructions define one or more credential-morphing operations, which are configured to cause the client computer to update the credential over time if executed; sending the second set of instructions to a second computer.

Abstract: In an embodiment, a method comprises intercepting, using a server computer, a first set of instructions that define a user interface and a plurality of links, wherein each link in the plurality of links is associated with a target page, and the plurality of links includes a first link; determining that the first link, which references a first target page, is protected; in response to determining the first link is protected: generating a first protected link that is different than the first link and includes first data that authenticates a first request that has been generated based on the first protected link and that references the first target page; and generating a first decoy link that includes second data that references a first decoy page and not the first target page; rendering a second set of instructions comprising the first protected link and the first decoy link, but not the first link, and which is configured to cause a first client computer to present the first protected link in the user interfac

Abstract: In one implementation, a computer-implemented method can identify abnormal computer behavior. The method can receive, at a computer server subsystem and from a web server system, computer code to be served in response to a request from a computing client over the internet. The method can also modify the computer code to obscure operational design of the web server system that could be determined from the computer code, and supplement the computer code with instrumentation code that is programmed to execute on the computing client. The method may serve the modified and supplemented computer code to the computing client.

Abstract: In an embodiment, a method comprises intercepting, from a first computer, a first set of instructions that define one or more original operations, which are configured to cause one or more requests to be sent if executed by a client computer; modifying the first set of instructions to produce a modified set of instructions, which are configured to cause a credential to be included in the one or more requests sent if executed by the client computer; rendering a second set of instructions comprising the modified set of instructions and one or more credential-morphing-instructions, wherein the one or more credential-morphing-instructions define one or more credential-morphing operations, which are configured to cause the client computer to update the credential over time if executed; sending the second set of instructions to a second computer.

Abstract: In one implementation, a computer-implemented method can identify abnormal computer behavior. The method can receive, at a computer server subsystem and from a web server system, computer code to be served in response to a request from a computing client over the internet. The method can also modify the computer code to obscure operational design of the web server system that could be determined from the computer code, and supplement the computer code with instrumentation code that is programmed to execute on the computing client. The method may serve the modified and supplemented computer code to the computing client.

Abstract: In one implementation, a computer-implemented method can identify abnormal computer behavior. The method can receive, at a computer server subsystem and from a web server system, computer code to be served in response to a request from a computing client over the internet. The method can also modify the computer code to obscure operational design of the web server system that could be determined from the computer code, and supplement the computer code with instrumentation code that is programmed to execute on the computing client. The method may serve the modified and supplemented computer code to the computing client.

Abstract: In one implementation, a computer-implemented method can identify abnormal computer behavior. The method can receive, at a computer server subsystem and from a web server system, computer code to be served in response to a request from a computing client over the internet. The method can also modify the computer code to obscure operational design of the web server system that could be determined from the computer code, and supplement the computer code with instrumentation code that is programmed to execute on the computing client. The method may serve the modified and supplemented computer code to the computing client.

Abstract: A computer-implemented method for deflecting abnormal computer interactions includes receiving, at a computer server system and from a client computer device that is remote from the computer server system, a request for web content; identifying, by computer analysis of mark-up code content that is responsive to the request, executable code that is separate from, but programmatically related to, the mark-up code content; generating groups of elements in the mark-up code content and the related executable code by determining that the elements within particular groups are programmatically related to each other; modifying elements within particular ones of the groups consistently so as to prevent third-party code written to interoperate with the elements from modifying from interoperating with the modified elements, while maintain an ability of the modified elements within each group to interoperate with each other; and recoding the mark-up code content and the executable code to include the modified elements.