RU2781477C2 - Method and system for detection of fraudulent access to web-resource - Google Patents

Abstract

FIELD: computer technology.

SUBSTANCE: method for detection of fraudulent access to a web-resource placed on a server, performed by the server, includes reception by the server from the first electronic device of the first request for access to the web-resource, containing the first cookie file; conversion by the server of the first cookie file into the second cookie file; sending by the server of the second cookie file to the first electronic device for storage; reception by the server from the second electronic device of the second request for access to the web-resource, containing the third cookie file; and determination by the server of the second request as a fraudulent request based on analysis of the third cookie file and the first cookie file.

EFFECT: increase in the safety of access to a web-resource.

20 cl, 5 dwg

Description

The technical field to which the invention belongs

[1] The present technology relates generally to systems and methods for detecting fraudulent access and, in particular, to methods and systems for detecting fraudulent access to a web resource.

State of the art

[2] Various global and local networks (Internet, World Wide Web, local networks, etc.) provide the user with access to a huge amount of information. This information includes many context-sensitive topics such as news and current events, maps, company information, financial information and resources, traffic information, game and entertainment information, and more. Users use a variety of client devices (desktop, laptop, smartphone, tablet, etc.) to access rich content (images, audio, video, animation, and other multimedia content from such networks).

[3] It is common knowledge that websites use cookies to track visitors and improve the user experience. A cookie is a small text file of information sent by a web server to a web browser that the browser software is expected to store and return to the server when the browser sends further requests to the server.

[4] In general, most web resources use cookies only to identify user devices. Clearly, an attacker can imitate a user request by stealing the victim's complete cookie set. From the point of view of the web service, the attacker has the same identity as the victim, and thus the request is made on behalf of the victim.

[5] US2005262026A1 "Authorization system" (Daniel Watkins, published November 24, 2005) describes systems and methods for securely authorizing an online transaction, such as one involving a micropayment, between a client browser and a merchant's server without special software. installed on the client computer, or an SSL connection to the merchant's server. The authorization method includes a double redirect command: the initial transaction request is redirected through the client's web browser to a service provider capable of authenticating the client, from where the authenticated command is further redirected through the client's web browser to the merchant's website to complete the transaction. Information identifying the merchant, product, etc. is included in the redirect command and may be encrypted or encoded, for example, using a hash function, to prevent tampering. To authorize an authenticated command, a cookie containing transaction identification data may be provided to the merchant's web server along with the authenticated command. Alternatively, the service provider may set a time limit after which an authenticated command becomes invalid.

[6] Patent application US20090083184A1 "Methods and apparatus for detecting fraud with time based computer tags" (Ori Eisen, published March 26, 2009) describes systems and methods for generating and analyzing computer tag information to prevent or detect potential fraud. Computers and other devices that access the Internet have device tags with information about the date and time they were generated by the security tag server. The server timestamp can be included in time-based computer tags, such as cookies, indicating when they were created. Such timestamp information may be encrypted and then parsed in future attempts to access the secure network, for example, when a client attempts to access an account in a bank-client system. The invention can be used to detect a suspicious transaction by comparing the timestamp information from the tag with other selected information about the user, device and/or account, including the date/time the account was last accessed, the date the account was created, etc.

Disclosure of invention

[7] Non-limiting embodiments of the present technology are based on the developer's understanding of at least one technical problem associated with known solutions.

[8] In accordance with the first aspect of the present technology, a method for detecting fraudulent access to a web resource hosted on a server is implemented. The method is performed by the server. The method includes receiving by the server from the first electronic device a first request for access to a web resource containing a first cookie, converting the first cookie into a second cookie by the server, sending the second cookie by the server to the first electronic device for storage, receiving by the server from the second electronic device of the second request for access to the web resource containing the third cookie, and the server determines the second request as fraudulent based on the analysis of the third cookie and the first cookie.

[9] In some non-limiting embodiments of the present technology, the first cookie is a first encrypted cookie, the third cookie is a third encrypted cookie, and converting the first cookie to a second cookie includes: re-encrypting the first encrypted cookie into a second encrypted cookie.

[10] In some non-limiting embodiments of the present technology, the first encrypted cookie contains a first user device identifier associated with the first electronic device and a first timestamp indicating the time the first encrypted cookie was created, the second encrypted cookie contains the first identifier of the user device and the second timestamp indicating the time of creation of the second encrypted cookie, and the third encrypted cookie contains at least the second identifier of the user device.

[11] In some non-limiting embodiments of the present technology, the server is connected to a database, and the method further includes storing by the server in the database an indication to re-encrypt the first encrypted cookie into a second encrypted cookie.

[12] In some non-limiting embodiments of the present technology, determining the second request as fraudulent includes querying a database to determine if the second user device ID matches the first user device ID.

[13] In some non-limiting embodiments of the present technology, the first electronic device is different from the second electronic device.

[14] In some non-limiting embodiments of the present technology, the first electronic device is the same as the second electronic device.

[15] In some non-limiting embodiments of the present technology, the method further includes determining a creation time of the first encrypted cookie in response to receiving the first request, and re-encrypting the first encrypted cookie into a second encrypted cookie if the creation time indicates that the lifetime of the first encrypted cookie exceeds a predetermined threshold.

[16] In some non-limiting embodiments of the present technology, the server is configured to store the first encryption key and the second encryption key, and the method further includes receiving a third request from the first electronic device prior to receiving the first request, generating a first encrypted cookie using the first encryption key and sending the first encrypted cookie to the first electronic storage device, wherein re-encryption by the server includes decrypting the first encrypted cookie using the first encryption key and re-encrypting the decrypted first encrypted cookie using the second encryption key, wherein the second encrypted cookie is different from the first encrypted cookie.

[17] In some non-restrictive embodiments of the present technology, in response to determining the second request as fraudulent, a restrictive action is taken on the second request.

[18] In some non-restrictive embodiments of the present technology, the restrictive action is to deny the second request or grant limited access to the web resource.

[19] In accordance with another aspect of the present technology, a system is implemented for detecting fraudulent access to a web resource hosted on a server. The server comprises a processor capable of receiving from the first electronic device a first request for access to a web resource containing a first cookie, converting the first cookie into a second cookie, sending the second cookie to the first electronic device for storage, receiving from the second electronic devices a second request to access a web resource containing a third cookie, and determine the second request as fraudulent based on the analysis of the third cookie and the first cookie.

[20] In some non-limiting embodiments of the present technology, the first cookie is a first encrypted cookie, the third cookie is a third encrypted cookie, and to convert the first cookie to a second cookie, the processor is able to re-encrypt the first encrypted cookie into a second encrypted cookie.

[21] In some non-limiting embodiments of the present technology, the first encrypted cookie contains a first user device identifier associated with the first electronic device and a first timestamp indicating the time the first encrypted cookie was created, the second encrypted cookie contains the first identifier of the user device and the second timestamp indicating the time of creation of the second encrypted cookie, and the third encrypted cookie contains at least the second identifier of the user device.

[22] In some non-limiting embodiments of the present technology, the server is connected to the database, and the processor is further configured to store in the database an indication to re-encrypt the first encrypted cookie into the second encrypted cookie.

[23] In some non-limiting embodiments of the present technology, in order to determine the second request is fraudulent, the processor is able to access a database to determine if the second user device ID matches the first user device ID.

[24] In some non-limiting embodiments of the present technology, the first electronic device is different from the second electronic device.

[25] In some non-limiting embodiments of the present technology, the first electronic device is the same as the second electronic device.

[26] In some non-limiting embodiments of the present technology, the processor is further capable of determining the creation time of the first encrypted cookie in response to receiving the first request, re-encrypting the first encrypted cookie into a second encrypted cookie if the creation time indicates that the lifetime of the first encrypted cookie exceeds a predetermined threshold.

[27] In some non-limiting embodiments of the present technology, the processor is capable of storing a first encryption key and a second encryption key, and is further capable of receiving a third request from the first electronic device prior to receiving the first request, generating a first encrypted cookie using the first key. encryption and send the first encrypted cookie to the first electronic storage device, wherein for re-encryption by the server, the processor is able to decrypt the first encrypted cookie using the first encryption key and re-encrypt the decrypted first encrypted cookie using the second encryption key, while the second encrypted the cookie is different from the first encrypted cookie.

[28] In the context of the present description, the term "server" means a computer program executed by appropriate hardware and capable of receiving requests (for example, from electronic devices) via a network and fulfill these requests or initiate their execution. The hardware may be one physical computer or one computer system, which is not essential to the present technology. In the present context, the expression "at least one server" does not mean that every task (for example, a received command or request) or some specific task is received, executed or started by the same server (i.e. the same software and / or hardware). This expression means that any number of software or hardware can receive, send, execute or initiate the execution of any task or request or the results of any tasks or requests. All of these software and hardware may be a single server or multiple servers, both of which are meant by the expression "at least one server".

[29] In the context of the present description, unless explicitly stated otherwise, the numerals "first", "second", "third", etc. are used only to indicate the difference between the nouns they refer to, but not to describe any specific relationship between these nouns. For example, it should be understood that the use of the terms "first server" and "third server" does not imply any particular order, type, chronology, hierarchy or classification of, in this case, servers, nor is their use (by itself) implies the mandatory presence of a "second server" in any situation. Also, as occurs here in another context, referring to a "first" element and a "second" element does not preclude that the two elements may in fact be the same element. Thus, for example, in some cases the "first" server and the "second" server may be the same software and/or hardware, and in other cases they may be different software and/or hardware.

[30] In the context of this description, unless expressly stated otherwise, the term "database" means any structured set of data, regardless of its specific structure, database management software or computer hardware for storing this data, their application or provision using them in a different way. The database may reside on the same hardware as the process for storing or using the information stored in the database, or the database may reside on separate hardware such as a specialized server or multiple servers.

Brief description of the drawings

[31] The following description is provided for a better understanding of the present technology, as well as other aspects and their features, and should be used in conjunction with the attached drawings.

[32] FIG. 1 is a diagram of a system implemented in accordance with non-limiting embodiments of the present technology.

[33] FIG. 2 shows the structure of the system database.

[34] FIG. Figure 3 shows a scheme for detecting fraudulent access to a web resource.

[35] FIG. 4 is a diagram for determining the last timestamp associated with a user ID.

[36] FIG. 5 is a flowchart of a method for detecting fraudulent access to a web resource.

Implementation of the invention

[37] FIG. 1 is a diagram of a system 100 suitable for non-limiting embodiments of the present technology. Obviously, the system 100 is shown only to demonstrate an implementation of the present technology. Thus, the following description of the system is a description of examples illustrating the present technology. This description is not intended to define the scope or boundaries of the present technology. In some instances, useful examples of modifications to system 100 are also provided. They aid understanding but also do not define the scope or boundaries of the present technology. These modifications do not constitute an exhaustive list. As one of skill in the art would appreciate, other modifications are possible. In addition, if modifications are not described in some cases (i.e., there are no examples of modifications), this does not mean that they are impossible and / or that the description contains the only possible implementation of one or another element of the present technology. One skilled in the art will appreciate that this is not the case. In addition, it should be understood that system 100 may, in some instances, be a simplified implementation of the present technology, and that such variations are presented in order to facilitate a better understanding thereof. Those skilled in the art will appreciate that various embodiments of the present technology can be significantly more complex.

[38] The examples and conventions presented herein are intended to provide a better understanding of the principles of the present technology, and not to limit its scope to such specifically given examples and terms. It is obvious that specialists in the art are able to develop various methods and devices that are not explicitly described or shown, but implement the principles of the present technology within its essence and scope. In addition, to facilitate a better understanding, the following description may include simplified implementations of the present technology. A person skilled in the art should be clear that various embodiments of this technology can be significantly more complex.

[39] Moreover, the description of principles, aspects, and embodiments of the present technology, as well as their specific examples, is intended to cover their structural and functional equivalents, whether they are currently known or will be developed in the future. For example, it should be apparent to those skilled in the art that any structural diagrams described herein correspond to conceptual representations of illustrative circuit diagrams that implement the principles of the present technology. It should also be obvious that any flowcharts, process diagrams, state transition diagrams, pseudocodes, etc. correspond to various processes that may be represented on a computer-readable physical storage medium and may be executed by a computer or processor, whether such computer or processor is explicitly shown or not.

[40] The functions of the various elements shown in the figures, including any functional block labeled "processor", may be implemented using dedicated hardware as well as hardware capable of executing the corresponding software. If a processor is used, these functions may be performed by a single dedicated processor, a single shared processor, or multiple individual processors, some of which may be shared. In some embodiments of the present technology, the processor may be a general purpose processor such as a central processing unit (CPU) or a specialized processor such as a graphics processing unit (GPU). In addition, explicit use of the term "processor" or "controller" should not be construed as referring solely to the hardware capable of executing the software and may refer to, but is not limited to, digital signal processor (DSP) hardware, network processor, ASIC (ASIC), Field Programmable Gate Array (FPGA), Read Only Memory (ROM) for storing software, Random Access Memory (RAM) and Non-Volatile Memory (ROM). Other general purpose and/or custom hardware may also be contemplated.

[41] In the following, in view of the foregoing principles, some non-limiting examples are provided to illustrate various embodiments of aspects of the present technology.

[42] System 100 includes a first electronic device 102. The first electronic device 102 typically interacts with a user (not shown) and may be referred to as a client device. It should be noted that the interaction of the first electronic device 102 with the user is not intended to suggest or imply any mode of operation, such as login, registration, or the like.

[43] As used herein, unless expressly stated otherwise, the term "electronic device" means any computer hardware capable of executing programs suitable for a given task. Thus, some (non-limiting) examples of electronic devices include personal computers (desktops, laptops, netbooks, etc.), smartphones and tablets, and network equipment such as routers, switches, and gateways. It should be noted that in this context, a device functioning as an electronic device may also function as a server with respect to other electronic devices. The use of the term "electronic device" does not preclude the use of multiple electronic devices to receive, send, perform or initiate any task or request or the results of any tasks or requests or steps of any method described herein.

[44] The first electronic device 102 includes a non-volatile memory 104. The non-volatile memory 104 may include one or more storage media and generally provides storage space for computer instructions executed by the processor 106. For example, the non-volatile memory 104 may be implemented as being readable by a computer. environment, including ROM, hard disk drives (HDD), solid state drives (SSD) and flash memory cards.

[45] The first electronic device 102 comprises hardware and/or software and/or firmware (or a combination thereof) known in the art for executing the browser application 108. In general, the browser application 108 provides a user (not shown) access to one or more web resources. The method for implementing the browser application 108 is known in the art and is not described here. Suffice it to say that the browser application 108 may be a Google™ Chrome™ browser, a Yandex.Browser™ browser, or another commercially available or proprietary browser.

[46] Regardless of the implementation method, the browser application 108 typically has a command interface 110 and a browsing interface 112. In general, a user (not shown) can access a web resource via a communications network in two main ways. A user can access a particular web resource directly by typing the web resource's address (usually a Uniform Resource Locator (URL) such as www.example.com) into the command interface 110, or by following a link in a message. email or other web resource (this action is equivalent to copying and pasting into the command interface 110 the URL associated with the link).

[47] Alternatively, the user can search for the resource of interest using a search engine (not shown) according to their purpose. The latter option is especially convenient when the user knows the topic of interest, but does not know the URL of the web resource. The search engine usually generates a search engine results page (SERP, Search Engine Result Page), which contains links to one or more web resources that match the user's query. After clicking on one or more links on the SERP page, the user can open the required web resource.

[48] The first electronic device 102 includes a communication interface (not shown) for two-way communication with the communication network 114 over the communication line 116 . In some non-limiting embodiments of the present technology, the Internet may be used as communication network 114 . In other embodiments of the present technology, communications network 114 may be implemented differently, such as any wide area network, local area network, private network, or the like.

[49] The implementation of the communication link 116 is not particularly limited, but depends on the implementation of the first electronic device 102. By way of non-limiting example only, in those embodiments of the present technology where the first electronic device 102 is implemented as wireless communication device (such as a smartphone), link 116 may be implemented as a wireless link (such as a 3G network link, a 4G network link, Wireless Fidelity or WiFi®, Bluetooth®, etc. for short) or a wired communication lines (such as an Ethernet-based connection).

[50] It should be obvious that the embodiments of the first electronic device 102, communication line 116 and communication network 114 are for illustration purposes only. A person skilled in the art should be clear and other specific details of the implementation of the first electronic device 102, communication line 116 and communication network 114. The above examples do not limit the scope of the present technology in any way.

[51] System 100 also includes a server 118 connected to a communication network 114. Server 118 may be implemented as a conventional computer server. In an exemplary embodiment of the present technology, server 118 may be implemented as a Dell™ PowerEdge™ server running a Microsoft™ Windows Server™ operating system. Obviously, the server 118 may be implemented using any other suitable hardware and/or application software and/or firmware, or a combination thereof. In the present non-limiting embodiment of the present technology, the server 118 is implemented as a single server. In other non-limiting embodiments of the present technology, the functions of the server 118 may be distributed among multiple servers.

[52] The implementation of the server 118 is well known. Briefly, the server 118 includes a communication interface (not shown) whose structure and settings allow communication with various elements (such as the first electronic device 102 and other devices that may be connected to the communication network 114). Like first electronic device 102, server 118 includes server memory 120 that contains one or more storage media and generally provides storage space for computer program instructions executed by server processor 122. For example, server memory 120 may be implemented as a computer-readable physical storage medium, including ROM and/or RAM. Server memory 120 may also include one or more persistent storage devices such as hard disk drives (HDDs), solid state drives (SSDs), and flash memory cards.

[53] In some embodiments of the invention, the server 118 may be managed by an organization that provides the browser application 108 described above. , Moscow, 119021, Russia). In other embodiments, the server 118 may be operated by an organization other than the one that provides the browser application 108 described above.

[54] In some embodiments of the present technology, server 118 generally functions as a repository for web resource 124. As used herein, the term "web resource" means any network resource associated with a specific web address (such as a URL). (such as a web page, website, or web service) whose content can be presented to the user in visual form by the first electronic device 102 using the browser application 108.

[55] The web resource 124 is accessible by the first electronic device 102 via the communication network 114, for example, by a user entering a URL in a browser application 108 or by a web search using a search engine (not shown). Although the web server 118 hosts only the web resource 124 in the present non-limiting embodiment of the present technology, the scope of the invention is not limited to this and there may be multiple web resources.

[56 In general, in some non-limiting embodiments of the present technology, server 118 is capable of generating and sending cookies to electronic devices accessing web resource 124. The method of generating a cookie is well known in the art and is not detailed here. described. Suffice it to say that, in response to a request from an electronic device, server 118 is able to generate and send a cookie to the electronic device if the request itself does not contain a cookie.

[57] For example, the server 118 is able to execute the application 128 authentication. In some non-limiting embodiments of the present technology, the authentication application 128 is capable of generating a cookie 126 in response to an access request from the first electronic device 102 to the web resource 124 if the cookie is not present in the access request.

[58] Cookie 126 is an identifier assigned by the application 128 authentication. In some non-limiting embodiments of the present technology, the cookie contains a user ID (described in detail below) and a timestamp corresponding to the time the cookie 126 was created.

[59] In general, the cookie 126 is stored on the first electronic device 102 and may be temporary, ie. stored in the first electronic device 102 during the browsing session. Alternatively, in some non-limiting embodiments of the present technology, cookie 126 may be semi-permanent. In this case, the cookie 126 is stored on the first electronic device 102 after the user has left the web resource 124 and is reused by the server 118 on subsequent access. For example, cookie 126 may be stored on first electronic device 102 until deleted by the user.

[60] In some embodiments of the present technology, cookie 126 is encrypted using an encryption key (not shown). There are no restrictions on the implementation of the encryption key. For example, the encryption key may be based on or may be a variant of an algorithm based on the Advanced Encryption Standard (AES) with a 128-bit key in Electronic Code Book (ECB) mode, or the like.

[61] In general, in some non-limiting embodiments of the present technology, cookie 126 is sent by browser application 108 to server 118 whenever a new web page is requested from web resource 124.

[62] In some non-limiting embodiments of the present technology, cookie 126 is a dynamic cookie. In the context of this description, the term "dynamic cookie" may mean a cookie that changes over time.

[963] For example. given that cookie 126 contains a timestamp, in some non-restrictive embodiments of the present technology, authentication application 128 is able to change the timestamp of cookie 126 to reflect the time and date of each access request. In other words, with each request to access the web resource 124 from the first electronic device 102, the cookie 126 is modified by the authentication application 128 to change the time stamp. The modified cookie 126 is sent to the first electronic device 102 for storage. In other words, given that the cookie 126 contains at least a user ID and a timestamp, the user ID does not change, but the timestamp changes dynamically based on the time the web resource 124 was last accessed.

[64] In some non-limiting embodiments of the present technology, the authentication application 128 is capable of changing the timestamp of the cookie 126 in response to one or more triggering events. For example, the authentication application 128 may be able to update the timestamp of the cookie 126 on each access after a predetermined period of time (eg, weekly, monthly, etc.).

[65] In another example, the authentication application 128 may be able to update the timestamp of the cookie 126 in the presence of a different encryption key (such as a new encryption key (not shown)). In such a situation, the authentication application 128 is able to decrypt the cookie 126 using the old encryption key and re-encrypt the cookie 126 (with a corresponding new timestamp) using the new encryption key. For example, the authentication application 128 may be able to periodically use a new re-encryption key (eg, weekly, biweekly, etc.).

[66] To keep track of the various timestamps associated with each cookie, the server 118, in some non-limiting embodiments of the present technology, is linked to the database 130.

[67] FIG. 2 shows the structure of the database 130.

[68] For convenience of explanation, it can be assumed that the cookie 126 is associated with the user ID 202. The list 206 contains timestamps associated with the user ID 202 .

[69] In the example shown, the user ID 202 is associated with three timestamps (first timestamp 208, second timestamp 210, and third timestamp 212). The three timestamps are arranged in chronological order such that the first timestamp 208 is associated with the first visit to the first electronic device 102, the second timestamp 210 is associated with the next visit to the first electronic device 102, and the third timestamp 212 is associated with the last visit (when the cookie 126 was last encrypted).

[70] Of course, it is also contemplated that the timestamps may not be associated with the time of the visit, but point to the time when the cookie 126 was encrypted or re-encrypted.

[71] In some non-limiting embodiments of the present technology, server 118 is capable of tracking information associated with browser application 108. For example, server 118 may store information about browser application 108 and the operating systems used, the duration of the visit (or visits), web pages visited on the web resource 124, links, buttons or other elements used on the web resource 124, and data entered from the keyboard in the text fields of the web resource 124 (for example, comments posted).

[72] In some non-limiting embodiments of the present technology, the authentication application 128 is capable of assigning a user score to each user based on tracked information. For example, a user's score is a score indicating the likelihood that the user is a computer application (such as a bot) and/or a human spammer. Of course, it is also contemplated that the score may indicate not the likelihood that the user is a computer application and/or human spammer, but that the user is a trustworthy user.

[73] No restrictions are imposed on the determination of the user's rating. Given that the server 118 is capable of storing information associated with the browser application 108, the authentication application 128 may be able to determine the user's score based on an empirical approach (by collecting actual examples tagged as a non-spammer browsing sequence of the web resource 124) or a heuristic approach (by determining the sequence of browsing the web resource 124 by a person who is not a spammer). For example, the authentication application 128 may be able to assign a lower user score (indicating a greater likelihood that the user is a bot or spammer) in the event of an excessively long visit (e.g., six hours) compared to the average human user (e.g., 30 minutes).

[74] In another example, the authentication application 128 may be able to assign a lower user score in the event of an excessive number of web pages visited on the web resource 124 (e.g., 100 web pages) compared to the average human user (e.g., 10 pages).

[75] In yet another example, the authentication application 128 may be able to assign a lower score to a user if the content of the text fields entered by the user contains swear words, obscure text, and the like.

[76] Although in the above example, the user's score is determined only using the user's actions in relation to the web resource 124, the scope of the invention is not limited to this. In some non-limiting embodiments of the present technology, a user's score may be determined using browsing or navigation operations of the browser application 108 prior to accessing the web resource 124 by applying the technology described in the same applicant's patent application US15893824 "Method and system for detection potential spam activity during account registration, filed February 12, 2018, and incorporated herein by reference in its entirety.

[77] In some non-restrictive embodiments of the present technology, if the user's score falls below a predetermined threshold, the authentication application 128 is able to perform a restrictive action on the browser application associated with that user's score. For example, a restrictive action may correspond to (a) denying the electronic device's request to access the web resource 124, (b) limiting the number of web pages that the electronic device can request on the web resource 124, or (c) disabling the commenting feature. so that the corresponding user cannot post messages on the web resource 124 (or so that the number of messages is limited).

[78] In some non-limiting embodiments of the present technology, the user score associated with each cookie is stored in the database 130.

[79] It can be assumed that the cookie 126 stored in the first electronic device 102 contains a user ID 202 and a third timestamp 212 (see FIG. 1).

[80] Although the cookie 126 is described as containing the user ID 202 and the last timestamp 212, the scope of the invention is not limited to this. In some non-limiting embodiments of the present technology, cookie 126 may contain a user ID 202 and a timestamp string. In other words, cookie 126 may contain a user identifier 202, a first timestamp 208, a second timestamp 210, and a third timestamp 212 to chronologically illustrate visits and/or re-encrypt cookie 126. In such embodiments, the invention does not need to be stored in a database. timestamp data, i.e. a first time stamp 208, a second time stamp 210, and a third time stamp 212.

[81] In general, in other non-limiting embodiments of the invention, the timestamps stored locally in the first electronic device 102 or centrally in the database 130 may be a sequence of timestamps (i.e., first timestamp 208, second timestamp 210 timestamp and a third timestamp 212) or only the latest timestamps (in this case, the third timestamp 212).

[82] The system 100 also includes a second electronic device 132 connected to the communication network 114. There are no restrictions on how the second electronic device 132 is implemented, for example, it can be implemented like the first electronic device 102.

[83] In some non-limiting embodiments of the present technology, the second electronic device 132 is associated with the user who stole the cookie. In other words, the user associated with the second electronic device 132 is interested in mimicking another user by using a cookie associated with the other electronic device (or devices) when accessing the web resource.

[84] The reason why the second electronic device 132 needs to imitate a cookie file of another device is not subject to any restrictions. For example, the second electronic device 132 may be associated with a user's score below a threshold and therefore needs to steal a cookie 126 associated with a user's score above the threshold. In fact, as described above, many web resources (such as web resource 124) use cookies as identifiers to filter out users associated with a user rating below a threshold. By stealing someone else's cookie (such as cookie 126), the second electronic device 132 also steals the history associated with the first electronic device 102 and can thus bypass the filter.

[85] The method for stealing a cookie by the second electronic device 132 is outside the scope of the present technology and therefore is not discussed in detail. Suffice it to say that known cookie theft methods include, for example, network traffic interception, cross-site scripting (also known as XSS type attack), and the like.

[86] In the present example, it can be assumed that the second electronic device 132 has stolen the cookie 126 stored in the first electronic device 102. Accordingly, the second electronic device 132 contains a cookie with a user ID 202 and a third timestamp 212.

[87] Although system 100 has been described with reference to various hardware elements (such as database 130, server 118, first electronic device 102, and second electronic device 132) shown separately, it should be understood that this is done for better understanding. It is contemplated that the various functions performed by these elements may be performed by a single element or may be distributed among different elements.

Application 128 Authentication

[88] Obviously, as a result of "copying" or "stealing" the cookie 126 by the second electronic device 132 from the first electronic device 102, the system 100 contains two electronic devices containing the same cookies 126.

[89] In other words, from the perspective of the server 118, the first electronic device 102 and the second electronic device 132 correspond to the same electronic device (because they contain the same user ID 202).

[90] Of course, this can cause problems, since the second electronic device 132 is able to imitate the first electronic device 102 when accessing the web resource 124 in order to engage in spam or even illegal activities on the web resource 124.

[91] FIG. 3 is a diagram of a web resource access fraud detection process 124. The fraudulent access detection process is performed by an authentication application 128 (see FIG. 1) implemented in accordance with a non-restrictive embodiment of the present technology. The authentication application 128 performs (or otherwise accesses) the receive procedure 302, the determine procedure 304, and the output procedure 306.

[92] As used herein, the term "procedure" refers to a subset of the authentication application 128 computer program instructions executed by the server processor 122 (accept procedure 302, determine procedure 304, and output procedure 306). It should be clearly understood that the receive procedure 302, determine procedure 304, and output procedure 306 are shown separately for convenience in explaining the processes performed by the authentication application 128. It is contemplated that some or all of the procedures among the receive procedure 302, determine procedure 304, and output procedure 306 may be implemented as one or more combined procedures.

[93] For a better understanding of the present technology, the functions and processed or stored data and/or information of the receive procedure 302, determine procedure 304, and output procedure 306 are described below.

Receive procedure 302

[94] The receiving procedure 302 is capable of receiving a data packet 308 from the second electronic device 132. The data packet 308 contains a cookie 126 stored in the second electronic device 132. The transmission of the data packet 308 to the receiving procedure 302, which is not subject to any restrictions, may, for example, be performed in response to a request from the second electronic device 132 to access the web resource 124.

[95] If the cookie 126 is encrypted, the receiving procedure 302 is able to decrypt the cookie 126 using the means described above to determine the user ID 202 and the third timestamp 212.

[96] Next, the receive procedure 302 is able to send the data packet 314 to the determine procedure 304 . Packet 314 data contains the identifier 202 of the user and the third mark 212 times.

Procedure 304 determine

[97] In response to receiving the data packet 314, the determination routine 304 is capable of performing the following functions.

[98] First, the determination procedure 304 is able to access the database 130 and determine whether the third timestamp 212 is the last timestamp associated with the user ID 202.

[99] In other words, given that the cookie 126 sent by the second electronic device 132 is associated with the third time stamp 212 "July 25, 2019 10:53", the determination procedure 304 is able to access the database 130 and determine whether there is any next (new) timestamp associated with the user ID 202 .

[100] FIG. 4 is a diagram for determining if the user ID 202 is associated with the latest timestamp.

[101] In the present example, the list 206 indicates that the last timestamp associated with the user ID 202 is not the third timestamp 212, but the fourth timestamp 214.

[102] In other words, the first electronic device 102 accessed the web resource on July 30, 2019 at 10:13 am when the new timestamp was associated with the user ID 202.

[103] If it is determined that the third timestamp 212 is not the last timestamp associated with the user ID 202, the procedure 304 is able to determine that the second electronic device 132 has fraudulently obtained the cookie 126.

[104] The determination procedure 304 is further capable of sending the data packet 316 to the output procedure 306 (see FIG. 3). Packet 316 data contains an indication that the request of the second electronic device 132 to access the web resource 124 corresponds to a fraudulent access.

Output procedure 306

[105] In response to receiving the data packet 316, the output procedure 306 is capable of performing the following functions.

[106] As described above, it was determined that the request of the second electronic device 132 to access the web resource 124 corresponds to fraudulent access. In this regard, the output procedure 306 is able to perform a restrictive action on this request (as described above).

[107] In some non-limiting embodiments of the present technology, in addition to performing a restrictive action, the output procedure 306 is further capable of generating and sending a second cookie 318 to the second electronic device 132.

[108] For example, the second cookie 318 contains a user ID that is different from the user ID 202 (see FIG. 4) and refers to the second electronic device 132. In other words, the second cookie 318 replaces the cookie 126 in the second electronic device 132.

[109] In some non-limiting embodiments of the present technology, it is assumed that not only is a second cookie 318 generated for the second electronic device 132, but the output procedure 306 is additionally capable of generating and sending a third cookie (not shown) to the first electronic device. 102 in response to receiving a new request to access the web resource 124.

[110] Such embodiments are based on the assumption that while cookie thieves typically store a stolen cookie for some period of time before it is used (and therefore the first electronic device 102 is most likely to access the web). resource 124 prior to the request from the second electronic device 132), this may not always be the case. In other words, the second electronic device 132 may copy the cookie 126 and immediately access the web resource 124. Accordingly, when the first electronic device 102 subsequently requests access to the web resource 124, a third cookie (not shown) is generated and sent to the first electronic storage device 102, thus replacing the cookie 126.

[111] In other words, in some non-limiting embodiments of the present technology, if it is determined that cookie 126 was used by two different electronic devices, server 118 is able to generate and assign different cookies to each of the two different electronic devices (resulting in causing cookie 126 to become obsolete).

[112] In various non-limiting embodiments of the present technology, it is possible to detect fraudulent access to a web resource.

[113] The architecture and examples described above allow a computer-based method to detect fraudulent access to a web resource. In FIG. 5 is a flow diagram of a method 500 performed in accordance with non-limiting embodiments of the present technology. Method 500 may be performed by server 118.

[114] Step 502: The server receives from the first electronic device the first access request to the web resource containing the first cookie.

[115] The method 500 begins at step 502, in which the first electronic device 102 sends a request to the server 118 to access the web resource 124. The request contains a cookie 126 containing at least a user ID 202 and a second timestamp 210.

[116] Step 504: The server converts the first cookie into a second cookie.

[117] At step 504, the server 118 updates the cookie 126, which now contains the third timestamp 212 and the user ID 202.

[118] Step 506: The server sends the second cookie to the first electronic storage device.

[119] At step 506, the server 118 sends a cookie 126 containing the user ID 202 and the third timestamp 212 to the first electronic storage device.

[120] Step 508: The server receives from the second electronic device a second access request to a web resource containing a third cookie.

[121] At step 508, the second electronic device 132 sends the data packet 308 to the receive procedure 302 . The data packet 308 contains a cookie 126. The cookie 126 received from the second electronic device 132 contains a user ID 202 and a third timestamp 212.

[122] Step 510: The server determines the second request as fraudulent based on the analysis of the third cookie and the first cookie.

[123] At step 510, the determination routine 304 is able to query the database 130 to determine if the third timestamp 212 is the latest timestamp associated with the user ID 202.

[124] If the third timestamp 212 is not the last timestamp associated with the user ID 202, procedure 304 is able to determine that the request from the second electronic device 132 is a fraudulent request.

[125] For a person skilled in the art, possible changes and improvements in the above-described embodiments of the present technology may be obvious. The foregoing description is given by way of example and not by way of limitation on the scope of the invention. The scope of protection of this technology is determined solely by the scope of the appended claims.

[126] Although the embodiments described above are given with reference to specific steps performed in a certain order, it should be understood that these steps can be combined, separated, or their order can be changed without departing from the boundaries of the present technology. Accordingly, the order and grouping of steps is not limiting to the present technology.

Claims (59)

1. A method for detecting fraudulent access to a web resource hosted on a server, performed by the server and including: receiving by the server from the first electronic device the first request for access to the web resource containing the first cookie; the server converting the first cookie into a second cookie; sending, by the server, a second cookie to the first electronic storage device; receiving by the server from the second electronic device a second request for access to a web resource containing a third cookie; and determination by the server of the second request as a fraudulent request based on the analysis of the third cookie and the first cookie. 2. The method according to p. 1, characterized in that the first cookie is the first encrypted cookie; the third cookie is the third encrypted cookie; and converting the first cookie to the second cookie includes re-encrypting the first encrypted cookie to the second encrypted cookie. 3. The method according to p. 2, characterized in that the first encrypted cookie contains a first user device identifier associated with the first electronic device and a first timestamp indicating the time the first encrypted cookie was created; the second encrypted cookie contains a first user device identifier and a second timestamp indicating the time the second encrypted cookie was created; and the third encrypted cookie contains at least the second identifier of the user device. 4. The method according to claim 3, characterized in that the server is connected to the database, and the method further includes storing by the server in the database an indication to re-encrypt the first encrypted cookie into the second encrypted cookie. 5. The method of claim 4, wherein determining the second request as a fraudulent request includes querying a database to determine if the second user device ID matches the first user device ID. 6. Method according to claim 5, characterized in that the first electronic device is different from the second electronic device. 7. Method according to claim 5, characterized in that the first electronic device matches the second electronic device. 8. The method according to p. 2, characterized in that it further includes determining when the first encrypted cookie is created after the first request is received; and re-encrypting the first encrypted cookie into a second encrypted cookie if the creation time indicates that the lifetime of the first encrypted cookie exceeds a predetermined threshold. 9. The method of claim. 2, characterized in that the server is able to store the first encryption key and the second encryption key, and the method further includes receiving a third request from the first electronic device before receiving the first request; generating a first encrypted cookie using the first encryption key; and sending the first encrypted cookie to the first electronic storage device, while reencryption by the server includes decrypting the first encrypted cookie using the first encryption key; and re-encrypting the decrypted first encrypted cookie using the second encryption key, wherein the second encrypted cookie is different from the first encrypted cookie. 10. The method of claim 2, further comprising performing a restrictive action on the second request after the second request is determined to be a fraudulent request. 11. The method according to claim 10, characterized in that the restrictive action is a rejection of the second request or provision of limited access to the web resource. 12. A system for detecting fraudulent access to a web resource hosted on a server containing a processor configured to receiving from the first electronic device the first access request to the web resource containing the first cookie; converting the first cookie to a second cookie; sending a second cookie to the first electronic storage device; receiving from the second electronic device a second request for access to a web resource containing a third cookie; and determining the second request as a fraudulent request based on the analysis of the third cookie and the first cookie. 13. The system according to claim 12, characterized in that the first cookie is the first encrypted cookie; the third cookie is the third encrypted cookie; and to convert the first cookie into a second cookie, the processor is configured to re-encrypt the first encrypted cookie into a second encrypted cookie. 14. The system according to claim 13, characterized in that the first encrypted cookie contains a first user device identifier associated with the first electronic device and a first timestamp indicating the time the first encrypted cookie was created; the second encrypted cookie contains a first user device identifier and a second timestamp indicating the time the second encrypted cookie was created; and the third encrypted cookie contains at least the second identifier of the user device. 15. The system according to claim 14, characterized in that the server is connected to the database, and the processor is additionally configured to store in the database an indication to re-encrypt the first encrypted cookie into the second encrypted cookie. 16. The system of claim. 15, wherein in order to determine the second request as a fraudulent request, the processor is configured to access a database to determine a match between the second user device identifier and the first user device identifier. 17. The system of claim. 16, characterized in that the first electronic device is different from the second electronic device. 18. The system according to claim 16, characterized in that the first electronic device is the same as the second electronic device. 19. The system according to claim 13, characterized in that the processor is additionally configured to determining when the first encrypted cookie is created after the first request is received; and re-encrypting the first encrypted cookie into a second encrypted cookie if the creation time indicates that the lifetime of the first encrypted cookie exceeds a predetermined threshold. 20. The system according to claim 13, characterized in that the processor is additionally configured to storing the first encryption key and the second encryption key; receiving a third request from the first electronic device before receiving the first request; generating a first encrypted cookie using the first encryption key; sending the first encrypted cookie to the first electronic storage device, at the same time, for re-encryption by the server, the processor is configured to decrypting the first encrypted cookie using the first encryption key; and re-encrypting the decrypted first encrypted cookie using the second encryption key, wherein the second encrypted cookie is different from the first encrypted cookie.

Images