US20160342793A1 - Automatic Library Detection - Google Patents

Automatic Library Detection Download PDF

Info

Publication number
US20160342793A1
US20160342793A1 US15/224,978 US201615224978A US2016342793A1 US 20160342793 A1 US20160342793 A1 US 20160342793A1 US 201615224978 A US201615224978 A US 201615224978A US 2016342793 A1 US2016342793 A1 US 2016342793A1
Authority
US
United States
Prior art keywords
source code
code
web page
string
processing
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US15/224,978
Inventor
Ariya Hidayat
Bei Zhang
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shape Security Inc
Original Assignee
Shape Security Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority to US14/293,895 priority Critical patent/US9405910B2/en
Application filed by Shape Security Inc filed Critical Shape Security Inc
Priority to US15/224,978 priority patent/US20160342793A1/en
Publication of US20160342793A1 publication Critical patent/US20160342793A1/en
Application status is Abandoned legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/563Static detection by source code analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network-specific arrangements or communication protocols supporting networked applications
    • H04L67/42Protocols for client-server architectures
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033Test or assess software

Abstract

The automated, real-time detection of specific blocks of code within a larger body of source code is described. Specific implementations relate to the detection of known code libraries in web page code to improve the efficiency of the generation of polymorphic transformations of the web page code for the purpose of impeding automated cyber-attacks.

Description

    BACKGROUND
  • Automated cyber-attacks that exploit web applications have been on the rise throughout the past decade, growing in both frequency and variety. Many of these cyber-attacks have potentially devastating consequences. For instance, a recent automated attack modified banking transactions without using authentication credentials. Thus, defending against automated attacks is becoming an increasingly high priority for businesses with an online presence.
  • Implementing security countermeasures to prevent automated attacks generally comes at the cost of slowing down the operation of web applications. Because perceptible latency in interactions with such applications is unacceptable to users, increasing efficiency in the fight against cyber-attacks is, and will continue to be, an important objective.
  • SUMMARY
  • According to various implementations, methods, apparatus, systems, and computer program products are provided for the detection of specific blocks of code within a larger body of source code. According to a particular class of implementations, source code is received from a server, responsive to a request from a client. A set of tokens based on the source code is generated. A first string of values representing a subset of the set of tokens is generated. It is determined whether any portion of the first string corresponds to any of a plurality of predetermined strings of values. The source code is processed responsive to determining whether any portion of the first string corresponds to any of the predetermined strings. The processed source code is provided to the client in response to the request.
  • In some implementations, each of the predetermined strings might correspond to a known library. In other implementations, each of the predetermined strings might correspond to previously processed code, and the processing of the source code might include use of processing results corresponding to the previously processed code.
  • According to some implementations, the source code might correspond to a web page and processing the source code might include recoding the source code to generate a polymorphic representation of the source code.
  • According to some implementations, where a first portion of the first string corresponds to one of the predetermined strings, a first portion of the source code corresponding to the first portion of the first string is excluded from at least a portion of the processing of the source code.
  • A further understanding of the nature and advantages of various implementations may be realized by reference to the remaining portions of the specification and the drawings.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 shows an example of a system for generating polymorphic transformations of web page code for the purpose of impeding automated attacks.
  • FIG. 2 is a simplified block diagram of a network appliance configured to generate polymorphic transformations of web page code.
  • FIG. 3 is a flowchart illustrating the operation of a specific implementation in which library code is detected within the source code of a web page.
  • FIG. 4 shows an example of the tokenization of source code.
  • FIG. 5 shows an example of a comparison between strings corresponding to web page source code and strings corresponding to known JavaScript libraries.
  • FIG. 6 shows an example of the Aho-Corasick string matching algorithm embodied as a finite state machine.
  • DETAILED DESCRIPTION
  • This disclosure describes the automated, real-time detection of specific blocks of code within a larger body of source code. Specific implementations are described that involve the detection of known code libraries in web page code to improve the efficiency of the generation of polymorphic transformations of the web page code for the purpose of impeding automated cyber-attacks. However, it should be noted that these implementations are merely examples of a much broader class of applications contemplated by the inventors.
  • The polymorphic transformation of web page code involves dynamically altering the ordinarily static source code associated with a web page. This makes the source code more difficult to exploit from the perspective of an automated attacker while leaving web content viewable to the human user apparently unchanged. One challenge associated with such techniques is that, in order for a web page to remain functional, changes to its source code must be consistent across resources related to the web page. For instance, if a web page is associated with html source code further referencing JavaScript, any change made to the html code must be consistent with the internally referenced JavaScript and vice versa. Thus, changing the source code of a web page while maintaining its functionality requires identifying connections within and between components of the source code. Analyzing code for such connections can be computationally expensive, potentially introducing unacceptable latency in the delivery of web content and services to end users.
  • According to specific implementations described herein, blocks of code within source code that do not require processing are identified and excluded from processing, thereby reducing the latency associated with the processing of the source code. For example, detecting a known JavaScript library and excluding the library from unnecessary processing facilitates efficiency in the context of generating polymorphic transformations of web pages. In another example, gains in efficiency can be achieved by detecting code that has previously been analyzed for polymorphic transformation and excluding the analyzed code from potentially redundant processing and/or reusing the results of the previous processing.
  • FIG. 1 illustrates an example of a computing environment 100 in which polymorphic transformations of web page code are generated for the purpose of impeding automated attacks that are designed to exploit such code. One or more servers 104 serve web pages via a network 108 to one or more client devices 112. Network 108 represents any subset or combination of a wide array of network environments, including the interne, public networks, private networks, local area networks, TCP/IP-based networks, telecommunications networks, wireless networks, cable networks, etc. Client devices 112 could be any device capable of requesting web pages served by server(s) 104. For instance, such devices might include a desktop computer, a laptop computer, a tablet, a smartphone, a set top box, a wearable device, etc.
  • A load balancer 116 acts as an intermediary between the servers 104 and the network 108, distributing source code (e.g., web pages served by servers 104) to one or more network appliances 120. The one or more network appliances 120 process at least a portion of the source code received, generating polymorphic representations of the source code. Ultimately, the one or more network appliances 120 provide the transformed source code to one or more client devices 112 via the load balancer 116 to the network 108.
  • A simplified block diagram of such a network appliance 120 is shown in FIG. 2. Appliance 120 contains one or more processors 200, including one or more single or multi-core processors configured to execute stored instructions. Appliance 120 also includes one or more memories 204. Memory 204 comprises non-transitory computer-readable storage media that could potentially include a wide variety of forms of volatile and non-volatile storage media. For instance, memory 204 could include electronic storage media, magnetic storage media, optical storage media, quantum storage media, mechanical storage media, etc. Memory 204 provides storage for computer readable instructions, data structures, program modules and other data for the operation of appliance 120.
  • Appliance 120 also includes one or more network interfaces 208. The network interfaces 208 may be used to connect via wired or wireless connections to cellular networks, including the internet, public networks, private networks, local area networks, etc. For example, network interfaces 208 may include modules for a T-carrier such as a T1 or T3 line, an optical carrier line such as a line to a synchronous optical network or a fiber optic network, an Ethernet connection, a digital subscriber line, a telephone line, a coaxial cable, etc. Network interfaces 208 might also include radio frequency modules for a 3G or 4G cellular network, a WiFi local area network and a Bluetooth private network. Appliance 120 also includes one or more buses or other internal communications hardware or software (not shown) that allow for the transfer of data and instructions between the various modules and components of the appliance.
  • While appliance 120 might have many functions, this document focuses mainly on the use of appliance 120 to generate polymorphic representations of source code associated with a web page. In one implementation, appliance 120 receives Input Source Code 212 associated with a web page through one or more network interfaces 208. The Input Source Code 212 is processed by a series of modules. While the number and variety of modules will vary depending on the specific implementation, three modules relevant to the depicted implementation are discussed herein. It will be understood that these and other modules may be implemented by processor(s) 200 executing code in memory 204.
  • In the library detection module 216, appliance 120 detects blocks of source code within the Input Source Code 212. For instance, appliance 120 might be configured to detect known JavaScript libraries. In other examples, appliance 120 might be configured to detect known libraries associated with other languages such as JavaScript, CoffeeScript, TypeScript, Dart, Cascading Style Sheets (CSS), Hypertext Markup Language (html), C, C++, Python, PHP: Hypertext Preprocessor, Perl, Visual Basic Script, etc. In yet another example, appliance 120 could be configured to detect blocks of source code that have already been subject to some level processing in order to exclude those blocks of code from redundant processing. Library detection is discussed in more detail below.
  • At least a portion of the Input Source Code 212 is subject to processing at the Code Analysis Module 220. As discussed above, one challenge associated with modification of web page source code is that changes must be consistent across all resources related to the web page. Thus, in the context of generating polymorphic transformations of web page code, the Code Analysis Module 220 processes the code to identify connections between web page resources—e.g., between html source code and internally referenced JavaScript. For additional information regarding the processing of web page code in the context of generating polymorphic transformations of the code, please refer to U.S. patent application Ser. No. 14/055,704 for “Safe Intelligent Content Modification” filed on Oct. 16, 2013 (Attorney Docket No. 37109-0005001), the entire disclosure of which is incorporated herein by reference for all purposes.
  • According to some implementations, certain blocks of source code identified at the Library Detection Module 216 might be excluded from processing by the Code Analysis Module 220 to save computational resources. For instance, third party JavaScript libraries, such as jQuery, TeaLeaf, some jQuery plugins, etc., might be detected by the Library Detection Module 216 and, as a result, be excluded from processing by the Code Analysis Module 220. Along the same lines, if a block of source code is identified at the Library Detection Module 216 to be a block of source code that has been previously analyzed, the previously analyzed block of source code might also be excluded from processing by the Code Analysis Module 220.
  • A polymorphic representation of the Input Source Code 212 is generated at the Recoding Module 224. It should be noted that there are a number of ways to transform web page source code without changing the web page's appearance to a user. For instance, a variable (e.g., “user_name”) describing an inputted username could be changed from “user_name” to a random string (e.g., “n2qi87fpr3wr”). In another example, the layers of a field from which a username is gathered could be changed. Instead of taking all of the user name characters from a single field, the first and third characters might be entered in one field, the second character in another, etc. If the fields are overlaid in the user interface, a user cannot tell the difference between a representation of a website where all username characters are gathered from a single field and a representation where the characters are gathered from multiple overlaid fields. Ultimately, the recoding process can vary greatly from implementation to implementation. Further examples may be found with reference to U.S. application Ser. No. 14/055,704 incorporated herein by reference above.
  • After the source code is transformed in the Recoding Module 224, Output Source Code 228 comprising a polymorphic representation of the Input Source Code 212 is transmitted from the appliance 120 via the one or more network interfaces 208. In some implementations, the Output Source Code 228 is transmitted to a load balancer (e.g., load balancer 116 of FIG. 1) and then on to the requesting user device via a network (e.g., to one of devices 112 via network 108 as shown in FIG. 1). Alternatively, the Output Source Code 228 might be transmitted directly to the user device. The Output Source Code 228 may then be rendered as a web page in a browser on the user device.
  • It should be noted that, despite references to specific computing paradigms and software tools in this disclosure, the computer program instructions on which implementations are based may correspond to any of a wide variety of programming languages, software tools and data formats, may be stored in any type of non-transitory computer-readable storage media or memory device(s), and may be executed according to a variety of computing models including, for example, a client/server model, a peer-to-peer model, on a stand-alone computing device, or according to a distributed computing model in which various functionalities may be effected or employed at different locations. In addition, references to particular protocols in this disclosure are merely by way of example. Suitable alternatives known to those of skill in the art may be employed as appropriate for particular implementations.
  • Referring now to FIG. 3, a particular example of the detection of blocks of code within a larger body of source code will be described. As mentioned above, the example of FIG. 3 is discussed in the context of detecting known code libraries within web page source code to improve the efficiency of generating polymorphic transformations of the web page source code for the purpose of impeding automated cyber-attacks. It should also be noted that the example of FIG. 3 could be implemented in a variety of ways including, for instance, integrated with the operation of a network appliance such as, for example, appliance 120 described above. Alternatively, code detection as described herein might be implemented in another device (e.g., integrated with the originating server or at an intermediate device such as a load balancer) or be distributed among multiple devices.
  • Source code is received from a server in response to a request from a client (300). The source code could include components in a wide variety of languages including, for example, JavaScript, CoffeeScript, TypeScript, Dart, Cascading Style Sheets (CSS), Hypertext Markup Language (html), C, C++, Python, PHP: Hypertext Preprocessor, Perl, Visual Basic Script, etc. The source code could also be associated with a number of objects including, for example, an executable program. For the sake of clarity and brevity, the specific implementations discussed in this document will focus on source code associated with a web page. However, it will be understood that the described techniques are not so limited.
  • A set of tokens is generated based on the source code (304). Tokenization is a broadly defined process. For instance, tokenization might include breaking up the source code into recognized words, whitespace, and punctuation, and including the whitespace and punctuation in the set of tokens. In another scenario, whitespace and punctuation may not be included. An example of tokenization is provided in FIG. 4. Source code 400 is broken into tokens 402-424. In this example, the tokens include all elements of the source code including whitespace and punctuation.
  • Any number of tokens, including zero, might be removed from the set of tokens to produce a subset of tokens (308). For example, in the context of web page code, some of the removed tokens might be associated with one or more portions of the source code that are unnecessary for processing of the source code by a browser. Tokens might also be removed such that the subset of tokens is sufficient, but no greater in size than necessary, to uniquely identify the various blocks of code within the source code. In other situations, a greater number of tokens may be removed such that various blocks within the source code may no longer be completely uniquely identifiable but are still sufficiently likely to be correctly identified based on the remaining subset of tokens.
  • In the example shown in FIG. 4, tokens representing punctuation and whitespace are removed from a set of tokens 426 to produce subset 428. A token for “var” 414 is also removed. Since “var” is used to define variable scope, it may be used in some variations of a given library and not used in others. Therefore, while token subset 428 may not contain information about all of the intricacies of source code 400, it is likely sufficient to correctly identify whether or not source code 400 is a specific block of code, e.g., a known JavaScript library.
  • Referring again to FIG. 3, a string of values is generated based on the subset of tokens (312). This may be done in a variety of ways. For example, as shown in FIG. 4, the string could represent a one to one mapping of the tokens to integers; each token in subset 428 being mapped to an integer to generate string 430. In other implementations, the string could comprise alphanumeric characters or other symbols and could be associated with the subset of tokens in a variety of ways. For example, a specific class of tokens might be represented by a hexadecimal digit. Other ways of representing the subset of tokens may be application specific and will be appreciated by those of skill in the art.
  • It is then determined whether any portion of the string corresponds to any of a plurality of predetermined strings of values, each of which corresponds to a known library or block of code (316). FIG. 5 shows an example in which a set of strings 500 representing JavaScript from a web page are compared to a set of predetermined strings 504. In the depicted example, the strings derived from the web page include strings 508 and 512 corresponding to blocks of code labeled in FIG. 5 as bundle.js and ga.js, respectively. Predetermined strings 516, 520, 524, and 528 correspond to JavaScript libraries “jQuery,” “Mootools,” “dojo,” and “Google Analytics,” respectively. String 512 is determined to correspond to string 528 (“Google Analytics”) because each element of string 512 matches the corresponding element of string 528. On the other hand, string 508 does not match any of the predetermined strings 504.
  • In a particular implementation, the predetermined strings are included in a previously generated database of strings in which at least some of the strings represent known JavaScript libraries. The database could be generated offline using a process similar to that described above with reference to 304-312. That is, each known library or block of code to be included in the database could be tokenized (304), have tokens optionally removed (308), and a have a representative string generated based on the remaining tokens (312). Such a database might, for example, be stored in the memory of or be otherwise available to appliance 120.
  • According to various implementations, determining whether any portion of a string generated from received source code corresponds to any of the predetermined strings (316) can be done in a variety of ways. According to a particular class of implementations, the identification process is implemented as a finite state machine, which is pre-computed offline. Pre-computing the state machine offline, allows it to be loaded into the memory of a device, e.g., appliance 120. Advantageously, the state machine operates quickly, allowing the string matching process to operate with little or no perceptible latency.
  • An example of the operation of such a state machine, employing the Aho-Corasick algorithm, is illustrated in FIG. 6. For more specific details about the Aho-Corasick algorithm, please refer to “Efficient string matching: an aid to bibliographic search” by Alfred V. Aho and Margaret J. Corasick, published in “Communications of the ACM” volume 18, issue 6 p. 333-40 (June 1975), the entire text of which is incorporated herein by reference for all purposes.
  • As depicted in FIG. 6, the states and transitions are defined by a set of predetermined strings 600, each representing a JavaScript library. More specifically, the transitions leading to an endpoint state (616, 632, or 636) are defined by successive characters in a string, each character corresponding to a given JavaScript library associated with the endpoint state. Each solid line with an arrow represents a transition and is labeled with a number which leads to the transition. A dotted line with an arrow represents a failure transition. For the sake of clarity, failure transitions leading to the root state 604 are not shown in FIG. 6. Each state in the machine is labeled with reference numerals 604-636. When an endpoint state (616, 632, or 636) is reached, the state machine outputs the name of the library corresponding to the endpoint state.
  • To illustrate how the state machine works, it may be helpful to walk through a specific example. Assume that a string representing received source code comprising integers 138647 is inputted into the machine. Beginning at root state 604, the first character of the input string, 1, will change the state to 608. The next character, 3, will change the state to 612. There is no transition from state 612 associated with the next character of the input string, 8, leading to a failure. There is a failure transition leading from 612 to 620 because 3 is a prefix leading to both state 612 and 620; therefore, the state will change to 620. The next characters, 8, 6, and 4, trigger transitions leading to states 624, 628, and 632 respectively. State 632 is an endpoint corresponding to the Mootools library; therefore, the machine will output that the 3864 portion of the string matches the Mootools library. There is no transition from state 632 corresponding to 7; thus, the next character, 7, leads to back to root state 604. Again, there is no transition associated with 7, so the state will not change. At this point, there are no remaining elements in the inputted string; thus, the process will stop.
  • Returning to FIG. 3, where a portion of the string is determined to correspond to one of the predetermined strings (316), a corresponding portion of the source code is excluded from at least a portion of the processing of the source code (320). As mentioned above, excluding identified blocks of code from processing may serve to save computational resources in the context of generating polymorphic transformations of web page code. For example, to save processing time, many third party JavaScript libraries may be excluded from the analysis stage of such a process.
  • According to some implementations, it may optionally be determined whether any portion of the string representing the received code corresponds to any of an additional set of predetermined strings, each of which corresponds to previously processed code (324). This allows for the re-use of the results of previous processing (328) after, for example, blocks of code have been processed and cached. For example, once a block of code has been processed, a string corresponding to that block of code can be saved as one of the predetermined strings. When a previously processed block of code is detected in newly received code, redundant processing steps can be avoided. For example, assume that a user accesses a web page that was accessed by another user. Also assume that at the time the first user accessed the web page, the source code associated with the web page was processed. Thus, when the second user accesses the same web page, a portion of the source code associated with the web page will have been previously processed. Because the portion of previously processed source code has already been subject to a level of processing, the results of the processing might be reused or redundant processing might be avoided altogether.
  • In some instances, data surrounding the processing of web page source code might be shared by multiple devices. For example, source code might be analyzed for connections by a first device (e.g., an appliance 120) when a web page is accessed by a first user. A string corresponding to the analyzed code could be shared with one or more additional devices (e.g., additional appliances 120). Thus, when future users access the previously analyzed web page, the analyzed code will be detected and redundant analysis skipped even if the first device is offline.
  • It should be noted that string processing for the detection of known libraries and the detection of previously processed code have been described as being performed separately for the purpose of clear illustration. However, it will be understood that these detections may be performed together as part of the same sequence of processing steps. That is, the predetermined strings corresponding to known libraries and those corresponding to previously processed code may be stored in the same database and be used to implement a single state machine against which received code is processed as described.
  • Returning to FIG. 3, the source code is processed responsive to the results of the string detection (332). For example, if no portions of the string representing the received code correspond to any of the predetermined strings, the entire source code might be processed. On the other hand, if a match is detected, the portion of the source code corresponding to the matched portion of the string might be subject to lesser processing or be excluded from processing.
  • It is important to note that the processing of the source code as represented in FIG. 3 is intended to cover a broad range of alternatives. For example, processing might include analysis for connections within and between components of source code. Processing might also include the recoding of source code to generate a polymorphic representation of the source code. Moreover, the manner in which the processing is responsive to the detection of blocks of code within the source code may also vary considerably. For example, if source code corresponding to a recently analyzed and recoded block of source code is detected, the analyzed and recoded block of source code might be re-used. In another example, a known JavaScript library might be detected, e.g., in the Library Detection Module 216 of appliance 120, and the responsive processing might include the detected code being excluded from processing by the Code Analysis Module 220.
  • Returning to FIG. 3, the processed source code is provided to a client (336). For instance, the source code might be associated with an online banking website and might be transmitted for rendering in a browser on a customer's smart phone. In the context of the polymorphic transformation of the web page code, the customer would be able to interact with the website with little or no perceptible latency because redundant processing is eliminated through the library detection techniques disclosed herein.
  • As mentioned above, the disclosed methods, apparatus, and computer-readable storage media for detecting specific blocks of code within a larger body of source code are not limited to the detection of known libraries. For example, they might be used purely for caching the results of previous processing as described above. For example, when a block of source code is analyzed, e.g., in the code analysis module 220 in appliance 120, a string representing the analyzed source code can be cached so as to prevent subsequent re-analysis of the same code. In another example, once source code has been through some level of processing (e.g., polymorphic transformation), the processed source code itself can be cached for later re-use. Alternatively, a result from the processing of a block of source code, e.g., whether or not the block of source code is transformable, can be cached and later re-used when that block of source code is identified.
  • Another useful implementation of detecting specific blocks of code within a larger body of source code might involve detecting malicious code that has been injected into web page source code. For example, a dynamically generated web page might receive an input containing a malicious script. A string representing the web page source code can be compared to a database of predetermined strings representing certain malicious scripts using the methods described herein. If a malicious script is detected, the malicious script can be removed before damage is done.
  • Yet another useful implementation of detecting specific blocks of code within a larger body of source code might involve source code scanning. For example, the detection methods disclosed herein could be used by developers to detect third party libraries in a source code repository.
  • While the subject matter of this application has been particularly shown and described with reference to specific implementations thereof, it will be understood by those skilled in the art that changes in the form and details of the disclosed implementations may be made without departing from the spirit or scope of the invention. Examples of some of these implementations are illustrated in the accompanying drawings, and specific details are set forth in order to provide a thorough understanding thereof. It should be noted that implementations may be practiced without some or all of these specific details. In addition, well known features may not have been described in detail to promote clarity. Finally, although various advantages have been discussed herein with reference to various implementations, it will be understood that the scope of the invention should not be limited by reference to such advantages. Rather, the scope of the invention should be determined with reference to the appended claims.

Claims (1)

What is claimed is:
1. A computer-implemented method, comprising:
receiving source code from a server, the source code being responsive to a request from a client to the server;
using one or more processors, generating a set of tokens based on the source code;
using the one or more processors, generating a first string of values representing a subset of the set of tokens;
using the one or more processors, determining whether any portion of the first string corresponds to any of a plurality of predetermined strings of values, each of the predetermined strings corresponding to a known library;
using the one or more processors, processing the source code responsive to determining whether any portion of the first string corresponds to any of the predetermined strings; and
providing the processed source code to the client in response to the request.
US15/224,978 2014-06-02 2016-08-01 Automatic Library Detection Abandoned US20160342793A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US14/293,895 US9405910B2 (en) 2014-06-02 2014-06-02 Automatic library detection
US15/224,978 US20160342793A1 (en) 2014-06-02 2016-08-01 Automatic Library Detection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US15/224,978 US20160342793A1 (en) 2014-06-02 2016-08-01 Automatic Library Detection

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US14/293,895 Continuation US9405910B2 (en) 2014-06-02 2014-06-02 Automatic library detection

Publications (1)

Publication Number Publication Date
US20160342793A1 true US20160342793A1 (en) 2016-11-24

Family

ID=54702126

Family Applications (2)

Application Number Title Priority Date Filing Date
US14/293,895 Active 2034-06-18 US9405910B2 (en) 2014-06-02 2014-06-02 Automatic library detection
US15/224,978 Abandoned US20160342793A1 (en) 2014-06-02 2016-08-01 Automatic Library Detection

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US14/293,895 Active 2034-06-18 US9405910B2 (en) 2014-06-02 2014-06-02 Automatic library detection

Country Status (1)

Country Link
US (2) US9405910B2 (en)

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140373087A1 (en) * 2013-06-18 2014-12-18 Microsoft Corporation Automatic Code and Data Separation of Web Application
US9917850B2 (en) 2016-03-03 2018-03-13 Shape Security, Inc. Deterministic reproduction of client/server computer state or output sent to one or more client computers
US9923919B2 (en) 2013-03-15 2018-03-20 Shape Security, Inc. Safe intelligent content modification
US9954893B1 (en) 2014-09-23 2018-04-24 Shape Security, Inc. Techniques for combating man-in-the-browser attacks
US9973519B2 (en) 2013-03-15 2018-05-15 Shape Security, Inc. Protecting a server computer by detecting the identity of a browser on a client computer
US9986058B2 (en) 2015-05-21 2018-05-29 Shape Security, Inc. Security systems for mitigating attacks from a headless browser executing on a client computer
US10044753B2 (en) 2014-01-20 2018-08-07 Shape Security, Inc. Intercepting and supervising calls to transformed operations and objects
US10089216B2 (en) 2014-06-30 2018-10-02 Shape Security, Inc. Automatically determining whether a page of a web site is broken despite elements on the page that may change
US10129289B1 (en) 2016-03-11 2018-11-13 Shape Security, Inc. Mitigating attacks on server computers by enforcing platform policies on client computers
US10187408B1 (en) 2014-04-17 2019-01-22 Shape Security, Inc. Detecting attacks against a server computer based on characterizing user interactions with the client computing device
US10193909B2 (en) 2013-03-15 2019-01-29 Shape Security, Inc. Using instrumentation code to detect bots or malware
US10205742B2 (en) 2013-03-15 2019-02-12 Shape Security, Inc. Stateless web content anti-automation
US10212137B1 (en) 2014-01-21 2019-02-19 Shape Security, Inc. Blind hash compression
US10212130B1 (en) 2015-11-16 2019-02-19 Shape Security, Inc. Browser extension firewall
US10230718B2 (en) 2015-07-07 2019-03-12 Shape Security, Inc. Split serving of computer code
US10298599B1 (en) 2014-09-19 2019-05-21 Shape Security, Inc. Systems for detecting a headless browser executing on a client computer
US10326790B2 (en) 2016-02-12 2019-06-18 Shape Security, Inc. Reverse proxy computer: deploying countermeasures in response to detecting an autonomous browser executing on a client computer
US10333924B2 (en) 2014-07-01 2019-06-25 Shape Security, Inc. Reliable selection of security countermeasures
US10375026B2 (en) 2015-10-28 2019-08-06 Shape Security, Inc. Web transaction status tracking
US10382482B2 (en) 2015-08-31 2019-08-13 Shape Security, Inc. Polymorphic obfuscation of executable code

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101543237B1 (en) * 2014-12-03 2015-08-11 한국인터넷진흥원 Apparatus, system and method for detecting and preventing a malicious script by static analysis using code pattern and dynamic analysis using API flow

Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040015892A1 (en) * 2001-05-25 2004-01-22 International Business Machines Corporation Compiler with dynamic lexical scanner adapted to accommodate different character sets
US20050108554A1 (en) * 1997-11-06 2005-05-19 Moshe Rubin Method and system for adaptive rule-based content scanners
US20050172338A1 (en) * 2004-01-30 2005-08-04 Sandu Catalin D. System and method for detecting malware in executable scripts according to its functionality
US20050240999A1 (en) * 1997-11-06 2005-10-27 Moshe Rubin Method and system for adaptive rule-based content scanners for desktop computers
US20050273858A1 (en) * 2004-06-07 2005-12-08 Erez Zadok Stackable file systems and methods thereof
US20060020595A1 (en) * 2004-07-26 2006-01-26 Norton Marc A Methods and systems for multi-pattern searching
US20060230288A1 (en) * 2005-03-29 2006-10-12 International Business Machines Corporation Source code classification method for malicious code detection
US20070055766A1 (en) * 2003-04-29 2007-03-08 Lykourgos Petropoulakis Monitoring software
US20070083933A1 (en) * 2005-10-07 2007-04-12 Microsoft Corporation Detection of security vulnerabilities in computer programs
US20070088955A1 (en) * 2005-09-28 2007-04-19 Tsern-Huei Lee Apparatus and method for high speed detection of undesirable data content
US20080046423A1 (en) * 2006-08-01 2008-02-21 Lucent Technologies Inc. Method and system for multi-character multi-pattern pattern matching
US7398553B1 (en) * 2000-10-30 2008-07-08 Tread Micro, Inc. Scripting virus scan engine
US20090070459A1 (en) * 2005-04-18 2009-03-12 Cho Young H High-Performance Context-Free Parser for Polymorphic Malware Detection
US20110302564A1 (en) * 2010-06-07 2011-12-08 Microsoft Corporation Library Conformity Checker
US20130055211A1 (en) * 2011-08-26 2013-02-28 Apple Inc. Client-side policy enforcement of developer api use
US9104878B1 (en) * 2013-12-11 2015-08-11 Appercut Security Ltd. Automated source code scanner for backdoors and other pre-defined patterns

Family Cites Families (81)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AT419586T (en) 1995-02-13 2009-01-15 Intertrust Tech Corp Systems and methods for secured transaction management and electronic legal protection
US6697948B1 (en) 1999-05-05 2004-02-24 Michael O. Rabin Methods and apparatus for protecting information
US7058699B1 (en) * 2000-06-16 2006-06-06 Yahoo! Inc. System and methods for implementing code translations that enable persistent client-server communication via a proxy
US7636945B2 (en) * 2000-07-14 2009-12-22 Computer Associates Think, Inc. Detection of polymorphic script language viruses by data driven lexical analysis
US6938170B1 (en) 2000-07-17 2005-08-30 International Business Machines Corporation System and method for preventing automated crawler access to web-based data sources using a dynamic data transcoding scheme
US7117239B1 (en) 2000-07-28 2006-10-03 Axeda Corporation Reporting the state of an apparatus to a remote computer
US7024479B2 (en) 2001-01-22 2006-04-04 Intel Corporation Filtering calls in system area networks
US7028305B2 (en) 2001-05-16 2006-04-11 Softricity, Inc. Operating system abstraction and protection layer
US20020199116A1 (en) 2001-06-25 2002-12-26 Keith Hoene System and method for computer network virus exclusion
US7010779B2 (en) 2001-08-16 2006-03-07 Knowledge Dynamics, Inc. Parser, code generator, and data calculation and transformation engine for spreadsheet calculations
CA2359831A1 (en) * 2001-10-24 2003-04-24 Ibm Canada Limited-Ibm Canada Limitee Method and system for multiple level parsing
US7114160B2 (en) 2002-04-17 2006-09-26 Sbc Technology Resources, Inc. Web content customization via adaptation Web services
US20040162994A1 (en) 2002-05-13 2004-08-19 Sandia National Laboratories Method and apparatus for configurable communication network defenses
US7117429B2 (en) 2002-06-12 2006-10-03 Oracle International Corporation Methods and systems for managing styles electronic documents
JP4093012B2 (en) 2002-10-17 2008-05-28 日本電気株式会社 Hypertext inspection apparatus, method, and program
US20050216770A1 (en) 2003-01-24 2005-09-29 Mistletoe Technologies, Inc. Intrusion detection system
US7735144B2 (en) 2003-05-16 2010-06-08 Adobe Systems Incorporated Document modification detection and prevention
US7519621B2 (en) * 2004-05-04 2009-04-14 Pagebites, Inc. Extracting information from Web pages
CA2577891A1 (en) 2004-08-24 2006-03-02 Washington University Methods and systems for content detection in a reconfigurable hardware
US7480385B2 (en) 2004-11-05 2009-01-20 Cable Television Laboratories, Inc. Hierarchical encryption key system for securing digital media
US7707223B2 (en) 2005-04-28 2010-04-27 Cisco Technology, Inc. Client-side java content transformation
US20060288418A1 (en) 2005-06-15 2006-12-21 Tzu-Jian Yang Computer-implemented method with real-time response mechanism for detecting viruses in data transfer on a stream basis
US9467462B2 (en) 2005-09-15 2016-10-11 Hewlett Packard Enterprise Development Lp Traffic anomaly analysis for the detection of aberrant network code
US7770185B2 (en) 2005-09-26 2010-08-03 Bea Systems, Inc. Interceptor method and system for web services for remote portlets
US8170020B2 (en) 2005-12-08 2012-05-01 Microsoft Corporation Leveraging active firewalls for network intrusion detection and retardation of attack
US8086756B2 (en) 2006-01-25 2011-12-27 Cisco Technology, Inc. Methods and apparatus for web content transformation and delivery
GB0620855D0 (en) 2006-10-19 2006-11-29 Dovetail Software Corp Ltd Data processing apparatus and method
US8290800B2 (en) 2007-01-30 2012-10-16 Google Inc. Probabilistic inference of site demographics from aggregate user internet usage and source demographic information
WO2008095018A2 (en) 2007-01-31 2008-08-07 Omniture, Inc. Page grouping for site traffic analysis reports
US20080222736A1 (en) 2007-03-07 2008-09-11 Trusteer Ltd. Scrambling HTML to prevent CSRF attacks and transactional crimeware attacks
US20090083415A1 (en) 2007-04-17 2009-03-26 Kenneth Tola Unobtrusive methods and systems for collecting information transmitted over a network
US7895653B2 (en) 2007-05-31 2011-02-22 International Business Machines Corporation Internet robot detection for network distributable markup
US8527757B2 (en) 2007-06-22 2013-09-03 Gemalto Sa Method of preventing web browser extensions from hijacking user information
US8689330B2 (en) 2007-09-05 2014-04-01 Yahoo! Inc. Instant messaging malware protection
DK2191610T3 (en) 2007-09-07 2019-10-07 Dis Ent Llc SOFTWARE BASED MULTICAN CHANNEL POLYMORF DATA Encryption
US7941382B2 (en) 2007-10-12 2011-05-10 Microsoft Corporation Method of classifying and active learning that ranks entries based on multiple scores, presents entries to human analysts, and detects and/or prevents malicious behavior
US8260845B1 (en) 2007-11-21 2012-09-04 Appcelerator, Inc. System and method for auto-generating JavaScript proxies and meta-proxies
US8347396B2 (en) 2007-11-30 2013-01-01 International Business Machines Corporation Protect sensitive content for human-only consumption
CN101471818B (en) 2007-12-24 2011-05-04 北京启明星辰信息技术股份有限公司 Detection method and system for malevolence injection script web page
US8646067B2 (en) 2008-01-26 2014-02-04 Citrix Systems, Inc. Policy driven fine grain URL encoding mechanism for SSL VPN clientless access
US20090241174A1 (en) 2008-02-19 2009-09-24 Guru Rajan Handling Human Detection for Devices Connected Over a Network
US9317255B2 (en) 2008-03-28 2016-04-19 Microsoft Technology Licensing, LCC Automatic code transformation with state transformer monads
US8086957B2 (en) 2008-05-21 2011-12-27 International Business Machines Corporation Method and system to selectively secure the display of advertisements on web browsers
KR100987354B1 (en) 2008-05-22 2010-10-12 주식회사 이베이지마켓 System for checking false code in website and Method thereof
US8762962B2 (en) * 2008-06-16 2014-06-24 Beek Fund B.V. L.L.C. Methods and apparatus for automatic translation of a computer program language code
US8453126B1 (en) * 2008-07-30 2013-05-28 Dulles Research LLC System and method for converting base SAS runtime macro language scripts to JAVA target language
US8677481B1 (en) * 2008-09-30 2014-03-18 Trend Micro Incorporated Verification of web page integrity
WO2010040133A2 (en) 2008-10-03 2010-04-08 Limelight Networks, Inc. Content delivery network encryption
US8020193B2 (en) 2008-10-20 2011-09-13 International Business Machines Corporation Systems and methods for protecting web based applications from cross site request forgery attacks
US8434068B2 (en) 2008-10-23 2013-04-30 XMOS Ltd. Development system
WO2010105249A1 (en) 2009-03-13 2010-09-16 Rutgers, The State University Of New Jersey Systems and methods for the detection of malware
US9311425B2 (en) 2009-03-31 2016-04-12 Qualcomm Incorporated Rendering a page using a previously stored DOM associated with a different page
US8838628B2 (en) 2009-04-24 2014-09-16 Bonnie Berger Leighton Intelligent search tool for answering clinical queries
US9336191B2 (en) 2009-05-05 2016-05-10 Suboti, Llc System, method and computer readable medium for recording authoring events with web page content
US8924943B2 (en) 2009-07-17 2014-12-30 Ebay Inc. Browser emulator system
US8438312B2 (en) 2009-10-23 2013-05-07 Moov Corporation Dynamically rehosting web content
US9015686B2 (en) * 2009-12-21 2015-04-21 Oracle America, Inc. Redundant run-time type information removal
US8660976B2 (en) 2010-01-20 2014-02-25 Microsoft Corporation Web content rewriting, including responses
US8997217B2 (en) * 2010-01-25 2015-03-31 Samsung Electronics Co., Ltd. Safely processing and presenting documents with executable text
US8370940B2 (en) 2010-04-01 2013-02-05 Cloudflare, Inc. Methods and apparatuses for providing internet-based proxy services
WO2011130228A2 (en) 2010-04-12 2011-10-20 Google Inc. Scrolling in large hosted data set
US8561193B1 (en) 2010-05-17 2013-10-15 Symantec Corporation Systems and methods for analyzing malware
US8739150B2 (en) 2010-05-28 2014-05-27 Smartshift Gmbh Systems and methods for dynamically replacing code objects via conditional pattern templates
US8914879B2 (en) * 2010-06-11 2014-12-16 Trustwave Holdings, Inc. System and method for improving coverage for web code
US8589405B1 (en) * 2010-07-16 2013-11-19 Netlogic Microsystems, Inc. Token stitcher for a content search system having pipelined engines
US20120124372A1 (en) 2010-10-13 2012-05-17 Akamai Technologies, Inc. Protecting Websites and Website Users By Obscuring URLs
US8631091B2 (en) 2010-10-15 2014-01-14 Northeastern University Content distribution network using a web browser and locally stored content to directly exchange content between users
AU2011200413B1 (en) 2011-02-01 2011-09-15 Symbiotic Technologies Pty Ltd Methods and Systems to Detect Attacks on Internet Transactions
US8667565B2 (en) 2011-02-18 2014-03-04 Microsoft Corporation Security restructuring for web media
US8555388B1 (en) 2011-05-24 2013-10-08 Palo Alto Networks, Inc. Heuristic botnet detection
US8966643B2 (en) 2011-10-08 2015-02-24 Broadcom Corporation Content security in a social network
WO2013091709A1 (en) 2011-12-22 2013-06-27 Fundació Privada Barcelona Digital Centre Tecnologic Method and apparatus for real-time dynamic transformation of the code of a web document
US10049168B2 (en) 2012-01-31 2018-08-14 Openwave Mobility, Inc. Systems and methods for modifying webpage data
US20130227397A1 (en) 2012-02-24 2013-08-29 Microsoft Corporation Forming an instrumented text source document for generating a live web page
EP2642715A1 (en) * 2012-03-20 2013-09-25 British Telecommunications public limited company Method and system for malicious code detection
US9111090B2 (en) 2012-04-02 2015-08-18 Trusteer, Ltd. Detection of phishing attempts
US20140089786A1 (en) 2012-06-01 2014-03-27 Atiq Hashmi Automated Processor For Web Content To Mobile-Optimized Content Transformation
US9165125B2 (en) 2012-06-13 2015-10-20 Mobilextension Inc. Distribution of dynamic structured content
US8595613B1 (en) 2012-07-26 2013-11-26 Viasat Inc. Page element identifier pre-classification for user interface behavior in a communications system
WO2014078585A2 (en) * 2012-11-14 2014-05-22 University Of Virginia Patent Foundation Methods, systems and computer readable media for detecting command injection attacks
US20140281535A1 (en) 2013-03-15 2014-09-18 Munibonsoftware.com, LLC Apparatus and Method for Preventing Information from Being Extracted from a Webpage

Patent Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050108554A1 (en) * 1997-11-06 2005-05-19 Moshe Rubin Method and system for adaptive rule-based content scanners
US20050240999A1 (en) * 1997-11-06 2005-10-27 Moshe Rubin Method and system for adaptive rule-based content scanners for desktop computers
US7398553B1 (en) * 2000-10-30 2008-07-08 Tread Micro, Inc. Scripting virus scan engine
US20040015892A1 (en) * 2001-05-25 2004-01-22 International Business Machines Corporation Compiler with dynamic lexical scanner adapted to accommodate different character sets
US20070055766A1 (en) * 2003-04-29 2007-03-08 Lykourgos Petropoulakis Monitoring software
US20050172338A1 (en) * 2004-01-30 2005-08-04 Sandu Catalin D. System and method for detecting malware in executable scripts according to its functionality
US20050273858A1 (en) * 2004-06-07 2005-12-08 Erez Zadok Stackable file systems and methods thereof
US20060020595A1 (en) * 2004-07-26 2006-01-26 Norton Marc A Methods and systems for multi-pattern searching
US20060230288A1 (en) * 2005-03-29 2006-10-12 International Business Machines Corporation Source code classification method for malicious code detection
US20090070459A1 (en) * 2005-04-18 2009-03-12 Cho Young H High-Performance Context-Free Parser for Polymorphic Malware Detection
US20070088955A1 (en) * 2005-09-28 2007-04-19 Tsern-Huei Lee Apparatus and method for high speed detection of undesirable data content
US20070083933A1 (en) * 2005-10-07 2007-04-12 Microsoft Corporation Detection of security vulnerabilities in computer programs
US20080046423A1 (en) * 2006-08-01 2008-02-21 Lucent Technologies Inc. Method and system for multi-character multi-pattern pattern matching
US20110302564A1 (en) * 2010-06-07 2011-12-08 Microsoft Corporation Library Conformity Checker
US20130055211A1 (en) * 2011-08-26 2013-02-28 Apple Inc. Client-side policy enforcement of developer api use
US9104878B1 (en) * 2013-12-11 2015-08-11 Appercut Security Ltd. Automated source code scanner for backdoors and other pre-defined patterns

Cited By (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9973519B2 (en) 2013-03-15 2018-05-15 Shape Security, Inc. Protecting a server computer by detecting the identity of a browser on a client computer
US10205742B2 (en) 2013-03-15 2019-02-12 Shape Security, Inc. Stateless web content anti-automation
US9923919B2 (en) 2013-03-15 2018-03-20 Shape Security, Inc. Safe intelligent content modification
US10193909B2 (en) 2013-03-15 2019-01-29 Shape Security, Inc. Using instrumentation code to detect bots or malware
US9774620B2 (en) * 2013-06-18 2017-09-26 Microsoft Technology Licensing, Llc Automatic code and data separation of web application
US20140373087A1 (en) * 2013-06-18 2014-12-18 Microsoft Corporation Automatic Code and Data Separation of Web Application
US10044753B2 (en) 2014-01-20 2018-08-07 Shape Security, Inc. Intercepting and supervising calls to transformed operations and objects
US10212137B1 (en) 2014-01-21 2019-02-19 Shape Security, Inc. Blind hash compression
US10187408B1 (en) 2014-04-17 2019-01-22 Shape Security, Inc. Detecting attacks against a server computer based on characterizing user interactions with the client computing device
US10089216B2 (en) 2014-06-30 2018-10-02 Shape Security, Inc. Automatically determining whether a page of a web site is broken despite elements on the page that may change
US10333924B2 (en) 2014-07-01 2019-06-25 Shape Security, Inc. Reliable selection of security countermeasures
US10298599B1 (en) 2014-09-19 2019-05-21 Shape Security, Inc. Systems for detecting a headless browser executing on a client computer
US9954893B1 (en) 2014-09-23 2018-04-24 Shape Security, Inc. Techniques for combating man-in-the-browser attacks
US9986058B2 (en) 2015-05-21 2018-05-29 Shape Security, Inc. Security systems for mitigating attacks from a headless browser executing on a client computer
US10367903B2 (en) 2015-05-21 2019-07-30 Shape Security, Inc. Security systems for mitigating attacks from a headless browser executing on a client computer
US10230718B2 (en) 2015-07-07 2019-03-12 Shape Security, Inc. Split serving of computer code
US10382482B2 (en) 2015-08-31 2019-08-13 Shape Security, Inc. Polymorphic obfuscation of executable code
US10375026B2 (en) 2015-10-28 2019-08-06 Shape Security, Inc. Web transaction status tracking
US10212130B1 (en) 2015-11-16 2019-02-19 Shape Security, Inc. Browser extension firewall
US10326790B2 (en) 2016-02-12 2019-06-18 Shape Security, Inc. Reverse proxy computer: deploying countermeasures in response to detecting an autonomous browser executing on a client computer
US10212173B2 (en) 2016-03-03 2019-02-19 Shape Security, Inc. Deterministic reproduction of client/server computer state or output sent to one or more client computers
US9917850B2 (en) 2016-03-03 2018-03-13 Shape Security, Inc. Deterministic reproduction of client/server computer state or output sent to one or more client computers
US10129289B1 (en) 2016-03-11 2018-11-13 Shape Security, Inc. Mitigating attacks on server computers by enforcing platform policies on client computers
US10447726B2 (en) 2016-03-11 2019-10-15 Shape Security, Inc. Mitigating attacks on server computers by enforcing platform policies on client computers

Also Published As

Publication number Publication date
US9405910B2 (en) 2016-08-02
US20150347756A1 (en) 2015-12-03

Similar Documents

Publication Publication Date Title
US20150135256A1 (en) Disambiguating conflicting content filter rules
US8943588B1 (en) Detecting unauthorized websites
US9241004B1 (en) Alteration of web documents for protection against web-injection attacks
US8898776B2 (en) Automatic context-sensitive sanitization
CN103095681B (en) A kind of method and device detecting leak
US9710645B2 (en) Systems and methods to detect and neutralize malware infected electronic communications
US20150295942A1 (en) Method and server for performing cloud detection for malicious information
US9544318B2 (en) HTML security gateway
US20130031628A1 (en) Preventing Phishing Attacks
US9697261B2 (en) Application representation for application editions
US8286250B1 (en) Browser extension control flow graph construction for determining sensitive paths
US20080097990A1 (en) High accuracy document information-element vector encoding server
Jain et al. A novel approach to protect against phishing attacks at client side using auto-updated white-list
US20140344658A1 (en) Enhanced links in curation and collaboration applications
Borgolte et al. Delta: automatic identification of unknown web-based infection campaigns
US9304979B2 (en) Authorized syndicated descriptions of linked web content displayed with links in user-generated content
TW201224807A (en) DOM based page uniqueness detection
JP6494609B2 (en) Method and apparatus for generating a customized software development kit (SDK)
EP2976709B1 (en) Systems and methods for intercepting, processing, and protecting user data through web application pattern detection
US9015657B2 (en) Systems and methods for developing and delivering platform adaptive web and native application content
US10182324B2 (en) Contextual deep linking of applications
DE112010003979T5 (en) System and method for the static recognition and categorization of information flow downgraders
TW201416894A (en) Determining a characteristic group
US20150033331A1 (en) System and method for webpage analysis
US20180374097A1 (en) A distributed user profile identity verification system for e-commerce transaction security

Legal Events

Date Code Title Description
STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION