US20220253489A1 - Detecting a change to the content of information displayed to a user of a website - Google Patents
Detecting a change to the content of information displayed to a user of a website Download PDFInfo
- Publication number
- US20220253489A1 US20220253489A1 US17/729,410 US202217729410A US2022253489A1 US 20220253489 A1 US20220253489 A1 US 20220253489A1 US 202217729410 A US202217729410 A US 202217729410A US 2022253489 A1 US2022253489 A1 US 2022253489A1
- Authority
- US
- United States
- Prior art keywords
- web page
- fingerprint
- server
- content
- client
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 230000008859 change Effects 0.000 title claims abstract description 25
- 238000000034 method Methods 0.000 claims abstract description 78
- 238000004891 communication Methods 0.000 claims description 34
- 238000013500 data storage Methods 0.000 claims description 20
- 238000002347 injection Methods 0.000 claims description 17
- 239000007924 injection Substances 0.000 claims description 17
- 238000013515 script Methods 0.000 description 32
- 230000008569 process Effects 0.000 description 11
- 230000009471 action Effects 0.000 description 9
- 230000001010 compromised effect Effects 0.000 description 6
- 230000006870 function Effects 0.000 description 4
- 239000000463 material Substances 0.000 description 4
- 238000009877 rendering Methods 0.000 description 4
- 230000003190 augmentative effect Effects 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000003287 optical effect Effects 0.000 description 3
- 238000012545 processing Methods 0.000 description 3
- 239000000243 solution Substances 0.000 description 3
- UPLPHRJJTCUQAY-WIRWPRASSA-N 2,3-thioepoxy madol Chemical compound C([C@@H]1CC2)[C@@H]3S[C@@H]3C[C@]1(C)[C@@H]1[C@@H]2[C@@H]2CC[C@](C)(O)[C@@]2(C)CC1 UPLPHRJJTCUQAY-WIRWPRASSA-N 0.000 description 2
- 230000004075 alteration Effects 0.000 description 2
- 230000008901 benefit Effects 0.000 description 2
- 238000004422 calculation algorithm Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 230000014509 gene expression Effects 0.000 description 2
- 230000003993 interaction Effects 0.000 description 2
- 230000002452 interceptive effect Effects 0.000 description 2
- 239000002245 particle Substances 0.000 description 2
- KJLPSBMDOIVXSN-UHFFFAOYSA-N 4-[4-[2-[4-(3,4-dicarboxyphenoxy)phenyl]propan-2-yl]phenoxy]phthalic acid Chemical compound C=1C=C(OC=2C=C(C(C(O)=O)=CC=2)C(O)=O)C=CC=1C(C)(C)C(C=C1)=CC=C1OC1=CC=C(C(O)=O)C(C(O)=O)=C1 KJLPSBMDOIVXSN-UHFFFAOYSA-N 0.000 description 1
- VYZAMTAEIAYCRO-UHFFFAOYSA-N Chromium Chemical compound [Cr] VYZAMTAEIAYCRO-UHFFFAOYSA-N 0.000 description 1
- 241000700605 Viruses Species 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 230000001413 cellular effect Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 230000036541 health Effects 0.000 description 1
- 208000015181 infectious disease Diseases 0.000 description 1
- 230000001681 protective effect Effects 0.000 description 1
- 239000007787 solid Substances 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/95—Retrieval from the web
- G06F16/957—Browsing optimisation, e.g. caching or content distillation
Definitions
- FIG. 7 depicts a flowchart showing the operation of an example method in accordance with embodiments of the present invention.
- Web browser 204 may be any web browser capable of retrieving and displaying information resources that reside on the world wide web, public network, and/or private network.
- Example web browsers 204 include, but are not limited to Internet Explorer, Chrome, Firefox, Opera, and Safari.
- Web browser 204 generally includes an address bar 206 that displays a particular Uniform Resource Locator (URL) 208 in which a web browser 204 is currently accessing or the web browser 204 has been directed to.
- a URL may refer to an address of a remote server that provides access to one or more resources, such as, but not limited to web pages, websites, documents, and discussion forums.
- a URL may refer to a local resource located on a local computer system and/or local computer network.
- malware is used herein to refer generally to any executable computer file or, more generally “object”, that is itself or contains malicious code, and thus includes viruses, Trojans, worms, spyware, adware, etc. and the like. Malware is generally designed to wreak havoc on computer systems by disrupting operations, gathering sensitive information, and/or providing access to the compromised computer system. When gathering sensitive information, variants of malware may target a specific set or class of websites known to accept or require various amounts of sensitive data from a user. For example, some variants of malware will alter content, i.e.
- Code injector 408 may include a processor 526 , memory 528 , one or more communication interfaces 530 for communicating with the server 104 , the computer system 108 , and/or the communication network 112 .
- the code injector generally comprises one or more network appliances capable of inspecting, managing, and modifying network traffic communicating on the communication interface 530 .
- Processor 526 is the same or similar to processor 504 ; that is, processor 526 is provided to execute instructions contained within memory 528 and/or storage 524 .
- the functionality of the code injector 408 is typically stored in memory 528 and/or storage 524 in the form of instructions and carried out by the processor 526 executing such instructions.
- the processor 526 may be implemented as any suitable type of microprocessor or similar type of processing chip.
- One example of the processor 526 may include any general-purpose programmable processor, digital signal processor (DSP) or controller for executing application programming contained within memory 528 and/or storage 524 .
- DSP digital signal processor
- processor 540 may be replaced or augmented with an application specific integrated circuit (ASIC), a programmable logic device (PLD), or a field programmable gate array (FPGA).
- ASIC application specific integrated circuit
- PLD programmable logic device
- FPGA field programmable gate array
- a fingerprint is created utilizing the objects elements, and/or content that have been identified.
- a client-side executable code such as script 428 .
- This client-side executable code, or fingerprint script is created such that when executed at a computer system, such as computer system 108 , a fingerprint is created utilizing those same objects, elements, and or content identified in step 612 .
- the server 104 may determine that there has been no change between the two fingerprints at step 748 and end at step 742 .
Landscapes
- Engineering & Computer Science (AREA)
- Databases & Information Systems (AREA)
- Theoretical Computer Science (AREA)
- Data Mining & Analysis (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Information Transfer Between Computers (AREA)
Abstract
Description
- This application is a continuation of, and claims a benefit of priority under 35 U.S.C. 120 of, U.S. patent application Ser. No. 14/214,935 filed Mar. 15, 2014, entitled “DETECTING A CHANGE TO THE CONTENT OF INFORMATION DISPLAYED TO A USER OF A WEBSITE”, which claims a benefit of priority under 35 U.S.C. 119 to U.S. Provisional Application No. 61/802,348 filed Mar. 15, 2013, entitled “DETECTING A CHANGE TO THE CONTENT OF INFORMATION DISPLAYED TO A USER OF A WEBSITE”, all of which are hereby incorporated herein for all purposes.
- The present invention relates generally to the field of computer security. More specifically, the present invention relates to detecting a change to the content of information that is displayed to a user of a website.
- Malicious software can wreak havoc on computer and information systems that are unfortunate enough to become the latest malware or pestware victim. As anti-malware software and anti-malware detection techniques become increasingly effective at combating the onslaught of malware or pestware infections, unfortunately, some malware still manages to make its way onto the computers of unsuspecting users. Even worse, as more and more service providers are utilizing the internet and making use of various web architectures to provide or allow access to an expanding profile of services, service providers have no effective techniques to ensure that the services they offer are being accessed and utilized by uninfected computer systems. Moreover, providing services that make use of sensitive information such as online banking information, personal health records, and even social media, can be fraught with danger should the sensitive information fall into the wrong hands. Many users of computer systems willingly provide sensitive information to reputable and frequently accessed service provider's websites without thinking twice, making them prime targets to phishing scams and fraudulent websites.
- Phishing tends to be defined as the act of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Common types of phishing include forged or fraudulent websites, deceitful emails, and falsified instant messages. In general, an unsuspecting user is tricked into believing that the communication they are having is with a trusted entity and an entity authorized to collect their sensitive information. Although encryption techniques exist to reduce the likelihood of man-in-the-middle attacks, a solution that protects unsuspecting users from entering information into reputable websites that have been compromised in one way or another has yet to be implemented; that is, there is no solution that exists which ensures that the website a user is visiting is the website the service provider intended them to see.
- Accordingly, there exists a need to ensure that a web page a user is viewing is the web page that a service provider intended them to see. It is thus one aspect of the present invention to provide a method that generally comprises detecting a change in content of a web page. This method may further comprise creating a server-side fingerprint based on one or more elements of the web page, injecting executable instructions into the web page such that upon execution at a client device, the executable instructions create a client-side fingerprint of a web page containing the executable instructions based on the one or more elements, receiving the client-side fingerprint, and comparing the client-side fingerprint to the server-side fingerprint.
- Since such a solution may be applied to web pages, or web sites, already in place, embodiments of the present invention may provide a method that may protect existing websites; the method generally comprises generating a first fingerprint of a web page, wherein the first fingerprint is based on one or more elements of a first instance of the web page, receiving a second instance of a web page, injecting executable instructions into the received second instance of the web page such that upon execution at a client device, the executable instructions create a second fingerprint of the web page, wherein the second fingerprint is based on the one or more elements of the web page, and comparing the first fingerprint to the second fingerprint.
- It is another aspect of the present invention to provide a system for detecting a change in web content, the system comprising a code injection module, a server device including a processor, a communication interface, data storage, and a server application stored on the data storage that is executable by the processor, wherein the server application is operable to create a server-side fingerprint based on one or more elements of a web page and provide the web page, utilizing the communication interface, to a code injection module, wherein the code injection module injects executable instructions into the web page such that upon execution at a client device, the executable instructions create a client-side fingerprint of a web page containing the executable instructions based on the one or more elements, wherein the server application is further operable to receive the client-side fingerprint and compare the client-side fingerprint to the server-side fingerprint.
- The phrases “at least one”, “one or more”, and “and/or” are open-ended expressions that are both conjunctive and disjunctive in operation. For example, each of the expressions “at least one of A, B and C”, “at least one of A, B”, or C, “one or more of A, B”, and C, “one or more of A, BC”, or and “A, B, and/or C” means A alone, B alone, C alone, A and B together, A and C together, B and C together, or A, B and C together.
- The term “a” or “an” entity refers to one or more of that entity. As such, the terms “a” (or “an”), “one or more” and “at least one” can be used interchangeably herein. It is also to be noted that the terms “comprising”, “including”, and “having” can be used interchangeably.
- The term “automatic” and variations thereof, as used herein, refers to any process or operation done without material human input when the process or operation is performed. However, a process or operation can be automatic, even though performance of the process or operation uses material or immaterial human input, if the input is received before performance of the process or operation. Human input is deemed to be material if such input influences how the process or operation will be performed. Human input that consents to the performance of the process or operation is not deemed to be “material”.
- The term “computer-readable medium” as used herein refers to any tangible storage that participates in providing instructions to a processor for execution. Such a medium may take many forms, including but not limited to, non-volatile media, volatile media, and transmission media. Non-volatile media includes, for example, NVRAM, magnetic or optical disks. Volatile media includes dynamic memory, such as main memory. Common forms of computer-readable media include, for example, a floppy disk, a flexible disk, hard disk, magnetic tape, or any other magnetic medium, magneto-optical medium, a CD-ROM, any other optical medium, punch cards, paper tape, any other physical medium with patterns of holes, a RAM, a PROM, and EPROM, a FLASH-EPROM, a solid state medium like a memory card, any other memory chip or cartridge, or any other medium from which a computer can read. When the computer-readable media is configured as a database, it is to be understood that the database may be any type of database, such as relational, hierarchical, object-oriented, and/or the like. Accordingly, the invention is considered to include a tangible storage medium and prior art-recognized equivalents and successor media, in which the software implementations of the present invention are stored.
- As will become apparent in view of the following disclosure, the various aspects and embodiments of the invention can be combined.
-
FIG. 1 illustrates an example of a computer system communicating with a service provider server in accordance with embodiments of the present invention; -
FIG. 2 depicts a first web page in accordance with embodiments of the present invention; -
FIG. 3 depicts a compromised web page in accordance with embodiments of the present invention; -
FIG. 4 illustrates detailed view of a computer system, service provider information system, and injection device, in accordance with embodiments of the present invention; -
FIG. 5 depicts details of a computer system, server, and code injector in accordance with embodiments of the present invention; -
FIG. 6 depicts a flowchart showing the operation of an example of a method in accordance with embodiments of the present invention; and -
FIG. 7 depicts a flowchart showing the operation of an example method in accordance with embodiments of the present invention. - Referring to
FIG. 1 , acomputer network 100 is generally shown as being based around a distributed network such as acommunication network 112.Communication network 112 may comprise any type of known communication medium or collection of communication media and may use any type of protocols to transport messages between endpoints. Thecommunication network 112 may include wired and/or wireless communication technologies. The Internet is an example of thecommunication network 112 that constitutes an Internet Protocol (IP) network consisting of many computers, computing networks, and other communication devices located all over the world, which are connected through many telephone systems and other means. Other examples of thecommunication network 112 include, without limitation, a standard Plain Old Telephone System (POTS), an Integrated Services Digital Network (ISDN), the Public Switched Telephone Network (PSTN), a Local Area Network (LAN), a Wide Area Network (WAN), a cellular network, and any other type of packet-switched or circuit-switched network known in the art. In addition, it can be appreciated that thecommunication network 112 need not be limited to any one network type, and instead may be comprised of a number of different networks and/or network types. - One or more
local computer systems 108 may be connected via thecommunication network 112 to one or morecentral servers 104 capable of providing or serving content to acomputer system 108 over thecommunication medium 112. For example, all or portions of a particular website, “Website 1”, as illustrated inFIG. 2 , may be hosted byserver 104. Eachcomputer system 108 may comprises apersonal computer 108A, 108C, a server of any type, a PDA, mobile device 108B such as a mobile phone, an interactive television, or any other device capable of loading and operating computer objects. Thecomputer system 108 may also be considered a client computer system; such a client computer system is generally located within a distributed network environment where one ormore computer systems 108 relies on a service, product, or application that resides in a network environment that is not local to thecomputer systems 108. As a client computer system,computer system 108 might access services, products, or applications residing onserver 104 viacommunication network 112. - As an example of an implementation of
computer network 100 in accordance with embodiments of the present disclosure, aclient computer system 108 may make a request to view a website, wherein one or more files associated with the website reside onserver 104.Server 104 generally responds to the request of thecomputer system 108 and sendsvarying content 116 to thecomputer system 108. Thecontent 116 sent fromserver 104 tocomputer system 108 may be referred to as web content; though other forms of content are contemplated. Thecomputer system 108 may interact with the content and may further submit or send additional content, orclient information 120, to theserver 104. In the context of websites for example, if a user is utilizingcomputer system 108 to login to a website hosted or located atserver 104, thecomputer system 108 may send or submit a user id associated with the user and a password associated with the user id. In such an instance, theclient information 120 comprising the user id and the password may be sent to theserver 104, as illustrated generally inFIG. 1 . As another example, a user may enter “UserABC” as their user id and “PasswordABC” as their password. “UserABC” and “PasswordABC” are sent to theserver 104 asclient information 120. Of course, the user id and password may be encrypted prior to sending. - Referring to
FIG. 2 , an example web browser andweb page 200 is illustrated.Web browser 204 may be any web browser capable of retrieving and displaying information resources that reside on the world wide web, public network, and/or private network.Example web browsers 204 include, but are not limited to Internet Explorer, Chrome, Firefox, Opera, and Safari.Web browser 204 generally includes anaddress bar 206 that displays a particular Uniform Resource Locator (URL) 208 in which aweb browser 204 is currently accessing or theweb browser 204 has been directed to. A URL may refer to an address of a remote server that provides access to one or more resources, such as, but not limited to web pages, websites, documents, and discussion forums. Alternatively, or in addition, a URL may refer to a local resource located on a local computer system and/or local computer network. - The
web browser 204 may display one or more web pages 212 to a user. A web page 212 is generally a web document or other resource that is accessible through a web browser and displayed on a monitor ormobile device 108. The web page 212 may be rendered, or displayed, within the borders of theweb browser 204, or may be displayed as a separate application or resource. For example, it is not uncommon for a web page to launch a pop-up window that displays additional information, such as audio, video, and/or another web page, in a separate window, tab, or web browser. - The web page 212 may be rendered according to a document object model (DOM) associated with the web page. The DOM may include one or more nodes that correspond to one or more elements appearing in the web page. For example, web page 212, as shown, is generally illustrative of a banking website requiring the submission of sensitive information in order to gain access to services, such as banking services, provided by a banking institution. The example web page 212 may include elements such as, but not limited to one or
more logos 216, a banner orbanners more content areas 228, and one ormore login areas 232. Thelogin area 232 generally includes one or more fields or forms 240, 244 and a “submit” and/or “log in”button 248. Alogin area 232 may include acontent area 236; thecontent area 236 may include instructions that a user is to follow to gain access to services provided by the banking institution. Alternatively, or in addition,content area 236 may include content generally representative of thelogin area 232. For example,content area 236 may provide an indication to a user that certain locations withincontent area 236 are locations in which a user id and password are to be entered. For instance, a user would enter a user id in field 240 and a password in field 244. After entering these two items, a user would click on the “log in”button 248 to be logged into the banking website. Once logged in, the user may have access to various services and offerings provided by the banking institution. Each element, as described above, may have one or more DOM nodes associated therewith. - The web page 212 may be created, or coded, using various mark-up and/or programming languages such as, but not limited to HTML, XML, JAVASCRIPT, AJAX, ASP, PHP, Perl, Python, .NET, Java, and jQuery. In general, a web page, such as web page 212, resides on a
server 104 capable of serving web content, such as aweb content 116. More specifically, a web page 212 may include programming code that causes web content and/or functions to be transferred and displayed to a user at a client or computer system. Upon a user navigating theweb browser 204 to a particular web page or resource residing at or on aweb server 104 for example,content web browser 204 for rendering and display in the web page 212. That is, a web page may comprise a document that can incorporate text, graphics, sounds, etc. and is generally a hypertext document, or file, on the World Wide Web, but is not limited to this location. The content of the web page, or file, may therefore include text, graphics, sounds, etc. and also markup symbols or codes inserted in the content, or file, intended for display on a World Wide Web browser page. Additionally, executable instructions, such as scripts, codes, and the like may be utilized within the content to make actions, functions, and or interactions possible. - Various mark-up and programming languages make actions, functions, and/or interactions of the web page possible. For example, some programming languages execute programming code on the web server in which they reside; such programming languages are often referred to as server side coding languages or server side scripting languages. An example of a server side language is PHP. Other programming languages are designed to execute on the
client computer system 108, such as within theweb browser 204, theclient computer system 108, and/orcomputing device 104; these programming languages are often referred to as client side coding languages or client side scripting. An example of a client side scripting language is JavaScript. Depending on requirements, a web page 212 may be coded in multiple programming languages, such that coded portions of a web page 212 are executed at aweb server 104 while other coded portions of a web page are executed on theclient computer system 108. As one example, a web page may comprise one or more HTML elements, attributes for the one or more HTML elements, one or more tags, and/or one or more scripts to be executed by theclient computer system 108. - As another example, referring to
FIG. 1 , the content displayed incontent area 228 may reside in adatabase 124 referenced by the web page 212 and accessible to aweb server 104 on which web page 212 resides. The coded web page may execute a portion of the coded programming language to retrieve the content 128 to be displayed incontent area 228. Theweb server 104 may then format the retrieved content 128 and transmit the newly assembledweb content 116 to theclient computer system 108 for rendering and display. Once the web page 212 has been displayed, a user may enter a user id into field 240, a password into field 244, and click on thebutton 248. Upon clicking on thebutton 248, client side executable code may execute, causing the user id and password to be encrypted and sent to theserver 104. Using the user id and password, theserver 104 may then log the user into the website. - In some situations, the
client computer system 108 may become infected with malware; that is, one or more pieces of malware may have been installed on theclient computer system 108 rendering theclient computer system 108 compromised. The term “malware” is used herein to refer generally to any executable computer file or, more generally “object”, that is itself or contains malicious code, and thus includes viruses, Trojans, worms, spyware, adware, etc. and the like. Malware is generally designed to wreak havoc on computer systems by disrupting operations, gathering sensitive information, and/or providing access to the compromised computer system. When gathering sensitive information, variants of malware may target a specific set or class of websites known to accept or require various amounts of sensitive data from a user. For example, some variants of malware will alter content, i.e. web content, that is displayed to a user such that the displayed web page phishes for additional sensitive information; that is, the user, believing the website is legitimate, may enter such sensitive information into one or more fields of a website. As an example, web page 212—as a banking website—allows a user to access services from a banking services provider utilizing aclient computer system 108. As previously discussed and as illustrated inFIG. 2 , a user may be required to provide a username and a password to gain access to the services offered by the baking services provider. If thecomputer system 108 becomes infected with specific variants of malware that gathers sensitive information, the malware variant, running on the localclient computer system 108, may alter a web page 212 that is displayed to a user. Stated another way, the malware may modify the website code in such a manner as to cause the web page that is displayed to the user to be different from the web page in which the services provider intended the user to view. - As an example,
FIG. 3 generally illustrates a web browser andweb page 300 that is displayed as a result of thecomputer system 108 having been infected with one or more pieces of malware. In particular,web page 312, corresponding to theuninfected computer system 108 displaying web page 212, has been altered such that additional content is displayed to a user. Specifically, a malware variant has caused field 308 to be added and the information incontent areas web page 312 using a variety of different methods. For example, the malware variant may intercept and modify theweb content 116 as thecontent 116 is being received and/or rendered via the web browser. As a simple example, table 1 includes example PHP programming code describing a common form object that includes a userid and password field as shown inlogin area 232. Specifically, when the user clicks “log in”, 248, a web page—Login.php may make use of and access the data entered into the userid and password fields. For example, the userid and the password may be compared to a list of userids and associated passwords that are authorized to access a particular website or login. Of course, depending on various security models, the userid and/or the password may be encrypted prior to being made available to the Login.php web page. -
TABLE 1 <form action=“Login.php” method=“post”> <h3>SIGN IN TO YOUR ACCOUNT</h3> <form action=“Login.php” method=“post”> <input type=“text” name=“userid” value=“User ID”><br> <input type=“text” name=“password” value=“Password”><br> <br> <input type=“submit” value=“LOG IN”> </form> - Table 2 includes example PHP programming code describing a common form object of 232 that has been compromised by one or more pieces of malware. Specifically, the one or malware variants have altered the
login content area 232 ofFIG. 2 such that an additional element or field, Social Security #308, is displayed to the user, as shown in thelogin area 312 ofFIG. 3 . If a user clicks “log in”, 248, a web page—Login.php can make use of and access the data entered into the userid 240, password 244, and now, social security #308 fields. -
TABLE 2 <form action=“Login.php” method=“post”> <h3>LOG IN TO YOUR ACCOUNT, WE NOW REQUIRE SS#s</h3> <form action=“Login.php” method=“post”> <input type=“text” name=“userid” value=“User ID”><br> <input type=“text” name=“password” value=“Password”><br> <input type=“text” name=“social_security” value=“Social Security #”><br> <br> <input type=“submit” value=“LOG IN”> </form> - Moreover, the malware variant may have caused additional alterations to the web page 212. For example,
web page 304 now includes additional, or altered, content located incontent area 312.Content area 312 includes a content area 308 that may display a comforting or reaffirming message to a user; a message such as “For your added security, we now require your Social Security number as part of the login process. We guarantee a safe online experience!” may lead an unsuspecting user to believe that the additional social security information requested by theweb page 312 is a legitimate request. Moreover, a content area 336 may state “LOG IN TO YOUR ACCOUNT, WE NOW REQUIRE SS#s”. Again, such an alteration in content may cause an unsuspecting user to believe that the additional social security information requested by theweb page 312 is a legitimate request. The user may then enter additional information, such as their social security information, and click submit. A malware variant may then receive this additional information and forward it on to a person having malicious intent. - Once a user has entered this additional information, a malware variant may obtain this entered additional information in a variety of ways. For example, the malware variant may log keystrokes associated with the particular field, take a screenshot of the web page upon the user clicking submit, and/or may cause the information entered into the fields to be “posted”, using post or get methods, to a web page other than the web page defined in the form. For example, the form of Table 1 utilizes the “post” method to send the information entered into the form fields, i.e. userid, password, to the web page “Login.php”. A malware variant may cause the information entered into the form fields, i.e. userid, password, social security number, to be sent to a different web page, such as “MalwareLogin.php”. Additional methods in which the malware variant may cause the information entered into the form fields to be sent to a different web page are contemplated.
-
FIG. 4 illustrates an example of an implementation ofcomputer network 400 in accordance with embodiments of the present disclosure; embodiments of the present disclosure reduce the likelihood of an altered web page being displayed or rendered to a user without a user knowing that the displayed web page has been modified. Thus, if a web page, such as web page 212, is altered by one or more malware variants, a user and/or a service provider may be alerted or notified to the existence of this altered web page. Such a notification may prevent a user from unintentionally providing sensitive information to a malware variant. - Embodiments of the present disclosure utilize digital fingerprints to essentially “lockdown” a web page, such that any change or modification that occurs to a web page between the time a web page is accessed on a server and presented to a user is detected. For example, a digital fingerprint of a web page, or web content that is to be presented to a user, is created at a server controlled by a service provider. This digital fingerprint is then stored at the server for later use. For instance, a service provider, such as a banking institution, may create one or more websites having one or more web pages that have been made accessible to clients or customers. The service provider may choose to create a digital fingerprint of a web page, a website, and/or resources, such as documents, that are made available to users. For example, the service provider may create a digital fingerprint of web pages in which sensitive information is received, such as a login screen webpage. This digital fingerprint is stored as a server-side fingerprint for later retrieval.
- Moreover, the service provider may cause a client-side executable code, such as script, to be inserted into the web content and/or web page code, associated with the web page to be fingerprinted. The inserted client-side executable code, once received at a client computer system, creates a client-side fingerprint of the web page rendered and/or presented to a user. The client-side fingerprint is then sent to the server so that the client-side fingerprint and the server-side fingerprint can be compared. If there exist any discrepancies between the client-side fingerprint and the server-side fingerprint, the user and/or the service provider may be alerted and/or notified. Additionally, other protective measures, such as page redirection, may occur if the two fingerprints do not match.
- Turning again to
FIG. 4 , plural local orcomputer systems 108 may be connected via thecommunication network 112 to a “central server” or one ormore servers 104 capable of providing or serving, or providing, content to thecomputer system 108 via thecommunication medium 112. For instance, a particular website, “Website 1”, may be hosted byserver 104. Thecomputer system 108 may make a request to view the website, wherein one or more files of the website reside onserver 104.Server 104 generally responds to the request of thecomputer system 108 and sends varyingcontent 412 to thecomputer system 108. Generally speaking, thecontent 412 sent fromserver 104 tocomputer system 108 may be referred to as web content and/or web page code; though, as previously mentioned, other forms of content are contemplated. Prior to being delivered to thecomputer system 108, thecontent 412 sent from theserver 104 is intercepted at acode injector 408. Thecode injector 408 may be any device or module that provides a capability to manipulate and manage internet protocol traffic. For example,code injector 408 may intercept, inspect, and/or transform the inbound and outbound internet protocol traffic. One example of a code injector may be a device utilizing one or more iRules that intercept, inspect, and transform inbound or outbound traffic to inject ascript 428, such as a JavaScript, into thecontent 412. As will be discussed later, thescript 428, or client-side executing code that is injected or added into thecontent 412, may cause a digital fingerprint 422 of a web page rendered or displayed at thecomputer system 108 to be created. Once ascript 428 has been added to thecontent 412, thecontent 412 andscript 428, now referenced as content andscript 416, may be delivered to thecomputer system 108 via thecommunication network 112 as content and script. AlthoughFIG. 4 depicts thecode injector 408 communicating directly with theserver 104, those skilled in the art can appreciate that any method of communication is possible; that is,code injector 408 is generally a network enabled device that may communicate withserver 104 via a communication network, such ascommunication network 112. - Alternatively, or in addition, the capability to inject or add a client-
side script 428 tocontent 412 may reside withinserver 104. For example, a code injection module, later shown as 518, may inject or add a client-side script 428, as previously described, to thecontent 412, such that theserver 104 provides the content and thescript 416 to thecomputer system 108 via thecommunication network 112; in some instances, acode injector 408 external to theserver 104 may not be necessary; in other instances, acode injector 408 may be provided in addition to aserver 104 utilizing acode injection module 518. - Content and
script 416 may then be provided to thecomputer system 108. As previously discussed, content and script 416 may be a combination ofcontent 412 and at least one client-side script 428 that when executed at a client, creates a digital fingerprint 422 of one or more web pages.Content 412 is generally described as being web content or web page content. Thus, web content contained in content and script 416 may be rendered and/or displayed oncomputer system 108. Upon rendering and/or displaying thecontent 412, thescript 428 containing executable code may be executed on thecomputer system 108. Alternatively, or in addition, theexecutable code 428 may be executed when a user clicks a submit button, such as a “log in”button 248. Theexecutable code 428 then executes, creating a digital fingerprint 422 of the rendered or displayedweb page 412 on thecomputer system 108 and sends the digital fingerprint 422 toserver 104, via acommunication network 112. Alternatively, or in addition the contents of theclient information 423, and or the number of separate values contained in theclient information 423, may also be sent to theserver 104. The values included in theclient information 423 correspond to the data entered and/or residing in fields, such as userid 240, password 244, and/or a malware variant added field, such as socialsecurity#308. The values included in theclient information 423 may be sent with the digital fingerprint 422 together as 420 and/or they may be retrieved directly from the form, such asform 232, when the form posts data to theserver 104. Alternatively, or in addition, the digital fingerprint 422 and/or the values included in theclient information 423 may be encrypted prior to being sent to theserver 104. - Once the digital fingerprint 422 is received at the
server 104, theserver 104 may compare the received digital fingerprint 422 with a fingerprint 424. As previously discussed, theserver 104, or a server controlled by a services provider, may create the digital fingerprint 424 based on the web page orweb content 412 that is to be presented to, or requested by a user of acomputer system 108. The digital fingerprint 424 may then be stored at theserver 104 or elsewhere for easy access. Alternatively, or in addition, the digital fingerprint 424 may be encrypted prior to being stored atserver 104. - A
server 104, or a server controlled by a services provider, may create the digital fingerprint 424 once for each web page that the services provider creates that requires a user to enter sensitive information, such as login information. After the digital finger print 424 has been created, the digital fingerprint 424 may be encrypted and stored. In some embodiments, the same digital fingerprint 424 may be valid or available for a predetermined period of time. For example, the digital fingerprint 424 may last a day, a month, a year, or be static. Alternatively, or in addition, the digital fingerprint 424 may be created specifically for a particular user, location of user—such as per internet protocol address, or may be created on a per session basis. For example, each time a user atcomputer system 108 established a session withserver 104, a new fingerprint 424 may be created. In other embodiments, the creation of the server-side fingerprint 424 may occur randomly. - Turning now to
FIG. 5 , details ofserver 104,code injector 408, andcomputer system 108, are depicted in accordance with at least some embodiments of the present disclosure.Server 104 may include aprocessor 504,memory 506, one or moreuser input devices 508, such as a keyboard and a pointing device, and one or moreuser output devices 510, such as a display, speaker, and/or printer. Alternatively, or in addition, theuser input 508 and theuser output 510 may be combined into one device, such as a touch screen display.Server 104 may further include, acommunication interface 512 for communicating withcode injector 408,computer system 108, and/or thecommunication network 112. -
Processor 504 is provided to execute instructions contained withinmemory 506 and/orstorage 502. As such, the functionality of theserver 104 is typically stored inmemory 506 and/orstorage 502 in the form of instructions and carried out by theprocessor 504 executing such instructions. Accordingly, theprocessor 504 may be implemented as any suitable type of microprocessor or similar type of processing chip. One example of theprocessor 504 may include any general-purpose programmable processor, digital signal processor (DSP) or controller for executing application programming contained withinmemory 506 and/orstorage 502. Alternatively, or in addition, theprocessor 504,memory 506, and/orstorage 502, may be replaced or augmented with an application specific integrated circuit (ASIC), a programmable logic device (PLD), or a field programmable gate array (FPGA). - The
memory 506 generally comprises software routines facilitating, in operation, pre-determined functionality of theserver 104. Thememory 506 may be implemented using various types of electronic memory generally including at least one array of non-volatile memory cells (e.g., Erasable Programmable Read Only Memory (EPROM) cells or FLASH memory cells, etc.). Thememory 506 may also include at least one array of dynamic random access memory (DRAM) cells. The content of the DRAM cells may be pre-programmed and write-protected thereafter, whereas other portions of the memory may selectively be modified or erased. Thememory 506 may be used for either permanent data storage and/or temporary data storage. - The
data storage 502 may generally include storage for programs and data. For example,data storage 502 may provide storage for a finger print creation module 516, acode injection module 518, afingerprint comparator module 520, and/or the general operating system and other programs anddata 522. One or more components of theserver 104 may communicate with one another utilizing abus 514. -
Code injector 408 may include a processor 526, memory 528, one ormore communication interfaces 530 for communicating with theserver 104, thecomputer system 108, and/or thecommunication network 112. In general, the code injector generally comprises one or more network appliances capable of inspecting, managing, and modifying network traffic communicating on thecommunication interface 530. - Processor 526 is the same or similar to
processor 504; that is, processor 526 is provided to execute instructions contained within memory 528 and/or storage 524. As such, the functionality of thecode injector 408 is typically stored in memory 528 and/or storage 524 in the form of instructions and carried out by the processor 526 executing such instructions. Accordingly, the processor 526 may be implemented as any suitable type of microprocessor or similar type of processing chip. One example of the processor 526 may include any general-purpose programmable processor, digital signal processor (DSP) or controller for executing application programming contained within memory 528 and/or storage 524. Alternatively, or in addition, the processor 526, memory 528, and/or storage 524, may be replaced or augmented with an application specific integrated circuit (ASIC), a programmable logic device (PLD), or a field programmable gate array (FPGA). - The memory 528 is similar or the same as
memory 506; that is, memory 528 generally comprises software routines facilitating, in operation, pre-determined functionality of thecode injector 408. The memory 528 may be implemented using various types of electronic memory generally including at least one array of non-volatile memory cells (e.g., Erasable Programmable Read Only Memory (EPROM) cells or FLASH memory cells, etc.). The memory 528 may also include at least one array of dynamic random access memory (DRAM) cells. The content of the DRAM cells may be pre-programmed and write-protected thereafter, whereas other portions of the memory may selectively be modified or erased. The memory 528 may be used for either permanent data storage or temporary data storage. - The data storage 524 is the same or similar to
data storage 502; that is, data storage 524 may generally include storage for programs and data. For example, data storage 524 may provide storage for a code injection module 534 and thecode injector 408firmware 536. One or more components of thecode injector 408 may communicate with one another utilizing abus 532. - As previously discussed,
computer system 108 may each be variously apersonal computer 108A, 108C a server of any type, a PDA, mobile device 108B such as a mobile phone, an interactive television, or any other device capable of loading and operating computer objects.Computer system 108 may include one ormore processors 540,memory 542, one or moreuser input devices 544, such as a keyboard and a pointing device, and one or moreuser output devices 548, such as a display, speaker, and/or printer. Alternatively, or in addition, theuser input 544 and theuser output 548 may be combined into one device, such as a touch screen display.Computer system 108 may further include a communication interface 546 for communicating with thecode injector 408, theserver 104, and/or thecommunication network 112. -
Processor 540 is the same or similar toprocessor 504; that is,processor 540 is provided to execute instructions contained withinmemory 542 and/orstorage 538. As such, the functionality of thecomputer system 108 is typically stored inmemory 542 and/orstorage 538 in the form of instructions and carried out by theprocessor 540 executing such instructions. Accordingly, theprocessor 540 may be implemented as any suitable type of microprocessor or similar type of processing chip. One example of theprocessor 540 may include any general-purpose programmable processor, digital signal processor (DSP) or controller for executing application programming contained withinmemory 542 and/orstorage 538. Alternatively, or in addition, theprocessor 540,memory 542, and/orstorage 538, may be replaced or augmented with an application specific integrated circuit (ASIC), a programmable logic device (PLD), or a field programmable gate array (FPGA). - The
memory 542 is similar or the same asmemory 506; that is,memory 542 generally comprises software routines facilitating, in operation, pre-determined functionality of thecomputer system 108. Thememory 542 may be implemented using various types of electronic memory generally including at least one array of non-volatile memory cells (e.g., Erasable Programmable Read Only Memory (EPROM) cells or FLASH memory cells, etc.). Thememory 542 may also include at least one array of dynamic random access memory (DRAM) cells. The content of the DRAM cells may be pre-programmed and write-protected thereafter, whereas other portions of the memory may selectively be modified or erased. Thememory 542 may be used for either permanent data storage or temporary data storage. - The
data storage 538 is the same or similar todata storage 502; that is,data storage 538 may generally include storage for programs and data. For example,data storage 538 may provide storage for an operating system, programs, anddata 552. Storage 528 may also includebrowser 556. Although depicted separately, thebrowser 556 may render and cause web code or web content to be displayed to a user view a user output device, such asuser output device 548. In general, thescript 428 generally executes withinbrowser 556, utilizingstorage 538,memory 542, andprocessor 540. One or more components of thecomputer system 108 may communicate with one another utilizing a bus 550. - Referring now to
FIG. 6 , an exemplary flow diagram depicting the operation of an example fingerprint creation process 600 in accordance with at least some embodiments of the present disclosure is depicted. In at least some embodiments, method 600 is performed by a device, such asserver 104 and/orcode injector 408. In at least some embodiments, method 600 is performed by a fingerprint creation module 516. More specifically, one or more hardware or software components may be involved in performing the method 600. Method 600 can be executed as a set of computer-executable instructions executed by a computer system and encoded or stored on a computer-readable medium. Hereinafter, the method 600 shall be explained with reference to the systems, components, modules, software, data structures, etc. described in conjunction withFIGS. 1-5 . More specifically, method 600 shall be explained as if executed by the Fingerprint Creation module 516. However, method 600 may be executed by hardware, software, and/or other modules previously described. - Method 600 is initiated at
step 604. Method 600 may continuously flow in a loop, flow according to a timed event, or flow according to a change in an operating or status parameter. Once method 600 has started, the fingerprint creation module 516 receives the web content that is to be protected atstep 608. For example, the web content may be a web page comprising various web code, such as HTML, XML, ASP, PHP, JavaScript etc. After receiving the content that is to be protected atstep 608, method 600 may pass to step 612, where specific objects identified in the web content are identified for the fingerprint creation process. For example, field 240, field 244, the content withincontent area 228, andcontent area 236 may be identified as particular objects or elements that are specifically identified. Thus, if a fingerprint is created utilizing those specific elements, any change to those elements will be reflected as a different fingerprint. Moreover, changes to the web page made between such elements may be reflected as a different fingerprint. - More specifically, the objects may be identified by their corresponding location within a document object model (DOM) tree. For example, the document object model is a platform and language-neutral interface that allows programs and scripts to dynamically access and update the content, structure, and style of a document. For instance, a DOM may consist of one or more nodes; that is, each element (i.e. every HTML element, the content within an HTML element, HTML attributes, and comments) may be considered to be a node. As such, each element is typically ordered in a hierarchical tree structure such that some nodes depend on other nodes. Therefore, if one or more nodes are provided, and a dependency among the one or more nodes exists, any change to one node may be reflected in a fingerprint. As an example, the text “LOG IN TO YOUR ACCOUNT” within
content area 236 may be a child node of thecontent area 232. If a fingerprint is created atstep 616, utilizing this node, then any change to the content of this node will be reflected in a changed fingerprint. Moreover, the content of one or more elements may be utilized to create a fingerprint. Accordingly, a fingerprint created utilizing “LOG INTO YOUR ACCOUNT” will be different than a fingerprint created utilizing “LOG INTO YOUR ACCOUNT, WE NOW REQUIRE SS#s”. - As another example, the fingerprint creation process may utilize other objects, elements, and/or content located within a web page, resource, and/or document. For example, such objects may include but are not limited to tags, such as HTML tags, headers, iFrames, content, location of content, location of tags, location of objects, one or more scripts, one or more fields, one or more offsets associated with a particular element and/or object from a particular location of another element and/or object. The fingerprint may be created using one or more well known fingerprint creation techniques such as, but not limited, to hashing, concatenation, encryption, or any other fingerprint creation technique that provides an output representative of an input.
- Alternatively, or in addition, the objects, elements, and/or content utilized to create the fingerprint may vary overtime and/or may be random. For example, a first fingerprint may be created using a first combination of objects, elements, and/or content of the web page, while a second finger print may be created using a second combination of objects, elements, and/or content of the web page. The first fingerprint may be created for a first user, session, or time, while the second fingerprint may be created for a second user, session, or time. Accordingly, the objects, elements, and/or content used to create a fingerprint may randomly change and/or be randomly identified. Alternatively, or in addition, one or more key, or important, objects, elements, and/or content may be identified such that the fingerprint may always include such importantly identified elements.
- As previously discussed, at
step 616, a fingerprint is created utilizing the objects elements, and/or content that have been identified. Additionally, atstep 616, a client-side executable code, such asscript 428, is created. This client-side executable code, or fingerprint script, is created such that when executed at a computer system, such ascomputer system 108, a fingerprint is created utilizing those same objects, elements, and or content identified instep 612. For example, if a first fingerprint of a website is created by the finger print creation module 516 using a first combination of objects, elements, and/or content of the web page, a client side executable code, such asscript 428, is created such that when executed at acomputer system 108, a fingerprint of the website, as rendered and/or displayed by thecomputer system 108, is created using the same first combination of objects, elements, and/or content. Method 600 then passes to step 620 where the fingerprint and the fingerprint script are stored. In some embodiments, the fingerprint may be encrypted prior to being stored. Method 600 then ends atstep 624. - Referring now to
FIG. 7 , an exemplary flow diagram depicting theoperational method 700 of a protected web page and/or web content in accordance with at least some embodiments of the present disclosure is depicted. In at least some embodiments,method 700 is performed by a device, such asserver 104,code injector 408, and/orcomputer system 108. In at least some embodiments,method 700 is performed by aserver 104,code injector 408, andcomputer system 108. More specifically, one or more hardware or software components, such ascode injection module 518, 534,fingerprint comparator module 520, andbrowser 556 may be involved in performing themethod 700.Method 700 may be executed as a set of computer-executable instructions executed by a computer system and encoded or stored on a computer-readable medium. Hereinafter, themethod 700 shall be explained with reference to the systems, components, modules, software, data structures, etc. described in conjunction withFIGS. 1-6 . More specifically,method 700 shall be explained as if executed by thecode injection module 518, 534,fingerprint comparator module 520, and/orbrowser 556. However,method 700 may be executed by hardware, software, and modules previously described. -
Method 700 is initiated atstep 704.Method 700 may continuously flow in a loop, flow according to a timed event, or flow according to a change in an operating or status parameter. Oncemethod 700 has started, the code injection module intercepts web content atstep 708. More specifically, the code injection module may intercept a web page destined for a specifiedcomputer system 108. Atstep 712, the code injection module may inject or add the client-side script, such asscript 428, to the web content destined for thecomputer system 108. For example, the code injection module may utilize specific rules, modify internet protocol traffic, and/or add a client-side script into the web content, such that the client-side script is executed at abrowser 556 of acomputer system 108. Next, themethod 700 may pass to step 716, where the web content, including the client-side script, is delivered to the requestor, such as thecomputer system 108. Next, themethod 700 may pass to step 720, where the client-side script is executed at thecomputer system 108. The execution of the client-side script, then produces a fingerprint of the of the web page or web content as displayed or rendered at thecomputer system 108, for example in thebrowser 556. Following the execution of the client-side script, theserver 104 may receive the fingerprint atstep 724. Next at step 728, theserver 104 may retrieve the previously stored server-side fingerprint and compare the server-side fingerprint with the client-side fingerprint to determine if they match, such as atstep 732. If the two fingerprints match, then there is a high likelihood that the web page displayed to a user at acomputer system 108 is the same web page or web content that was sent from theserver 104 to thecomputer system 108 and that malware has not adapted or modified any content. Accordingly, themethod 700 may end at 742. - Alternatively, or in addition, the
server 104 may receive the arguments that were submitted in fields, such as fields 240, and 244. The server may then perform a check to ensure that theserver 104 received the proper number of values, or arguments atstep 744. For example, if theserver 104 is expecting to receive two values, such as an userid and a password, as shown inFIG. 2 , but actually receives three values, such as an userid, password, and social security number, such as atstep 744, then theserver 104 may take appropriate action to disconnect the user atstep 736. Otherwise, if the server-side fingerprint and the client-side fingerprint match atstep 732 and the expected number of values matches the received number of values atstep 744, theserver 104 may determine that there has been no change between the two fingerprints atstep 748 and end atstep 742. - If, at
step 732, the server-side fingerprint, and the client-side fingerprint do not match, then the serve may take action atstep 736. Such action may include redirecting a user of acomputer system 108 to another website, logging information, such as the internet protocol address, and the values of fields submitted, and/or expressly notifying the user that theircomputer system 108 may be compromised. - Embodiments of the present invention have been described with particular reference to the examples illustrated. However, it will be appreciated that variations and modifications may be made to the examples described within the scope of the present invention. For example, in the foregoing description, for the purposes of illustration, methods were described in a particular order. It should be appreciated that in alternate embodiments, the methods may be performed in a different order than that described. It should also be appreciated that the methods described above may be performed by hardware components or may be embodied in sequences of machine-executable instructions.
- Those of skill in the art would understand that information and signals may be represented using any of a variety of different technologies and techniques. For example, data, instructions, commands, information, signals, bits, symbols, and chips that may be referenced throughout the above description may be represented by voltages, currents, electromagnetic waves, magnetic fields or particles, optical fields or particles, or any combination thereof.
- Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
- The various illustrative logical blocks, modules, and circuits described in connection with the embodiments disclosed herein may be implemented or performed with a general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.
- The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC. The ASIC may reside in a user terminal. In the alternative, the processor and the storage medium may reside as discrete components in a user terminal.
- The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (21)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US17/729,410 US20220253489A1 (en) | 2013-03-15 | 2022-04-26 | Detecting a change to the content of information displayed to a user of a website |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201361802348P | 2013-03-15 | 2013-03-15 | |
US14/214,935 US11386181B2 (en) | 2013-03-15 | 2014-03-15 | Detecting a change to the content of information displayed to a user of a website |
US17/729,410 US20220253489A1 (en) | 2013-03-15 | 2022-04-26 | Detecting a change to the content of information displayed to a user of a website |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/214,935 Continuation US11386181B2 (en) | 2013-03-15 | 2014-03-15 | Detecting a change to the content of information displayed to a user of a website |
Publications (1)
Publication Number | Publication Date |
---|---|
US20220253489A1 true US20220253489A1 (en) | 2022-08-11 |
Family
ID=51534319
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/214,935 Active 2035-02-07 US11386181B2 (en) | 2013-03-15 | 2014-03-15 | Detecting a change to the content of information displayed to a user of a website |
US17/729,410 Pending US20220253489A1 (en) | 2013-03-15 | 2022-04-26 | Detecting a change to the content of information displayed to a user of a website |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/214,935 Active 2035-02-07 US11386181B2 (en) | 2013-03-15 | 2014-03-15 | Detecting a change to the content of information displayed to a user of a website |
Country Status (1)
Country | Link |
---|---|
US (2) | US11386181B2 (en) |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9509714B2 (en) * | 2014-05-22 | 2016-11-29 | Cabara Software Ltd. | Web page and web browser protection against malicious injections |
US9679134B1 (en) * | 2014-03-20 | 2017-06-13 | Symantec Corporation | Systems and methods for detecting display-controlling malware |
CN104778423B (en) * | 2015-04-28 | 2017-10-17 | 福建六壬网安股份有限公司 | The webpage integrity assurance of watermark contrast based on file driving |
JP2017004236A (en) * | 2015-06-10 | 2017-01-05 | 富士ゼロックス株式会社 | Information processor, network system and program |
RU2610254C2 (en) * | 2015-06-30 | 2017-02-08 | Закрытое акционерное общество "Лаборатория Касперского" | System and method of determining modified web pages |
US11017119B2 (en) * | 2018-12-14 | 2021-05-25 | Synergex Group | Methods, systems, and media for detecting alteration of a web page |
CN111475464B (en) * | 2020-03-19 | 2023-04-25 | 重庆邮电大学 | Method for automatically finding and mining fingerprints of Web component |
CN113300915A (en) * | 2021-07-21 | 2021-08-24 | 杭州安恒信息技术股份有限公司 | Device identification method, system, electronic apparatus, and storage medium |
US12086640B2 (en) | 2022-06-20 | 2024-09-10 | International Business Machines Corporation | URL (uniform resource locator) shortening service including a content integrity check |
CN117176807B (en) * | 2023-10-31 | 2024-01-26 | 神州灵云(北京)科技有限公司 | Method and device for merging network requests by using request fingerprints |
Citations (26)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5974481A (en) * | 1997-09-15 | 1999-10-26 | Digital Equipment Corporation | Method for estimating the probability of collisions of fingerprints |
US20020099767A1 (en) * | 2001-01-24 | 2002-07-25 | Microsoft Corporation | System and method for incremental and reversible data migration and feature deployment |
US20030200175A1 (en) * | 2002-04-23 | 2003-10-23 | Microsoft Corporation | System and method for evaluating and enhancing source anonymity for encrypted web traffic |
US20040003248A1 (en) * | 2002-06-26 | 2004-01-01 | Microsoft Corporation | Protection of web pages using digital signatures |
US20070067304A1 (en) * | 2005-09-21 | 2007-03-22 | Stephen Ives | Search using changes in prevalence of content items on the web |
US20070130327A1 (en) * | 2005-12-05 | 2007-06-07 | Kuo Cynthia Y | Browser system and method for warning users of potentially fraudulent websites |
US20070234409A1 (en) * | 2006-03-31 | 2007-10-04 | Ori Eisen | Systems and methods for detection of session tampering and fraud prevention |
US20080046738A1 (en) * | 2006-08-04 | 2008-02-21 | Yahoo! Inc. | Anti-phishing agent |
US20080172741A1 (en) * | 2007-01-16 | 2008-07-17 | International Business Machines Corporation | Method and Apparatus for Detecting Computer Fraud |
US20080307301A1 (en) * | 2007-06-08 | 2008-12-11 | Apple Inc. | Web Clip Using Anchoring |
US20090064337A1 (en) * | 2007-09-05 | 2009-03-05 | Shih-Wei Chien | Method and apparatus for preventing web page attacks |
US20100017615A1 (en) * | 2006-12-15 | 2010-01-21 | Boesgaard Soerensen Hans Martin | Digital data authentication |
US7788576B1 (en) * | 2006-10-04 | 2010-08-31 | Trend Micro Incorporated | Grouping of documents that contain markup language code |
US20100228718A1 (en) * | 2009-03-04 | 2010-09-09 | Alibaba Group Holding Limited | Evaluation of web pages |
US20100333213A1 (en) * | 2009-06-24 | 2010-12-30 | Craig Stephen Etchegoyen | Systems and Methods for Determining Authorization to Operate Licensed Software Based on a Client Device Fingerprint |
US7958555B1 (en) * | 2007-09-28 | 2011-06-07 | Trend Micro Incorporated | Protecting computer users from online frauds |
US20110277024A1 (en) * | 2010-05-07 | 2011-11-10 | Research In Motion Limited | Locally stored phishing countermeasure |
US8086953B1 (en) * | 2008-12-19 | 2011-12-27 | Google Inc. | Identifying transient portions of web pages |
US8103875B1 (en) * | 2007-05-30 | 2012-01-24 | Symantec Corporation | Detecting email fraud through fingerprinting |
US8205255B2 (en) * | 2007-05-14 | 2012-06-19 | Cisco Technology, Inc. | Anti-content spoofing (ACS) |
US8255280B1 (en) * | 2010-05-18 | 2012-08-28 | Google Inc. | Automatic vetting of web applications to be listed in a marketplace for web applications |
US20120255027A1 (en) * | 2011-03-31 | 2012-10-04 | Infosys Technologies Ltd. | Detecting code injections through cryptographic methods |
US8521735B1 (en) * | 2012-02-27 | 2013-08-27 | Google Inc. | Anonymous personalized recommendation method |
US20140019262A1 (en) * | 2012-07-11 | 2014-01-16 | Google Inc. | Predicting visibility of content items |
US20140164418A1 (en) * | 2013-02-28 | 2014-06-12 | Craig S. Etchegoyen | Unique device identification among large populations of homogenous devices |
US8880993B2 (en) * | 2011-04-21 | 2014-11-04 | International Business Machines Corporation | Handling unexpected responses to script executing in client-side application |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5889774A (en) * | 1997-03-14 | 1999-03-30 | Efusion, Inc. | Method and apparatus for selecting an internet/PSTN changeover server for a packet based phone call |
US7480910B1 (en) * | 2001-05-15 | 2009-01-20 | Adobe Systems Incorporated | System and method for providing information and associating information |
US20070094500A1 (en) * | 2005-10-20 | 2007-04-26 | Marvin Shannon | System and Method for Investigating Phishing Web Sites |
US8381292B1 (en) * | 2008-12-30 | 2013-02-19 | The Uab Research Foundation | System and method for branding a phishing website using advanced pattern matching |
US8862699B2 (en) * | 2009-12-14 | 2014-10-14 | Microsoft Corporation | Reputation based redirection service |
US9436763B1 (en) * | 2010-04-06 | 2016-09-06 | Facebook, Inc. | Infrastructure enabling intelligent execution and crawling of a web application |
US8640212B2 (en) * | 2010-05-27 | 2014-01-28 | Red Hat, Inc. | Securing passwords with CAPTCHA based hash when used over the web |
US8886836B2 (en) * | 2012-06-12 | 2014-11-11 | Facebook, Inc. | Providing a multi-column newsfeed of content on a social networking system |
-
2014
- 2014-03-15 US US14/214,935 patent/US11386181B2/en active Active
-
2022
- 2022-04-26 US US17/729,410 patent/US20220253489A1/en active Pending
Patent Citations (27)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5974481A (en) * | 1997-09-15 | 1999-10-26 | Digital Equipment Corporation | Method for estimating the probability of collisions of fingerprints |
US20020099767A1 (en) * | 2001-01-24 | 2002-07-25 | Microsoft Corporation | System and method for incremental and reversible data migration and feature deployment |
US20030200175A1 (en) * | 2002-04-23 | 2003-10-23 | Microsoft Corporation | System and method for evaluating and enhancing source anonymity for encrypted web traffic |
US20040003248A1 (en) * | 2002-06-26 | 2004-01-01 | Microsoft Corporation | Protection of web pages using digital signatures |
US20070067304A1 (en) * | 2005-09-21 | 2007-03-22 | Stephen Ives | Search using changes in prevalence of content items on the web |
US20070130327A1 (en) * | 2005-12-05 | 2007-06-07 | Kuo Cynthia Y | Browser system and method for warning users of potentially fraudulent websites |
US20070234409A1 (en) * | 2006-03-31 | 2007-10-04 | Ori Eisen | Systems and methods for detection of session tampering and fraud prevention |
US20080046738A1 (en) * | 2006-08-04 | 2008-02-21 | Yahoo! Inc. | Anti-phishing agent |
US7788576B1 (en) * | 2006-10-04 | 2010-08-31 | Trend Micro Incorporated | Grouping of documents that contain markup language code |
US20100017615A1 (en) * | 2006-12-15 | 2010-01-21 | Boesgaard Soerensen Hans Martin | Digital data authentication |
US20080172741A1 (en) * | 2007-01-16 | 2008-07-17 | International Business Machines Corporation | Method and Apparatus for Detecting Computer Fraud |
US9521161B2 (en) * | 2007-01-16 | 2016-12-13 | International Business Machines Corporation | Method and apparatus for detecting computer fraud |
US8205255B2 (en) * | 2007-05-14 | 2012-06-19 | Cisco Technology, Inc. | Anti-content spoofing (ACS) |
US8103875B1 (en) * | 2007-05-30 | 2012-01-24 | Symantec Corporation | Detecting email fraud through fingerprinting |
US20080307301A1 (en) * | 2007-06-08 | 2008-12-11 | Apple Inc. | Web Clip Using Anchoring |
US20090064337A1 (en) * | 2007-09-05 | 2009-03-05 | Shih-Wei Chien | Method and apparatus for preventing web page attacks |
US7958555B1 (en) * | 2007-09-28 | 2011-06-07 | Trend Micro Incorporated | Protecting computer users from online frauds |
US8086953B1 (en) * | 2008-12-19 | 2011-12-27 | Google Inc. | Identifying transient portions of web pages |
US20100228718A1 (en) * | 2009-03-04 | 2010-09-09 | Alibaba Group Holding Limited | Evaluation of web pages |
US20100333213A1 (en) * | 2009-06-24 | 2010-12-30 | Craig Stephen Etchegoyen | Systems and Methods for Determining Authorization to Operate Licensed Software Based on a Client Device Fingerprint |
US20110277024A1 (en) * | 2010-05-07 | 2011-11-10 | Research In Motion Limited | Locally stored phishing countermeasure |
US8255280B1 (en) * | 2010-05-18 | 2012-08-28 | Google Inc. | Automatic vetting of web applications to be listed in a marketplace for web applications |
US20120255027A1 (en) * | 2011-03-31 | 2012-10-04 | Infosys Technologies Ltd. | Detecting code injections through cryptographic methods |
US8880993B2 (en) * | 2011-04-21 | 2014-11-04 | International Business Machines Corporation | Handling unexpected responses to script executing in client-side application |
US8521735B1 (en) * | 2012-02-27 | 2013-08-27 | Google Inc. | Anonymous personalized recommendation method |
US20140019262A1 (en) * | 2012-07-11 | 2014-01-16 | Google Inc. | Predicting visibility of content items |
US20140164418A1 (en) * | 2013-02-28 | 2014-06-12 | Craig S. Etchegoyen | Unique device identification among large populations of homogenous devices |
Also Published As
Publication number | Publication date |
---|---|
US11386181B2 (en) | 2022-07-12 |
US20140281919A1 (en) | 2014-09-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20220253489A1 (en) | Detecting a change to the content of information displayed to a user of a website | |
Alabdan | Phishing attacks survey: Types, vectors, and technical approaches | |
US11552993B2 (en) | Automated collection of branded training data for security awareness training | |
US10367903B2 (en) | Security systems for mitigating attacks from a headless browser executing on a client computer | |
US20190260750A1 (en) | Client-site dom api access control | |
US10079854B1 (en) | Client-side protective script to mitigate server loading | |
US9348980B2 (en) | Methods, systems and application programmable interface for verifying the security level of universal resource identifiers embedded within a mobile application | |
US10264016B2 (en) | Methods, systems and application programmable interface for verifying the security level of universal resource identifiers embedded within a mobile application | |
US8813237B2 (en) | Thwarting cross-site request forgery (CSRF) and clickjacking attacks | |
Stock et al. | Protecting users against xss-based password manager abuse | |
US20120222117A1 (en) | Method and system for preventing transmission of malicious contents | |
Sun et al. | Model checking for the defense against cross-site scripting attacks | |
US20190222587A1 (en) | System and method for detection of attacks in a computer network using deception elements | |
US11140168B2 (en) | Content access validation system and method | |
US11729145B2 (en) | User interface for web server risk awareness | |
Mahmoud et al. | A comparative analysis of Cross Site Scripting (XSS) detecting and defensive techniques | |
Muscat | Web vulnerabilities: identifying patterns and remedies | |
Chaudhary et al. | Cross-site scripting (XSS) worms in Online Social Network (OSN): Taxonomy and defensive mechanisms | |
Papaspirou et al. | A tutorial on cross-site scripting attack: defense against online social networks | |
Kerschbaumer et al. | Injecting CSP for fun and security | |
Guan et al. | DangerNeighbor attack: Information leakage via postMessage mechanism in HTML5 | |
Kaur et al. | Cross-site-scripting attacks and their prevention during development | |
Thopate et al. | Cross site scripting attack detection & prevention system | |
Wardle et al. | How Long Does It Take To Get Owned | |
Shah et al. | Securing third-party web resources using subresource integrity automation |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
|
AS | Assignment |
Owner name: WEBROOT INC., COLORADO Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:GIULIANI, MARCO;TORTOIOLI, DAVIDE;VANDONI, RICCARDO;AND OTHERS;REEL/FRAME:060402/0942 Effective date: 20140314 |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS |
|
AS | Assignment |
Owner name: WEBROOT LLC, COLORADO Free format text: CERTIFICATE OF CONVERSION;ASSIGNOR:WEBROOT INC.;REEL/FRAME:064176/0622 Effective date: 20220930 Owner name: CARBONITE, LLC, MASSACHUSETTS Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:WEBROOT LLC;REEL/FRAME:064167/0129 Effective date: 20221001 |
|
AS | Assignment |
Owner name: OPEN TEXT INC., CALIFORNIA Free format text: ASSIGNMENT AND ASSUMPTION AGREEMENT;ASSIGNOR:CARBONITE, LLC;REEL/FRAME:064351/0178 Effective date: 20221001 |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |