Title of invention: Device, system, and method of detecting malicious automatic script and code injection
Abstract: Devices, systems, and methods of detecting user identity, differentiating between users of a computerized service, and detecting a possible attacker. The methods include monitoring of user-side input-unit interactions, in general and in response to an interference introduced to user-interface elements. The monitored interactions are used for detecting an attacker that utilizes a remote access channel; for detecting a malicious automatic script, as well as malicious code injection; to identify a particular hardware assembly; to perform user segmentation or user characterization; to enable a visual login process with implicit two-factor authentication; to enable stochastic cryptography; and to detect that multiple users are utilizing the same subscription account.
Publication number: US9547766(B2) Publication date: 2017.01.17
Application number: US201414325394 Filing date: 2014.07.08
Applicant: BioCatch Ltd. Inventors: Turgeman Avi; Dekel Edo; Novick Itai; Lehmann Yaron; Kadyshevitch Lev
Classification: G06F21/55; G06F21/32; G06F21/31; H04W12/06 Main classification: G06F21/55
Agency: Eitan, Mehulal & Sadot Agent: Eitan, Mehulal & Sadot
Main claim: 1. A method comprising: determining whether a user, who utilizes a computing device to interact with a computerized service, (i) is a human user who operates an input unit of said computing device, or (ii) is an automatic script executed by a processor and which poses as a human user operating said input unit of said computing device; wherein the determining comprises: (a) at said computing device, monitoring client-side data that is actually entered manually through said input unit of said computing device; (b) at a remote server of said computing device, receiving information that was transmitted by the computing device to said remote server, wherein said information comprises data that said computing device presents to said remote server as data that was entered manually through said input unit of said computing device; (c) at said remote server of said computing device, further receiving from said computing device, indications of the manual operations that were actually performed by said human user through said input unit of said computing device, based on the monitoring of step (a); (d) at said remote server, detecting a mismatch between: (I) the indications of manual operations that were actually performed by said human user through said input unit, said indications received from the computing device in step (c) and (II) said information that was received from the computing device in step (b), which comprises data that said computing device presents to said remote server as data that was entered manually through said input unit of said computing device; (e) based on the detected mismatch, determining that said automatic script was executed by said processor and posed as a human user operating said input unit of said computing device; wherein step (d) comprises: based on monitoring of the user-side input-unit interactions, detecting a number of keystrokes entered via a keyboard within a pre-defined time period during which the computing device transmitted data to said server of the computerized service; determining a total number of keystrokes that a human is expected to manually enter in order to cause the computing device to transmit said data to said server of the computerized service; based on matching between (A) the number of keystrokes entered via the keyboard, and (B) the total number of keystrokes that the human is expected to manually enter in order to cause the computing device to transmit said data to said server, determining whether the computing device is operated by automatic script executed by said processor.
Address: Tel Aviv IL
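
The keystroke-count comparison in step (d) of the main claim can be sketched as a server-side check. This is an added example, not code from the patent or from BioCatch; the event format, the function names and the rule "one printable key press per submitted character is the minimum a human needs" are assumptions made for illustration.

```python
from dataclasses import dataclass

PRINTABLE, BACKSPACE = "char", "backspace"  # constructed event kinds

@dataclass(frozen=True)
class KeyEvent:
    t_ms: int   # client-side timestamp of the key press
    kind: str   # PRINTABLE or BACKSPACE

def typed(text: str, start_ms: int = 0, gap_ms: int = 120) -> list[KeyEvent]:
    """Build constructed telemetry for a human typing `text` ('<' = backspace)."""
    return [KeyEvent(start_ms + i * gap_ms, BACKSPACE if c == "<" else PRINTABLE)
            for i, c in enumerate(text)]

def expected_keystrokes(fields: dict[str, str]) -> int:
    """Assumed lower bound: one printable key press per submitted character."""
    return sum(len(value) for value in fields.values())

def check_submission(fields, events, window_start_ms, window_end_ms) -> dict:
    """Compare keystrokes observed in the window with what the data requires."""
    in_window = [e for e in events if window_start_ms <= e.t_ms <= window_end_ms]
    observed = sum(e.kind == PRINTABLE for e in in_window)
    expected = expected_keystrokes(fields)
    # Corrections only add key presses, so a human can exceed the bound but
    # cannot fall below it; fewer presses means some data was never typed.
    return {"observed": observed, "expected": expected,
            "mismatch": observed < expected}

# Constructed cases: (submitted fields, monitored key events)
HUMAN = ({"payee": "bob", "amount": "100"}, typed("bov<b") + typed("100", 2000))
SCRIPT = ({"payee": "bob", "amount": "100"}, [])
INJECTED = ({"payee": "mallory-acct", "amount": "100"},
            typed("bob") + typed("100", 2000))

if __name__ == "__main__":
    for name, (fields, events) in [("human", HUMAN), ("script", SCRIPT),
                                   ("injected", INJECTED)]:
        print(name, check_submission(fields, events, 0, 5000))
```

Paste and browser autofill are not modelled here; a deployment would have to account for them in the expected count, or legitimate users who paste a value would be flagged.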