Cloudflare is democratizing advanced client-side security, removing sales engagement barriers for its powerful tools. This move aims to make robust protection against emerging web threats accessible to everyone.
Client-side attacks, like data skimming via malicious scripts, are notoriously stealthy. They operate unnoticed, allowing pages to load and transactions to complete while user data is siphoned off. Recent incidents, such as a keylogger deployed on a major bank's employee store and malicious npm packages stealing cryptocurrency, highlight the persistent danger.
In response, Cloudflare announced two key changes today: Cloudflare Client-Side Security Advanced, formerly a Page Shield add-on, is now available for self-serve onboarding. Additionally, domain-based threat intelligence is now a free component of the basic Client-Side Security bundle for all users.
Smarter Detection, Fewer False Alarms
The core of Cloudflare's offering lies in its ability to analyze vast amounts of script data. The system assesses billions of scripts daily, leveraging browser reporting like Content Security Policy. This approach requires no additional scanners or instrumentation, ensuring zero latency impact on web applications.
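The browser-side reporting this paragraph relies on can be seen in miniature with CSP's report-only mode. The following is an added example (not Cloudflare's code) showing how a site can turn CSP violation reports into an inventory of the third-party scripts browsers actually load, with no scanner added to the page; the endpoint path, origins and sample reports are constructed for illustration.

```javascript
// Added example, not Cloudflare's code; endpoint path and sample reports are constructed.
// Content-Security-Policy-Report-Only value: browsers report, but do not block,
// script loads from origins other than the page's own (report-to is the newer alternative).
const REPORT_ONLY_HEADER = "script-src 'self'; report-uri /csp-report-endpoint";

// Parse one "csp-report" body as POSTed by the browser. Returns null for anything
// that is not a well-formed script-src report, so a noisy or hostile client
// cannot poison the inventory with arbitrary strings.
function parseCspReport(body) {
  let doc;
  try { doc = JSON.parse(body); } catch { return null; }
  const r = doc && doc['csp-report'];
  if (!r || typeof r['blocked-uri'] !== 'string') return null;
  const directive = r['effective-directive'] || r['violated-directive'] || '';
  if (!directive.startsWith('script-src')) return null;
  let origin; // 'inline', 'eval' and 'data' are not URLs and carry no origin
  try { origin = new URL(r['blocked-uri']).origin; } catch { return null; }
  return { page: r['document-uri'], scriptUrl: r['blocked-uri'], origin };
}
// Aggregate reports into a per-origin inventory of pages and distinct script URLs.
function buildScriptInventory(bodies) {
  const inv = new Map();
  for (const body of bodies) {
    const rep = parseCspReport(body);
    if (!rep) continue;
    const e = inv.get(rep.origin) || { pages: new Set(), scripts: new Set() };
    e.pages.add(rep.page);
    e.scripts.add(rep.scriptUrl);
    inv.set(rep.origin, e);
  }
  return inv;
}
// Origins absent from the site's known-good list: the change worth surfacing first.
function unknownOrigins(inv, knownOrigins) {
  return [...inv.keys()].filter((o) => !knownOrigins.has(o)).sort();
}

// Constructed samples: two loads from a known CDN, an inline script and a malformed
// body (both skipped), and one load from an origin the site has never seen.
const report = (page, uri) => JSON.stringify({ 'csp-report': {
  'document-uri': page, 'violated-directive': 'script-src', 'blocked-uri': uri } });
const SAMPLE_REPORTS = [
  report('https://shop.example/checkout', 'https://cdn.example.net/app.js'),
  report('https://shop.example/cart', 'https://cdn.example.net/app.js'),
  report('https://shop.example/cart', 'inline'),
  '{"not":"a report"}',
  report('https://shop.example/checkout', 'https://third-party.example.org/t.js'),
];
const KNOWN_ORIGINS = new Set(['https://cdn.example.net']);
console.log(unknownOrigins(buildScriptInventory(SAMPLE_REPORTS), KNOWN_ORIGINS));
```

Because 'self' loads are never reported, this inventory covers only scripts from other origins, which is the set a defender most wants to track for unexpected changes.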
Managing the sheer volume and volatility of client-side code presents a significant challenge. With thousands of unique scripts per enterprise zone, and roughly a third updating monthly, manual oversight is impossible. Cloudflare's strategy focuses on detecting malicious intent by analyzing script behavior through Abstract Syntax Trees (AST).
To combat the high cost of false positives (a common problem in security systems, where rare, high-impact events lead to frequent false alarms), Cloudflare has integrated a Large Language Model (LLM) into its detection pipeline. The LLM acts as a second opinion for the primary Graph Neural Network (GNN) detection engine.
The GNN excels at identifying structural patterns indicative of malicious code, even when obfuscated. However, its recall-driven approach can sometimes flag legitimate, complex scripts as suspicious. The LLM, with its deep understanding of JavaScript idioms and common coding practices, filters these false positives.
This two-stage process ensures high recall for novel threats while leveraging the LLM's semantic understanding to drastically reduce false alarms. The LLM inference runs on Cloudflare Workers AI, utilizing open-source models for enhanced JavaScript security.
Internal evaluations show that this LLM validation layer cuts false positives by roughly a factor of three, from around 0.3% to approximately 0.1% of total analyzed traffic. For unique scripts, the reduction is a staggering 200x.
Real-World Impact: Catching Zero-Day Exploits
This enhanced detection capability proved crucial in identifying a sophisticated attack targeting users' home routers. A malicious script, injected via compromised browser extensions, attempted to hijack DNS settings and change router passwords.
The script was heavily obfuscated and went undetected by established threat intelligence platforms such as VirusTotal. Cloudflare's GNN identified the underlying malicious structure, and the Workers AI LLM confirmed its malicious intent, illustrating the value of LLM-assisted malicious script detection; the broader trend is covered in reports such as The Generative AI Threat is Already in Your Browser: Malicious Chrome Extensions Explode in Latest Cyber Scourge.
This advancement underscores Cloudflare's commitment to building a more secure internet, making powerful security tools accessible to all businesses. The company continues to innovate in areas like JavaScript security.
