Cloudflare's Client-Side Security Architecture with AI-Powered JavaScript Detection

The Challenge of Client-Side Security at Scale

Client-side skimming attacks, often involving malicious JavaScript injection, pose a significant threat because they can operate stealthily without disrupting user experience. Detecting these threats at Cloudflare's scale—assessing 3.5 billion scripts daily across thousands of enterprise zones—is a massive data and computational problem. The sheer volume and high volatility of JavaScript code (roughly a third of scripts update monthly) make manual review impossible and traditional signature-based detection insufficient for zero-day threats. The system needs to discern malicious intent from benign but complex or obfuscated code, a task complicated by a severe class imbalance where benign scripts are infinitely diverse compared to known malicious samples.

Two-Stage AI-Powered Detection Architecture

Cloudflare's solution is a sophisticated cascading classifier architecture that leverages both a Graph Neural Network (GNN) and a Large Language Model (LLM) to achieve both high recall for new threats and extremely low false positive rates. This pipeline is crucial for maintaining effective security without overwhelming customers with alerts. The system collects signals using browser reporting (e.g., Content Security Policy) without requiring app instrumentation or adding latency.

Stage 1: Graph Neural Network (GNN) for High Recall

• Function: The GNN is the frontline detection engine, optimized for high recall to catch novel, zero-day threats.
• Mechanism: It operates on the Abstract Syntax Tree (AST) of JavaScript code, learning structural representations that identify execution patterns independent of obfuscation (renaming, minification). This allows it to generalize across syntactic variations of the same semantic behavior.
• Performance: While highly effective, even a sub-0.3% false positive rate at Cloudflare's scale (billions of scripts daily) generates millions of false alarms, leading to alert fatigue for security teams.

Stage 2: Large Language Model (LLM) for Precision Filtering

• Function: The LLM acts as a second opinion, specifically designed to drastically reduce false positives flagged by the GNN.
• Mechanism: If the GNN flags a script as potentially malicious, it's forwarded to an open-source LLM (currently gpt-oss-120b on Cloudflare Workers AI) for semantic evaluation. The LLM, with its deep understanding of real-world JavaScript practices, can distinguish sketchy-but-innocuous obfuscation from genuinely malicious intent. If the LLM determines the script is benign, it overrides the GNN's verdict.
• Efficiency: Most benign scripts are filtered by the GNN, avoiding the higher computational cost of the LLM. This cascading design offers the best of both worlds: the GNN's structural pattern detection combined with the LLM's semantic filtering.
• Impact: This LLM layer reduced the overall false positive rate by nearly 3x (from ~0.3% to ~0.1% on total traffic) and by ~200x (from ~1.39% to 0.007% on unique scripts), significantly improving the signal-to-noise ratio for customers. This precision allows lowering the GNN's threshold, enabling detection of even more subtle, obfuscated true attacks.