Products - Technology

All of the Web Tap products use patent-pending statistical analysis methods to detect security threats. The idea behind them is straightforward: differentiate normal human web browsing from automated or malicious activity. In a typical browsing session, requests follow particular patterns in their content format, size, regularity, and timing. Web Tap looks for deviations from these human browsing patterns to identify security threats such as spyware, web tunnels, and insider leaks. This page describes the web traffic attributes Web Tap examines to detect them.

Request Format

Spyware programs and web tunnels come in all shapes and sizes, but they have some similarities. They almost always contact their home servers with HTTP requests, because outbound web traffic is what proxy servers and firewalls are configured to let through.

Many spyware programs and web tunnels, however, send HTTP requests whose format differs noticeably from that of a legitimate web browser (for instance, in which headers they include). Web Tap takes advantage of this difference with a request format filter.
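As an added illustration (not Web Tap's code or its actual filter), the following Python shows what a request format filter can look like: it parses a raw HTTP/1.x request and compares the request line and headers against an assumed browser-like profile. The profile (Host, User-Agent and Accept present; User-Agent beginning with "Mozilla/") and the three sample requests are constructed for this example; a real deployment would derive the profile from the browsers actually observed on its network.

```python
"""Request format filter (added example; not Web Tap's code).

Assumption: a mainstream browser sends at least Host, User-Agent and
Accept, and its User-Agent string starts with "Mozilla/".  Real profiles
vary by browser and version and would be learned from observed traffic.
"""
import re

# Assumed browser-like profile.
REQUIRED_HEADERS = {"host", "user-agent", "accept"}
REQUEST_LINE_RE = re.compile(r"^(GET|POST|HEAD) \S+ HTTP/1\.[01]$")


def parse_request(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP/1.x request into its request line and a dict of
    lower-cased header names to values.  Raises ValueError on a header
    line without a colon, which no browser produces."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def format_anomalies(raw: bytes) -> list[str]:
    """Return the reasons a request does not look browser-generated;
    an empty list means it passes the format filter."""
    try:
        request_line, headers = parse_request(raw)
    except ValueError as err:
        return [str(err)]
    reasons = []
    if not REQUEST_LINE_RE.match(request_line):
        reasons.append(f"unusual request line: {request_line!r}")
    missing = REQUIRED_HEADERS - set(headers)
    if missing:
        reasons.append("missing headers: " + ", ".join(sorted(missing)))
    user_agent = headers.get("user-agent", "")
    if user_agent and not user_agent.startswith("Mozilla/"):
        reasons.append(f"non-browser User-Agent: {user_agent!r}")
    return reasons


# Constructed sample requests.
BROWSER_REQUEST = (
    b"GET /search?q=new+security+threats HTTP/1.1\r\n"
    b"Host: www.google.com\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0\r\n"
    b"Accept: text/html,application/xhtml+xml,*/*;q=0.8\r\n"
    b"Accept-Language: en-US,en;q=0.5\r\n"
    b"Connection: keep-alive\r\n\r\n"
)
# A minimal beacon: request line plus Host only, the way a hand-rolled
# HTTP client often looks.
BEACON_REQUEST = (
    b"GET /beacon?id=4471 HTTP/1.0\r\n"
    b"Host: stats.example.net\r\n\r\n"
)
# A tunnel client that fills in headers, but with a library User-Agent
# and a POST body carrying tunnelled data.
TUNNEL_REQUEST = (
    b"POST /tunnel HTTP/1.1\r\n"
    b"Host: tunnel.example.org\r\n"
    b"User-Agent: Python-urllib/3.11\r\n"
    b"Accept: */*\r\n"
    b"Content-Length: 12\r\n\r\n"
    b"AAAAAAAAAAAA"
)

if __name__ == "__main__":
    for name, raw in [("browser", BROWSER_REQUEST), ("beacon", BEACON_REQUEST),
                      ("tunnel", TUNNEL_REQUEST)]:
        print(name, format_anomalies(raw) or "passes format filter")
```

The browser request passes; the beacon is flagged for the headers it omits and the tunnel for its library User-Agent. A filter like this is only as good as its profile, which is why it is paired with the behavioural filters described in the following sections rather than used alone.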

Timed Requests

Some spyware programs rely on timers to decide when to check for updates or send out collected data. Human web traffic does not recur at fixed intervals, so Web Tap uses a delay time filter to identify timer-driven web requests.

Request Size

Web requests from normal browsing activity typically do not contain much data, even if the pages returned by the server are very large. Think about going to google.com, searching for a term, then clicking on a link. The amount of data your computer sends out is very small: a few fixed headers, the URL that you type in (www.google.com), your search term (for example, "new security threats"), and the URL you click on (for example, "www.technewsworld.com/story/33610.html").

Web Tap uses a bandwidth filter to identify browsing sessions in which an abnormally large amount of data is sent out over the internet (abnormal can mean as little as 20 kilobytes, the size of one small document). This helps Web Tap detect spyware, tunnels, and insider leaks, even if the perpetrator makes an effort to cover his or her tracks. An example is posting an encrypted sensitive document to a private message board. Web Tap would still raise an alert because of the amount of data leaving the network; the destination and the encryption do not matter.

Regularity

When a person is browsing the internet, activity at one site usually occurs in short sessions. People rarely browse the internet continuously for hours at a time, and when they do they usually access a variety of different sites. This is not necessarily the case for web requests generated by spyware or a web tunnel. Some spyware will send out the address of every website you visit while you are browsing. Web Tap looks for traffic to a particular site that is more frequent or more sustained than human browsing. This helps it detect active spyware and tunnels, including those that do not use fixed timers to send out data.

Time of Day

How often do employees browse the web at 3 AM? Not very often. Web Tap can look at the time when web requests occur to differentiate spyware and tunnel traffic from human activity. Activity times can also be more subtle than night and day. Web Tap can create usage profiles on a per-client basis and generate alerts when it sees activity during that client's typical down times. (Example: if a particular employee always takes lunch from 12 PM to 1 PM, then web browsing during this time is abnormal.)
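The four behavioural filters above (delay time, bandwidth, regularity, time of day) all work from the same per-client record of outbound requests, so one added example covers them together here. This is illustrative Python, not Web Tap's implementation or its statistical methods; the thresholds (5% timing jitter, 20 kilobytes, more than four distinct active hours to one host) and the 8-12 / 13-18 working-hours profile are assumptions, and the request log is constructed: a short search session, a beacon that reports every ten minutes around the clock, and a single 48 KB post of a document during lunch.

```python
"""Behavioural filters over an outbound HTTP request log (added example;
not Web Tap's code).  Thresholds and the working-hours profile below are
assumptions for the constructed log, not learned values.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

@dataclass(frozen=True)
class Request:
    client: str        # internal client address
    host: str          # destination web server
    ts: datetime       # time the request left the network
    bytes_out: int     # outbound bytes (request line, headers and body)

def group_by_client_host(log):
    groups = defaultdict(list)
    for r in log:
        groups[(r.client, r.host)].append(r)
    return groups

def timer_driven(log, min_requests=5, max_jitter=0.05):
    """Delay time filter: (client, host) pairs whose gaps between successive
    requests are nearly constant.  Jitter is the standard deviation of the
    gaps divided by their mean; human browsing sits far above 5%."""
    hits = []
    for key, reqs in group_by_client_host(log).items():
        if len(reqs) < min_requests:
            continue
        times = sorted(r.ts for r in reqs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append(key)
    return sorted(hits)

def bandwidth_alerts(log, threshold=20_000):
    """Bandwidth filter: clients whose total outbound bytes exceed the
    threshold.  Destination and encryption are irrelevant; only volume counts."""
    totals = defaultdict(int)
    for r in log:
        totals[r.client] += r.bytes_out
    return sorted(c for c, total in totals.items() if total > threshold)

def regularity_alerts(log, max_active_hours=4):
    """Regularity filter: (client, host) pairs seen in more distinct clock
    hours than a human session to one site would span."""
    hits = []
    for key, reqs in group_by_client_host(log).items():
        hours = {r.ts.replace(minute=0, second=0, microsecond=0) for r in reqs}
        if len(hours) > max_active_hours:
            hits.append(key)
    return sorted(hits)

def off_hours_alerts(log, active_hours):
    """Time-of-day filter: requests outside the client's profiled hours.
    active_hours maps client -> set of hours (0-23) in which it is normally
    active; clients without a profile are never flagged."""
    return sorted((r.client, r.host, r.ts) for r in log
                  if r.ts.hour not in active_hours.get(r.client, set(range(24))))

# Constructed log for one day.
BASE_DAY = datetime(2024, 3, 5)

def at(hour, minute=0, second=0):
    return BASE_DAY + timedelta(hours=hour, minutes=minute, seconds=second)

SAMPLE_LOG = [
    # 10.0.0.5: a short human search session at 09:15.
    Request("10.0.0.5", "www.google.com", at(9, 15, 2), 410),
    Request("10.0.0.5", "www.google.com", at(9, 15, 20), 455),
    Request("10.0.0.5", "www.technewsworld.com", at(9, 15, 41), 380),
    # 10.0.0.9: a spyware beacon, 120 bytes exactly every 10 minutes, all day.
    *[Request("10.0.0.9", "stats.example.net", at(h, m), 120)
      for h in range(24) for m in range(0, 60, 10)],
    # 10.0.0.5: one 48 KB post of an encrypted document during lunch.
    Request("10.0.0.5", "board.example.org", at(12, 30, 7), 48_000),
]
# Assumed per-client profile: active 08:00-12:00 and 13:00-18:00.
WORK_HOURS = {c: set(range(8, 12)) | set(range(13, 18))
              for c in ("10.0.0.5", "10.0.0.9")}

if __name__ == "__main__":
    print("timer-driven:", timer_driven(SAMPLE_LOG))
    print("bandwidth:", bandwidth_alerts(SAMPLE_LOG))
    print("regularity:", regularity_alerts(SAMPLE_LOG))
    print("off-hours:", len(off_hours_alerts(SAMPLE_LOG, WORK_HOURS)), "requests")
```

The beacon sends only about 17 KB over the whole day and so stays under the bandwidth threshold, but it is caught by the delay time filter (zero jitter) and by the regularity filter (24 distinct active hours), and most of its requests also fall outside the client's profiled hours. The lunchtime post is the reverse case: a single request that evades the timing and regularity filters entirely but trips the bandwidth and time-of-day filters. A tunnel author who adds random jitter to defeat the delay time filter still accumulates active hours and outbound bytes, which is why the filters are layered rather than used alone.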

Conclusion

Web Tap uses a variety of techniques to detect different types of security threats. More detailed information about these methods, as well as an evaluation, can be found in the original Web Tap research paper. The paper examines the difficulty of designing a tunnel that avoids detection and takes a look at false positive rates.