Web Session Activity Analysis
Definition
Monitoring changes in user web session behavior by comparing current web session activity to a baseline behavior profile or a catalog of predetermined malicious behavior.
How it works
User web session data is collected over a period of time to create a user behavior profile. Data collected includes clicks made on a website, average time between clicks, filling out web forms, the order in which pages are viewed, and downloading files. Current user web session behavior is then compared against the user behavior profile to identify anomalies and estimate the likelihood that the current user web session is malicious. Current user web session behavior can also be compared to predetermined known malicious behavior profiles that are developed through analysis of malware at run time at a threat research facility.
Considerations
- Potential for false positives from anomalies that are not associated with malicious activity.
- Attackers may not differentiate their web session activity enough to trigger an alert.
References
The following references were used to develop the Web Session Activity Analysis knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
Host intrusion prevention system using software and user behavior analysis
MITRE Comments
The patent describes a technique for performing behavior-based threat detection. User and code behavior data is collected and stored to create baseline user and code behavior profiles. User behavior data collected over a user session or over multiple sessions can include a user:
- clicking on a link
- scrolling down a page
- opening or closing a window
- downloading a file
- saving a file
- running a file
- typing a keyword
Code behavior monitored includes code:
- copying itself to a system folder
- setting a run key to itself in the registry
- setting a second run key to itself in the registry in a different location
- disabling OS tools in the registry
- opening a hidden file
The user interaction and the code process executed during the user session are monitored and compared with predetermined malicious behavior profiles that are typically present in a malicious user session. The predetermined collection of malicious behaviors is created based on analysis of families of malware at run time in a threat research facility. If a match is made, an action is taken that can include isolating the computer on which the user interaction occurs and limiting network access to or from the computer.
System and Method for Detection of a Change in Behavior in the Use of a Website Through Vector Velocity Analysis
MITRE Comments
This patent describes a technique for detecting fraudulent behavior on a website. Website behavior is mapped to build a multidimensional representation of user actions on a website that is updated as additional actions are recorded. Example actions on a website that are recorded include clicks by a user on the website and entering data into forms. Current behavior is compared against baseline recorded behavior and if current behavior deviates above a threshold, an alert is issued.
System and Method for Network Security Including Detection of Attacks Through Partner Websites
MITRE Comments
This patent describes a technique for detecting man-in-the-browser attacks. Current user session data is compared with the average user session, which is based on collected data representing average values across all user sessions over a data-collection period. User session data includes average time between clicks and the order in which website pages are viewed. The comparisons are combined to generate a score that indicates the likelihood that the current session is a man-in-the-browser attack.
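The baseline-and-compare logic described under How it works and in the man-in-the-browser summary above, as an added example that is not code from the page or from any of the cited patents. The sessions are constructed, and the chosen features (inter-click gap, page-transition pairs), weights and alert threshold are assumptions for illustration.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed baseline sessions: lists of (page, seconds since session start).
BASELINE_SESSIONS = [
    [("home", 0), ("catalog", 6), ("item", 13), ("cart", 22), ("checkout", 35)],
    [("home", 0), ("catalog", 5), ("item", 11), ("item", 19), ("cart", 27), ("checkout", 41)],
    [("home", 0), ("search", 7), ("item", 15), ("cart", 24), ("checkout", 38)],
    [("home", 0), ("catalog", 8), ("item", 16), ("cart", 23), ("checkout", 37)],
]
ALERT_THRESHOLD = 1.5  # assumed; tune against observed false-positive rate

def intervals(session):
    """Seconds between consecutive clicks (the 'average time between clicks' feature)."""
    return [b[1] - a[1] for a, b in zip(session, session[1:])]

def transitions(session):
    """Ordered page pairs (the 'order in which pages are viewed' feature)."""
    return [(a[0], b[0]) for a, b in zip(session, session[1:])]

def build_profile(sessions):
    """Baseline across all collected sessions: mean/stdev of click gaps and the set
    of page transitions ever observed."""
    gaps = [g for s in sessions for g in intervals(s)]
    seen = Counter(t for s in sessions for t in transitions(s))
    return {"mean_gap": mean(gaps), "sd_gap": pstdev(gaps) or 1.0, "transitions": seen}

def score_session(session, profile):
    """Combine two deviations into one anomaly score (higher = less like baseline):
    timing = z-score of the session's mean click gap; navigation = fraction of
    page transitions never seen in the baseline, weighted x3 (assumed weight)."""
    gaps = intervals(session)
    if not gaps:
        return 0.0
    timing = abs(mean(gaps) - profile["mean_gap"]) / profile["sd_gap"]
    trans = transitions(session)
    unseen = sum(1 for t in trans if t not in profile["transitions"]) / len(trans)
    return round(timing + 3 * unseen, 2)

def is_anomalous(session, profile, threshold=ALERT_THRESHOLD):
    return score_session(session, profile) > threshold

PROFILE = build_profile(BASELINE_SESSIONS)
# Constructed current sessions to score against the baseline.
NORMAL = [("home", 0), ("catalog", 7), ("item", 15), ("cart", 24), ("checkout", 38)]
SCRIPTED = [("home", 0), ("checkout", 0.2), ("checkout", 0.4), ("checkout", 0.6)]
INJECTED = [("home", 0), ("catalog", 7), ("item", 14), ("account", 15),
            ("transfer", 16), ("cart", 25), ("checkout", 39)]

if __name__ == "__main__":
    for name, s in [("normal", NORMAL), ("scripted", SCRIPTED), ("injected", INJECTED)]:
        print(name, score_session(s, PROFILE), "ALERT" if is_anomalous(s, PROFILE) else "ok")
```

The INJECTED session keeps human-like timing but visits pages in an order never seen in the baseline, which is the kind of deviation the navigation term surfaces even when the timing term stays quiet.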
System and method thereof for identifying and responding to security incidents based on preemptive forensics
MITRE Comments
This patent describes detecting abnormal behavior related to a security incident by collecting and analyzing forensic data in real time. Forensic data may include:
- URLs visited
- data downloaded or streamed
- messages received and sent
- amount of memory used for processing
The data is then analyzed according to a set of dynamically created rules to determine normal behavior patterns associated with the network or user devices. Anomalies between current behavior and normal behavior patterns trigger an alert.