The web browsing behaviour of users changes as the end of the year approaches. The holiday season can provide a large distraction from work duties that may need to be managed. Equally, even during periods when the office is closed, there will be some individuals who cannot resist accessing work systems. Managing these changes in behaviour is difficult for network administrators unless they know what to expect.
The anonymised, aggregated telemetry from web scanning appliances shows how corporate users’ web browsing behaviour changes from day-to-day and over the seasons. We can visualise these changes by comparing each day’s traffic to that of an average work day in order to see by just how much traffic rises or falls during the Christmas period.
Search Engine Websites
Plotting visits to this category of website shows the typical rise and fall of corporate web traffic throughout the working week. Web requests to search engine websites on Saturdays are approximately 25% of those seen during the working week of Monday to Friday, with Sunday being slightly higher at 30%.
Thursday, December 20, marks a clear change in browsing behaviour. Traffic on Friday, December 21, is lower than would be expected for a Friday, and the rise in traffic on the following Sunday is not seen. Traffic on Christmas Eve is about 40% of a normal weekday. However, the amount of traffic on Christmas Day, 24% of normal, isn’t noticeably different from that of a typical Saturday.
Corporate Webmail Traffic
Traffic to corporate webmail servers follows a similar pattern to that of search engines, with high weekday traffic followed by drops over the weekend. However, unlike search engines, we see a clear peak in traffic occurring on Tuesday, December 18, possibly as users check their email for the last time before leaving the office. Traffic falls steadily over the following week, reaching a minimum on Saturday, December 22, which is even lower than Christmas Day itself. Thursday, December 27, appears to mark a point where some employees are returning to work, and those who remain on holiday may be beginning to think about returning to work. On this date, traffic reaches 85% of that expected for a normal weekday despite it being in a period when many offices are closed.
Traffic drops over the time of New Year. On Wednesday, January 2, traffic rises to 80% of an average week day. Thursday, January 3, sees web requests regaining the same magnitude as an average week day, although Friday, January 4, seems a little quiet, before web requests are back to normal from the next Monday.
Interest in shopping builds steadily through the autumn with clear peaks on November 19 and 26. November 26 is known as Cyber Monday, the Monday following Thanksgiving in the U.S., which is recognised as a popular day for ordering online. Our data shows that the preceding Monday is actually a busier day for online purchases, suggesting that it is around the last two weeks in November that Christmas purchases are being planned and made.
A traffic peak on December 27 is also visible for this category, suggesting that users are not only checking work email on this date, but also resuming their habitual web browsing activities.
Daily web requests to alcohol-related websites grow throughout the autumn with a clear peak on Wednesday, December 12, possibly coinciding with a peak in office parties. The December 27 peak in activity is also visible but at a much higher relative magnitude. Whereas visits to corporate webmail websites on this day were at 80% of an average weekday, visits to alcohol-related websites are at 174% of the number expected.
Discussions of increased visits to shopping and alcohol websites may unfairly brand users as shirkers. During the period from the beginning of January to Christmas, requests to business-related websites do not drop; on the contrary, there appears to be a slight increase to such websites during mid-December. It is likely that seasonal browsing is performed in addition to normal activities. There is certainly scant evidence of a drop in visits to business-related websites, or corporate webmail services, on the same dates as the high peaks in traffic to shopping websites are observed.
Christmas remains a religious occasion and this is reflected in the pattern of web requests. There is a slight upwards trend in visits to religious websites during the autumn, but it is the pattern of traffic during the last 10 days of December that is notably different from that of other categories. On December 22, traffic to search engines drops to 22% of the weekday average, but traffic to religious websites holds strong at 83% of the weekday average for this category. This increases to 93% on Christmas Eve, while search engine traffic rises weakly to 38%. On Christmas Day, search engine traffic drops to 24%, whereas visits to religious websites hold strong at 88% of the weekday average.
Conversely, visits to religious websites do not show the sharp peak in traffic on December 27. Nevertheless, traffic to these sites remains strong at 72% of weekday average; we do not see a strong peak because unlike other categories, traffic to this category does not drop over the Christmas period.
The traffic to websites within a particular category may change drastically from weekday to weekend, and over the Christmas period, but in absolute terms traffic to search engines dwarfs traffic to other categories.
We can show how much more frequent requests to search engines are by expressing the number of web requests to each category as a fraction of the number of requests for search engine web pages.
Traffic to business websites is 90% of traffic to search engines. However, in comparison, religion is only 0.32%, business webmail only 0.15%, and alcohol only 0.09%. Even over the period December 20 – 31, visits to religious websites rise only to a tiny percentage, 0.46%, of visits to search engines.
Surprisingly, visits to risky, poor reputation websites drop as the year draws to an end. Potentially, this is evidence of users visiting familiar trusted websites as their browsing patterns change. Notably, there are no corresponding peaks in visits to low reputation websites on the dates corresponding to the spikes in visits to shopping websites on November 19–26.
The number of web malware blocks shows a fairly chaotic picture. We can no longer see clear patterns relating to the working week, nor trends over time. A handful of dates have malware blocks that are more than two standard deviations above the mean value. November 22 and 26 both have an extremely high number of malware blocks. These dates correspond to Thanksgiving Day in the U.S. and Cyber Monday, the peak shopping day. This may be evidence of criminals seeking to distribute malware on dates where large amounts of web traffic can be expected and security teams may be taking time off.
The peak of December 26 is particularly noticeable, since this is a day when we observe low web traffic, yet we also experience a high number of malware blocks. Potentially, this is also evidence of criminals picking specific days to release web malware when security teams may be assumed to be working, at best, with a reduced capacity.
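The two measurements used in this analysis, each day's traffic as a percentage of an average work day and malware-block counts more than two standard deviations above the mean, can be combined to surface block spikes that fall on quiet days. The following is an added example, not code or data from the original analysis: all counts are constructed, the function names are hypothetical, and the year 2012 is an assumption chosen so that weekdays match the dates in the text.

```python
from datetime import date, timedelta
from statistics import mean, pstdev

def weekday_baseline(requests, start, end):
    """Mean daily requests over Mon-Fri within [start, end]: the 'average work day'."""
    return mean(v for d, v in requests.items()
                if start <= d <= end and d.weekday() < 5)

def percent_of_baseline(requests, baseline):
    """Each day's requests as a percentage of the weekday baseline."""
    return {d: round(100.0 * v / baseline, 1) for d, v in requests.items()}

def block_outliers(blocks, k=2.0):
    """Dates whose malware-block count is more than k std devs above the mean."""
    values = list(blocks.values())
    threshold = mean(values) + k * pstdev(values)
    return sorted(d for d, v in blocks.items() if v > threshold)

def quiet_day_spikes(requests, blocks, baseline, quiet_pct=50.0):
    """Block outliers on days with traffic below quiet_pct of the baseline."""
    rel = percent_of_baseline(requests, baseline)
    return [d for d in block_outliers(blocks) if rel[d] < quiet_pct]

# Constructed sample data (not real telemetry): six weeks from Monday 19 Nov 2012.
FIRST = date(2012, 11, 19)
DAYS = [FIRST + timedelta(days=i) for i in range(42)]
# Weekdays 1000 requests, Saturdays 250, Sundays 300, then a holiday dip.
REQUESTS = {d: {5: 250, 6: 300}.get(d.weekday(), 1000) for d in DAYS}
REQUESTS.update({date(2012, 12, 24): 400, date(2012, 12, 25): 240,
                 date(2012, 12, 26): 300})
# Noisy block counts with three constructed spikes.
BLOCKS = {d: 40 + (i * 7) % 23 for i, d in enumerate(DAYS)}
BLOCKS.update({date(2012, 11, 22): 200, date(2012, 11, 26): 220,
               date(2012, 12, 26): 180})

# Baseline taken from the pre-holiday weeks only, so the dip does not skew it.
BASELINE = weekday_baseline(REQUESTS, FIRST, date(2012, 12, 16))

if __name__ == "__main__":
    rel = percent_of_baseline(REQUESTS, BASELINE)
    for d in block_outliers(BLOCKS):
        print(d.isoformat(), f"blocks={BLOCKS[d]}", f"traffic={rel[d]}% of weekday average")
    print("spikes on quiet days:",
          [d.isoformat() for d in quiet_day_spikes(REQUESTS, BLOCKS, BASELINE)])
```

Taking the baseline from a reference window before the holiday period matters: including the holiday dip in the "average work day" would make quiet days look closer to normal than they are.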
Understanding the normal behaviour of network users is vital for security managers to be able to identify abnormal behaviour which may be indicative of an attack or a successful breach. In addition to assisting in the identification of attacks, the rise and fall of network traffic also gives us a fascinating insight into how users’ behaviour changes during the Christmas period. These patterns are likely to be repeated year after year, and can be used by network and systems administrators to anticipate periods of high and low network demand.
Cisco’s Web Security Appliance not only gives network administrators insight into the behaviour of users on their own network, but also allows administrators to fine tune policies to protect users and to control traffic only when required.
As the year draws to a close, the web browsing activity of users will change, but their need to surf the web securely, to remain free from malware infection, and to continue having access to corporate resources, no matter their location, will remain constant.