Threat Scoring

Understanding the Unified Score

WebDecoy calculates a unified threat score for every detection, providing a single number (0-100) that represents the overall risk level of a visitor or request.

Why a Unified Score?

Instead of presenting dozens of individual signals, WebDecoy combines them into one actionable number:

Multiple Signals → Weighted Analysis → Unified Score → Clear Action

Without Unified Score	With Unified Score
”Is this IP bad? Is the user agent suspicious? What about missing headers? Are they using automation?"	"Score: 78 - Block this request”

Score Range

Score	Risk	Color	Action
0-20	MINIMAL	🟢 Green	Allow
21-40	LOW	🔵 Blue	Log
41-60	MEDIUM	🟡 Yellow	Monitor/Challenge
61-80	HIGH	🟠 Orange	Challenge/Block
81-100	CRITICAL	🔴 Red	Block

---

Score Components

The unified score is calculated from multiple weighted components.

Component Categories

Component	Weight	Description
Attack Signatures	25%	Detected attack patterns (SQLi, XSS, etc.)
Honeypot Match	20%	Decoy/honeypot interaction
IP Reputation	15%	AbuseIPDB score, threat lists
User Agent	15%	Bot signatures, anomalies
Header Analysis	10%	Missing/suspicious headers
Fingerprint	10%	Browser fingerprint consistency
Behavior	5%	Behavioral patterns

Attack Signatures (0-100)

Detected attack patterns in the request:

Pattern	Score Contribution
SQL Injection	+30-40
XSS (Cross-Site Scripting)	+25-35
Command Injection	+35-45
Path Traversal	+20-30
XXE (XML External Entity)	+30-40
LDAP Injection	+25-35
NoSQL Injection	+25-35

Example:

Request: POST /api/login
Body: {"password": "' OR '1'='1"}

Attack Signature Score: 85
- SQL Injection detected (confidence: high)

Honeypot Match (0-100)

Interaction with honeypot resources:

Interaction	Score
Decoy link accessed	70-90
Hidden form field filled	60-80
API honeypot triggered	75-95
Multiple honeypots hit	90-100

Example:

Decoy: /admin/backup.zip accessed
Honeypot Score: 85

IP Reputation (0-100)

Based on threat intelligence:

Source	Data
AbuseIPDB	Abuse confidence score
Threat Lists	Known malicious IPs
Hosting Detection	Datacenter/hosting IPs
Proxy/VPN	Anonymization services

Example:

IP: 192.168.1.100
AbuseIPDB Score: 45
Is VPN: Yes
Is Hosting: Yes

IP Reputation Score: 60

User Agent Analysis (0-100)

Examines the browser/bot identifier:

Signal	Score Impact
Known bot signature	+30-50
Automation tool markers	+40-60
Inconsistent UA	+20-30
Empty/missing UA	+50-70
Suspicious patterns	+15-25

Example:

User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1)
BUT: IP not from Google

User Agent Score: 75
- Fake Googlebot detected

Header Analysis (0-100)

Checks HTTP header completeness and consistency:

Signal	Score Impact
Missing Accept header	+15-20
Missing Accept-Language	+10-15
No cookies	+5-10
Inconsistent headers	+20-30
Suspicious header values	+15-25

Example:

Headers present: User-Agent only
Missing: Accept, Accept-Language, Accept-Encoding

Header Score: 55

Fingerprint Analysis (0-100)

Browser fingerprint consistency:

Signal	Score Impact
Canvas anomaly	+20-30
WebGL inconsistency	+15-25
Font mismatch	+10-15
Timezone/language mismatch	+15-20

Behavior Analysis (0-100)

Behavioral patterns:

Signal	Score Impact
Instant form submission	+20-30
Linear mouse movement	+15-25
No scroll events	+10-15
Rate limit exceeded	+25-35

---

Threat Levels

Scores are grouped into threat levels for easier interpretation.

MINIMAL (0-20)

🟢 Score: 12
Level: MINIMAL

Meaning:

• Very low risk
• Likely legitimate user
• Normal browsing patterns

Recommended Action:

• Allow the request
• No logging needed (unless monitoring all traffic)

LOW (21-40)

🔵 Score: 35
Level: LOW

Meaning:

• Some suspicious signals
• Could be a curious user or minor automation
• Worth monitoring

Recommended Action:

• Allow the request
• Log for analysis
• Monitor for patterns

MEDIUM (41-60)

🟡 Score: 52
Level: MEDIUM

Meaning:

• Multiple suspicious signals
• Possible bot or scanner
• Warrants attention

Recommended Action:

• Consider challenge (CAPTCHA)
• Log and alert
• Review manually if pattern continues

HIGH (61-80)

🟠 Score: 73
Level: HIGH

Meaning:

• Strong indicators of automation or malicious intent
• Likely a bot or attacker
• Significant risk

Recommended Action:

• Challenge or block
• Alert security team
• Add to watchlist

CRITICAL (81-100)

🔴 Score: 92
Level: CRITICAL

Meaning:

• Multiple high-confidence indicators
• Almost certainly malicious
• Active attack or aggressive scanning

Recommended Action:

• Block immediately
• Alert security team
• Consider IP blocking
• Investigate the source

---

Threat Categories

Beyond the score, detections are categorized by threat type.

Category Types

Category	Description	Typical Score
Bot	Automated software	40-80
Attacker	Active exploitation attempt	70-100
Scanner	Vulnerability scanning	50-80
Crawler	Content scraping	30-60
Scraper	Data extraction	40-70
Legitimate	Verified good actor	0-20
Unknown	Insufficient data	20-40

Category Determination

Categories are assigned based on:

1. Behavior patterns - What actions are they taking?
2. Target resources - What are they accessing?
3. Attack signatures - Are they attempting exploits?
4. Historical data - What have they done before?

Good Bot Recognition

Known legitimate bots are categorized separately:

Bot Type	Examples	Treatment
Search Engines	Googlebot, Bingbot	Allow, low score
Social Media	Facebook, Twitter	Allow, low score
Monitoring	Pingdom, UptimeRobot	Allow, low score

---

Score Explanation Dialog

WebDecoy provides a detailed breakdown of how scores are calculated.

Accessing the Explanation

1. Open a detection’s detail panel
2. Click on the threat score number
3. The score explanation dialog opens

Explanation Contents

┌─────────────────────────────────────┐
│  Score Breakdown                     │
├─────────────────────────────────────┤
│  Final Score: 78                     │
│  Threat Level: HIGH                  │
├─────────────────────────────────────┤
│  Components:                         │
│  ├── Attack Signatures: 85 (25%)    │
│  ├── Honeypot Match: 80 (20%)       │
│  ├── IP Reputation: 60 (15%)        │
│  ├── User Agent: 75 (15%)           │
│  ├── Headers: 55 (10%)              │
│  ├── Fingerprint: 40 (10%)          │
│  └── Behavior: 30 (5%)              │
├─────────────────────────────────────┤
│  Key Signals:                        │
│  • SQL Injection detected            │
│  • Decoy link accessed               │
│  • Missing Accept-Language header    │
│  • IP reported 12 times on AbuseIPDB │
└─────────────────────────────────────┘

Signal Details

Each signal shows:

• Type: What was detected
• Confidence: How certain (high/medium/low)
• Contribution: Impact on final score
• Evidence: Specific data that triggered it

---

Using Scores Effectively

Setting Block Thresholds

Use Case	Recommended Threshold
High-security (financial)	60
Standard websites	75
Public content	85
Monitoring only	100 (no blocking)

Score-Based Actions

// Example decision logic
if (score >= 80) {
  blockRequest();
  alertSecurityTeam();
} else if (score >= 60) {
  challengeWithCaptcha();
  logAsHighRisk();
} else if (score >= 40) {
  logForReview();
} else {
  allowRequest();
}

Adjusting Sensitivity

If you’re seeing too many false positives:

1. Increase your block threshold (e.g., 75 → 85)
2. Add legitimate bots to allowlist
3. Review high-scoring detections manually

If you’re missing threats:

1. Lower your block threshold (e.g., 75 → 65)
2. Enable more detection features
3. Add stricter rules for sensitive endpoints