Early fraud detection using a hybrid of messaging reputation and web activity

Phyllis Schneck, CipherTrust Inc.

Current approaches to web fraud detection focus on web-based data and entities: the content of fraudulent websites, names used in URLs, domain names, and new domain registrations that contain a name or brand not belonging to the registrant, which are most likely to be used to lure Internet traffic toward that brand. In electronic messaging systems, reputation systems are used to classify senders and content. In the past, web fraud detection and messaging reputation systems have been disjoint.

In this paper, we propose a hybrid fraud detection framework that combines messaging reputation systems and web activity monitoring systems to improve protection and provide a multi-dimensional view of fraud, from set-up to execution to helping law enforcement track a cross-section of organized crime.

Messaging reputation systems analyse the past and present behaviour of an identity. Types of identities in the messaging system include IP addresses, domain names, URLs and message signatures. Identities monitored and classified in the messaging ecosystem can be mined in the web activity databases to find aliases of related activity and to train systems. For example, a single domain identity can be tied to a web host and mapped back to tens of domain names that are being used for the same website. New spoofed sites that are advertised in messaging traffic can be fed to web crawlers as training accelerators to help target the crawling activity based on recently used websites. We further create the capability to search the web reputation database immediately upon identifying potential fraud of a messaging identity such as an IP address.

We demonstrate that this new hybrid web and messaging reputation framework enables:

    1. Faster fraud identification.
    2. Correlation of IP address reputation to messaging fraud such as phishing as well as web activities such as brand name misuse in site hosting.
    3. Improved training of both messaging and web reputation datasets through the real-time exchange of knowledge between the behaviour of messaging entities and domain registration and website content.
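
The pivot described above (a URL advertised in messaging traffic, to its web host, to the other domain names on that host) can be sketched as follows. This is an added example, not code from the paper or from CipherTrust's system; the sample data, the 0-100 reputation scale, the threshold and all function names are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# All data below is constructed for illustration (reserved IPs, .test domains).
IP_REPUTATION = {"203.0.113.7": 92, "198.51.100.20": 5}   # assumed 0-100, high = bad
HOSTING = [                                                # web activity DB rows
    ("examplebank-login.test", "203.0.113.7"),
    ("secure-examplebank.test", "203.0.113.7"),
    ("gardening-tips.test", "203.0.113.7"),
    ("examplebank.test", "198.51.100.20"),
]
BRAND_HOSTS = {"examplebank": {"198.51.100.20"}}           # brand -> owner's hosts
MESSAGE_URLS = ["http://examplebank-login.test/verify?id=1"]  # seen in mail traffic


def build_indexes(hosting):
    """Index hosting rows both ways: IP -> domains and domain -> IP."""
    by_ip, by_domain = defaultdict(set), {}
    for domain, ip in hosting:
        by_ip[ip].add(domain)
        by_domain[domain] = ip
    return by_ip, by_domain


def misused_brand(domain, ip):
    """Return the brand named in `domain` if `ip` is not one of its owner's hosts."""
    for brand, owner_ips in BRAND_HOSTS.items():
        if brand in domain and ip not in owner_ips:
            return brand
    return None


def pivot(message_urls, threshold=80):
    """Messaging identity -> web host -> alias domains, ordered for crawling."""
    by_ip, by_domain = build_indexes(HOSTING)
    queue, seen_ips = [], set()
    for url in message_urls:
        ip = by_domain.get(urlsplit(url).hostname)
        if ip is None or ip in seen_ips or IP_REPUTATION.get(ip, 0) < threshold:
            continue          # unknown host, already expanded, or reputation acceptable
        seen_ips.add(ip)
        for alias in by_ip[ip]:
            queue.append((alias, ip, misused_brand(alias, ip)))
    # Domains that name a brand they do not belong to are crawled first.
    queue.sort(key=lambda row: (row[2] is None, row[0]))
    return queue


if __name__ == "__main__":
    for domain, ip, brand in pivot(MESSAGE_URLS):
        print(f"{domain:28} {ip:14} brand_misuse={brand}")
```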
