Early fraud detection using a hybrid of messaging reputation and web activity

Phyllis Schneck, CipherTrust Inc.

Current approaches to web fraud detection focus on web-based data and entities: the content of fraudulent websites, names used in URLs, domain names, and new domain registrations that contain a name or brand not belonging to the registrant, which are most likely to be used to lure Internet traffic toward that brand. In electronic messaging systems, reputation systems are used to classify senders and content. In the past, web fraud detection and messaging reputation systems have been disjoint.

In this paper, we propose a hybrid fraud detection framework that combines messaging reputation systems and web activity monitoring systems to improve protection and provide a multi-dimensional view of fraud, from set-up to execution to helping law enforcement track a cross-section of organized crime.

Messaging reputation systems analyse the past and present behaviour of an identity. Types of identities in the messaging system include IP addresses, domain names, URLs and message signatures. Identities monitored and classified in the messaging ecosystem can be mined in the web activity databases to find aliases of related activity and to train systems. For example, a single domain identity can be tied to a web host and mapped back to tens of domain names that are being used for the same website. New spoofed sites that are advertised in messaging traffic can be fed to web crawlers as training accelerators to help target the crawling activity based on recently used websites. We further create the capability to search the web reputation database immediately upon identifying potential fraud of a messaging identity such as an IP address.

We demonstrate that this new hybrid web and messaging reputation framework enables:

    1. Faster fraud identification.
    2. Correlation of IP address reputation to messaging fraud such as phishing as well as web activities such as brand name misuse in site hosting.
    3. Improved training of both messaging and web reputation datasets through the real-time exchange of knowledge between the behaviour of messaging entities and domain registration and website content.
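
The pivot described above, from a messaging identity to its web aliases and on to the crawler, can be sketched as follows. This is an added illustration, not code from the paper; the record layout, function names and all sample data (documentation IP ranges and `.example` domains) are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data. Messaging side: verdicts held by a reputation system.
MESSAGES = [
    {"sender_ip": "192.0.2.10", "url_domain": "login-bank.example", "verdict": "phish"},
    {"sender_ip": "192.0.2.10", "url_domain": "secure-bank.example", "verdict": "phish"},
    {"sender_ip": "198.51.100.7", "url_domain": "newsletter.example", "verdict": "ham"},
]
# Web side: domain -> hosting IP, as recorded by web activity monitoring.
WEB_HOSTING = {
    "login-bank.example": "203.0.113.5",
    "secure-bank.example": "203.0.113.5",
    "bank-verify.example": "203.0.113.5",  # not yet advertised in any message
    "bank-update.example": "203.0.113.5",  # not yet advertised in any message
    "newsletter.example": "203.0.113.80",
}

def correlate(messages, web_hosting):
    """For each sender IP with a phishing verdict, look up the web hosts of the
    domains it advertised and collect every other domain on those hosts."""
    by_host = defaultdict(set)
    for domain, host in web_hosting.items():
        by_host[host].add(domain)
    findings = {}
    for msg in messages:
        if msg["verdict"] != "phish":
            continue
        entry = findings.setdefault(
            msg["sender_ip"], {"advertised": set(), "hosts": set(), "aliases": set()})
        entry["advertised"].add(msg["url_domain"])
        host = web_hosting.get(msg["url_domain"])
        if host is not None:  # domains unknown to the web side still get crawled
            entry["hosts"].add(host)
            entry["aliases"] |= by_host[host]
    for entry in findings.values():
        entry["aliases"] -= entry["advertised"]  # aliases = co-hosted, not yet mailed
    return findings

def crawl_queue(findings):
    """Crawler targets: domains seen in fraudulent mail first, then their aliases."""
    advertised = set().union(*(f["advertised"] for f in findings.values()))
    aliases = set().union(*(f["aliases"] for f in findings.values()))
    return sorted(advertised) + sorted(aliases - advertised)

if __name__ == "__main__":
    result = correlate(MESSAGES, WEB_HOSTING)
    for ip, entry in result.items():
        print(ip, "->", sorted(entry["hosts"]), "aliases:", sorted(entry["aliases"]))
    print("crawl queue:", crawl_queue(result))
```

The two alias domains surface before any message has advertised them, which is the early-identification benefit the abstract claims for combining the two datasets.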
