Early fraud detection using a hybrid of messaging reputation and web activity presented at Virus Bulletin 2006

by Phyllis Schneck (CipherTrust Inc.)

Tags: Security

URL : http://www.virusbtn.com/conference/vb2006/abstracts/Schneck.xml

Summary : Current approaches to web fraud detection focus on web-based data and entities: the content of fraudulent websites, names used in URLs, domain names and new domain registrations that contain a name or brand not belonging to the registrant - most likely to be used to lure Internet traffic toward that brand. In electronic messaging systems, reputation systems are used to classify senders and content. In the past, web fraud detection and messaging reputation systems have been disjoint.

In this paper, we propose a hybrid fraud detection framework that combines messaging reputation systems and web activity monitoring systems to improve protection and provide a multi-dimensional view of fraud, from set-up to execution to helping law enforcement track a cross-section of organized crime.

Messaging reputation systems analyse the past and present behaviour of an identity. Types of identities in the messaging system include IP addresses, domain names, URLs and message signatures. Identities monitored and classified in the messaging ecosystem can be mined in the web activity databases to find aliases of related activity and to train systems. For example, a single domain identity can be tied to a web host and mapped back to tens of domain names that are being used for the same website. New spoofed sites that are advertised in messaging traffic can be fed to web crawlers as training accelerators to help target the crawling activity based on recently used websites. We further create the capability to search the web reputation database immediately upon identifying potential fraud of a messaging identity such as an IP address.

We demonstrate that this new hybrid web and messaging reputation framework enables:

1. Faster fraud identification.

2. Correlation of IP address reputation to messaging fraud such as phishing as well as web activities such as brand name misuse in site hosting.

3. Improved training of both messaging and web reputation datasets with the real-time exchange of knowledge between behaviour of messaging entities with domain registration and web site content.
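The host pivot the abstract describes (a domain flagged by messaging reputation is tied to its web host and mapped back to the other domains served from that host) as an added Python example; this is not the paper's or CipherTrust's code, and the reputation scores, hosting IPs and crawler page titles are constructed sample data.

```python
# Added example: pivot from a messaging-reputation hit to sibling domains on the
# same web host, with page-title overlap as a content-level corroboration signal.
from collections import defaultdict

# Constructed messaging-reputation scores: identity -> score in [0, 1],
# higher meaning more evidence of abuse (e.g. advertised in phishing mail).
MESSAGING_HITS = {
    "bank-secure-login.example": 0.95,   # seen in phishing messages
    "newsletter.example": 0.05,          # ordinary bulk sender
}

# Constructed web-activity records: (domain, hosting IP, page title seen by crawler).
WEB_ACTIVITY = [
    ("bank-secure-login.example", "203.0.113.10", "Example Bank - Sign in"),
    ("examplebank-verify.example", "203.0.113.10", "Example Bank - Sign in"),
    ("acct-update-example.example", "203.0.113.10", "Example Bank - Sign in"),
    ("newsletter.example", "198.51.100.7", "Weekly Newsletter"),
    ("shop.example", "198.51.100.7", "Shop"),
]


def build_host_index(records):
    """Map each hosting IP to the set of domains the crawler observed on it."""
    by_host = defaultdict(set)
    for domain, ip, _title in records:
        by_host[ip].add(domain)
    return by_host


def find_aliases(seed_domain, records, hits=MESSAGING_HITS, threshold=0.8):
    """Return [(sibling_domain, host_ip, same_title)] for a messaging identity
    whose reputation score is at or above `threshold`: every other domain on
    the seed's host(s), tagged with whether the crawler saw the same page
    title. Returns [] when the seed is below threshold or unknown to the crawler.
    The result is the list a crawler would be pointed at first (training accelerator)."""
    if hits.get(seed_domain, 0.0) < threshold:
        return []
    by_host = build_host_index(records)
    titles = {domain: title for domain, _ip, title in records}
    seed_hosts = {ip for domain, ip, _t in records if domain == seed_domain}
    aliases = []
    for ip in sorted(seed_hosts):
        for sibling in sorted(by_host[ip] - {seed_domain}):
            aliases.append((sibling, ip, titles[sibling] == titles[seed_domain]))
    return aliases


if __name__ == "__main__":
    for alias in find_aliases("bank-secure-login.example", WEB_ACTIVITY):
        print(alias)
```

A low-scoring identity such as `newsletter.example` yields no aliases, so a shared host alone does not taint unrelated sites; the messaging score gates the pivot and the title match tells the analyst which siblings are the same spoofed site.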