Global Reputation Monitoring
The FortiGuard Security Intelligence Database
WHITE PAPER
FORTINET Global Reputation Monitoring PAGE 2

Overview

Fortinet's FortiGuard Security Services deliver two essential services to Fortinet customers: blocking spam emails before they reach customers' mailboxes and blocking customers' access to malicious web sites. To deliver real-time protection against emerging threats to Fortinet customers, the FortiGuard team has built one of the largest antispam and web filtering intelligence networks in the world. The FortiGuard Security Intelligence Database (SID) is a global intelligence database that creates and maintains a reputation score for email senders and websites. The FortiGuard SID is at the core of Fortinet's antispam and web filtering threat protection technology.

Delivering a Global View

Fortinet has collected information on hundreds of millions of email senders and web sites from around the world and used that information to create the FortiGuard SID, with data continuously being added. Every day, the FortiGuard Global Threat Research Team and the FortiGuard SID analyze millions of email messages and URL rating queries. Based on this analysis, the FortiGuard SID manages reputations of over 300 million IP addresses and maintains ratings on over 50 million websites.

The FortiGuard SID contains the security reputation scores of email sender IP addresses and website URIs, the volume and trend of their messaging and web traffic, and other information used in Fortinet's antispam and web filtering technologies. It collects data from the approximately 500,000 Fortinet antispam appliances (both FortiGate and FortiMail) and FortiClient endpoint agents deployed worldwide, as well as from Fortinet's global spam trapping network. When a Fortinet antispam appliance or endpoint receives an email, it extracts email signature information (including IP, URI, and checksum) and queries the FortiGuard Distribution Network (FDN) to determine whether the email is spam. The FDN servers keep the full query history in the form of antispam logs. It aggregates and analyzes these logs, providing a real-time, global view of spam and web traffic patterns. The FortiGuard team updates the reputations in the FortiGuard SID every three minutes and updates the web filtering ratings every 30 minutes.

A Multi-Layered Approach to Spam Detection

Fortinet uses several techniques to detect and filter spam:

Global Filters

Through the FDN, the FortiGuard antispam service provides two databases, FortiIP and FortiSig, as global filters. FortiIP is a sender IP reputation database, and FortiSig is a spam signature database containing three types of signatures: FortiSig1, FortiSig2 and FortiSig3. The FortiSig database also contains FortiRule, a database of dynamic heuristic rules. The FortiGuard team constantly updates these global filters, enabling FortiGate, FortiClient and FortiMail products to detect and filter most of the spam prevailing on the Internet. The details of the FortiIP and FortiSig databases are as follows:

- FortiIP (Sender IP reputation database): Misconfigured or virus-infected hosts account for the majority of spam today. The FortiGuard Antispam Service maintains a global IP reputation database that builds and maintains the reputation of each IP. It uses a range of properties of the IP address, gathered from various sources, including whois information, geographical location, service provider, whether it is an open relay or hijacked host, and so forth. One of the key properties used to maintain the reputation is the email volume from this sender, as gathered from our FDN. By comparing a sender's recent email volume with its historical pattern, the FortiGuard Antispam Service updates each IP's reputation in real time and provides a highly effective sender IP address filter.

- FortiSig1 (Spamvertised URLs): Approximately 90% of spam has one or more URLs in the message body. These URLs link to spammers' websites promoting their products and services. In phishing spam, these URLs direct the recipient to a fraudulent bank or other financial institution's website in an attempt to obtain private financial information. The FortiGuard Antispam Service collects spam samples through our global spam trap network and spam sample submissions from
our customers and partners. It extracts the URLs from the spam samples and subjects them to rigorous QA processes before adding them to the FortiSig database. The URLs are then subject to a continuous aging process by which the database removes obsolete items promptly.

- FortiSig2 (Spamvertised email addresses): Similar to the spamvertised URLs described above, another hallmark of spam is an email address in the message body that prompts the recipient to contact the spammers. By extracting these email addresses from the spam samples, the FortiGuard Antispam Service uses these spamvertised email addresses to provide another powerful global filter to identify and filter spam.

- FortiSig3 (Spam object checksums): To detect spam that evades the FortiSig1 and FortiSig2 filters, the FortiGuard Antispam Service created an additional global filter, FortiSig3 (available in FortiOS 3.0 and later). Using a proprietary algorithm, FortiSig3 detects objects in spam and calculates a fuzzy checksum from each object (the object can be part of the message body or an attachment). FortiSig3 provides another highly effective global filter with virtually no false positives.

- FortiRule (Dynamic heuristic rules): This is the latest component offered in the FortiGuard Antispam Service, available in FortiMail version 3.0 MR1 and later. This global filter uses dynamically updated heuristic rules to identify spam, exploiting various attributes in the spam message header, body, MIME header, and attachments. With manually crafted heuristic rules for specific spam attacks, FortiRule further increases the catch rate with virtually no false positives.

Customized Filters

Fortinet provides various customized spam filters to complement Fortinet's antispam solution on FortiGate and FortiMail appliances and FortiClient endpoint agents.
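As an added illustration of the global-filter data model described above (this is not Fortinet code and not FortiGuard's proprietary algorithms), the Python below extracts FortiSig1-style URLs and FortiSig2-style contact addresses from a constructed spam sample, computes a simple normalisation-based stand-in for a FortiSig3-style fuzzy checksum, stores each signature with a last-seen timestamp, matches a lightly mutated variant of the message, and runs the aging sweep that drops stale entries. The regular expressions, the 30-day aging window, the checksum normalisation rules and the two sample messages are all assumptions made for this example.

```python
"""Spam-signature extraction, matching and aging in the style of the FortiSig
global filters described above.  Added illustration, not Fortinet code; the
regexes, the aging window and the checksum normalisation are assumptions."""
import hashlib
import re
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
AGING_WINDOW = timedelta(days=30)  # assumed: drop signatures not seen for 30 days

# Constructed spam sample and a lightly mutated variant (different tracking id,
# extra whitespace, different capitalisation of the contact address).
SPAM_SAMPLE = (
    "Limited offer 2024!\n"
    "Order now at http://example.invalid/deal?id=12345 today.\n"
    "Questions? Write to deals@example.invalid"
)
VARIANT = (
    "Limited offer 2024!\n"
    "Order now   at http://example.invalid/deal?id=99887   today.\n"
    "Questions?  Write to Deals@example.invalid"
)


def fuzzy_checksum(text: str) -> str:
    """Stand-in for a fuzzy object checksum (not FortiSig3's proprietary one):
    lower-case, collapse every digit run to '0' and squeeze whitespace, so
    per-message variations such as tracking ids hash to the same value."""
    norm = re.sub(r"\d+", "0", text.lower())
    norm = re.sub(r"\s+", " ", norm).strip()
    return hashlib.sha256(norm.encode("utf-8")).hexdigest()[:16]


def extract_signatures(body: str) -> dict:
    """FortiSig1-style URLs, FortiSig2-style addresses and the fuzzy checksum."""
    urls = {u.rstrip(".,;)").lower() for u in URL_RE.findall(body)}
    emails = {e.lower() for e in EMAIL_RE.findall(body)}
    return {"urls": urls, "emails": emails, "checksum": fuzzy_checksum(body)}


class SignatureDatabase:
    """Signatures keyed by (kind, value) with a last-seen timestamp."""

    def __init__(self):
        self.entries = {}

    def add_spam_sample(self, body: str, seen_at: datetime) -> None:
        sig = extract_signatures(body)
        for url in sig["urls"]:
            self.entries[("url", url)] = seen_at
        for addr in sig["emails"]:
            self.entries[("email", addr)] = seen_at
        self.entries[("checksum", sig["checksum"])] = seen_at

    def age(self, now: datetime) -> int:
        """Aging sweep: drop entries older than AGING_WINDOW; return how many."""
        stale = [k for k, seen in self.entries.items() if now - seen > AGING_WINDOW]
        for key in stale:
            del self.entries[key]
        return len(stale)

    def match(self, body: str) -> list:
        """Return the (kind, value) signatures of a new message found in the DB."""
        sig = extract_signatures(body)
        candidates = [("url", u) for u in sig["urls"]]
        candidates += [("email", e) for e in sig["emails"]]
        candidates.append(("checksum", sig["checksum"]))
        return [c for c in candidates if c in self.entries]


def demo():
    """Train on the sample, match the variant, then run two aging sweeps."""
    t0 = datetime(2024, 1, 1)
    db = SignatureDatabase()
    db.add_spam_sample(SPAM_SAMPLE, t0)
    hits = db.match(VARIANT)
    removed_early = db.age(t0 + timedelta(days=10))  # nothing is stale yet
    removed_late = db.age(t0 + timedelta(days=31))   # all three entries expire
    return hits, removed_early, removed_late


if __name__ == "__main__":
    print(demo())
```

The variant changes the URL's tracking id, so the URL signature alone misses it; the contact address and the fuzzy checksum still match, which is the layering the text describes: FortiSig2 and FortiSig3 catch what FortiSig1 does not. The aging sweep shows why last-seen timestamps matter: the same entries survive a 10-day sweep and are all removed at 31 days.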
These customized filters range from banned word filters, local white and black lists of sender email addresses, and heuristic rules to highly sophisticated techniques such as Bayesian training in FortiMail (consult the technical documentation of each product for more information on customized filters).

Dedicated Service Team

The FortiGuard Antispam Service Team completes Fortinet's antispam solution, providing Fortinet customers with a best-in-class antispam service. The dedicated service team of engineers and analysts is committed to responding to and resolving any false positive reports and other issues within 24 hours. The FortiGuard antispam service team also monitors and analyzes the latest spam techniques, continuously updates the FortiIP and FortiSig databases, and researches and designs new spam filters.

Measuring Reputation

The FortiGuard SID calculates a reputation score from 1 to 9 for every email signature and website. A score of 1 means the signature/website is most likely malicious, 8 means the signature/website is most likely clean, and 9 indicates a whitelisted signature or site. To calculate the score, the FortiGuard SID uses proprietary algorithms that consider a wide range of parameters for spam reputation and web site reputation. The FortiGuard SID first analyzes the global behavior of the email or website, mined from the data collected from the installed base of FortiGate and FortiMail appliances and FortiClient endpoints. It examines a broad range of data to ensure that no single parameter or value triggers a spam listing or malicious site listing, minimizing both false positives and false negatives. It analyzes the existing reputation in the context of new patterns, volumes, locations, and trends over a range of time windows, from the last five minutes up to the previous 30 days.
The FortiGuard Threat Research Team also uses its expertise in intelligent email and web traffic behavior analysis techniques to provide early detection of emerging threats. This expertise, combined with the global data collection and analysis techniques, ensures that FortiGate and FortiMail appliances, as well as FortiClient-protected endpoints, identify and block emerging threats.
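To make the scoring and time-window discussion concrete, here is an added Python example (not Fortinet's proprietary algorithm) that counts each sender IP's messages over 5-minute, 1-hour, 24-hour and 30-day windows from constructed FDN-style query log lines, compares the most recent hour's volume against the 30-day historical baseline, folds in the fraction of messages the appliances reported as spam, and maps the result onto the 1-to-9 scale described above (1 most likely malicious, 8 most likely clean, 9 whitelisted). The log format, the verdict field, the spike and spam-fraction thresholds, the whitelist and the four sample senders are all assumptions made for this example.

```python
"""Sender-IP reputation scoring over several time windows, in the style of the
FortiIP/FortiGuard SID description above.  Added illustration, not Fortinet's
proprietary algorithm; the log format, windows, thresholds and whitelist are
assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2024, 3, 1, 12, 0, 0)            # constructed evaluation time
WINDOWS = {                                      # windows from 5 minutes up to 30 days
    "5m": timedelta(minutes=5),
    "1h": timedelta(hours=1),
    "24h": timedelta(hours=24),
    "30d": timedelta(days=30),
}
WHITELIST = {"192.0.2.9"}                        # assumed trusted senders -> score 9
SPIKE_HIGH, SPIKE_LOW = 10.0, 3.0                # assumed volume-spike thresholds
SPAM_HIGH, SPAM_LOW = 0.5, 0.2                   # assumed spam-fraction thresholds


def log_line(ts: datetime, ip: str, verdict: str) -> str:
    """Constructed FDN-style query log line: '<iso time> <sender ip> <verdict>'."""
    return f"{ts.isoformat(timespec='seconds')} {ip} {verdict}"


def build_log() -> list:
    """Four constructed senders with different 30-day histories."""
    lines = []
    # 198.51.100.7: steady and clean, 2 messages every hour for 30 days
    for h in range(24 * 30):
        for m in (10, 40):
            lines.append(log_line(NOW - timedelta(hours=h, minutes=m), "198.51.100.7", "clean"))
    # 203.0.113.42: one clean message a day, then a 300-message spam burst in the last hour
    for d in range(29):
        lines.append(log_line(NOW - timedelta(days=d, hours=5), "203.0.113.42", "clean"))
    for i in range(300):
        lines.append(log_line(NOW - timedelta(seconds=10 * i), "203.0.113.42", "spam"))
    # 198.51.100.20: one clean message an hour, then 40 clean messages in the last hour
    for h in range(1, 24 * 30):
        lines.append(log_line(NOW - timedelta(hours=h, minutes=20), "198.51.100.20", "clean"))
    for i in range(40):
        lines.append(log_line(NOW - timedelta(minutes=i), "198.51.100.20", "clean"))
    # 192.0.2.9: whitelisted sender with a few messages
    for h in (1, 2, 3):
        lines.append(log_line(NOW - timedelta(hours=h), "192.0.2.9", "clean"))
    return lines


def window_counts(lines: list, now: datetime = NOW) -> dict:
    """Per-IP [total, spam] message counts for each window ending at `now`."""
    counts = defaultdict(lambda: {w: [0, 0] for w in WINDOWS})
    for line in lines:
        ts_text, ip, verdict = line.split()
        ts = datetime.fromisoformat(ts_text)
        for name, width in WINDOWS.items():
            if now - width < ts <= now:
                counts[ip][name][0] += 1
                if verdict == "spam":
                    counts[ip][name][1] += 1
    return counts


def score_ip(ip: str, c: dict) -> int:
    """Map window counts to the 1..9 scale: 1 most likely malicious,
    8 most likely clean, 9 whitelisted."""
    if ip in WHITELIST:
        return 9
    total_30d, spam_30d = c["30d"]
    if total_30d == 0:
        return 8                                  # assumption: no history, nothing observed against it
    baseline_per_hour = total_30d / (30 * 24)     # the sender's historical pattern
    spike = c["1h"][0] / max(baseline_per_hour, 1.0)  # recent volume vs. that pattern
    spam_fraction = spam_30d / total_30d
    score = 8
    if spam_fraction >= SPAM_HIGH:
        score -= 4
    elif spam_fraction >= SPAM_LOW:
        score -= 2
    if spike >= SPIKE_HIGH:
        score -= 3
    elif spike >= SPIKE_LOW:
        score -= 1
    return max(1, score)


def compute_scores(lines: list, now: datetime = NOW) -> dict:
    """Score every sender seen in the log."""
    counts = window_counts(lines, now)
    return {ip: score_ip(ip, c) for ip, c in sorted(counts.items())}


if __name__ == "__main__":
    for ip, score in compute_scores(build_log()).items():
        print(f"{ip:15} score {score}")
```

Two things the constructed senders show: the spike test alone pulls 198.51.100.20 down to 5 even though every one of its messages was judged clean, so no single parameter drives a listing, and the whitelist short-circuits the calculation entirely, which is the difference between the page's 8 (most likely clean) and 9 (white). The thresholds are deliberately simple; the point is the multi-window comparison against the sender's own history, not the particular numbers.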
FortiGuard Security Information Database Portal (under development)

The FortiGuard Threat Research Team is developing a portal to post an excerpt from the FortiGuard SID, giving visitors access to summary data about IP/web site reputation and current threats. The portal will provide a snapshot of current email spammers and malicious web sites. It will contain the following summary and detailed information:

- Estimated global daily email volume, both clean and spam, over the past month
- Top spam sender distribution by country over the last 24 hours
- Top 10 spam sender IP addresses over the last 24 hours
- Distribution of malicious, illegal & unethical, and potentially liable websites among all websites visited over the last 24 hours
- Lookup function for the reputation information of an IP address and domain or website

Figure 1: FortiGuard Security Information Database Portal (under development)
Summary

The FortiGuard Security Intelligence Database is a global intelligence database that creates and maintains a reputation score for email senders and websites. It combines Fortinet's ten years of experience in detecting and blocking mail and web threats with the broad reach of 500,000 installed appliances for data collection to create one of the most respected threat intelligence databases in the world. It enables Fortinet's FortiGuard Security Services to deliver accurate and timely updates to subscribers based on real-time analysis of emerging threats, significantly reducing the risk of a successful attack.

Fortinet (NASDAQ: FTNT) is a worldwide provider of network security appliances and the market leader in unified threat management (UTM). Our products and subscription services provide broad, integrated and high-performance protection against dynamic security threats while simplifying the IT security infrastructure. Our customers include enterprises, service providers and government entities worldwide, including the majority of the 2009 Fortune Global 100. Fortinet's flagship FortiGate product delivers ASIC-accelerated performance and integrates multiple layers of security designed to help protect against application and network threats. Fortinet's broad product line goes beyond UTM to help secure the extended enterprise from endpoints to the perimeter and the core, including databases and applications. Fortinet is headquartered in Sunnyvale, Calif., with offices around the world.

WPR-146-R1-201004