Combating Web Fraud with Predictive Analytics
Dave Moore, Novetta Solutions, dmoore@novetta.com




About Novetta Solutions: formerly International Biometric Group (IBG). Consulting clients: DoD, DHS, DRDC. IR&D areas: identity and cyber.

Fundamental problem
Machines are the proxies of personal identity. Attributing machine activity to a person is difficult, even when the session is authenticated. Contrast this with pre-internet society, where physical presence established trust.

Fundamental problem
Old question: Are you who you claim to be?
New question: Are you what you claim to be?
Both questions are equally relevant in our generation of ubiquitous computing.

Machine-enabled anonymity enables:
- Account takeover
- Click and impression fraud
- Content scraping
- Espionage
- Fake account registration
- Identity theft
- Spam
- Vandalism
- Vulnerability scanning
- Vulnerability exploitation

Machine-enabled anonymity
Edward Snowden acquired ~1.7 million NSA files using a Web crawler. Bradley Manning used a simple Web client to acquire files.
Sanger, David E. and Eric Schmitt, "Snowden Used Low-Cost Tool to Best N.S.A.", The New York Times, 8 Feb 2014, <http://www.nytimes.com/2014/02/09/us/snowden-used-low-cost-tool-to-best-nsa.html?_r=1>.
Fisher, Max, "The free Web program that got Bradley Manning convicted of computer fraud", The Washington Post, 30 Jul 2013, <http://www.washingtonpost.com/blogs/worldviews/wp/2013/07/30/the-free-web-program-that-got-bradleymanning-convicted-of-computer-fraud/>.

How can we distinguish humans from bots? The usual answers:
- Bot traps
- Challenge-response
- IP address reputation
- Device fingerprinting
All of these are limited, ineffective, and burdensome.

What is predictive analytics (PA), really? PA is the application of software and statistical modeling to estimate the outcome of an unknown future event from prior knowledge. Why is it a buzzword? PA describes any software that uses statistical models to make decisions; most applications of machine learning (ML) do this, so everyone is now "predictive". In our use case, PA and authentication are the same problem: the future event in question is whether a user agent will commit fraud, and the model's output is the likelihood of that.

What is a user agent? A user agent is an application that requests content from the Web on behalf of a person:
- Web browsers: Internet Explorer, Firefox, Chrome, Safari, ...
- Search engine crawlers: GoogleBot, BingBot, YandexBot, Slurp, ...
- Everyone else

User agents make assertions of identity. Example: the request headers sent by Firefox 27.0 on Windows 7:

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Host: www.google.com
DNT: 0
Connection: keep-alive
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

The same holds for all major desktop and mobile Web browsers, as well as search engine crawlers. User agents can claim to be anything; spoofing the User-Agent header is trivial, so Web security experts rightly advise against taking those assertions at face value. Novetta computer scientists have found that it is nevertheless entirely possible to harness those assertions to detect bots and combat Web fraud.

Basic concept
1. Gather statistics on the behaviors of user agents.
2. Train an ML classifier (e.g. a neural network) to learn the behaviors of known user agents.
3. Deploy the classifier on the premises of the Web application to detect false assertions of identity.

Feature selection
Device features: packet headers, capability test results, geolinguistic validation, IP address validation, request time deltas.
Human features: keystroke dynamics, mouse dynamics, touch and swipe dynamics.

How it performs: ~0.15% equal error rate (EER, the operating point at which the false-accept and false-reject rates are equal) when the claim is a desktop or mobile Web browser. Error rates are higher for less well-known user agents, which rarely matters in practice.

How it performs
Fast and efficient: the likelihood of spoofing can be determined confidently from the first request of a session.
Robust: not dependent on JavaScript, which users can disable.
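The three steps of the basic concept, the packet-header features, and the first-request, no-JavaScript property above, carried through in working code. This is an added example written for this page, not Novetta's system: a naive Bayes classifier stands in for the neural network the talk mentions, the feature set is limited to what the first request's headers reveal (header order, header count, which headers are present, the Accept and Accept-Encoding values), and every request string, host name and training label below is constructed for the example.

```python
"""Scoring a user agent's identity claim from the headers of its first request.

Added illustrative example, not Novetta's code. Gather header profiles of
known user agents, train a classifier on them, score each new request's claim,
using packet headers only, so it works on the first request and needs no
JavaScript. Every request below is constructed for the example.
"""
import math
from collections import Counter

def parse_request(raw):
    """Raw HTTP/1.1 request head -> ordered list of (lowercased name, value)."""
    headers = []
    for line in raw.strip().splitlines()[1:]:  # [0] is the request line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def claimed_family(user_agent):
    """The browser family the User-Agent string asserts."""
    if "Firefox/" in user_agent:
        return "Firefox"
    if "Chrome/" in user_agent:
        return "Chrome"
    return "other"

def features(headers):
    """Tokens: the claim plus header order, count, presence and Accept* values.
    A real browser cannot help revealing these; a script that only sets
    User-Agent gets the claim right and the rest wrong."""
    values, names = dict(headers), [n for n, _ in headers]
    toks = ["claim=" + claimed_family(values.get("user-agent", "")),
            "order=" + ">".join(names), "count=%d" % len(names),
            "accept=" + values.get("accept", ""),
            "enc=" + values.get("accept-encoding", "")]
    return toks + ["has=" + n for n in names]

class NaiveBayes:
    """Multinomial naive Bayes over string tokens with Laplace smoothing."""
    def __init__(self, alpha=1.0):
        self.alpha, self.docs, self.counts, self.vocab = alpha, Counter(), {}, set()

    def fit(self, samples):
        for toks, label in samples:
            self.docs[label] += 1
            self.counts.setdefault(label, Counter()).update(toks)
            self.vocab.update(toks)

    def predict_proba(self, toks):
        logp = {}
        for label, ndocs in self.docs.items():
            c = self.counts[label]
            denom = sum(c.values()) + self.alpha * len(self.vocab)
            logp[label] = math.log(ndocs / sum(self.docs.values())) + sum(
                math.log((c[t] + self.alpha) / denom) for t in toks)
        top = max(logp.values())
        z = sum(math.exp(v - top) for v in logp.values())
        return {k: math.exp(v - top) / z for k, v in logp.items()}

UA_FF = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0"
UA_CR = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
         "Chrome/33.0.1750.117 Safari/537.36")
ACCEPT_HTML = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"

# Constructed training set: two genuine browser profiles and two scripts
# wearing a browser's User-Agent (a curl-like and a requests-like header set).
TRAINING = [
    ("GET / HTTP/1.1\nHost: a.example\nUser-Agent: %s\nAccept: %s\n"
     "Accept-Language: en-us,en;q=0.5\nAccept-Encoding: gzip, deflate\n"
     "DNT: 1\nConnection: keep-alive" % (UA_FF, ACCEPT_HTML), "genuine"),
    ("GET / HTTP/1.1\nHost: a.example\nConnection: keep-alive\nAccept: %s\n"
     "User-Agent: %s\nAccept-Encoding: gzip,deflate,sdch\n"
     "Accept-Language: en-US,en;q=0.8" % (ACCEPT_HTML, UA_CR), "genuine"),
    ("GET / HTTP/1.1\nHost: a.example\nUser-Agent: %s\nAccept: */*" % UA_FF,
     "spoofed"),
    ("GET / HTTP/1.1\nHost: a.example\nUser-Agent: %s\nAccept-Encoding: gzip, "
     "deflate\nAccept: */*\nConnection: keep-alive" % UA_CR, "spoofed"),
]

# Constructed first requests of two new sessions, neither in the training set.
UNSEEN_BROWSER = ("GET /login HTTP/1.1\nHost: shop.example\nUser-Agent: %s\n"
                  "Accept: %s\nAccept-Language: en-gb,en;q=0.5\nAccept-Encoding: "
                  "gzip, deflate\nDNT: 0\nConnection: keep-alive" % (UA_FF, ACCEPT_HTML))
UNSEEN_SCRIPT = ("GET /login HTTP/1.1\nHost: shop.example\nUser-Agent: %s\n"
                 "Accept-Encoding: gzip, deflate\nAccept: */*\nConnection: keep-alive"
                 % UA_FF)

def train_model(samples=TRAINING):
    model = NaiveBayes()
    model.fit([(features(parse_request(raw)), label) for raw, label in samples])
    return model

def spoof_score(model, raw_request):
    """Probability that the request's User-Agent claim is false."""
    return model.predict_proba(features(parse_request(raw_request)))["spoofed"]

if __name__ == "__main__":
    m = train_model()
    for name, req in (("browser", UNSEEN_BROWSER), ("script", UNSEEN_SCRIPT)):
        print("%-8s spoof probability %.3f" % (name, spoof_score(m, req)))
```

On this toy training set the unseen Firefox request scores a few percent and the requests-style client wearing the same Firefox banner scores above 90%, entirely from header order, header count and Accept values that the script got wrong. A production model would be trained on the real header statistics of each browser version and would add the other device features from the slide (capability tests, geolinguistic and IP validation, request time deltas); the scoring point stays the same: the first request, before any JavaScript runs.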

Policies for effective implementation
Allow:
- Standard desktop and mobile Web browsers verified by the proposed system.
- Standard search engine crawlers verified by hostname lookups.
- Custom exceptions.
Deny:
- Everyone else.
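The allow/deny policy above, with the "hostname lookups" for crawlers made concrete, as an added example that is not Novetta's code. Verifying a crawler by hostname is normally done with forward-confirmed reverse DNS: the client IP must reverse-resolve (PTR) to a name under the domain the search engine publishes for its crawlers, and that name must resolve forward to the same IP, which stops an attacker who controls the PTR record of their own address space from simply naming it after Googlebot. The crawler domain table, the injected resolver callables, the verdict strings and the DNS records at the bottom are this example's own constructions; check the domain table against the engines' current documentation before relying on it.

```python
"""Allow/deny policy with crawler verification by hostname lookup.

Added example, not Novetta's code. The talk verifies search engine crawlers
"by hostname lookups"; the standard form is forward-confirmed reverse DNS:
the client IP must reverse-resolve to a name under the engine's published
domain, and that name must resolve forward to the same IP, which defeats a
forged PTR record. The domain table, the injected resolvers and the DNS data
below are this example's own constructions.
"""
import socket

# Domains the engines publish for their crawlers' reverse DNS names (assumed;
# verify against current vendor documentation).
CRAWLER_DOMAINS = {
    "Googlebot": ("googlebot.com", "google.com"),
    "bingbot": ("search.msn.com",),
}

def crawler_family(user_agent):
    """Which crawler the User-Agent claims to be, or None."""
    for family in CRAWLER_DOMAINS:
        if family.lower() in user_agent.lower():
            return family
    return None

def under_domain(host, domain):
    """Label-wise suffix match, so 'googlebot.com.attacker.example' fails."""
    return host == domain or host.endswith("." + domain)

def verify_crawler(ip, user_agent, reverse, forward):
    """Forward-confirmed reverse DNS for a request claiming to be a crawler.
    reverse(ip) -> hostname or None; forward(host) -> list of IPs."""
    family = crawler_family(user_agent)
    if family is None:
        return False
    host = reverse(ip)
    if not host:
        return False
    host = host.rstrip(".").lower()
    if not any(under_domain(host, d) for d in CRAWLER_DOMAINS[family]):
        return False
    return ip in forward(host)  # forward confirmation defeats a forged PTR

def decide(ip, user_agent, browser_verified, reverse, forward,
           exceptions=frozenset()):
    """The talk's policy: allow verified browsers, verified crawlers and custom
    exceptions; deny everyone else. browser_verified is the verdict of the
    user-agent classifier that runs ahead of this policy."""
    if ip in exceptions:
        return "allow:exception"
    if browser_verified:
        return "allow:browser"
    if verify_crawler(ip, user_agent, reverse, forward):
        return "allow:crawler"
    return "deny"

def system_reverse(ip):
    """Live PTR lookup through the system resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(host):
    """Live A/AAAA lookup through the system resolver."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(host, None)})
    except OSError:
        return []

# Constructed DNS table for offline use (RFC 5737 documentation addresses).
PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com.",
    "192.0.2.20": "crawl-192-0-2-10.googlebot.com.",  # forged PTR on another IP
    "198.51.100.5": "msnbot-198-51-100-5.search.msn.com.",
    "203.0.113.7": "googlebot.com.attacker.example.",  # lookalike suffix
}
A = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "msnbot-198-51-100-5.search.msn.com": ["198.51.100.5"],
    "googlebot.com.attacker.example": ["203.0.113.7"],
}
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BINGBOT_UA = "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

def fake_reverse(ip):
    return PTR.get(ip)

def fake_forward(host):
    return A.get(host, [])

if __name__ == "__main__":
    for ip, ua in (("192.0.2.10", GOOGLEBOT_UA), ("192.0.2.20", GOOGLEBOT_UA),
                   ("198.51.100.5", BINGBOT_UA), ("203.0.113.7", GOOGLEBOT_UA),
                   ("203.0.113.9", "curl/7.35.0")):
        print(ip, decide(ip, ua, False, fake_reverse, fake_forward))
```

Against the constructed table, the genuine Googlebot and bingbot addresses are allowed, the address with a copied PTR is denied because the forward lookup points elsewhere, the lookalike name fails the suffix check, and a plain curl with no crawler claim and no browser verdict falls through to deny. Pass `system_reverse` and `system_forward` instead of the fakes to run the same check live; cache results, since a PTR plus A lookup on every first request is otherwise a cheap way for an attacker to make your edge do DNS work.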

Applications: breach prevention, fraud prevention, scraping prevention, spam prevention, threat intelligence.
Implementations: Web (HTTP), email (SMTP), VoIP (SIP).

Takeaways
- Personal identity and user agent identity are equally important in establishing trust on the Internet.
- User agent assertions are verifiable, especially for everyday Web browsers.
- User agent verification enhances privacy by establishing trust for anonymous sessions.

Questions? dmoore@novetta.com