Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

To help discern legitimate traffic from fraud, it helps to understand user intent as shown through their behavior.

Joshua Goldfarb, Global Solutions Architect — Security

July 25, 2022

4 Min Read
Cartoon of an eight ball from billiards, with human arms and legs, wearing a red cape that's billowing in the unseen breeze
Source: Diego Schtutman via Alamy Stock Photo

For many years, security monitoring relied on gathering data from layer 4 of the OSI model through such data types as NetFlow. Because layer 4 data dealt with the transport layer, it isn't the most informative — though for a period of time, it was what security teams could reliably get access to and efficiently query. Then, as technology improved, security teams found themselves with access to a much richer data set: layer 7 data. Proxy logs, DNS logs, packet capture (PCAP), and other layer 7 data sources became available, and it was a game-changer for security teams.

Layer 7 data allows us to interrogate the application layer. Specifically, as it relates to digital channels such as Web and mobile, layer 7 data lets us understand what is happening within the end-user application session. This gives us essential context around the end user's activity. Unfortunately, layer 7 data does not allow us to understand the "how" behind what is happening. Questions such as "How is the end user behaving?", "What is the end user's intent?", and "Is this legitimate end-user activity?" can only be answered by looking beyond layer 7.

To understand intent — the "how" behind the "what" — we need to closely examine the behavior of the end user in the session. This additional behavioral insight is critical to an enterprise's ability to separate legitimate traffic from fraud. In other words, the difference between the legitimate use of an application and abuse of that application (i.e., fraud) is the intent of the end user responsible for the activity. When we look at the concept of fraud in this manner, it is easy to see that visibility into "what" the end user is doing inside the application session isn't enough. We also need visibility into "how" they are doing it.

Behaviors That Could Signal Fraudulent Use

Some people refer to this end-user layer above layer 7 of the OSI model as layer 8. And as the Sesame Street song says, eight is great. Let's take a look at some of the ways in which layer 8 data can help us better detect fraud.

Optimized mouse movements. Legitimate users tend to have very random mouse movements when interacting with an application. The reason is simple: Legitimate users aren't interacting with the application "professionally" and thus don't have any need or incentive to optimize their mouse movements. Fraudsters, on the other hand, who may be trying to access tens, hundreds, or thousands of accounts fraudulently, have every motivation to optimize their mouse movements to save time.

Pasting. I don't know about you, but I don't often cut and paste my username and password or first name and last name from a text file. As it turns out, most legitimate users don't either. Fraudsters, as you might imagine, do this quite frequently, particularly when it comes to account takeover (ATO).

Strange keys. If you are a legitimate user, chances are that you use a fairly standard set of letters, numbers, and special characters when interacting with an application. It is fairly unlikely that you would use function keys, keyboard shortcuts, or other unusual combinations. Fraudsters who are looking to save time, however, often do exactly that.

A signature device. Fraudsters typically have one or a few favorite devices that they have configured exactly as they want them. Fraudsters will often use these same devices to log in to a relatively large number of accounts on the same application. Because of this, if we invest in accurate and reliable device identification and track logins by device, we can often use that knowledge to understand when we might be dealing with a fraudulent session.

Other tricks. Fraudsters often rely on environment spoofing, VPN, and other tricks to try to appear to be legitimate users. Legitimate users do this far less frequently, though it does still happen.

The above user behaviors are a few examples of the differences in behavior between legitimate users and fraudsters. None of these behaviors in and of themselves can tell us with 100% certainty whether a given session is legitimate or fraudulent. They can, however, provide us valuable insight into the "how" behind the "what." That, in turn, can help us make far more accurate assessments around what is fraud. Understanding end-user behavior (layer 8 data) allows us to increase our detection rates, while at the same time lowering our false positive rates.

About the Author(s)

Joshua Goldfarb

Global Solutions Architect — Security, F5

Josh Goldfarb is currently Global Solutions Architect — Security at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights