The iovation Site

Multi-Layered Device Recognition Solution Protects Against Weaknesses in Any One Strategy

February 25th, 2010 by Scott Franklin

The security strategy of “defense-in-depth” allows a system or an organization to prevent an attack by coordinating complementary defense techniques, taking advantage of the strengths of each one while relying on the combination to shore up weaknesses in the others.  The end result is a more complex and nuanced system that is resilient to a much greater number of attacks.

In a similar vein, we can see that any single device recognition strategy on the Web is going to run into some serious limitations, mostly related to the quality and the variety of the data that can be collected from a browser.  There are a number of sources of data that we can use to construct a view of a device on the Web, but most of them can be manipulated, and all of them have problems with uniqueness.  How to build a system that is resilient to so much data uncertainty?  Yeah, I know you’re already a step ahead of me – we design in depth.

The easiest method of identifying a device may be to simply write a cookie to the browser.  But we all know how easy it is to defeat that method when you’re aware of it – you just delete the cookie.

IP address also sounds like a decent attempt at identifying a client.  For a good number of home broadband users, IP address isn’t bad, and even for corporate users, you may luck out and only find a few computers lurking behind any given firewall.  There are many ISPs (like AOL) that are known for their use of proxy servers, however, and any decent-sized organization could be hiding thousands of machines behind any given IP address.

Browsers also publish a User-Agent string, a description of the type and version of browser being run.  These user-agent strings can provide a good deal of rich information about the browser, but they are pretty blunt hammers, narrowing down the range of possible matches to somewhere north of one in a thousand.

Each of these sources of data – browser cookie, IP address, and User-Agent string – is interesting by itself, but using them in concert to begin to build a view of the client computer from a number of different angles starts to look promising.  Each one is spoofable to varying degrees, and each one has issues with uniqueness, but each operates through a different channel to provide its information, and thus requires a different strategy to avoid detection.
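To make the layering concrete, here is an added sketch (not iovation's code or algorithm) that scores an observed request against known device profiles using the three signals above. The device ids, addresses, weights and threshold are constructed assumptions; a value shared by several known devices is discounted, which models the proxy and common User-Agent uniqueness problems.

```python
# Constructed sample profiles; ids, addresses and weights are illustrative assumptions.
KNOWN_DEVICES = {
    "dev-a": {"cookie": "c-1001", "ip": "203.0.113.7",
              "ua": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"},
    "dev-b": {"cookie": "c-1002", "ip": "198.51.100.20",
              "ua": "Mozilla/4.0 (compatible; MSIE 8.0)"},
    "dev-c": {"cookie": "c-1003", "ip": "198.51.100.20",  # same proxy as dev-b
              "ua": "Mozilla/4.0 (compatible; MSIE 8.0)"},
}
WEIGHTS = {"cookie": 0.6, "ip": 0.3, "ua": 0.2}  # assumed base weight per layer
THRESHOLD = 0.4  # assumed minimum score to call it a recognition


def score(observed, profile, known):
    """Sum evidence from each layer, discounting values shared by many devices."""
    total = 0.0
    for layer, weight in WEIGHTS.items():
        value = observed.get(layer)
        if value is None or value != profile[layer]:
            continue  # layer absent (e.g. deleted cookie) or mismatched: no evidence
        # Uniqueness discount: a value seen on n known devices counts for 1/n.
        sharers = sum(1 for p in known.values() if p[layer] == value)
        total += weight / sharers
    return total


def recognize(observed, known=KNOWN_DEVICES):
    """Return (device_id, score); device_id is None if the best score is
    below THRESHOLD or the top two candidates tie (ambiguous match)."""
    ranked = sorted(((score(observed, p, known), d) for d, p in known.items()),
                    reverse=True)
    best_score, best_id = ranked[0]
    tie = len(ranked) > 1 and ranked[1][0] == best_score
    if best_score < THRESHOLD or tie:
        return None, best_score
    return best_id, best_score


if __name__ == "__main__":
    ua_a = KNOWN_DEVICES["dev-a"]["ua"]
    # Cookie deleted, but IP and User-Agent still agree.
    print(recognize({"ip": "203.0.113.7", "ua": ua_a}))
    # Cookie deleted behind a shared proxy with a common User-Agent.
    print(recognize({"ip": "198.51.100.20", "ua": KNOWN_DEVICES["dev-b"]["ua"]}))
```

With the cookie deleted, dev-a is still recognized from its IP address and User-Agent, while the same request from behind the shared proxy is reported as ambiguous rather than guessed.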

All of this is to say that there is no single unique value (or simple combination of values) hiding on the Web – device recognition requires a multi-layered solution.  As iovation’s business has grown over the last five years, we’ve evolved from a native library device recognition service into a full spectrum reputation service supporting native and web integrations, business rules, pattern matching, and risk scoring. The capabilities we have in place have been built with the future in mind to support collection and analysis of reputation tracking on new transaction elements, and discovery of new risk indicators to continually improve real-time decision making for our subscribers while growing the Internet’s definitive online reputation authority.

The end result of such a multi-layered approach, an approach of “recognition-in-depth”, is that we don’t have to rely on any one technology to provide us with enough information to confidently recognize devices on the Web.  In the ever-evolving landscape of Internet technology, that layer of insulation is a must – reliance on a single strategy means brittleness in the face of change.  For example, Gartner Research recently published a research brief titled “Privacy Collides with Fraud Detection and Crumbles Flash Cookies,” suggesting that companies avoid reliance on Flash stored objects completely, as the technology may be short for this world.  Multi-layered device recognition means that we can still sleep at night when Flash fades away – and that means you can, too.
