Since device recognition provides the platform for iovation’s Device Reputation service, we recently conducted a study to examine device shelf-life. The study looked at all transactions seen by ReputationManager over a multi-day period and identified the age of each device associated to fraudulent behavior during that period. The distribution of devices by age—depicted in the chart below—shows that 57 percent of devices involved in fraud during that period were initially identified by iovation more than 90 days prior to the transaction.

What this suggests is that iovation’s ability to continue to recognize older devices provides significant uplift to its subscribers, and conversely that systems which assume a shorter device shelf-life may be missing important opportunities to identify fraud.

The increase in the number of shared devices can in part be understood by analyzing the population of “reactivated” devices. Reactivated devices are devices that iovation re-identifies after having not seen the device for more than 90 days. By studying these devices in contrast to the device population as a whole, it is clear that iovation’s expanding customer base is a significant contributor to this trend as a vast majority of reactivated devices have been seen in multiple customer networks.

Since the beginning of 2008, iovation’s reactivated device rate has doubled every 5 months and continues to climb. This demonstrates that as iovation’s device network continues to grow, device crossover is also increasing.

Inactive Devices

As iovation’s device network grows and evolves, it is useful to distinguish between active and inactive devices since active devices have more interesting behavior and are involved in fraudulent or abusive activity now. To answer the question “what is active?”, I measured the percentage of devices that are re-identified over varying periods of time. Graphing the result of this analysis produces a curve that tails off considerably by 90 days, which means a very small percentage of devices that have not been identified in the preceding 90 days will ever be identified again. Therefore, for this study, devices that had not been re-identified in the last 90 days were considered to be inactive. This data set is based on data from the first 3 months of 2008.

How to read this graph: Devices not seen for 30 days have an approximately 40% chance of returning, whereas devices not seen for 90 days have an approximately 1% chance of returning.

Reactivated Devices

Devices that are re-identified after more than 90 days of inactivity are considered reactivated devices.

For the 18-month period from April 2008–September 2009, the following chart shows the percentage of the active device population that is made up of reactivated devices.

For the month of September 2009, I compared the population of active devices with the population of reactivated devices to see how their characteristics differ. From that comparison, it was determined that:

• Reactivated devices are 3 times more likely than all active devices to have been seen in more than one customer network.
• Reactivated devices are no more or less likely to have a reputation.

The following chart shows the percentage of reactivated devices that had subscriber cross-over as compared to the percentage of all active devices with subscriber cross-over.

Conclusion

Analysis of iovation’s network shows a clear correlation between reactivated devices and devices with cross-over between subscribers, and we are seeing a significant increase in both as the number of our subscribers grows. This upholds our belief that a database of device reputations, shared by online companies, across multiple industries, offers valuable and relevant information to individual sites in their fight against online fraud and abuse.

Based on data iovation has collected from performing over two billion device identification requests, we’ve developed techniques to more accurately assess the relevance of an IP address in identifying and re-recognizing a device. This allows us to use IP address as a factor, when appropriate, and ignore it when not.

One of the keys to successfully utilizing IP addresses in device fingerprinting is to understand how different service providers manage their IP addresses. Some service providers go to great lengths to assign the same IP address to the same user over time, even when DHCP (Dynamic Host Configuration Protocol) is used for obtaining an IP address. Other providers make use of a smaller pool of IP addresses, requiring them to reissue the same IP addresses to different users over time. Mobile service providers present the most extreme example of this type.

To better understand the issue, I decided to take a closer look at some of our data. Over a recent 30-day window, I collected data from device identification requests in which we could definitively say that the correct device was identified via its fingerprint. (By limiting the study to these requests, the correlation of IP addresses to devices can be done with confidence because the device identifier is a statistical truth value.)

Analysis of this data (presented below) shows which IP addresses are associated with multiple end-user devices, ultimately allowing for a better understanding of different service providers’ policies with respect to reusing IP addresses. This information, in turn, allows us to determine how effective different IP addresses will be for unique device identification.

Metrics Computed
For each service provider, the following metrics were computed:

• Number of IP addresses (IPA)
• Number of IP address and device combinations (IPD)
• The ratio of IPD to IPA

Many service providers have an IPD to IPA ratio very close to 1, suggesting a policy that attempts to assign a user with the same IP address over time. On the other hand, some service providers have an IPD to IPA ratio over 100, suggesting a policy that liberally reuses IP addresses among users. Of course, there are service providers everywhere in-between.

Examples

1. On the low end of the scale (where a single IP address tends to correlate directly to a single device) is H3G Italy. During the study period, 20,509 IP addresses managed by this service provider were encountered, with 22,545 device and IP address combinations, giving them an IPD to IPA ratio of 1.09.
2. On the high end of the scale (where a single IP address tends to be associated with multiple devices) is danger.com. From this service provider we encountered 54 unique IP addresses covering 4,967 device and IP address combinations, resulting in an IPD to IPA ratio of 91.9.

Results
On aggregate, I grouped the values of IPD to IPA ratios into ranges and each range was analyzed using frequency distributions. Based on a device fingerprinting system’s optimal performance goals and tolerance for false positives, the service provider’s IPD to IPA ratio can be used to determine the role of the IP address in device identification.