How antifraud systems work. Part 1.
Until recently, the Fraud Score architecture was the most popular architecture for antifraud systems. The Fraud Score architecture collected individual parameters and fingerprints from the user's browser and then, using logical rules and a statistical base, assigned each received parameter or group of parameters a specific weight in the overall Risk Score, for example:
1. …
2. DNS vs. IP subnet mismatch = +2% Risk Score
3. Unique Canvas fingerprint = +10% Risk Score
4. Unique shader parameters = +5% Risk Score
and so on.
As a result of this analysis, the user accumulated a kind of "fraud probability rating". If this rating stayed below 35%, the protection system considered all of the user's actions legitimate; with a moderate increase in the rating, the system limited the user's rights; and with a strong increase, the user was blocked completely. There were exceptions and peculiarities, but in general everything worked exactly like this.
The Fraud Score architecture was effective before the advent of advanced anti-detection mechanisms and let users get away with leaving some fingerprints unchanged, which is why one could often come across statements like "I work from a regular browser, clear my cookies, use such-and-such plugin, and everything works for me."
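To make the additive logic concrete, here is a minimal Python sketch of how such a Fraud-Score-style check could be wired together. The three signal weights and the 35% threshold are taken from the example above; the second threshold, the signal names, and the function names are assumptions made purely for illustration, not a real antifraud implementation.

# A minimal sketch of a Fraud-Score-style additive check.
# Weights and the 35% "legitimate" threshold come from the text above;
# the 65% "block" threshold and all names are illustrative assumptions.

FRAUD_WEIGHTS = {
    "dns_ip_subnet_mismatch": 2,      # +2% Risk Score
    "unique_canvas_fingerprint": 10,  # +10% Risk Score
    "unique_shader_parameters": 5,    # +5% Risk Score
}

LEGIT_THRESHOLD = 35  # below this, the user is considered legitimate
BLOCK_THRESHOLD = 65  # assumed cut-off for a "strong increase"

def risk_score(signals: dict) -> int:
    """Sum the weights of every signal that fired."""
    return sum(w for name, w in FRAUD_WEIGHTS.items() if signals.get(name))

def decide(signals: dict) -> str:
    score = risk_score(signals)
    if score < LEGIT_THRESHOLD:
        return "allow"   # all actions treated as legitimate
    if score < BLOCK_THRESHOLD:
        return "limit"   # user rights are restricted
    return "block"       # user is blocked completely

# Only the Canvas fingerprint is unique: +10%, well below 35% -> "allow".
print(decide({"unique_canvas_fingerprint": True}))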
Over time, the Fraud Score architecture lost its effectiveness and is being replaced by the more advanced DGA architecture: Dedicated Group Analysis. Most modern antifraud systems are built on this architecture.
The DGA architecture uses the same statistical elements as the Fraud Score architecture, but the logic of processing them has changed radically.
Let's give an example:
Imagine a school with three classes: 1A, 1B, and 1C.
We are the cook at this school, and we need to figure out what food to cook for each class and how much. To solve this problem we will use the only data we have been given: the students' names.
Class 1A. Students:
Igor, Anton, Sasha, Vova, Gena.
Class 1B. Students:
Marina, Oleg, Aristarkh, Sergey, Olga.
Class 1C. Students:
Saifuddin, Yuri, Pavel, Ilya, Maxim.
To understand what to cook for each class, we will assign every student a rating from 1 to 9, where 1 is the most "Russian" name and 9 is the most "foreign". As a result we get:
Class 1A. Students:
Igor (1), Anton (1), Sasha (1), Vova (1), Gena (1)
Class 1B. Students:
Marina (1), Oleg (1), Aristarkh (5), Sergey (1), Olga (1)
Class 1C. Students:
Saifuddin (9), Yuri (1), Pavel (1), Ilya (1), Maxim (1)
Once each name has a uniqueness rating, we compute the overall uniqueness of each class as a simple arithmetic mean:
Class 1A. Rating:
(1 + 1 + 1 + 1 + 1) / 5 = 1
Class 1B. Rating:
(1 + 1 + 5 + 1 + 1) / 5 = 1.8
Class 1C. Rating:
(1 + 1 + 9 + 1 + 1) / 5 = 2.6
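The same calculation in code form, as a minimal Python sketch; the scores mirror the school example, and the structure is purely illustrative:

# Each student gets a name-uniqueness score; the class rating is simply
# the arithmetic mean of those scores (values mirror the example above).
classes = {
    "1A": {"Igor": 1, "Anton": 1, "Sasha": 1, "Vova": 1, "Gena": 1},
    "1B": {"Marina": 1, "Oleg": 1, "Aristarkh": 5, "Sergey": 1, "Olga": 1},
    "1C": {"Saifuddin": 9, "Yuri": 1, "Pavel": 1, "Ilya": 1, "Maxim": 1},
}

def class_rating(scores: dict) -> float:
    """Arithmetic mean of the per-student uniqueness scores."""
    return sum(scores.values()) / len(scores)

for name, students in classes.items():
    print(name, class_rating(students))   # 1A 1.0, 1B 1.8, 1C 2.6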
Based on each class's rating, we will cook:
For Class 1A: pies and tea
For Class 1B: pies and tea
For Class 1C: echpochmaki and koumiss
So because of a single unique student, Saifuddin, all the other students of Class 1C will suffer, while Saifuddin himself sits there with a satisfied face and drinks his koumiss.
Next, for each class we would also determine the portion size by gender, but the logic there is obvious: Class 1B will get the smallest portions because of its two girls.
Translating this example to antifraud systems: even if all of our parameters and fingerprints have been changed but even one of them remains unique (for example, Canvas), in DGA systems our overall Risk Score rises to 26%, whereas in systems built on the Fraud Score architecture it would grow by only 10%.
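A minimal Python sketch of that comparison, under the assumption (implied by the 2.6 → 26% example above) that the DGA group score is the average per-parameter uniqueness scaled to a percentage; the parameter names and scores are illustrative only:

# Per-parameter uniqueness on a 1..9 scale: everything blends in except Canvas.
parameters = {"user_agent": 1, "timezone": 1, "canvas": 9, "webgl": 1, "fonts": 1}

# DGA-style: one unique parameter drags the whole group's average up.
dga_score = sum(parameters.values()) / len(parameters) * 10
print(f"DGA Risk Score: {dga_score:.0f}%")        # -> 26%

# Fraud-Score-style: only the fixed weight of the unique Canvas signal is added.
fraud_score = 10 if parameters["canvas"] > 1 else 0
print(f"Fraud Score increase: {fraud_score}%")    # -> 10%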
The key feature of the DGA architecture is that it tightens the rules for fraudsters while leaving the activity of real users unaffected.