ipasis
Blog/Security Engineering

Combining Device Fingerprinting with IP Reputation for Advanced Fraud Detection

January 23, 20266 min read

Perimeter security relies on the accuracy of incoming signals. Relying solely on IP reputation allows sophisticated attackers using residential proxies to slip through. Relying solely on device fingerprinting allows attackers using anti-detect browsers to evade capture.

To build a resilient fraud detection system, security engineers must correlate these two disparate data streams. This guide details the technical implementation of combining client-side entropy (Device Fingerprinting) with network-layer intelligence (IP Reputation).

The Theory: Correlating Entropy and Network Truth

The Device Fingerprint

Device fingerprinting collects attributes from the client browser (Canvas API, WebGL, AudioContext, Screen Resolution, Installed Fonts) to generate a unique hash.

Weakness: Fingerprints change with browser updates and can be spoofed by tools like Selenium or Puppeteer.

The IP Reputation

IP intelligence analyzes the connection layer to determine the ISP, ASN, and whether the IP belongs to a VPN, Proxy, Tor exit node, or Hosting provider.

Weakness: Residential proxies allow bad actors to route traffic through legitimate ISP connections, masking their true origin.

The Intersection

The power lies in the mismatch and velocity between these two signals. A clean IP coupled with a high-velocity device hash indicates a compromised residential peer being used for account takeovers (ATO).

Implementation Architecture

The implementation requires a two-step verification process:

  1. Client-Side: Generate the device hash (e.g., using an open-source library or custom script) and send it headers.
  2. Server-Side: Capture the remote IP, query the IPASIS API, and correlate against the device hash in your persistent store (Redis/PostgreSQL).

Python Implementation (FastAPI Example)

The following snippet demonstrates a middleware approach that correlates IP risk scores from IPASIS with a device hash header.

import requests
from fastapi import FastAPI, Request, HTTPException
import redis

app = FastAPI()
r = redis.Redis(host='localhost', port=6379, db=0)

IPASIS_API_KEY = "YOUR_API_KEY"

def get_ip_reputation(ip: str) -> dict:
    """Query IPASIS for network intelligence."""
    try:
        response = requests.get(f"https://api.ipasis.com/json/{ip}?key={IPASIS_API_KEY}", timeout=2)
        return response.json()
    except requests.RequestException:
        # Fail open or closed depending on security posture
        return {}

@app.middleware("http")
async def fraud_detection_middleware(request: Request, call_next):
    client_ip = request.client.host
    device_hash = request.headers.get("X-Device-Hash")

    if not device_hash:
        # Require device hash for sensitive endpoints
        return await call_next(request)

    # 1. Get Network Intelligence
    ip_data = get_ip_reputation(client_ip)

    # 2. Velocity Check: Count IPs associated with this device hash in last hour
    # If a single device hash is rotating IPs, it is likely a bot using a proxy pool.
    ip_count_key = f"device:{device_hash}:ips"
    r.sadd(ip_count_key, client_ip)
    r.expire(ip_count_key, 3600)
    unique_ips = r.scard(ip_count_key)

    # 3. Decision Logic
    is_risky_ip = ip_data.get("is_proxy", False) or ip_data.get("is_hosting", False)

    # SCENARIO A: Proxy Pool Attack
    if unique_ips > 3:
        # High confidence bot: One device rotating multiple IPs
        raise HTTPException(status_code=403, detail="Suspicious activity detected (Velocity).")

    # SCENARIO B: High Risk IP + New Device
    # If the IP is a VPN/Proxy and we haven't seen this device before
    if is_risky_ip:
        # Trigger 2FA or CAPTCHA
        pass 

    response = await call_next(request)
    return response

Advanced Correlation Signals

Beyond velocity, verify the consistency between the two datasets.

1. Geolocation Mismatch

Compare the Timezone offset from the device fingerprint (new Date().getTimezoneOffset()) against the Timezone returned by the IPASIS geolocation API. A user claiming to be in London (IP) with a browser timezone set to -0500 (New York) is highly suspicious.

2. OS/TCP Stack Mismatch

Device fingerprints report a User-Agent. If the UA claims to be Windows 10, but IPASIS passive OS fingerprinting suggests the TCP packet structure originated from a Linux kernel, this indicates User-Agent spoofing.

3. ISP vs. Browser Profile

If the Device Fingerprint indicates a corporate-managed Chrome enterprise profile, but IPASIS identifies the ASN as a residential ISP (e.g., Comcast Cable), this is an anomaly worth flagging for manual review.

FAQ

Q: Can a user simply delete cookies to reset their device fingerprint? Yes. However, modern fingerprinting techniques rely on immutable hardware characteristics (Canvas/WebGL) rather than cookies. Even if they clear cookies, the hash remains consistent. If they do successfully change the hash, the IP reputation acts as the fail-safe.

Q: How does this impact GDPR/CCPA compliance? Fraud prevention is generally considered a "Legitimate Interest" under GDPR (Recital 47). However, you should not use this data for marketing tracking. Ensure your privacy policy explicitly states that device and IP data are processed for security purposes.

Q: What is the false positive rate? Combining signals reduces false positives. Blocking solely on IP reputation often blocks legitimate VPN users. By adding device fingerprinting, you can "Allow" known devices even if they are using a VPN, while blocking unknown devices on that same VPN.

Secure Your Stack

Data-driven security requires accurate inputs. Don't let your backend fly blind.

Integrate IPASIS today to get real-time detection of proxies, VPNs, and bad actors directly in your API responses.

Get Your API Key →

Start detecting VPNs and Bots today.

Identify anonymized traffic instantly with IPASIS.

Get API Key