Introduction to predictors
Predictors are the basic building blocks that form risk policies. A predictor looks at a single factor, such as whether or not a user is trying to authenticate from an anonymous network. Each predictor yields an estimated risk level. For some predictors, the levels are Low and High. For other predictors, the levels are Low, Medium, and High.
PingOne Protect leverages the following risk predictors to learn user behavior and detect anomalies:
Predictor | Description
---|---
Bot detection | Leverages advanced analysis of mouse, keyboard, touch, and mobile sensors, as well as device attributes, to detect non-human behavior, automated frameworks, recorders, and more.
IP velocity | Tracks the number of distinct IPs used per user.
User velocity | Tracks the number of distinct users per IP.
New device | Takes into account the risk associated with users trying to access applications from unknown devices or devices that have not been used for sign-on in the recent past.
Suspicious device | Scrutinizes browser, operating system, and hardware attributes to identify suspicious settings or inconsistencies between these attributes collected from the device.
Geovelocity anomaly | Analyzes location data to calculate if travel time between two session locations is physically possible.
User location anomaly | Detects a user’s sign-on location and checks it against previously saved authentication locations.
Anonymous network detection | Analyzes IP address data from a user’s device to determine if the address is originating from any type of anonymous network, such as unknown VPNs, Tor, or proxies used to mask the IP address.
IP reputation | Analyzes data from different intelligence sources to determine the probability that an IP address is associated with malicious activity, and requests stronger authentication to verify the user’s identity.
User-based risk behavior | Compares a transaction with the typical behavior of that specific user.
Adversary-in-the-Middle (AitM) | Checks the domain name that the user is trying to access in order to identify AitM attacks.
Email reputation | Detects the use of disposable email addresses during registration.
Traffic anomaly | Monitors users, devices, and sessions to detect traffic anomalies, such as a large number of risk evaluations requested for a single user within a short period of time or a large number of users per device during a given time period.
Learn more about each predictor in Predictors.
The risk level for each predictor type is calculated separately. Most predictor types require training and learn from successful events. You can configure a fallback value for most predictor types to use if there is insufficient information to calculate a risk level.
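The following is an added illustrative model, not PingOne Protect's own code, of how one predictor (geovelocity anomaly) yields a Low/High level, how a configured fallback level is used when there is insufficient information (no prior session to compare against), and how a risk policy could combine per-predictor levels. The 1000 km/h plausibility cut-off, the level names, and the "highest level wins" combination rule are assumptions.

```python
import math
from dataclasses import dataclass
from typing import Dict, Optional

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed cut-off, roughly airliner speed
LEVEL_ORDER = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


@dataclass
class Session:
    """One observed sign-on: where it came from and when (seconds since epoch)."""
    lat: float
    lon: float
    ts: float


def haversine_km(a: Session, b: Session) -> float:
    """Great-circle distance in km between two session locations."""
    lat1, lat2 = math.radians(a.lat), math.radians(b.lat)
    dlat = lat2 - lat1
    dlon = math.radians(b.lon - a.lon)
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def geovelocity_level(prev: Optional[Session], cur: Session, fallback: str = "MEDIUM") -> str:
    """Return LOW or HIGH for the geovelocity anomaly predictor.

    With no previous session there is insufficient information to compute a
    travel speed, so the configured fallback level is returned instead.
    """
    if prev is None:
        return fallback
    # Clamp to at least one second so two near-simultaneous events do not divide by zero.
    elapsed_h = max((cur.ts - prev.ts) / 3600.0, 1 / 3600.0)
    required_speed = haversine_km(prev, cur) / elapsed_h
    return "HIGH" if required_speed > MAX_PLAUSIBLE_KMH else "LOW"


def policy_level(predictor_levels: Dict[str, str]) -> str:
    """Assumed combination rule for a risk policy: the overall risk level is
    the highest level reported by any of its predictors."""
    return max(predictor_levels.values(), key=LEVEL_ORDER.__getitem__)


if __name__ == "__main__":
    # Constructed sample: a sign-on from New York followed one hour later by one from London.
    nyc = Session(40.7128, -74.0060, ts=0.0)
    london = Session(51.5074, -0.1278, ts=3600.0)
    geo = geovelocity_level(nyc, london)
    print("geovelocity:", geo, "overall:", policy_level({"geovelocity": geo, "anonymous_network": "LOW"}))
```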
You can also create custom predictors that leverage external or processed data. Learn more in Custom predictors.