PingOne

Introduction to predictors

Predictors are the basic building blocks that form risk policies. A predictor looks at a single factor, such as whether or not a user is trying to authenticate from an anonymous network. Each predictor yields an estimated risk level. For some predictors, the levels are Low and High. For other predictors, the levels are Low, Medium, and High.

PingOne Protect leverages the following risk predictors to learn user behavior and detect anomalies:

Predictor Description

Bot detection

Leverages advanced analysis of mouse, keyboard, touch, and mobile sensors, as well as device attributes, to detect non-human behavior, automated frameworks, recorders, and more.

This predictor is only available if you have a license for PingOne Protect. If you have a PingOne Risk license, contact your account team for more details.

IP velocity

Tracks the number of distinct IPs used per user.

User velocity

Tracks the number of distinct users per IP.

New device

Takes into account the risk associated with users trying to access applications from unknown devices or devices that have not been used for sign-on in the recent past.

Suspicious device

Scrutinizes browser, operating system, and hardware attributes to identify suspicious settings or inconsistencies between these attributes collected from the device.

This predictor is only available if you have a license for PingOne Protect. If you have a PingOne Risk license, contact your account team for more details.

Geovelocity anomaly

Analyzes location data to calculate if travel time between two session locations is physically possible.

User location anomaly

Detects a user’s sign-on location and checks it against previously saved authentication locations.

Anonymous network detection

Analyzes IP address data from a user’s device to determine if the address is originating from any type of anonymous network, such as unknown VPNs, Tor, or proxies to mask the IP address.

IP reputation

Analyzes data from different intelligence sources to determine the probability an IP address is associated with malicious activity and to request stronger authentication to verify the user’s identity.

User-based risk behavior

Compares a transaction with the typical behavior of that specific user.

Adversary-in-the-Middle (AitM)

Checks the domain name that the user is trying to access in order to identify AitM attacks.

Email reputation

Detects the use of disposable email addresses during registration.

Traffic anomaly

Monitors users, devices, and sessions to detect traffic anomalies, such as a large number of risk evaluations requested for a single user within a short period of time or a large number of users per device during a given time period.

Learn more about each predictor in Predictors.

The risk level for each predictor type is calculated separately. Most predictor types require training and learn from successful events. You can configure a fallback value for most predictor types to use if there is insufficient information to calculate a risk level.

You can also create custom predictors that leverage external or processed data. Learn more in Custom predictors.