Predictors

Bot attacks are becoming more prevalent with malicious actors using a wide variety of attack vectors, from credential stuffing and brute force attacks to password spraying and fake accounts. PingOne Protect detects non-human behavior, automated frameworks, and recorders by analyzing mouse, keyboard, touch, and mobile sensors and device attributes. For example, if the predictor detects non-human behavior or an automated framework, it alerts as a high-risk event and recommends bot mitigation.

You can configure a fallback value for this predictor type to use if there is insufficient information to calculate a risk level.

Compromised accounts can be associated with many different IP addresses. PingOne Protect detects the number of IP addresses a user is leveraging and alerts on anomalies. This predictor learns user behavior and dynamically adjusts the thresholds for each user. For example, if a user attempts to access their account from six different IP addresses within a short time frame, the IP velocity model detects an anomaly.

Stolen user accounts are becoming more common. A malicious user can have multiple sets of credentials originating from the same IP address. PingOne Protect detects the number of users originating from the same IP address and alerts on anomalies.

For example, if a workforce organization has 50 users who typically work from the same IP address at their office location, but 100 users attempt to authenticate from this IP address, the user velocity model alerts on this anomaly. Thresholds for this predictor are changed dynamically.

New device predictors allow your risk policy to take into account the risk associated with users trying to access applications from unknown devices or devices that have not been used in the past 12 months.

The new device predictor identifies individual devices using the following attributes and checks for the attributes in the following order:

You can configure a fallback value for this predictor type to use if there is insufficient information to calculate a risk level. You can also set an activation date for the model to restart the learning process.

The suspicious device predictor checks for suspicious settings or mismatches between browser, operating system, and hardware attributes to detect emulators, super user permissions, virtual machines, mirroring applications, tampered devices and more. PingOne Protect detects suspicious devices by analyzing various data points, including:

Using these data points, the predictor can differentiate between legitimate and suspicious devices and doesn’t require any device history to detect anomalies. For example, the suspicious device predictor can detect attempts to attack with mobile emulators and flags such activity as high risk.

You can configure a fallback value for this predictor type to use if there is insufficient information to calculate a risk level.

You can also specify that the predictor requires that the payload from the Signals (Protect) SDK be provided as a signed JWT.

Users frequently sign on to the same application from multiple locations throughout the day. A time lapse between two sign-on locations that is shorter than the time it would take to travel between the two points could indicate suspicious activity. PingOne Protect analyzes location data to calculate if travel time between two session locations is physically possible. If the elapsed time is calculated to be impossible, the user can be prompted with step-up authentication or denied access.

For example, if a user signs on to an application from the U.S. and then attempts to sign on again 2 hours later from Japan, the geovelocity anomaly predictor alerts on this anomaly.

You can configure a fallback value for this predictor type to use if there is insufficient information to calculate a risk level. You can customize a geovelocity anomaly predictor by creating an allow list of IP addresses for which these time and distance calculations should be ignored.

User location anomaly predictors allow you to define a radius around the location of the previous successful sign-on attempts. If a sign-on attempt occurs at a location whose distance from the user’s expected location is greater than the radius you defined, it is considered Medium or High risk, depending on the extent of the deviation from the defined radius. This information can be used in authentication policies to reduce the risk of unintentional push notification approval and account takeover (ATO) attacks.

The default radius is 50 kilometers. The units for the radius can be set to miles or kilometers. The smallest radius that can be defined is 10 miles and the largest is 100 miles.

You can also configure a fallback value to use if there is insufficient information to calculate a risk level.

Malicious actors typically use anonymous networks, such as unknown VPNs, Tor, and proxies to mask their IP address. PingOne Protect analyzes IP address data from a user’s device to determine if the address originates from any type of anonymous network. If so, the user can be prompted for step-up authentication or denied access.

You can configure a fallback value for this predictor type to use if there is insufficient information to calculate a risk level. PingOne Protect also supports creating an allow list of networks, ensuring that legitimate VPN users can access authorized resources.

IP addresses that have been involved in malicious activities, such as distributed denial-of-service (DDoS) attacks or spam activity, are considered risky. The more frequently an IP address is used for malicious activities, the higher its risk score. If a user attempts to access an application that is associated with an IP address previously involved with suspicious activity, the probability of potentially risky behavior increases. PingOne Protect analyzes data from different intelligence sources to determine the probability an IP address is associated with malicious activity and to request stronger authentication to verify the user’s identity.

You can configure a fallback value for this predictor type to use if there is insufficient information to calculate a risk level. You can also customize an IP reputation predictor by creating an allow list of IP addresses for which the IP reputation score should be ignored.

The user-based risk behavior model compares a transaction with the typical behavior of that specific user. For example, if a user accesses an application that they rarely use but is frequently used within the organization, user-based risk behavior detects an anomaly, but user risk behavior doesn’t.

User-based risk behavior is a machine-learning model that continuously updates. The model learns each user’s behavior from various data points, including:

The machine-learning model characterizes abnormal activity as low, medium, or high risk. Thresholds for this predictor are dynamic and might change between different users. You can configure a fallback value for this predictor type to use if there is insufficient information to calculate a risk level.

Adversary-in-the-Middle (AitM) is a variant of Man-in-the-Middle attacks. In AitM, a malicious actor uses a reverse proxy to position themselves between a user and an online service to obtain user credentials and session tokens. This type of attack circumvents the protection provided by OTP-based multi-factor authentication (MFA) and is a common technique in phishing attempts.

The predictor checks the domain name that the user is trying to access in order to identify AitM attacks.

When the risk evaluation result indicates an AitM attack, you should both block the attempt to access the resource and lock the user account because the malicious actors have obtained the user’s credentials. The account should be unlocked only after the user password has been changed.

The use of disposable email addresses is a common characteristic of fraudulent activity. The email reputation predictor detects the use of disposable email addresses during registration.

You can add the predictor to your risk policies, and you can also define a specific course of action if the result.recommendedAction field in the risk evaluation response equals TEMP_EMAIL_MITIGATION, such as blocking the registration attempt.

The traffic anomaly predictor detects traffic anomalies, such as brute force attacks, by monitoring various data points, including users, devices, and sessions. Currently, the predictor:

The traffic anomaly predictor will eventually include additional rules, some of which you’ll be able to enable or disable.

When a risk level of high is calculated for a traffic anomaly predictor, the result.recommendedAction field in the risk evaluation response returns the value DENY. In these situations, you should deny access because the repeated risk evaluations are likely a sign of a brute force attack.

When you define your own risk policies, you might be satisfied to use the out-of-the-box predictors provided and adjust the degree to which each predictor is taken into account. If you want to further refine the process, you can customize the individual predictors.

The PingOne Protect predictors can be:

There are three ways to customize the predictors that can be included in risk policies: