
Predictors

When you add the PingOne Protect service to a PingOne environment, the environment includes one predictor of each basic type that’s supported.

For example, the environment could contain one Anonymous Network predictor and one IP Reputation predictor. By default, each predictor is named after its category.

PingOne Protect leverages the following risk predictors to learn user behavior and detect anomalies:

  • Bot detection

  • IP velocity

  • User velocity

  • New device

  • Suspicious device

  • Geovelocity anomaly

  • User location anomaly

  • Anonymous network detection

  • IP reputation

  • User-based risk behavior

  • Adversary-in-the-Middle (AitM)

  • Email reputation

  • Traffic anomaly

You can also customize the default predictors and supplement the default predictors with predictors of your own using custom and composite predictors.

Learn more about how the predictors work in Testing predictors.

Bot detection

This predictor is only available if you have a license for PingOne Protect. If you have a PingOne Risk license, contact your account team for more details.

Bot attacks are becoming more prevalent with malicious actors using a wide variety of attack vectors, from credential stuffing and brute force attacks to password spraying and fake accounts. PingOne Protect detects non-human behavior, automated frameworks, and recorders by analyzing mouse, keyboard, touch, and mobile sensors and device attributes. For example, if the predictor detects non-human behavior or an automated framework, it alerts as a high-risk event and recommends bot mitigation.

You can configure a fallback value for this predictor type to use if there is insufficient information to calculate a risk level.

The PingOne Signals (Protect) SDK is required for the bot detection predictor.

IP velocity

Compromised accounts can be associated with many different IP addresses. PingOne Protect detects the number of IP addresses a user is leveraging and alerts on anomalies. This predictor learns user behavior and dynamically adjusts the thresholds for each user. For example, if a user attempts to access their account from six different IP addresses within a short time frame, the IP velocity model detects an anomaly.

User velocity

Stolen user accounts are becoming more common. A malicious user can have multiple sets of credentials originating from the same IP address. PingOne Protect detects the number of users originating from the same IP address and alerts on anomalies.

For example, if a workforce organization has 50 users who typically work from the same IP address at their office location, but 100 users attempt to authenticate from this IP address, the user velocity model alerts on this anomaly. Thresholds for this predictor are changed dynamically.

New device

New device predictors allow your risk policy to take into account the risk associated with users trying to access applications from unknown devices or devices that have not been used in the past 12 months.

The new device predictor identifies individual devices using the following attributes and checks for the attributes in the following order:

  1. External device ID: If you want to maintain your own device IDs, you can assign external device IDs that are not managed by the PingOne Signals (Protect) SDK (for example, device serial number or mobile application installation ID).

    An example scenario where you might use external device IDs is if your mobile native app incorporates a WebView. In such cases, the mobile Signals SDK and the web Signals SDK provide different device IDs. By providing your own external device IDs, you have a consistent ID to identify devices. External device ID can be mapped through the API or in a DaVinci flow using the PingOne Protect connector.

  2. Device ID: When you implement the Signals SDK, it generates and stores a device ID for each user device. If the SDK payload was successfully included in the risk evaluation, the response to the Create Risk Evaluation API request contains a deviceID field.

  3. Cookie + user agent: Set a persistent cookie and the user agent using the API, the PingOne Protect connector in a DaVinci flow, or PingOne Protect nodes in a PingOne Advanced Identity Cloud or PingAM user journey.

You can configure a fallback value for this predictor type to use if there is insufficient information to calculate a risk level. You can also set an activation date for the model to restart the learning process.
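The following Python is an added illustration, not PingOne Protect's own code: it models the order in which the predictor resolves a device identifier, the 12-month lookback, the fallback value, and the activation date that restarts learning. The field names, the history store and the NEW/KNOWN statuses are assumptions; mapping a status to a risk level is left to the policy.

```python
from datetime import datetime, timedelta

# Assumed model of the new-device check, not PingOne Protect's implementation.
# Device history is a constructed dict: (identifier kind, value) -> last seen.
LOOKBACK = timedelta(days=365)  # a device unused for 12 months counts as new again

def resolve_device_key(evaluation):
    """First usable identifier, in the predictor's order of precedence:
    external device ID, then Signals SDK device ID, then cookie + user agent."""
    if evaluation.get("externalDeviceId"):
        return ("externalDeviceId", evaluation["externalDeviceId"])
    if evaluation.get("deviceId"):
        return ("deviceId", evaluation["deviceId"])
    cookie, ua = evaluation.get("cookie"), evaluation.get("userAgent")
    if cookie and ua:
        return ("cookie+userAgent", cookie + "|" + ua)
    return None

def new_device_status(evaluation, history, now, activation_date=None, fallback="MEDIUM"):
    """Return 'NEW', 'KNOWN', or the configured fallback when no identifier exists.
    History older than activation_date is ignored, which restarts learning."""
    key = resolve_device_key(evaluation)
    if key is None:
        return fallback
    last_seen = history.get(key)
    if last_seen is None or (activation_date and last_seen < activation_date):
        return "NEW"
    return "NEW" if now - last_seen > LOOKBACK else "KNOWN"

def record_device(evaluation, history, now):
    """After a successful sign-on, refresh the device's last-seen time."""
    key = resolve_device_key(evaluation)
    if key is not None:
        history[key] = now

# Constructed samples. The WebView case: the app supplies its own external ID,
# so the differing SDK device IDs from the mobile and web SDKs do not matter.
NOW = datetime(2024, 6, 1)
ACTIVATION = datetime(2024, 5, 25)
HISTORY = {
    ("externalDeviceId", "install-7f3a"): datetime(2024, 5, 20),
    ("deviceId", "sdk-web-001"): datetime(2023, 1, 15),   # stale: more than 12 months
}
WEBVIEW_SIGNON = {"externalDeviceId": "install-7f3a", "deviceId": "sdk-mobile-999"}
STALE_SIGNON = {"deviceId": "sdk-web-001"}
COOKIE_SIGNON = {"cookie": "c1", "userAgent": "Mozilla/5.0 (constructed)"}
NO_ID_SIGNON = {"userAgent": "Mozilla/5.0 (constructed)"}
```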

Suspicious device

This predictor is only available if you have a license for PingOne Protect. If you have a PingOne Risk license, contact your account team for more details.

The suspicious device predictor checks for suspicious settings or mismatches between browser, operating system, and hardware attributes to detect emulators, super user permissions, virtual machines, mirroring applications, tampered devices, and more. PingOne Protect detects suspicious devices by analyzing various data points, including:

  • Operating system

  • Browser type and version

  • Hardware information

  • Device settings

Using these data points, the predictor can differentiate between legitimate and suspicious devices and doesn’t require any device history to detect anomalies. For example, the suspicious device predictor can detect attempts to attack with mobile emulators and flags such activity as high risk.

You can configure a fallback value for this predictor type to use if there is insufficient information to calculate a risk level.

You can also specify that the predictor requires that the payload from the Signals (Protect) SDK be provided as a signed JWT.

The PingOne Signals (Protect) SDK is required for the suspicious device predictor.

Geovelocity anomaly

Users frequently sign on to the same application from multiple locations throughout the day. A time lapse between two sign-on locations that is shorter than the time it would take to travel between the two points could indicate suspicious activity. PingOne Protect analyzes location data to calculate whether travel between two session locations is physically possible in the elapsed time. If the travel is calculated to be impossible, the user can be prompted with step-up authentication or denied access.

For example, if a user signs on to an application from the U.S. and then attempts to sign on again 2 hours later from Japan, the geovelocity anomaly predictor alerts on this anomaly.

You can configure a fallback value for this predictor type to use if there is insufficient information to calculate a risk level. You can customize a geovelocity anomaly predictor by creating an allow list of IP addresses for which these time and distance calculations should be ignored.

User location anomaly

User location anomaly predictors allow you to define a radius around the location of the previous successful sign-on attempts. If a sign-on attempt occurs at a location whose distance from the user’s expected location is greater than the radius you defined, it is considered Medium or High risk, depending on the extent of the deviation from the defined radius. This information can be used in authentication policies to reduce the risk of unintentional push notification approval and account takeover (ATO) attacks.

The default radius is 50 kilometers. The units for the radius can be set to miles or kilometers. The smallest radius that can be defined is 10 miles and the largest is 100 miles.

You can also configure a fallback value to use if there is insufficient information to calculate a risk level.
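The following Python is an added example, not PingOne's code, covering both the geovelocity check described above (with an allow list of IP ranges that skips the time and distance calculation) and the user location anomaly radius check. The haversine distance, the 1000 km/h travel bound, the Medium/High split at twice the radius, and the sample coordinates are all assumptions.

```python
from math import radians, sin, cos, asin, sqrt
from ipaddress import ip_address, ip_network

# Assumed model of the two location predictors, not PingOne Protect's implementation.
EARTH_RADIUS_KM = 6371.0
MAX_TRAVEL_KMH = 1000.0  # assumed upper bound on plausible travel speed

def distance_km(a, b):
    """Great-circle distance in km between two (lat, lon) points (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))

def geovelocity_level(prev, curr, allow_list=(), fallback="MEDIUM"):
    """prev and curr are sign-ons: {'ip', 'loc': (lat, lon), 'hours'}.
    Sign-ons from allow-listed IP ranges skip the time/distance check."""
    if prev is None or prev.get("loc") is None or curr.get("loc") is None:
        return fallback
    nets = [ip_network(n) for n in allow_list]
    if any(ip_address(s["ip"]) in net for s in (prev, curr) for net in nets):
        return "LOW"
    elapsed = curr["hours"] - prev["hours"]
    needed = distance_km(prev["loc"], curr["loc"]) / MAX_TRAVEL_KMH
    return "HIGH" if elapsed < needed else "LOW"

def location_anomaly_level(curr_loc, known_locs, radius_km=50.0, fallback="MEDIUM"):
    """Compare distance to the nearest previous successful sign-on against the
    radius: inside it LOW, up to twice the radius MEDIUM, beyond that HIGH
    (the 2x split is an assumption; the page only says Medium or High by extent)."""
    if curr_loc is None or not known_locs:
        return fallback
    d = min(distance_km(curr_loc, k) for k in known_locs)
    if d <= radius_km:
        return "LOW"
    return "MEDIUM" if d <= 2 * radius_km else "HIGH"

# Constructed sample: a New York sign-on followed two hours later by one from Tokyo.
NEW_YORK = (40.71, -74.01)
TOKYO = (35.68, 139.69)
PHILADELPHIA = (39.95, -75.17)  # about 130 km from New York
PREV = {"ip": "203.0.113.10", "loc": NEW_YORK, "hours": 0.0}
CURR = {"ip": "198.51.100.7", "loc": TOKYO, "hours": 2.0}
```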

Anonymous network detection

Malicious actors typically use anonymous networks, such as unknown VPNs, Tor, and proxies, to mask their IP address. PingOne Protect analyzes IP address data from a user’s device to determine if the address originates from any type of anonymous network. If so, the user can be prompted for step-up authentication or denied access.

You can configure a fallback value for this predictor type to use if there is insufficient information to calculate a risk level. PingOne Protect also supports creating an allow list of networks, ensuring that legitimate VPN users can access authorized resources.

IP reputation

IP addresses that have been involved in malicious activities, such as distributed denial-of-service (DDoS) attacks or spam activity, are considered risky. The more frequently an IP address is used for malicious activities, the higher its risk score. If a user attempts to access an application from an IP address previously involved in suspicious activity, the probability of risky behavior increases. PingOne Protect analyzes data from different intelligence sources to determine the probability that an IP address is associated with malicious activity and, when it is, can request stronger authentication to verify the user’s identity.

You can configure a fallback value for this predictor type to use if there is insufficient information to calculate a risk level. You can also customize an IP reputation predictor by creating an allow list of IP addresses for which the IP reputation score should be ignored.

User-based risk behavior

The user-based risk behavior model compares a transaction with the typical behavior of that specific user. For example, if a user accesses an application that they rarely use but that is frequently used within the organization, the user-based risk behavior predictor detects an anomaly, whereas the user risk behavior predictor doesn’t.

User-based risk behavior is a machine-learning model that continuously updates. The model learns each user’s behavior from various data points, including:

  • Operating system

  • Browser type and version

  • Activity time frame

  • Geolocation (country)

  • Application being accessed

  • Device settings and characteristics

The machine-learning model characterizes abnormal activity as low, medium, or high risk. Thresholds for this predictor are dynamic and might change between different users. You can configure a fallback value for this predictor type to use if there is insufficient information to calculate a risk level.

The PingOne Signals (Protect) SDK is required for the user-based risk behavior predictor type.

Adversary-in-the-Middle (AitM)

Adversary-in-the-Middle (AitM) is a variant of Man-in-the-Middle attacks. In AitM, a malicious actor uses a reverse proxy to position themselves between a user and an online service to obtain user credentials and session tokens. This type of attack circumvents the protection provided by OTP-based multi-factor authentication (MFA) and is a common technique in phishing attempts.

The predictor checks the domain name that the user is trying to access in order to identify AitM attacks.

When the risk evaluation result indicates an AitM attack, you should both block the attempt to access the resource and lock the user account, because the malicious actor has obtained the user’s credentials. The account should be unlocked only after the user password has been changed.

The PingOne Signals (Protect) SDK is required for the Adversary-in-the-Middle predictor.

Email reputation

The use of disposable email addresses is a common characteristic of fraudulent activity. The email reputation predictor detects the use of disposable email addresses during registration.

You can add the predictor to your risk policies, and you can also define a specific course of action if the result.recommendedAction field in the risk evaluation response equals TEMP_EMAIL_MITIGATION, such as blocking the registration attempt.

Traffic anomaly

The traffic anomaly predictor detects traffic anomalies, such as brute force attacks, by monitoring various data points, including users, devices, and sessions. Currently, the predictor:

  • Detects situations where there are a large number of risk evaluations requested for a single user within a short period of time

  • Optionally can detect situations where the number of users per device during a given period of time is suspicious

  • Flags these activities as high risk

The traffic anomaly predictor will eventually include additional rules, some of which you’ll be able to enable or disable.

When a risk level of high is calculated for a traffic anomaly predictor, the result.recommendedAction field in the risk evaluation response returns the value DENY. In these situations, you should deny access because the repeated risk evaluations are likely a sign of a brute force attack.
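The added Python below (not PingOne's code) shows the kind of sliding-window counting behind the traffic anomaly rule, and applies the same counter to the IP velocity predictor (distinct IPs per user) and the user velocity predictor (distinct users per IP) described earlier, over constructed risk-evaluation requests. The thresholds and window lengths are assumed, since the real predictors learn them per user.

```python
from collections import defaultdict

# Assumed sliding-window counters, not PingOne Protect's implementation. Each event is
# a constructed risk-evaluation request: {'ts': seconds, 'id', 'user', 'ip'}.

def windowed_max(events, key_of, value_of, window_s):
    """For each key, the largest number of distinct values seen within any
    window_s-second window ending at one of that key's events."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_key[key_of(ev)].append(ev)
    result = {}
    for key, evs in by_key.items():
        best = 0
        for i, cur in enumerate(evs):
            recent = {value_of(e) for e in evs[:i + 1] if e["ts"] > cur["ts"] - window_s}
            best = max(best, len(recent))
        result[key] = best
    return result

def traffic_anomaly(events, max_evals=20, window_s=60):
    """Too many risk evaluations for one user in a short period: HIGH, DENY.
    The limits are assumed values; the real rule's thresholds are not documented."""
    counts = windowed_max(events, lambda e: e["user"], lambda e: e["id"], window_s)
    return {u: ("HIGH", "DENY") for u, n in counts.items() if n > max_evals}

def ip_velocity(events, threshold, window_s=3600):
    """Distinct IP addresses per user; threshold stands in for the per-user learned value."""
    counts = windowed_max(events, lambda e: e["user"], lambda e: e["ip"], window_s)
    return {u: n for u, n in counts.items() if n > threshold}

def user_velocity(events, threshold, window_s=3600):
    """Distinct users per IP address, e.g. far more users than an office normally has."""
    counts = windowed_max(events, lambda e: e["ip"], lambda e: e["user"], window_s)
    return {ip: n for ip, n in counts.items() if n > threshold}

# Constructed sample: alice is hit by 25 evaluations in 25 seconds (brute force),
# bob signs on from six IPs within ten minutes, three staff share the office IP.
EVENTS = (
    [{"ts": i, "id": f"a{i}", "user": "alice", "ip": "203.0.113.5"} for i in range(25)]
    + [{"ts": 600 + 60 * i, "id": f"b{i}", "user": "bob", "ip": f"198.51.100.{i}"}
       for i in range(6)]
    + [{"ts": 2000 + i, "id": f"o{i}", "user": f"staff{i}", "ip": "192.0.2.1"}
       for i in range(3)]
)
```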

Customizing predictors

Customize predictors only after you’ve accumulated sufficient event data and analyzed it.

When you define your own risk policies, you might be satisfied to use the out-of-the-box predictors provided and adjust the degree to which each predictor is taken into account. If you want to further refine the process, you can customize the individual predictors.

The PingOne Protect predictors can be:

  • Customized instances of the basic predictor types

  • Multiple risk predictors combined into a single composite predictor

  • Custom predictors that use risk data from external sources

There are three ways to customize the predictors that can be included in risk policies:

Fine-tune out-of-the-box predictors

You can customize the out-of-the-box predictors by:

  • Renaming the predictor

  • Editing the settings contained in some predictors

For example, for the IP Reputation predictor, you can modify the fallback decision value or add a list of IPs that should always be considered low risk.

In addition to changing the settings of some default predictors, you can create additional predictors of certain types. For example, you can create:

  • A predictor of type User Location Anomaly called Strict User Location Anomaly with the distance set to 20 km and the fallback value set to High risk.

  • A second predictor of type User Location Anomaly called Lenient User Location Anomaly with the distance set to 50 km and the fallback value set to Medium risk.

This makes it easy for you to include the strict predictor in a risk policy that you use for highly sensitive applications and include the more lenient predictor in a risk policy that you use for less sensitive applications.

Create composite predictors

Each out-of-the-box risk predictor represents a single risk factor. In some cases, you might need to combine multiple risk predictors and factors into a single predictor, such as when you’re concerned about the use of an anonymous network only when a user location anomaly is also reported. This is where composite predictors come in.

In a composite predictor, you define conditions based on individual predictors, and you decide what level of risk should be assigned when the defined conditions are met and when they are not. Composite predictors can include the standard predictor types provided, any custom predictors that you have created, and several additional risk factors, such as country and IP range.

In addition to taking into account the results of multiple individual risk predictors, you can include conditions that relate to the total number of predictors in a policy that were Low, Medium, or High risk.

Create custom predictors

In addition to including the out-of-the-box predictors in a risk policy, you can create custom predictors to include other sources of risk in your risk policies.

Custom predictors can include the following types of comparisons:

  • Numerical comparisons, using ranges you have defined for Low, Medium, and High risk

  • Checking if an IP falls into a range of IPs that you have defined

  • String-matching

Find descriptions of the types of information that you can include as a custom predictor in the fields for the details and event objects in the Details data model and Event data model tables in the Risk evaluations section of the PingOne API documentation. You can also refer to the sample response to see an example Create risk evaluation API request.

Learn more in Adding custom predictors.
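The Python below is an added example, not PingOne's code or its configuration schema. It evaluates the three custom predictor comparison types (numeric ranges, IP range, string match) on fields of the details and event objects, and feeds predictor results into a composite predictor with predictor-level, count and country conditions, as described in the Create composite predictors section. All definition shapes and field names are assumptions.

```python
from ipaddress import ip_address, ip_network

# Assumed evaluator for custom and composite predictors; the definition shapes are
# invented for illustration and are not PingOne Protect's configuration format.
LEVELS = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

def lookup(evaluation, path):
    """Read a dotted path such as 'details.failedAttempts' from the evaluation."""
    for part in path.split("."):
        if not isinstance(evaluation, dict):
            return None
        evaluation = evaluation.get(part)
    return evaluation

def custom_level(definition, evaluation):
    """Custom predictor over one field: numeric ranges, IP-in-range, or string match."""
    value = lookup(evaluation, definition["field"])
    if value is None:
        return definition.get("fallback", "MEDIUM")
    if definition["type"] == "numeric":  # ranges: {level: (low, high or None)}
        for level, (lo, hi) in definition["ranges"].items():
            if lo <= value and (hi is None or value < hi):
                return level
    elif definition["type"] == "ipRange":
        hit = any(ip_address(value) in ip_network(r) for r in definition["ranges"])
        return definition["levelIfMatch"] if hit else definition["levelIfNoMatch"]
    elif definition["type"] == "string":
        return definition["levelIfMatch"] if value in definition["values"] else definition["levelIfNoMatch"]
    return definition.get("fallback", "MEDIUM")

def composite_level(definition, results, context):
    """All conditions must hold: predictor at/above a level, count at a level, country."""
    def holds(c):
        if c["type"] == "predictor":
            return LEVELS[results.get(c["name"], "LOW")] >= LEVELS[c["atLeast"]]
        if c["type"] == "count":
            return sum(lvl == c["level"] for lvl in results.values()) >= c["atLeast"]
        if c["type"] == "country":
            return context.get("country") in c["values"]
        raise ValueError("unknown condition type: " + c["type"])
    met = all(holds(c) for c in definition["conditions"])
    return definition["levelIfMet"] if met else definition["levelIfNotMet"]

# Constructed definitions: a numeric custom predictor and the composite from the text.
FAILED_ATTEMPTS = {"field": "details.failedAttempts", "type": "numeric",
                   "ranges": {"LOW": (0, 3), "MEDIUM": (3, 10), "HIGH": (10, None)}}
ANON_WITH_LOCATION = {"conditions": [
    {"type": "predictor", "name": "anonymousNetwork", "atLeast": "HIGH"},
    {"type": "predictor", "name": "userLocationAnomaly", "atLeast": "MEDIUM"}],
    "levelIfMet": "HIGH", "levelIfNotMet": "LOW"}
```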