Predictors - PingOne Services - PingOne Cloud Platform - PingOne

User and entity behavior analytics

There are two types of user and entity behavior analytics predictors:

User risk behavior (organization-wide)

To understand the behavior patterns of workforce users within an organization, PingOne Protect leverages user risk behavior and machine learning.

For example, if an organization’s workforce users primarily work on Mac operating system, but a user accesses an application on Windows operating system, the user risk behavior predictor detects an anomaly.

PingOne Protect continuously learns the behaviors of users inside an organization by analyzing many data points, including:

• Operating system
• Browser type and version
• Activity time frame
• IP range
• Geolocation (country)
• IP reputation
• Application being accessed

Using these data points, the machine-learning model characterizes abnormal activity as low, medium, or high risk and prompts the user for the appropriate authentication action.

This organization-based risk predictor works at the PingOne environment level and only uses data from one PingOne environment.

You can configure a fallback value for this predictor type to use if there is insufficient information to calculate a risk level.

User-based risk behavior (individual user)

Unlike the user risk behavior model, which compares a transaction with typical behavior within an organization, the user-based risk behavior model compares a transaction with the typical behavior of that specific user.

For example, if a user accesses an application that they rarely use but is frequently used within the organization, user-based risk behavior detects an anomaly, but user risk behavior doesn't.

User-based risk behavior is a machine-learning model that continuously updates. The model learns each user's behavior from various data points, including:

• Operating system
• Browser type and version
• Activity time frame
• Geolocation (country)
• Application being accessed
• Device settings and characteristics

The machine-learning model characterizes abnormal activity as low, medium, or high risk. Thresholds for this predictor are dynamic and might change between different users. You can configure a fallback value for this predictor type to use if there is insufficient information to calculate a risk level.

Note:

The PingOne Signals (Protect) SDK is required for the user-based risk behavior predictor type.

Velocity

User velocity

Stolen user accounts are becoming more common. A malicious user can have multiple sets of credentials originating from the same IP address. PingOne Protect detects the number of users originating from the same IP address and alerts on anomalies.

For example, if a workforce organization has 50 users who typically work from the same IP address at their office location, but 100 users attempt to authenticate from this IP address, the user velocity model alerts on this anomaly. Thresholds for this predictor are changed dynamically.

IP velocity

Compromised accounts can be associated with many different IP addresses. PingOne Protect detects the number of IP addresses a user is leveraging and alerts on anomalies. This predictor learns user behavior and dynamically adjusts the thresholds for each user. For example, if a user attempts to access their account from 6 different IP addresses within a short time frame, the IP velocity model detects an anomaly.

Anonymous network detection

Malicious actors typically use anonymous networks, such as unknown VPNs, Tor, and proxies to mask their IP address. PingOne Protect analyzes IP address data from a user’s device to determine if the address originates from any type of anonymous network. If so, the user can be prompted for step-up authentication or denied access.

You can configure a fallback value for this predictor type to use if there is insufficient information to calculate a risk level. PingOne Protect also supports creating an allow list of networks, ensuring that legitimate VPN users can access authorized resources.

IP reputation

IP addresses that have been involved in malicious activities, such as distributed denial-of-service (DDoS) attacks or spam activity, are considered risky. The more frequently an IP address is used for malicious activities, the higher its risk score. If a user attempts to access an application that is associated with an IP address previously involved with suspicious activity, the probability of potentially risky behavior increases. PingOne Protect analyzes data from different intelligence sources to determine the probability an IP address is associated with malicious activity and to request stronger authentication to verify the user’s identity.

You can configure a fallback value for this predictor type to use if there is insufficient information to calculate a risk level. You can also customize an IP reputation predictor by creating an allow list of IP addresses for which the IP reputation score should be ignored.

Geovelocity anomaly

Users frequently sign on to the same application from multiple locations throughout the day. A time lapse between two sign-on locations that is shorter than the time it would take to travel between the two points could indicate suspicious activity. PingOne Protect analyzes location data to calculate if travel time between two session locations is physically possible. If the elapsed time is calculated to be impossible, the user can be prompted with step-up authentication or denied access.

For example, if a user signs on to an application from the U.S. and then attempts to sign on again 2 hours later from Japan, the geovelocity anomaly predictor alerts on this anomaly.

You can configure a fallback value for this predictor type to use if there is insufficient information to calculate a risk level. You can customize a geovelocity anomaly predictor by creating an allow list of IP addresses for which these time and distance calculations should be ignored.

User location anomaly

User location anomaly predictors allow you to define a radius around the location of the previous successful sign-on attempts. If a sign-on attempt occurs at a location whose distance from the user's expected location is greater than the radius you defined, it is considered Medium or High risk, depending on the extent of the deviation from the defined radius. This information can be used in authentication policies to reduce the risk of unintentional push notification approval and account takeover (ATO) attacks.

You can configure a fallback value for this predictor type to use if there is insufficient information to calculate a risk level. You must also set a distance for the radius. The minimum radius distance is 10 miles (16 kilometers), and the maximum radius distance is 100 miles (160 kilometers).

Device

New device

New device predictors allow your risk policy to take into account the risk associated with users trying to access applications from unknown devices or devices that have not been used in the past 90 days.

You can configure a fallback value for this predictor type to use if there is insufficient information to calculate a risk level. You can also set an activation date for the model to restart the learning process.

Note:

This predictor requires that you include the input from the PingOne Signals (Protect) SDK or provide a persistent cookie. Best practice is to use the data from the SDK. If the SDK payload has been successfully sent to the risk evaluation, you will see a deviceID field in the response to the Create Risk Evaluation API request.

Suspicious device

Important:

This predictor is only available if you have a license for PingOne Protect. If you have a PingOne Risk license, contact your account team for more details.

The suspicious device predictor checks for suspicious settings or mismatches between browser, operating system, and hardware attributes to detect emulators, super user permissions, virtual machines, mirroring applications, tampered devices and more. PingOne Protect detects suspicious devices by analyzing various data points, including:

• Operating system
• Browser type and version
• Hardware information
• Device settings

Using these data points, the predictor can differentiate between legitimate and suspicious devices and doesn't require any device history to detect anomalies. For example, the suspicious device predictor can detect attempts to attack with mobile emulators and flags such activity as high risk.

You can configure a fallback value for this predictor type to use if there is insufficient information to calculate a risk level.

Note:

The PingOne Signals (Protect) SDK is required for the suspicious device predictor.

Bot detection

Bot attacks are becoming more prevalent with malicious actors using a wide variety of attack vectors, from credential stuffing and brute force attacks to password spraying and fake accounts. PingOne Protect detects non-human behavior, automated frameworks, and recorders by analyzing mouse, keyboard, touch, and mobile sensors and device attributes. For example, if the predictor detects non-human behavior or an automated framework, it alerts as a high-risk event and recommends bot mitigation.

You can configure a fallback value for this predictor type to use if there is insufficient information to calculate a risk level.

Customizing predictors

When you define your own risk policies, you might be satisfied to use the out-of-the-box predictors provided and adjust the degree to which each predictor is taken into account. If you want to further refine the process, you can customize the individual predictors.

The PingOne Protect predictors can be:

• Customized instances of the basic predictor types
• Multiple risk predictors combined into a single composite predictor
• Custom predictors that use risk data from external sources

When you create a new predictor, it is included by default in any risk policies that you subsequently create.

When creating predictors, consider the following points regarding the relationship between the Predictors page and the Risk Policies page:

• When you create a new environment, it includes a default risk policy.
• When you first go to the Predictors page, you see the predictors that are included in the default risk policy.
• When you customize predictors, you see the change immediately in any risk policies that use the predictors that you modified.
• When you create new predictors, you can use them when you update existing risk policies or when you create new risk policies.

Most of the predictor types allow you to define a Fallback Predictor Decision Value. This is the risk level that should be assigned to the predictor if there is insufficient information to calculate the risk level. This can occur for a number of reasons, such as:

• The predictor is still in the training period.
• The basic information required cannot be obtained, for example, the location of the user.

There are three ways to customize the predictors that can be included in risk policies:

Fine-tune out-of-the-box predictors

You can customize the out-of-the-box predictors by:

• Renaming the predictor
• Editing the settings contained in the predictor.

  For example, for the IP Reputation predictor, you can modify the fallback decision value or add a list of IPs that should always be considered low risk.

In addition to changing the settings of the default predictor in each category, you can create additional predictors of that type. For example, you can create:

• A predictor of type User Location Anomaly called Strict User Location Anomaly with the distance set to 20 km and the fallback value set to High risk.
• A second predictor of type User Location Anomaly called Lenient User Location Anomaly with the distance set to 50 km and the fallback value set to Medium risk.

This makes it easy for you to include the strict predictor in a risk policy that you use for highly-sensitive applications and include the more lenient predictor in a risk policy that you use for less-sensitive applications.

Create composite predictors

Each out-of-the-box risk predictor represents a single risk factor. In some cases, you might need to combine multiple risk predictors and factors into a single predictor, such as when you're concerned about the use of an anonymous network only when a user location anomaly is also reported. This is where composite predictors come in.

In a composite predictor, you define conditions based on individual predictors, and you decide what level of risk should be assigned when the defined conditions are and are not met. Composite predictors can include both the standard predictor types provided and any custom predictors that you have created in addition to several risk factors, such as country and IP range.

In addition to taking into account the results of multiple individual risk predictors, you can include conditions that relate to the total number of predictors in a policy that were Low, Medium, or High risk.

For more information, see Adding composite predictors.

Create custom predictors

In addition to including the out-of-the-box predictors in a risk policy, you can create custom predictors to include other sources of risk in your risk policies.

Custom predictors can include the following types of comparisons:

• Numerical comparisons, using ranges you have defined for Low, Medium, and High risk
• Checking if an IP falls into a range of IPs that you have defined
• String-matching

For the types of information that you can include as a custom predictor, see the fields in the details and event objects in the Details data model and Event data model tables in the Risk evaluations section of the PingOne API documentation. See also the sample response for a Create risk evaluation API request.

For more information, see Adding custom predictors.