Predictors are the basic building blocks that form risk policies. A predictor looks at a single factor, such as whether or not a user is trying to authenticate from an anonymous network. Each predictor yields an estimated risk level. For some predictors, the levels are Low and High. For other predictors, the levels are Low, Medium, and High.
PingOne Protect leverages the following risk predictors to learn user behavior and detect anomalies.
| Predictor | Description |
|---|---|
|
Bot detection |
Leverages advanced analysis of mouse, keyboard, touch, and mobile sensors, as well as device attributes, to detect non-human behavior, automated frameworks, recorders, and more Important:
This predictor is only available if you have a license for PingOne Protect. If you have a PingOne Risk license, contact your account team for more details. |
|
IP velocity |
Tracks the number of distinct IPs used per use |
|
User velocity |
Tracks the number of distinct users per IP |
|
New device |
Takes into account the risk associated with users trying to access applications from unknown devices or devices that have not been used for sign-on in the recent past |
|
Suspicious device |
Scrutinizes browser, operating system, and hardware attributes to identify suspicious settings or inconsistencies between these attributes collected from the device Important:
This predictor is only available if you have a license for PingOne Protect. If you have a PingOne Risk license, contact your account team for more details. |
|
Geovelocity anomaly |
Analyzes location data to calculate if travel time between two session locations is physically possible |
|
User location anomaly |
Detects a user's sign-on location and checks it against previously saved authentication locations |
|
Anonymous network detection |
Analyzes IP address data from a user’s device to determine if the address is originating from any type of anonymous network, such as unknown VPNs, Tor, or proxies to mask the IP address |
|
IP reputation |
Analyzes data from different intelligence sources to determine the probability an IP address is associated with malicious activity and to request stronger authentication to verify the user's identity |
|
User risk behavior (organization-wide) |
Learns the behaviors of users inside an organization by analyzing many data points, including operating system, browser properties, activity time frame, IP range, and geolocation |
|
User-based risk behavior (individual user) |
Compares a transaction with the typical behavior of that specific user |
|
Adversary-in-the-Middle (AitM) |
Checks the domain name that the user is trying to access in order to identify Adversary-in-the-Middle attacks |
|
Email reputation |
Detects the use of disposable email addresses during registration. |
For detailed information about each predictor, see Predictors.
The risk level for each predictor type is calculated separately. Most predictor types require training and learn from successful events. You can configure a fallback value for most predictor types to use if there is insufficient information to calculate a risk level.
You can also create custom predictors that leverage external or processed data. For more information, see Custom predictors.