Predictors are the basic building blocks that form risk policies. A predictor looks at a single factor, such as whether or not a user is trying to authenticate from an anonymous network. Each predictor yields an estimated risk level. For some predictors, the levels are Low and High. For other predictors, the levels are Low, Medium, and High.

PingOne Protect leverages the following risk predictors to learn user behavior and detect anomalies.

| Predictor | Description |
| --- | --- |
| Bot detection | Leverages advanced analysis of mouse, keyboard, touch, and mobile sensors, as well as device attributes, to detect non-human behavior, automated frameworks, recorders, and more. Important: This predictor is only available if you have a license for PingOne Protect. If you have a PingOne Risk license, contact your account team for more details. |
| IP velocity | Tracks the number of distinct IPs used per user. |
| User velocity | Tracks the number of distinct users per IP. |
| New device | Takes into account the risk associated with users trying to access applications from unknown devices or devices that have not been used for sign-on in the recent past. |
| Suspicious device | Scrutinizes browser, operating system, and hardware attributes to identify suspicious settings or inconsistencies between these attributes collected from the device. Important: This predictor is only available if you have a license for PingOne Protect. If you have a PingOne Risk license, contact your account team for more details. |
| Geovelocity anomaly | Analyzes location data to calculate if travel time between two session locations is physically possible. |
| User location anomaly | Detects a user's sign-on location and checks it against previously saved authentication locations. |
| Anonymous network detection | Analyzes IP address data from a user's device to determine whether the address originates from any type of anonymous network, such as unknown VPNs, Tor, or proxies used to mask the IP address. |
| IP reputation | Analyzes data from different intelligence sources to determine the probability that an IP address is associated with malicious activity and to request stronger authentication to verify the user's identity. |
| User risk behavior (organization-wide) | Learns the behaviors of users inside an organization by analyzing many data points, including operating system, browser properties, activity time frame, IP range, and geolocation. |
| User-based risk behavior (individual user) | Compares a transaction with the typical behavior of that specific user. |
| Adversary-in-the-Middle (AitM) | Checks the domain name that the user is trying to access in order to identify Adversary-in-the-Middle attacks. |
| Email reputation | Detects the use of disposable email addresses during registration. |

For detailed information about each predictor, see Predictors.

The risk level for each predictor type is calculated separately. Most predictor types require training and learn from successful events. You can configure a fallback value for most predictor types to use if there is insufficient information to calculate a risk level.

You can also create custom predictors that leverage external or processed data. For more information, see Custom predictors.
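
The following added example illustrates the idea behind the geovelocity anomaly predictor and the fallback value described above; it is not PingOne Protect code and does not reflect how the product computes risk. The speed ceiling, the distance tolerance, the two-level Low/High output, the session field names, and the sample sessions are all assumptions made for the illustration.

```python
import math
from datetime import datetime, timedelta, timezone

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 1000.0  # assumed ceiling, about airliner speed; not a PingOne value
MIN_DISTANCE_KM = 50.0  # assumed tolerance for IP-geolocation error


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def geovelocity_level(previous, current, fallback="Low"):
    """Return "High" if the implied travel speed is not physically plausible,
    "Low" if it is, or `fallback` when there is not enough data to decide.

    Sessions are dicts with "time" (aware datetime), "lat" and "lon".
    """
    if previous is None:
        return fallback  # first sign-on: nothing to compare against
    coords = (previous.get("lat"), previous.get("lon"), current.get("lat"), current.get("lon"))
    if any(c is None for c in coords):
        return fallback  # geolocation lookup failed for one session
    distance = haversine_km(*coords)
    if distance < MIN_DISTANCE_KM:
        return "Low"  # same metro area; also avoids dividing by a tiny interval
    hours = abs((current["time"] - previous["time"]).total_seconds()) / 3600
    if hours == 0:
        return "High"  # far apart at the same instant
    return "High" if distance / hours > MAX_SPEED_KMH else "Low"


# Constructed sample sessions (not real data).
T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
LONDON = {"time": T0, "lat": 51.5074, "lon": -0.1278}
PARIS = {"time": T0 + timedelta(hours=3), "lat": 48.8566, "lon": 2.3522}
SYDNEY = {"time": T0 + timedelta(hours=2), "lat": -33.8688, "lon": 151.2093}
NO_GEO = {"time": T0 + timedelta(hours=1), "lat": None, "lon": None}

if __name__ == "__main__":
    for label, prev, cur in [("first sign-on", None, LONDON), ("London -> Paris", LONDON, PARIS),
                             ("London -> Sydney", LONDON, SYDNEY), ("no geolocation", LONDON, NO_GEO)]:
        print(f"{label}: {geovelocity_level(prev, cur)}")
```

The distance tolerance matters in practice because IP geolocation is coarse: without it, two sign-ons seconds apart from neighbouring address blocks can imply an absurd speed and produce false positives.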