Skip to main content
Version: 1.0.x.x LTS

Rule-based models

Rule-based normalization models compute the normalized risk score in a deterministic way. Instead of selecting a training data set for rule-based normalization, the used plug-in risk score can be configured directly.

Configuration of the plug-in risk score

For every plug-in risk score, the following elements can be configured:

  • A threshold for the confidence of the plug-in risk score. If the confidence is below the threshold, the system will ignore the plug-in risk score. In this case, the plug-in risk score does not influence the computation of the normalized risk score.
  • A condition for the plug-in risk score, with the following settings:
    • REQUIRED: If the plug-in risk score is missing, the normalized risk score will not be computed.
    • OPTIONAL: If the plug-in risk score is missing, the normalized risk score will be computed with the existing plug-in risk scores.
    • IGNORE: The plug-in risk score will be ignored.
  • The weight of the plug-in risk score. It is possible to give different weights to the different plug-in risk scores from the different plug-ins.

The choice of the threshold value for the first two parameters is driven by the recorded plug-in risk scores. The third parameter is based on security concerns.

Plug-in risk score weight

Security concerns influence the assignment of a weight to a specific plug-in risk score. A high plug-in risk score weight means that you consider the risk score returned by this specific plug-in or detection service as a strong indicator for a fraudulent request. Whereas a low weight expresses the assumption that this specific plug-in may even return a high risk score in case of a legitimate request (and as a consequence should not be given too much importance/weight).

Computation algorithm

There are several methods or algorithms to compute the normalized risk score:

Maximum normalization

The system takes the maximum of all weighted plug-in risk scores as the normalized risk score:

rnormalized = min(1, maxj ∈ J(rj · wj))

J is the index set of all plug-in risk scores rj that match the plug-in risk score and confidence condition. The configured weight is denoted by wj.

Weighted sum normalization

The system takes the weighted sum of all plug-in risk scores as the normalized risk score:

rnormalized = min(1, sumj ∈ J(rj · wj))

J is the index set of all plug-in risk scores rj that match the plug-in risk score and confidence condition. The configured weight is denoted by wj.

Minimum normalization

The system takes the minimum of all weighted plug-in risk scores as the normalized risk score:

rnormalized = min(1,minj ∈ J(rj · wj))

J is the index set of all plug-in risk scores rj that match the plug-in risk score and confidence condition. The configured weight is denoted by wj.

The decision about which algorithm to use is a trade-off between security and user convenience. For an explanation, see the next chapter: Policy.