Rule-based models
Rule-based normalization models compute the normalized risk score in a deterministic way. Instead of selecting a training data set for rule-based normalization, the used plug-in risk score can be configured directly.
Configuration of the plug-in risk score
For every plug-in risk score, the following elements can be configured:
- A threshold for the confidence of the plug-in risk score. If the confidence is below the threshold, the system will ignore the plug-in risk score. In this case, the plug-in risk score does not influence the computation of the normalized risk score.
- A condition for the plug-in risk score, with the following settings:
- REQUIRED: If the plug-in risk score is missing, the normalized risk score will not be computed.
- OPTIONAL: If the plug-in risk score is missing, the normalized risk score will be computed with the existing plug-in risk scores.
- IGNORE: The plug-in risk score will be ignored.
- The weight of the plug-in risk score. It is possible to give different weights to the different plug-in risk scores from the different plug-ins.
The choice of the threshold value for the first two parameters is driven by the recorded plug-in risk scores. The third parameter is based on security concerns.
Plug-in risk score weight
Security concerns influence the assignment of a weight to a specific plug-in risk score. A high plug-in risk score weight means that you consider the risk score returned by this specific plug-in or detection service as a strong indicator for a fraudulent request. Whereas a low weight expresses the assumption that this specific plug-in may even return a high risk score in case of a legitimate request (and as a consequence should not be given too much importance/weight).
Computation algorithm
There are several methods or algorithms to compute the normalized risk score:
Maximum normalization
The system takes the maximum of all weighted plug-in risk scores as the normalized risk score:
rnormalized = min(1, maxj ∈ J(rj · wj))
J is the index set of all plug-in risk scores rj that match the plug-in risk score and confidence condition. The configured weight is denoted by wj.
Weighted sum normalization
The system takes the weighted sum of all plug-in risk scores as the normalized risk score:
rnormalized = min(1, sumj ∈ J(rj · wj))
J is the index set of all plug-in risk scores rj that match the plug-in risk score and confidence condition. The configured weight is denoted by wj.
Minimum normalization
The system takes the minimum of all weighted plug-in risk scores as the normalized risk score:
rnormalized = min(1,minj ∈ J(rj · wj))
J is the index set of all plug-in risk scores rj that match the plug-in risk score and confidence condition. The configured weight is denoted by wj.
The decision about which algorithm to use is a trade-off between security and user convenience. For an explanation, see the next chapter: Policy.