Skip to main content
Version: 1.8.x.x LTS

Rule-based models

Rule-based normalization models compute the normalized risk score in a deterministic way. Instead of selecting a training data set for rule-based normalization, the used plug-in risk score can be configured directly.

Configuration of the plug-in risk score

For every plug-in risk score, the following elements can be configured:

  • A threshold for the confidence of the plug-in risk score. If the confidence is below the threshold, the system will ignore the plug-in risk score. In this case, the plug-in risk score does not influence the computation of the normalized risk score.
  • A condition for the plug-in risk score, with the following settings:
    • REQUIRED: If the plug-in risk score is missing, the normalized risk score will not be computed.
    • OPTIONAL: If the plug-in risk score is missing, the normalized risk score will be computed with the existing plug-in risk scores.
    • IGNORE: The plug-in risk score will be ignored.
  • The weight of the plug-in risk score. It is possible to give different weights to the different plug-in risk scores from the different plug-ins.

The choice of the threshold value for the first two parameters is driven by the recorded plug-in risk scores. The third parameter is based on security concerns.

Plug-in risk score weight

Security concerns influence the assignment of a weight to a specific plug-in risk score. A high plug-in risk score weight means that you consider the risk score returned by this specific plug-in or detection service as a strong indicator for a fraudulent request. Whereas a low weight expresses the assumption that this specific plug-in may even return a high risk score in case of a legitimate request (and as a consequence should not be given too much importance/weight).

Computation algorithm

There are several methods or algorithms to compute the normalized risk score:

  • Maximum normalization The system takes the maximum of all weighted plug-in risk scores as the normalized risk score: rnormalized = min(1,maxj ε J (rj · wj) ) with J as index set of all plug-in risk scores rj that match the plug-in risk score and confidence condition. The configured weight is denoted by wj.
  • Weighted sum normalization The system takes the weighted sum of all plug-in risk scores as the normalized risk score: rnormalized = min(1,sumj ε J (rj · wj) ) with J as index set of all plug-in risk scores rj that match the plug-in risk score and confidence condition. The configured weight is denoted by wj.
  • Minimum normalization The system takes the minimum of all weighted plug-in risk scores as the normalized risk score: rnormalized = min(1,minj ε J (rj · wj) ) with J as index set of all plug-in risk scores rj that match the plug-in risk score and confidence condition. The configured weight is denoted by wj.

The decision which algorithm to use is again a trade-off between security and user convenience. For an explanation, see the next chapter, Policy.