Rule-based models

Rule-based normalization models compute the normalized risk score in a deterministic way. Instead of selecting a training data set for rule-based normalization, the used plug-in risk score can be configured directly.

Configuration of the plug-in risk score

For every plug-in risk score, the following elements can be configured:

• A threshold for the confidence of the plug-in risk score. If the confidence is below the threshold, the system will ignore the plug-in risk score. In this case, the plug-in risk score does not influence the computation of the normalized risk score.
• A condition for the plug-in risk score, with the following settings:
  • REQUIRED: If the plug-in risk score is missing, the normalized risk score will not be computed.
  • OPTIONAL: If the plug-in risk score is missing, the normalized risk score will be computed with the existing plug-in risk scores.
  • IGNORE: The plug-in risk score will be ignored.
• The weight of the plug-in risk score. It is possible to give different weights to the different plug-in risk scores from the different plug-ins.

The choice of the threshold value for the first two parameters is driven by the recorded plug-in risk scores. The third parameter is based on security concerns.

Plug-in risk score weight

Security concerns influence the assignment of a weight to a specific plug-in risk score. A high plug-in risk score weight means that you consider the risk score returned by this specific plug-in or detection service as a strong indicator for a fraudulent request. Whereas a low weight expresses the assumption that this specific plug-in may even return a high risk score in case of a legitimate request (and as a consequence should not be given too much importance/weight).

Computation algorithm

There are several methods or algorithms to compute the normalized risk score:

• Maximum normalization The system takes the maximum of all weighted plug-in risk scores as the normalized risk score: r_normalized = min(1,max_{j ε J} (r_j · w_j) ) with J as index set of all plug-in risk scores r_j that match the plug-in risk score and confidence condition. The configured weight is denoted by w_j.
• Weighted sum normalization The system takes the weighted sum of all plug-in risk scores as the normalized risk score: r_normalized = min(1,sum_{j ε J} (r_j · w_j) ) with J as index set of all plug-in risk scores r_j that match the plug-in risk score and confidence condition. The configured weight is denoted by w_j.
• Minimum normalization The system takes the minimum of all weighted plug-in risk scores as the normalized risk score: r_normalized = min(1,min_{j ε J} (r_j · w_j) ) with J as index set of all plug-in risk scores r_j that match the plug-in risk score and confidence condition. The configured weight is denoted by w_j.

The decision which algorithm to use is again a trade-off between security and user convenience. For an explanation, see the next chapter, Policy.