Attribute matchers

An attribute matcher compares the values of a specified attribute in the incoming device fingerprint with the existing device fingerprint of the user. Context-based access uses the information that is returned by the attribute matchers to calculate the risk score.

In some scenarios, multiple attributes or a set of composite attributes must be matched. For example, longitude, latitude, and accuracy are three attributes that are related to location. In a given scenario, two device fingerprints are considered a match if the distance between two location points is not greater than a specified threshold value. In this scenario, the comparison of only the longitude attribute does not provide accurate results. The matcher must do a more complex comparison or composite matching, where it matches multiple attributes from both fingerprints.

The matcher returns one of the following results after it compares the attribute values in the registered device fingerprint and the incoming device fingerprint:
Matched
The decision that the matcher returns if the attribute value in the registered device fingerprint and the incoming device fingerprint value are the same or considered equivalent.
Mismatched
The decision that the matcher returns if the attribute value in the registered device fingerprint and the incoming device fingerprint value are neither the same nor considered equivalent.
Indeterminate
The decision that the matcher returns if it cannot gather enough attribute information to determine a result.
Note: When the matcher returns Indeterminate as the result, the risk engine does not use the attribute in risk score calculations.
A mismatch increases the risk score that is based on the assigned weight of the attributes.
The matcher might not be used in the risk calculation in the following situations:

Risk-based access provides ready-to-use attribute matchers that compare composite attributes or analyze a range of attribute values. You can configure one or more of the attribute matchers that are described in the following sections.

Exact match matcher

The exact_match matcher checks whether the values of an attribute in a registered device and an incoming request exactly equal each other. Use this matcher if the more specialized matchers are not appropriate for the attribute.

IP address matcher

The IP address matcher (ipaddr_matcher) compares the IP address of a request with:
The IP address matcher has the following properties:
Trusted addresses
  IPV4 addresses
    IP and Netmask: Specifies the IP address and its netmask to include. Include X.X.X.X as a value to compare the incoming IP address with the IP address with which the device is registered.
  IPV6 addresses
    IP and Prefix: Specifies the IP address and its prefix to include. Include X:X:X:X:X:X:X:X as a value to compare the incoming IP address with the IP address with which the device is registered.
Untrusted addresses
  IPV4 addresses
    IP and Netmask: Specifies the IP address and its netmask to exclude. Include X.X.X.X as a value to compare the incoming IP address with the IP address with which the device is registered.
  IPV6 addresses
    IP and Prefix: Specifies the IP address and its prefix to exclude. Include X:X:X:X:X:X:X:X as a value to compare the incoming IP address with the IP address with which the device is registered.
The IP address matcher returns one of the following decisions after it compares the incoming IP address with the IP address that belongs to the registered device:
MISMATCHED
The decision that the matcher returns if either of the following conditions is true:
  • The incoming IP address is in the list of untrusted IP addresses.
  • The incoming IP address is not in the list of trusted IP addresses, and the IP address has a reputation other than Dynamic IPs.
MATCHED
The decision that the matcher returns if the matcher finds the incoming IP address in the list of trusted IP addresses.
INDETERMINATE
The decision that the matcher returns if the following conditions are true:
  • The IP address is not in the list of untrusted IP addresses.
  • The IP address is not in the list of trusted IP addresses.
  • The IP address qualifies for one of the following conditions:
    • Does not have a reputation.
    • Has a Dynamic IPs reputation.
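
The decision rules above, written out as an added example (not product code). The function and variable names, the sample address ranges, the sample reputation value "Malware", and the choice to check the untrusted list before the trusted list are assumptions; the X.X.X.X registered-address placeholder is not modelled.

```python
import ipaddress

DYNAMIC_IPS = "Dynamic IPs"  # reputation name as it appears in the rules above

def _nets(entries):
    # Accepts both "address/netmask" and "address/prefix" notation.
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def _listed(addr, nets):
    # An IPv4 address is only compared with IPv4 entries, IPv6 with IPv6.
    return any(addr.version == n.version and addr in n for n in nets)

def ip_decision(incoming, trusted, untrusted, reputation=None):
    """Return the matcher decision for one incoming IP address.

    reputation is the address's reputation category, or None if it has none.
    """
    addr = ipaddress.ip_address(incoming)
    # Assumption: an address that is on both lists is treated as untrusted.
    if _listed(addr, _nets(untrusted)):
        return "MISMATCHED"
    if _listed(addr, _nets(trusted)):
        return "MATCHED"
    # On neither list: only a reputation other than Dynamic IPs is a mismatch.
    if reputation is not None and reputation != DYNAMIC_IPS:
        return "MISMATCHED"
    return "INDETERMINATE"

# Constructed configuration that uses documentation address ranges.
TRUSTED = ["192.0.2.0/255.255.255.0", "2001:db8:1::/48"]
UNTRUSTED = ["198.51.100.0/24", "192.0.2.128/25"]

# Constructed requests: (incoming IP address, reputation or None).
SAMPLES = [
    ("192.0.2.10", None),
    ("2001:db8:1::5", None),
    ("198.51.100.7", None),
    ("192.0.2.200", None),        # on both lists
    ("203.0.113.5", "Malware"),   # constructed non-dynamic reputation value
    ("203.0.113.5", DYNAMIC_IPS),
    ("203.0.113.5", None),
]

def run_samples():
    return [ip_decision(ip, TRUSTED, UNTRUSTED, rep) for ip, rep in SAMPLES]

if __name__ == "__main__":
    for (ip, rep), decision in zip(SAMPLES, run_samples()):
        print(f"{ip:15} reputation={rep!s:12} -> {decision}")
```
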

PIP matcher

The policy information point (PIP) matcher (pip_matcher) uses the value of a single-valued attribute to determine one of the following results:
Matched
The value of the attribute is MATCHED.
Mismatched
The value of the attribute is MISMATCHED.
Indeterminate
The value of the attribute is INDETERMINATE.
Note: The PIP matcher supports only single-valued attributes with String data types.
Write and configure a JavaScript PIP with the following capabilities if you prefer to use the PIP matcher:

Location matcher

The location matcher (location_matcher) checks whether the location of a device is within a specific distance from the previous known locations of the device. Configure the location matcher properties to specify the accuracy range and how to compare the location information.
Limitation: The retrieval of location attributes depends on the web browser and the settings that the user specifies in the web browser. The web browser must support the Geolocation API. An error might occur in some web browsers if a user tries to access a protected resource from a device with a wired internet connection.

The location-based analysis processes all three location attributes (longitude, latitude, and accuracy) collectively when it determines the match for the location. Though weights are assigned to all three attributes, the weight for only the longitude attribute is considered. The weights that are assigned to the supporting latitude and accuracy attributes are ignored.

The location matcher has two properties:
Comparison
Indicates how you want the attribute matcher to calculate the accuracy range of the location coordinates.

The following figure illustrates the closest points, midpoints, and farthest points of the accuracy ranges of two locations. In this figure, the circle represents the accuracy range and the center of the circle represents the location.

Figure 1. The closest points, midpoints, and farthest points on the accuracy ranges of two locations

Set the Comparison property to one of the following values:

  • Specify the value as closest to calculate the distance between the closest points on the accuracy range of two locations. This calculation is the most restrictive calculation.
  • Specify the value as midpoint to calculate the distance between the midpoints of the circles without considering accuracy.
  • Specify the value as farthest to calculate the distance between the farthest points on the accuracy ranges of the two locations. This calculation is the least restrictive calculation.
Distance
The maximum distance between the new location and the historic locations. The unit of the numeric value is in kilometers. The default value is 40.
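
How the Comparison and Distance properties interact, as an added example (not product code). It assumes the geometric reading of the figure (center-to-center distance minus or plus the two accuracy radii), accuracy values in meters as the Geolocation API reports them, a single registered location, and Indeterminate when a location attribute is missing; all names and coordinates are constructed.

```python
import math

EARTH_RADIUS_KM = 6371.0088   # mean Earth radius
DEFAULT_DISTANCE_KM = 40      # default Distance value stated above

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometers."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def compared_distance_km(registered, incoming, comparison):
    """Distance that is compared with the Distance property."""
    center = haversine_km(registered["latitude"], registered["longitude"],
                          incoming["latitude"], incoming["longitude"])
    # Sum of both accuracy radii, converted from meters to kilometers.
    radii = (registered["accuracy"] + incoming["accuracy"]) / 1000.0
    if comparison == "closest":
        return max(0.0, center - radii)   # overlapping circles touch at 0 km
    if comparison == "midpoint":
        return center                     # accuracy is not considered
    if comparison == "farthest":
        return center + radii
    raise ValueError(f"unknown Comparison value: {comparison!r}")

def location_decision(registered, incoming, comparison,
                      distance_km=DEFAULT_DISTANCE_KM):
    needed = ("latitude", "longitude", "accuracy")
    # A browser that withholds location leaves the matcher without input.
    if any(fp.get(k) is None for fp in (registered, incoming) for k in needed):
        return "INDETERMINATE"
    d = compared_distance_km(registered, incoming, comparison)
    return "MATCHED" if d <= distance_km else "MISMATCHED"

# Constructed fingerprints: centers about 44.6 km apart, 5 km accuracy each.
REGISTERED = {"latitude": 48.0, "longitude": 11.0, "accuracy": 5000}
INCOMING = {"latitude": 48.0, "longitude": 11.6, "accuracy": 5000}

def decisions_by_mode():
    return {mode: location_decision(REGISTERED, INCOMING, mode)
            for mode in ("closest", "midpoint", "farthest")}

if __name__ == "__main__":
    for mode, decision in decisions_by_mode().items():
        d = compared_distance_km(REGISTERED, INCOMING, mode)
        print(f"{mode:9} {d:6.2f} km -> {decision}")
```
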

Login time matcher

The login time matcher (login_time_matcher) compares and analyzes the historical login time data of the user with the current login time of the user. You must configure the attributes and properties that are required for login time analysis. The login time matcher primarily detects the logins per session. The first of the several access times that are captured within the session is considered the login time of the user. The result of the analysis determines the probability of a fraudulent user.
The login time matcher has one property:
Threshold
Indicates the probability that a user might log in at a particular time. Valid values are 0 to 1. The default value is 0.3. This default value indicates the probability that the user logs in approximately within an hour of the previous login times. If you set a lower value, the odds of the matcher returning true are higher and the risk score is lower. If you set a higher value, the odds of the matcher returning true are lower and the risk score is higher. For example, if you set a value of 0.5, the matcher almost always returns false. The login time analysis collects data for eight login times before it provides input for risk score calculation.