Risk Score
NOTE: Risk Score is available with Verify API v4. By default, Risk Score is turned off. To activate it, contact your Arkose Labs CSM (Customer Success Manager).
For each session, Arkose Bot Manager determines Risk Scores based on multiple signals collected throughout the session and the associated triggered telltales. The Verify API returns two risk scores in an additional session_risk
field:
- Global Risk Score: A risk score based on the global telltales that fired during the session. The Global Risk Score ranges anywhere from
0
to100
with100
being the highest risk level. - Custom Risk Score: A risk score based on customer-specific telltales. The Custom Risk Score ranges from
0
or100
with100
being the highest risk level.
Risk Categories
Every session is assigned to a risk category:
-
NO-THREAT
: No threat or risk detected.- No telltale was triggered.
-
ALLOWLIST
:- A telltale created from an Allowlist was triggered.
- Overrides all other Risk Category values; if an Allowlist telltale is triggered, the session gets an
ALLOWLIST
risk category. Note that it is not possible for both an Allowlist and a Denylist telltale to trigger in the same session.
-
DENYLIST
:- A telltale created from a Denylist was triggered.
- Overrides all other Risk Category values; if a Denylist telltale is triggered, the session gets a
DENYLIST
risk category. Note that it is not possible for both an Allowlist and a Denylist telltale to trigger in the same session.
-
BOT-STD
: Basic botnet / Automation- Assigned when only global telltales belonging to standard botnets were identified.
-
BOT-ADV
: Advanced botnet / Automation- Assigned when at least one global telltale in the session belonged to advanced botnets.
- Overrides
BOT-STD
(i.e. if there are both standard and advanced botnet telltales in a session, the session gets aBOT-ADV
risk category)
-
FRD-FRM
: Fraud farms (Captcha solvers)- Assigned when at least one global telltale in the session belonged to fraud farms.
- Overrides
BOT-STD
andBOT-ADV
(i.e. if any telltale belongs to a fraud farm, the session gets a
FRD-FRM
risk category, regardless of any botnet telltales).
-
CUSTOM
: Custom (for any customer-specific telltales addressing unique customer-specified traffic patterns)- At least one customer-specific telltale was triggered.
- All global risk category values override
CUSTOM
. For a session to have aCUSTOM
risk category value, both a customer-specific telltale must have triggered and no global telltales can have triggered (i.e. if any global telltale was triggered, the session is assigned the appropriate global risk category as specified above)
For more details on individual global telltales and their contributions to various categories, please see the Global Telltales page in the Arkose Labs Knowledge Base. To access the Knowledge Base, you must have a support login.
Risk Bands
Risk Bands define the level of risk by what band a session's numerical risk score falls into.
The greater of the Global and Custom Risk Scores determines which band Arkose assigns to the session. Note that since a session’s Custom Risk Score can only be either 0
or 100
, any triggered customer-specific telltales automatically put the session in the High risk band.
The risk bands are defined as follows, with each band inclusive of its start and end values.
Band | Score Range Start | Score Range End |
---|---|---|
High | 81 | 100 |
Medium | 41 | 80 |
Low | 0 | 40 |
Using Risk Scores
Arkose Labs suggests these guidelines for interpreting and using Risk Score related information:
-
The Global Risk Score detects common threats across Arkose Labs customers. It may provide more granular insight into the threat.
-
The Custom Risk Score detects threats specific to a given customer.
-
The two scores may overlap. Global and customer-specific telltales may detect the same attack based on different anomalies found in the session
-
Both the risk score and risk category must be considered when choosing the most appropriate response strategy.
Two ways of using risk scores are:
-
Influencing the challenge strategy. For more on how the integration process looks like, please contact your Arkose CSM (Customer Success Manager).
-
Within a customer’s Internal Detection Models. If a customer wants to just use risk scores for informative purposes and not use it to tune challenges, then no integration changes are needed. Once turned on, you can consume Risk Score data via Verify API responses.
For more detailed suggestions as to what actions to take for different combinations of Risk Scores, Risk Bands, and Risk Categories, see Risk Score Usage (Support login required).
Verify API Response Fields and Values
Reminder: The full Verify API Response, except for the below description of its
session_risk
field, is described on the Server-Side Instructions page .
When Risk Score has been turned on, your Verify API responses include an additional field, session_risk
. Its value is a JSON object, with its own fields and subfields as described in the table below.
Note the following special cases, which affect the JSON object’s value. You need to take the possibility of these cases into account when writing code that processes session_risk
's value.
-
If no Arkose global or generic telltales triggered during the session, its Global Risk Score is
0
. -
If no customer-specific telltales triggered during the session, its Custom Risk Score is
0
. -
If both risk scores are
0
, therisk_category
field is not returned. You should treat it as a"NULL"
risk category. Note: This means there may be 0 or 1risk_category
fields in asession_risk
value. -
If both the Global and Custom Risk Scores are
0
, therisk_band
value is"Low"
. -
risk_category
is the only optional field (i.e., it is not returned if there is no category value due to no telltales triggering). All other fields and subfields are always returned, includingsession_risk
as a whole. So if the Global Risk Score is0
,global
's value is a score of"0"
and atelltales
' value of an empty array ([]
). If the Custom Risk Score is0
,custom
's value is a score of"0"
and atelltales
' value of an empty array ([]
). See the second response example further below.
Field | Subfield | Subfield | Subfield | Description and Values |
---|---|---|---|---|
session_risk | An object containing all risk score information and conclusions. Made up of the following subfields. | |||
risk_category | Name of the risk category determined by the session's risk score. One of "BOT-STD" (standard botnet), "BOT-ADV" (advanced botnet), "FRD-FRM" (fraud farm) or "CUSTOM" (custom category based on customer-defined telltales).If both the Global and Custom Risk Scores are 0 , session_risk 's value will not have a risk_category field. | |||
risk_band | Risk band category indicating risk severity as determined by risk scores. One of "High" , "Medium", or "Low"` | |||
global | Object containing the Global Risk Score value and the global telltales used to calculate it. An array of objects consisting of score and telltales fields. | |||
custom | Object containing the Custom Risk Score value and the global telltales used to calculate it. An array of objects consisting of score and telltales fields. | |||
score | Risk Score value. If under global , the Global Risk Score. If under custom , the Custom Risk Score.A string of an integer between 0 and 100 , such as "87" . If under custom , it will be either "0" or "100" . | |||
telltales | Telltales that contributed to calculating a Risk Score. If under global , the Global Risk Score. If under custom , the Custom Risk Score.An array of objects consisting of name andweight fields. | |||
name | Name of a triggered telltale that contributed to calculating a Risk Score. A string starting with g- to signify global, such as"g-h-cfp-1000000000" or a string that does not start with g- meaning it is a custom telltale like "outdated-os-yandex" | |||
weight | The weight given this triggered telltale when calculating a Risk Score. Note that a telltale’s weight is not necessarily the same as the eventual total score. A string of an integer between "1" and "100" . Not "0" since a triggered telltale must have some weight. |
Sample Verify API Response With session_risk
session_risk
"session_risk"
{
"risk_category": "BOT-STD",
"risk_band": "High",
"global"
{
"score": "15",
"telltales":[
{
"name": "g-h-cfp-1000000000",
"weight": "7"
}
{
"name": "g-os-impersonation-win",
"weight": "8"
}]
}
"custom"
{
"score": "100",
"telltales":[
{
"name": "outdated-browser-customer-2",
"weight": "100"
}
{
"name": "outdated-os-customer",
"weight": "100"
}]
}
}
Sample Verify API Response With session_risk
With No Triggered Telltales
session_risk
With No Triggered TelltalesNote that this response has no risk_category
field.
"session_risk"
{
"risk_band": "Low",
"global"
{
"score": "0",
"telltales":[]
}
"custom"
{
"score": "0",
"telltales":[]
}
}
Updated about 1 year ago