UniFi Identity Enterprise - Risk Score Calculations

2023-11-24 02:43:19 UTC

The User Risk Score is a calculated number (score) that reflects the risk severity level. Typically, risk scores are calculated by multiplying the probability of a risk by what it might impact, and weighting in other related factors when required.

Weighting factors

Factor | Weight
Sign-in velocity | 10%
IP | 30%
Location | 20%
Device | 20%
Workhour | 10%
Velocity | 10%

Architecture

  1. The system risk scoring service calculates the risk score based on events, such as sign-in, IP, location, and more. It structures the data and then stores it in the database.
  2. If a user’s action meets the risk level conditions set by the administrator in the security policy, then the system risk scoring service will calculate a risk score.
  3. After the risk score is generated, the policy service will check whether the risk score matches the conditions set in the security rule.

Note: The risk score is an integer between 0 and 100.

Calculation Factors

Sign-In Velocity

Calculates the risk factor based on the number of sign-ins within one minute.
Every time a user logs in within a minute, the risk score increases by 5 points. If the user logs in more than 5 times within a minute, the score is calculated as follows:

Equation: Sign-in Velocity Score = Sign-in Attempts * 5 + (Sign-in Attempts - 5) * Sign-in Attempts

Examples:

  1. If you log in 3 times within the last minute, then your sign-in velocity score will be calculated as follows:
     Sign-in Attempts = 3
     Sign-in Velocity Score = 3 * 5
     = 15
  2. If you sign in 7 times within the last minute, then your risk score will be:
     Sign-in Attempts = 7
     Sign-in Velocity Score = 7 * 5 + (7 - 5) * 7
     = 35 + 2 * 7
     = 35 + 14
     = 49

IP

Calculates the risk factor based on the IP scores. The IP score uses a base score for calculations.
The base score uses the time window between two consecutive sign-ins as in the following table:

Time | Base Score
Within 24 hours | 10
Within 72 hours | 20
Within 168 hours | 30
Within 336 hours | 50
Within 504 hours | 70
Within 720 hours | 80
Outside of 720 hours | 90

Equation: IP score = Base score - Times appeared in the past month

Example

If you signed in to UniFi Identity Enterprise using an IP within 72 hours of your last sign-in time, and you have used this IP to sign in to UniFi Identity Enterprise 5 times in the past month, then your IP score will be calculated as follows:

Base score = 20
Times appeared in the past month = 5
IP score = 20-5
= 15

Location

Calculates the risk score based on the users' geographic location. The risk score calculations use a base score that checks for matched location fields.
Location base score table:

Matched location fields | Base Score
Country, state, and city all matched | 40
Country and state matched | 60
Only country matched | 80
New country | 100

Equation: Location score = Base score - Times appeared in the past month

Example:

  1. A user signed in to a UniFi Identity Enterprise workspace from Los Angeles, California, the United States 3 times in the past month. Their location score will be:
     Base score = 40
     Times appeared in the past month: 3
     Location score = 40 - 3
     = 37
  2. Now, the same user signs in from San Francisco, California, U.S. for the first time. The user's score is adjusted to the following:
     Base score = 60
     Times appeared in the past month: 1
     Location score = 60 - 1
     = 59

Device

Calculates the risk score based on the sign-in device.

  • The base score of a user device recorded in the system ESM Service is set to 50, but the base score will be set to 100 when a user signs in with a new device for the first time.
  • Different browsers on the same device will be regarded as different devices.

Equation: Device score = 50 - Times the device appeared

Example:

  1. A user signed in to a UniFi Identity Enterprise workspace using a mobile phone registered in UniFi Identity Enterprise’s ESM Service 3 times in the past month.
     Base score = 50
     Times device appeared = 3
     Device score = 50 - 3
     = 47
  2. Now, the same user signs in using the same device but through a new browser.
     Base score = 100
     Times device appeared = 3
     Device score = 100 - 3
     = 97
  3. The same user then changes their phone at the end of the month and the number of sign-ins increases to 5 times in the past month.
     Base score = 100
     Times device appeared = 5
     Device score = 100 - 5
     = 95

Workhour

Calculates the risk score based on the site’s working hours.

If a user signs in during the site’s working hours, their base score is set to 30. For every sign-in outside of normal work hours, the user’s risk score increases by 10 points per hour after the site’s closing time.

Equation: Workhour score = 30 + 10 * [Hours past closing time]

Example:
The work hours of a site are 9:00-18:00. A user signs in to the site's UniFi Identity Enterprise workspace at 20:00, so the score is calculated as follows:

Hours past closing time = 20:00-18:00
= 2
Workhour score = 30 +10*2
= 30 +20
= 50

Velocity

The geographic distance and time elapsed between two successive sign-ins are used to calculate the sign-in attempt speed. The following table is then used to calculate a score. Note: The default velocity is 805 km/h (500 mph).

Velocity | Score
Within 100 km/h | Speed * 0.15
Between 100 - 300 km/h | Speed * 0.15
Between 300 - 500 km/h | Speed * 0.12 + 4
Between 500 - 800 km/h | Speed * 0.12 + 4
More than 800 km/h | 100
Not enough data to calculate speed | 30

Final risk score

Equation: Final risk score = Sign-in velocity score * 10% + IP Score * 30% + Location Score * 20% + Device Score * 20% + Workhour Score * 10% + Velocity * 10%

Example:
If a user has the following scores:

  • Sign-in velocity score= 49
  • IP score = 15
  • Location score = 59
  • Device score = 47
  • Workhour score = 50
  • Velocity = 100

Then their final risk score will be calculated as:

Final risk score = 49 * 10% + 15 * 30% + 59 * 20% + 47 * 20%+ 50* 20% + 100 * 10%
= 4.9+4.5+11.8+9.4+10+10
= 50.6

Based on the above example's final risk score, the system classifies the user’s risk score as Medium Risk.
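
The factor formulas and the weighted sum described above, written out in Python so the arithmetic can be checked against your own sign-in data; this is an added example, not Ubiquiti's code. The function names, the clamping of each factor to 0 to 100, the rounding to one decimal and the handling of range boundaries are assumptions that the page does not state.

```python
# Added example. Weights and base scores are taken from the tables on this page;
# clamping, rounding and boundary handling are assumptions.
WEIGHTS = {"sign_in_velocity": 0.10, "ip": 0.30, "location": 0.20,
           "device": 0.20, "workhour": 0.10, "velocity": 0.10}
IP_BASE = [(24, 10), (72, 20), (168, 30), (336, 50), (504, 70), (720, 80)]
LOCATION_BASE = {"city": 40, "state": 60, "country": 80, "new_country": 100}

def clamp(x):
    return max(0.0, min(100.0, float(x)))

def sign_in_velocity_score(attempts):
    score = attempts * 5
    if attempts > 5:                      # extra term above 5 sign-ins per minute
        score += (attempts - 5) * attempts
    return clamp(score)

def ip_score(hours_since_last_sign_in, times_seen_past_month):
    # First time window that contains the gap; 90 when it exceeds 720 hours.
    base = next((b for limit, b in IP_BASE if hours_since_last_sign_in <= limit), 90)
    return clamp(base - times_seen_past_month)

def location_score(match_level, times_seen_past_month):
    return clamp(LOCATION_BASE[match_level] - times_seen_past_month)

def device_score(is_new_device, times_seen):
    # Base 50 for a recorded device, 100 for a first-time device or browser.
    return clamp((100 if is_new_device else 50) - times_seen)

def workhour_score(hours_past_closing):
    return clamp(30 + 10 * max(0, hours_past_closing))

def velocity_score(speed_kmh):
    if speed_kmh is None:                 # not enough data to calculate speed
        return 30.0
    if speed_kmh > 800:
        return 100.0
    if speed_kmh < 300:                   # 300 itself is put in the upper range
        return clamp(speed_kmh * 0.15)
    return clamp(speed_kmh * 0.12 + 4)

def final_risk_score(scores):
    missing = WEIGHTS.keys() - scores.keys()
    if missing:
        raise ValueError(f"missing factor scores: {sorted(missing)}")
    return round(sum(scores[k] * w for k, w in WEIGHTS.items()), 1)
```

With the weights from the weighting table, the six sample scores in the example above combine to 45.6; the worked line above reaches 50.6 because it applies 20% rather than 10% to the Workhour term.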
