# UniFi Identity Enterprise - Risk Score Calculations

2023-11-24 02:43:19 UTC

The User Risk Score is a calculated number that reflects the risk severity level. Typically, risk scores are calculated by multiplying the user's risk probability by what it might impact, and weighting in other related factors when required.

Weighting factors

| Factor | Weight |
| --- | --- |
| Sign-in velocity | 10% |
| IP | 30% |
| Location | 20% |
| Device | 20% |
| Workhour | 10% |
| Velocity | 10% |

## Architecture

1. The system risk scoring service calculates the risk score based on events, such as sign-in, IP, location, and more. It structures the data and then stores it in the database.
2. If a user’s action meets the risk level conditions set by the administrator in the security policy, then the system risk scoring service will calculate a risk score.
3. After the risk score is generated, the policy service will check whether the risk score matches the conditions set in the security rule.

Note: The risk score is an integer between 0 and 100.

## Calculation Factors

### Sign-In Velocity

Calculates the risk factor based on the sign-in rate per minute.
Every time a user logs in within a minute, the risk score increases by 5 points. If the user logs in more than 5 times within a minute, the score is calculated as follows:

Equation: Sign-in Velocity Score = Sign-in Attempts * 5 + (Sign-in Attempts - 5) * Sign-in Attempts

Examples:

1. If you log in 3 times within the last minute, then your sign-in velocity score will be:
   `Sign-in Attempts = 3`
   `Sign-in Velocity Score = 3 * 5 = 15`
2. If you sign in 7 times within the last minute, then your sign-in velocity score will be:
   `Sign-in Attempts = 7`
   `Sign-in Velocity Score = 7 * 5 + (7 - 5) * 7 = 35 + 2 * 7 = 35 + 14 = 49`

### IP

Calculates the risk factor based on the IP scores. The IP score uses a base score for calculations.
The base score is determined by the time window between two consecutive sign-ins, as in the following table:

| Time | Base Score |
| --- | --- |
| Within 24 hours | 10 |
| Within 72 hours | 20 |
| Within 168 hours | 30 |
| Within 336 hours | 50 |
| Within 504 hours | 70 |
| Within 720 hours | 80 |
| Outside of 720 hours | 90 |

Equation: IP score = Base score - Times appeared in the past month

Example:

If you signed in to UniFi Identity Enterprise using an IP within 72 hours of your last sign-in time, and you have used this IP to sign in to UniFi Identity Enterprise 5 times in the past month, then your IP score will be:

`Base score = 20`
`Times appeared in the past month = 5`
`IP score = 20 - 5 = 15`

### Location

Calculates the risk score based on the users' geographic location. The risk score calculations use a base score that checks for matched location fields.
Location base score table:

| Matched location fields | Base Score |
| --- | --- |
| Country, state, and city all matched | 40 |
| Country and state matched | 60 |
| Only country matched | 80 |
| New country | 100 |

Equation: Location score = Base score - Times appeared in the past month

Examples:

1. A user signed in to a UniFi Identity Enterprise workspace from Los Angeles, California, the United States 3 times in the past month. Their location score will be:
   `Base score = 40`
   `Times appeared in the past month = 3`
   `Location score = 40 - 3 = 37`
2. Now, the same user signs in from San Francisco, California, U.S. for the first time. The user's score is adjusted to the following:
   `Base score = 60`
   `Times appeared in the past month = 1`
   `Location score = 60 - 1 = 59`

### Device

Calculates the risk score based on the sign-in device.

• The base score of a user device recorded in the system ESM Service is set to 50, but the base score will be set to 100 when a user signs in with a new device for the first time.
• Different browsers on the same device will be regarded as different devices.

Equation: Device score = 50 - Times the device appeared

Examples:

1. A user signed in to a UniFi Identity Enterprise workspace using a registered mobile phone in UniFi Identity Enterprise’s ESM Service 3 times in the past month.
   `Base score = 50`
   `Times device appeared = 3`
   `Device score = 50 - 3 = 47`
2. Now, the same user signs in using the same device but through a new network browser.
   `Base score = 100`
   `Times device appeared = 3`
   `Device score = 100 - 3 = 97`
3. The same user then changes their phone at the end of the month and the number of sign-ins increases to 5 times in the past month.
   `Base score = 100`
   `Times device appeared = 5`
   `Device score = 100 - 5 = 95`

### Workhour

Calculates the risk score based on the site’s working hours.

If a user signs in during the site’s working hours, their base score is set to 30. For every sign-in outside of normal work hours, the user’s risk score increases by 10 points per hour after the site’s closing time.

Equation: Workhour score = 30 + 10 * [Hours past closing time]

Example:
The work hours of a site are 9:00-18:00. A user signs in to the site's UniFi Identity Enterprise workspace at 20:00, so the score is calculated as follows:

`Hours past closing time = 20:00 - 18:00 = 2`
`Workhour score = 30 + 10 * 2 = 30 + 20 = 50`

### Velocity

The geographic distance and time elapsed between two successive sign-ins are used to calculate the sign-in attempt speed. The following table is then used to calculate a score. Note: The default velocity is 805 km/h (500 mph).

| Velocity | Score |
| --- | --- |
| Within 100 km/h | Speed * 0.15 |
| Between 100 - 300 km/h | Speed * 0.15 |
| Between 300 - 500 km/h | Speed * 0.12 + 4 |
| Between 500 - 800 km/h | Speed * 0.12 + 4 |
| More than 800 km/h | 100 |
| Not enough data to calculate speed | 30 |

### Final Risk Score

Equation: Final risk score = Sign-in velocity score * 10% + IP Score * 30% + Location Score * 20% + Device Score * 20% + Workhour Score * 10% + Velocity * 10%

Example:
If a user has the following scores:

• Sign-in velocity score = 49
• IP score = 15
• Location score = 59
• Device score = 47
• Workhour score = 50
• Velocity = 100

Then their final risk score will be calculated as:

`Final risk score = 49 * 10% + 15 * 30% + 59 * 20% + 47 * 20% + 50 * 20% + 100 * 10% = 4.9 + 4.5 + 11.8 + 9.4 + 10 + 10 = 50.6`

Based on the above example's final risk score, the system classifies the user’s risk score as Medium Risk.
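
The factor formulas and weights above, combined into one calculator for checking policy thresholds against known inputs. This is an added example, not Ubiquiti's code; the function names, the `LOCATION_BASE` keys, and the boundary handling (each band includes its upper bound) are assumptions. With the 10% Workhour weight from the weighting table, the example inputs give 45.6, whereas the worked line above applies 20% to Workhour and arrives at 50.6.

```python
from bisect import bisect_left

# Weights from the page's weighting-factor table.
WEIGHTS = {"signin_velocity": 0.10, "ip": 0.30, "location": 0.20,
           "device": 0.20, "workhour": 0.10, "velocity": 0.10}
IP_WINDOWS_H = [24, 72, 168, 336, 504, 720]   # upper bounds in hours
IP_BASE = [10, 20, 30, 50, 70, 80, 90]        # last entry: outside 720 h
# Keys are hypothetical labels for the rows of the location table.
LOCATION_BASE = {"city": 40, "state": 60, "country": 80, "new": 100}

def signin_velocity_score(attempts):
    # 5 points per sign-in in the last minute; extra term above 5 attempts.
    extra = (attempts - 5) * attempts if attempts > 5 else 0
    return attempts * 5 + extra

def ip_score(hours_since_last, times_seen):
    # Assumption: each time window includes its upper bound.
    return IP_BASE[bisect_left(IP_WINDOWS_H, hours_since_last)] - times_seen

def location_score(match_level, times_seen):
    return LOCATION_BASE[match_level] - times_seen

def device_score(known_device, times_seen):
    # Base 50 for a recorded device, 100 for a first-time device/browser.
    return (50 if known_device else 100) - times_seen

def workhour_score(hours_past_closing):
    return 30 + 10 * hours_past_closing

def velocity_score(speed_kmh):
    if speed_kmh is None:          # not enough data to calculate speed
        return 30
    if speed_kmh > 800:
        return 100
    # Assumption: the 0.15 band includes exactly 300 km/h.
    return speed_kmh * 0.15 if speed_kmh <= 300 else speed_kmh * 0.12 + 4

def final_risk_score(scores):
    return round(sum(WEIGHTS[k] * scores[k] for k in WEIGHTS), 1)

# Constructed input: the per-factor examples from the page.
EXAMPLE = {
    "signin_velocity": signin_velocity_score(7),   # 49
    "ip": ip_score(72, 5),                         # 15
    "location": location_score("state", 1),        # 59
    "device": device_score(True, 3),               # 47
    "workhour": workhour_score(2),                 # 50
    "velocity": velocity_score(900),               # 100
}

if __name__ == "__main__":
    print(final_risk_score(EXAMPLE))
```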
