Interpreting the risk score algorithm

Auth0 IP Signals enables all users to obtain a score that indicates the risk level of an analyzed IP address. This article intends to explain how the core service gets this score and why.

The explanation applies equally to the Auth0 IP Signals website, the CLI, and the Slack Bot, since all three are thin wrappers around the same API endpoint. This article is based on the Auth0 Signals website, but the concepts translate directly to the other user interfaces.

Logged in or not logged in

If a user accesses the Auth0 IP Signals website, the first thing they will see is a text box pre-filled with their own IP address. Below it, a black text box shows the curl command the user can run to perform the same query from the command line. This article will later detail how to take advantage of these features once the user has created an account and is logged in.

If the user is not logged in, pressing the ‘Search’ button will give a score indicating the risk level of the IP address.

What is the confidence score?

The confidence score is the sum of analyzing different parameters of the IP address. Any user can obtain the following values:

  • Score 0: the IP address has not scored negatively in any individual test. Although the algorithm cannot ensure that the IP address is reliable (the algorithm tells you if it is NOT reliable), this is the most secure scenario. The algorithm’s opinion about the IP is NEUTRAL.

  • Score -1: the IP address has scored negative in one of the three individual tests. The algorithm classifies the IP address as unreliable and, therefore, RISKY.

  • Score -2: The IP address has scored negative in two of the three individual tests. The algorithm classifies the IP address as unreliable and, therefore, VERY RISKY.

  • Score -3: The IP address has scored negative in all three individual tests. The algorithm classifies the IP address as unreliable and, therefore, the HIGHEST RISK.

It is already clear that there are values between -3 and 0, and that there are no positive values because the algorithm does not calculate confidence indices, but rather indices of DISTRUST.

Individual testing and scores

You must sign up for the service on the home page to obtain detailed information about the individual tests and their scores. If you have any doubts, you can check this Quickstart guide before continuing.

Once the user is signed up and logged in, the black text window under the search text box displays the curl command with the corresponding API Key. When the user performs a search, in addition to the global confidence score, they will obtain detailed information in the following sections:

IP Address Blacklist

In this section, the user will get a zero rating if the IP address is not in any of the available blacklists. This result means that none of the maintainers of the open-source intelligence data sources mentioned earlier reported the IP address at this time.

If the score obtained is -1, the IP address is currently in at least one of the available blacklists. This result means that some of the mentioned maintainers did report the IP address. In this case, it is necessary to be cautious about this IP address and treat it with care.

In case of a negative score, the user can see the list of blacklists that contain the IP address. A user of the Slack Bot can view information about a list by pressing the button with the list name. Users of any other display tool can consult the available lists on the old Apility.io site.

Currently, the algorithm makes no difference in the score obtained if the IP address is in one or more lists; it is a negative result with one or more matches in the blacklists.

Hostname Blacklist

In this section, the algorithm will attempt to reverse-resolve the domain name associated with the IP address. If the service can resolve a domain, it will search for it in the available blacklists of domains.

A result of zero in the rating means that either the service could not find an associated domain name, or it found a domain that is not part of any blacklist.

If the result obtained is -1, the domain found is indeed on one of the blacklists of domains, and therefore it is necessary to be cautious about this IP address and handle it with care.

As in the previous section, it is possible to consult the information on the lists with the Slack Bot or on the old Apility.io site.

Activity in Blacklist

Auth0 Signals maintains historical IP address information: it records when the service first finds an IP address in a given list and when the service no longer finds it there. This information gives users an in-depth view of the activity around an IP address and helps them determine whether it is a "usual suspect" that deserves caution.

In this section, users will obtain a rating that tells them whether the IP address has had recent activity on any of the blacklists. This information is relevant because an IP address may no longer be listed on the current blacklists but may have been in the recent past.

If there is no recent activity on the list, the score obtained in this section will be zero, and we can, therefore, conclude that users can use the IP address with confidence.

If there is recent activity on the list, the score obtained will be -1. We will conclude that the IP address has recent activity, and therefore we should be cautious with it and handle it with care.

The table will show us the following information:

  • The blacklist where the IP address is
  • The date when it happened
  • Whether that IP address was added or removed from the list.

If the user has the Slack Bot, they can consult the information for each entry in the lists. Otherwise, the user can search the blacklist on the old Apility.io website.
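The following is an added example, not code from Auth0 IP Signals, that models the scoring described in "What is the confidence score?" and in the three individual tests above: each test contributes 0 or -1, the sum is the overall score, and geolocation, network and WHOIS data are ignored. The record layout, the field names and the 30-day "recent activity" window are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the per-address data the article describes. The
# field names are this example's own assumptions, not the real API schema.
@dataclass
class IpReport:
    ip: str
    ip_blacklists: List[str]               # IP blacklists listing the address now
    hostname: Optional[str]                # reverse-resolved name, None if none found
    hostname_blacklists: List[str]         # domain blacklists listing that name now
    activity: List[Tuple[str, date, str]]  # (blacklist, when, "added"/"removed")

LABELS = {0: "NEUTRAL", -1: "RISKY", -2: "VERY RISKY", -3: "HIGHEST RISK"}

def ip_blacklist_score(r: IpReport) -> int:
    # One matching list or many both give -1; the count does not change the score.
    return -1 if r.ip_blacklists else 0

def hostname_blacklist_score(r: IpReport) -> int:
    # No resolvable hostname scores the same as a hostname that is on no list.
    return -1 if r.hostname and r.hostname_blacklists else 0

def activity_score(r: IpReport, today: date, window_days: int = 30) -> int:
    # Any add or remove event inside the window counts as recent activity.
    # The 30-day window is an assumption; the article does not state its length.
    cutoff = today - timedelta(days=window_days)
    return -1 if any(when >= cutoff for _, when, _ in r.activity) else 0

def confidence_score(r: IpReport, today: date) -> Tuple[int, str, Dict[str, int]]:
    parts = {
        "ip_blacklist": ip_blacklist_score(r),
        "hostname_blacklist": hostname_blacklist_score(r),
        "activity": activity_score(r, today),
    }
    total = sum(parts.values())  # always between -3 and 0, never positive
    return total, LABELS[total], parts

# Constructed samples. DELISTED is the case the article warns about: not on
# any list today, but removed from one only ten days ago, so it still scores -1.
TODAY = date(2020, 6, 1)
DELISTED = IpReport("203.0.113.7", [], "host.example.net", [],
                    [("list-a", date(2020, 5, 22), "removed")])
ALL_BAD = IpReport("198.51.100.9", ["list-a", "list-b"], "bad.example.net",
                   ["domain-list-x"], [("list-b", date(2020, 5, 30), "added")])
```

Calling `confidence_score(DELISTED, TODAY)` returns the per-test breakdown alongside the total, which is the same split the logged-in website view presents section by section.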

Geolocation

Auth0 Signals displays information to the user about the geolocation of the IP address. The service displays this information for information purposes and has no impact on the overall score of the algorithm.

Network information

Auth0 Signals displays information to the user about the autonomous system that owns the address range the queried IP address belongs to. The service displays this information for informational purposes only; it has no impact on the overall score of the algorithm.

Whois information

The API version of Auth0 IP Signals also offers detailed information about the IP address from the WHOIS registry. This structure is complex; developers can read the full JSON object structure in this section of the documentation.
