Risk Scoring

A key aspect of IP intelligence is risk scoring. Assigning a numerical value to behavior has many benefits; however, it also has drawbacks. While we provide a risk score through our API, we want to be transparent about how it is calculated, its drawbacks, and how you can build a more intelligent system internally.

Synthient uses the following data sources when assigning a risk score.

  • Behavioral: Device clustering on an IP address from torrenting and browsing traffic.
  • Anonymization: residential proxy, VPN, and other anonymizing-service indicators.
  • Honeypots: Exploit scanning, credential stuffing, and phishing data.

We encourage all enterprise clients to use their own internal scoring system for a variety of reasons:

  • Every use case is different: whether you are trying to stop large-scale bot farms or mitigate DDoS attacks, the risk can vary significantly. You may notice that certain proxy providers target your platform more aggressively than others.
  • Context is everything: in most scenarios, you will have additional context that we lack. Our risk score cannot account for data we have no visibility into.
  • Limited granularity: a single score collapses several distinct signals into one number.

Building a Risk Scoring Engine

The following sections cover key considerations for customers building on the enterprise data.

Handling Residential Proxies

Residential proxies have a short lifespan and are also used by legitimate users. A common challenge for teams working on residential proxy detection is distinguishing fraudulent from legitimate traffic. To reduce false positives, we encourage using the Firehose in combination with an expiring cache: each sighting is stored with a timestamp and dropped once it ages out. Clients who want a more aggressive approach to reducing false positives can act only on proxies observed within a 5-10 minute window. Clients are advised to combine the main data with additional detection signals for improved accuracy.

Working with VPNs and Static Proxies

As part of the Bulk Feeds product, clients can export IP addresses and ranges associated with ISP/datacenter proxies and VPNs. ISP and datacenter proxies are used exclusively for automated behavior and should be either blocked outright or treated as high risk. VPNs are more complicated and should be treated as medium to high risk in most scenarios.

Using Device Clustering

Synthient receives browsing data from third parties. This data allows us to find device clusters on a single IP address and known-bad TLS fingerprints. Both feed into the risk score, with a penalty similar to the one applied for residential proxy frequency.
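The three considerations above (an expiring cache for residential proxy sightings, static feeds for ISP/datacenter proxies and VPNs, and a device clustering penalty) fit together in one small internal engine. The following is an added illustration, not Synthient's API or scoring code: the feed category names, the Firehose event shape (`{"ip", "type", "ts"}`), the weights, the cluster threshold and the documentation-range sample addresses are all assumptions made for this example.

```python
import ipaddress
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed example of an internal scoring engine. The feed categories,
# Firehose event shape and every weight below are assumptions for this
# illustration, not Synthient's own API or scoring.

RESIDENTIAL_TTL = 10 * 60   # seconds; the 5-10 minute window from the text
CLUSTER_THRESHOLD = 5       # devices behind one IP before we penalise (assumed)
BLOCK = 100                 # ISP / datacenter proxies: block outright


@dataclass
class RiskEngine:
    # Bulk Feeds style static lists: category -> networks (categories assumed)
    static_feed: dict
    ttl: int = RESIDENTIAL_TTL
    # expiring cache of residential proxy sightings: ip -> last seen (epoch seconds)
    residential_seen: dict = field(default_factory=dict)
    # behavioural signal from browsing data: ip -> distinct device count
    device_clusters: dict = field(default_factory=dict)
    # IPs that presented a known-bad TLS fingerprint
    bad_tls: set = field(default_factory=set)

    def ingest_firehose(self, event: dict) -> None:
        """Record a residential proxy sighting.
        Assumed event shape: {"ip": str, "type": "residential", "ts": float}."""
        if event.get("type") != "residential":
            return
        self.residential_seen[event["ip"]] = float(event["ts"])

    def _expire(self, now: float) -> None:
        """Drop sightings older than the TTL so short-lived proxies age out."""
        stale = [ip for ip, ts in self.residential_seen.items() if now - ts > self.ttl]
        for ip in stale:
            del self.residential_seen[ip]

    def static_category(self, ip: str) -> Optional[str]:
        """Look the address up in the static feeds; None if it is in no range."""
        addr = ipaddress.ip_address(ip)
        for category, networks in self.static_feed.items():
            if any(addr in net for net in networks):
                return category
        return None

    def score(self, ip: str, now: Optional[float] = None) -> tuple:
        """Return a 0-100 score and the reasons that contributed to it."""
        now = time.time() if now is None else now
        self._expire(now)
        category = self.static_category(ip)
        if category in ("isp_proxy", "datacenter_proxy"):
            return BLOCK, [f"{category}: static feed, block outright"]
        score, reasons = 0, []
        if category == "vpn":
            score += 60
            reasons.append("vpn: static feed, medium-high risk")
        if ip in self.residential_seen:
            score += 40
            reasons.append("residential proxy seen within ttl")
        if self.device_clusters.get(ip, 1) > CLUSTER_THRESHOLD:
            score += 40  # same weight as a fresh residential sighting
            reasons.append("device cluster: many devices behind one ip")
        if ip in self.bad_tls:
            score += 30
            reasons.append("known-bad tls fingerprint")
        return min(score, 100), reasons


def build_demo_engine() -> RiskEngine:
    """Constructed sample feeds and signals (documentation ranges, not real data)."""
    feed = {
        "datacenter_proxy": [ipaddress.ip_network("203.0.113.0/24")],
        "vpn": [ipaddress.ip_network("198.51.100.0/24")],
    }
    engine = RiskEngine(static_feed=feed)
    engine.ingest_firehose({"ip": "192.0.2.10", "type": "residential", "ts": 1000.0})
    engine.ingest_firehose({"ip": "192.0.2.11", "type": "residential", "ts": 100.0})
    engine.device_clusters["192.0.2.20"] = 12
    engine.bad_tls.add("192.0.2.20")
    return engine


if __name__ == "__main__":
    eng = build_demo_engine()
    for ip in ("203.0.113.5", "198.51.100.7", "192.0.2.10", "192.0.2.11", "192.0.2.20"):
        print(ip, eng.score(ip, now=1200.0))
```

Scoring is evaluated at a fixed `now` so the TTL behaviour is reproducible: the sighting of `192.0.2.11` at `ts=100` has aged out by `now=1200`, while `192.0.2.10` (seen at `ts=1000`) still counts. Static feed hits short-circuit before any other signal, which is where a per-platform tuning of weights and thresholds, as the page recommends, would go.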