This algorithm handles common abbreviations, common nicknames, common acronyms, and date format.

Access Authentication

In the context of an HTTP transaction, the basic access authentication is a method designed to allow a web browser, or other client program, to provide credentials – in the form of a user name and password – when making a request.


Rule result which can impact users such forcing them to register a security profile, KBA-challenging them, blocking access, asking them for PIN or password, and so on.

Actions Group

An actions group is a set of responses that are triggered by a rule.

Action groups are used as results within rules so that when a rule is triggered all of the actions within the groups are activated.

Adaptive Risk Manager

A category of Oracle Adaptive Access Manager features. Business and risk analytics, fraud investigation and customer service tools fall under the Adaptive Risk Manager category.

Adaptive Strong Authenticator

A category of Oracle Adaptive Access Manager features. All the end-user facing interfaces, flows, and authentication methods fall under the Adaptive Strong Authenticator category.

Agent Case

An OAAM Agent case is used to manage and conduct investigations on fraudulent sessions and transactions. The following are some specific functions of an Agent type case. Agent cases are used to perform the following:

  • An investigator utilizes a case to capture findings gathered in the process of investigation

  • Cases are used to manage the life cycle of an investigation.

  • White/black listing of devices, location and other entities.

  • Influence future risk evaluations based on findings

  • Export finding to a spreadsheet

The decision to create a fraud case stems from its sources. Examples of sources are as follows:

  • Investigators monitor or analyze the sessions from a given day continuously. If they find a high "fraud" alert that warrants immediate attention, they file an Agent case. A Fraud Investigator picks up the case and begins investigating further. The Fraud Investigator can create an agent case for alerts, multiple block sessions from a user, multiple blocked sessions from a device, high risk scores, and other situations.

  • A configurable action creates an Agent case automatically as a supplementary action that is triggered based on a result action and/or a risk score after a checkpoint execution.

  • A CSR case is escalated because investigation is needed for some reason.

Agent Case Feedback

Agent case "feed" back closed findings into the risk engine to improve accuracy of future evaluations automatically.

For example, an investigator creates an Agent case and links several fraudulent sessions to it. Later, the investigator closes the case with a disposition of confirmed fraud. A predictive model is rebuilt every "n" hours to take into account data from sessions linked to cases with a confirmed fraud disposition. Investigators can determine the frequency of rebuilding the models. Each session in the system is compared to see how close it is to the fraudulent ones. The closer the match the higher the risk. An example evaluation would be, was the probability more than 50% that this login session is fraudulent based on all sessions linked to confirmed fraud cases?


Rule results containing messages targeted to specific types of Oracle Adaptive Access Manager users.

Alert-centric Investigation Workflow

A Fraud Investigators starts each investigation by searching for sessions or transactions with high severity alerts and reviewing suspect transactions to identify fraud. He views the data involved in an incident and locates related situations by using the complex data relationships captured by OAAM. He creates a case to link data to narrow the investigation. When fraud is identified the investigator records findings, blacklists entities, and closes out cases with a disposition.

Alert Group

Alerts are indicators to personnel (CSR, Investigators, and so on). An alert group contains graded messages that can be triggered by a rule.

Alert groups are used as results within rules so that when a rule is triggered all of the alerts within the groups are activated.

Answer Logic

Answer Logic is a unique combination of Knowledge Based Authentication with registration, answer, and fuzzy logic used in the processing of challenge question responses. It increases the usability of a challenge answer flow by accepting variations of the valid answer.


Attributes are the particular pieces of information associated with the activity being tracked. An example is the time of day for a login. Patterns collect data about members. If the member type is User, the pattern will collect data about users.


The process of verifying a person's, device's, application's identity. Authentication deals with the question "Who is trying to access my services?"

Authentication Status

Authentication Status is the status of the session (each login/transaction attempt creates a new session).

Examples are listed below:

  • If a user logs in for the first time and he goes through the registration process, but decides not to complete the registration process and logs out, the authentication status for this user session is set as "Pending Activation."

  • If a user logs in from a different device/location, he is challenged. He answers the challenge questions incorrectly in all the three attempts, the authentication status for this session is set as "Wrong Password."

  • If a user logs in and is taken to the final transaction page or success page, the authentication status for the particular session is set as "Success."

  • If the user is a fraud and is blocked, the status for the session is set as "Block."


Authorization regards the question "Who can access what resources offered by which components?"

Auto-generated case

An auto-generated case is created when a security administrator configures an action to create an Agent case when specific rules trigger. In other words, the new Agent case is dynamically created as a result of a particular event. This Agent case contains the session data for which it was created. An investigator starts his investigation by performing a search for all cases with New status.

Auto-generated Investigation Workflow

The investigator starts each investigation by searching for new Agent cases dynamically created as a result of a particular event. He performs a search for all cases with new status. The fraud investigator selects the first case. A session is already linked to the case so he drills in on the session for which the case was generated. He looks at the case and other data in the linked session. He views the data involved in an incident and locates related situations by using the complex data relationships captured by OAAM. When fraud is identified the investigator records findings, blacklists entities, and closes out cases with a disposition.


Autolearning is a set of features in Oracle Adaptive Access Manager that dynamically profile behavior in real-time. The behavior of users, devices and locations are recorded and used to evaluate the risk of current behavior.

Black List

A given list of users, devices, IP addresses, networks, countries, and so on that are blocked. An attack from a given member can show up on a report and be manually added to a blacklist at the administrator's discretion.


If a user is "Blocked," it is because a policy has found certain conditions to be "true" and is set up to respond to these conditions with a "Block Action." If those conditions change, the user may no longer be "Blocked." The "Blocked" status is not necessarily permanent and therefore may or may not require an administrator action to resolve. For example, if the user was blocked because he was logging in from a blocked country, but he is no longer in that country, he may no longer be "Blocked."


Software applications that run automated or orchestrated tasks on compromised PCs over the internet. An organization of bots is known as a bot net or zombie network.

Browser Fingerprinting

When the user accesses the system, OAAM collects information about the computer. By combining all that data, the site creates a fingerprint of the user's browser. This fingerprint could potentially uniquely identify the user. Information gathered that makes up the browser fingerprint include the browser type used, extensions installed, system fonts, and the configuration and version information from the operating system, and whether or not the computer accepts cookies.

The browser and flash fingerprints are tracked separately. The fingerprints are available in the session listing and details pages and you can get further details about the fingerprint by opening the respective details pages. Hence, you can have both fingerprints available, but if the user has not installed flash then the digital fingerprint (flash) is set to null.


Patterns are configured by an administrator and Oracle Adaptive Access Manager uses that configuration to create buckets as it needs them. Administrators do not deal or see buckets directly in any way.

Patterns are configured to create either one bucket or multiple buckets. Buckets are containers that are used to capture the frequency of behaviors. Rules evaluate the counters in these buckets for specific members to determine if a situation is anomalous.

Cache Data

Information about historical data during a specified time frame

Cache Policy

Groups offer two Cache Policy options: Full Cache or None.

The "Full Cache" option caches group contents in server memory for the lifetime of the server. Static lookup groups and read-only groups are good candidates for the "Full Cache" option. Administrators must be careful using this option as it uses server memory. A long list of elements can have an adverse affect since groups are re-cached if there are changes to the list.

The "None" Cache Policy option does not use cache and consults the database every time. Device group types are set to "None" because in most cases, they are dynamic and manipulated while the server is running. If you have groups that stay static for the lifetime of the server, you can use the "Full Cache" option instead of "None."


Cases provide tools to track and solve customer service issues.

A case is a record of all the actions performed by the CSR to assist the customer as well as various account activities of the customer. Each case is allocated a case number, a unique case identification number.

Case Created

The date and time the case was created.

Case Description

The details for the case. A description is required for cases.

Case Number

A unique identification number allocated to each case.

Case Status

Case Status is the current state of a case. Status values used for the case are New, Pending, Escalated, or Closed. When a case is created, the status is set to New by default.

Case Type

Type of case.

  • CSR - CSR Cases are used in customer care situations associated within the normal course of doing business online and over the phone when providing assistance to customers. The customer support representatives can use the CSR set of tools for handling inquiries associated with Oracle Adaptive Access Manager. A CSR case is attached to a user.

  • Escalated - When a CSR Manager identifies that a particular case needs additional investigation and escalates the case and the CSR Case becomes an escalated case. It is associated with a user.

Challenge Questions

Challenge Questions are a finite list of questions used for secondary authentication.

During registration, users are presented with several question menus. For example, he may be presented with three question menus. A user must select one question from each menu and enter answers for them during registration. Only one question from each question menu can be registered. These questions become the user's "registered questions."

When rules in OAAM Admin trigger challenge questions, OAAM Server displays the challenge questions and accepts the answers in a secure way for users. The questions can be presented in the QuestionPad, TextPad, and other pads, where the challenge question is embedded into the image of the authenticator, or simple HTML.

Challenge Type

Configuration of a type of challenge (ChallengeEmail, ChallengeSMS, ChallengeQuestion)


A checkpoint is a specified point in a session when Oracle Adaptive Access Manager collects and evaluates security data using the rules engine.

Examples of checkpoints are:

  • Pre-authentication - Rules are run before a user completes the authentication process.

  • Post-authentication - Rules are run after a user is successfully authenticated.

Configurable Actions

Actions that a security administrator configures that are performed based on the rule execution result. Configurable actions are available for checkpoints. One or more configurable action can be specified for a checkpoint. The configurable action is associated with a trigger criteria, which is either an action or result score or both. The configurable action can be specified so that it executes either in synchronous mode or asynchronous mode. Custom configurable actions can be implemented and added to the application. They have to be coded in Java language and they have to implement a predefined interface

Once the configurable action is associated to a checkpoint, it is ready to be triggered after the rules execution of a checkpoint is complete. After the checkpoint is executed, the rules engine returns a result that specifies the final action, score, and the other result actions. Based on the final action and score, relevant configurable actions are executed in synchronous or asynchronous mode.

Completed Registration

Status of the user that has completed registration. To be registered a user may need to complete all of the following tasks: Personalization (image and phrase), registering challenge questions/answers and email/cell phone.

Complex Entity

An entity can be linked to multiple entities based on a relationship name. A complex entity has other entities linked to it by a relationship name.


Conditions are configurable evaluation statements used in the evaluation of historical and runtime data.


A cookie (also browser cookie, computer cookie, tracking cookie, web cookie, internet cookie, and HTTP cookie) is a small string of text stored on a user's computer by a web browser. A cookie consists of one or more name-value pairs containing bits of information such as user preferences, shopping cart contents, the identifier for a server-based session, or other data used by websites. It is sent as an HTTP header by a web server to a web client (usually a browser) and then sent back unchanged by client each time it accesses that server. A cookie can be used for authenticating, session tracking (state maintenance), and maintaining specific information about users, such as site preferences or the contents of their electronic shopping carts.

Creation Method (Buckets)

Patterns are configured to create either one bucket or multiple buckets. Buckets are containers that are used to capture the frequency of behaviors. Rules evaluate the counters in these buckets for specific members to determine if a situation is anomalous.

  • Single-bucket patterns create and populate one bucket with the exact data points and value ranges specified in the pattern.

    For example, if you choose to create an authentication pattern for users (member type) with the country United States (attribute), exactly one bucket is created and populated with users. If a user logs in from the United States, he or she becomes a member of the bucket and the bucket counts are incremented; if he or she does not log in from the United States, the bucket count is not incremented.

  • Multi-bucket patterns usually create more buckets than single-bucket patterns. They create buckets as required based on the parameter configurations.

    You configure the data types and samples you want Oracle Adaptive Access Manager to generate buckets from, and then during pattern processing Oracle Adaptive Access Manager creates buckets as needed to capture behaviors.


Customer service representatives resolve low risk customer issues originating from customer calls. CSRs has limited access to the OAAM Administration Console

  • View the reason why a login or transaction was blocked

  • View a severity flag with alert status to assist in escalation

  • Complete actions such as issuing temporary allow for a customer

CSR Manager

A CSR Manager is in charge of overall management of CSR type cases. CSR Managers have all the access and responsibilities of a CSR plus access to more sensitive operations.


Provides a real-time view of activity via aggregates and trending.

Data Elements

An entity is a set of attributes. Data elements are what is used to describe the attributes that make up an entity. For example, the credit card entity has attributes such as address line 1, address line 2, city, zip, and state. Data elements, such as description, length, type, and so on, are used to describe each attribute.

Data Mining

Data mining is the practice of automatically searching large stores of data to discover patterns and trends that go beyond simple analysis. Data mining uses sophisticated mathematical algorithms to segment the data and evaluate the probability of future events. Data mining is also known as Knowledge Discovery in Data (KDD). Data mining can answer questions that cannot be addressed through simple query and reporting techniques.

Data Type

Entity data may be configured as one of four types including string, numeric, date and Boolean. The string data type is used for the majority of use cases. The numeric data type should be used when arithmetic calculations will be performed on the data by the rules. The date data type is used for data specific data. Boolean data type is used for True/False data.

Date of Last Case Action

In cases, the date when last action occurred.

Date of Last Global Case Action

The last action performed against the user online.

Date of Last Online Action

Date when last online action was executed

Delivery Channel

Delivery mechanism used to send the OTP to the user. Email, SMS, IM, and so on are delivery channels.


A computer, PDA, cell phone, kiosk, etc used by a user

Device Fingerprinting

Device fingerprinting collects information about the device such as browser type, browser headers, operating system type, locale, and so on. Fingerprint data represents the data collected for a device during the login process that is required to identify the device whenever it is used to log in. The fingerprinting process produces a fingerprint that is unique to the user and designed to protect against the "replay attacks" and the "cookie based registration bypass" process. The fingerprint details help in identifying a device, check whether it is secure, and determine the risk level for the authentication or transaction.

A customer typically uses these devices to log in: desktop computer, laptop computer, PDA, cell phone, kiosk, or other web enabled device.

Device Identification

During the registration process, the user is given an option to register his device to the system. If a user tries to login from a registered device, the application knows that it is a safe and secure device and allows the user to proceed with his transactions. This process is also called device identification.

Digest Identification Scheme

The Digest Identification Scheme creates a unique identifier by hashing the values of the selected elements of the entity. The resultant key is usually cryptic.

display scheme

The display scheme consists of the elements you want to present and the order when you want to display the value of an entity in a user interface. For example, if you want to display an address, you would want to show address line 1 as the first item, address line 2 as the second item, city as the third item, state as the fourth item, and zipcode as the fifth item.


When an investigation is complete a case is closed with a disposition. A disposition both summarizes how the case was resolved and how the findings may influence future risk evaluation.

Device Registration

Device registration is a feature that allows a user to flag the device (computer, mobile, PDA, and others) being used as a safe device. The customer can then configure the rules to challenge a user that is not coming from one of the registered devices.

Once the feature is enabled, information about the device is collected for that user. To make use of the information being collected, policies must be created and configured. For example, a policy could be created with rules to challenge a user who is not logging in from one of the registered devices.


Information that is made unreadable to anyone except those owning special knowledge

Entities Editor

A tool to edit entities, a user-defined structure that can be reused across different transactions. Only appropriate and related fields should be grouped into an Entity.


An entity is a data structure that can be reused in multiple transactions. For example, the Address entity could be used as a shipping address, billing address, home address, and so on. Most entities also combine multiple data points into the structure for data optimization. For example, the set of properties in an address could include street number, street name, apartment number, city, state, postal code, and country entity properties.

Entities can be defined and associated as an instance of a transaction. For example, a security administrator can define a Customer entity to be used in an ecommerce transaction. As part of the Customer entity definition, he can link the Address entity as a Shipping Address and as a Billing Address. Shipping Address and Billing Address are two instances of the Address entity. An entity definition is the original model on which the entity instance is patterned. Entity instance creation will only be possible if its corresponding entity definition already exists in the database.

Entity Instance

When an entity linked to another entity or used in a transaction definition an instance is created such as home address or work address

entity Key

The entity Key is the unique identifier provided by the system integrator which is used when creating and updating entities via the API.

Entity Occurrence

When an entity instance is used in a runtime operation an individual occurrence is created such as the shipping address used in order number 356893


Tools for the configuration system properties and snapshots

Expiration Date

Date when CSR case expires. By default, the length of time before a case expires is 24 hours. After 24 hours, the status changes from the current status to Expired. The case could be in pending, escalated statuses when it expires. After the case expires, the user will not be able to open the case anymore, but the CSR Manager can. The length of time before a case expires is configurable.

Execution Types

Two execution types for configurable actions are listed:

  • Synchronous - Synchronous actions are executed in the order of their priority in ascending order. For example, if the user wants to create a case and then send an email with the Case ID, the user would choose synchronous actions. Synchronous actions will trigger/execute immediately.

    If the actions are executing in sequential order and one of the actions in the sequence does not trigger, the other actions will still trigger.

  • Asynchronous actions are queued for execution but not in any particular sequence. For example, if you want to send an email or perform some action and do not care about executing it immediately and are not interested in any order of execution, you would choose asynchronous actions.


User-defined enums are a collection of properties that represent a list of items. Each element in the list may contain several different attributes. The definition of a user-defined enum begins with a property ending in the keyword ".enum" and has a value describing the use of the user-defined enum. Each element definition then starts with the same property name as the enum, and adds on an element name and has a value of a unique integer as an ID. The attributes of the element follow the same pattern, beginning with the property name of the element, followed by the attribute name, with the appropriate value for that attribute.

The following is an example of an enum defining credentials displayed in the login page of an OAAM Server implementation:

bharosa.uio.default.credentials.enum = Enum for Login Credentials
bharosa.uio.default.credentials.enum.companyid.description=Company ID
bharosa.uio.default.credentials.enum.username=1 name
bharosa.uio.default.credentials.enum.username.description=User name

Escalated cases

These special escalated cases retain the user information used to create the CSR case. The flow is as follows: the CSR submits a CSR case for investigators to look into when there is suspicious activity associated with the case. Once escalated the case is treated as an Agent case. It is no longer visible to the CSR. Escalated cases from customer service have the Escalated status and when accessed for the first time, the status automatically changes to Pending. The investigator searches for cases with the Escalated status and filters the results on the severity column so the highest severity cases are shown at the top. Best practice is to open the escalated case and view the logs for notes entered by the CSR and CSR Manager. For example, the notes can show that the CSR escalated the CSR case to an Agent case because he suspected fraud activity.

Example of searching by Escalated status: A CSR Manager escalates a CSR case. Matt is a fraud investigator specializing in customer specific security issues. He searches for all cases with the Escalated case status.

Escalated Case Investigation Workflow

An investigator starts the investigation by searching for all the cases with the Escalated status. He filters the results on the severity column so the highest severity cases are shown at the top. He opens the escalated case and views the logs for notes entered by the CSR and CSR Manager. He searches for sessions based on the user in the case. He views the data involved in an incident and locates related situations by using the complex data relationships captured by OAAM. When fraud is identified the investigator records findings, blacklists entities, and closes out cases with a disposition.

Evaluation Priority

The priority in which the collected data is evaluated:

  • High

    Most of the resources are assigned for the data to be evaluated.

  • Low

    The resources assigned to data evaluation is half as much as the High priority.

Fat Fingering

This algorithm handles Answers with typos due to the proximity of keys on a standard keyboard.

Filter Panel

The Filters panel provides a quick way to perform targeted searches for sessions and transactions simultaneously. Investigators drag and drop individual data points from different pages, such as the case linked sessions tab, search sessions, search transaction and compare transactions.

Flash Fingerprinting

Flash fingerprinting is similar to browser fingerprinting but a flash movie is used by the server to set or retrieve a cookie from the user's machine so a specific set of information is collected from the browser and from flash. The flash fingerprint is only information if flash is installed on the client machine.

The fingerprints are tracked separately. The fingerprints are available in the session listing and details pages and you can get further details about the fingerprint by opening the respective details pages. Hence, you can have both fingerprints available, but if the user has not installed flash then the digital fingerprint (flash) is set to null.

Fraud Investigation

The purpose of a fraud investigation is to evaluate situations where the security policies have detected a high risk scenario that require human intelligence and/or non-electronic interaction to determine whether fraud has occurred and if there were other related incidents. Fraud investigators examine suspicious session and transaction data across events to locate related incidents.

Fraud Investigator

A Fraud Investigator primarily looks into suspicious situations either escalated from customer service or directly from Oracle Adaptive Access Manager alerts. Agents have access to all of the customer care functionality as well as read only rights to security administration and BI Publisher reporting.

Fraud Investigation Manager

A Fraud Investigation Manager has all of the access and duties of an investigator plus the responsibility to manage all cases. An Investigation Manager must routinely search for expired cases to make sure none are pending.

Fraud Scenario

A fraud scenario is a potential or actual deceptive situation involving malicious activity directed at a company's online application.

For example, you have just arrived at the office on Monday and logged into the OAAM Administration Console. You notice that there are a high number of logins with the status "Wrong Password" and "Invalid User" coming in from a few users. Some appear to be coming in from different countries, and some appear to be local. You receive a call from the fraud team notifying you that some accounts have been compromised. You must come up with a set of rules that can identify and block these transactions.

Gated Security

The multiple security checkpoints a user must pass through to gain access to sensitive data or transactions.

Grey List

Anyone not in the black list and white list. Grey list members are subject to various levels of challenges.


Collection of like items. Groups are found in the following situations

  • Groups are used in rule conditions

  • Groups that link policy to user groups

  • Action and alert groups


Hypertext Transfer Protocol

ID Label

When runtime entity data is displayed in the OAAM Administration Console the labels shown will be those defined in the ID Scheme tab of the entity definition.

ID Scheme

An ID scheme consists of the data elements that can uniquely identify an entity, in other words, you are defining the unique combination that identifies the entity. For example, the credit card entity has many attributes, but the way to uniquely identify a credit card is by using the 16-digit credit card number. In that case, the ID scheme is just the credit card number.

Another example, the address entity has address line 1, address line 2, city, state, and zipcode as attributes. Address line 1, address line 2, and zipcode, without the state and city attributes, can still be used to identify the address uniquely.

Investigation Workflow

OAAM provides three workflows, which make it easier for an investigator to examine fraudulent transactions. The investigation workflow includes interfaces to search and compare runtime data, isolate related incidents, capture findings, and affect future risk analysis. Each customer deployment generally utilizes a combination of the following three common workflows depending on business need:

  • Alert-centric

  • Auto-generated

  • Escalated

IP address

Internet Protocol (IP) address

Jail broken

Jail-breaking is the process of removing or circumventing the limitations that manufacturers impose on their devices. Jail breaking, while legal, is a form of privilege escalation that can present a heightened security risk to protected resources.


A job is a collection of tasks that can be run by OAAM. You can perform a variety of jobs such as load data, run risk evaluation, roll up monitor data, and other jobs.

KBA Phone Challenge

Users can be authenticated over the phone using their registered challenge questions. This option is not available for unregistered users or in deployments not using KBA.


Virtual keyboard for entry of passwords, credit card number, and on. The KeyPad protects against Trojan or keylogging.

Keystroke Loggers

Software that captures a user's keystrokes. Keylogging software can be used to gather sensitive data entered on a user's computer.

Key Identification Scheme

The Key Identification Scheme creates a unique identifier by simply concatenating the selected elements of the entity.

Knowledge Based Authentication (KBA)

OAAM knowledge based authentication (KBA) is a user challenge infrastructure based on registered challenge questions. It handles Registration Logic, challenge logic, and Answer Logic.

Last Case Action

The last action executed in the CSR case.

Last Global Case Action

The last action that occurred for this user in all CSR cases. Escalated cases are not taken into account.

Last Online Action

The last action that user executed, for example - Answered challenge question would show "Challenge Question" or if user is blocked, "Block."

Linked Entities

Linked entities are used to configure relationships between entities. Linked entities are created and updated via either the Entity CRUD API or via the transaction CRUD API.

An entity can be linked to another entity. A relationship is the association between entities. The Patient entity can be linked to another entity of type Address. The relationship between "Patient" and "Address" entities can be said to be one-to-one (1:1) because they have a one to one direct mapping. The Address entity is not dependant on the Patient and can reside by itself. It can be linked to other entities like Customers and Providers.

Link Name

When an entity is linked to another the linked entity is given a name which will be used to identify it in other Admin console screens including transaction definitions.


A city, state, country, IP, Network ID, etc from which transaction requests originate.


"Locked" is the status that Oracle Adaptive Access Manager sets if the user fails a KBA or OTP challenge. The "Locked" status is only used if the KBA or One Time-Password (OTP) facility is in use.

  • OTP: OTP sends a one-time PIN or password to the user through a configured delivery method, and if the user exceeds the number of retries when attempting to provide the OTP code, the account becomes "Locked."

  • KBA: For online challenges, a customer is locked out of the session when the Online Counter reaches the maximum number of failures. For phone challenges, a customer is locked out when the maximum number of failures is reached and no challenge questions are left.

After the lock out, a Customer Service Representative must reset the status to "Unlocked" before the account can be used to enter the system.


Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. Malware may contain key loggers or other types of malicious code.

Man-In-The-Middle-Attack (Proxy Attacks)

An attack in which a fraudster is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised

Manually Created Case

Only an investigator can create a manual Agent case directly. No user information is shown or required for creation of an Agent case. The only required inputs to create an Agent case are Organization ID, name, and description. Manually created Agent cases have a Pending status when the case is created.


Member represents the actor in the system.

Mobile Device

A mobile device is a device that runs a mobile operating system, such as the iOS mobile operating system from Apple, while a non-mobile device is a device that runs a non-mobile operating system, such as Mac OS X, Windows 7, and Linux desktop. Because mobile devices and non-mobile devices present different security challenges, mobile authentication and non-mobile authentication are managed separately in Mobile and Social. New mobile devices come online much more frequently and therefore require greater scrutiny, including fraud detection measures.

Mobile Security

Enhanced mobile security includes:

  • Better mobile browser UX

  • Mobile tuned security policies

  • REST services and SDK for mobile application developers

  • Hardened mobile device fingerprinting

  • Lost and stolen mobile device security

Multifactor Authentication

Multifactor authentication (MFA) is a security system in which more than one form of authentication is implemented to verify the legitimacy of a transaction. In contrast, single factor authentication (SFA) involves only a User ID and password.

Multiprocessing Modules (MPMs)

Apache httpd ships with a selection of Multi-Processing Modules (MPMs) which are responsible for binding to network ports on the machine, accepting requests, and dispatching children to handle the requests.

Mutual Authentication

Mutual authentication or two-way authentication (sometimes written as 2WAY authentication) refers to two parties authenticating each other suitably. In technology terms, it refers to a client or user authenticating himself to a server and that server authenticating itself to the user in such a way that both parties are assured of the others' identity.

Nested Policies

A nested policy is a secondary policy used to further quantify the risk score in instances where the original result output by the system is inconclusive. Nested Policies can be assigned to ensure a higher degree of accuracy for the risk score. A nested policy is run only when a specific sequence of answers is returned from the primary policy. Nested policies therefore reduce false positives and negatives.

OAAM Admin

Administration Web application for all environment and Adaptive Risk Manager and Adaptive Strong Authenticator features.

OAAM Server

Adaptive Risk Manager and Adaptive Strong Authenticator features, Web services, LDAP integration and user Web application used in all deployment types except native integration

One Time Password (OTP)

One Time Password (OTP) is a form of out of band authentication that is used as a secondary credential and generated at pre-configured checkpoints based on the policies configured.

OTP Anywhere

OTP Anywhere is a risk-based challenge solution consisting of a server generated one time password delivered to an end user via a configured out of band channel. Supported OTP delivery channels include short message service (SMS), eMail, and instant messaging. OTP Anywhere can be used to compliment KBA challenge or instead of KBA. As well both OTP Anywhere and KBA can be used alongside practically any other authentication type required in a deployment. Oracle Adaptive Access Manager also provides a challenge processor framework. This framework can be used to implement custom risk-based challenge solutions combining third party authentication products or services with OAAM real-time risk evaluations.

Oracle Adaptive Access Manager

A product to protect the enterprise and its customers online.

Oracle Adaptive Access Manager

  • provides multifactor authentication security

  • evaluates multiple data types to determine risk in real-time

  • aids in research and development of fraud policies in offline environment

  • integrates with access management applications

Oracle Adaptive Access Manager is composed of two primary components: OAAM Server and OAAM Admin.

Oracle Data Mining (ODM)

Oracle Data Mining is an option to the Oracle Database EE, provides powerful data mining functionality


The order determines how the data is concatenated while forming the data that identifies the entity.

Organization ID

The unique ID for the organization the user belongs in

Out Of Band Authentication

The use of two separate networks working simultaneously to authenticate a user. For example: email, SMS, phone, and so on.


Patterns are configured by an administrator and record the behavior of the users, device and locations accessing the system by creating a digest of the access data. The digest or profile information is then stored in a historical data table. Rules evaluate the patterns to dynamically assess risk levels.

Pattern Name

Patterns are features characteristic of an individual or a group. Usually these patterns represent behavior considered to be high risk based on industry expertise.

Pattern Status

Status is the current state of a Pattern. There are 4 states in pattern creation.

  • Active

    If data must be collected, the pattern must be in the active state.

  • Inactive

    If the pattern is complete, but you do not want to collect data, select Inactive.

  • Incomplete

    If pattern creation has started, but you need to save it for completion later, select Incomplete. Data is not collected for this state.

  • Invalid

    The administrator may choose to mark the pattern as invalid if he or she does not want the pattern used. Data is not collected for this state.

Personalization Active

Status of the user who has an image, a phrase and questions active. Personalization consists of a personal background image and phrase. The timestamp is generated by the server and embedded in the single-use image to prevent reuse. Each Authenticator interface is a single image served up to the user for a single use.


Pharming (pronounced farming) is an attack aiming to redirect a website's traffic to another, bogus website.


A criminal activity utilizing social engineering techniques to trick users into visiting their counterfeit Web application. Phishers attempt to fraudulently acquire sensitive information, such as user names, passwords and credit card details, by masquerading as a trustworthy entity. Often a phishing exercise starts with an email aimed to lure in gullible users.


This algorithm handles Answers that "sound like" the registered answer, regional spelling differences, and common misspellings


Authentication entry device used to enter a numeric PIN.


A plug-in is an extension and consists of a computer program that interacts with a host application (a web browser or an email client, for example) to provide a certain, usually very specific, function "on demand".


Policies contain security rules and configurations used to evaluate the level of risk at each checkpoint.

Policy Set

A policy set is the collection of all the currently configured policies used to evaluate traffic to identify possible risks. The policy set contains the scoring engine and action/score overrides.

Policy Status

Policy has three status which defines the state of the object or its availability for business processes.

  • Active

  • Disabled

  • Deleted

Deleted is not used.

When a policy is deleted, it is permanently deleted from the database.

By Default every new policy created has status as "Active."

Every copied policy has a default status as "Disabled."

Predictive Analysis

Predictive analytics encompasses a variety of techniques from statistics, data mining and game theory that analyze current and historical facts to detect if a transaction is anomalous or not and to provide a higher identity assurance.

Questions Active

Status of the user who has completed registration and questions exists by which he can be challenged.

Question Set

The total number of questions a customer can choose from when registering challenge questions.


Device that presents challenge questions for users to answer before they can perform sensitive tasks. This method of data entry helps to defend against session hijacking.

Registered Questions

A customer's registered questions are the questions that he selected and answered during registration or reset. Only one question from each question menu can be registered.

Registration Logic

The configuration of logic that governs the KBA registration process.

Risk Score

The numeric risk level associated with a checkpoint.

Row and Column

In element definition, row and column is the location where data is stored in the database. The row and column are automatically assigned. It is optional for the administrator to change these.

Rule Conditions

Conditions are the basic building blocks for security policies.


Rules are a collection of conditions used to evaluate user activity.


Score refers to the numeric scoring used to evaluate the risk level associated with a specific situation. A policy results in a score.

Scoring Engine

Oracle Adaptive Access Manager uses scoring engines to calculate the risk associated with access requests, events, and transaction.

Scoring engines are used at the policy and policy set levels. The Policy Scoring Engine is used to calculate the score produced by the different rules in a policy. The Policy Set Scoring Engine is used to calculate the final score based on the scores of policies.

Where there are numerous inputs, scoring is a able to summarize all these various points into a score that decisions can be based on.

Security Token

Security tokens (or sometimes a hardware token, hard token, authentication token, USB token, cryptographic token) are used to prove one's identity electronically (as in the case of a customer trying to access their bank account). The token is used in addition to or in place of a password to prove that the customer is who they claim to be. The token acts like an electronic key for access a resource.

Severity Level

A marker to communicate to case personnel how severe this case is. The severity level is set by whomever creates the case. The available severity levels are High, Medium, and Low. If a customer suspects fraud, then the severity level assigned is "High." For example, if the customer wants a different image, then the severity level assigned is "Low." Severity levels of a case can be escalated or de-escalated as necessary.

Session Hijacking

The term Session Hijacking refers to the exploitation of a valid computer session - sometimes also called a session key - to gain unauthorized access to information or services in a computer system

Simple Entity

A simple entity is created without any previously linked entities or new linked entities.


A snapshot is a zip file that contains Oracle Adaptive Access policies, dependent components and configurations for backup, disaster recovery and migration. Snapshots can be saved to the database for fast recovery or to a file for migration between environments and backup. Restoring a snapshot is a process that includes visibility into exactly what the delta is and what actions will be taken to resolve conflicts. For information on snapshots, refer to Chapter 14, "Managing System Snapshots."


SOAP, originally defined as Simple Object Access Protocol, is a protocol specification for exchanging structured information in the implementation of Web Services in computer networks. It relies on Extensible Markup Language (XML) as its message format, and usually relies on other Application Layer protocols (most notably Remote Procedure Call (RPC) and HTTP) for message negotiation and transmission. SOAP can form the foundation layer of a web services protocol stack, providing a basic messaging framework upon which web services can be built.

Social Engineering

Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information to a fraudulent entity.

Spoofing Attack

In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage.

Source Data

All parameters (data fields) for the transaction from the external application (client's end) that will be sent to the Oracle Adaptive Access Manager Server.


Spyware is computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user's interaction with the computer, without the user's informed consent.

Strong Authentication

An authentication factor is a piece of information and process used to authenticate or verify the identity of a person or other entity requesting access under security constraints. Two-factor authentication (T-FA) is a system wherein two different factors are used in conjunction to authenticate. Using two factors as opposed to one factor generally delivers a higher level of authentication assurance.

Using more than one factor is sometimes called strong authentication.

Temporary Allow

Temporary account access that is granted to a customer who is being blocked from logging in or performing a transaction.

Temporary Allow Active

Temporary allow is active.

Temporary Allow Expiration Date

Date when temp allow expires.


Personalized device for entering a password or PIN using a regular keyboard. This method of data entry helps to defend against phishing. TextPad is often deployed as the default for all users in a large deployment then each user individually can upgrade to another device if they want. The personal image and phrase a user registers and sees every time they log in to the valid site serves as a shared secret between user and server.


Any process a user performs after successfully logging in can be termed as a transaction. Examples are making a purchase, bill pay, money transfer, stock trade, and address change. The core elements of an Oracle Adaptive Access Manager transaction are entities and transaction data. Entities can be defined and associated as an instance of a transaction. An entity is a user-defined data structure, which comprises of a set of attributes. The entity can be reused across different transactions. An example of an entity is an address. When associating the entity with a transaction he can create a shipping address and billing address from the address entity.

Transactional autolearning

Transactional autolearning includes:

  • Customizable patterning

  • Transaction rule conditions

Transaction Data

Data that is an abstract item or that does not have any attributes by itself, does not fit into any entity, which exists or is unique by itself is defined as transaction data.

Items that cannot fall into an entity are classified as standalone data.

A classic example is amount or code.

Transaction Definition

Application data is mapped using the transaction definition before transaction monitoring and profiling can begin. Each type of transaction Oracle Adaptive Access Manager deals with should have a separate transaction definition.

Transaction Key

This key value is used to map the client/external transaction data to transactions in the Oracle Adaptive Access Manager Server.


A rule evaluating to true.

Transaction Type

The Transaction Definitions that have been configured in this specific installation such as authentication, bill pay, wire transfer, and others.

Trigger Combinations

Additional results and/or policy evaluation based on rule outcome combinations. You can specify a score, action group and alert group based on different rule outcome combinations or you can point to a nested policies to further evaluate the risk.

Trojan/Trojan Horse

A program that installs malicious software while under the guise of performing some other task.


A business, person, credit card, etc that is authorized to conduct transactions.

Utility Panel

The Utility panel is specialized for performing searches and is readily accessible from every page in the OAAM workflows. It is used for quickly finding sessions and transactions that are related to one another based on common data.

Using the Utility Panel enables the investigator to:

  • Quickly locate sessions and transactions with data in common

  • Iterate on a query to expand and contract returns

  • Both view aggregate numbers of sessions and transactions found and drill in to expand investigation


Answer validation used in the KBA question registration and challenge process

Virtual Authentication Devices

A personalized device for entering a password or PIN or an authentication credential entry device. The virtual authentication devices harden the process of entering and transmitting authentication credentials and provide end users with verification they are authenticating on the valid application.


A computer program that can copy itself and infect multiple computers without permission or knowledge of the users.

White List

A list of trusted members. Any activity that originates from these users, devices, IP addresses, networks, countries, and so on can be trusted.