17 Predictive Analysis

Oracle Adaptive Access Manager's Predictive Analysis feature complements configurable rules and behavioral profiling by enabling you to perform statistical risk analysis in real time using its out-of-the-box predictive analytic application that integrates ODM features, such as data mining and data analysis algorithms. Risk analysis is trained over time.

17.1 Important Terms

Important terms for predictive analysis are presented in this section.

17.1.1 Predictive Analysis

Predictive analytics encompasses a variety of techniques from statistics, data mining and game theory that analyze current and historical facts to make predictions about future events.

  • Individual User Behavior Profiling: An end user's current login behavior is evaluated to determine how abnormal it is compared to that user's own past behavior, if past behavior has been captured.

  • Individual Device Profiling: Devices used for login have behavior that is evaluated to determine how abnormal it is currently compared to their own past behavior if past behavior has been recorded.

  • New Device Profiling: If a device does not have any historical data to profile then predictive techniques are used to determine how risky the device is.

  • User Type and Location Profiling: Predictive models evaluate the degree of anomaly based on the type of user (groups, Organization ID) rather than each individual user.

  • User Type and Time Profiling: Similar to location profiling, time profiling uses predictive techniques to identify anomalies in behavior when there is not much historical data for the specific user but there is production data related to users of the same type.

17.1.2 Data Mining

Data mining is the practice of automatically searching large stores of data to discover patterns and trends that go beyond simple analysis. Data mining uses sophisticated mathematical algorithms to segment the data and evaluate the probability of future events. Data mining is also known as Knowledge Discovery in Data (KDD).

Data mining can answer questions that cannot be addressed through simple query and reporting techniques.

17.1.3 ODM

Oracle Data Mining (ODM) is an option that extends Oracle Database 11g Enterprise Edition's out-of-the-box capabilities. ODM implements data mining and data analysis algorithms for prediction and anomaly detection and enables deployment of data mining models inside the database. The ODM option is not a separate component; functionality is built into the Oracle database kernel and operates on data stored in the database tables. There is no need to move data out of the database into files for analysis and then back from files into the database for storing. The data never leaves the database -- the data, data preparation, model building, and model scoring results all remain in the database.

17.1.4 Predictive Models

Predictive models are supervised learning functions. Using predictive models, OAAM fine tunes its analysis; the more each model is trained, the more accurate the risk analysis becomes. The out-of-the-box predictive models are trained in two ways: the anomaly detection model trains automatically when fed historical access data, and the fraud classification model trains on the findings of human fraud investigators. You can configure additional models as required to meet specific deployment use cases. This approach to predictive risk analysis enables you to clearly see on which decisions outcomes are based and enables augmentation as required.

17.2 Prerequisites

Make sure the following prerequisites are met before you activate the Predictive Analysis functionality:

  • Oracle 11g Enterprise Edition release of the database is being used

  • Oracle Data Mining (ODM) option

  • Identity Management Suite is installed

  • A reasonable amount (at least 100) of OAAM sessions exists that represent a variety of usual OAAM sessions

  • At least 100 sessions exist that are classified as "Fraud" and "Not Fraud" using the Agent Case functionality.

    Note:

    To mark a session as Fraud/Not Fraud, create an agent case, link the session, and close the Agent case with Disposition as either "Confirmed Fraud" or "Not Fraud".

    For testing purposes remember the criteria for marking sessions as "Fraud" or "Not Fraud" since the ODM (Oracle Data Mining) model will use that as the training data.

17.3 Initial Setup

  1. Create an ODM database user. Execute the SQL script create_odm_user.sql.

    When it prompts for inputs, enter the ODM user name as the value of the first parameter and then the password of the ODM user as the value of the second parameter.

    The script is located in the $MW_HOME\oaam\cli\odm folder.

  2. Set up the OAAM CLI environment. Make sure you have added the following to the CSF/Credential Store using Oracle Enterprise Manager Fusion Middleware Control:

    1. OAAM Database User Name and Password with oaam_db_key as the keyname under the map oaam.

    2. ODM Database User Name and Password with oaam_odm_db_key as the keyname under the map oaam.

    3. Set the property oaam.db.url with the JDBC URL of the OAAM database in oaam_cli.properties.

  3. By default, Predictive Risk uses the OAAM_CLASSIFIED_REQUEST_VIEW. For predictive risk to work for sessions from non-flash devices, you need to use "OAAM_CLASSIFIED_REQ_NOFLASH_VW".

    The OAAM_CLASSFIED_REQ_NOFLASH_VW view has all the requests (both flash and no-flash).

    To set the OOTB ODM Model "OAAM Fraud Request Model" to use the no-flash data, set the following properties before running initODM.sh:

    oracle.oaam.odm.model.enum.oaam_fraud_request_model.data_table_name=OAAM_CLASSFIED_REQ_NOFLASH_VW
    oracle.oaam.odm.model.enum.oaam_fraud_request_model.inputdata_mapping=oracle.oaam.odm.datamapping.enum.user_request_data_noflash
    
  4. Run the shell script initODM.sh in the OAAM CLI folder. This script does the following:

    • Seeds the ODM tables that have the normalized data of the browser and flash fingerprints

      • OAAM_DEVICE_BROWSER_FPRINTS

      • OAAM_DEVICE_FLASH_FPRINTS

    • Creates the following database views that are used as input data by the ODM models:

      • OAAM_CLASSIFIED_REQUESTS_VW

      • OAAM_INVESTIGATED_REQUESTS

      • OAAM_UNCLASSIFIED_REQUESTS_VW

      • OAAM_CLASSIFIED_REQ_NOFLASH_VW

      • OAAM_UNCLASSIFIED_REQ_NOFLASH_VW

    • Creates the following ODM Models if required data is present:

      • OAAM_ANOMALY_REQUEST

      • OAAM_FRAUD_REQUEST

  5. Log in to OAAM Admin Server and link the Predictive Analysis Policy to All Users or the required user groups.

  6. Log in to WebLogic Admin Server using the WebLogic Console, create a DataSource with a JNDI name such as jdbc/OAAM_SERVER_ODM_DS, point it to the ODM Database User, and add the Managed Server of OAAM Server as the target.

  7. Restart OAAM Server since ODM initialization updates some enum-related properties.

  8. To test anomaly detection, try to log in from a different kind of browser or location which is not yet present in the OAAM database.

  9. To test "fraudulent session prediction" functionality, log in with a session similar to one that is linked to an Agent case closed with the Confirmed Fraud disposition.

17.4 Rebuild the ODM Models to Provide Feedback and Update Training Data

Important points about rebuilding the ODM models are presented in this section.

  • Rebuilding the ODM models is one way to provide feedback to ODM with latest case creation data so that sessions can be appropriately flagged.

  • You can rebuild the ODM models at regular intervals so that ODM models are trained with the latest data in OAAM.

  • Based on the volume of requests, you can determine the frequency of rebuilding the models. It is recommended to rebuild the models every month at the end of the month.

  • You can set the date range of requests that have to be considered by the ODM models by setting the property oracle.oaam.predictive_analysis.request.period as follows:

    • Format of value is <Number of Years>,<Number of Months>,<Number of Days>,<Number of Hours>

    • Examples:

      • Everything can be indicated using 0 (zero). Use this option with caution: if there are more than a couple of million OAAM requests, this could result in very high model build times and out-of-memory database errors.

      • Last two years can be indicated using 2,0,0,0 or just 2.

      • Last two years and three months can be indicated using 2,3,0,0 or just 2,3.

      • Last 3 days can be indicated using 0,0,3,0

      • Last four hours can be indicated using 0,0,0,4

  • Set up the OAAM CLI environment and run the script initODM.sh.

17.5 Policy Evaluation

The following steps describe the flow of Predictive Analysis evaluation:

  1. OAAM User Request goes for Post-Authentication checkpoint evaluation.

  2. Predictive Analysis policy executes as part of Post-Authentication.

  3. The "Check if the current request is fraudulent" rule is executed. As part of the execution, it takes the required classification type and the values of attributes from the current request and executes the ODM SQL function prediction_probability() with the given model name. This call returns a prediction probability value, which is tested to see if it falls in the given range. If so, the "OAAM Suspicious Fraudulent Request" alert is generated and the risk score is set to 700.

  4. The "Check if the current request is anomalous" rule is executed. As part of the execution, it takes the values of attributes from the current request and executes the ODM SQL function prediction_probability() with the given model name. This call returns a prediction probability value, which is tested to see if it falls in the given range. If so, the "OAAM Anomalous Request" alert is generated and the risk score is set to 600.
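
The two rule evaluations in steps 3 and 4, written out as one query. This is an added example, not OAAM's own rule code: the model names are the ones initODM.sh creates, the attribute values are constructed sample data, and the 0.70 to 1.00 trigger range is an assumption, because the real range is a parameter of each rule condition.

```sql
-- Added example, not Oracle's rule implementation.
-- Run as the ODM database user after initODM.sh has built the
-- OAAM_FRAUD_REQUEST and OAAM_ANOMALY_REQUEST models.
-- Attribute names come from the input data mapping list; the values are
-- constructed, and their data types are assumed to match the model's view.
WITH current_request AS (
  SELECT 3         AS request_hour,
         7         AS request_day_of_week,
         'success' AS auth_status,
         'Firefox' AS browser_name,
         'Linux'   AS browser_operating_system,
         'en'      AS browser_language,
         840       AS country_id
  FROM dual
),
scored AS (
  SELECT
    -- Step 3: probability that the request belongs to the 'fraud' class.
    PREDICTION_PROBABILITY(OAAM_FRAUD_REQUEST, 'fraud' USING *) AS p_fraud,
    -- Step 4: probability of class '0', as in the anomaly test query form.
    PREDICTION_PROBABILITY(OAAM_ANOMALY_REQUEST, '0' USING *)   AS p_anomaly
  FROM current_request
)
SELECT
  ROUND(p_fraud, 4)   AS p_fraud,
  CASE WHEN p_fraud BETWEEN 0.70 AND 1.00        -- assumed rule range
       THEN 'OAAM Suspicious Fraudulent Request' END AS fraud_alert,
  CASE WHEN p_fraud BETWEEN 0.70 AND 1.00
       THEN 700 END                                  AS fraud_risk_score,
  ROUND(p_anomaly, 4) AS p_anomaly,
  CASE WHEN p_anomaly BETWEEN 0.70 AND 1.00      -- assumed rule range
       THEN 'OAAM Anomalous Request' END             AS anomaly_alert,
  CASE WHEN p_anomaly BETWEEN 0.70 AND 1.00
       THEN 600 END                                  AS anomaly_risk_score
FROM scored;
```

Running the query with the attribute values of a known fraud session and of a routine session shows how far apart the two probabilities sit, which helps when choosing the range for each rule condition.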

17.6 Tuning the Predictive Analysis Rule Conditions

The following parameters of Predictive Analysis rule conditions can be tuned/changed:

  • ODM Model Name that is used for evaluation/scoring

  • Range of prediction probability to trigger the rule condition

  • Default return value in case of errors

  • Classification Type (applies only to the Check Fraudulent User rule condition)

To set the parameters you can go to the Predictive Analysis Policy and open the required rule and update the parameters.

Note:

The following sections describe advanced functionality which is typically performed by integrators who have Java coding knowledge and knowledge of both OAAM and ODM.

17.7 Adding Custom Database Views

  • Add the custom view definitions to $MW_HOME\oaam\cli\odm\custom_oaam_odm_views.sql.

    Note:

    Make sure the view definition SQL ends with ";" and there are no extra lines or comments in the file.
  • If you do not want to hard-code the OAAM Database User name then use the variable <oaam_user> wherever you refer to the OAAM schema. This will be replaced with the actual OAAM Database user name by initODM.sh when you run it next time.

  • When you run initODM.sh the next time, it will execute the SQL statements in custom_oaam_odm_views.sql that will create the custom views.

17.8 Adding Custom Grants

  • Add the SQL statements that grant select access to OAAM tables to the file $MW_HOME\oaam\cli\odm\custom_oaam_grants_to_odm_user.sql.

    Note:

    Make sure the grant statements end with ";" and there are no extra lines or comments in the file.
  • If you do not want to hard-code the ODM Database User name then use the variable <odm_user> wherever you refer to ODM Database User. This will be replaced with actual ODM Database user name by initODM.sh when you run it next time.

  • When you run initODM.sh next time, it will execute the SQL statements in custom_oaam_odm_views.sql.

17.9 Adding New ODM Models

To add a new ODM Model, follow these steps:

  1. Determine the type of model. Currently OAAM supports only CLASSIFICATION models.

  2. Determine if the existing ODM view can be used to build the model. If not, create a new view and add that definition to $MW_HOME\oaam\cli\odm\custom_oaam_odm_views.sql.

    Note:

    Make sure the view definition SQL ends with ";" and there are no extra lines or comments in the file.
  3. Determine if any of your new views require additional grants to access the OAAM tables or any custom tables. Add those custom grants to $MW_HOME\oaam\cli\odm\custom_oaam_grants_to_odm_user.sql.

    Note:

    Make sure the grant statements end with ";" and there are no extra lines or comments in the file.
  4. Create a new ODM model using Oracle Data Miner or using the SQL command call dbms_data_mining.create_model(). Refer to ODM documentation for details.

  5. Test your ODM model using sample data. You can typically do this by executing the following:

    • For anomaly detection models:

      Select prediction_probability(<model_name>, '0' using <value1> as attribute1, <value2> as attribute2, ... <valueN> as attributeN) from dual

    • For other classification models:

      Select prediction_probability(<model_name>, <classificationValue> using <value1> as attribute1, <value2> as attribute2, ... <valueN> as attributeN) from dual

  6. Once you are done with testing, add a new enum element to oracle.oaam.odm.model.enum with the following properties:

    Table 17-1 Properties for oracle.oaam.odm.model.enum

    | Property Name | Notes |
    |---|---|
    | name | Name of the model |
    | description | Description of the model |
    | type | Type of the model. Anomaly Detection: oracle.oaam.odm.modeltypes.enum.oneclasssvm. Classification: oracle.oaam.odm.modeltypes.enum.classification |
    | odm_model_name | Exact name of the ODM model. The OAAM setup script uses this to create the ODM model. |
    | data_table_name | Exact name of the input data table/view name. The model will be built using this table/view name. |
    | case_id_column | Column in the data table/view that uniquely identifies each row. |
    | target_column | Do not specify this for Anomaly Detection models. For classification models, specify the column whose value has to be predicted. Typically this column should have the values ('fraud' or 'not_fraud') as mentioned in oracle.oaam.odm.fraud_classification_types.enum. |
    | settings_table_name | Name of the database table that has settings for the ODM model. You can use the existing tables 'OAAM_ANOMALY_MODEL_SETTINGS' for Anomaly Detection models and 'OAAM_ANOMALY_MODEL_SETTINGS' for Classification models if you don't have any explicit settings. |
    | inputdata_mapping | Specify how the input required for evaluation/scoring is mapped to OAAM Data. You can use the following existing mappings if you do not have any new requirements; otherwise refer to Section 17.10, "Adding Custom Input Data Mappings": oracle.oaam.odm.datamapping.enum.user_request_data, oracle.oaam.odm.datamapping.enum.user_request_data_noflash |
    | is_available | Set it as 'false' so that the initODM.sh script can build the ODM model and set this value to 'true'. If you already built the ODM model by yourself then set this value to 'true' so that the OAAM rules can use this model to evaluate/score against input data. |
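
A worked pass through steps 2 to 4 for a custom classification model built by hand. This is an added example, not taken from Oracle's scripts: every CUSTOM_* object and its columns are hypothetical, while the DBMS_DATA_MINING calls and the <oaam_user>/<odm_user> variables are used as documented.

```sql
-- Added example; all CUSTOM_* names and their columns are hypothetical.
-- Statements 1 and 2 show the content of the two initODM.sh input files
-- (the files themselves must not carry comments or extra lines).
-- Statements 3 to 5 are run as the ODM database user.

-- 1. custom_oaam_grants_to_odm_user.sql: read-only access to one table.
GRANT SELECT ON <oaam_user>.CUSTOM_WIRE_REQUESTS TO <odm_user>;

-- 2. custom_oaam_odm_views.sql: expose only the columns the model needs.
CREATE OR REPLACE VIEW CUSTOM_WIRE_REQUESTS_VW AS
  SELECT request_id, request_hour, country_id, browser_name,
         wire_amount_band, fraud_status
  FROM <oaam_user>.CUSTOM_WIRE_REQUESTS;

-- 3. Settings table (settings_table_name in Table 17-1).
CREATE TABLE CUSTOM_WIRE_MODEL_SETTINGS (
  setting_name  VARCHAR2(30),
  setting_value VARCHAR2(128)
);

BEGIN
  -- Algorithm choice is an assumption; any classification algorithm works.
  INSERT INTO CUSTOM_WIRE_MODEL_SETTINGS (setting_name, setting_value)
  VALUES (DBMS_DATA_MINING.ALGO_NAME,
          DBMS_DATA_MINING.ALGO_SUPPORT_VECTOR_MACHINES);
  -- Let ODM normalize and bin the inputs itself.
  INSERT INTO CUSTOM_WIRE_MODEL_SETTINGS (setting_name, setting_value)
  VALUES (DBMS_DATA_MINING.PREP_AUTO, DBMS_DATA_MINING.PREP_AUTO_ON);
  COMMIT;
END;
/

-- 4. Build the model. Each argument corresponds to a Table 17-1 property:
--    odm_model_name, data_table_name, case_id_column, target_column,
--    settings_table_name.
BEGIN
  DBMS_DATA_MINING.CREATE_MODEL(
    model_name          => 'CUSTOM_WIRE_FRAUD',
    mining_function     => DBMS_DATA_MINING.CLASSIFICATION,
    data_table_name     => 'CUSTOM_WIRE_REQUESTS_VW',
    case_id_column_name => 'REQUEST_ID',
    target_column_name  => 'FRAUD_STATUS',   -- holds 'fraud' / 'not_fraud'
    settings_table_name => 'CUSTOM_WIRE_MODEL_SETTINGS');
END;
/

-- 5. Confirm the model exists before registering it in the enum.
SELECT model_name, mining_function, algorithm
FROM user_mining_models
WHERE model_name = 'CUSTOM_WIRE_FRAUD';
```

Because the model is built by hand here, its enum element would carry is_available set to 'true', as described in Table 17-1.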


17.10 Adding Custom Input Data Mappings

This section contains information about adding custom input data mappings.

17.10.1 When to Use

Custom input data mappings are needed if any of the following conditions apply:

  • You want to use fewer attributes (than what is available out-of-the-box) to evaluate/score the out-of-the-box ODM models

  • You want to create a custom ODM model based on a custom table/view that has a different set of attributes than the existing input data mappings.

17.10.2 Using OAAM Attributes to Build a Custom Input Data Mapping

You can use existing OAAM attributes and create custom input data mappings. This approach is useful if you are reusing the existing database view that uses OAAM request data that includes session, browser-fingerprint, flash-fingerprint, and location data.

Steps to create an input data mapping are as follows:

  1. Add a new enum element to oracle.oaam.odm.datamapping.enum.

  2. Set the inputdata_mapping property of model enum element to point to the newly added enum element.

  3. Add the required list of name-values from the following list to the newly added enum element:

    • request_minute=request.minute

    • request_hour=request.hour

    • request_day_of_week=request.day_of_week

    • request_day_of_month=request.day_of_month

    • request_day_of_year=request.day_of_year

    • request_week_of_month=request.week_of_month

    • request_week_of_year=request.week_of_year

    • request_month=request.month

    • request_quarter=request.quarter

    • request_year=request.year

    • auth_status=request.auth_status

    • user_identifier=request.user_identifier

    • login_id=request.login_id

    • user_group_id=request.user_group

    • request_ip_address=request.ip_address

    • is_registered=request.is_registered

    • auth_client_type=request.auth_client_type

    • secure_client_type=request.secure_client_type

    • pre_auth_action=request.pre_auth_action

    • post_auth_action=request.post_auth_action

    • device_id=device.device_id

    • device_cookie_disabled=device.cookie_disabled

    • device_flash_disabled=device.flash_disabled

    • browser_country=browser.country

    • browser_language=browser.language

    • browser_language_variant=browser.language_variant

    • browser_name=browser.browser_name

    • browser_operating_system=browser.os

    • browser_user_agent_string=browser.user_agent_string

    • audio_video_disabled=flash_fingerprint.audio_video_disabled

    • has_accessibility=flash_fingerprint.has_accessibility

    • has_audio=flash_fingerprint.has_audio

    • has_audio_encoder=flash_fingerprint.has_audio_encoder

    • embedded_video=flash_fingerprint.embedded_video

    • has_ime_installed=flash_fingerprint.has_ime_installed

    • has_mp3=flash_fingerprint.has_mp3

    • supports_printer=flash_fingerprint.supports_printer

    • supports_screen_broadcast=flash_fingerprint.supports_screen_broadcast

    • supports_playback_screen_brd=flash_fingerprint.supports_playback_screen_brd

    • supports_streaming_audio=flash_fingerprint.supports_streaming_audio

    • supports_streaming_video=flash_fingerprint.supports_streaming_video

    • supports_native_ssl=flash_fingerprint.supports_native_ssl

    • contains_video_encoder=flash_fingerprint.contains_video_encoder

    • debug_version=flash_fingerprint.debug_version

    • flash_language=flash_fingerprint.flash_language

    • is_local_file_read_disabled=flash_fingerprint.is_local_file_read_disabled

    • manufacturer=flash_fingerprint.manufacturer

    • flash_operating_system=flash_fingerprint.flash_operating_system

    • aspect_ratio_of_screen=flash_fingerprint.aspect_ratio_of_screen

    • player_type=flash_fingerprint.player_type

    • is_color_screen=flash_fingerprint.is_color_screen

    • dots_per_inch=flash_fingerprint.dots_per_inch

    • screen_resolution=flash_fingerprint.screen_resolution

    • flash_version=flash_fingerprint.flash_version

    • country_id=location.country_id

    • state_id=location.state_id

    • city_id=location.city_id

    • metro_id=location.metro_id

    • isp_id=location.isp_id

    • routing_type=location.routing_type

    • connection_type=location.connection_type

    • connection_speed=location.connection_speed

    • top_level_domain=location.top_level_domain

    • sec_level_domain=location.secondary_level_domain

    • asn=location.asn

    • carrier=location.carrier

    • zip_code=location.zip_code

    • region_id=location.region_id

    • phone_area=location.phone_area

17.10.3 Using Custom Attributes to Build a Custom Input Data Mapping

If you want OAAM to use custom attributes while evaluating/scoring an ODM model, you can develop a custom Java class that is used to get the values of the custom attributes.

Follow these steps to use custom attributes for building and evaluating ODM models:

  1. Add a new enum element to 'oracle.oaam.predictive_analysis.attribute_resolvers.enum'.

  2. Add 'class' property with value as the fully qualified class name of the Java class that will have logic to return values for the custom attributes.

  3. Add all the custom attributes as properties to the newly added enum element. Value of these properties can be the name/description of the attribute. Do not use 'name', 'description', 'class' as attribute names.

  4. Develop the custom Java class that handles custom attributes.

    • It should extend the OAAM class oracle.oaam.integration.datamining.rules.OAAMAttributesResolver

    • It should implement a public constructor that takes requestId as the parameter. That constructor should call the super constructor.

    • It should override the method public Object getValue(String attributeName) and have logic to return the value of the given attribute. attributeName will be in the format '<enumElement>.<property>'.

    • Deploy the custom Java class as an OAAM Extension using OAAM Extensions Shared Library. Refer to the Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager for deploying OAAM Extensions.

  5. If you are using a custom database view, add a custom mapping by adding a new enum element to the 'oracle.oaam.odm.datamapping.enum' enum, and add all the column names of the database view as properties to this enum element. Add the related custom attribute name as the value for these properties. The value should be in the format <enumElement>.<property>.

  6. If you are not using a custom database view but just want to create a custom mapping of existing request data, pick the required columns from the following and add them to your custom mapping enum element:

    Table 17-2 Custom Mapping

    | A | B | C |
    |---|---|---|
    | request_minute | device_flash_disabled | flash_language |
    | request_hour | browser_country | is_local_file_read_disabled |
    | request_day_of_week | browser_language | manufacturer |
    | request_day_of_month | browser_language_variant | flash_operating_system |
    | request_day_of_year | browser_name | aspect_ratio_of_screen |
    | request_week_of_month | browser_operating_system | player_type |
    | request_week_of_year | browser_user_agent_string | is_color_screen |
    | request_month | audio_video_disabled | dots_per_inch |
    | request_quarter | has_accessibility | screen_resolution |
    | request_year | has_audio | flash_version |
    | auth_status | has_audio_encoder | country_id |
    | user_identifier | embedded_video | state_id |
    | login_id | has_ime_installed | city_id |
    | user_group_id | has_mp3 | metro_id |
    | request_ip_address | supports_printer | isp_id |
    | is_registered | supports_screen_broadcast | routing_type |
    | auth_client_type | supports_playback_screen_brd | connection_type |
    | secure_client_type | supports_streaming_audio | connection_speed |
    | pre_auth_action | supports_streaming_video | top_level_domain |
    | post_auth_action | supports_native_ssl | sec_level_domain |
    | device_id | contains_video_encoder | asn |
    | device_cookie_disabled | debug_version | carrier |
    |  |  | zip_code |
    |  |  | region_id |
    |  |  | phone_area |