Journey Model

Journeys are traversals through API endpoints on the web, it involves steps through web-urls in Darwinium Journey configuration. Darwinium provides a generalised framework for continuous monitoring of journeys to both API and Web traffic based on an automatic agglomeration of other signals.

It outputs a single score in the range of -1000 to 1000 into the attribute outcome[CHAMPION].journey_score and intended as a high-level, course-grained agglomeration of risk throughout an entire sequence of events.

Web Journeys

A web-journey is a collection of Steps made by a user as they navigate through a website. A Step is a "touch-point" within a website flow - it can be the loading of a page, a form submit, button click etc.

Following is an example of an Authorization Journey that encapsulates the login page, password/login recovery, failed login, two factor step-up and all other parts of the Authorisation process.

Similarly, for online payments, a Payment Journey could include all of the Payment Steps, such as, transaction history, funds transfer, insufficient funds, successful payment, two factor step-up etc.

Step Overview

A step is a “touch-point” within a website flow. As previously mentioned, it can be loading a page, a form-submit, payment, etc. Following is a schematic representation of workflow for a step (where feature generation, model execution and signal triggering take place):

• Features: Features are numerical values obtained through aggregation of user activities/interactions with device/web application/networks observed over time. In essence, these are indicators of user behavioural pattern.

• Models: Models, here, can be hand-crafted rule-based system or complex ML models which produce a result and score indicative of intent behind user-journey at a particular step.

• Signals: Signals are Boolean indicator (or “flag”) generated an output of conditional rules or through a output of ML model.

Algorithm

As mentioned before, a journey is a collection/sequence of steps wherein many signals/models are executed at each step. However, there is no way of sharing the intelligence/intent/learning gained in one step across the steps further in time.

In order to solve this problem, we propose a probabilistic sequence model based on Dynamic Bayesian Network (DBN) which not only accrues information/learning from all signals in one step but also transfers this information to next or further steps along the user journey. This presents a way to aggregate/combine any malicious/noble intent discovered in previous steps and allows us to take an immediate action whenever the malicious (fraud/scam/bot) score crosses a particular threshold.

Pseudocode for the Journey Model

• For each step:

  • Get initial prior: , and probabilities
    • denote the probabilities for signal  in step

• Calculate:

  • Log-Likelihood:
  • Log-Posterior:
  • step-probability:

• Assign: , Take a dot product of transition matrix A with

All the parameters of the model are obtained through Expectation-Maximization optimization algorithm where Log-Likelihood acts as an expectation. Signal probabilities are varied at each step to maximize the log-likelihood. The model also provides a way to cleanly explain its predictions in terms of log(odds) of each signal and a journey signature in terms of a bitmap (a string of 1s and 0s).