Deep Behavioral Profiling

The most complex user behavior profiling solution on the market using behavioral biometrics and payment transaction context to identify any fraudster or impostor.

Behavioral Biometry

ThreatMark brings various features available as separate products to suit the needs of any customer. Business goals and practical application may differ, but the main idea and core technology remains the same – collecting very granular, technical data from end-user devices and analyzing users‘ behavior during their online presence.

The behavioral data consists of real action points, for example, application logon, navigation to a specific page, transaction checkout, etc. Above that, we collect information that describe the user not as a client but as a human being. Namely, the ThreatMark JavaScript probe can gather

  • mouse events (movements, clicks),
  • keyboard typing dynamics,
  • site navigation patterns,
  • interaction with website elements, such as buttons and forms.

This set of information represents “behavioral biometry” which can, with reasonable amount of data and proper processing, uniquely characterize any individual user.


Deep Profiling

Collected data about mouse cursor positions or keystrokes do not provide much valuable information per se. In ThreatMark, we employ sophisticated engineering and automatic extraction to structure the data. The result is a vectorized representation of each user which can contain 1000–15000 atomic features, depending on the model scope and target.

To get deep and thorough behaviometrical profiling, we then add contextual information. Any action performed by a user complements their behavior. For example, a person’s behavior may be slightly different when sending €10 as opposed to €10,000, or when asking for financial leverage, or just browsing legal agreement. For this reason, we do not only compare a user’s behavior in the current session to their previous sessions; we also look at how other people behave in the same context. Overall, context enables creating multiple models for various scopes and significantly reduces false positives.


Continuous Re-authentication

Various models scopes and context allow ThreatMark to perform so-called “continuous re-authentication” – an assessment of user behavior and actions during their whole journey in the online application, not only at logon. So if the session gets hijacked after a successful login, ThreatMark can detect it in a matter of seconds and alert the client. Continuous re-authentication also helps reduce false positives thanks to elaborate score calculations. For example, when calculating an action or context score, we also take into account what a user was doing and what score did they have before the currently calculated event within same session.