At the core of Castle, detecting threats quickly and accurately is our key focus. We are continuously investing in our models in order to improve their performance and strive towards 0% false-positive rates as new attacks get introduced.
Castle’s bot detection looks for scripted or automated behavior. Client-side sensors evaluate and fingerprint both web and mobile devices.
Castle’s ATO detection incorporates User & Entity Behavioral Analysis (UEBA) to build patterns of norms for each user, and detect anomalous activity on a per-device level.
Castle learns from historical traffic patterns unique to each app, so automated attacks like credential stuffing and spam registration are quickly caught.
Our models are constantly maximized for performance. Each time a user reports a device, solves a captcha, or completes MFA, they are labeling and training the models.
Our risk scores are calibrated into ranges with usability in mind: Normal between 0 and 59, Anomalies between 60 and 89, and Threats between 90 and 100 with a threat certainty of 99.9%.
Castle is constantly learning and adjusting its models to your specific app & users. We learn good behaviors from your good users to better detect anomalies and minimize false-positives. We listen when devices are reported to detect emerging threats.
We are regularly rolling out new models to keep ahead. Once we have a candidate model, we evaluate its performance against historical data, monitor it on live data, and activate it once performance gains are a certainty.
Castle produces 2 risk scores for every event: Bot Risk and ATO Risk. Bot Risk highlights automated, scripted activity. But not all bots are bad. ATO Risk highlights account takeovers in action, even when human-powered.
When we surface a threat, we highlight any key risk signals that were detected. Use these insights for analysis, or make them actionable through Policies.
We leverage a blend of techniques and constantly trial new tactics to improve performance and minimize false-positives. Here are a few examples of how we locate, assess, and determine each threat.
We’re always monitoring incoming streams of events, looking for anything really weird. Sudden, large amounts of traffic (like rate limiting). Odd proportions of events (a spike in failed logins over successful logins). Any surprising mix of events that we haven’t seen before.
We look at the entropy of different factors. For example, at scale, most users are on the latest Chrome, Safari, or Firefox versions. Attackers, however, often attempt to mask an onslaught by rotating through a multi-faceted set of User Agents. If you plot this on a histogram, the distribution appears very flat (high entropy) and is easy to see... after the fact. We apply entropy analysis on real-time streams of events, across a range of parameters, detecting the attack as it’s happening.
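The User Agent case above can be sketched as a sliding-window Shannon entropy check. This is an added example, not Castle's implementation; the window size, the 3.0-bit threshold, the `EntropyMonitor` name and the sample traffic are all assumptions constructed for illustration.

```python
import math
from collections import Counter, deque

def shannon_entropy(counts):
    """Shannon entropy (bits) of the distribution described by a Counter."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())

class EntropyMonitor:
    """Entropy of one request attribute over the last `window` events."""
    def __init__(self, window=200, threshold_bits=3.0):
        self.window = window
        self.threshold_bits = threshold_bits  # assumed cut-off, tune per app
        self.events = deque()
        self.counts = Counter()

    def observe(self, value):
        """Record one event and return (entropy_bits, alert)."""
        self.events.append(value)
        self.counts[value] += 1
        if len(self.events) > self.window:
            old = self.events.popleft()
            self.counts[old] -= 1
            if self.counts[old] == 0:
                del self.counts[old]
        h = shannon_entropy(self.counts)
        # A partly filled window is never compared against the threshold.
        return h, len(self.events) == self.window and h > self.threshold_bits

def simulate():
    """Constructed traffic: 400 normal logins, then 400 with rotating agents."""
    normal = ["Chrome/120"] * 6 + ["Safari/17"] * 3 + ["Firefox/121"]
    rotating = [f"ExampleAgent/{i}" for i in range(40)]
    stream = [normal[i % 10] for i in range(400)]
    stream += [rotating[i % 40] for i in range(400)]
    mon, baseline, first_alert, h = EntropyMonitor(), None, None, 0.0
    for i, ua in enumerate(stream):
        h, alert = mon.observe(ua)
        if i == 399:
            baseline = h          # entropy of purely normal traffic
        if alert and first_alert is None:
            first_alert = i       # index of the first flagged event
    return baseline, first_alert, h

if __name__ == "__main__":
    print(simulate())
```

With three dominant browsers the window sits near 1.3 bits; once the rotation through 40 agents fills a quarter of the window the entropy crosses the threshold, well before the window holds only attack traffic.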
Sometimes it’s best to stick to the basics. The client didn’t run JS properly? A mismatch between the request timezone and client timezone? Incoming headers don’t align with the expected User Agent? Dozens of these tried-and-true, simple traps run in parallel to help catch the majority of common bot attacks with low false-positive rates.
You can test and deploy a fully automated, user-centric approach to account security for free.