Network data and risk signals provide critical information about how users connect to your application, helping to identify suspicious activities and potential fraud.

Network Data

Network data provides fundamental information about a user’s connection to your application. Here’s an example of the network data collected:

{
  "network": {
    "ip_address": "2600:1700:261:b810:4d06:c3c4:86e:ffc",
    "service_provider": "AT&T Internet",
    "connection_type": "isp"
  }
}

IP Addresses

Verisoul collects IP address information from user sessions. We prioritize collecting IPv6 addresses when available, followed by IPv4. In some cases, multiple IP addresses (both IPv6 and IPv4) may be collected from a single session. This can occur when:

  • A device switches between networks during a session
  • Different traffic is being routed through different networks
  • Network transitions occur (e.g., moving from Wi-Fi to cellular)

Service Provider

The service provider field identifies the Internet Service Provider (ISP) or network operator responsible for the IP address. This information helps establish the legitimacy of the connection and can be used to identify patterns associated with specific providers.

Connection Type

The connection type categorizes the network based on its primary purpose or organization. This classification provides context about the nature of the connection. Possible values include:

  • isp: Standard residential internet service provider
  • mobile: Mobile carrier networks
  • hosting: Cloud service providers and hosting facilities
  • education: Educational institution networks
  • government: Government agency networks
  • private_relay: Privacy services like Apple’s Private Relay

Network Risk Signals

Verisoul analyzes network data to generate risk signals that can indicate potential fraud or suspicious activity. Most of these signals are generated through machine learning models, with the exception of Tor detection.

Device-Network Mismatch

This signal indicates a discrepancy between the reported device characteristics and the network properties. Our system performs deep packet inspection to determine the device type based on networking cards used, then compares this with the reported device characteristics.

A device-network mismatch is a strong indicator of proxy or VPN usage, as it suggests the device is presenting inconsistent networking information.

Datacenter

The datacenter signal identifies when a connection is originating from a cloud service provider or hosting facility rather than a residential or mobile network. This classification is based on the ISP information and network characteristics.

Datacenter IPs are frequently used for automated attacks and fraudulent activities, as they provide anonymity and can be provisioned quickly. This signal can occur alongside proxy or VPN signals.

Tor

Tor detection identifies connections coming from the Tor anonymity network. Unlike our other network signals, Tor detection is primarily based on known exit node lists rather than machine learning models.

Tor connections mask a user’s true location and identity by routing traffic through multiple relays, making them a common tool for users attempting to hide malicious activity.

VPN

VPN (Virtual Private Network) detection identifies when users are routing their traffic through encrypted tunnels to mask their true location and IP address. Rather than simply checking IP addresses against known VPN provider lists, Verisoul performs 11 real-time active tests from the client side to collect data and run a machine learning model.

Our VPN detection includes:

  • Deep packet inspection
  • Latency analysis
  • Location analysis
  • Traffic pattern recognition

Proxy

Proxy detection identifies when users are routing their traffic through intermediary servers. While similar to VPNs in some ways, proxies often lack encryption and may operate differently.

Our system distinguishes between different types of proxies:

  • Open proxies
  • Anonymous proxies
  • Transparent proxies
  • Residential proxy networks
  • Mobile proxy networks

Like our VPN detection, proxy identification uses multiple real-time tests and machine learning rather than simple IP list matching.

Implementation Notes

In some cases, the distinction between proxy and VPN can be blurred. Our system attempts to classify the connection as accurately as possible based on its characteristics, but will prioritize identifying the most likely category.

The datacenter signal can occur alongside proxy or VPN signals, as many proxy and VPN services operate from datacenter environments.

Our approach to network risk signal detection focuses on active testing and behavioral analysis rather than static lists, allowing us to identify new and evolving evasion techniques.

Reducing False Positives

Our real-time active testing approach significantly reduces false positives compared to traditional IP-based detection methods. Static IP reputation databases can lead to false positives because:

  • IP addresses frequently rotate among users
  • Multiple legitimate users may share the same IP address (especially with carrier-grade NAT)
  • IP addresses previously used for proxies may be reassigned to legitimate users
  • VPN and proxy services regularly change their infrastructure

By performing real-time active tests from the client side rather than relying solely on IP reputation databases, we can accurately determine the current network characteristics of each session. This approach ensures that users aren’t incorrectly flagged based on historical IP data, providing a more accurate and fair risk assessment.