Parameters of logon fraud detection features in different versions - Fraud Detection

Logon fraud detection protects user accounts that hold high-value assets—balances, bank cards, points, and credit limits—against account theft, malicious attacks, customer complaints, and reputation damage.

Editions

Logon fraud detection is available in two editions to meet the risk control requirements of enterprises across industries and growth stages.

Feature	Basic Edition	Advanced Edition
Real-time analysis	Yes	Yes
Return value	Quantitative scores	Quantitative scores and risk tags
Device risk monitoring	No	Yes. Detects emulators, multi-boxing instances, device farms, multi-tasking software, cloud phones, and hook devices.
Device fingerprint	No	Yes
Gang analysis	No	Yes
Log delivery to Simple Log Service	No	Yes. Authorize Fraud Detection to deliver logs to Simple Log Service, which stores them free of charge for one year.

Service event parameters

Service event parameters are the request parameters passed to the common request parameter ServiceParameters in JSON format. The following sections describe the parameters for Logon Fraud Detection events in both editions.

Important

Alibaba Cloud Fraud Detection does not validate the format of string input parameters—this maximizes adaptability. Validate data formats on your side before sending. For example, a Chinese mainland mobile phone number must be 11 digits and start with 1.

Required parameters

Parameter	Edition	Description	Type	Example
`accountId`	Basic and Advanced	The unique ID of the account. Required unless `mobile` is provided.	String	`10123****`
`operateTime`	Basic and Advanced	The UTC timestamp of the event, accurate to the second. When scanning historical data for risks, pass the actual historical timestamp to avoid misidentification.	Long	`1522555200` (2018-04-01 12:00:00 UTC)
`ip`	Basic and Advanced	The public IPv4 address of the client when the event occurs.	String	`42.120.XX.XX`
`mobile`	Basic and Advanced	The mobile phone number. Numbers in the Chinese mainland need no country code. For numbers outside the Chinese mainland, use the format `<country-code>-<number>`. Required unless `email` is provided. You must specify either `mobile` or `mobileMd5`.	String	Chinese mainland: `138**1111`; outside the Chinese mainland: `001-718123**`
`mobileMd5`	Basic and Advanced	The MD5 hash of the mobile phone number. Pass a 32-character lowercase alphanumeric string. The source number must be 11 digits starting with 1. You must specify either `mobile` or `mobileMd5`.	String	`e7beea81b7a03b38508428fbeeb3****`
`email`	Basic and Advanced	The email address of the user. Required unless `mobile` is provided.	String	`admin****@aliyun.com`

Optional parameters

Providing more parameters improves detection accuracy.

Parameter	Edition	Description	Type	Example
`deviceToken`	Advanced only	The device token from the Device Risk SDK.	String	`MzQvo1d7scyZ3tl_RcJZo_...`
`nickName`	Basic and Advanced	The account alias.	String	`admin****`
`userAgent`	Basic and Advanced	The `User-Agent` request header.	String	`Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36`
`refer`	Basic and Advanced	The `Referer` request header.	String	`https://www.aliyun.com/`
`mac`	Basic and Advanced	The media access control (MAC) address of the device.	String	`C0:77:36:2E:XX:XX`
`operateSource`	Basic and Advanced	The client type. Valid values: `PC`, `H5`, `App`.	String	`PC`
`appVersion`	Basic and Advanced	The app version number. Applies when `operateSource` is `App`.	String	`1.0`
`deviceType`	Basic and Advanced	The device type. Valid values: `PC`, `MOBILE`.	String	`PC`

Example ServiceParameters payload

The following example shows a complete ServiceParameters object with required and optional fields annotated.

{
  // Required fields
  "accountId": "10123****",
  "operateTime": 1522555200,
  "ip": "42.120.XX.XX",
  "mobile": "138****1111",

  // Required (alternative to mobile — specify either mobile or mobileMd5)
  // "mobileMd5": "e7beea81b7a03b38508428fbeeb3****",

  // Required (alternative to mobile — specify either mobile or email)
  // "email": "admin****@aliyun.com",

  // Recommended — improves detection accuracy
  "nickName": "admin****",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36",
  "refer": "https://www.aliyun.com/",
  "mac": "C0:77:36:2E:XX:XX",
  "operateSource": "App",
  "appVersion": "1.0",
  "deviceType": "MOBILE",

  // Advanced Edition only
  "deviceToken": "MzQvo1d7scyZ3tl_RcJZo_QOytAjy1LWRRLoRKo5oZSoo_JGj1ZoR5JGoRo5jcdn57gV5kxVRcLER5RQoZSvRZZQRcROjcMW5csZR_RGy_55RKJ_oooqZ7dSV5gRnKxOV7eWVQQjRtlRQoAjRcM0"
}

Response parameters

The response includes a score field and, in Advanced Edition, a tags field—both nested inside the Data response parameter.

Score interpretation

The following table maps score ranges to risk levels and recommended actions, based on the Alibaba Cloud risk control team's experience. Adjust thresholds to match your business requirements.

Score range	Risk level	Recommended action
[0, 35)	Low	Allow the operation, or tag it for observation.
[35, 65)	Medium	Require simple verification, such as SMS or security question verification.
[65, 85)	Medium-high	Require stronger verification, such as SMS plus identity verification.
[85, 100]	High	Require high-strength verification, or restrict access to high-risk business operations.

Risk tags (Advanced Edition only)

Risk tags are returned in the tags field and provide detailed signals about the detected risk. For definitions of all risk tag values, see the Risk Tag Definitions module in the Access Management section of the Fraud Detection console.

The following example shows the structure of a response that includes both score and tags.

{
  "Data": {
    "score": 78,
    "tags": ["<risk-tag-1>", "<risk-tag-2>"]
  },
  "RequestId": "...",
  "Code": 200
}

For all common response parameters, see Common response parameters.