Anomaly Detection Policy

Activate the Policy to detect anomalous transactions.

The Anomaly Detection Policy is an additional layer of security to protect your funds from fraudulent transactions. In this Policy, a forecasting engine uses the transaction history data to compute an average transaction value. Based on this value, it evaluates all outgoing transactions. If any transaction deviates from this average value, indicating an unusually high amount, the engine automatically blocks it or sends notifications, depending on the configuration. The engine operates on a 1-hour velocity window to assess the transaction.

The engine undergoes regular training and analysis. It re-evaluates transaction history on a weekly basis, updating the average transaction amount. By continuously learning from past transaction trends, the engine adapts to evolving patterns, thereby improving its ability to accurately identify anomalies over time.

Important:

  • The Policy is suitable for wallets with a high volume of transactions, particularly for hot wallets.
  • The Policy is supported by all chains.
  • For wallets with a low transaction count, it is recommended to use other policies like Spending Limit Policy and Transaction Limit Policy. To learn more, see manage your transaction policies.

You can choose from the following modes for handling anomalous transactions:

  • Log only mode: In this mode, the Policy will log anomalous transactions and notify you via email, Slack, or SMS (if configured).
  • Reject mode: In this mode, the Policy will automatically reject the anomalous transaction and notify you via email, Slack, or SMS (if configured).

Note:

  • If a legitimate transaction is rejected by a Policy configured in “reject mode”, reinitiate the transaction. If multiple legitimate transactions are rejected, inform Liminal support at [email protected] to fine-tune the Policy.
  • If you identify a suspicious transaction from a notification, inform Liminal to immediately freeze the associated wallet. This action halts all further transactions and activities from that wallet.

The following diagram illustrates the working mechanism of the Anomaly Detection Policy.

The flow in the above diagram is explained as follows.

  1. A transaction is initiated from your wallet.
  2. The forecasting engine fetches the transaction data from the database on a weekly basis and computes a forecasted limit/value.
  3. The transaction value is compared against the forecasted limit computed by the engine.
  4. If the transaction amount is below the forecasted limit, the transaction is broadcast.
  5. If the transaction amount is above the forecasted limit, and you have configured the "reject only" mode of the Policy, the transaction is rejected and you are notified via Opsgenie or Slack.
  6. If the transaction amount is above the forecasted limit, and you have configured the "log only" mode of the Policy, you are notified via Opsgenie or Slack.
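The flow above can be modelled in a few lines. This is an added example, not Liminal's implementation: the limit formula (mean plus K standard deviations), the value of K, all class and function names, and the sample amounts are assumptions made here, and the 1-hour velocity window is not modelled.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Optional

RETRAIN_EVERY = timedelta(days=7)  # weekly re-evaluation, as described on the page
K = 3.0                            # assumption: allowed deviation, in standard deviations


@dataclass
class AnomalyPolicy:
    mode: str                                     # "log_only" or "reject"
    history: list = field(default_factory=list)   # amounts of broadcast transactions
    limit: float = float("inf")                   # forecasted limit; unset until trained
    trained_at: Optional[datetime] = None
    alerts: list = field(default_factory=list)    # stand-in for Opsgenie/Slack messages

    def train(self, now: datetime) -> None:
        """Recompute the forecasted limit (assumed formula: mean + K * stddev)."""
        if len(self.history) >= 2:
            self.limit = mean(self.history) + K * pstdev(self.history)
        self.trained_at = now

    def evaluate(self, now: datetime, amount: float) -> str:
        """Return 'broadcast', 'logged' (broadcast plus alert) or 'rejected'."""
        if self.trained_at is None or now - self.trained_at >= RETRAIN_EVERY:
            self.train(now)
        if amount <= self.limit:
            self.history.append(amount)
            return "broadcast"
        self.alerts.append(f"anomalous amount {amount} > limit {self.limit:.2f}")
        if self.mode == "reject":
            return "rejected"          # never broadcast, so not added to history
        self.history.append(amount)    # log-only: the transaction is still broadcast
        return "logged"


def demo(mode: str) -> list:
    """Run constructed sample data through the policy in the given mode."""
    start = datetime(2024, 1, 1)
    policy = AnomalyPolicy(mode=mode, history=[90.0, 100.0, 110.0, 95.0, 105.0])
    outgoing = [(0, 102.0), (1, 500.0), (2, 98.0)]   # (hours after start, amount)
    return [policy.evaluate(start + timedelta(hours=h), amt) for h, amt in outgoing]


if __name__ == "__main__":
    print("log_only:", demo("log_only"))
    print("reject:  ", demo("reject"))
```

Running both modes over the same constructed transactions shows the only difference between them: the outlier is alerted on in each case, but only "reject" stops it from being broadcast.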

Activate the Policy

Currently, the Policy is not accessible through the Vaults UI. To activate the Policy for hot wallets, contact Liminal at [email protected]. The Policy will be activated for all hot wallets. To activate the Policy for cold wallets, take the following steps.

  1. Raise a support ticket or send an email to [email protected] including the following details:
    • Requester email ID: Provide your email ID.
    • Subject: Select Enable Anomaly Detection Policy from the dropdown.
    • Issue Type: Select Policy from the dropdown.
    • Policy - Sub Type: Select Enable Anomaly Detection from the dropdown.
    • Description: Provide the following information:
      • Name of your organisation
      • List of wallet names and respective IDs for which you want to enable this Policy
      • Type of mode for handling anomalous transactions (You are advised to start with “log only mode” initially, and move to the “reject mode” gradually. This allows the engine to train over time and evaluate each transaction accurately.)
      • Channel types for receiving notifications
  2. Integrate with either the Opsgenie or the Slack notification channel. When an anomalous transaction is detected, Liminal sends an automated notification via either Opsgenie or Slack. For Opsgenie integration, set up your account in Opsgenie using its quickstart guide and share your credentials with Liminal. For Slack integration, set up a webhook in a Slack channel and share your webhook endpoint URL with Liminal.