Anomaly Detection policy

Activate the policy to detect anomalous transactions.

The Anomaly Detection policy is an additional layer of security that protects your funds from fraudulent transactions. In this policy, a forecasting engine uses the transaction history data to compute an average transaction value and evaluates every outgoing transaction against it. If a transaction deviates from this average, that is, its amount is unusually high, the engine automatically blocks it or sends notifications, depending on the configuration. The engine assesses transactions over a 1-hour velocity window.

The engine undergoes regular training and analysis. It re-evaluates transaction history on a weekly basis, updating the average transaction amount. By continuously learning from past transaction trends, the engine adapts to evolving patterns, thereby improving its ability to accurately identify anomalies over time.

Important:

  • The policy is suitable for wallets with a high volume of transactions, particularly for hot wallets.
  • The policy is supported on all chains.
  • For wallets with a low transaction count, it is recommended to use other policies such as the Spending Limit policy and the Transaction Limit policy. To learn more, see manage your transaction policies.

You can choose from the following modes for handling anomalous transactions:

  • Log only mode: In this mode, the policy logs anomalous transactions and notifies you via email, Slack, or SMS (if configured).
  • Reject mode: In this mode, the policy automatically rejects the anomalous transaction and notifies you via email, Slack, or SMS (if configured).

Note:

  • If a legitimate transaction is rejected by a policy configured in "reject mode", reinitiate the transaction. If multiple legitimate transactions are rejected, inform Liminal support at [email protected] to fine-tune the policy.
  • If you identify a suspicious transaction from a notification, inform Liminal to immediately freeze the associated wallet. This action halts all further transactions and activities from that wallet.

The following diagram illustrates the working mechanism of the Anomaly Detection policy.

The flow in the above diagram is explained as follows.

  1. A transaction is initiated from your wallet.
  2. The forecasting engine fetches the transaction data from the database on a weekly basis and computes a forecasted limit/value.
  3. The transaction value is compared against the forecasted limit computed by the engine.
  4. If the transaction amount is below the forecasted limit, the transaction is broadcast.
  5. If the transaction amount is above the forecasted limit and the policy is configured in "reject only" mode, the transaction is rejected and you are notified via Opsgenie or Slack.
  6. If the transaction amount is above the forecasted limit and the policy is configured in "log only" mode, the transaction is broadcast and you are notified via Opsgenie or Slack.
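The flow above, modelled as an added example (not Liminal's code): a baseline limit recomputed from history at retraining time, a rolling 1-hour velocity window, and the two handling modes. The `multiplier` of 2.0 over the average, the choice to sum amounts within the window, and the sample history are assumptions for illustration; Liminal does not publish its forecasting formula.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass
class Decision:
    action: str        # "broadcast", "log" or "reject"
    window_total: float
    limit: float


class AnomalyPolicy:
    """Toy model of the policy: a retrained limit plus a 1-hour velocity window."""

    def __init__(self, mode="log", multiplier=2.0, window=timedelta(hours=1)):
        if mode not in ("log", "reject"):
            raise ValueError("mode must be 'log' or 'reject'")
        self.mode = mode
        self.multiplier = multiplier   # assumed: limit = multiplier * average (illustrative only)
        self.window = window
        self.limit = None
        self.recent = deque()          # (timestamp, amount) of transactions counted in the window

    def retrain(self, history):
        """Weekly retraining step: recompute the forecasted limit from past outgoing amounts."""
        self.limit = mean(history) * self.multiplier

    def evaluate(self, ts, amount):
        if self.limit is None:
            raise RuntimeError("retrain() must run before transactions are evaluated")
        # Forget transactions that have fallen out of the velocity window.
        while self.recent and ts - self.recent[0][0] > self.window:
            self.recent.popleft()
        window_total = sum(a for _, a in self.recent) + amount
        if window_total <= self.limit:
            self.recent.append((ts, amount))
            return Decision("broadcast", window_total, self.limit)
        if self.mode == "reject":
            # A rejected transaction never reaches the chain, so it does not count toward the window.
            return Decision("reject", window_total, self.limit)
        # Log-only mode: the transaction is still broadcast, but flagged for notification.
        self.recent.append((ts, amount))
        return Decision("log", window_total, self.limit)


def run_sample(mode):
    """Constructed history and transactions; returns the action taken for each transaction."""
    history = [100, 120, 80, 100]            # last week's outgoing amounts: average 100, limit 200
    t0 = datetime(2024, 1, 1, 12, 0)
    txs = [(t0, 150), (t0 + timedelta(minutes=10), 80), (t0 + timedelta(minutes=70), 80)]
    policy = AnomalyPolicy(mode=mode)
    policy.retrain(history)
    return [policy.evaluate(ts, amt).action for ts, amt in txs]
```

In reject mode the second transaction (window total 230 against a limit of 200) is dropped and does not count toward the window, so the third one is broadcast; in log-only mode the second one is flagged but still counted.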

Activate the policy

Currently, this policy is not accessible through the Liminal Vaults UI. However, you can take the following steps to activate the policy for your wallets.

  1. Raise a support ticket including the following details:
    • Requester email Id - Provide your email ID.
    • Subject - Enter Enable Anomaly Detection Policy in the field.
    • Issue Type - Select Policy from the dropdown.
    • Anomaly Detection Policy - Select Enable Anomaly Detection from the dropdown.
    • Description - Provide the following information:
      • Name of your organisation
      • List of wallet names along with their respective IDs for which you want to apply this policy
      • The mode for handling anomalous transactions (recommended to start with "log only" mode and gradually move to "reject mode", allowing the engine to learn and improve the accuracy of transaction evaluation)
      • One or more preferred channels for receiving notifications

The following screenshot is a sample support ticket for your reference.

  2. Integrate with either the Opsgenie or the Slack notification channel. When an anomalous transaction is detected, Liminal sends an automated notification via Opsgenie or Slack. For Opsgenie integration, set up your account in Opsgenie using its quickstart guide and share your credentials with Liminal. For Slack, set up an incoming webhook in a Slack channel and share the webhook endpoint URL with Liminal.