CQAI: Using Machine Learning to Determine Transactional Intent

July 25, 2019 | by Matt Keil

Transactional Intent

When you consider normal online activities – such as email, messaging, social media, search, web browsing, etc. – there are plenty of tools available to determine if the transactional content is potentially malicious. But what about transactional intent? How do you determine if the intent is legitimate or malicious? For security operations and application development teams analyzing their public-facing web, mobile and API-based application transaction activity, the challenge is doubly difficult.

Are the actions your application is designed to encourage – login, account creation, browsing/shopping activity, etc. – always legitimate? Taken at face value, increased activity may appear to be legitimate and viewed positively. But when signs of user dissatisfaction, fraud, or theft begin to emerge, the intent of the increased activity becomes clear. It’s malicious, and more specifically, the business logic of your public-facing web, mobile or API-based application is being abused.

Bad actors are using a regularly refreshed set of stolen user credentials, sophisticated attack toolkits, and infrastructure to launch automated attack campaigns against your public-facing web, mobile and API-based applications. These attacks appear to be legitimate, or syntactically correct transactions, which makes them difficult to detect using common security tools that are looking for malicious content or rely on known-bad signatures.

Early attempts to detect business logic abuse, commonly referred to as automated malicious bot attacks, required JavaScript injection into each and every public-facing web application, and SDK modification for each mobile application. Unfortunately, API-based applications had no feasible means of accepting JavaScript injection, so they were left unprotected.

The Cequence Security Application Security Platform takes an unobtrusive, intelligence-based approach to determine the intent of the transactions hitting your public-facing web, mobile, and API-based applications, allowing you to take appropriate action based on the findings. This is accomplished by CQAI, the patented AI-powered analytics engine within the platform. CQAI uses multiple techniques including machine learning, and heuristics to identify all of your public-facing web, mobile and API-based applications, looking at their respective transactions to uncover the intent.

Any application vulnerability exploits or automated malicious bots that are discovered by CQAI can be mitigated using response options that include block, rate limit, geo-fencing or deception. And because CQAI does not require any application instrumentation, it discovers all of your applications as soon as they are deployed, eliminating any security induced friction and effectively baking security into your application development workflow.

To learn more about CQAI, and how it can determine transactional intent, check out our new video below:


Matt Keil


Matt Keil

Director of Product Marketing

Additional Resources