[Owasp-appsensor-project] New Detection Point Candidate: AE13: Deviation from normal GEO location during login

Colin Watson colin.watson at owasp.org
Fri Sep 30 12:14:05 EDT 2011


Good discussion.  DPs are just there as inspiration to
designers/implementers - we don't know the context.  The devil is in
the detail, and I don't see any harm in mentioning this type of idea,
but then add a summary of this discussion into the 'considerations'
and 'examples' sections.

I have a feeling there might be a chapter in the new book about
stochastic anomaly detection....

Colin

On 30 September 2011 17:06, Dennis Groves <dennis.groves at gmail.com> wrote:
> I think this is again part of the reason for using the stochastic anomaly
> detection over a rules-based engine alone. The client actually has the risk
> appetite and they need to decide for themselves what is the right amount
> of specificity and sensitivity for their risk appetite.  We cannot decide
> that an event is really normal or an attack for any given situation, especially
> when dealing in the hypothetical.
>
> --
> Dennis Groves, MSc
> dennis.groves at gmail.com
>
> "What is the use of living, if it be not to strive for noble causes and make
> this muddled world a better place for those who will live in it after we
> have gone."
>
> -- Winston Churchill, October 10th, 1908
>
>
> On Fri, Sep 30, 2011 at 5:03 PM, M Yilmaz <mehmety at gmail.com> wrote:
>>
>> But they are less likely to be logged in from multiple IPs under such a
>> circumstance. I like the principle of escalation here.
>>
>> On Fri, Sep 30, 2011 at 11:53 AM, Dennis Groves <dennis.groves at gmail.com>
>> wrote:
>>>
>>> The problem with this is that more and more people are going mobile
>>> thanks to iPhones and Droids. And their IPs are guaranteed to change during
>>> a session as they swap cell towers.
>>>
>>> --
>>> Dennis Groves, MSc
>>> dennis.groves at gmail.com
>>>
>>>
>>>
>>> On Fri, Sep 30, 2011 at 4:47 PM, Colin Watson <colin.watson at owasp.org>
>>> wrote:
>>>>
>>>> Ryan
>>>>
>>>> Good idea.
>>>>
>>>> The related "SE5 Source Location Changes During Session" is just
>>>> session specific, but this new idea concerns information about
>>>> a user learnt (or set) over time.  So I was thinking it perhaps ought
>>>> to be a User Trend (UT) code?  But since it specifically mentions
>>>> login, it could be an Authentication Exception (AE) instead?
>>>>
>>>> Does it need to be just login?  Maybe if it were more generic, it
>>>> might also be used post authentication on say a banking payment
>>>> transfer function i.e. we don't care where they log in from, but if
>>>> the amount is more than $5,000 we will take more notice of their
>>>> location.
>>>>
>>>> So perhaps "UT4 Deviation from normal Geo Location"?
>>>>
>>>> Colin
>>>>
>>>> On 30 September 2011 16:30, Ryan Barnett <ryan.barnett at owasp.org> wrote:
>>>> > Most users normally log into an application from 1 or a few Geographic
>>>> > locations.  If the application learns these GeoIP locations, it can
>>>> > then
>>>> > detect when a user is logging into the application from a different
>>>> > location.  This would help to identify possible account hijacking
>>>> > attacks
>>>> > (from phishing, banking trojans).
>>>> > --
>>>> > Ryan Barnett
>>>> > _______________________________________________
>>>> > Owasp-appsensor-project mailing list
>>>> > Owasp-appsensor-project at lists.owasp.org
>>>> > https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
>>>> >
>>>> >
>>>
>>>
>>>
>>
>>
>>
>> --
>> Mehmet Yilmaz
>>
>
>
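The ideas raised in this thread (a learnt per-user location profile, a login check, and a location check applied only to transfers over $5,000), sketched as an added example that is not code from the AppSensor project or from any poster. The class name, the `min_history` and `min_sightings` tuning knobs, and the sample events are assumptions; country codes are assumed to come from a GeoIP lookup done elsewhere, and "AE13" and "UT4" are the candidate labels proposed in the thread.

```python
from collections import Counter, defaultdict

class GeoDeviationDetector:
    """Hypothetical detector: learns each user's usual countries, reports deviations."""

    def __init__(self, min_history=5, min_sightings=2, amount_threshold=5000):
        self.min_history = min_history          # events needed before judging a user
        self.min_sightings = min_sightings      # sightings before a country is "normal"
        self.amount_threshold = amount_threshold
        self.seen = defaultdict(Counter)        # user -> Counter of country codes

    def deviates(self, user, country):
        history = self.seen[user]
        if sum(history.values()) < self.min_history:
            return False                        # still learning this user
        return history[country] < self.min_sightings

    def learn(self, user, country):
        # Call directly after a step-up check succeeds, so that a new
        # legitimate location becomes part of the profile.
        self.seen[user][country] += 1

    def observe(self, user, country, action="login", amount=0):
        """Return a detection point label from the thread, or None."""
        if not self.deviates(user, country):
            self.learn(user, country)           # deviating events are not learned
            return None
        if action == "login":
            return "AE13"
        if amount > self.amount_threshold:
            return "UT4"
        return None


def run_sample():
    det = GeoDeviationDetector()
    # Constructed events: (user, country, action, amount). Country is used
    # instead of IP so that a phone swapping cell towers does not trigger.
    events = [("alice", "GB", "login", 0)] * 5 + [
        ("alice", "GB", "login", 0),
        ("alice", "FR", "login", 0),
        ("alice", "FR", "transfer", 100),
        ("alice", "FR", "transfer", 6000),
    ]
    return [det.observe(*e) for e in events]

if __name__ == "__main__":
    print(run_sample())
```

Raising `min_history` or `min_sightings` trades sensitivity for fewer false positives, which is the decision the thread leaves to the application owner.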

