Same IPs marked as suspicious over several months about suspicious_login HOT 9 CLOSED

Hey Christoph, apologies for not updating you on this but I lost track of the issue.

The warnings and emails stopped when I set the app password for the user as you mentioned.

from suspicious_login.

From the graphs the classifier believes that it has a recall of 100% and precision of 81%, when that is actually false given that no real suspicious login has happened (yet at least).

FYI during training we simulate suspicious requests by using randomized IPs and assigning IPs from other one user to another user (shuffle).

How can I ensure that the app recognises legitimate logins over suspicious ones? There are no links in the warning emails asking whether that was a legitimate login or not. How does the app learn which suspicious logins are actually suspicious?

No, currently the app uses unsupervised learning, there is no user feedback.

from suspicious_login.

Do you have many users that access the instance from the same IP? I have to check the logic but maybe we shuffle the training data in a way that a user gets assigned an IP for the suspicious data set that it would otherwise also use as their legit login address. This is just a suspicion and I have to check the details.

from suspicious_login.

Yes, most users access the instance from the same IP. But most users don't generate so many warnings daily/weekly/monthly when they change their location and therefore IP. Usually after one warning/email and the model learns the new pattern.

But this one user that is a bit more dynamic than others (but the set of IPs is usually the same) keeps generating warnings for the same IPs over the span of a few days or even months. Sometimes the same IP is seen as suspicious for a few days in a row.

from suspicious_login.

Does the affected user use app passwords for the connected clients?

from suspicious_login.

No they don't

from suspicious_login.

Ok, it would certainly help if they did because app password logins are never considered suspicious

from suspicious_login.

hey @eibex any update?

from suspicious_login.

cool and thanks for the update :)

from suspicious_login.