For our final application chapter, we will be revisiting anomaly detection on login attempts. Let's imagine we work for a company that launched its web application in the beginning of 2018. This web application has been collecting log events for all login attempts since it launched. We know the IP address that the attempt was made from, the result of the attempt, when it was made, and which username was entered. What we don't know is whether the attempt was made by one of our valid users or a nefarious party.
Our company has been expanding and, since data breaches seem to be in the news every day, has created an information security department to monitor the traffic. The CEO saw our rule-based approach to identifying hackers from Chapter 8, Rule-Based Anomaly Detection, and was intrigued by our initiative, but wants us to move beyond...