Title :
Identification of anomalous network security token usage via clustering and density estimation
Author :
Harang, Richard E. ; Glodek, William J.
Author_Institution :
ICF Int. U.S. Army Res. Lab., Adelphi, MD, USA
Abstract :
Fraudulent use of network security tokens is a serious concern for any system that contains data that must be secured against illicit access, duplication, or manipulation. Anomaly-based techniques to classify logins as fraudulent or legitimate have been proposed and used successfully; however, the lack of clear mathematical structure in the space of IP addresses means that many of these methods require significant supplemental information, such as payload, failed token usages, or user activity on the secured network, in order to achieve accurate detection rates. When this additional information is not available, as in network-based intrusion detection systems, many systems for detecting fraudulent security token usage require a series of usages before a classification can be made. We present an anomaly detection system based upon IP addresses, a mapping of geographic location as inferred from IP address, and usage timestamps that is capable of identifying fraudulent token usage with as little as a single instance of fraudulent usage, while overcoming the often significant limitations of geographic IP address mappings.
Keywords :
IP networks; computer network security; pattern clustering; token networks; IP address; anomalous network security token usage identification; clustering estimation; density estimation; geographic IP address mapping; geographic location; mathematical structure; Geology; IP networks;
Conference_Titel :
Information Sciences and Systems (CISS), 2012 46th Annual Conference on
Conference_Location :
Princeton, NJ
Print_ISBN :
978-1-4673-3139-5
Electronic_ISBN :
978-1-4673-3138-8
DOI :
10.1109/CISS.2012.6310829