On Thu, Feb 18, 2016 at 1:11 PM, Sachith Withana <[email protected]> wrote:
> Hi Tishan,
>
> Couple of questions,
> 1. How would you "define" the regions?

OK. Then let's say different countries.

> 2. Wouldn't a user use an app across regions? (basically requests coming
> from different regions)

User will use across regions/countries. But not within, per se, 1 hour. Also, at the end of the day, this is an alert. Not a command to block the user. What I wanted to convey is, when we state "Unusual Request IP Detection", the rules should be about unusual IP patterns, not unusual access counts or time.

Thanks
Tishan

> Thanks,
> Sachith
>
> On Thu, Feb 18, 2016 at 12:55 PM, Tishan Dahanayakage <[email protected]>
> wrote:
>
>> Hi Sachith,
>>
>> On Thu, Feb 18, 2016 at 12:17 PM, Sachith Withana <[email protected]>
>> wrote:
>>
>>> Hi all,
>>>
>>> I'm working on Request source IP change alerting for APIM analytics - If
>>> the source IP is different from the usual IP range of an access token
>>> bearer, we should send an alert out. This possibly means that the access
>>> token is in the hands of someone else.
>>>
>>> There will be a couple of triggers that would generate the alerts for
>>> unusual request IP changes (where the IP would lie outside the user's
>>> 'usual' IP range):
>>>
>>> 1. Time difference between the last access time and the current
>>>    access time
>>>    This means if a certain IP has not been used for an x amount of time
>>>    (x is configurable) and gets a request from that IP, an alert would
>>>    be generated. (Much like Gmail requesting you to log in when you
>>>    access it from a different continent.)
>>>
>>> 2. The request count for the IP is low
>>>    (ex: a couple of accesses for a whole month) and gets a request from
>>>    that IP, an alert would be generated (again, the count is
>>>    configurable).
>>
>> Both of the above criteria are more like abnormal request patterns. Not
>> unusual IP changes AFAIU. Isn't it? Shall we have some rules such as IP
>> changes between different regions within a short time period?
>>
>> Thanks
>> Tishan
>>
>>> This would be implemented by maintaining an event table for each
>>> consumerID with IPs accessed, along with the count for that specific
>>> consumerID,IP pair and the last accessed time for that pair, and
>>> comparing the incoming requests against it.
>>>
>>> WDYT?
>>>
>>> Thanks,
>>> Sachith
>>> --
>>> Sachith Withana
>>> Software Engineer; WSO2 Inc.; http://wso2.com
>>> E-mail: sachith AT wso2.com
>>> M: +94715518127
>>> Linked-In: https://lk.linkedin.com/in/sachithwithana

--
Tishan Dahanayakage
Software Engineer
WSO2, Inc.
Mobile:+94 716481328

Disclaimer: This communication may contain privileged or other confidential information and is intended exclusively for the addressee/s. If you are not the intended recipient/s, or believe that you may have received this communication in error, please reply to the sender indicating that fact and delete the copy you received and in addition, you should not print, copy, re-transmit, disseminate, or otherwise use the information contained in this communication. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for any errors or omissions.
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
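The rules discussed in this thread, as an added Python example (not code from WSO2 APIM analytics): it keeps the proposed (consumerID, IP) table with a count and last-access time, evaluates the two original triggers, and adds the country-change-within-an-hour rule suggested in the reply. The threshold values, the caller-supplied country code, the choice to let a consumer's first request only seed the table, and the sample events are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class IpChangeDetector:
    max_idle: float = 30 * 86400   # "x" from the thread, in seconds (value assumed)
    min_count: int = 3             # low-count threshold (value assumed)
    hop_window: float = 3600       # "1 hour" from the reply
    pairs: dict = field(default_factory=dict)  # (consumer, ip) -> (count, last_seen)
    last: dict = field(default_factory=dict)   # consumer -> (country, ts)

    def observe(self, consumer, ip, country, ts):
        """Return alert reasons for this request, then record it in the table."""
        reasons = []
        count, seen = self.pairs.get((consumer, ip), (0, None))
        prev = self.last.get(consumer)
        if prev is not None:  # assumption: a consumer's first request only seeds the table
            # Trigger 1: this IP was used before, but not for longer than max_idle.
            if seen is not None and ts - seen > self.max_idle:
                reasons.append("stale_ip")
            # Trigger 2: this IP has few (or no) recorded requests for the consumer.
            if count < self.min_count:
                reasons.append("low_count")
            # Rule from the reply: country changed within a short period.
            if prev[0] != country and ts - prev[1] <= self.hop_window:
                reasons.append("region_hop")
        self.pairs[(consumer, ip)] = (count + 1, ts)
        self.last[consumer] = (country, ts)
        return reasons

# Constructed sample events: (consumerID, source IP, country, epoch seconds).
# IPs are from the RFC 5737 documentation ranges.
EVENTS = [
    ("c1", "192.0.2.10", "LK", 0),
    ("c1", "192.0.2.10", "LK", 3600),
    ("c1", "192.0.2.10", "LK", 7200),
    ("c1", "192.0.2.10", "LK", 10800),
    ("c1", "203.0.113.7", "US", 11400),               # new IP, new country, 10 min later
    ("c1", "192.0.2.10", "LK", 10800 + 40 * 86400),   # known IP after 40 idle days
]

def replay(events):
    """Run the events through a fresh detector; one list of reasons per event."""
    det = IpChangeDetector()
    return [det.observe(*e) for e in events]

if __name__ == "__main__":
    for event, reasons in zip(EVENTS, replay(EVENTS)):
        print(event, reasons)
```

The second and third requests from the usual IP still raise `low_count`, which shows the cold-start noise of a count-based rule; the `region_hop` rule depends only on where the requests come from.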
