Abstract: A method may include receiving a first classification of a network address associated with a login attempt as an AVA, and in response, generating a first random number, selecting a first blocking length of time from a plurality of blocking lengths of time, calculating a first deny list duration based on summing the first random number and the first blocking length of time, and adding the network address to a deny list for the first deny list duration, and adding the network address to a parole list for a parole duration, receiving a second classification of the address as an AVA during the duration; and in response selecting a second blocking length of time from a plurality of blocking lengths, calculating a second deny list duration based on summing the second random number and the second blocking length and adding the address to the deny list for the second duration

Abstract: A method may include receiving a first classification of a network address associated with a login attempt as an AVA, and in response, generating a first random number, selecting a first blocking length of time from a plurality of blocking lengths of time, calculating a first deny list duration based on summing the first random number and the first blocking length of time, and adding the network address to a deny list for the first deny list duration, and adding the network address to a parole list for a parole duration, receiving a second classification of the address as an AVA during the duration; and in response selecting a second blocking length of time from a plurality of blocking lengths, calculating a second deny list duration based on summing the second random number and the second blocking length and adding the address to the deny list for the second duration.

Abstract: In an example aspect, a method includes receiving a plurality of login attempts from a network address over a length of time, querying log data to determine, for the network address, an average number of login failures of the plurality of login attempts over the length of time, calculating a failure rate metric based on the average number of login failures, determining that the failure rate metric exceeds a reference number of login failures for the length of time, the reference number of login failures based on a historical average number of login failures for the length of time, and based in part on the determining, adding the network address to a system deny list.

Abstract: In an example aspect, a method includes receiving a plurality of login attempts from a network address over a length of time, querying log data to determine, for the network address, an average number of login failures of the plurality of login attempts over the length of time, calculating a failure rate metric based on the average number of login failures, determining that the failure rate metric exceeds a reference number of login failures for the length of time, the reference number of login failures based on a historical average number of login failures for the length of time, and based in part on the determining, adding the network address to a system deny list.

Abstract: In an example aspect, a method includes receiving, using a hardware processing device, a first classification of a network address associated with a login attempt as an account validator actor. The method also includes based on the first classification, updating, using the hardware processing device, a system deny list to include the network address for a first length of time. The method also includes after expiration of the first length of time removing the network address from the system deny list, receiving a second of classification of the network address as an account validator actor, and updating the system deny list to include the network address for a second length of time.

Abstract: Disclosed herein are systems and methods for using machine learning for geographic analysis of access attempts. In an embodiment, a trained machine-learning model classifies source IP addresses of login attempts to a system as either blacklisted or allowed based on a set of aggregated features that correspond to login attempts to the system from the source IP addresses. The set of aggregated features includes, in association with each respective source IP address, a geographical login-attempt failure rate of login attempts to the system from each of one or more geographical areas that each correspond to the respective source IP address. Source IP addresses that are classified by the machine-learning model as blacklisted are added to a system blacklist, such that the system will disallow login attempts from such source IP addresses.

Abstract: A computing system includes a network circuit enabling the computing system to exchange information over a network, a customer database storing information pertaining to various user accounts pertaining to a plurality of users, and a risk assessment circuit. The risk assessment circuit is configured search at least one data source to identify a user attribute, determine that the user attribute bears a relationship to a first security credential that is either associated with or potentially associated with a user account, generate a security prompt responsive to the determination, and transmit the security prompt to a user computing device associated with the user.

Abstract: A computing system includes a network circuit enabling the computing system to exchange information over a network, a customer database storing information pertaining to various user accounts pertaining to a plurality of users, and a risk assessment circuit. The risk assessment circuit is configured search at least one data source to identify a user attribute, determine that the user attribute bears a relationship to a first security credential that is either associated with or potentially associated with a user account, generate a security prompt responsive to the determination, and transmit the security prompt to a user computing device associated with the user.