Understanding Impossible Travel Detection
Deep dive into how LiteSOC detects impossible travel attacks using the Haversine formula and behavioral analysis.
Impossible travel is one of the most reliable indicators of account compromise. When a user appears to log in from two distant locations in an impossibly short timeframe, something is wrong.
What is Impossible Travel?
Impossible travel occurs when authentication events happen from geographic locations that would be physically impossible to travel between in the given time window.
For example:
- Login from New York at 10:00 AM
- Login from London at 10:30 AM
- Distance: ~5,500 km
- Time needed (by plane): ~7 hours
This is a clear indicator of credential theft.
The Haversine Formula
LiteSOC uses the Haversine formula to calculate the great-circle distance between two points on Earth:
function haversineDistance(
lat1: number, lon1: number,
lat2: number, lon2: number
): number {
const R = 6371; // Earth's radius in km
const dLat = toRad(lat2 - lat1);
const dLon = toRad(lon2 - lon1);
const a =
Math.sin(dLat / 2) * Math.sin(dLat / 2) +
Math.cos(toRad(lat1)) * Math.cos(toRad(lat2)) *
Math.sin(dLon / 2) * Math.sin(dLon / 2);
const c = 2 * Math.atan2(Math.sqrt(a), Math.sqrt(1 - a));
return R * c;
}
Threshold Calculation
We assume a maximum travel speed of 1,000 km/h (faster than commercial flights) to account for:
- Private jets
- Multiple connecting flights
- Time zone variations
If the required speed exceeds this threshold, we flag it as impossible travel.
False Positive Mitigation
Not all impossible travel is malicious. LiteSOC accounts for:
- VPN Usage: Detected via IP intelligence
- Known Devices: Same device fingerprint reduces risk
- Business Travel Patterns: Learned over time
Conclusion
Impossible travel detection is a powerful tool in your security arsenal. LiteSOC makes it automatic — no configuration required.