Impersonation detection systems quantify the risk that someone is impersonating a user who has rights to access a resource. An example of an impersonation detection system is a web server of an online bank that receives login attempts (e.g., submissions of usernames and passwords) from people wishing to access accounts. Along these lines, in response to a login attempt to access a user's account, the web server extracts any of a number of features describing the login attempt, e.g., geolocation, login time, hostname, autonomous system number/name, country of origin. The web server then quantifies the risk that the login was attempted by an imposter by inputting the extracted features into a risk model that outputs a risk score, where higher risk scores indicate higher risk that the login was attempted by an imposter. When the risk score is greater than a threshold, the web server may deny access to the user's account.
Conventional approaches to impersonation detection use a third party server to store historical login attempt data and generate risk scores based on the historical login attempt data. For example, when the web server of the online bank receives a login attempt that involves a user's account, the web server sends the features describing the login attempt to the third party server. The third party server then inputs the features and the user's historical login attempt data into a risk model that outputs a risk score. The third party server sends the risk score to the web server so that the web server may grant or deny access to the user's account.