Geo-based analysis for detecting abnormal logins

We claim: 1 . At a computer system including at least one processor, a computer-implemented method for establishing an acceptability model to determine the acceptability of a communication originating from a specified location, the method comprising: accessing a communication history for an electronic device, at least one similar user's communication history and one or more similar locations based on geographic topology data, the communication history including at least one previous communication between the electronic device and a computer system; accessing an updateable listing of locations based on the geographic topology data from which communications are receivable from the electronic device; and generating an acceptability model configured to provide a reachability score that indicates the acceptability of subsequent communications received from the electronic device based on the communication history, the similar user's communication history and the geographic topology data. 2 . The method of claim 1 , wherein the locations in the updateable listing of locations comprise geographic locations or logical locations. 3 . The method of claim 1 , wherein the communication history is part of a device profile for the electronic device, and wherein the acceptability of the received communication is determined according to information stored in the device profile. 4 . The method of claim 1 , wherein the updateable listing of locations includes those locations at which internet communications are accessible to the electronic device. 5 . The method of claim 4 , wherein the locations of the updateable listing of locations are mapped into a geographic topology model that shows the listed locations in their geographic positions. 6 . The method of claim 5 , wherein the geographic topology model further shows an indication of carrier networks in at least one geographic area. 7 . The method of claim 5 , further comprising: identifying electronic devices that have similar communication histories; determining one or more locations from which subsequent communications from the electronic device are likely to occur; and establishing a machine learning model that is configured to provide the likelihood that the electronic device's communications are acceptable based on the electronic device's communication history and communication histories of similar electronic devices. 8 . The method of claim 7 , wherein identifying electronic devices that have similar communication histories comprises identifying electronic devices that are located within a specified geographic region. 9 . The method of claim 8 , wherein one or more anchor points are established within the specified geographic region within the geographic topology model, the anchor points being implemented by the machine learning model in providing the likelihood that the electronic device's communications are acceptable. 10 . The method of claim 7 , wherein determining one or more locations from which subsequent communications from the electronic device are likely to occur comprises performing a fast lookup of available locations. 11 . The method of claim 1 , wherein at least one of the communications received from the electronic device comprises a login attempt that includes one or more login credentials. 12 . The method of claim 1 , wherein at least one of the communications received from the electronic device comprises an application access request. 13 . At a computer system including at least one processor, a computer-implemented method for evaluating the acceptability of a received communication, the method comprising: receiving a communication from a user's electronic device at a specified time, the communication including identification information that identifies the electronic device, the electronic device being associated with the user and the time of communication; accessing location information that identifies the current location of the electronic device; accessing a generated reachability score indicating the probability that the electronic device's current location was reachable based on the location of the electronic device's last communication; comparing the location from which the communication was received to the probability indicated by the reachability score to determine whether the communication's location is acceptable; and if the probability indicated by the comparison is below a threshold level, indicating that the communication is suspicious. 14 . The method of claim 13 , wherein the communication received from the electronic device includes login credentials and an internet protocol (IP) address for the electronic device. 15 . The method of claim 13 , wherein the accessed location information is received from an electronic device location mapping service. 16 . The method of claim 13 , wherein the reachability score includes a calculation of the electronic device's travel speed, the electronic device's travel speed being determined based on the geographical distance between the location of the last communication and the received communication and the amount of time between the communications. 17 . The method of claim 13 , wherein a Markov chain is used when generating the reachability score to calculate the probability that the electronic device's current location was reachable based on the location of the electronic device's last communication. 18 . The method of claim 13 , wherein communications from a plurality of electronic devices are associated with a single user's profile. 19 . A computer system comprising the following: one or more processors; one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by the one or more processors, cause the computing system to perform a method for establishing an acceptability model to determine the acceptability of a communication originating from a specified location, the method comprising the following: accessing a login history for an electronic device, the login history including at least one previous login attempt between the electronic device and a computer system; accessing an updateable listing of locations from which login attempts may be received from the electronic device; receiving at least one subsequent login attempt from the electronic device; and determining the acceptability of the subsequent login attempt from the electronic device based on the login history and one or more login histories for electronic devices similar to the electronic device. 20 . The computer system of claim 19 , wherein the login history is part of a device profile for the electronic device, and wherein the acceptability of the received login attempt is determined according to information stored in the device profile, the device profile being associated with a user.