One of the most difficult things to do today is to identify a legitimate user. Part of the problem is that the definition of a legitimate users depends greatly on the application. Your public facing website, for example, may loosely define legitimate as «can open a TCP connection and send HTTP request» while a business facing ERP or CRM system requires valid credentials and group membership as well as device or even network restrictions.