I think it should be best, after the original network recognition that any other connection should be treated as intruder alert and should not just notify for new network as it happens in the firewall of CIS free version, i say that because i have wi-fi and this occurs. I believe the firewall by itself should do that.
It also should have a mechanism to detect phishing from the original pages. Although i do not know if those apply on the paid version. I believe those, too, should stop someone that we call intruder along with the other features you have integrated.
Thank you