The cognitix Threat Defender usescbehavior-based correlation, also called inline real-time correlation or Advanced Correlation (AC), to protect your network.

With advanced correlation, you can build complex scenarios of multi-staged policies to detect similar or related events in all network flows, both in real time and historically. All scenarios are evaluated for each network flow and no traffic can pass through the firewall without being handled by the correlation engine and its scenarios.

Advanced correlation can be used to implement the following use cases, for example:

  • Reduce the false positives of the intrusion prevention engine by providing IPS policies that are only enforced if several IPS events are detected for the same host or group of hosts in a predetermined period of time.
  • Isolate a host that accesses a website of high risk and low reputation and afterwards initiates outgoing connections with decentralized communication protocols, such as IRC or TOR.
  • Quarantine hosts that had contact with a “malicious” host within the network; where the malicious host accessed a URL with a bad reputation in the minutes preceding the communication.
  • Isolate a host that attempts a high number of connections to different hosts within a short time, as this indicates an infection trying to spread or an attempted Denial-of-Service attack.
  • Isolate a host that attempts a high number of connections on different ports to the same host within a short time, as this indicates a port scan to search for vulnerabilities.
  • When more multiple hosts transmit a file with a specified name or name-pattern to a certain country, isolate all of them.
  • Shape the throughput of RDP sessions when more then two clients establish RDP sessions to the same server.
  • When a host using DNS-tunneling is detected, isolate that client completely.
  • Isolate hosts that established SSH connections to external computers within 24 hours after visiting a website with a bad reputation and then downloading an .exe file.