cognitix Threat Defender uses behavior-based correlation, also called inline real-time correlation or Advanced Correlation, to analyze traffic and correlate events across multiple traffic flows.


The single-pass correlation and policy engine of cognitix Threat Defender correlates current traffic flows as well as historical information from previous flows. Based on the detected behavior, granular multi-level policy rules can be created and dynamically executed.


Attacks are often hard to detect as attackers hide in seemingly harmless communication to prevent detection by network security systems, such as next-generation firewalls. The only way to detect such threats is to analyze the behavior of the network to spot subtle changes in the communication. Once relationships between seemingly unrelated events are discovered, they can be analyzed further to determine if they contain any threats or abnormal behavior which may indicate that the network is under attack.


Behavior-based correlation can be used to implement the following use cases, for example:

  • Reduce the number of false positives created by the intrusion prevention engine by providing IPS policies that are only enforced if several IPS events are detected for the same host or group of hosts in a predetermined period of time.
  • Isolate a host that attempts to establish a high number of connections to different hosts within a short time, as this indicates an infection trying to spread or an attempted Denial-of-Service attack.
  • Isolate a host that attempts to establish a high number of connections on different ports to the same host within a short time, as this indicates a port scan to search for vulnerabilities.
  • Shape the throughput of RDP sessions when more than two clients establish RDP sessions to the same server.
  • When a host using DNS tunneling is detected, isolate that client completely.

Additional Information

For further information, see the Threat Defender user documentation or contact us.