Using Behavior-based Correlation

Threats are often distributed over multiple traffic flows and use various angles of attack. To detect possible threats, the correlation engine of Threat Defender correlates current flows with historical information from previous flows.

It expands the policy language to track communication events. This means correlation takes place inline, inside the policy engine. Data is correlated in real time, i.e. the moment it is generated. Reactions are immediate and applied to the packet that triggered them.

The following examples illustrate the possible usage of the correlation engine in a network environment.

Additional References: