Are sequential patterns used in practice?



  • I study computer security and I read articles about the potential usage of sequential pattern mining in IDPS products:

    I am curious if any of you have seen these sequential patterns and set any rule for them in practice e.g. in a SIEM or IDPS system. I have the impression that most products support only association rules and don't analyse the sequence of the events, packets, etc. I think some attacks can be detected only by checking the sequence, because a single event or packet does not contain enough info about the ongoing attack. I guess most people do this manually instead of using sequential pattern mining and matching algorithms or they use a fully automated system and don't even know about this kind of filtering. Am I right or is this used in practice?



  • This depends on a lot of factors, like: vendor of the IDS, the settings, which signature is being triggered and what kind of attack is being initiated. In short yes, UTMs of the common vendors (CP, Fortinet, PANW) all store a copy of the traffic in memory for analysis.

    For instance, you could configure in an IDS that an RDP Brute-force attack is only flagged as such when the signature has been identified X amount of times in the last N seconds. This is to prevent any false positives, especially when you have an IPS blade on top of it conducting preventive actions.

    With regards to SIEM this is completely flexible, you can build use-cases in numerous ways and correlate alerts from various sources. For instance, in the case mentioned above, you could correlate this with the log sources from the source-device and a Directory Service.
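The two rule styles the answer describes, as an added illustration (not code from either poster or from any vendor's product): a count-only "X hits in N seconds" rule of the kind an IDS signature threshold expresses, beside a sequential rule that only matches when the failures are followed by a success from the same source. The event list, field names and thresholds are constructed for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime
# Constructed sample events (not real logs): (ISO timestamp, source, normalised event type)
EVENTS = [
    ("2024-01-01T10:00:00", "10.0.0.5", "rdp_auth_fail"),
    ("2024-01-01T10:00:05", "10.0.0.5", "rdp_auth_fail"),
    ("2024-01-01T10:00:10", "10.0.0.5", "rdp_auth_fail"),
    ("2024-01-01T10:00:15", "10.0.0.5", "rdp_auth_fail"),
    ("2024-01-01T10:00:20", "10.0.0.5", "rdp_auth_fail"),
    ("2024-01-01T10:00:25", "10.0.0.5", "rdp_auth_success"),  # failures, then success
    ("2024-01-01T10:01:00", "10.0.0.11", "rdp_auth_success"), # success BEFORE the failures
    ("2024-01-01T10:01:05", "10.0.0.11", "rdp_auth_fail"),
    ("2024-01-01T10:01:10", "10.0.0.11", "rdp_auth_fail"),
    ("2024-01-01T10:01:15", "10.0.0.11", "rdp_auth_fail"),
]

def _prune(window, now, n_seconds):
    # Sliding window: drop timestamps older than n_seconds before `now`.
    while window and (now - window[0]).total_seconds() > n_seconds:
        window.popleft()

def threshold_alerts(events, signature, x, n_seconds):
    """Count-only rule: `signature` seen >= x times from one source within n_seconds."""
    windows, alerts = defaultdict(deque), []
    for ts, src, sig in sorted(events):           # ISO strings sort chronologically
        if sig != signature:
            continue
        now = datetime.fromisoformat(ts)
        win = windows[src]
        win.append(now)
        _prune(win, now, n_seconds)
        if len(win) >= x:
            alerts.append((src, ts))
            win.clear()                           # one alert per burst, not per extra hit
    return alerts

def sequence_alerts(events, fail_sig, success_sig, x, n_seconds):
    """Sequential rule: >= x `fail_sig` events FOLLOWED BY a `success_sig`, same source, within n_seconds."""
    fails, alerts = defaultdict(deque), []
    for ts, src, sig in sorted(events):
        now = datetime.fromisoformat(ts)
        win = fails[src]
        _prune(win, now, n_seconds)
        if sig == fail_sig:
            win.append(now)
        elif sig == success_sig and len(win) >= x:  # order matters: success must come last
            alerts.append((src, ts))
            win.clear()
    return alerts
```

With a threshold of 3 the count-only rule flags both sources, while the sequential rule flags only 10.0.0.5, where the success came after the failures.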

