Adaptive Behavior Baselining

Strong network security has one big drawback: the risk of over-blocking. With all traditional security systems there is a high probability of blocking legitimate traffic, which may interrupt business-critical processes and reduce productivity. You may think that this is the price to pay for safe networks in your company. Or that the only alternative is to do without automatic blocking, simply alarming the administrator instead, who will soon be overwhelmed by the sheer number of alarms and start ignoring them. But these are not the only options anymore. cognitix Threat Defender offers a real solution to this problem.

Threat Defender can be set up to continuously learn (and forget!) normal behavior to create a  behavior baseline that adapts to the normal activity in your network. We call that adaptive behavior baselining. When it detects suspicious behavior, Threat Defender graylists the corresponding traffic. This means suspicious and unknown traffic is blocked and only the learned normal behavior is allowed. To eliminate false positives, suspicious traffic can be further investigated, reducing the risk of blocking legitimate traffic. This way the system stays operational while threats are stopped quickly and cannot spread horizontally.

How is this implemented?

To create an adaptive baseline for normal, permitted behavior, Threat Defender continuously tracks the source and destination IP addresses of the traffic in an event tracking table (ETT). The learned IP addresses are stored for 24 hours and then forgotten so that the baseline is continuously adapted.

Threat Defender monitors the network traffic for suspicious behavior using its integrated threat intelligence system. If it detects a threat intelligence incident, Threat Defender adds the IP and MAC addresses of the involved client to a dynamic network object (DNO). This DNO stores all suspicious clients for two hours.

Traffic of suspicious clients is evaluated further to eliminate false positives. Threat Defender checks for all traffic of clients in the DNO if the source and destination address of the flow is already tracked in the ETT. If yes, the flow constitutes learned, normal behavior and is allowed. Otherwise, the traffic is rejected. This keeps the suspicious clients operational while stopping threats and keeping them from spreading horizontally.

To set up this scenario, you need only four rules. The rules are processed in a top-down approach:

  • Rule 1: Add clients that trigger a threat intelligence hit to the DNO.

  • Rule 2: Check the communication destinations of suspicious clients in the DNO.

    • If the communication destination is stored in the event tracking table, allow the traffic.

    • Otherwise, continue processing the next rule.

  • Rule 3: Drop traffic from suspicious clients in the DNO, because this is unknown traffic.

  • Rule 4: Track the source and destination for all clients that are not in the DNO in the event tracking table in order to learn normal communication.

Get our newsletter

Subscribe to our mailing list

* indicates required

cognitix GmbH will use the information you provide on this form to be in touch with you and to provide updates and marketing. Please let us know all the ways you would like to hear from us:

You can change your mind at any time by clicking the unsubscribe link in the footer of any email you receive from us, or by contacting us at We will treat your information with respect. For more information about our privacy practices please visit our website. By clicking below, you agree that we may process your information in accordance with these terms.

We use MailChimp as our marketing platform. By clicking below to subscribe, you acknowledge that your information will be transferred to MailChimp for processing. Learn more about MailChimp's privacy practices here.