Highlights
  • Reduce false positive alerts
  • Distinguish successful attacks from attack attempts

Correlation

StoneGate IPS uses event correlation to reduce false positive events and to distinguish successful attacks from mere attack attempts.

Several predefined correlation rules identify anomalous sequences of network events. Custom correlations can be created to complement the predefined ones.

Example:

A StoneGate IPS sensor, connected to an internal broadcast domain through a Capture Interface, detects an exploit attempt against a file share service that targets a vulnerability in Microsoft RPC. Thirty seconds later, the file server starts an aggressive port scan of the surrounding network. According to the defined correlation rule, the IPS analyzer correlates the two suspicious events and reacts accordingly, for example:
  • Isolate the attacker from the network by blacklisting the client on StoneGate IPS sensors and FW engines.
  • Request the inline IPS sensor to terminate the anomalous network traffic.
  • Request the Network Access Control (NAC) system to disconnect the user or IP address from the network.
  • Alert an administrator by sending an SMS to his or her mobile phone.
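The sequence rule in the example above, written out as a small stand-alone correlator. This is an added illustration, not StoneGate code: the event layout, the 60-second correlation window and the sample events are all constructed here. It shows the point of the page in working form: an exploit attempt on its own produces no incident (it may have failed), a scan on its own produces no incident (it may be an authorized scanner), and only the pair "exploit attempt against host H, then H itself starts scanning within the window" is escalated to response actions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    """One sensor event. Field layout is an assumption made for this example."""
    ts: float   # seconds since epoch
    kind: str   # "exploit_attempt" or "port_scan"
    src: str    # source host
    dst: str    # destination host or network


@dataclass(frozen=True)
class Incident:
    attacker: str
    victim: str
    exploit_ts: float
    scan_ts: float
    actions: Tuple[str, ...]


# Assumed window: the page's example uses a 30 s gap, so 60 s leaves margin.
WINDOW_SECONDS = 60.0

# Response actions listed on the page, attached to every correlated incident.
RESPONSE_ACTIONS = (
    "blacklist attacker on IPS sensors and FW engines",
    "terminate anomalous traffic on inline IPS sensor",
    "request NAC to disconnect compromised host",
    "alert administrator by SMS",
)


def correlate(events: List[Event], window: float = WINDOW_SECONDS) -> List[Incident]:
    """Two-stage correlation: exploit attempt against H, then H scanning within `window`.

    Only the completed sequence yields an Incident; lone attempts and lone scans are
    left as plain events, which is what removes the false positives.
    """
    # victim host -> (attacker, time of the most recent exploit attempt against it)
    pending: Dict[str, Tuple[str, float]] = {}
    incidents: List[Incident] = []

    for ev in sorted(events, key=lambda e: e.ts):
        # Drop stage-1 entries that can no longer complete inside the window.
        for victim in [v for v, (_, t0) in pending.items() if ev.ts - t0 > window]:
            del pending[victim]

        if ev.kind == "exploit_attempt":
            pending[ev.dst] = (ev.src, ev.ts)
        elif ev.kind == "port_scan" and ev.src in pending:
            attacker, t0 = pending.pop(ev.src)
            incidents.append(Incident(attacker, ev.src, t0, ev.ts, RESPONSE_ACTIONS))

    return incidents


# Constructed sample events: one real compromise, two harmless-looking singles,
# and one pair that is too far apart to correlate.
SAMPLE_EVENTS = [
    Event(1000.0, "exploit_attempt", "10.0.0.99", "10.0.1.20"),  # RPC exploit at file server
    Event(1030.0, "port_scan", "10.0.1.20", "10.0.1.0/24"),      # file server scans 30 s later
    Event(2000.0, "exploit_attempt", "10.0.0.77", "10.0.1.21"),  # attempt with no follow-on
    Event(3000.0, "port_scan", "10.0.1.30", "10.0.1.0/24"),      # scan with no preceding attempt
    Event(4000.0, "exploit_attempt", "10.0.0.88", "10.0.1.22"),
    Event(4100.0, "port_scan", "10.0.1.22", "10.0.1.0/24"),      # 100 s later: outside window
]


def demo() -> List[Incident]:
    found = correlate(SAMPLE_EVENTS)
    for inc in found:
        print(f"incident: {inc.attacker} -> {inc.victim}, "
              f"scan {inc.scan_ts - inc.exploit_ts:.0f}s after exploit")
        for action in inc.actions:
            print("  action:", action)
    return found


if __name__ == "__main__":
    demo()
```

Run on the sample stream, only the first pair is reported; the other four events are raw events a lighter alert (or none at all) would cover, which is what lets the correlated incident justify the heavier responses the page lists.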

Benefits

  • Improves the quality of the alerts
  • Accurate and reliable detection makes it possible to use heavier prevention mechanisms