Imunify360 Blog

Imunify360 Heuristics: Improving Threat Detection

Written by Greg Zemskov | Apr 1, 2020 10:08:34 AM

Imunify360 has six core components: Web Application Firewall, Linux Malware Scanner, Proactive Defense, IDS/IPS, WebShield, and Cloud-Based Security. The last of these, Cloud-Based Security, is driven by what we call heuristics.

In Imunify360, heuristics are a set of rules based on information coming in from thousands of Imunify-protected servers all over the world. These servers send threat information to the Imunify cloud server, where it’s automatically processed by dozens of scripts. It’s also manually processed by our Analytics team. 

Once it’s processed, this threat information is used to generate heuristics: blocking or whitelisting rules that significantly improve Imunify’s threat detection rate. 


Creating Dynamic Heuristics On The Fly

Imunify360 heuristics use data accumulated in the cloud to protect against real-time threats that the local rule set of any single server might not recognize. Let’s take a look at a typical situation addressed by these heuristics:

  1. Our cloud-based system continuously monitors ModSecurity/OSSEC and Proactive Defense incidents, counting how many occur across all Imunify360-protected servers.

  2. When the number of incidents exceeds a set threshold, this indicates an attack.

  3. Complex heuristics are then created that consider and correlate several conditions, such as user enumeration attempts, path traversal probes, and CVE exploitation attempts.

  4. A new blocking rule built from these heuristics is propagated to all Imunify agents, which use it to block the attack globally for a set period of time.
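As an added illustration of the four steps above (example code, not Imunify's own), the Python sketch below plays the cloud side: it counts recent incidents per source across all reporting servers, treats a count above the threshold that is seen on at least two distinct servers as an attack, correlates the signatures involved into one time-limited block rule, and shows the agent-side expiry check. The incident records, server ids, signature names, threshold, window and block lifetime are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

NOW = datetime(2020, 4, 1, 10, 0)   # moment the cloud side evaluates
WINDOW = timedelta(minutes=10)      # how far back incidents are counted
THRESHOLD = 3                       # more than this many incidents => attack
BLOCK_FOR = timedelta(hours=1)      # lifetime of the propagated rule

# Constructed sample incident reports as agents would send them to the cloud:
# (server_id, source_ip, detector, signature, timestamp). IPs are from
# documentation ranges; server ids and signature names are made up.
INCIDENTS = [
    ("srv-a", "198.51.100.7", "modsecurity", "user-enumeration", NOW - timedelta(minutes=5)),
    ("srv-b", "198.51.100.7", "modsecurity", "path-traversal", NOW - timedelta(minutes=4)),
    ("srv-c", "198.51.100.7", "ossec", "cve-probe", NOW - timedelta(minutes=3)),
    ("srv-a", "198.51.100.7", "proactive-defense", "path-traversal", NOW - timedelta(minutes=2)),
    # noisy client seen on a single server only: not a global attack
    ("srv-a", "203.0.113.9", "modsecurity", "path-traversal", NOW - timedelta(minutes=1)),
    ("srv-a", "203.0.113.9", "modsecurity", "path-traversal", NOW - timedelta(minutes=1)),
    ("srv-a", "203.0.113.9", "modsecurity", "path-traversal", NOW - timedelta(minutes=1)),
    ("srv-a", "203.0.113.9", "modsecurity", "path-traversal", NOW - timedelta(minutes=1)),
    # stale report outside the window: ignored
    ("srv-b", "192.0.2.15", "ossec", "cve-probe", NOW - timedelta(hours=2)),
]

@dataclass(frozen=True)
class BlockRule:
    source_ip: str
    reasons: tuple        # correlated detector:signature pairs behind the rule
    expires_at: datetime  # rule is dropped by agents after this time

def build_dynamic_rules(incidents, now=NOW, window=WINDOW,
                        threshold=THRESHOLD, block_for=BLOCK_FOR):
    """Steps 1-4: count recent incidents per source across servers, require
    the count to exceed the threshold on at least two distinct servers,
    correlate the signatures seen, and emit a time-limited block rule."""
    recent = defaultdict(list)
    for server, ip, detector, sig, ts in incidents:
        if now - ts <= window:
            recent[ip].append((server, f"{detector}:{sig}"))
    rules = []
    for ip, events in recent.items():
        servers = {server for server, _ in events}
        if len(events) > threshold and len(servers) >= 2:
            reasons = tuple(sorted({reason for _, reason in events}))
            rules.append(BlockRule(ip, reasons, now + block_for))
    return rules

def is_blocked(rules, source_ip, at):
    """Agent-side check: a propagated rule applies only until it expires."""
    return any(r.source_ip == source_ip and at < r.expires_at for r in rules)
```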

Producing Static Heuristics Through Analysis

In addition to the dynamic heuristics described above, Imunify360 heuristics also include static rules produced by our Analytics team. The team analyzes the behavior of bots and users on the server, then creates rules that distinguish between attackers and legitimate users. This lowers the false-positive rate to near-zero. 

The Analytics team also monitors alerts per cluster of specific customer IPs. It distinguishes between good requests (ones that are natural and legitimate for a selected network subnet or group of servers) and bad requests (ones that are not). This cluster analysis allows the team to tailor heuristics to a specific set of customers, which maximizes their effectiveness.


Some Examples Of Imunify Heuristics

Let’s start with some simple heuristics: the rules that block known bad bots. Here we can see them handling thousands of requests from known bad user agents:


This chart logs the performance of two heuristics, “IOTexploiters” and “SSH Brute-Force Attacks.” The first, IOTexploiters, accumulates, analyzes and blocks system command injection attempts. The second, SSH Brute-Force Attacks, compares successful against failed SSH logins and reacts accordingly:


Attacks based on CAPTCHA requests are also blocked by our heuristics, which are triggered by statistical analysis. This chart shows the number of such incidents over one day; as you can see, there are many on any given day:


This final chart displays a single day of web shell attacks, which target well-known paths on infected servers. By detecting these sorts of attacks in real time, Imunify360 can generate the heuristics needed to block them:


Evaluating Our Heuristics Approach

Most security solutions on the market rely only on local rules in ModSecurity and other components, an approach that isn’t effective against modern threats. That’s why we developed our cloud-based heuristics approach.

If you’d like to evaluate our heuristics approach firsthand, you can try Imunify360 free for 14 days. Just request a trial here, or contact us directly at sales@imunify360.com.