Perception Update - Brute Force Behaviour Detection

Added ability to classify traffic containing repeated similar sessions.  This behaviour is indicative of malware attempting to brute force login to a server or service.

This classifier provides the analyst with an early indication of attempted unauthorised access to a server or service on their network.

Early stages of an attack are the most valuable indicators when it comes to active malware on your network.  Whether it’s exploit-stage activity at the perimeter or pivot-stage activity between hosts, a common behaviour for malicious software is to repeatedly bombard password protected systems with login attempts using different credentials every time.

This classification enables us to identify behaviour indicative of brute-forcing.  This enables the analyst to focus on the machine exhibiting this behaviour, tighten up security around hosts that regularly see this type of attack, or start to investigate the origin of active malware.

Of course, it could also be a single stage of a larger attack, and this enables the analyst to build a picture of the malware life-cycle, identifying the origin of the malware, it’s movement on the network (if any), and address the issue before any late stage attack activity occurs.

This update is sensor based, and will be pushed to all managed customers at the pre-agreed upgrade time.  Self-monitored customers can update their own sensors using the software upgrade process.  If you have any further questions about this upgrade please contact us at