Brute force Login Detection
Goal
Detects large spikes in failed user logins that could indicate a brute-force attack by a threat actor. To achieve this, we learn the usual number of failed login attempts for each user.
Description
The model uses a simple statistical method to compute the normal behaviour of each user, that is, it tracks the normal number of failed logins for every user.
With that information, we produce an alert when there is a large deviation from normal behaviour.
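A sketch of the per-user baseline and deviation check described above. It is an added example, not the product's own code. The page does not name the statistic, so mean plus k standard deviations is an assumption, as are the function names, the tuning parameters and the constructed sample counts.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: (user, time_window, failed_login_count).
# The layout is illustrative and is not the SonicWall log schema.
HISTORY = (
    [("alice", w, c) for w, c in enumerate([0, 1, 0, 2, 1, 0, 1, 0])]
    + [("bob", w, c) for w, c in enumerate([2, 6, 3, 8, 4, 7, 3, 7])]
    + [("carol", 0, 1)]  # new user with almost no history
)


def build_baselines(history):
    """Group the per-window failed-login counts by user."""
    per_user = defaultdict(list)
    for user, _window, count in history:
        per_user[user].append(count)
    return dict(per_user)


def should_alert(baselines, user, current_count, k=3.0,
                 min_history=5, min_failures=5, cold_start_threshold=20):
    """Return True when current_count is a large deviation from the user's norm.

    k, min_history, min_failures and cold_start_threshold are assumed
    tuning parameters, not values taken from the page.
    """
    # Floor: a handful of failures never alerts, whatever the baseline says.
    if current_count < min_failures:
        return False
    counts = baselines.get(user, [])
    # Too little history to learn a norm: fall back to a fixed threshold.
    if len(counts) < min_history:
        return current_count >= cold_start_threshold
    mu = mean(counts)
    # Clamp sigma so a flat history does not produce a zero-width band.
    sigma = max(pstdev(counts), 1.0)
    return current_count > mu + k * sigma


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    for user, count in [("alice", 10), ("bob", 10), ("bob", 12), ("carol", 10)]:
        print(user, count, should_alert(baselines, user, count))
```

The same count of 10 failures alerts for alice, whose history is near zero, but not for bob, whose normal range is wider. The returned boolean corresponds to the raw output of the model.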
Characteristics
Name
Brute force Login Detection
Data involved
VPN events. Currently it works with SonicWall devices.
Alert Generation
Only produces high severity alerts.
Raw outputs of the model
A boolean value that indicates whether an alert should be produced.
Last updated