Real-Time Threat Detection Patterns
Real-Time Threat Detection Patterns
Modern attacks often involve multiple stages and techniques that individual security controls might miss. Advanced Persistent Threats (APTs) deliberately operate below detection thresholds, using legitimate tools and credentials to avoid triggering alerts. Effective detection requires understanding attack chains and correlating seemingly unrelated events across time and systems.
Behavioral analytics provides powerful detection capabilities by establishing baselines of normal behavior and identifying deviations. Machine learning models can identify subtle patterns that rule-based systems miss. However, these systems require careful tuning to balance detection sensitivity with false positive rates. Explainable AI helps security analysts understand why the system flagged specific activities as suspicious.
// Example: Real-time threat detection engine
const EventEmitter = require('events');
const { Pipeline } = require('stream');
const ml = require('ml.js');
class ThreatDetectionEngine extends EventEmitter {
constructor(config) {
super();
this.config = config;
this.detectors = new Map();
this.correlationEngine = new CorrelationEngine();
this.threatIntel = new ThreatIntelligence(config.threatIntel);
this.models = {};
this.initializeDetectors();
}
initializeDetectors() {
// Initialize various detection modules
this.detectors.set('bruteforce', new BruteForceDetector());
this.detectors.set('injection', new InjectionDetector());
this.detectors.set('anomaly', new AnomalyDetector());
this.detectors.set('exfiltration', new DataExfiltrationDetector());
this.detectors.set('lateral', new LateralMovementDetector());
this.detectors.set('persistence', new PersistenceDetector());
}
async processEvent(event) {
const detectionResults = [];
// Run through all detectors
for (const [name, detector] of this.detectors) {
try {
const results = await detector.analyze(event);
if (results.length > 0) {
detectionResults.push(...results.map(r => ({
...r,
detector: name,
timestamp: new Date()
})));
}
} catch (error) {
console.error(`Detector ${name} failed:`, error);
}
}
// Correlate with other events
const correlations = await this.correlationEngine.correlate(event, detectionResults);
// Emit high-confidence threats
const threats = [...detectionResults, ...correlations].filter(t => t.confidence > 0.7);
for (const threat of threats) {
this.emit('threat_detected', threat);
await this.handleThreatDetection(threat, event);
}
return threats;
}
async handleThreatDetection(threat, event) {
// Enrich threat with context
const enrichedThreat = await this.enrichThreat(threat, event);
// Determine response actions
const actions = this.determineResponseActions(enrichedThreat);
// Execute automated responses
for (const action of actions) {
if (action.automated) {
await this.executeAutomatedResponse(action, enrichedThreat);
}
}
// Create incident if severity warrants
if (enrichedThreat.severity >= this.config.incidentThreshold) {
await this.createIncident(enrichedThreat);
}
}
determineResponseActions(threat) {
const actions = [];
// Define response playbooks
const playbooks = {
bruteforce: [
{ action: 'block_ip', automated: true, delay: 0 },
{ action: 'lock_account', automated: true, delay: 300 },
{ action: 'notify_user', automated: true, delay: 0 },
{ action: 'increase_monitoring', automated: true, delay: 0 }
],
sql_injection: [
{ action: 'block_request', automated: true, delay: 0 },
{ action: 'terminate_session', automated: true, delay: 0 },
{ action: 'capture_forensics', automated: true, delay: 0 },
{ action: 'isolate_system', automated: false, delay: 0 }
],
data_exfiltration: [
{ action: 'throttle_connection', automated: true, delay: 0 },
{ action: 'revoke_access', automated: true, delay: 60 },
{ action: 'preserve_evidence', automated: true, delay: 0 },
{ action: 'notify_dpo', automated: true, delay: 0 }
],
lateral_movement: [
{ action: 'isolate_endpoint', automated: false, delay: 0 },
{ action: 'force_reauthentication', automated: true, delay: 0 },
{ action: 'disable_service_accounts', automated: false, delay: 0 },
{ action: 'snapshot_system', automated: true, delay: 0 }
]
};
// Select appropriate playbook
const playbook = playbooks[threat.type] || [];
// Adjust based on confidence and severity
for (const action of playbook) {
if (threat.confidence >= 0.9 || threat.severity === 'critical') {
actions.push(action);
} else if (threat.confidence >= 0.7 && !action.risky) {
actions.push({ ...action, automated: false });
}
}
return actions;
}
}
class DataExfiltrationDetector {
constructor() {
this.userBaselines = new Map();
this.sessionData = new Map();
}
async analyze(event) {
const detections = [];
if (event.type === 'data_access') {
const userId = event.userId;
const volume = event.dataVolume || 0;
const sessionId = event.sessionId;
// Track session data volume
if (!this.sessionData.has(sessionId)) {
this.sessionData.set(sessionId, {
startTime: new Date(),
totalVolume: 0,
accessCount: 0,
resources: new Set()
});
}
const session = this.sessionData.get(sessionId);
session.totalVolume += volume;
session.accessCount += 1;
session.resources.add(event.resource);
// Check against baseline
const baseline = await this.getUserBaseline(userId);
// Volume anomaly
if (session.totalVolume > baseline.avgDailyVolume * 10) {
detections.push({
type: 'excessive_data_access',
severity: 'high',
confidence: 0.8,
description: `User ${userId} accessed ${session.totalVolume / 1e6}MB data (baseline: ${baseline.avgDailyVolume / 1e6}MB)`,
indicators: {
volume: session.totalVolume,
baseline: baseline.avgDailyVolume,
deviation: session.totalVolume / baseline.avgDailyVolume
}
});
}
// Velocity anomaly
const sessionDuration = (new Date() - session.startTime) / 1000 / 60; // minutes
const accessRate = session.accessCount / Math.max(sessionDuration, 1);
if (accessRate > baseline.avgAccessRate * 5) {
detections.push({
type: 'rapid_data_access',
severity: 'medium',
confidence: 0.7,
description: `Unusual access velocity: ${accessRate.toFixed(2)} requests/min`,
indicators: {
rate: accessRate,
baseline: baseline.avgAccessRate
}
});
}
// Resource diversity anomaly
if (session.resources.size > baseline.avgResourceCount * 3) {
detections.push({
type: 'unusual_resource_access',
severity: 'medium',
confidence: 0.65,
description: `Accessing unusually diverse resources: ${session.resources.size} different resources`,
indicators: {
resourceCount: session.resources.size,
baseline: baseline.avgResourceCount
}
});
}
}
return detections;
}
async getUserBaseline(userId) {
// In production, this would query historical data
return {
avgDailyVolume: 50 * 1e6, // 50MB
avgAccessRate: 10, // 10 requests/min
avgResourceCount: 5,
typicalHours: [9, 10, 11, 12, 13, 14, 15, 16, 17],
typicalResources: ['reports', 'dashboards', 'profiles']
};
}
}
class CorrelationEngine {
constructor() {
this.eventWindow = new Map();
this.attackPatterns = this.loadAttackPatterns();
}
async correlate(event, detections) {
const correlations = [];
// Add event to window
this.addToWindow(event);
// Look for attack chains
const chains = this.detectAttackChains();
for (const chain of chains) {
const correlation = {
type: 'attack_chain',
pattern: chain.pattern,
events: chain.events,
confidence: chain.confidence,
severity: 'critical',
description: `Detected ${chain.pattern} attack pattern involving ${chain.events.length} events`
};
correlations.push(correlation);
}
// Look for distributed attacks
const distributed = await this.detectDistributedAttacks();
correlations.push(...distributed);
return correlations;
}
detectAttackChains() {
const chains = [];
// Define common attack patterns
const patterns = {
'kill_chain': [
{ type: 'reconnaissance', window: 3600 },
{ type: 'initial_access', window: 1800 },
{ type: 'execution', window: 900 },
{ type: 'persistence', window: 1800 },
{ type: 'lateral_movement', window: 3600 },
{ type: 'exfiltration', window: 7200 }
],
'ransomware': [
{ type: 'initial_access', window: 1800 },
{ type: 'privilege_escalation', window: 900 },
{ type: 'defense_evasion', window: 600 },
{ type: 'discovery', window: 1800 },
{ type: 'lateral_movement', window: 3600 },
{ type: 'encryption', window: 300 }
]
};
// Check each pattern
for (const [patternName, stages] of Object.entries(patterns)) {
const matches = this.findPatternMatches(stages);
if (matches.length >= stages.length * 0.6) { // 60% match threshold
chains.push({
pattern: patternName,
events: matches,
confidence: matches.length / stages.length
});
}
}
return chains;
}
}