Current threat management systems are focused on blocking “bad” requests on a specific level (e.g., firewalls, operating systems, applications, routers, etc.). Generally, today's systems do not coordinate threat management activities across different applications, stack levels, or across distributed systems.
Most systems monitor activity only in a single or a very limited number of elements in a system. For example, a system may determine that a threat exists if a particular number of connection requests are received in a given amount of time. Some specific detection systems determine that a threat exists based on occurrences of only a very specific type of suspicious activity occurring in one or more elements of the system. However, current threat management systems do not generally detect the occurrence of suspicious activity in more than one element of a system and, based on the occurrence of that activity in the system, determine that a threat exists. For example, if a threat is determined when 8 attacks occur, if system A detects 4 attacks and system B detects 4 attacks, then because no single element of the system detects 8 attacks, no threat is determined. Further, when an element determines that a threat exists, countermeasures are deployed within that element, but other portions of the system may still be subject to attack. In summary, there is no system that allows a general correlation of activities in multiple elements of the system to detect threats and a coordinated deployment of countermeasures among the multiple elements to mitigate the detected.