Malicious parties often seek to gain access to systems through a variety of means, including brute force attacks. Brute force attacks may be horizontal, in which the malicious party attempts to compromise the accounts of multiple legitimate users; vertical, in which the malicious party makes multiple attempts to compromise the account of one legitimate user; or a combination of horizontal and vertical attacks. Attacks may additionally be distributed, in which multiple attackers attack one target; directed, in which one attacker attacks one target; wide, in which one attacker attacks multiple targets; or combinations of these. In any of these forms, the activity may consist of login attempts (as in brute force attacks), attempts to overwhelm the target(s) (such as a denial of service attack), or attempts to expose or manipulate data used by the targets (such as a buffer overflow attack or SQL injection).
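As an added example that is not part of the original text, the following Python classifies a batch of failed-login events according to the horizontal/vertical and distributed/directed/wide distinctions described above. The event tuples are constructed sample data, and the reporting threshold is an assumed value a defender would tune against real traffic.

```python
from collections import Counter, defaultdict

# Constructed sample of failed-login events: (source_ip, target_host, username).
FAILED_LOGINS = [
    ("10.0.0.5", "host-a", "alice"), ("10.0.0.5", "host-a", "bob"),
    ("10.0.0.5", "host-a", "carol"), ("10.0.0.5", "host-a", "dave"),
    ("10.0.0.9", "host-b", "admin"), ("10.0.0.9", "host-b", "admin"),
    ("10.0.0.9", "host-b", "admin"), ("10.0.0.9", "host-b", "admin"),
    ("10.0.1.1", "host-c", "root"), ("10.0.1.2", "host-c", "root"),
    ("10.0.1.3", "host-c", "root"),
    ("10.0.2.7", "host-d", "guest"), ("10.0.2.7", "host-e", "guest"),
    ("10.0.2.7", "host-f", "guest"),
    ("10.0.3.3", "host-a", "alice"),  # one mistyped password: benign noise
]


def classify(events, threshold=3):
    """Return the brute-force patterns present in a batch of failed logins.

    threshold is the minimum count before a pattern is reported (assumed
    value; raising it trades detection speed for fewer false positives).
    """
    users_per_source_target = defaultdict(set)  # (src, host) -> usernames
    attempts_per_account = Counter()             # (src, host, user) -> count
    sources_per_target = defaultdict(set)        # host -> source IPs
    targets_per_source = defaultdict(set)        # src -> hosts
    for src, host, user in events:
        users_per_source_target[(src, host)].add(user)
        attempts_per_account[(src, host, user)] += 1
        sources_per_target[host].add(src)
        targets_per_source[src].add(host)
    return {
        # horizontal: one source trying many different accounts on one target
        "horizontal": sorted(k for k, u in users_per_source_target.items()
                             if len(u) >= threshold),
        # vertical: repeated attempts against a single account
        "vertical": sorted(k for k, n in attempts_per_account.items()
                           if n >= threshold),
        # distributed: many sources converging on one target
        "distributed": sorted(h for h, s in sources_per_target.items()
                              if len(s) >= threshold),
        # wide: one source attacking many targets
        "wide": sorted(s for s, h in targets_per_source.items()
                       if len(h) >= threshold),
    }


if __name__ == "__main__":
    for pattern, hits in classify(FAILED_LOGINS).items():
        print(f"{pattern}: {hits}")
```

A single entry appearing under more than one key is how a combined pattern (for example horizontal and vertical from the same source) shows up; the lone failure from 10.0.3.3 stays below threshold and is not reported.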
Malicious parties frequently make use of remote terminal access (RTA) protocols and productivity software to take control of multiple machines, physical or virtual, in order to carry out their attacks. This is a growing concern as more users turn to RTA to access virtual machines (VMs) run in a distributed computing environment remote from the users (i.e., the "cloud"). As protective measures to help block malicious attacks, users or administrators may close RTA ports they do not use, change the RTA port numbers used, or set up allowed IP address lists, but these steps may require significant resources to execute, as well as the administrative privileges needed to make the changes.
Malicious attacks, however, can be confused with legitimate communications. Network administrators have therefore implemented various false-positive reduction schemes alongside their security measures, but if those schemes are not accurate enough, the security measures may still improperly block the IP addresses or lock the accounts of legitimate users. These false positives are frustrating to users, and they require network administrators to expend resources to undo the security measure (e.g., unlock an account that was locked, restore access to files/systems that were blocked, remove an IP address from a blacklist) that was applied against the legitimate use case in response to a false positive.