We Built a System to Detect Attacks Invisible in Individual Systems Through Cross-System Log Correlation
A firewall port scan, a VPN authentication failure, an application login attempt: each event on its own is low severity. But when the same IP appears across all 3 layers at the same time, it is not coincidence; it is an attack campaign. We implemented a multi-layer correlation engine in BASTION and demonstrated cross-layer campaign detection on an actual attack.
Individual Device Monitoring Has Structural Blind Spots
Until now, BASTION has analyzed each device's logs separately to detect anomalies: a firewall port scan, bot attacks on a web server, AD authentication failures. Whenever any single device exceeds its threshold, we block the source.
However, this approach cannot detect campaigns made up of attacks that each stay below a device's threshold.
To detect this “invisible in isolation, but visible across systems” pattern, we implemented a multi-layer correlation engine in BASTION.
Multi-Layer Defense Architecture
The infrastructure monitored by BASTION is composed of 5 defensive layers.
| Layer | Defense Target | Detected Events |
|---|---|---|
| L1: Network Boundary | Firewall | Port scans, DDoS, malformed packets |
| L2: VPN / Remote Access | VPN Gateway | TLS errors, authentication failures, certificate probing |
| L3: Authentication Infrastructure | AD / LDAP | Login failures, account lockouts, credential stuffing |
| L4: Application | Web Server / Cloud Applications | Bot spam, vulnerability scans, login attempts |
| L5: Endpoint | Windows Clients | Suspicious PowerShell execution, USB connections, privilege escalation |
Traditionally, these 5 layers were monitored independently. The multi-layer correlation engine tracks all layers horizontally by correlating events from every layer on the same source IP.
Trace Accumulation and Correlation
The core of the multi-layer correlation engine is a mechanism that accumulates “traces” of attack source IPs across layers:
1. Run the periodic analysis every 15 minutes.
2. Extract source IPs from each layer's logs.
3. Record to the trace registry when, in which layer, and what was detected.
4. Auto-detect IPs that appear in multiple layers.
5. If the correlation threshold is exceeded, judge the IP as a campaign.
6. Auto-block.
Even when each individual layer shows low severity, as traces accumulate across multiple layers the correlation score rises and auto-block engages for the campaign.
Traces Decay
Traces are not persistent. They are automatically deleted after a period without updates. If attackers stop scanning, their traces disappear and the false positive risk decreases. Conversely, if traces overlap across multiple layers within a short time, the correlation score rises rapidly and blocking engages. A “remember, but forget” design.
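As an added example (not BASTION's own code), a minimal trace registry in Python implementing the accumulate-and-decay logic described above. The layer names follow the article; the 2-hour TTL, the 3-layer threshold, the whitelist networks, the "distinct live layers" scoring and the event format are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

TRACE_TTL = timedelta(hours=2)   # assumption: a trace not refreshed within 2 h is forgotten
CAMPAIGN_LAYERS = 3              # assumption: same IP live in >= 3 distinct layers = campaign
WHITELIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]  # assumed

class TraceRegistry:
    """Trace registry: ip -> {layer: time that layer last reported the ip}."""
    def __init__(self):
        self._traces = defaultdict(dict)

    def record(self, ip, layer, seen_at):
        if any(ipaddress.ip_address(ip) in net for net in WHITELIST):
            return                              # whitelisted sources never accumulate traces
        self._traces[ip][layer] = seen_at       # refreshing a layer resets its decay clock

    def decay(self, now):
        """'Remember, but forget': drop layer traces older than TRACE_TTL, and idle IPs."""
        for ip in list(self._traces):
            live = {l: t for l, t in self._traces[ip].items() if now - t <= TRACE_TTL}
            if live:
                self._traces[ip] = live
            else:
                del self._traces[ip]

    def campaigns(self, now):
        """Correlation score = number of distinct live layers; return IPs over threshold."""
        self.decay(now)
        return {ip: sorted(layers) for ip, layers in self._traces.items()
                if len(layers) >= CAMPAIGN_LAYERS}

# Constructed sample events (ip, layer, timestamp); none exceeds any single-layer threshold.
T0 = datetime(2024, 1, 1, 12, 0)
EVENTS = [
    ("203.0.113.12", "L1_network", T0),                        # one firewall block
    ("203.0.113.12", "L3_auth", T0 + timedelta(minutes=20)),   # one AD login failure
    ("203.0.113.12", "L4_app", T0 + timedelta(minutes=40)),    # one web login attempt
    ("198.51.100.7", "L4_app", T0 - timedelta(hours=6)),       # stale trace, will decay
    ("198.51.100.7", "L1_network", T0),                        # single-layer noise
    ("10.0.0.5", "L1_network", T0), ("10.0.0.5", "L3_auth", T0), ("10.0.0.5", "L4_app", T0),
]

def demo(now=T0 + timedelta(minutes=45)):
    reg = TraceRegistry()                       # feed all sample events, then evaluate
    for ip, layer, ts in EVENTS:
        reg.record(ip, layer, ts)
    return reg.campaigns(now)
```

Only 203.0.113.12 is judged a campaign: its three layers are all live, 198.51.100.7 keeps a single live layer after its stale trace decays, and the private 10.0.0.5 is skipped by the whitelist.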
Actual Campaign Detection
Shortly after implementing the multi-layer correlation engine, campaign detection engaged on an actual attack.
Multi-Layer Correlation Campaign Detection
Attack source IP: xx.xxx.156.12
Appearance layers (3 layers): L1_network, L3_auth, L4_app
Total events: 120
The same IP was detected across multiple defensive layers.
This IP exhibited the following behavioral patterns.
| Layer | Detection Content | Individual Judgment |
|---|---|---|
| L1: Network Boundary | Access blocked by firewall | — (normal noise range) |
| L3: Authentication Infrastructure | Authentication-related events detected | — (below threshold individually) |
| L4: Application | Access detected at application layer | — (below threshold individually) |
No single layer would have produced a high-severity judgment on its own. But because the same IP appeared in 3 layers, the multi-layer correlation engine judged it as a campaign and auto-block engaged.
Why This Matters
Fundamental Difference from Fail2Ban
Fail2Ban is an excellent tool, but it only makes threshold judgments over a single log file: “ban if 10 403s appear in nginx-error.log”. That judgment is confined to one log on one device.
The multi-layer correlation engine tracks the behavioral pattern of the same IP across the logs of all devices. From that cross-log context it detects “low-frequency, multi-layer” attack campaigns that no individual device can see.
Accuracy Improves as Connected Devices Increase
When a new device’s syslog is connected to BASTION, one “layer” is added to multi-layer correlation. As layers increase, the behavioral pattern of the same IP is observed from more angles, improving campaign detection accuracy.
This is a characteristic absent in traditional monitoring tools (independent analysis per device). With BASTION, as monitored targets increase, the entire system’s defensive capability strengthens.
The “Just Point syslog” Design Was a Prerequisite
The mechanism implemented in Article 4, which automatically determines the device type when you simply point syslog at BASTION, also served as the onboarding design for multi-layer correlation. Since adding a new device requires no configuration file editing or device registration, we can connect all machines in a customer environment to BASTION in a short timeframe. Easy connection is what makes multi-layer correlation practical.
Safety Design
Since multi-layer correlation auto-blocks, false positive risk management is critical.
| Safety Mechanism | Purpose |
|---|---|
| Automatic trace decay | Traces without updates are auto-deleted. Prevents false judgments from old traces |
| Whitelist matching | Private IPs, company IPs, DNS servers are never blocked |
| Duplicate block check | Already-blocked IPs are not double-blocked |
| 24-hour auto-release | Even false blocks recover automatically in 24 hours |
| Immediate release from Slack | Upon business impact, immediately releasable via Slack command |
Summary
We implemented a multi-layer correlation engine in BASTION to automatically detect attack campaigns across all system logs. Even attacks below individual device thresholds are judged as campaigns if the same IP appears across multiple defensive layers, triggering auto-block.
Immediately after implementation, cross-layer campaign detection engaged on an actual attack across 3 layers, completing proof of concept. BASTION is evolving from “individual device monitoring tool” to “cross-system attack campaign detection engine”.
BASTION is a service that realizes AI security monitoring in closed environments.
By connecting your entire infrastructure to BASTION, multi-layer correlation defense becomes effective.