Global Correlation Risk Delta

Unanswered Question
Oct 8th, 2009


I'm currently working on Tuning a pair of IPS modules in ASA's. We are currently in Promiscous and tuning/filtering to ensure we don't block any valid traffic when making the switch to inline.

We are using the new 7.0.1 code and getting the global correlation / reputation data - works great & rocks.

When viewing the events - there is a paramater - "Global Correlation Risk Delta" -- Could someone explain to me what that is?

I understand how it adjusts the RR based on reputation & have the chart (including it for those who do not have it - got it from a networkers prezo). However I am having a hard time figuring out what Global Correlation Risk Delta is/means/does...anyone know?



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
PWCSinfosec Fri, 10/09/2009 - 06:11

I am acutally investigating the exact same question, so I look forward to any answers that come from this post.

Thanks for posting the chart. I see that it is the chart for "Standard" mode, do you happen to have the "Aggressive" mode chart? Or know who to contact for this chart?

melchib Fri, 10/09/2009 - 07:29


I only have the chart for Standard mode - which I cannot find anywhere on Cisco's website - at least the guy presenting at Networkers was kind enough to put it in his prezo. However, in that same prezo he mentions (when there is a negative reputation for the attacker) Aggressive Mode will Deny Packet Inline when RR reaches 83 and Deny Attacker Inline when RR reaches 95. I'll include the slides

marcabal Fri, 10/09/2009 - 11:17

Here is a basic description.

Without Global Correlation (versions prior to 7.0, or version 7.0 with the feature turned off) all alert triggerings will have a Risk Rating calculated.

How a Risk Rating is calculated is explained in the following White Paper on

Now with version 7.0 when Global Correlation is enabled there is now a new parameter added to the Risk Rating calculation ( + Global Correlation Risk Delta )

The Global Correlation Risk Delta is either 0 or a positive value and so can keep the Risk Rating the same, or raise the Risk Rating, but will not decrease the Risk Rating.

The Global Correlation Risk Delta is calculated based on both the Attacker IP address, and the Initial Risk Rating ( The Initial Risk Rating is the Risk Rating calculated without the Global Correlation Risk Delta).

When Global Correlation is enabled in version 7.0 the sensor will download a Reputation Database from the cisco servers. This reputation database contains lists of Public IP Addresses that have been known to be sources of attacks in the past. With that database a Negative Reputation Score is determined for each Address in the database. The Negative Reputation Score could range anywhere from a -0.5 to a -10. If only a few atttacks have been seen from the address, the score may be only slightl negative in the -0.5 - -3 range. The worst offending Attacker IP Addresses could have negative scores in the -8 to -10 range.

That Reputation Database is only for Public IP Addresses. So Private IP Addresses (addresses used only with NAT/PAT and are not Internet routable) will not exist in the Reputation Database.

If the attacker IP Address is a Private IP Address, or is a Public IP Address that is NOT in the Reputation Database, then the sensor will automatically set the Global Correlation Risk Delta to 0.

When added into the Original Risk Rating, the Risk Rating winds up the same (no change).

So Global Correlation has no effect on Private IP Addresses, or Public IP Addresses that do NOT have Negative Reputation.

It is only when the Attacker is from a Public IP Address with Negative Reputation that the Global Correlation Risk Delta is calculated.

Internally the sensor has a formula to calculate what that Delta should be.

The inputs to that formula are the Negative Reputation Score for the Atttacker IP, Original Risk Rating, as well as some proprietary variables for fine tuning the formula.

All of these are inputs to the formula, and the one output is the Delta.

The Delta is then Added to the Initial Risk Rating and results in a Higher Risk Rating.

The chart from your first post is a result of plugging in the highest 20 possible Risk Ratings, and 20 possible negative Reputation scores, and uses the original proprietary variable settings, and shows you what the formula will output as the Global Correlation Risk Delta.

So this should be used as just an example.

The formula will still be used for Risk Ratings lower than 80 that are not shown on the chart, and will also be used for Negative Reputation Scores that are not neatly rounded to a 0.5 number.

Also the proprietary variables are also subject to change, as we continue to fine tune the formula.

So the chart you've posted is a good example of the type of Deltas that the formula can output.

Because of this calculated Delta being added to the Risk Rating, the same attack coming from a known Negative Reputation Public Address will wind up with a Higher Risk Rating than the same attack coming from a Private IP Address (or even the same Public Address when not using Global Correlation).

The sensor then has features for how it can then make use of the Risk Rating.

And I will talk about this in the next post. I am limited by the number of characters in a single post or I would have put it into this post.

marcabal Fri, 10/09/2009 - 11:53

The sensor has a feature called Event Action Overrides.

This feature has been around since IPS 5.0.

This features allows the sensor to look at the calculated Risk Rating, and then add Event Actions to an alert based on that Risk Rating.

There is 1 default Event Action Override that a sensor ships with.

The sensor will add a Deny Packet InLine Event Action Override for ever alert with a Risk Rating between 90 and 100.

This default Event Action Override (as well as any other Event Action Override the user may have added themselves) will apply to All alerts.

So alerts for attackers with Private addresses, alerts with Public Addresses that do not have a Negative Reputation, as well as alerts with Publix Addresses that Do have Negative Reputation will be checked for the Event Action Overrides.

In the case of Private addresses, and Public addresses without Negative Reputation it is the regular Risk Rating that is compared to the Event Action Overrides.

In the case of Public Addresses that Do have Negative Reputation it is the Risk Rating resluting from the addition of the Global Correlation Risk Delta that is compared to the Event Action Overrides.

Since the Global Correlation Risk Delta increases the Risk Rating the chance of the alert being Denied by the default Event Action Override is much higher.

And so can provide you better protection.

Understand that the default event action override for Deny Packet InLine only really affects InLine deployments.

With Promiscuous deployments the only thing it does is let you know in the alert that the sensor could have denied the attack had you deployed it inline instead.

In addition to the regular Event Action Overrides, there also what I like to call Global Correlation Action Overrides.

These operate in a similar method as the regulat Event Action Overrides, BUT are not configured the same.

Where in the regular Event Action Override you can configure what the Risk Rating Range is for each Action, you can NOT do this directly with the Global Correlation Action Overrides.

The Global Correlation Action Overrides are configured with the Global Correlation Inspection Influence.

The Global Correlation Inspection Influence has 3 possible settings: Permissive, Standard, and Aggressive.

Regardless of which setting you use, the Global Correlation Risk Delta is still calculated the same way.

The Global Correlation Inspection Influence only affects actions might get added based on the final calculated Risk Rating.

In "Permissive mode", the Global Correlation Action Overrides are disabled, and no actions will be added by the Global Correlation feature itself.

The Risk Rating will have been changed by the Delta, and may match on the default Event Action Override for Deny Packet Inline. But that action would be from the regular Event Action Overrides and not Global Correlation Action Overrides.

Now the "Standard" does use Global Correlation Action Overrides.

As you saw in the presentation from Networkers it is able to add the Deny Packet InLine and the Deny Attacker InLine Event Actions.

Where the default Event Action Override will add a Deny Packet InLine event action when the Risk Rating is 90-100, the Standard mode will add a Deny Packet InLine event action when the Risk Rating is between 86-100. And will even add a Deny Attacker InLine if the Risk Rating is 100.

These are what I call the Global Correlation Action Overrides.

You see that they operate similar to the regular Event Action Overrides, but the Range for deny packet inline is 86-100 instead of the default 90-100 used in the default regular Event Action Overrides.

You will also see that Global Correlation also has a deny attacker inline action that could be added.

marcabal Fri, 10/09/2009 - 11:53

Continuation from previous post:

In "Aggressive" mode the Ranges used in the Global Correlation Action Overrides are lowered even further.

So in "Aggressive" mode the deny packer inline gets added when the Riak Rating is between 83-100. And deny attacker inline is added when the Risk Rating is between 95-100.

Here are some more key things to understand:

1) The Permissive, Standard, and Aggressive modes only apply to alerts where the Attacker has a negative reputation. So the Global Correlation Action Overrides that wil add deny packet inline and deny attacker inline only are checked when attacker has a negative reputation.

2) As I mentioned for the regular Event Action Overrides. The deny actions only take place when running in InLine mode. If running in promiscuous you just an additonal entry in the alert letting you know it would have done the deny if you had deployed it inline.

3) The Delta is calculated the same regardless of which mode is chosen.

4) The Risk Ranges for the Global Correlation Action Overrides mentioned above and in your slides ARE SUBJECT TO CHANGE. The ranges you see above are just the intiial settings that 7.0 was sent out with.

BUT when a reputation database is loaded as part of Global Correlation the sensor may pull down a NEW set of Ranges to use with the Standard and Agggressive modes.

So the Standard Mode may be using 85-100 as the deny packet inline range today, there does exist the possibility that tomorrow that range could be changed to 80-100 for example.

Just that the proprietary variables that I mentioned when calculating the Delta can be changed, so can these Ranges used in the different modes.

These settings are being fine tuned to give the best results.

Hope this helps to better explain the different actions of the features within Global Correlation.

Please let me know if something is still confusing and needs more explanation.

melchib Fri, 10/09/2009 - 12:04

Thanks Marcoa - Great Info, Very much appreciated. Cisco should have engineers write the release notes instead of the wonderful folks in marketing.

Thanks again,



This Discussion