Multi-Session Intrusion Detection
The MetaFlows Security System (MSS) uses patented intrusion detection technology (Dialog Based Correlation) that does not require any tuning or significant configuration, and yet consistently finds malware and data exfiltrations that are routinely missed by all other products deployed in the same network. The key is multi-session traffic analysis.
Multi-Session Traffic Analysis
Multi-session traffic analysis (also called dialog-based correlation) automatically correlates IDS alerts involving a single internal asset with multiple external hosts over time.
Traditional IDS software generates alerts by reconstructing a single session between two endpoints and finding known patterns that confirm security violations within that specific session. This usually results in a very high false positive rate. Important events are often missed due to the huge volume of false positive or low-priority network security events.
MetaFlows uses Multi-Session Intrusion Detection Analysis. This advanced correlation technique gathers specific IDS alerts (also called dialog events) that form a typical behavior pattern for an infected host. Dialog events are fed directly into a separate correlation engine, where each host’s individual dialog production pattern is mapped and scored against an abstract Malware infection life cycle model.
When the dialog correlation algorithm shows that a host’s dialog patterns map sufficiently close to the life cycle, the host is declared infected, and an infection profile (a partial summary example is shown below) is generated to summarize all evidence about the infection.