Multi-Session IDS/IPS Correlation

The MetaFlows Security System (MSS) detects and prevents cyber threats using multiple, collaborative intelligence sources at once, rather than a traditional single-source, proprietary intelligence feed. Furthermore, instead of relying solely on a single functional component (like IDS or sandboxing), the MSS performs multifunctional traffic analysis, looking for multiple red flags in the behavior of hosts on the network.

This unique, multi-functional, multi-session, behavioral detection technology simultaneously lowers both false positive and false negative rates. Improved detection accuracy yields tremendous cost savings in terms of human capital and automation (while improving security).

Multi-Session Traffic Analysis

Our software monitors your network traffic to quickly find systems that are infected with malware or are part of a botnet. Unlike other IDS systems, it compares IDS alerts from multiple sessions and combines them to find typical infection patterns or abusive behavior.

Traditional IDS software generates alerts by reconstructing a single session between two endpoints and finding known patterns that confirm security violations within that specific session. This usually results in a very high false positive rate. Important events are often missed due to the huge volume of false positive or low-priority network security events.

MetaFlows uses Multi-Session Intrusion Detection Analysis. This advanced correlation technique gathers specific IDS alerts (also called dialog events) that form a typical behavior pattern for an infected host. Dialog events are fed directly into a separate correlation engine, where each host’s individual dialog production pattern is mapped and scored against an abstract malware infection life cycle model.

When the dialog correlation algorithm shows that a host’s dialog patterns map sufficiently closely to the life cycle, the host is declared infected, and an infection profile is generated to summarize all evidence about the infection.
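The scoring step described above can be sketched as follows. This is an added example, not MetaFlows' code: the stage names, weights, threshold, time window and alert tuples are all assumptions constructed for illustration. Each life-cycle stage counts once per host, so a flood of identical alerts cannot reach the threshold on its own.

```python
from collections import defaultdict

# Hypothetical life-cycle stages and weights (assumptions for illustration,
# not the vendor's model). A stage counts once, however often it fires.
STAGE_WEIGHTS = {
    "inbound_scan": 0.25,
    "inbound_exploit": 0.5,
    "binary_download": 1.0,
    "cnc_traffic": 1.0,
    "outbound_scan": 0.75,
}
THRESHOLD = 2.0   # assumed minimum score to declare a host infected
WINDOW = 600      # assumed correlation window, in seconds

# Constructed dialog events: (timestamp, internal_host, session_id, stage)
ALERTS = [
    (0, "10.0.0.5", "s1", "inbound_exploit"),
    (40, "10.0.0.5", "s2", "binary_download"),
    (100, "10.0.0.5", "s3", "cnc_traffic"),
    (300, "10.0.0.5", "s4", "outbound_scan"),
    (0, "10.0.0.7", "s1", "binary_download"),
    (5000, "10.0.0.7", "s2", "cnc_traffic"),   # too far apart to correlate
] + [(t, "10.0.0.9", f"n{t}", "inbound_scan") for t in range(0, 200, 10)]

def correlate(alerts, window=WINDOW, threshold=THRESHOLD):
    """Return one profile per host: best-scoring window and its evidence."""
    by_host = defaultdict(list)
    for ts, host, session, stage in alerts:
        if stage in STAGE_WEIGHTS:            # ignore non-dialog alerts
            by_host[host].append((ts, session, stage))
    profiles = {}
    for host, events in by_host.items():
        events.sort()
        best = None
        for i, (start, _, _) in enumerate(events):
            in_win = [e for e in events[i:] if e[0] - start <= window]
            stages = {e[2] for e in in_win}
            score = sum(STAGE_WEIGHTS[s] for s in stages)
            if best is None or score > best["score"]:
                best = {"score": score, "stages": sorted(stages),
                        "evidence": in_win}
        best["sessions"] = sorted({e[1] for e in best["evidence"]})
        best["infected"] = best["score"] >= threshold and len(best["sessions"]) >= 2
        profiles[host] = best
    return profiles
```

In the constructed data, the host with four distinct stages across four sessions is flagged, while the host that only receives repeated scan alerts and the host whose two events fall outside the window are not.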

SC Magazine Hall of Fame

SC Magazine has inducted MetaFlows into the 2014 Industry Innovators: Hall of Fame.
They write: "We were pleased that this Innovator continues to blaze the trail ahead for perimeter defense in an environment increasingly consisting of less and less perimeter to defend. The problem is a tough one and MetaFlows has brought creativity and insight to the solution. This is one of the most positive uses of the cloud for security purposes that we have seen in quite a while."

Top 20 Most Promising Enterprise Security Companies in 2015

CIO Review Magazine has selected MetaFlows as one of the top 20 Most Promising Enterprise Security Companies in 2015.
In the article "Cost Effectively Tackling Advanced Security Threats", MetaFlows' Chief Scientist Livio Ricciulli provides a road map for tackling the new security challenges facing enterprises in the upcoming decade.


A single security appliance using our ground-breaking multi-core processing capability can inspect up to 800 Mbps on a single processor or up to 5 Gbps on a dual processor off-the-shelf appliance.

A graph illustrating BotHunter performance for different sustained traffic levels

As you can see from the graph, running multiple session analysis on only one core barely breaches the 100 Mbps level, even on a very fast and modern CPU (Intel i7 950). At 250 Mbps it can only process 60% of the traffic. Using 8 cores greatly improves performance, allowing us to run at speeds exceeding 600 Mbps on a single multi-core processor. Even higher throughput can be achieved using multiple CPUs.

How to Get Our Software

You can easily install the software on your own hardware to monitor 10 Mbps to 10 Gbps networks, or it can be deployed on a turn-key MetaFlows security appliance. The software can be deployed on CentOS 6, as a virtual machine, or in your cloud-based assets. Activation requires registration with MetaFlows (free). Register here, then download and install our software using one of the links below.

Find hidden threats in your network today. Try multi-session analysis today.