MetaFlows has developed a proprietary inter-domain correlation algorithm that is mathematically similar to Google's PageRank. Event scores are obtained automatically from a global network of honeypot sensors monitored by the MSS. The honeypots are virtual machines that masquerade as vulnerable victims. As they are repeatedly attacked, the MSS records both successful and unsuccessful attacker techniques together with the security events they generate. Events that produce true positives on the honeypots are ranked up, which improves their visibility. This information is then propagated to subscribers' sensors to improve event prioritization. This inter-domain correlation matters because it adds operational awareness based on dynamic intelligence gathered across many networks rather than on a single site's view.
Basic IDS/IPS events are generated by reconstructing a single session between two endpoints and examining it for known attack patterns. Unfortunately, most solutions stop there, which produces a very high false positive rate: important events are missed in the flood of false positive or low priority network security events.
The MetaFlows Security System (MSS) addresses this with a three-layered correlation approach that reduces false positives while improving the visibility of true positives.
In the subsequent dialog correlation phase the system gathers specific IDS alerts (also called dialog events) that together form the typical behavior pattern of an infected host. Dialog events are fed into a separate correlation engine, where each host's dialog production pattern is mapped and scored against an abstract malware infection life cycle model. When a host's dialog pattern maps sufficiently closely to the life cycle, the host is declared infected and an infection profile is generated that summarizes all evidence for the infection.
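The following is an added, self-contained illustration of dialog correlation as the paragraph above describes it; it is not MetaFlows code and does not reproduce the MSS life cycle model. The stage names, per-stage weights, infection threshold, alert line format and the sample alerts are all assumptions made for the example. Each alert is treated as a dialog event for one host, a stage counts once per host regardless of alert volume, and a host is declared infected only when its score crosses the threshold and at least one post-compromise stage has been seen, so a host that is merely scanned or attacked is not flagged.

```python
"""Toy dialog-correlation engine.

Added illustration, not MetaFlows code.  Each IDS alert is tagged as a
dialog event belonging to one stage of an assumed malware infection life
cycle.  Events are grouped per host and scored against that life cycle;
a host whose evidence crosses a threshold is declared infected and an
infection profile summarising the evidence is produced.  The stage
names, weights, threshold and alert format below are assumptions made
for this example, not the MSS model.
"""
from collections import defaultdict

# Assumed life-cycle stages, in rough chronological order of an infection.
STAGES = ("inbound_scan", "inbound_exploit", "payload_download",
          "cnc_communication", "outbound_propagation")

# Assumed evidence weight per stage: post-compromise behaviour is stronger
# evidence than the noisy pre-compromise probing every host receives.
WEIGHTS = {"inbound_scan": 1, "inbound_exploit": 2, "payload_download": 3,
           "cnc_communication": 4, "outbound_propagation": 4}

# Assumed infection rule: total score >= THRESHOLD *and* at least one
# post-compromise stage observed, so a host that is merely scanned and
# attacked (but never acts infected) is not declared infected.
THRESHOLD = 6
POST_COMPROMISE = {"payload_download", "cnc_communication",
                   "outbound_propagation"}

# Constructed sample alerts: "<timestamp> <host> <stage> <signature id>".
SAMPLE_ALERTS = """\
100 10.0.0.5 inbound_scan sid:2001
101 10.0.0.5 inbound_scan sid:2001
105 10.0.0.5 inbound_exploit sid:2100
130 10.0.0.5 payload_download sid:2300
600 10.0.0.5 cnc_communication sid:2400
100 10.0.0.9 inbound_scan sid:2001
101 10.0.0.9 inbound_scan sid:2001
102 10.0.0.9 inbound_scan sid:2001
200 10.0.0.7 inbound_scan sid:2001
205 10.0.0.7 inbound_exploit sid:2100
210 10.0.0.7 inbound_exploit sid:2101
"""


def parse_alert(line):
    """Parse one alert line into a dict; reject stages outside the model."""
    ts, host, stage, sig = line.split()
    if stage not in STAGES:
        raise ValueError(f"unknown dialog stage {stage!r}")
    return {"ts": int(ts), "host": host, "stage": stage, "sig": sig}


def correlate(alerts):
    """Group dialog events per host and score each host against the model.

    A stage counts once per host however many alerts hit it, so an
    aggressive scanner cannot push a host over the threshold by volume.
    Returns an infection profile per host.
    """
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host"]].append(alert)

    profiles = {}
    for host, events in by_host.items():
        seen = {e["stage"] for e in events}
        score = sum(WEIGHTS[s] for s in seen)
        infected = score >= THRESHOLD and bool(seen & POST_COMPROMISE)
        profiles[host] = {
            "host": host,
            "score": score,
            "infected": infected,
            # evidence listed in life-cycle order for the analyst's summary
            "stages": [s for s in STAGES if s in seen],
            "first_seen": min(e["ts"] for e in events),
            "last_seen": max(e["ts"] for e in events),
            "signatures": sorted({e["sig"] for e in events}),
        }
    return profiles


def run(text=SAMPLE_ALERTS):
    """Parse the alert feed and return the per-host infection profiles."""
    alerts = [parse_alert(l) for l in text.splitlines() if l.strip()]
    return correlate(alerts)


if __name__ == "__main__":
    for profile in run().values():
        status = "INFECTED" if profile["infected"] else "clean"
        print(f"{profile['host']:<10} score={profile['score']:<3} "
              f"{status:<9} stages={','.join(profile['stages'])}")
```

On the constructed feed, 10.0.0.5 walks through scan, exploit, payload download and C&C traffic and is declared infected with a profile listing that evidence in order; 10.0.0.9 receives only scans and 10.0.0.7 only scans and exploit attempts, and neither is flagged, which is the false-positive reduction the per-host life cycle scoring is meant to provide over per-session alerting.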
The core of the MSS resides in the MetaFlows Cloud. Security event data from customers' sensors is automatically sent to the cloud, where the system compares and correlates event metadata with an algorithm mathematically similar to Google's PageRank. The resulting intelligence is sent back to the individual sensors to rank the security events that have significant global relevance. A piece of intelligence that reaches the system is therefore not distributed equally to all sensors; it is mathematically weighted and routed to where it is most relevant, much as the first few results of a Google search are the ones most relevant to that particular query.
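The honeypot-derived event scoring and the cloud-side PageRank-like correlation described above (in the inter-domain correlation paragraph and in this one) can be illustrated with the following added example. It is not MetaFlows code and does not reproduce the MSS algorithm; the graph construction (signatures are linked when the same honeypot sensor confirmed both during true-positive attacks), the damping factor and the sample honeypot and subscriber data are assumptions made for the example. A weighted PageRank power iteration ranks the signatures, and a subscriber sensor then uses that global rank to order its own alert queue, so widely confirmed signatures surface first and a signature never confirmed anywhere sinks to the bottom without being discarded.

```python
"""Toy PageRank-style ranking of IDS signatures across sensors.

Added illustration, not MetaFlows code.  Honeypot sensors report which
signatures fired during confirmed (true positive) attacks.  Signatures
confirmed together on the same sensor are linked, a PageRank-style
power iteration ranks them, and a subscriber sensor then uses the rank
to order its own alerts.  The graph construction, damping factor and
sample data are assumptions for this example, not the MSS algorithm.
"""
from collections import defaultdict
from itertools import combinations

# Constructed honeypot records: (sensor, signature) for confirmed attacks.
CONFIRMED = [
    ("hp-1", "sid:2100"), ("hp-1", "sid:2300"), ("hp-1", "sid:2400"),
    ("hp-2", "sid:2100"), ("hp-2", "sid:2400"),
    ("hp-3", "sid:2100"), ("hp-3", "sid:2400"), ("hp-3", "sid:2500"),
    ("hp-4", "sid:9000"),        # confirmed once, alone, on one sensor
]

# Constructed alert queue on one subscriber sensor, in arrival order.
LOCAL_ALERTS = ["sid:9000", "sid:2300", "sid:2100", "sid:7777", "sid:2400"]


def build_graph(confirmed):
    """Undirected co-confirmation graph.

    Two signatures are linked when the same sensor confirmed both; the
    edge weight is the number of sensors that did so.  Returns the node
    set and a nested dict adj[a][b] = weight.
    """
    per_sensor = defaultdict(set)
    for sensor, sig in confirmed:
        per_sensor[sensor].add(sig)
    nodes = set()
    adj = defaultdict(lambda: defaultdict(int))
    for sigs in per_sensor.values():
        nodes |= sigs
        for a, b in combinations(sorted(sigs), 2):
            adj[a][b] += 1
            adj[b][a] += 1
    return nodes, adj


def pagerank(nodes, adj, damping=0.85, iters=200, tol=1e-12):
    """Weighted PageRank by power iteration.

    Each node passes its rank to neighbours in proportion to edge weight;
    nodes with no edges (dangling) spread their rank uniformly, and the
    (1 - damping) term keeps every signature at a small floor rank.
    """
    n = len(nodes)
    rank = {v: 1.0 / n for v in nodes}
    out_weight = {v: sum(adj[v].values()) for v in nodes}
    for _ in range(iters):
        dangling = sum(rank[v] for v in nodes if out_weight[v] == 0)
        new = {}
        for v in nodes:
            inbound = sum(rank[u] * adj[u][v] / out_weight[u] for u in adj[v])
            new[v] = (1 - damping) / n + damping * (inbound + dangling / n)
        delta = sum(abs(new[v] - rank[v]) for v in nodes)
        rank = new
        if delta < tol:
            break
    return rank


def prioritize(local_alerts, rank):
    """Order a subscriber's alerts by global rank, highest first.

    A signature never confirmed by any honeypot has no global evidence
    and drops to the bottom rather than being dropped outright.
    """
    return sorted(local_alerts, key=lambda sig: rank.get(sig, 0.0), reverse=True)


def demo():
    """Rank the constructed data and return (rank, prioritized local queue)."""
    nodes, adj = build_graph(CONFIRMED)
    rank = pagerank(nodes, adj)
    return rank, prioritize(LOCAL_ALERTS, rank)


if __name__ == "__main__":
    rank, queue = demo()
    for sig in sorted(rank, key=rank.get, reverse=True):
        print(f"{sig}: {rank[sig]:.4f}")
    print("subscriber queue:", queue)
```

With the constructed data, sid:2100 and sid:2400 are confirmed together on three sensors and take the top ranks, sid:2300 and sid:2500 (each confirmed on one sensor alongside the top pair) rank next, and sid:9000, confirmed only in isolation, keeps just the floor rank; the subscriber's queue is reordered accordingly, with the locally seen but globally unconfirmed sid:7777 last.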