Shared Network Intelligence

IDS/IPS event analysis is challenging because of the constant presence of false positive clutter. When a large number of security events are false positives, it becomes difficult for operators to find useful data to help them protect their network. Our approach is not only to use the latest, state-of-the-art, security updates, but also to add ranking to prioritize events. Using advanced correlation algorithms, the MetaFlows Security System (MSS) uses a novel and effective 3-layered system to reduce the problem of false positives while improving visibility of true positives.

Layer 1: The Basic Session Level

session icon1 How Ranking WorksBasic IDS/IPS events are generated by reconstructing a single session between two endpoints and finding known patterns that indicate a security violation. Most systems stop here and ask the user to analyze and correlate different session-level event using their own ability. This is can be very useful and is the basis of IDS/IPS today. In many cases, however,  multiple session-level events need to be re-conciliated in a larger context to become actionable thus overwhelming the operators.

Layer 2: Multiple Session Correlation

intra session icon1 How Ranking WorksMetaFlows adds a second-level analysis (also called dialog-based correlation) to generate better network security intelligence. During this phase alerts from multiple sessions belonging to a single home machine are combined and scored to show typical infection behavior. By using two or more events corresponding to the typical phases of a Bot Infection, this automatic reconciliation process brings actionable security events to the forefront of session-level events thus improving security.

Benefits of this technology

  • Checkmark1 How Ranking Works Virtually eliminates false positives because it requires multiple symptoms.
  • Checkmark1 How Ranking Works Catches threats when they come in.
  • Checkmark1 How Ranking Works Catches existing bots already running in your network.
  • Checkmark1 How Ranking Works No user configuration required. Updated network intelligence is automatically downloaded from the MetaFlows cloud every 12 hours.

Layer 3: Shared Intelligence Correlation

intra domain How Ranking Works

The core of the MSS resides in the Metaflows Cloud. Security event data from Metaflows customers’ sensors is automatically sent to the cloud. There, it is compared and correlated with an algorithm mathematically similar to Google’s page ranking. The resulting intelligence data is then be pushed out back to the individual sensors to rank security events that have significant global relevance. The outcome of the algorithm is that once a piece of intelligence reaches our system it is not equally distributed to all sensors. Instead, it is mathematically weighted and routed to where it is most relevant, just as the first few web pages of a Google search yield the most relevant information for a particular search.

Benefits of this technology

  • Checkmark1 How Ranking Works Catches more threats using multiple sources of intelligence.
  • Checkmark1 How Ranking Works Automatically proritizes threats based on networks behavior.
  • Checkmark1 How Ranking Works No user configuration required. The prioratization is continously performed in the MetaFlows cloud.