Advanced correlation

IDS/IPS event analysis is very challenging because of false-positive clutter. When a large fraction of security events are false positives, it becomes difficult for operators to find actionable intelligence to protect their organization. Our approach is not only to use the latest daily security updates but also to rank events, prioritizing or de-prioritizing them with correlation algorithms. The MetaFlows Security System (MSS) uses a novel and effective three-layered system to minimize the false-positive problem while improving the visibility of true positives.

How Ranking Works

Session Level

Basic IDPS events are generated by reconstructing a single session between two endpoints and matching it against known patterns that indicate a security violation. Most IDPS systems stop here and leave it to the user to analyze and correlate the individual session-level events using their own expertise. This can be very useful and is the basis of IDS today. In many cases, however, multiple session-level events need to be reconciled in a larger context before they become actionable, and doing that by hand overwhelms the operators.

Intra-session

MetaFlows adds a second level of analysis (also called dialog-based correlation) to generate better network security intelligence. In this phase, alerts from multiple sessions belonging to a single home machine are combined and scored to identify typical infection behavior. By requiring two or more events corresponding to the typical phases of a bot infection, this automatic reconciliation brings actionable security events to the forefront of the session-level events and so improves security.

Intra-domain

MetaFlows also performs intra-domain correlation. In this phase, event scores are obtained autonomously from a global network of virtual machines that masquerade as victims. Security events that trigger false positives are ranked negatively, providing insight into events that should be routinely ignored or turned off; security events that trigger true positives are ranked positively, improving their visibility. This information is propagated in real time to each individual sensor in the system to augment the session-level and intra-session analysis described above. This additional intra-domain correlation matters because it adds operational awareness based on real-time intelligence from well beyond the local network.
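As an added illustration of the intra-session and intra-domain layers described above (this is example code written for this page, not MetaFlows code, and says nothing about how MSS actually computes its scores), the following Python groups session-level alerts by home host, scores each host on how many distinct bot-infection phases its alerts cover, and then adjusts that score with a per-signature reputation of the kind a decoy-VM network could propagate to sensors. The signature IDs, class-to-phase mapping, reputation values, weights and sample alerts are all constructed assumptions.

```python
"""Three-layer alert ranking sketch (constructed example, not MetaFlows code).

Layer 1: session-level alerts, one per reconstructed session.
Layer 2: per-host (dialog-based) correlation across those sessions.
Layer 3: global per-signature reputation applied to the per-host score.
"""
from collections import defaultdict
from dataclasses import dataclass

# Layer 1: session-level alerts as an IDS would emit them.
# Fields: home host, remote host, signature id, signature classtype.
# These rows are constructed for the example; IDs and addresses are invented.
SESSION_ALERTS = [
    ("10.0.0.5", "203.0.113.9",  2001, "attempted-admin"),      # inbound exploit
    ("10.0.0.5", "198.51.100.7", 2002, "trojan-activity"),      # payload download
    ("10.0.0.5", "198.51.100.7", 2003, "command-and-control"),  # C2 check-in
    ("10.0.0.7", "192.0.2.44",   2004, "policy-violation"),     # noisy policy hit
    ("10.0.0.7", "192.0.2.45",   2004, "policy-violation"),
    ("10.0.0.9", "203.0.113.9",  2001, "attempted-admin"),      # lone exploit try
]

# Layer 2: which signature classes correspond to which infection phase.
# The phase names and this mapping are assumptions for the example.
PHASE_OF_CLASS = {
    "attempted-admin": "exploit",
    "trojan-activity": "payload",
    "command-and-control": "c2",
}

# Layer 3: global reputation per signature as a decoy-VM network might
# propagate it: positive = confirmed true positive, negative = routinely
# fires on benign traffic. Values are constructed.
GLOBAL_REPUTATION = {2001: 1.0, 2002: 2.0, 2003: 3.0, 2004: -2.0}

DIALOG_WEIGHT = 10.0  # assumed weight per extra infection phase observed


@dataclass
class HostScore:
    host: str
    phases: set
    score: float


def rank_hosts(alerts, phase_of_class=PHASE_OF_CLASS, reputation=GLOBAL_REPUTATION):
    """Correlate session alerts per home host and return hosts, best first."""
    by_host = defaultdict(list)
    for home, _remote, sid, classtype in alerts:
        by_host[home].append((sid, classtype))

    results = []
    for host, rows in by_host.items():
        phases = {phase_of_class[c] for _, c in rows if c in phase_of_class}
        # Dialog-based score: only two or more distinct phases look like an
        # infection; a single phase (one exploit attempt) scores nothing here.
        dialog = DIALOG_WEIGHT * (len(phases) - 1) if len(phases) >= 2 else 0.0
        # Global reputation: each distinct signature contributes once, so a
        # signature that is noisy worldwide pulls the host down.
        rep = sum(reputation.get(sid, 0.0) for sid in {sid for sid, _ in rows})
        results.append(HostScore(host, phases, dialog + rep))
    results.sort(key=lambda r: r.score, reverse=True)
    return results


def noisy_signatures(reputation=GLOBAL_REPUTATION, threshold=-1.0):
    """Signatures whose global reputation suggests they should be tuned off."""
    return sorted(sid for sid, rep in reputation.items() if rep < threshold)


if __name__ == "__main__":
    for r in rank_hosts(SESSION_ALERTS):
        print(f"{r.host:10} score={r.score:6.1f} phases={sorted(r.phases)}")
    print("candidates to disable:", noisy_signatures())
```

With the constructed input, 10.0.0.5 rises to the top because its alerts cover three infection phases and its signatures carry positive global reputation, the lone exploit attempt against 10.0.0.9 stays low, and 10.0.0.7 goes negative because its only signature is one that fires on benign traffic worldwide.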

Learn More

How Ranking Works (PDF)