MetaFlows’ advanced malware detection uses patented intrusion detection software technology that does not require any tuning or significant configuration, and yet consistently finds malware and data breaches that are routinely missed by all other products deployed in the same network. The key is Multi-session traffic analysis.
Multi-session traffic analysis (also called dialog-based correlation) was originally embedded in a revolutionary Intrusion Detection software tool called BotHunter. Since then, MetaFlows has significantly extended and improved such technology for commercial use. Simply put, it automatically connects the dots between security alerts involving a single internal host with multiple external hosts over time.
Traditional intrusion detection software generates alerts by reconstructing a single session between two hosts and finding known patterns that confirm security violations within that specific session. This usually results in a very high false positive rate. Important events are often missed due to the huge volume of false positive or low-priority network security events.
MetaFlows uses Multi-Session Intrusion Detection Analysis. This advanced intrusion detection technique combines multiple security events (also called dialog events) that form a typical behavior pattern for an infected host. Dialog events from each internal host are mapped and scored against an abstract Malware infection life cycle model.
When the Multi-session analysis algorithm shows that a host’s dialog patterns map sufficiently closely to the Malware life cycle, the host is declared infected, and an infection profile (a partial summary example is shown below) is generated to summarize all evidence about the infection.
Besides detecting active malware (we detect thousands per day), Multi-session analysis can also be reversed to detect lateral movement that would otherwise go unnoticed. For example, if an external host A scans one of your internal hosts B and then A later on also receives a large amount of data from another internal host C, our system generates an incident report indicating a possible intrusion through B and data exfiltration from C. Admittedly, these kinds of incident reports are rare, but when they occur, they can truly save your enterprise from disastrous data loss.
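The two ideas above (scoring one internal host's dialog events against an infection life cycle, and reversing the correlation around an external host to catch a scan followed by a large outbound transfer) can be illustrated with a small correlator. The following is an added example written for this page; it is not MetaFlows or BotHunter code. The dialog types, phase weights, infection threshold and minimum phase count are assumptions chosen for illustration, and the alert list is constructed sample input, not real telemetry.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """One per-session alert, already classified into a dialog type."""
    ts: int            # seconds since start of capture
    internal: str      # the monitored (internal) host
    external: str      # the peer outside the network
    direction: str     # "in": external -> internal, "out": internal -> external
    dialog: str        # dialog type assigned to the session by a signature
    nbytes: int = 0    # payload volume of the session (used by the reversed analysis)


# Assumed abstraction of the infection life cycle: each dialog type is a phase
# with a weight. The real model and weights are not given on the page.
LIFECYCLE_WEIGHTS = {
    "scan": 0.5,           # inbound probe of the internal host
    "exploit": 1.0,        # inbound exploit attempt
    "egg_download": 2.0,   # internal host fetches a binary after the exploit
    "c2_checkin": 2.0,     # internal host beacons to a command-and-control peer
    "outbound_scan": 1.5,  # internal host starts probing other hosts
}
INFECTION_THRESHOLD = 3.5   # assumed: declare infected at or above this score
MIN_PHASES = 2              # assumed: require evidence from at least 2 distinct phases


def correlate_infections(alerts):
    """Forward analysis: score each internal host's dialogs against the life cycle.

    Each phase is counted once, so a chatty signature firing repeatedly on a
    single phase cannot push a host over the threshold by itself.
    Returns {internal_host: infection_profile} for hosts declared infected."""
    per_host = defaultdict(list)
    for a in alerts:
        if a.dialog in LIFECYCLE_WEIGHTS:
            per_host[a.internal].append(a)
    profiles = {}
    for host, evs in per_host.items():
        phases = {a.dialog for a in evs}
        score = sum(LIFECYCLE_WEIGHTS[p] for p in phases)
        if score >= INFECTION_THRESHOLD and len(phases) >= MIN_PHASES:
            evs.sort(key=lambda a: a.ts)
            first_ts = {p: min(a.ts for a in evs if a.dialog == p) for p in phases}
            profiles[host] = {
                "score": score,
                "phases": sorted(phases, key=first_ts.get),   # in order of first sighting
                "externals": sorted({a.external for a in evs}),
                "first_seen": evs[0].ts,
                "last_seen": evs[-1].ts,
            }
    return profiles


def detect_lateral_exfil(alerts, min_bytes):
    """Reversed analysis keyed on the external host: a scan of internal host B
    followed later by a large transfer from a different internal host C to the
    same external peer is reported as possible intrusion via B and exfiltration
    from C. Returns a list of incident reports (one per scanned/exfil pair)."""
    scans = defaultdict(list)   # external -> [(ts, scanned internal host)]
    for a in alerts:
        if a.dialog == "scan" and a.direction == "in":
            scans[a.external].append((a.ts, a.internal))
    seen, reports = set(), []
    for a in alerts:
        if a.dialog != "bulk_transfer" or a.direction != "out" or a.nbytes < min_bytes:
            continue
        for scan_ts, scanned in scans.get(a.external, []):
            key = (a.external, scanned, a.internal)
            if scan_ts < a.ts and scanned != a.internal and key not in seen:
                seen.add(key)
                reports.append({"external": a.external, "scanned": scanned,
                                "exfil_from": a.internal, "nbytes": a.nbytes})
    return reports


# Constructed sample alerts (not real traffic).
SAMPLE_ALERTS = [
    # 10.0.0.5 walks the full life cycle: exploit, egg download, C2 beacons, outbound scan
    Alert(100, "10.0.0.5", "198.51.100.7", "in", "exploit"),
    Alert(120, "10.0.0.5", "198.51.100.7", "out", "egg_download", 48_000),
    Alert(300, "10.0.0.5", "203.0.113.10", "out", "c2_checkin", 512),
    Alert(360, "10.0.0.5", "203.0.113.10", "out", "c2_checkin", 512),
    Alert(900, "10.0.0.5", "192.0.2.0", "out", "outbound_scan"),
    # 10.0.0.9 beacons repeatedly but shows no other phase: single phase, below threshold
    Alert(200, "10.0.0.9", "203.0.113.10", "out", "c2_checkin", 512),
    Alert(260, "10.0.0.9", "203.0.113.10", "out", "c2_checkin", 512),
    # reversed case: 198.51.100.42 scans 10.0.0.30, later receives bulk data from 10.0.0.31
    Alert(50, "10.0.0.30", "198.51.100.42", "in", "scan"),
    Alert(2000, "10.0.0.31", "198.51.100.42", "out", "bulk_transfer", 250_000_000),
    # decoy: a large transfer to a peer that never scanned anything is not reported
    Alert(2100, "10.0.0.40", "203.0.113.77", "out", "bulk_transfer", 300_000_000),
]

if __name__ == "__main__":
    for host, profile in correlate_infections(SAMPLE_ALERTS).items():
        print("INFECTED", host, profile)
    for report in detect_lateral_exfil(SAMPLE_ALERTS, min_bytes=100_000_000):
        print("POSSIBLE INTRUSION/EXFIL", report)
```

On the sample input only 10.0.0.5 is declared infected (score 6.5 across four phases), while 10.0.0.9 stays below the threshold despite two C2 alerts because repeated hits on one phase are counted once. The reversed pass reports 198.51.100.42 once, tying the scan of 10.0.0.30 to the later 250 MB transfer from 10.0.0.31, and ignores the decoy transfer to 203.0.113.77.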
MetaFlows uses multiple network detection techniques to find and shut down hidden malware that is routinely missed by all other security products. The matrix below compares important features of existing network security products. As you can see from the matrix, our products can cast a much wider net than traditional intrusion detection systems.
Minimum hardware requirements are: