Layer 1: The Basic Session Level
Basic IDS/IPS events are generated by reconstructing a single session between two endpoints. Each session is examined for known security violation patterns. Unfortunately, most solutions stop here, resulting in a very high false positive rate. Important events are often missed because they are buried in the huge volume of false positive or low priority network security events.
Layer 2: Multiple Session Correlation
In this subsequent phase the system gathers specific IDS alerts (also called dialog events) that together form a typical behavior pattern for an infected host. Dialog events are fed directly into a separate correlation engine, where each host's individual dialog production pattern is mapped and scored against an abstract malware infection life cycle model. When the dialog correlation algorithm shows that a host's dialog patterns map sufficiently closely to the life cycle, the host is declared infected, and an infection profile is generated to summarize all evidence about the infection.
Benefits of Multiple Session Correlation
- Virtually eliminates false positives because it requires multiple symptoms to trigger.
- Catches existing bots already active on a network.
- Requires no configuration. Updated network intelligence and event scoring data are automatically downloaded from the MetaFlows Intelligence Cloud every 12 hours.
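The per-host dialog correlation described above, as an added illustration that is not MetaFlows' code: the life cycle stages, their weights, the threshold and the sample alerts are all constructed assumptions, chosen to show why a single alert does not trigger while a host producing several life cycle stages does.

```python
"""Added example of multi-session (dialog) correlation; not MetaFlows' code.
Stages, weights, threshold and sample alerts below are constructed assumptions."""
from collections import defaultdict

# Assumed abstract infection life cycle: dialog stage -> evidence weight.
STAGE_WEIGHTS = {
    "inbound_exploit": 1.0,
    "egg_download": 2.0,
    "c2_communication": 3.0,
    "outbound_scan": 2.0,
}
# Constructed threshold: higher than any single stage weight, so one
# isolated alert can never declare a host infected on its own.
INFECTION_THRESHOLD = 4.0


def parse_alert(line):
    """Parse a constructed 'timestamp host stage detail' alert line."""
    ts, host, stage, detail = line.split(" ", 3)
    return {"ts": ts, "host": host, "stage": stage, "detail": detail}


def correlate(lines):
    """Group dialog events per host, score each host against the life
    cycle model and return an infection profile for hosts over threshold."""
    evidence = defaultdict(dict)  # host -> stage -> first alert seen
    for line in lines:
        alert = parse_alert(line)
        if alert["stage"] in STAGE_WEIGHTS:
            evidence[alert["host"]].setdefault(alert["stage"], alert)
    profiles = {}
    for host, stages in evidence.items():
        score = sum(STAGE_WEIGHTS[s] for s in stages)
        # Require both enough weight and more than one distinct symptom.
        if score >= INFECTION_THRESHOLD and len(stages) >= 2:
            ordered = sorted(stages, key=lambda s: stages[s]["ts"])
            profiles[host] = {
                "score": score,
                "stages": ordered,
                "evidence": [stages[s]["detail"] for s in ordered],
            }
    return profiles


SAMPLE_ALERTS = [  # constructed sample alerts using documentation addresses
    "10:00:01 10.0.0.5 inbound_exploit SMB exploit attempt from 198.51.100.7",
    "10:00:09 10.0.0.5 egg_download binary fetched from 203.0.113.4",
    "10:01:30 10.0.0.5 c2_communication periodic beacon to 203.0.113.4:443",
    "10:02:00 10.0.0.9 inbound_exploit SMB exploit attempt from 198.51.100.7",
    "10:03:15 10.0.0.12 c2_communication single suspicious DNS query",
]
```

Run against the sample, only 10.0.0.5 is profiled (three stages, score 6.0); the hosts with one alert each stay below threshold, which is the false positive suppression the benefits list refers to.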
Layer 3: Machine Learning
The core of the MSS resides in the MetaFlows Cloud. Security event data from MetaFlows customers' sensors are automatically sent to the cloud. Our system compares and correlates event metadata with an algorithm mathematically similar to Google's page ranking algorithm. The resulting intelligence data are then sent back to individual sensors to rank security events that have significant global relevance. The outcome of the algorithm is that once a piece of intelligence reaches our system it is not distributed equally to all sensors. Instead, it is mathematically weighted and routed to where it is most relevant, just as the first few web pages of a Google search yield the most relevant information for a particular search.
Benefits of Shared Intelligence Correlation
- Catches more threats by using multiple sources of intelligence.
- Automatically prioritizes threats based on network behavior.
- No user configuration required. The prioritization is continuously performed in the MetaFlows cloud.