Metaflows Shield iconShared Network Intelligence

Find Malware Hidden in Your network

MetaFlows has developed a proprietary inter-domain correlation algorithm that is mathematically similar to Google's page ranking. Event scores are autonomously obtained from a global network of honeypot sensors monitored by the MSS. The honeypots are virtual machines that masquerade as victims. As the honeypots are repeatedly attacked, the MSS records both successful and unsuccessful hacker techniques and corresponding security event information. Security events that trigger true positives are ranked positively thus improving their visibility. This information is then propagated to our subscribers to improve event prioritization. This additional inter-domain correlation is important because it adds operational awareness based on dynamic intelligence.

See our latest global incident report statistics

A diagram illustrating how the Metaflows ranking system works.

Layer 1: The Basic Session Level

Basic IDS / IPS events are generated by reconstructing a single session between two endpoints. Each session is examined for known security violation patterns. Unfortunately, most solutions stop here resulting in a very high false positive rate. Important events are often missed due to the huge volume of false positive or low priority network security events.

Layer 2: Multiple Session Correlation

In this subsequent phase the system gathers specific IDS alerts (also called dialog events) that form a typical behavior pattern for an infected host. Dialog events are fed directly into a separate correlation engine, where each host’s individual dialog production pattern is mapped and scored against an abstract Malware infection life cycle model. When the dialog correlation algorithm shows that a host’s dialog patterns map sufficiently close to the life cycle, the host is declared infected, and an infection profile is generated to summarize all evidence about the infection.

Benefits of Multiple Session Correlation

  • Virtually eliminates false positives because it requires multiple symptoms to trigger.
  • Catches existing bots already active on a network.
  • Requires no configuration. Updated network intelligence and event scoring data is automatically downloaded from the Metaflows Intelligence Cloud every 12 hours.

Layer 3: Shared Intelligence Correlation

The core of the MSS resides in the Metaflows Cloud. Security event data from Metaflows customers’ sensors is automatically sent to the cloud. Our system compares and correlates event meta-data with an algorithm mathematically similar to Google’s page ranking algorithm. The resulting intelligence data is then sent back to individual sensors to rank security events that have significant global relevance. The outcome of the algorithm is that once a piece of intelligence reaches our system it is not equally distributed to all sensors. Instead, it is mathematically weighted and routed to where it is most relevant, just as the first few web pages of a Google search yield the most relevant information for a particular search.

Benefits of Shared Intelligence Correlation

  • Catches more threats by using multiple sources of intelligence.
  • Automatically prioritizes threats based on network behavior.
  • No user configuration required. The prioritization is continuously performed in the MetaFlows cloud.