New Features

Version 6.1

Multi-Aggregation

Cognitive Analyst uses multiple aggregators with different security policies to combine the results of the individual anomaly detection methods. This version introduces three new aggregators tuned for the detection of various network attacks, which significantly increases the detection accuracy of the system as a whole.

Quick Filter by IP

Quick Filter by IP is an alternative to traditional saved filters, suited to quick ad-hoc filtering during analysis without storing the IP address as a saved filter. Enter an IP address in the input box and click 'Filter'; a new tab/window opens with the main dashboard filtered by that IP. The quick filter is embedded in the URL and can therefore be bookmarked.

1-click Context Menu

The new 1-click Context Menu is opened by right-clicking a cell containing an IP address. It provides quick access to the context of an event and additional information.

Revealing aggregations - the 1-click Context Menu reveals all IP addresses and ports that are otherwise represented by the '*' symbol. A raw list of all aggregated values can also be displayed, for up to 1000 IP addresses or ports.

Quick Filter Events by IP - further simplifies IP filtering by applying a Quick Filter to the selected IP address with a single click.

Analyze Event - Shortcut to the Flow analyzer window.

Analyze Responses to Event - works like Analyze Event, but inverts the flows to show the other side of the communication.

Analyze All Flows To/From IP In Dataset - gives broader context for a single IP address by providing an analytical view of a whole 5-minute block of flows.

Version 6.0

New detection agent

The Flags agent improves the detection of scans and brute-force attacks by introducing a new detection method based on PCA (Principal Component Analysis) of cumulative TCP flag features.
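To make the idea behind a flag-based detector concrete, here is an added illustration (not the product's Flags agent, whose internals the release notes do not describe): per source IP, the cumulative TCP flag counts are normalised into flag ratios, a principal component is learned from a baseline window of normal clients, and hosts in a later window are scored by the residual that the component cannot explain. A SYN scanner, whose flows carry SYN but never ACK, FIN or PSH, lands far outside the learned direction. All hosts, flag mixes and the `FLAGS` letter convention are constructed for the example.

```python
"""PCA residual scoring of per-source TCP flag features.

Added illustration of a flag-based scan detector; not the product's Flags agent.
Flow records are constructed (src_ip, flags) pairs, where flags uses
nfdump-style letters: F=FIN S=SYN R=RST P=PSH A=ACK U=URG.
"""
import math
from collections import defaultdict

FLAGS = "FSRPAU"


def flag_features(flows):
    """Cumulative flag counts per source, normalised by that source's flow count.

    Returns {src_ip: [fraction of flows carrying F, S, R, P, A, U]}.
    """
    counts = defaultdict(lambda: [0] * len(FLAGS))
    totals = defaultdict(int)
    for src, flags in flows:
        totals[src] += 1
        for i, flag in enumerate(FLAGS):
            if flag in flags:
                counts[src][i] += 1
    return {ip: [c / totals[ip] for c in counts[ip]] for ip in counts}


def _top_component(centered, iters=200):
    """Dominant eigenvector of the sample covariance matrix (power iteration)."""
    d, n = len(centered[0]), len(centered)
    cov = [[sum(x[i] * x[j] for x in centered) / n for j in range(d)] for i in range(d)]
    v = [1.0] * d
    for _ in range(iters):
        w = [sum(cov[i][j] * v[j] for j in range(d)) for i in range(d)]
        norm = math.sqrt(sum(c * c for c in w))
        if norm == 0.0:              # baseline has no variance at all
            return [0.0] * d
        v = [c / norm for c in w]
    return v


class PcaResidualDetector:
    """Learns the dominant direction of normal flag ratios from a baseline window
    and scores later hosts by how far they fall outside that direction."""

    def __init__(self, baseline, k_sigma=4.0):
        vectors = list(baseline.values())
        d = len(vectors[0])
        self.mean = [sum(x[i] for x in vectors) / len(vectors) for i in range(d)]
        self.pc = _top_component([self._center(x) for x in vectors])
        residuals = [self.residual(x) for x in vectors]
        mu = sum(residuals) / len(residuals)
        sd = math.sqrt(sum((r - mu) ** 2 for r in residuals) / len(residuals))
        self.threshold = mu + k_sigma * sd   # k-sigma above the baseline residuals

    def _center(self, x):
        return [x[i] - self.mean[i] for i in range(len(x))]

    def residual(self, x):
        """Length of the part of (x - mean) not explained by the principal component."""
        c = self._center(x)
        proj = sum(ci * vi for ci, vi in zip(c, self.pc))
        return math.sqrt(sum((ci - proj * vi) ** 2 for ci, vi in zip(c, self.pc)))

    def anomalies(self, features):
        scored = {ip: self.residual(x) for ip, x in features.items()}
        return {ip: r for ip, r in scored.items() if r > self.threshold}


def _host_flows(ip, full, no_psh, reset):
    """Constructed client traffic: complete transfers (SAPF), small replies
    without PSH (SAF) and a few connections torn down by RST (SAR)."""
    return [(ip, "SAPF")] * full + [(ip, "SAF")] * no_psh + [(ip, "SAR")] * reset


BASELINE_HOSTS = [  # constructed: (ip, SAPF, SAF, SAR) with 40 flows each
    ("10.0.0.1", 34, 4, 2), ("10.0.0.2", 36, 3, 1), ("10.0.0.3", 32, 6, 2),
    ("10.0.0.4", 38, 2, 0), ("10.0.0.5", 35, 3, 2), ("10.0.0.6", 33, 4, 3),
    ("10.0.0.7", 37, 2, 1), ("10.0.0.8", 31, 6, 3),
]


def demo():
    baseline = [f for h in BASELINE_HOSTS for f in _host_flows(*h)]
    detector = PcaResidualDetector(flag_features(baseline))
    window = _host_flows("10.0.0.20", 68, 8, 4)         # busier, but normal client
    window += [("198.51.100.7", "S")] * 300              # SYN scan: half-open probes only
    return detector.anomalies(flag_features(window))


if __name__ == "__main__":
    for ip, score in demo().items():
        print(f"{ip}: residual {score:.2f} above threshold")
```

Because ACK and SYN ratios are constant across the baseline, the learned component has no ACK direction, so the scanner's missing ACKs alone give it a residual of at least 1.0 while normal clients stay near the learned subspace. Flag ratios by themselves do not separate a brute-force client from a busy legitimate one, since both complete their handshakes; a production detector adds volume and fan-out features on top of this.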

Detail description of events

Each event is now accompanied by a detailed description that supports better incident assessment.

[Screenshot: event_description.png]

URL in Flows List table

Flows derived from a proxy log source can now carry the destination URL. The new URL column in the Flows List table allows more detailed analysis.

[Screenshot: flowlist_url.png]

Analyst Status Overview

Troubleshooting "no data shown" problems is easier with the new Analyst Status Overview box in the web UI.

[Screenshot: statusBox.png]

Integration with Zabbix

A Cognitive Analyst installation now ships with its own Zabbix agent and a pre-defined Zabbix template, making it easy to integrate with company-wide infrastructure monitoring.

[Screenshot: zabbix.png]

New command line tool

The PrintDR utility prints analyzed flows as text in a format similar to that of the nfdump utility, so its output can be processed with the usual UNIX text-processing tools. On top of the nfdump format it adds the anomaly detection result and classification of each flow.

Analyses of up to one month time window

UI performance has been optimized to the point that a time period of up to one month can be selected in the Calendar box using the Custom button, simplifying long-term analyses.

Persistent connections analyzer - technology preview

A specialized mechanism identifies and displays long-term and persistent connections, which can, among other things, be a sign of botnets operating on the network. (Right-click to access the menu.)
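The release notes do not say how persistence is measured, so the following is an added illustration of one common approach, not the product's analyzer: connection keys (source, destination, destination port, protocol) are bucketed into the same 5-minute blocks the flow data is organised in, and a key is reported as persistent when it appears in enough blocks and in most of the blocks between its first and last appearance. The flow records, hosts and thresholds are constructed for the example.

```python
"""Find long-lived or regularly recurring connections across 5-minute flow blocks.

Added illustration of a persistent-connections check; not the product's
implementation. A flow record is a constructed tuple
(start_epoch_seconds, src_ip, dst_ip, dst_port, proto).
"""
from collections import defaultdict

BLOCK = 300  # five-minute blocks, matching the time grain of the flow data


def persistent_connections(flows, min_blocks=6, min_fraction=0.8):
    """Return {key: (first_block_start, last_block_end, blocks_seen, blocks_spanned)}
    for connection keys seen in at least `min_blocks` blocks and present in at
    least `min_fraction` of the blocks between their first and last appearance.
    A steady beacon scores close to 1.0; bursty browsing does not."""
    seen = defaultdict(set)
    for start, src, dst, dport, proto in flows:
        seen[(src, dst, dport, proto)].add(int(start) // BLOCK)
    result = {}
    for key, blocks in seen.items():
        first, last = min(blocks), max(blocks)
        spanned = last - first + 1
        if len(blocks) >= min_blocks and len(blocks) / spanned >= min_fraction:
            result[key] = (first * BLOCK, (last + 1) * BLOCK, len(blocks), spanned)
    return result


def demo_flows():
    """Constructed two-hour window starting on a block boundary."""
    t0 = 1_391_100_000
    flows = []
    # Beacon: one short HTTPS flow every 5 minutes for two hours.
    for i in range(24):
        flows.append((t0 + i * 300 + 17, "10.0.0.5", "203.0.113.9", 443, "tcp"))
    # Jittery beacon that skips every sixth interval (20 of 23 spanned blocks).
    for i in range(24):
        if i % 6 != 5:
            flows.append((t0 + i * 300 + 120, "10.0.0.9", "203.0.113.77", 8443, "tcp"))
    # Long-lived SSH session, exported by the router as one record per active-timeout.
    for i in range(12):
        flows.append((t0 + i * 300 + 5, "10.0.0.11", "192.0.2.50", 22, "tcp"))
    # Ordinary browsing: a burst in the first two blocks, one more visit 100 minutes later.
    for t in (3, 40, 320, 6000):
        flows.append((t0 + t, "10.0.0.7", "198.51.100.1", 80, "tcp"))
    flows.append((t0 + 95, "10.0.0.7", "198.51.100.2", 80, "tcp"))
    return flows


if __name__ == "__main__":
    for key, (first, last, seen, spanned) in persistent_connections(demo_flows()).items():
        print(f"{key}: in {seen}/{spanned} blocks between {first} and {last}")
```

Persistence on its own is not evidence of compromise: VPN tunnels, monitoring agents, mail clients and NTP all look the same to this check, so the output is a list to triage against known services rather than an alert.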

[Screenshot: persistence1.png]

Version 5.2

Event bookmarking

It is now possible to bookmark individual events. The generated URL then represents that particular event and can be used for internal communication between team members or placed in other systems (e.g. a ticketing system).

[Screenshot: bookmark.png]

Version 5.1

Finding inverted flows in analyzer

Fast switching between the two sides of a communication when analyzing NetFlow data is now a matter of a single click in the GUI.

[Screenshot: searching.png]

Searching for arbitrary flows in analyzer

This is useful when non-anomalous flows need to be found in order to provide context. Searching has therefore been extended to cover all captured flows.

Removal of Overview and Analysis

The newer version of the GUI (Highlights and Statistics) now fully replaces the previous version (Overview and Analysis).

[Screenshot: new_version_1.png]

Version 5

Skype net detection

Distinguish Skype from other peer-to-peer behavior easily. Activities of Skype clients are classified as Skype-like behavior, provided that the MyNetworks setting is configured correctly.

Possibility to import data from proxy server

Web proxy logs from Cisco IronPort, Squid and TMG proxy servers can be imported into Cognitive Analyst and used as an additional NetFlow data source.
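As an added illustration of what importing a proxy log as a flow source involves (this is not the product's importer, and the `ProxyFlow` record layout is an assumption made for the example), the code below parses Squid native `access.log` lines into flow-like records that keep the URL alongside the client, the origin server, the destination port, the byte count and the HTTP status. The two awkward cases a practitioner hits are handled: `CONNECT` tunnels, where the "URL" is just `host:port`, and cache hits, where Squid contacted no origin server at all. The log lines are constructed sample input.

```python
"""Turn Squid native access.log lines into flow-like records that carry the URL.

Added illustration of importing a proxy log as a flow source; not the product's
importer, and the ProxyFlow fields are an assumption. Squid native format,
one request per line:
  time elapsed client action/status bytes method URL ident hierarchy/peer type
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


@dataclass
class ProxyFlow:
    start: float             # squid logs the completion time; start = time - elapsed
    duration_ms: int
    src_ip: str              # the client behind the proxy
    dst_ip: Optional[str]    # origin server the proxy contacted; None when served from cache
    dst_port: int
    bytes_to_client: int
    method: str
    status: int
    url: str


def _host_and_port(url, method):
    if method == "CONNECT":  # HTTPS tunnel: URL is just host:port, no scheme
        host, _, port = url.rpartition(":")
        return host, int(port) if port.isdigit() else 443
    parts = urlsplit(url)
    return parts.hostname or "", parts.port or DEFAULT_PORTS.get(parts.scheme.lower(), 0)


def _as_ip(text):
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:       # "-", a hostname, or garbage
        return None


def parse_squid_line(line):
    fields = line.split()
    if len(fields) < 10:
        raise ValueError("not a squid native access.log line: %r" % line)
    ts, elapsed, client, action, size, method, url, _ident, hierarchy, _ctype = fields[:10]
    status = int(action.rpartition("/")[2])        # e.g. TCP_MISS/200 -> 200
    peer = hierarchy.rpartition("/")[2]             # e.g. HIER_DIRECT/93.184.216.34
    host, port = _host_and_port(url, method)
    # Prefer the peer squid actually talked to; fall back to an IP literal in the URL.
    dst_ip = _as_ip(peer) or _as_ip(host)
    return ProxyFlow(start=float(ts) - int(elapsed) / 1000.0, duration_ms=int(elapsed),
                     src_ip=client, dst_ip=dst_ip, dst_port=port, bytes_to_client=int(size),
                     method=method, status=status, url=url)


def parse_squid_log(text):
    return [parse_squid_line(line) for line in text.splitlines() if line.strip()]


# Constructed sample lines in Squid native format (not real traffic).
SAMPLE_LOG = """\
1391111111.123    245 192.168.1.10 TCP_MISS/200 5123 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1391111112.456   1830 192.168.1.10 TCP_TUNNEL/200 48210 CONNECT mail.example.net:443 - HIER_DIRECT/203.0.113.25 -
1391111113.001      3 192.168.1.22 TCP_MEM_HIT/200 1500 GET http://www.example.com/logo.png - HIER_NONE/- image/png
1391111114.777     90 192.168.1.22 TCP_DENIED/403 3500 GET http://198.51.100.9:8080/admin - HIER_NONE/- text/html
"""

if __name__ == "__main__":
    for flow in parse_squid_log(SAMPLE_LOG):
        print(f"{flow.src_ip} -> {flow.dst_ip}:{flow.dst_port} {flow.method} {flow.status} {flow.url}")
```

Two caveats when treating such records as flows: the client address is what the proxy saw, so an `X-Forwarded-For` chain behind a downstream proxy is invisible here, and for a tunnelled `CONNECT` only the host and port are known, not the path.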

New anomaly detection algorithm

The detection engine has been upgraded with a new class of anomaly detection algorithm.

Faster UI

Much faster response from the web UI, scaling to large volumes of processed traffic and long time windows.

Consumes less disk space

Primary and analyzed data are stored in a more compact format, requiring less space on the Cognitive Analyst server and/or backup media.

Current browser support

The Cognitive Analyst web UI supports Internet Explorer 9, Firefox 9 and Chrome 16.

GUI report tool

Interesting events can be marked and exported as tables or graphs to PDF or Office formats.

[Screenshot: searching_1.png]

My networks setting

A setting that distinguishes your own network ranges from the outside. It is recommended on any network that communicates with the Internet.

Outlying service clients classification

Automatic classification of service outliers: clients that use a service in a way that differs markedly from how other clients use it.

Precise classification of new services and clients

Discover new anomalous services on your network, or users connecting from unexpected destinations.

Version 4.3

Main Dashboard

The main dashboard now depicts an overview of the flows, categorized by overall trustworthiness (the Cognitive Trust Score, or CTS), where green indicates the lowest risk (highest trust) and red the highest risk. In this version of Cognitive Analyst the table shows a trust overview for a user-selected timeframe (which can span minutes, days or even weeks). An events overview tab summarizes all categorized traffic collected by Cognitive Analyst, with details such as source and destination IP addresses, the type of events associated with the traffic, and the total bytes, flows and events linked to them.


The main dashboard also lets the user quickly select the top ten IP sources of main concern, or the top ten IP targets, in the selected timeframe. An events list provides further details of the top events for analysis. (All IP addresses in the screenshots have been anonymized.)

Applying filters

In the current version of Cognitive Analyst, a new overview graph is provided in the Dashboard and can be configured with user-selected filters. This graphical representation of filtered events allows users to quickly retrieve detailed information and drill down to the finer details of an attacker's activity and behavior.


[Screenshot: chart_applied_filter.png]

Customization via URL parameters

The state of the Dashboard screen is now encoded in the URL itself. Users can edit the URL in their browser to customize the dashboard, save it in their favorites for future access, or share it with other security administrators. The URL carries the pre-set filters, the displayed tab, and the time period.

[Screenshot: addressbar.png]