

Our target market definition is simple – virtually every company, non-profit institution or government organization in the developed world is nowadays dependent on network access and information services.

Securing networks and systems against automated and human-driven attacks is becoming more and more important with the growing number of information and asset misuse scenarios. Current solutions are surprisingly fragile when facing sophisticated adversaries, or even very simple malicious code arriving by unexpected routes such as flash drives, laptops, VPN connections or infected websites.

    Covering the gaps

Our product is designed to cover the gaps left by the current generation of network security tools. Its firm positioning as an anomaly detection tool allows it to seamlessly handle both known and unknown attacks, and our experiments show that the solution is ideally suited for the detection, prioritization and handling of attacks that would bypass or evade perimeter defenses.

    Hitting the new attacks before they become widespread

This ability is crucial given the current slow but steady growth of self-modifying and adaptive malware. Current research and experimental versions of malware can already adapt to evade detection by a specific intrusion detection system. It is therefore crucial to develop security solutions that refrain from using clearly specified attack signatures or profiles, and to move towards solutions that are robust against a learning, strategically reasoning adversary.

Multi-algorithm anomaly detection is a difficult target for evasion, as it can define complex and mutable decision rules that are almost impossible for an attacker to discover before they change again.

    Addressing the limitations

However, the anomaly detection approach has many shortcomings, and we actively address them with the self-monitoring and self-optimizing features of our solution. These industry-unique features offer the user a near-real-time estimate of the solution’s ability to detect the various relevant classes of attacks against the current traffic background. They also allow the system to optimize itself, increasing user confidence and decreasing system management costs.

    Results

The various AI techniques combined in the system are stacked to progressively reduce the error rate. The individual anomaly detection algorithms are tuned to be highly sensitive, typically returning about *100 false alarms for each true alert*. We progressively reduce this number by anomaly aggregation between algorithms (50:1), individual trust modeling, which captures long-term experience with traffic profiles built in real time (10:1), a simple average of trustfulness between models (7:1), and an adaptive, optimized average that brings the error rate down to roughly two false alerts for each true alert. This ratio is further reduced by incident classification and processing rules. See our publications for more specific results and a broader set of scenarios.

    Interface

Our advantage is in packing advanced artificial intelligence and a high number of algorithms into a self-managing appliance/software with standard and simple interfaces. Initial configuration and customization are possible, but the whole system is designed with simple operation in mind.

    Honesty

As a system that processes only network traffic statistics, we cannot (and do not) claim the ability to detect all attacks; isolated, single-flow buffer overflows are an example of what we miss. Our solution is effective only against the classes of attacks that are observable in NetFlow data, but our efficient error suppression algorithm allows us to increase the sensitivity significantly.


    copyright 2010 - cognitivesecurity

    info@cognitivesecurity.cz