2025-03-26 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
A recent landmark in Cisco's return to cyber security was its acquisition of Czech-based Cognitive Security. What is the core competence of this startup, founded by a university lecturer in the Czech Republic? It turns out to be DFI, that is, traffic-based anomaly detection.
Cognitive's goal is clear: to detect APTs, zero-day malicious code, and other polymorphic malicious code.
Cognitive uses the following anomaly-based detection algorithms; they are not new, but they are practical.
Cognitive Analyst's products and services utilize a multi-stage detection algorithm to generate a Cognitive Trust Score (CTS), which is effectively a measure of the 'trustfulness' of the data being analyzed. Currently eight stages are used to increase the detection and accuracy of threats, and collectively generate an accurate CTS for an analyst to action and subsequently mitigate against an attack. A selection of these algorithms is summarized as follows:
MINDS algorithm [Ertoz et al, 2004] (a detection algorithm based on source/target analysis): The Minnesota Intrusion Detection System (MINDS) processes data from a number of flows: 1. data from a single source IP to multiple destinations, 2. flows from multiple sources to a single destination, or 3. a series of flows between a single source and a single destination.
Xu et al. algorithm [Xu, Zhang et al, 2005] (a traffic source classification algorithm): This algorithm serves to classify traffic sources. A normalized entropy is established (i.e. giving a meaningful analysis of the apparent randomness of a data set), and the classification is determined by applying static classification rules to the established normalized states.
Volume prediction algorithm [Lakhina et al, 2004] (traffic prediction algorithm): This algorithm uses the Principal Components Analysis (PCA) methodology, a mathematical procedure used to formulate predictive models. In order to build a model of traffic volumes from individual sources, values are determined based on the number of flows, bytes, and packets generated from each source. The PCA method then identifies the complex relationships between the traffic originating from distinct sources.
Entropy prediction algorithm [Lakhina et al, 2005] (entropy prediction algorithm): This algorithm is similar to the PCA-based traffic modeling discussed above, but uses different features than volume alone. Entropy prediction aggregates traffic from source IPs, but instead of processing traffic volumes, it predicts the entropy of source and destination ports, and destination IPs.
TAPS algorithm [Sridharan et al, 2006] (an algorithm for layer-by-layer traffic analysis): This algorithm targets a specific class of attacks by classifying a subset of suspicious traffic sources and characterizing them by three features: 1. the number of destination IP addresses, 2. the number of ports in the set of flows from the source, and 3. the entropy of the flow size. The anomaly of the source is based on the ratios between these values.
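The TAPS-style features above, worked through on constructed flow records as an added example (not Cognitive's code or Sridharan's reference implementation): per-source destination-IP count, port count and normalized flow-size entropy are computed, and a source is flagged when the IP-to-port ratio is lopsided and its flow sizes barely vary. The flow tuples, the ratio threshold of 5 and the entropy threshold of 0.3 are assumptions chosen for the demo.

```python
import math
from collections import Counter, defaultdict

# Constructed NetFlow-style records (src_ip, dst_ip, dst_port, bytes):
# one ordinary client plus one host sweeping 20 neighbours on 3 ports.
FLOWS = [
    ("10.0.0.5", "93.184.216.34", 443, 5200),
    ("10.0.0.5", "93.184.216.34", 443, 8800),
    ("10.0.0.5", "172.16.0.10", 53, 120),
    ("10.0.0.5", "172.16.0.10", 53, 95),
    ("10.0.0.5", "172.16.0.20", 445, 2100),
] + [("10.0.0.99", f"10.0.1.{i}", p, 60)
     for i in range(1, 21) for p in (22, 80, 443)]

def normalized_entropy(values):
    """Shannon entropy of the value distribution scaled to [0, 1]:
    0 when every value is identical, 1 when uniform over distinct values."""
    counts = Counter(values)
    n = len(values)
    if n == 0 or len(counts) == 1:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in counts.values())
    return h / math.log2(len(counts))

def source_features(flows):
    """Per-source TAPS-style features: distinct destination IPs, distinct
    destination ports, and normalized entropy of the flow size."""
    per_src = defaultdict(list)
    for src, dst, port, nbytes in flows:
        per_src[src].append((dst, port, nbytes))
    return {src: {
        "flows": len(recs),
        "dst_ips": len({d for d, _, _ in recs}),
        "ports": len({p for _, p, _ in recs}),
        "size_entropy": normalized_entropy([b for _, _, b in recs]),
    } for src, recs in per_src.items()}

def taps_suspicious(f, ratio_threshold=5.0, entropy_threshold=0.3):
    """Flag a source whose IP:port (or port:IP) ratio is lopsided, as in a
    horizontal or vertical sweep, while its flow sizes barely vary.
    The thresholds are assumed demo values, not Cognitive's."""
    ratio = max(f["dst_ips"], f["ports"]) / min(f["dst_ips"], f["ports"])
    return ratio >= ratio_threshold and f["size_entropy"] <= entropy_threshold

def suspicious_sources(flows):
    """Sorted list of sources the TAPS-style rule flags."""
    return sorted(s for s, f in source_features(flows).items() if taps_suspicious(f))
```

In a real deployment the thresholds would be learned per network segment rather than fixed, and the per-source feature vector would feed the other stages (PCA volume model, entropy prediction) rather than a single rule.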
In fact, I have mentioned this kind of technology many times. We have also put a lot of effort and work into this area, and it has been used in our products.