AWARE NetAnalyzer accurately detects infections by identifying the transaction sequences and time windows, spread across multiple network flows, that elude conventional IDS/IPS.
The software works by identifying communication sequences which occur during an infection process. The results are then modeled as a set of "dialog" exchanges between and among internal hosts and external entities.
When AWARE detects potentially malicious, coordination-centric dialogs, it generates events and sends them to a correlation engine for real-time analysis. Each event is weighted according to the infection lifecycle stage (or stages) it matches. Based on the accumulated events and their scores, the system then builds an "infection profile" and passes it to a threat analytics engine for further classification and clustering; the profile is tracked over time, so that each new dialog infection warning contributes to the overall infection sequence score.
The threat analytics engine assigns scores to each "infection profile" based on the amount and diversity of forensic evidence, and presents them via a GUI for reporting, drill-down and detailed analysis. Users may also choose to export alerts to SIEM platforms like HP ArcSight using the Common Event Format (CEF).
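The pipeline described above, reduced to its core, as an added illustration (this is not TaaSera's code): dialog events for an internal host are grouped into a time-windowed infection profile, each event adds the weight of its lifecycle stage, and the resulting profile is rendered as a CEF line of the kind a SIEM such as ArcSight ingests. The stage names, weights, the 90-second window, the vendor/product fields and the sample events are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed lifecycle stages and weights (not the product's real table);
# later stages of an infection carry more weight.
STAGE_WEIGHT = {"scan": 1, "exploit": 3, "payload_download": 4,
                "c2_beacon": 5, "data_egress": 6}
WINDOW = timedelta(seconds=90)  # assumed gap that separates two dialogs

# Constructed dialog events: (timestamp, internal host, external peer, stage)
EVENTS = [
    (datetime(2024, 1, 1, 10, 0, 0), "10.0.0.5", "203.0.113.9", "exploit"),
    (datetime(2024, 1, 1, 10, 0, 20), "10.0.0.5", "198.51.100.7", "payload_download"),
    (datetime(2024, 1, 1, 10, 1, 5), "10.0.0.5", "198.51.100.7", "c2_beacon"),
    (datetime(2024, 1, 1, 10, 0, 10), "10.0.0.8", "203.0.113.9", "scan"),
    (datetime(2024, 1, 1, 10, 30, 0), "10.0.0.8", "203.0.113.9", "exploit"),
]

def build_profiles(events):
    """Group events per internal host. An event joins the host's current
    profile if it arrives within WINDOW of the previous event, otherwise a
    new profile starts. Score is the sum of stage weights; the distinct
    stages and peers record the diversity of the evidence."""
    profiles = defaultdict(list)
    for ts, host, peer, stage in sorted(events):
        runs = profiles[host]
        if runs and ts - runs[-1]["last"] <= WINDOW:
            p = runs[-1]
        else:
            p = {"host": host, "first": ts, "stages": set(), "peers": set(), "score": 0}
            runs.append(p)
        p["last"] = ts
        p["stages"].add(stage)
        p["peers"].add(peer)
        p["score"] += STAGE_WEIGHT[stage]
    return profiles

def cef_escape(s, extension=False):
    """CEF escaping: '\\' everywhere; '|' in the header, '=' in the extension."""
    s = s.replace("\\", "\\\\")
    return s.replace("=", "\\=") if extension else s.replace("|", "\\|")

def to_cef(p):
    """Render a profile as a CEF:0 line; severity is the score capped at 10."""
    sev = min(10, p["score"])
    ext = (f"src={p['host']} cnt={len(p['stages'])} "
           f"cs1={cef_escape(','.join(sorted(p['stages'])), True)} cs1Label=stages")
    return f"CEF:0|ExampleVendor|DialogCorrelator|1.0|100|Infection profile|{sev}|{ext}"

if __name__ == "__main__":
    for runs in build_profiles(EVENTS).values():
        for p in runs:
            print(to_cef(p))
```

With the constructed events, 10.0.0.5 yields one profile of three stages (score 12, severity capped at 10), while the two 10.0.0.8 events fall outside the window of each other and produce two separate low-scoring profiles.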
- Live threat intelligence updates from the TaaSera Threat Center;
- Quick reports with search filters;
- Analytics reports with drill-down views, visualization bar charts, and geo-location map views;
- Offline analysis (of infection profiles imported from an archive);
- Management of multiple, distributed sensors;
- SIEM integration (HP/ArcSight-CEF certified);
- Log file management with third-party storage; and
- Built-in contextual help panes.