TaaSERA

Advanced Malware Behavior Detection

How it Works

TAAS NetAnalyzer™ detects the network transactions that make up a malware infection and predicts the order and time window in which they occur, catching infections that elude conventional IDS/IPS. The software works by identifying the communication sequences that take place during an infection process; these are then modeled as a loosely ordered set of exchanges between internal hosts and external entities.

NetAnalyzer generates infection dialog warnings from three engines: a rule-based heuristics engine, a statistical scan anomaly detection engine and a statistical payload anomaly detection engine. Alerts are visible to users in a GUI for reporting and detailed analysis, and can also be exported to SIEM platforms such as HP ArcSight using the Common Event Format (CEF).

When the system detects a potentially malicious dialog, it weights the dialog according to specific behavioral patterns, which lets it detect the multiple exploit vectors employed by today’s advanced malware.

NetAnalyzer uses an “n-gram distribution” of the payload, the occurrence frequency of each possible n-byte sequence, to measure how far a payload deviates from normal network traffic. Events are then sent to a dialog correlation engine for further analysis and tracked over time, so that each dialog infection warning contributes to the overall infection sequence score.
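The payload anomaly detector described above, as an added example in Python (not TaaSERA's code): it learns the per-n-gram mean and standard deviation of benign payloads and scores a new payload with the simplified Mahalanobis distance used by PAYL. The choice of that distance, the smoothing constant, the threshold calibration (twice the worst training distance) and the HTTP sample traffic are all assumptions; the page states only that an n-gram distribution and a deviation distance are used.

```python
from collections import Counter
import math


def ngram_distribution(payload: bytes, n: int = 1) -> dict:
    """Relative frequency of every n-byte sequence occurring in the payload."""
    if len(payload) < n:
        return {}
    counts = Counter(payload[i:i + n] for i in range(len(payload) - n + 1))
    total = sum(counts.values())
    return {gram: c / total for gram, c in counts.items()}


class PayloadModel:
    """Per-n-gram mean and standard deviation learned from normal payloads.

    Distance is the simplified Mahalanobis distance from PAYL (assumed here,
    not confirmed as the product's metric): sum of |x - mean| / (std + alpha).
    """

    def __init__(self, n: int = 1, smoothing: float = 0.001):
        self.n = n
        self.smoothing = smoothing   # alpha: keeps never-seen grams finite
        self.mean: dict = {}
        self.std: dict = {}
        self.threshold = float("inf")

    def train(self, payloads, margin: float = 2.0) -> None:
        dists = [ngram_distribution(p, self.n) for p in payloads]
        k = len(dists)
        for gram in set().union(*dists):
            vals = [d.get(gram, 0.0) for d in dists]
            mu = sum(vals) / k
            self.mean[gram] = mu
            self.std[gram] = math.sqrt(sum((v - mu) ** 2 for v in vals) / k)
        # Calibrate the alarm threshold as a margin above the most unusual
        # training payload (identical training payloads would give 0 here).
        self.threshold = margin * max(self.distance(p) for p in payloads)

    def distance(self, payload: bytes) -> float:
        dist = ngram_distribution(payload, self.n)
        total = 0.0
        for gram in self.mean.keys() | dist.keys():
            dev = abs(dist.get(gram, 0.0) - self.mean.get(gram, 0.0))
            total += dev / (self.std.get(gram, 0.0) + self.smoothing)
        return total

    def is_anomalous(self, payload: bytes) -> bool:
        return self.distance(payload) > self.threshold


# Constructed sample traffic (not captured data): benign HTTP requests to
# train on, one fresh benign request, and a request carrying a NOP sled.
NORMAL_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /css/site.css HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /news/2013/story.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 22\r\n\r\nuser=alice&pass=secret",
    b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]
FRESH_NORMAL = b"GET /news/2013/index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
SHELLCODE_LIKE = b"GET /" + b"\x90" * 32 + bytes(range(0xE0, 0xFF)) + b" HTTP/1.1\r\n\r\n"


def build_demo_model() -> PayloadModel:
    model = PayloadModel(n=1)
    model.train(NORMAL_REQUESTS)
    return model


if __name__ == "__main__":
    m = build_demo_model()
    for name, p in [("fresh benign", FRESH_NORMAL), ("NOP sled", SHELLCODE_LIKE)]:
        print(f"{name:12s} distance={m.distance(p):8.1f} anomalous={m.is_anomalous(p)}")
```

The smoothing constant does most of the work on unseen grams: a byte that never occurred in training has mean and standard deviation zero, so its whole frequency is divided by alpha, which is why a sled of 0x90 bytes scores far above any benign request while a fresh request built from the training vocabulary stays close to the training distances. Raising n to 2 or 3 sharpens the model but needs far more benign traffic before the per-gram statistics stabilise.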

TaaSERA software produces a “forensic confidence score” from a dialog correlation matrix and the combination of dialog warnings observed for a given local host. The system must find at least two dialog events before forensic confidence reaches an actionable level.

TAAS NetAnalyzer is then able to diagnose advanced malware attacks and infections based on a correlated sequence of inbound exploits, binary downloads, command and control communication and outbound scans. TAAS software also detects the peer-to-peer propagation and attack preparation activities of coordinated malware variants.

Best of all, TaaSERA's correlation engine is able to find otherwise undetected malware because it does not require a strict ordering of events to reach a conclusive determination, giving TaaSERA technology a unique advantage over today’s malware detection tools.
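The correlation step described in the last three paragraphs, as an added example in Python (not TaaSERA's code): dialog warnings for a local host are collected in a sliding window, scored on the set of distinct dialog classes seen regardless of arrival order, and become actionable only when at least two classes are present, after which the verdict is rendered as a CEF event of the kind exported to a SIEM. The dialog class names follow the infection stages the page lists; the weights, the additive score standing in for the correlation matrix, the 5.0 threshold, the one-hour window, the vendor/product strings and the sample warnings are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed dialog classes and evidence weights. The classes follow the stages
# named on the page; the weights and threshold are illustrative only.
DIALOG_WEIGHTS = {
    "inbound_scan": 1.0,
    "inbound_exploit": 3.0,
    "egg_download": 3.0,        # binary download after a successful exploit
    "cnc_communication": 4.0,
    "outbound_scan": 3.0,
    "p2p_propagation": 3.0,
}
ACTIONABLE_SCORE = 5.0          # assumed: a lone scan or exploit never fires


@dataclass(frozen=True)
class DialogWarning:
    ts: float           # epoch seconds
    local_host: str
    dialog: str         # key of DIALOG_WEIGHTS
    remote: str
    detail: str


class DialogCorrelator:
    """Scores each local host on the set of dialog classes seen in a window.

    Ordering inside the window is deliberately ignored: C&C traffic logged
    before the exploit that caused it is correlated just the same.
    """

    def __init__(self, window_seconds: float = 3600.0, min_dialogs: int = 2):
        self.window = window_seconds
        self.min_dialogs = min_dialogs
        self.by_host = defaultdict(list)

    def add(self, w: DialogWarning) -> None:
        if w.dialog not in DIALOG_WEIGHTS:
            raise ValueError(f"unknown dialog class: {w.dialog}")
        self.by_host[w.local_host].append(w)

    def active(self, host: str, now: float) -> list:
        """Warnings for host whose timestamp falls inside (now - window, now]."""
        return [w for w in self.by_host.get(host, [])
                if now - self.window < w.ts <= now]

    def forensic_confidence(self, host: str, now: float):
        # Distinct classes only, so a hundred repeated scans remain one piece
        # of evidence; the score is the sum of the class weights.
        classes = {w.dialog for w in self.active(host, now)}
        return sum(DIALOG_WEIGHTS[c] for c in classes), classes

    def is_actionable(self, host: str, now: float) -> bool:
        score, classes = self.forensic_confidence(host, now)
        return len(classes) >= self.min_dialogs and score >= ACTIONABLE_SCORE


def _cef_header(field: str) -> str:
    # CEF header fields escape backslash and pipe.
    return field.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value: str) -> str:
    # CEF extension values escape backslash, equals sign and line breaks.
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(host: str, now: float, corr: DialogCorrelator,
           vendor: str = "ExampleVendor", product: str = "DialogCorrelator") -> str:
    """Render the current verdict for host as one CEF event line."""
    score, classes = corr.forensic_confidence(host, now)
    severity = min(10, int(score))              # CEF severity is 0..10
    header = [vendor, product, "1.0", "INFECTION", "Infection dialog correlated"]
    ext = (f"src={_cef_ext(host)} cs1Label=dialogs "
           f"cs1={_cef_ext(','.join(sorted(classes)))} "
           f"cn1Label=forensicConfidence cn1={score:g}")
    return "CEF:0|" + "|".join(_cef_header(f) for f in header) + f"|{severity}|" + ext


# Constructed warnings (not real sensor output), one scenario per host.
CONSTRUCTED_WARNINGS = [
    # 10.0.0.5: C&C beacon seen before the exploit that caused it (loose ordering).
    DialogWarning(100.0, "10.0.0.5", "cnc_communication", "203.0.113.7:6667", "IRC beacon"),
    DialogWarning(600.0, "10.0.0.5", "inbound_exploit", "198.51.100.23", "payload anomaly on tcp/445"),
    # 10.0.0.9: repeated scans only; one dialog class is never actionable.
    DialogWarning(200.0, "10.0.0.9", "inbound_scan", "198.51.100.40", "SYN sweep"),
    DialogWarning(260.0, "10.0.0.9", "inbound_scan", "198.51.100.41", "SYN sweep"),
    # 10.0.0.12: exploit and C&C too far apart to share one window.
    DialogWarning(0.0, "10.0.0.12", "inbound_exploit", "198.51.100.50", "payload anomaly on tcp/80"),
    DialogWarning(5000.0, "10.0.0.12", "cnc_communication", "203.0.113.9:443", "periodic beacon"),
]


def build_demo_correlator() -> DialogCorrelator:
    corr = DialogCorrelator(window_seconds=3600.0)
    for w in CONSTRUCTED_WARNINGS:
        corr.add(w)
    return corr


if __name__ == "__main__":
    corr = build_demo_correlator()
    for host, now in [("10.0.0.5", 700.0), ("10.0.0.9", 700.0), ("10.0.0.12", 5000.0)]:
        score, classes = corr.forensic_confidence(host, now)
        print(host, sorted(classes), score, corr.is_actionable(host, now))
        if corr.is_actionable(host, now):
            print(to_cef(host, now, corr))
```

Run as a script, 10.0.0.5 is flagged although its C&C beacon was logged five hundred seconds before the exploit, 10.0.0.9 never becomes actionable on scans alone, and 10.0.0.12 is not flagged at 5000 seconds because the exploit has aged out of the one-hour window. The window is the trade-off a deployment has to tune: too short and slow infections fall apart into single events, too long and unrelated warnings for a busy host accumulate into a false verdict.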
