How it Works
AWARE NetAnalyzer accurately detects diverse network transactions to predict the order and time window for malware occurrences that elude conventional IDS/IPS. The software works by identifying communication sequences which occur during an infection process. The results are then modeled as a loosely ordered set of exchanges between and among internal hosts and external entities.
NetAnalyzer generates infection dialog warnings using a rule-based heuristics engine (the "AWARE" Attack Warning and Response Engine), a statistical scan anomaly detection engine and a statistical payload anomaly detection engine. Alerts are visible to users via a GUI for reporting and detailed analysis. Users may also choose to export alerts to SIEM platforms such as HP ArcSight using the Common Event Format (CEF).
When the system detects a potentially malicious dialog, it weights that dialog based on specific behavioral patterns, so that the multiple exploit vectors employed by today’s advanced malware can be detected.
AWARE produces a “forensic confidence score” based on a dialog correlation matrix and the combination of dialog warnings observed for a given local host. The system must find at least two dialog events before forensic confidence reaches actionable levels.
AWARE is then able to diagnose advanced malware attacks and infections based on a correlated sequence of inbound exploits, binary downloads, command and control communication and outbound scans. AWARE also detects the peer-to-peer propagation and attack preparation activities of coordinated malware variants.
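The per-host dialog correlation described above, written out as an added illustration that is not AWARE's own code: constructed dialog warnings are grouped by local host, scored against a small correlation matrix, lightly penalised when the stages run out of the expected order, and rendered as a CEF line. The dialog weights, the 0.5 actionable threshold, the out-of-order penalty and the CEF vendor/field names are all assumptions of this example, and "two dialog events" is read here as two distinct dialog types.

```python
from collections import defaultdict

# Canonical dialog order from the page: inbound exploit -> binary download -> C2 -> outbound scan.
DIALOG_ORDER = ["inbound_exploit", "binary_download", "c2_communication", "outbound_scan"]
# Weights, thresholds and penalty are assumptions for this example, not AWARE's real matrix.
DIALOG_WEIGHTS = {"inbound_exploit": 0.30, "binary_download": 0.30,
                  "c2_communication": 0.25, "outbound_scan": 0.20}
MIN_DISTINCT_DIALOGS = 2     # page: at least two dialog events before actionable
ACTIONABLE_THRESHOLD = 0.50  # assumed
OUT_OF_ORDER_PENALTY = 0.8   # assumed: "loosely ordered" means a mild penalty, not rejection

# Constructed sample warnings (ts in seconds, documentation-range addresses); not real traffic.
SAMPLE_EVENTS = [
    {"ts": 100, "local_host": "10.0.0.5", "kind": "inbound_exploit",  "remote": "203.0.113.9"},
    {"ts": 130, "local_host": "10.0.0.5", "kind": "binary_download",  "remote": "203.0.113.9"},
    {"ts": 190, "local_host": "10.0.0.5", "kind": "c2_communication", "remote": "198.51.100.4"},
    {"ts": 150, "local_host": "10.0.0.7", "kind": "outbound_scan",    "remote": "10.0.0.0/24"},
    {"ts": 160, "local_host": "10.0.0.9", "kind": "c2_communication", "remote": "198.51.100.4"},
    {"ts": 200, "local_host": "10.0.0.9", "kind": "c2_communication", "remote": "198.51.100.4"},
]

def correlate(events):
    """Group dialog warnings per local host and compute a forensic confidence score."""
    per_host = defaultdict(list)
    for ev in events:
        per_host[ev["local_host"]].append(ev)
    results = {}
    for host, evs in per_host.items():
        first_seen = {}                      # dialog kind -> first timestamp it was observed
        for ev in sorted(evs, key=lambda e: e["ts"]):
            first_seen.setdefault(ev["kind"], ev["ts"])
        score = sum(DIALOG_WEIGHTS[k] for k in first_seen)
        # Loose ordering check: first-seen times should not run backwards along DIALOG_ORDER.
        seq = [first_seen[k] for k in DIALOG_ORDER if k in first_seen]
        if any(a > b for a, b in zip(seq, seq[1:])):
            score *= OUT_OF_ORDER_PENALTY
        score = round(min(score, 1.0), 2)
        results[host] = {
            "score": score,
            "dialogs": sorted(first_seen, key=DIALOG_ORDER.index),
            "actionable": len(first_seen) >= MIN_DISTINCT_DIALOGS and score >= ACTIONABLE_THRESHOLD,
        }
    return results

def to_cef(host, result):
    """Render one host verdict as a CEF line (vendor, product and custom field names are assumed)."""
    sev = int(round(result["score"] * 10))   # CEF severity is 0-10
    ext = f"src={host} cs1Label=dialogs cs1={','.join(result['dialogs'])} cn1Label=score cn1={result['score']}"
    return f"CEF:0|ExampleVendor|DialogCorrelator|0.1|100|Infection dialog correlated|{sev}|{ext}"
```

Running `correlate(SAMPLE_EVENTS)` marks only 10.0.0.5 as actionable (three distinct stages in order, score 0.85); 10.0.0.7 and 10.0.0.9 each show a single dialog type, so repeated C2 beacons alone never reach the threshold.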