True Machine Intelligence
In a nutshell, Vigiliti's patent pending True Machine Intelligence works by observing network traffic in the
enterprise and building numerical models of what normal traffic looks like. Traffic that deviates
significantly from this norm is singled out and labeled abnormal. When a substantial amount of abnormal traffic
originates from or terminates at a host computer, that host is labeled abnormal. When a host is severely abnormal,
a real-time alert is generated. The abnormality and the alerts are visible on the user interface, along with
the most abnormal hosts. Usually, the abnormality is caused by human misbehavior such as employee misuse,
malware activity such as botnets, or network faults.
The way the technology works is best explained by how a child learns to recognize a flower.
When a child is very small, she does not know what flowers look like. She sees a lot of
green backgrounds and colorful things when her parents take her out to the garden. However, as the child
grows older and observes carefully, she starts to learn that there are things with colorful petals
in the middle of green foliage. The child learns to spot them by looking at their
shape, color, number of petals and formation. The parents give the child no rules that define
what a flower looks like; the child learns by example.
In a similar fashion, the True Machine Intelligence embedded in the nLive Smart and Enterprise editions
learns by example, from what it sees while observing the traffic for a period of time. Unlike antivirus, firewall and IDP
systems, which are generally based on pre-defined rules, nLive can spot abnormal traffic in the
network even when that abnormality is very specific to that network and has never been seen elsewhere before.
This makes it suitable for detecting new and previously unknown problems and faults in the network.
nLive's machine intelligence technology uses what is called a 'positive model' of the traffic.
Positive modeling builds a knowledge base of what is OK and normal in the user's environment and detects when
something in the traffic changes. Competing products use negative models
to detect strange activity: a negative model keeps a set of 'bad behaviors' (such as malware signatures)
and looks for them. The problem with negative modeling is that one can never have a complete list
of bad behaviors. Positive modeling reduces false alarms and false negatives.
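The learn-then-score loop described above (a positive model of normal traffic, each flow scored by its multi-dimensional deviation from that model, hosts rolled up and alerted when severely abnormal), as an added toy example in Python; it is not Vigiliti's or nLive's code, and the three per-flow features, the thresholds and the sample flows are assumptions made for the illustration:

```python
import math
from collections import defaultdict
FEATURES = ("bytes", "packets", "peers")   # assumed per-flow features
# Constructed sample flows (not real captures). The learning window is assumed
# to contain only normal traffic, which is what a positive model relies on.
BASELINE_FLOWS = [
    {"host": "ws1", "bytes": 900, "packets": 9, "peers": 1},
    {"host": "ws2", "bytes": 1100, "packets": 11, "peers": 3},
    {"host": "ws1", "bytes": 900, "packets": 11, "peers": 3},
    {"host": "ws2", "bytes": 1100, "packets": 9, "peers": 1},
]
OBSERVED_FLOWS = [
    {"host": "ws1", "bytes": 1050, "packets": 10, "peers": 2},
    {"host": "ws2", "bytes": 1100, "packets": 11, "peers": 3},
    {"host": "srv", "bytes": 1000, "packets": 10, "peers": 40},  # fan-out spike
    {"host": "srv", "bytes": 50000, "packets": 500, "peers": 40},
    {"host": "srv", "bytes": 1000, "packets": 10, "peers": 2},
    {"host": "bot", "bytes": 2000, "packets": 10, "peers": 60},  # sustained deviation
    {"host": "bot", "bytes": 1000, "packets": 30, "peers": 55},
    {"host": "bot", "bytes": 5000, "packets": 80, "peers": 70},
]

def learn_model(flows):
    """Learning phase: per-feature mean and standard deviation of normal traffic."""
    n, model = len(flows), {}
    for f in FEATURES:
        vals = [flow[f] for flow in flows]
        mean = sum(vals) / n
        std = math.sqrt(sum((v - mean) ** 2 for v in vals) / n)
        model[f] = (mean, std if std > 0 else 1.0)  # constant feature: avoid divide-by-zero
    return model

def flow_score(model, flow):
    """Multi-dimensional deviation: all z-scores folded into one distance (features
    assumed independent), so a flow mildly off on every feature is still caught."""
    return math.sqrt(sum(((flow[f] - m) / s) ** 2 for f, (m, s) in model.items()))

def score_hosts(model, flows, flow_thresh=3.0, host_frac=0.5, severe_frac=0.8):
    """Label flows, then roll the abnormal fraction up per host; 'severe' is the level at which an alert would fire."""
    per_host = defaultdict(list)
    for flow in flows:
        per_host[flow["host"]].append(flow_score(model, flow))
    result = {}
    for host, scores in per_host.items():
        abnormal = sum(1 for s in scores if s > flow_thresh)
        frac = abnormal / len(scores)
        status = "severe" if frac >= severe_frac else "abnormal" if frac >= host_frac else "normal"
        result[host] = {"flows": len(scores), "abnormal": abnormal, "status": status}
    return result
```

Calling `score_hosts(learn_model(BASELINE_FLOWS), OBSERVED_FLOWS)` labels srv abnormal and bot severe while the workstations stay normal. A real deployment also has to decide what to do when the learning window itself already contains a compromise, which this page does not discuss.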
Problem Detection

| Feature | Benefit |
| --- | --- |
| Multi-dimensional technology | Reduces false negatives: detects problems of all kinds, regardless of what type of change appears in the traffic. |
| | Reduces false positives: instead of examining each aspect of the traffic (such as bandwidth) individually, which causes false alarms, the multi-dimensional, multivariate method considers the traffic features as a whole to detect problems. |
| Automatic self-tuning | Completely automated self-tuning frees the user from needing to understand how the nLive technology works or to interact with it directly, saving time and effort. |
| Machine learning technology | nLive embeds True Machine Intelligence (described above) and does not need to know beforehand what types of problems occur. Most problems are unique to the user's network environment; nLive can still detect them without any such prior knowledge, which increases the user's confidence. |
| | It builds custom-fitted models of the traffic in a specific network to reduce false positives and negatives. This is unlike a 'one-size-fits-all' approach, where a factory setting is assumed to work best in all networks and a lot of tweaking by the user is required. |
| Problem tracking | nLive can 'track' a problem from its onset rather than just sending an alert. This reduces the number of entries the user sees in the problem tables and so reduces the user's data overload. |

Reporting and Advanced Analytics

| Feature | Benefit |
| --- | --- |
| Distributed Database | The database is embedded in each sensor, so there is no central database server. This saves WAN bandwidth by not exporting traffic flow information across the network, increases the fault tolerance of the nLive system, and scales to very large enterprises. |
| Drill-down capability | The user can click on most user-interface elements, such as charts and graphs, to see more information and investigate. This saves time by rapidly narrowing down the root causes of problems when time is of the essence. |
| Visualizations | The user interface provides multiple types of data visualization to suit the type of problem being investigated and the type of user. This gives users choices and lets them pick the most convenient widgets, saving time in identifying and isolating the root causes of problems or gathering the information they need from the traffic. |
| Searching | nLive allows very extensive and powerful searching of the traffic, problems and scores. You can search by host name, IP address, MAC address, subnet, octets, business groups, applications, ports, regions, etc. |
| | Searching can also be conducted effectively by clicking on contextual menus and drilling down. |

Traffic Collection

| Feature | Benefit |
| --- | --- |
| Capture interfaces | Captures traffic from multiple mirror/SPAN ports on a switch. |
| | Deduplicates packets that may have multiple copies. |
| State machine | Reduces thousands of packets into a handful of flows to minimize data overload for the user. |
| | Reduces unidirectional NetFlow records to bidirectional events. |
| | Decodes from layer 2 through layer 7 to identify application traffic and dynamic ports. |
| Unique host identification | nLive identifies hosts by their names or MAC addresses so traffic profiling is accurate. Users do not have to trace hosts by IP address in a DHCP environment, which gives them accurate information without frustration. |