Technology behind
True Machine Intelligence
In a nutshell, Vigiliti's patent-pending True Machine Intelligence works by observing network traffic in the enterprise and building numerical models of what normal traffic looks like. Traffic that deviates significantly from this norm is then singled out and labeled abnormal. When a substantial amount of abnormal traffic originates from or terminates at a host computer, that host is labeled abnormal. When a host is severely abnormal, a real-time alert is generated. The abnormality and the alerts are visible on the user interface, along with the most abnormal hosts. Usually, the abnormality is caused by human misbehavior such as employee misuse, malware activity such as botnets, or network faults.
The way the technology works is best explained by how a child learns to recognize a flower. When a child is very small, she does not know what flowers are like. She sees a lot of green backgrounds and colorful things when her parents take her out to the garden. However, as the child grows older and observes carefully, she starts to learn that there are things with colorful petals that appear in the middle of green foliage. The child learns to spot them by their shape, color, number of petals and formation. The parents give the child no rules defining what a flower looks like; the child learns by example.
In a similar fashion, the True Machine Intelligence embedded in the nLive Smart and Enterprise editions learns from examples seen while observing the traffic for a period of time. Unlike antivirus, firewall and IDP systems, which are generally based on pre-defined rules, nLive can spot abnormal traffic in the network even when that abnormality is specific to that network and has never been seen elsewhere. This makes it suitable for detecting new and previously unknown problems and faults in the network.
nLive's machine intelligence technology uses what is called a 'positive model' of the traffic. Positive modeling builds a knowledge base of what is OK and normal in the user's environment and detects when something in the traffic changes. Competing products use negative models to detect strange activity. A negative model keeps a set of 'bad behaviors' (such as malware signatures) and looks for them. A problem with negative modeling is that one can never have a complete list of bad behaviors. Positive modeling reduces false alarms and false negatives.
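As an added illustration of the positive-model approach described above (example code written for this page, not Vigiliti's or nLive's own implementation): a baseline window of constructed flow records gives a per-feature mean and standard deviation, flows more than three standard deviations from that norm are labeled abnormal, and hosts are scored by how many abnormal flows they originate or terminate. All addresses, byte and packet counts and thresholds are constructed assumptions.

```python
"""Toy 'positive model' anomaly detector: learn what is normal, flag deviations,
attribute them to hosts. Sample flows are constructed, not real traffic.
Each flow is (src, dst, bytes, packets)."""
from collections import Counter
from statistics import mean, pstdev

# Constructed baseline window: traffic assumed normal during the learning period.
BASELINE = [
    ("10.0.0.1", "10.0.0.2", 1200, 12), ("10.0.0.2", "10.0.0.3", 1500, 14),
    ("10.0.0.3", "10.0.0.1", 1800, 16), ("10.0.0.1", "10.0.0.4", 2000, 18),
    ("10.0.0.4", "10.0.0.2", 2200, 20), ("10.0.0.2", "10.0.0.5", 2500, 22),
    ("10.0.0.5", "10.0.0.1", 2800, 24), ("10.0.0.3", "10.0.0.4", 3000, 26),
    ("10.0.0.4", "10.0.0.5", 3200, 28), ("10.0.0.5", "10.0.0.3", 3500, 30),
]

# Constructed observation window: mostly normal, plus one host (10.0.0.9)
# involved in several flows far larger than anything seen in the baseline.
OBSERVED = [
    ("10.0.0.1", "10.0.0.2", 2000, 18), ("10.0.0.2", "10.0.0.3", 2600, 22),
    ("10.0.0.4", "10.0.0.5", 3100, 27),
    ("10.0.0.9", "10.0.0.2", 50000, 400), ("10.0.0.9", "10.0.0.3", 80000, 700),
    ("10.0.0.9", "10.0.0.4", 120000, 900), ("10.0.0.5", "10.0.0.9", 45000, 380),
]

def build_model(flows):
    """Positive model: (mean, population std-dev) of each numeric feature."""
    features = list(zip(*[(b, p) for _, _, b, p in flows]))
    return [(mean(f), pstdev(f)) for f in features]

def abnormal_flows(flows, model, z_max=3.0):
    """A flow is abnormal if any feature lies more than z_max std-devs from the norm."""
    flagged = []
    for flow in flows:
        for value, (mu, sigma) in zip(flow[2:], model):
            if sigma and abs(value - mu) / sigma > z_max:
                flagged.append(flow)
                break
    return flagged

def host_scores(flagged):
    """Attribute each abnormal flow to both endpoints (origin and termination)."""
    counts = Counter()
    for src, dst, _, _ in flagged:
        counts[src] += 1
        counts[dst] += 1
    return counts

def alerts(scores, severe=3):
    """Hosts with at least `severe` abnormal flows, most abnormal first."""
    return [host for host, n in scores.most_common() if n >= severe]
```

A plain mean and standard deviation are easily inflated by heavy-tailed traffic, so a real baseline would use robust statistics or per-host models to keep genuine deviations visible.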
- Determine security threats
- Locate network bottlenecks
- Capture network abusers
- Get complete traffic visibility