The MetaFlows Security System Malware Protection is ADVANCED. We’re talking behavioral and signature detection, multi-layered, Malware-butt kicking advanced. The MSS finds Malware using a 3-layer approach where each level is highly scalable and works independently to progressively increase the detection accuracy.
Layer1: Session level
This is the most basic level of intrusion detection carried out by hardened Linux-based open source components. Our fine-tuned and extremely robust Session-level process can scale from 100 Mbps to 10 Gbps using inexpensive, standard server hardware.


Layer 2: Multiple-Session
With multiple-session correlation, we identify typical infection behavior by looking at alerts belonging to a single home machine. The MSS positively scores alerts based on observing at least two events corresponding to the typical phases of a Bot Infection.
- Inbound scanning
- Exploit
- Egg download
- C&C communication
- Outbound scanning/propagation
Multiple-session analysis (unlike traditional IDS) reduces false positives almost entirely and brings true positives to the forefront. This proprietary analysis is performed by Cyber-TA’s BotHunter (licensed to MetaFlows by SRI International). BotHunter intelligence feeds and rules are updated weekly from the SRI Malware Threat Center.

Layer3: Multiple-Domain (Predictive Global Correlation)
Research funded by the National Science Foundation has led to the development of a proprietary multiple-domain correlation algorithm that is mathematically similar to Google’s page ranking. Event scores are autonomously obtained from a global network of virtual machines that masquerade as victims. As the victims are repeatedly attacked and infected, the MSS records security event information of both successful and unsuccessful hacker techniques and subsequent nefarious activities. This information is then combined with 5 additional network intelligence sources and then propagated in real time to each of our users to augment the session level and multiple-session-level ranking described above. This additional inter-domain correlation is important because it adds operational awareness based on real-time, measured intelligence.
With multiple-session correlation, we identify typical infection behavior by looking at alerts belonging to a single home machine. The MSS positively scores alerts based on observing at least two events corresponding to the typical phases of a Bot Infection.
- Inbound scanning
- Exploit
- Egg download
- C&C communication
- Outbound scanning/propagation
Multiple-session analysis (unlike traditional IDS) reduces false positives almost entirely and brings true positives to the forefront. This proprietary analysis is performed by Cyber-TA’s BotHunter (licensed to MetaFlows by SRI International). BotHunter intelligence feeds and rules are updated weekly from the SRI Malware Threat Center.

You can always learn more about how we are protecting networks better here.