What is Multi-session Correlation?

   Traditional IDS: A1;A2;A3 are independent                Multi-session: A1, A2, A3 are correlated
Traditional network intrusion detection systems (IDS) generate alerts by finding known threat patterns within a single TCP session. This is very blunt. Important events (A3) are often missed due to the high volume of false positive alerts (A1). To be effective, traditional IDS need constant tuning and expert analysis.

Multi-session correlation is an evolution of dialog-based correlation extended to leverage diverse global threat intelligence. Simply put, it automatically connects the dots between notable TCP sessions between a single internal host and multiple external hosts over time. It produces incident reports containing multiple events related to the same threat (A2+A3) rather than giving you independent alerts. This works much better, it will save you time and money in defending your enterprise.

You can try it on your network for free. Register at nsm.metaflows.com and build your own network malware detection appliance within minutes. All you need is some decent hardware with 2 Network Interface Cards and a span/mirror port from your switch.

Leave a Reply

Your email address will not be published. Required fields are marked *