Since the performance overhaul of the last release, we’ve concentrated our efforts to bring you additional refinements to the accuracy and information value in Flowmon ADS 11.1.
- Proxy correlation in a stream
- Point-and-click analysis via interactive event visualization
- Improved evaluation of false-positive rules
For better data fidelity, communications taking place via a proxy server are correlated so that detection is performed using data with the real destination’s IP address rather than the proxy’s.
Figure 1 Correlation configuration dialog
This correlation feature has been fully implemented for the new stream architecture of Flowmon ADS 11.x.
Interactive event visualization
To make analysis more intuitive, ADS 11.1 visualizes events interactively to give you a quicker understanding of the structure of events.
Simply by clicking on an IP address in the exploded view, you will see which other hosts took part in the communication and how much data was transferred. For example, when you have detected the activity of an attacker, you can easily explore other activities they may have engaged in and what other hosts they contacted.
Figure 2 Node size and line thickness correspond to the amount of data transferred; node and line color (green to red) corresponds to the number of flows.
Improved false positive processing
The new version also aims to reduce noise by refining the processing of false positives.
False-positive rules are now evaluated on an all match basis to further reduce the number of incorrectly detected events. This measure results in fewer false positives when multiple rules are applied at the same time.
In addition, the usage statistics of false-positive rules have been simplified and now include timestamps of last usage and usage count.
Figure 3 Detail of the usage statistics of a false-positive rule
Flowmon ADS 11.1 delivers refined detection capability with intuitive point-and-click analysis. It is a vital asset to any security analyst’s toolbox.
Do you have any feedback about Flowmon ADS 11.1? Let us know!