The MetaFlows Security System

Multi-functional, multi-session behavioral detection that reliably finds and shuts down malware hidden in your network

What Makes MetaFlows Different

Unlike traditional IDS systems, which rely on single-source intelligence and analyze each session in isolation, MetaFlows combines multiple collaborative intelligence sources with multi-session behavioral detection.

Traditional IDS

  • Single-source proprietary intelligence
  • Single-session analysis
  • High false positive rates (5-10%)
  • Misses multi-stage attacks
  • Signature-dependent detection
  • Limited behavioral analysis

MetaFlows Approach

  • Multiple collaborative intelligence sources
  • Multi-session correlation across time
  • Ultra-low false positives (<1%)
  • Tracks complete attack chains
  • Behavioral pattern recognition
  • Multi-functional traffic analysis

This unique multi-functional, multi-session approach simultaneously lowers both false positive and false negative rates. The result is improved detection accuracy that yields tremendous cost savings in human capital and automation while dramatically improving security.

System Architecture

Built on open standards for flexibility, scalability, and best-in-class cost-performance

The MetaFlows Security System uses a distributed architecture with two main components: sensors and controllers. A single controller can manage anywhere from 1 to 1,000+ sensors, providing centralized management and analysis at any scale.

[Figure: MetaFlows Architecture Diagram, showing the distributed sensor and controller architecture]

Sensors

Sensors run on standard Linux (CentOS or RHEL) augmented with our multi-functional deep packet inspection software and proprietary kernel drivers. Key features:

  • Full root access: Easily augment with site-specific applications or configurations
  • Automatic updates: OS updates via standard package management, MetaFlows software self-updates
  • Flexible deployment: Install on customer hardware, VMware, or EC2 instances
  • High performance: Scales to 10 Gbps using PF_RING technology

Controller

The controller provides centralized management and analysis capabilities:

  • Web GUI for system management of all sensors
  • Receives and stores metadata continuously exported by sensors
  • Web-based forensic analysis application
  • Automated reports and email alerts
  • Security intelligence feed management and distribution

Typical Workflow

From detection to remediation in minutes

1. Detection: The sensor detects suspicious behavior through multi-functional network traffic analysis.
2. Alert: Metadata and an automated incident report are sent in real time to the controller and/or a third-party SIEM.
3. Notification: The controller triggers an email alert, or an analyst sees the event on the real-time console.
4. Analysis: The analyst reviews the metadata/report through the web interface or SIEM and queries the sensor for payload data.
5. Documentation: The analyst files an incident report with the relevant metadata and payload evidence.
6. Remediation: Remediation policies are instantiated through Soft IPS, or existing protections are verified.

Core Capabilities

Multi-functional analysis working together to detect threats

BotHunter: Multi-Session Detection

Coordinates activities across multiple sessions to detect malware infection lifecycles that traditional IDS systems miss.

  • Inbound scanning detection
  • Exploitation attempt tracking
  • Egg download monitoring
  • C&C communication identification
  • Propagation and exfiltration detection
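The multi-session correlation described above, as an added illustration that is not MetaFlows' own code: phase evidence for one internal host is scored across different sessions inside a time window, so a single noisy session (three hits of the same signature) never fires by itself while a scan, exploit, egg download and C&C chain does. The phase weights, threshold, window and the Event layout are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Lifecycle phases as listed on the page; the weights and thresholds are assumptions of this example.
PHASE_WEIGHTS = {"inbound_scan": 1, "exploit_attempt": 2, "egg_download": 3,
                 "cnc_communication": 3, "propagation": 2, "exfiltration": 2}
ALERT_THRESHOLD = 5      # assumed: evidence score at which a host is declared infected
WINDOW_SECONDS = 3600    # assumed: how far back sessions are correlated

@dataclass(frozen=True)
class Event:
    ts: int        # epoch seconds
    host: str      # internal host the session involves
    phase: str     # one of PHASE_WEIGHTS
    session: str   # session identifier, so one noisy session cannot fire alone

def correlate(events, threshold=ALERT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {host: sorted phases} for hosts whose distinct lifecycle phases, seen in at
    least two different sessions within `window` seconds, reach `threshold`."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_host[ev.host].append(ev)
    infected = {}
    for host, evs in by_host.items():
        for i, latest in enumerate(evs):                   # slide the window over this host's timeline
            recent = [e for e in evs[: i + 1] if latest.ts - e.ts <= window]
            phases = {e.phase for e in recent}
            score = sum(PHASE_WEIGHTS[p] for p in phases)  # a phase counts once, however many hits
            if score >= threshold and len({e.session for e in recent}) >= 2:
                infected[host] = sorted(phases)            # keeps the fullest recent picture
    return infected

# Constructed sample: 10.0.0.5 shows a chain across four sessions; 10.0.0.9 only repeats one
# single-session signature hit; 10.0.0.7 has a single isolated C&C hit.
SAMPLE = [
    Event(1000, "10.0.0.5", "inbound_scan", "s1"),
    Event(1030, "10.0.0.5", "exploit_attempt", "s2"),
    Event(1100, "10.0.0.5", "egg_download", "s3"),
    Event(1200, "10.0.0.5", "cnc_communication", "s4"),
    Event(1000, "10.0.0.9", "exploit_attempt", "s9"),
    Event(1001, "10.0.0.9", "exploit_attempt", "s9"),
    Event(1002, "10.0.0.9", "exploit_attempt", "s9"),
    Event(9000, "10.0.0.7", "cnc_communication", "s7"),
]

if __name__ == "__main__":
    print(correlate(SAMPLE))
```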

Signature Detection

IDS/IPS events generated by reconstructing sessions and examining them for known security violation patterns.

  • 20,000+ rules (ET-PRO and VRT)
  • Updates every 12 hours
  • Highly customizable rule sets
  • Multi-core parallelization

Network Antivirus

Monitor file transmissions across your network with 50+ antivirus engines and optional sandbox analysis.

  • Monitors .exe, .dll, .pdf, Office docs, .zip
  • 50+ antivirus solutions
  • High-priority alerts on 3+ positives
  • Cuckoo sandbox integration
  • Amazon EC2 VPC sandbox support

Soft IPS Technology

Block unwanted traffic in passive mode without inline deployment risks or performance impact.

  • No inline deployment required
  • Zero impact on network availability
  • Scales to 10 Gbps on commodity hardware
  • Active blocking of bots, malware, P2P
  • Learns which hosts need isolation

Flow Analysis

Automatically highlights network patterns showing scans, anomalous bandwidth usage, or data exfiltration.

  • Automated flow aggregation
  • Bandwidth anomaly detection
  • Scan pattern identification
  • Integrated with event correlation

File Carving

Extract files from packet logs to analyze suspected downloads, exploit payloads, or data exfiltration.

  • Real-time file extraction
  • VirusTotal integration
  • Launched from historical or real-time views
  • Precise packet log selection

Passive Service Discovery

Discover network services, user agents, DNS names, and DHCP leases by processing packet payloads.

  • No active scanning required
  • Comprehensive service inventory
  • Real-time network visibility
  • Asset discovery and tracking

Vulnerability Scanning

Execute external vulnerability scans against public-facing systems to identify exposure before attackers exploit it.

  • Initiated from Real-Time or Historical views
  • CVE references and detailed reports
  • Correlation with security incidents
  • Evidence collection for compliance
  • Integration with IPS for auto-quarantine

SIEM Integration

Import and export security events in multiple formats for seamless integration with existing infrastructure.

  • Syslog, CEF, OSSEC formats
  • Supports all major SIEM platforms
  • Bi-directional data flow
  • Unified correlation platform
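As an added example of the CEF-over-syslog export path named above (not MetaFlows' own exporter or event schema): a sensor event is rendered as a CEF record with the header and extension escaping rules applied, then framed as an RFC 3164 style syslog message. The event dictionary keys, vendor/product strings, hostname and facility are assumptions of this example.

```python
from datetime import datetime, timezone

# Constructed sample event in the key layout this example assumes (not MetaFlows' own schema).
SAMPLE_EVENT = {
    "ts": 1700000000, "sig_id": "MF-EX-1", "name": "Egg download|example", "severity": 8,
    "src": "10.0.0.5", "spt": 49152, "dst": "203.0.113.7", "dpt": 80, "proto": "TCP",
    "msg": "GET /update.exe user=guest",
}

def _hdr(value):
    """Escape a CEF header field: backslash and pipe are reserved there."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def _ext(value):
    """Escape a CEF extension value: backslash, '=' and line breaks are reserved there."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def to_cef(event, vendor="MetaFlows", product="MSS", version="1.0"):
    """Render one event as CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension."""
    severity = max(0, min(10, int(event["severity"])))            # CEF severity range is 0-10
    header = "|".join(_hdr(f) for f in
                      (vendor, product, version, event["sig_id"], event["name"], severity))
    ext = {"src": event["src"], "spt": event["spt"], "dst": event["dst"], "dpt": event["dpt"],
           "proto": event["proto"], "rt": int(event["ts"]) * 1000,  # rt is epoch milliseconds
           "msg": event["msg"]}
    return f"CEF:0|{header}|" + " ".join(f"{k}={_ext(v)}" for k, v in ext.items())

def to_syslog(event, hostname="sensor01", facility=4):
    """Frame the CEF line as an RFC 3164 style message: <PRI>Mmm dd hh:mm:ss host payload."""
    sev = 2 if event["severity"] >= 8 else 4 if event["severity"] >= 5 else 6  # crit/warning/info
    ts = datetime.fromtimestamp(int(event["ts"]), timezone.utc)
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"                   # day is space-padded in 3164
    return f"<{facility * 8 + sev}>{stamp} {hostname} {to_cef(event)}"

if __name__ == "__main__":
    print(to_syslog(SAMPLE_EVENT))
```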

Performance & Scalability

Industry-leading deep packet inspection cost-performance ratio

Thanks to MetaFlows' pioneering work on open source core-based IDS parallelism (PF_RING), our appliances achieve exceptional performance on commodity hardware. This approach provides enormous flexibility while delivering one of the best cost-performance ratios in the industry.

[Chart: IDS Throughput vs. Processing Cores (8C Appliance), showing IDS throughput scaling with cores]

8-core parallel processing achieves nearly 700 Mbps sustained throughput with 6,765 ET Pro Snort signatures.

[Chart: 24C Appliance Performance Comparison across different configurations]

Sustained Snort performance with varying rule counts: GCC vs. ICC compiler, NAPI vs. DNA mode.

[Chart: 64C Appliance Full System Performance, with all features enabled]

The 64C appliance processes nearly 8 Gbps sustained with 10,003 Snort rules enabled.

Performance Highlights

  • 8C Appliance: Up to 800 Mbps sustained throughput
  • 24C Appliance: 800-5,000 Mbps sustained throughput
  • 64C Appliance: 5,000-10,000 Mbps sustained throughput
  • Process-level parallelism effectively scales across cores
  • PF_RING DNA provides superior performance over NAPI mode
  • Intel ICC compiler offers 25% performance improvement at high rule counts

Appliance Options

From small offices to large enterprises, we have the right appliance for your needs

High Performance Appliances

Appliance     Throughput          Hardware                       Application
MSS-Silver    <100 Mbps           1 CPU, VMware, Amazon EC2      Small Enterprise, Cloud Security
MSS-APP-8C    100-800 Mbps        1 CPU (8 Cores), Amazon EC2    Small/Medium Enterprise, Cloud
MSS-APP-24C   800-5,000 Mbps      2 CPU (32 Cores)               Medium Enterprise
MSS-APP-64C   5,000-10,000 Mbps   4 CPU (64 Cores)               Medium/Large Enterprise

Deployment flexibility: MetaFlows software can be deployed on customers' own hardware or provided through our turnkey appliances. Our appliances are based on carefully selected commodity hardware that undergoes rigorous QA testing. We maintain nearly 100% availability across dozens of production deployments.

Deployment Options

Passive or inline, your choice

Capability                                 Inline IPS            Soft IPS (Passive)
Blocks TCP                                 ✓ Yes                 ✓ Yes
Extracts Attacker Invariants Dynamically   ✗ No                  ✓ Yes
Block IP from Console                      ✗ No                  ✓ Yes
Blocks UDP and ICMP                        ✓ Yes                 ✗ No
Software Failure Impact                    All Traffic Stops     All Traffic Through
Hardware Failure Impact                    All Traffic Stops     All Traffic Through
Power Loss Impact                          All Traffic Through   All Traffic Through
Performance Impact                         ~200 µs Latency       None

Passive Configuration

Soft IPS reliably blocks unwanted traffic in passive mode

MetaFlows' Soft IPS reliably blocks unwanted traffic in passive mode by injecting spoofed TCP packets that disrupt the offending connections. This approach is as effective as inline deployment for TCP traffic without the reliability and latency concerns of an inline device; as the comparison table above shows, the trade-off is that UDP and ICMP traffic cannot be blocked this way. Nearly all our customers use Soft IPS.

System Configuration Options

Product          Security Events & Logs         Sensor Configuration           Payloads
MSS SaaS         MetaFlows Cloud                MetaFlows Cloud                Sensor Disk/SAN
MSS SaaS Local   Local Sensor Disk              MetaFlows Cloud                Sensor Disk/SAN
MSS GE           Global Enterprise Controller   Global Enterprise Controller   Sensor Disk/SAN
MSS Standalone   External SIEM                  Sensor Disk                    Sensor Disk/SAN
