Multi-Session IDS Statistics: High Priority IDS Rules (12/04/2020 12:48am to 12/11/2020 12:48am UTC)

High priority network IDS rules are involved in multi-session incident reports which have a high probability of being cyber attacks. The severity associated with each trigger is derived by observing what the associated cyber attack does and customer feedback on how severe they perceive the incident to be. The tpr is calculated with respect to the global count of the same rule ID, whether or not it caused a compromise.

The table below the bubble graph shows the sortable raw data. The first column is the invariant extracted from the events. If you have an account with MetaFlows, you can click on certain invariants to see if your sensors have detected it. The other columns should be self-explanatory. Hovering over a bubble or set of overlapping bubbles shows the raw data represented by the bubble(s) selected. This selection is sticky so that you can go to the table and inspect the data or click on the links within the table. To see all rows in the table, click outside any bubble.

MetaFlows uses Multi-Session Intrusion Detection Analysis. This advanced correlation technique gathers specific network IDS alerts (also called dialog events) that form a typical behavior pattern for an infected host. Dialog events are fed directly into a separate correlation engine, where each host’s individual dialog production pattern is mapped and scored against an abstract malware infection life-cycle model. Once a multi-session pattern crosses over a threshold, the hosts and the network IDS rules involved are marked as true positives. These true positive hits are then used to derive the graph you see below. This graph essentially provides a measure of the power of each network IDS rule in indicating a compromise.

High-Priority network IDS ID Description Avg Priority (avgp) Total Priority (totp) True Positive Rate (tpr) Severity (avgp * tpr) Prevalence (totp * tpr)