
System Detection uses sophisticated data mining, machine learning, and behavioral-based statistical analysis and detection techniques to significantly improve the ability of security managers to detect and protect against threats to the integrity of networks, systems, and applications. System Detection customers benefit from the improved effectiveness and reliability of security initiatives and the boost in productivity its Hawkeye products deliver. And, because System Detection's Hawkeye works with the security products organizations already own, their current investments are protected.

Panorama
Hawkeye Panorama examines network activity in near real time to detect attacks and threatening activity with a high degree of accuracy, even in complex, traffic-rich environments like peering centers and network gateways. Its analysis and reporting capabilities give security administrators an unprecedented level of visibility into, and control over, the threats to their networks and systems, improving the reliability and accuracy of security efforts and boosting productivity.

Capabilities and Features


Network Traffic Monitoring: Examines and analyzes TCP/IP header information and connection records to detect, identify, and track scan and probe activity associated with the reconnaissance, attack, and exploitation of computer networks, delivering high coverage and low false-positive rates even in high-bandwidth environments, including network gateways.
Intelligence Profile: Gathers and calculates measurements and statistics regarding network traffic that characterize malicious surveillance and reconnaissance activities. Information provided includes the amount of traffic, number of attackers, levels of malicious activity, network resources that are frequently targeted for attack, frequent sources of attacks, analysis of attack timing, and source country of attack.
Gateway Traffic Analysis: Supports asymmetric traffic analysis in network gateways and other environments where it is not possible to view both source and target traffic flows.
Distributed Architecture: A distributed and hierarchical architecture supports information sharing across organizations and communities of interest, expanding visibility of attack and reconnaissance activity across geographic or organizational boundaries.
Attack Detection and Analysis: Generates attack scenarios based on correlation and aggregation of malicious activity.
Reporting: Extensive reporting and analysis capabilities, including attack activity associated with source and target IP addresses, target protocols and programs, and overall trends.
Attack Archive: Stores aggregate summary information regarding individual alerts, including aggregate cost information, number of attacks discovered, analyst comments, and attack scenario information, yielding an in-depth understanding of security threats and responses.

www.systemdetection.com
Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX03) 0-7695-1897-4/03 $17.00 © 2003 IEEE

Network Defender
Hawkeye Network Defender discovers new attack patterns, misuse, and abuse other systems miss by augmenting the accuracy, effectiveness, and reliability of perimeter security defenses, such as firewalls and intrusion detection systems, with data mining and machine learning statistical and empirical analysis algorithms.

Capabilities and Features


Statistical Analysis: Innovative data mining and machine learning techniques automatically identify behavioral patterns in existing systems. Using sophisticated models of normal activity, Defender assesses operational traffic, discovering new attacks and misuse and improving the accuracy and reliability of existing perimeter defense systems.
Multiple Training Techniques: Using a mix of behavior anomaly detection techniques, Hawkeye Defender is uniquely capable of learning behavior from both clean (known to be free of attacks) and dirty data, simplifying model creation and improving accuracy.
Filtration and Correlation: Hawkeye Defender brings order to the flood of alerts and events generated by perimeter security systems by categorizing and naming alerts based on known attacks with similar characteristics, and by aggregating alerts based on physical or virtual location (hosts used to scan, or subjects of attacks) or behavioral characteristics (inter-probe delay, number of bytes, flags, etc.).
Attack Triage: Evaluates, prioritizes, and escalates attacks based on criteria including the importance of a given asset, the cost or difficulty of restoring the asset to service, the sensitivity or confidentiality of the resource, a cost-benefit analysis of an attack scenario's cost to respond versus the expected damage, and attack scenario outcomes based on vulnerability assessments.
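The scan and probe detection that Panorama's Network Traffic Monitoring describes, and the aggregation of alerts by behavioral characteristics and triage by asset criteria that Defender describes, can be illustrated on connection records alone. The following is an added example written for this page, not System Detection's Hawkeye code; the connection records, the thresholds (a 60-second window, five distinct ports or hosts), the timing bands and the asset register are all constructed assumptions, and the triage weighting is a hypothetical formula chosen only to show the listed criteria combining.

```python
from collections import Counter, defaultdict
from statistics import mean

# Constructed TCP connection records: (time_s, src_ip, dst_ip, dst_port, flags).
# Built for this example only; S = SYN in the usual shorthand. Only header
# fields are used, as the Network Traffic Monitoring description requires.
RECORDS = [
    (100.0, "10.0.0.5", "192.168.1.10", 21, "S"),   # one host, many ports,
    (101.0, "10.0.0.5", "192.168.1.10", 22, "S"),   # one probe per second
    (102.0, "10.0.0.5", "192.168.1.10", 23, "S"),
    (103.0, "10.0.0.5", "192.168.1.10", 25, "S"),
    (104.0, "10.0.0.5", "192.168.1.10", 80, "S"),
    (105.0, "10.0.0.5", "192.168.1.10", 443, "S"),
    (200.0, "10.0.0.9", "192.168.1.1", 445, "S"),   # one port, many hosts,
    (200.1, "10.0.0.9", "192.168.1.2", 445, "S"),   # ten probes per second
    (200.2, "10.0.0.9", "192.168.1.3", 445, "S"),
    (200.3, "10.0.0.9", "192.168.1.4", 445, "S"),
    (200.4, "10.0.0.9", "192.168.1.5", 445, "S"),
    (300.0, "10.0.0.7", "192.168.1.10", 443, "S"),  # ordinary client traffic
    (330.0, "10.0.0.7", "192.168.1.10", 443, "S"),
    (360.0, "10.0.0.7", "192.168.1.10", 443, "S"),
]


def detect_scans(records, window=60.0, min_probes=5):
    """One alert per source that, within `window` seconds, touched at least
    `min_probes` distinct ports on one host (vertical scan) or one port on at
    least `min_probes` distinct hosts (horizontal scan)."""
    by_src = defaultdict(list)
    for rec in sorted(records):
        by_src[rec[1]].append(rec)
    alerts = []
    for src, recs in by_src.items():
        for i, first in enumerate(recs):
            burst = [r for r in recs[i:] if r[0] - first[0] <= window]
            hosts = {r[2] for r in burst}
            ports = {r[3] for r in burst}
            kind = None
            if len(hosts) == 1 and len(ports) >= min_probes:
                kind = "vertical"
            elif len(ports) == 1 and len(hosts) >= min_probes:
                kind = "horizontal"
            if kind:
                times = [r[0] for r in burst]
                gaps = [b - a for a, b in zip(times, times[1:])]
                alerts.append({"src": src, "kind": kind, "hosts": sorted(hosts),
                               "ports": sorted(ports), "probes": len(burst),
                               "interprobe_delay": round(mean(gaps), 2)})
                break  # first qualifying burst per source is enough here
    return alerts


def intelligence_profile(records, alerts):
    """Aggregate statistics of the kind the Intelligence Profile lists: number
    of attackers, share of traffic they produced, most-targeted resources."""
    attackers = {a["src"] for a in alerts}
    probes = [r for r in records if r[1] in attackers]
    return {
        "attackers": len(attackers),
        "probe_records": len(probes),
        "share_of_traffic": round(len(probes) / len(records), 2),
        "top_targets": Counter(r[2] for r in probes).most_common(1),
        "top_ports": Counter(r[3] for r in probes).most_common(1),
    }


def aggregate_by_timing(alerts, fast_threshold=0.5):
    """Group alerts by one behavioral characteristic, inter-probe delay;
    the band boundary is an assumed value."""
    groups = defaultdict(list)
    for a in alerts:
        band = "fast" if a["interprobe_delay"] < fast_threshold else "slow"
        groups[band].append(a["src"])
    return dict(groups)


# Hypothetical asset register for triage, on 1..10 scales.
ASSETS = {"192.168.1.10": {"importance": 9, "restore_cost": 8, "sensitivity": 7}}


def triage_score(alert, assets=ASSETS):
    """Hypothetical escalation score combining the triage criteria listed above:
    asset importance, restoration cost and sensitivity, scaled by probes per host.
    Hosts absent from the register default to the lowest values."""
    score = 0.0
    for host in alert["hosts"]:
        a = assets.get(host, {"importance": 1, "restore_cost": 1, "sensitivity": 1})
        score += a["importance"] + a["restore_cost"] + a["sensitivity"]
    return round(score * alert["probes"] / len(alert["hosts"]), 1)


if __name__ == "__main__":
    found = detect_scans(RECORDS)
    for a in found:
        print(a["src"], a["kind"], "delay", a["interprobe_delay"], "score", triage_score(a))
    print(intelligence_profile(RECORDS, found))
    print(aggregate_by_timing(found))
```

The two scanning sources are separated from the ordinary client by fan-out alone, and the slow scanner against the high-value host outscores the fast one against unregistered hosts, which is the ordering the triage criteria are meant to produce.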

Email Mining Toolkit


System Detection has developed an online "behavior-based" security system employing anomaly detection techniques to detect deviations from a system's or user's normal email behavior, rather than solely attempting to identify known attacks against a system via signature-based methods. The Email Mining Toolkit (EMT) is an offline email archive data mining analysis component of that system that assists security analysts in identifying misuse of email, including policy violations, unauthorized mailings, authentication fraud, viruses, worms, and spam. EMT is applied to email files gathered from server logs or client email programs and computes information about email flows and aggregate statistical information from the content fields of emails, without revealing those contents. EMT provides a set of models an analyst may use to support a wide range of analysis and detection tasks.

Capabilities and Features


Forensic Investigation: Inspection of an email archive and computation of statistics and attributes of the email attachments it contains, yielding information about individual emails, user behavior, and unusual, abnormal, or malicious attachments.
Behavioral Analysis: Profiling of user account activity, including count-frequency distributions among email senders and recipients and non-stationary and stationary temporal statistics showing a user's average email behavior.
Abuse and Misuse Detection: Automated detection of malicious email, self-propagating viruses, account misuse, spam, and security policy violations.


Detection of Policy Violations: Aggregate population or group models of typical email groups (cliques) and their communication behavior to detect security policy violations.
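The EMT description above (sender-recipient count-frequency distributions, a stationary per-user statistic, clique-style group models for policy violations, and attachment statistics computed without revealing content) is illustrated by the following added example, written for this page and not System Detection's EMT code. The email log, the baseline cut-off, the thresholds for "outside the clique" and fan-out, and the rule that an attachment digest seen from two senders indicates self-propagation are all constructed assumptions; the clique here is simply the set of correspondents a user exchanged mail with during the baseline.

```python
import hashlib
from collections import Counter, defaultdict
from statistics import mean

# Constructed email log for this example: (time, sender, recipients, attachment bytes or None).
# The attachment bytes stand in for a content field; the analysis keeps only a digest
# and counts derived from it, so no message content appears in the results.
LOG = [
    (1, "alice", ["bob"], None),
    (2, "alice", ["bob", "carol"], None),
    (3, "alice", ["carol"], None),
    (4, "bob", ["alice"], None),
    (5, "bob", ["carol"], None),
    (6, "carol", ["alice", "bob"], None),
    (7, "dave", ["erin"], b"quarterly-numbers.xls"),
    (8, "erin", ["dave"], None),
    # traffic after the baseline window, scored against the profiles
    (100, "alice", ["carol"], None),
    (101, "alice", ["bob", "carol", "dave", "erin", "ext@outside.example"], b"worm-payload"),
    (102, "bob", ["alice", "carol", "dave", "erin", "ext@outside.example"], b"worm-payload"),
    (103, "dave", ["erin"], b"quarterly-numbers.xls"),
]
BASELINE_UNTIL = 10  # assumed: messages at or before this time train the models


def digest(content):
    """Privacy-preserving handle for an attachment: a truncated SHA-256, never the bytes."""
    return hashlib.sha256(content).hexdigest()[:16] if content else None


def sender_profiles(log, until=BASELINE_UNTIL):
    """Count-frequency distribution of recipients for each sender over the baseline."""
    profiles = defaultdict(Counter)
    for t, sender, rcpts, _ in log:
        if t <= until:
            profiles[sender].update(rcpts)
    return profiles


def cliques(profiles):
    """Group model: a user's clique is everyone they exchanged mail with, in either direction."""
    groups = defaultdict(set)
    for sender, dist in profiles.items():
        for rcpt in dist:
            groups[sender].add(rcpt)
            groups[rcpt].add(sender)
    return groups


def recipients_per_message(log, until=BASELINE_UNTIL):
    """Stationary statistic of a user's average behavior: mean recipients per message."""
    sizes = defaultdict(list)
    for t, sender, rcpts, _ in log:
        if t <= until:
            sizes[sender].append(len(rcpts))
    return {s: mean(v) for s, v in sizes.items()}


def detect(log, until=BASELINE_UNTIL, max_new=2, fanout_factor=3.0):
    """Score post-baseline messages. Returns (time, sender, finding) tuples:
    'policy'      - more than max_new recipients outside the sender's clique
    'fanout'      - recipient count above fanout_factor times the sender's baseline mean
    'propagation' - the same attachment digest sent by two or more distinct senders"""
    groups = cliques(sender_profiles(log, until))
    fanout = recipients_per_message(log, until)
    senders_by_digest = defaultdict(set)
    findings = []
    for t, sender, rcpts, att in log:
        if t <= until:
            continue
        outside = [r for r in rcpts if r not in groups.get(sender, set())]
        if len(outside) > max_new:
            findings.append((t, sender, "policy"))
        if len(rcpts) > fanout_factor * fanout.get(sender, 1.0):
            findings.append((t, sender, "fanout"))
        h = digest(att)
        if h:
            senders_by_digest[h].add(sender)
            if len(senders_by_digest[h]) >= 2:
                findings.append((t, sender, "propagation"))
    return findings


if __name__ == "__main__":
    for finding in detect(LOG):
        print(finding)
```

Every model is built from flow fields (who wrote to whom, how often, how many at once) plus a digest of the attachment, so the findings can be shared with an analyst without exposing a single message body. Dave's recurring spreadsheet is not flagged because it stays with one sender and one recipient, while the same payload leaving two accounts in quick succession is.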

System Detection's Email Mining Toolkit reveals detailed aspects of a user's communications activities.

System Detection, Inc., 5 West 19th Street K-2, New York, New York 10011-4240 USA. (212) 206-1900, info@systemdetection.com, www.systemdetection.com. © 2003 System Detection, Inc.

