Software for Strategy Patterns

Data from computers, networks, databases and even external sources can be useful in detecting malware strategies. Since data arrives from different sources in different forms, it is first converted to a uniform format that represents every source as rows of data.

After the data is collected, it is sent through a "fat pipe" to the analyzer, where the strategy patterns are detected. This step involves mathematical analysis related to game theory. Only a few such patterns occur even in large data streams, so the user has to deal with only a summary containing a manageable amount of information.

Data to streams

Even though organizations often go for long periods without detecting malware, it is not for lack of data. Computers collect a lot of data, in various formats and in different locations. Our software converts data from different sources into time series. These time series can then be integrated to understand what is going on in a network or system. For example, packets containing malware can be associated with a user's web behavior: the network data may be captured by a packet capture tool like tcpdump, while the user's web behavior is recorded in SQLite databases.

Audit

Audit data captures selected event information into logs. This information is converted to time series, which can be used to detect hackers who avoid triggering alarms but still move through the system. Our analysis looks for this type of persistent movement, not necessarily dramatic actions.
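As an added illustration (example code, not the page's software and not its game-theoretic analysis), the block below turns sshd failure lines into uniform rows, buckets them into per-actor time series, and runs two detectors over them: a conventional burst threshold, which only sees the loud actor, and a simple persistence measure, which sees the actor that spreads one attempt every ten minutes across a new username each time. The log lines, the actor addresses (RFC 5737 documentation ranges) and both sets of thresholds are constructed for this example.

```python
"""Audit log lines -> uniform rows -> per-actor time series -> two detectors.

Added example, not the page's software. Shows why a burst threshold misses a
slow, persistent intruder that a persistence measure catches. The log lines
are constructed; the addresses are RFC 5737 documentation addresses.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# auth.log-style line: "<iso timestamp> sshd[pid]: Failed password for [invalid user] <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)$"
)
EPOCH = datetime(2024, 1, 1)  # fixed origin so bucket indices are plain integers


def make_sample_log():
    """Constructed sample: one loud brute forcer, one slow actor probing a new
    username roughly every ten minutes for eight hours, and one benign typo."""
    base = datetime(2024, 3, 4, 9, 0, 0)
    lines = []
    for i in range(60):  # loud actor: 60 failures inside one minute
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} sshd[2211]: Failed password for root from 203.0.113.7")
    for i in range(48):  # slow actor: one failure per ten minutes, different user each time
        ts = base + timedelta(minutes=10 * i, seconds=17)
        lines.append(f"{ts.isoformat()} sshd[{2300 + i}]: Failed password for invalid user u{i} from 198.51.100.9")
    ts = base + timedelta(hours=2)  # legitimate user mistyping a password once
    lines.append(f"{ts.isoformat()} sshd[2900]: Failed password for alice from 192.0.2.5")
    return lines


def parse(lines):
    """Uniform rows (timestamp, actor, user). Lines that do not match are skipped."""
    rows = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            rows.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"]))
    return rows


def bucket(rows, width):
    """Time series per actor: bucket index -> set of usernames tried in that window."""
    series = defaultdict(lambda: defaultdict(set))
    for ts, actor, user in rows:
        series[actor][(ts - EPOCH) // width].add(user)
    return series


def burst_detector(rows, width=timedelta(minutes=1), threshold=20):
    """Conventional alarm: more than `threshold` failures from one actor in one window."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, actor, _ in rows:
        counts[actor][(ts - EPOCH) // width] += 1
    return sorted(actor for actor, s in counts.items() if max(s.values()) > threshold)


def persistence_detector(rows, width=timedelta(minutes=10), min_buckets=12, min_users=5):
    """Persistence alarm: an actor that shows up in at least `min_buckets` windows and
    tries at least `min_users` distinct usernames, however low its rate per window."""
    flagged = []
    for actor, s in bucket(rows, width).items():
        users = set().union(*s.values())
        if len(s) >= min_buckets and len(users) >= min_users:
            flagged.append(actor)
    return sorted(flagged)


if __name__ == "__main__":
    rows = parse(make_sample_log())
    print("burst alarms:      ", burst_detector(rows))       # only the loud actor
    print("persistence alarms:", persistence_detector(rows))  # only the slow actor
```

The two detectors look at the same rows; only the window width and the statistic differ. Widening the window and counting distinct windows and distinct usernames, rather than events per window, is what makes the slow actor visible without raising the loud actor's score.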

Nagios

Nagios is a network and infrastructure monitoring system that can watch a wide variety of equipment and services. We track Nagios data and convert it into a stream of information that can be related to other activities.

Process

Most operating systems track their processes, recording parameters such as memory and CPU usage. While process accounting captures some of this data, we monitor at a finer granularity.

Packets

We monitor high-volume packet data and convert it into manageable time series of actions.

Sqlite

Web browsers typically keep their activity information in SQLite databases. We convert this data into time series so that we can determine patterns in web users' strategies.
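As an added example (not the page's code), the block below converts two of the sources described above, a tcpdump capture and a browser history database, into one row format and aligned per-minute time series, then associates outbound packets with page visits so that traffic to a destination the user never browsed stands out. The packet lines, the SQLite tables (a simplified subset of Firefox's places.sqlite schema, with the real column names moz_places.url and moz_historyvisits.visit_date), the workstation address and the DNS_MAP lookup table are all constructed; a real deployment would take the address-to-name mapping from DNS logs.

```python
"""Two sources, one row format, aligned time series.

Added example, not the page's software. Packet lines mimic `tcpdump -tttt -n`
output and the SQLite tables are a simplified subset of Firefox's
places.sqlite (moz_places / moz_historyvisits). Both are constructed here, as
is DNS_MAP, which stands in for a DNS log mapping addresses to names.
"""
import re
import sqlite3
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

EPOCH = datetime(1970, 1, 1)   # every timestamp is treated as naive UTC
HOST_IP = "192.0.2.10"          # the monitored workstation (constructed)
DNS_MAP = {"203.0.113.20": "www.example.com", "203.0.113.40": "docs.example.org"}

PKT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ IP (?P<src>[\d.]+)\.\d+ > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): .*length (?P<len>\d+)$"
)

# Constructed capture: two browsing sessions plus a small flow to an address nobody browsed.
PACKETS = """\
2024-03-04 09:00:02.104511 IP 192.0.2.10.51234 > 203.0.113.20.443: Flags [P.], seq 1:518, ack 1, win 502, length 517
2024-03-04 09:00:03.220014 IP 192.0.2.10.51234 > 203.0.113.20.443: Flags [P.], seq 518:1718, ack 1, win 502, length 1200
2024-03-04 09:03:11.007711 IP 192.0.2.10.51240 > 203.0.113.40.443: Flags [P.], seq 1:601, ack 1, win 502, length 600
2024-03-04 09:07:45.500120 IP 192.0.2.10.51260 > 198.51.100.77.8443: Flags [P.], seq 1:231, ack 1, win 502, length 230
2024-03-04 09:07:46.501009 IP 192.0.2.10.51260 > 198.51.100.77.8443: Flags [P.], seq 231:461, ack 1, win 502, length 230
""".splitlines()


def packet_rows(lines):
    """Uniform rows (ts, source, key, value): one row per outbound packet, value = bytes."""
    rows = []
    for line in lines:
        m = PKT_RE.match(line)
        if m and m["src"] == HOST_IP:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            rows.append((ts, "packet", m["dst"], int(m["len"])))
    return rows


def make_history_db():
    """Constructed browser history in a simplified Firefox-style schema (in memory)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
    """)

    def us(ts):  # Firefox stores visit_date as microseconds since the Unix epoch
        return int((ts - EPOCH).total_seconds() * 1_000_000)

    conn.executemany("INSERT INTO moz_places VALUES (?, ?)",
                     [(1, "https://www.example.com/"), (2, "https://docs.example.org/guide")])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?)",
                     [(1, 1, us(datetime(2024, 3, 4, 9, 0, 1))),
                      (2, 2, us(datetime(2024, 3, 4, 9, 3, 10)))])
    return conn


def browser_rows(conn):
    """Uniform rows: one row per page visit, keyed by hostname, value = 1 visit."""
    rows = []
    q = "SELECT v.visit_date, p.url FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id"
    for visit_date, url in conn.execute(q):
        ts = EPOCH + timedelta(microseconds=visit_date)
        rows.append((ts, "browser", urlparse(url).hostname, 1))
    return rows


def to_series(rows, width=timedelta(minutes=1)):
    """Per-source time series: source -> bucket index -> {key: summed value}."""
    series = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for ts, source, key, value in rows:
        series[source][(ts - EPOCH) // width][key] += value
    return series


def unexplained_destinations(series, width=timedelta(minutes=1)):
    """Outbound traffic whose destination name was not visited in the same
    minute or the one before. Returns (bucket start, destination ip, bytes)."""
    out = []
    for idx, flows in sorted(series["packet"].items()):
        visited = set(series["browser"].get(idx, {})) | set(series["browser"].get(idx - 1, {}))
        for dst, nbytes in flows.items():
            if DNS_MAP.get(dst) not in visited:   # unknown name counts as unexplained
                out.append((EPOCH + idx * width, dst, nbytes))
    return out


if __name__ == "__main__":
    rows = packet_rows(PACKETS) + browser_rows(make_history_db())
    for when, dst, nbytes in unexplained_destinations(to_series(rows)):
        print(f"{when:%Y-%m-%d %H:%M} {dst} {nbytes} bytes, no matching page visit")
```

The association is deliberately loose (a visit in the same or the preceding minute explains the traffic) because a browser records a visit at navigation time while the packets trail it; subresource loads to hosts that never appear in the history, such as CDNs, would also show up here and need a separate allow-list or DNS-based explanation.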

Sysstat

The sysstat tools monitor systems over longer periods, keeping rotating logs of activity, typically for 30 days. This data is structured into various categories. We reduce it to a convenient set of roughly 100 time series.

Mathematical Analysis

The heart of our software is mathematical analysis that discovers strategy patterns.

To discover strategy patterns, we analyze computer systems (including networks) as a mathematical space in which intruders try to compromise safety. Since intruders lack perfect information about the system, they are generally forced to conduct experiments. Mathematical methods can detect such patterns of experimentation, even though they do not fit the traditional understanding of patterns: the patterns here are patterns of change, rather than the fixed patterns of traditional pattern matching.