General malware detection

Because all malicious activity leaves footprints in network traffic, the visibility provided by traffic data can be an invaluable asset against modern malware.

By ingesting large volumes of network information through Plixer Scrutinizer, Plixer One Security can provide general malware detections and extract additional value from the same flow data.

Overview

The Plixer ML Engine uses classification - a machine learning technique that relies on models that have been trained on labeled data - to predict whether a host’s behavior is indicative of common classes of malware, including command and control, banking trojans, exploit kits, etc. Each prediction is returned in the form of a percentage, which represents the degree to which the observed traffic patterns match those it has learned to be associated with malware. If that percentage exceeds a preset detection threshold, a high-severity Event is generated under the corresponding Alarm Policy in the Plixer Scrutinizer Alarm Monitor.

Enabling malware classification

To optimize resource utilization, malware detection is configured at the ML inclusion level, enabling or disabling classification for all hosts associated with the inclusion. The Malware Detections setting can be accessed from the Manage ML Inclusions page, where it can be toggled on or off in the inclusion configuration tray.

Investigating malware detections

Once a detection is reported as an Alarm, the appropriate response can be determined using a combination of Plixer Scrutinizer workflows, including:

Note

General ML-driven malware detections are reported under the ML Engine malware alert Alarm Policy. A separate Malware Command and Conquer Activity Detected policy is used for detections via Flow Analytics.

Hint

After running an initial Report, it can be refined directly from the output view to enable further investigation.

Workflows

The following workflow(s) are examples of Plixer One Security’s malware detections being used as starting points for investigating suspicious network activity: