General malware detection
Because all malicious activity leaves footprints in network traffic, the visibility provided by traffic data can be an invaluable asset against modern malware.
By ingesting large volumes of network information through Plixer Scrutinizer, Plixer One Enterprise can provide general malware detections and extract additional value from the same flow data.
Overview
The Plixer ML Engine uses classification - a machine learning technique that relies on models that have been trained on labeled data - to predict whether a host’s behavior is indicative of common classes of malware, including command and control, banking trojans, exploit kits, etc. Each prediction is returned in the form of a percentage, which represents the degree to which the observed traffic patterns match those it has learned to be associated with malware. If that percentage exceeds a preset detection threshold, a high-severity Event is generated under the corresponding Alarm Policy in the Plixer Scrutinizer Alarm Monitor.
Enabling malware classification
To optimize resource utilization, malware detection is configured at the ML inclusion level, enabling or disabling classification for all hosts associated with the inclusion. The Malware Detections setting can be accessed from the Manage ML Inclusions page, where it can be toggled on or off in the inclusion configuration tray.
Investigating malware detections
Once a detection is reported as an Alarm, the appropriate response can be determined using a combination of Plixer Scrutinizer workflows, including:
- Drilling down into the Alarm and checking the timeline to determine whether the detection is an isolated observation or an ongoing Event
- Inspecting Event Artifacts to see which hosts were involved and drilling into them to gain further insights from Plixer Endpoint Analytics
- Running Source and Destination Reports on the hosts to check for traffic between them and external IP addresses
Hint: After running an initial Report, it can be refined directly from the output view to enable further investigation.
Note: General ML-driven malware detections are reported under the ML Engine malware alert Alarm Policy. A separate Malware Command and Conquer Activity Detected policy is used for detections via Flow Analytics.
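The three investigation steps above (timeline check, involved hosts, traffic to external addresses) and the threshold rule from the Overview can be expressed as a small triage routine over flow records. The following is an added example, not Plixer code: the Detection and Flow records, the 80% threshold, the RFC 1918 definition of "internal", and every sample value are constructed for illustration and do not reflect how Plixer Scrutinizer stores or scores data.

```python
"""Triage helper for ML malware detections over flow records.

Added example (not Plixer code). The record layouts, the threshold, the
internal address ranges and all sample values are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Assumed detection threshold (percentage); the product uses a preset value.
DETECTION_THRESHOLD = 80.0

# Assumed definition of "internal": the RFC 1918 ranges. Defined explicitly
# rather than via ip_address().is_global, which treats documentation ranges
# such as 203.0.113.0/24 as non-global.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass(frozen=True)
class Detection:
    ts: datetime
    host: str
    malware_class: str
    score: float  # percentage match reported by the classifier


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dst_port: int
    octets: int


def is_external(ip: str) -> bool:
    """True when the address falls outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def alerting_detections(detections, threshold=DETECTION_THRESHOLD):
    """Only scores at or above the threshold become high-severity Events."""
    return [d for d in detections if d.score >= threshold]


def timeline(detections, host, window=timedelta(hours=1)):
    """Classify a host's alerting detections as 'isolated', 'ongoing' or 'none'.

    'ongoing' means two alerting detections for the host fall within
    `window` of each other; a single hit is an isolated observation.
    """
    hits = sorted(d.ts for d in alerting_detections(detections) if d.host == host)
    if not hits:
        return "none"
    ongoing = any(b - a <= window for a, b in zip(hits, hits[1:]))
    return "ongoing" if ongoing else "isolated"


def peers(flows, host):
    """Hosts the suspect host exchanged traffic with (the Event Artifacts view)."""
    return sorted({f.dst if f.src == host else f.src for f in flows if host in (f.src, f.dst)})


def external_traffic(flows, host):
    """Source/Destination Report view: total octets per external peer."""
    totals = {}
    for f in flows:
        if host not in (f.src, f.dst):
            continue
        peer = f.dst if f.src == host else f.src
        if is_external(peer):
            totals[peer] = totals.get(peer, 0) + f.octets
    return totals


def triage(detections, flows, host):
    """Combine the three workflow steps into one summary for an analyst."""
    return {
        "host": host,
        "classes": sorted({d.malware_class for d in alerting_detections(detections) if d.host == host}),
        "timeline": timeline(detections, host),
        "peers": peers(flows, host),
        "external": external_traffic(flows, host),
    }


# Constructed sample data: two hosts, one with repeated C2 scores and one
# below-threshold score, one with a single exploit-kit hit.
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_DETECTIONS = [
    Detection(T0, "10.1.2.3", "command and control", 93.5),
    Detection(T0 + timedelta(minutes=10), "10.1.2.3", "banking trojan", 42.0),  # below threshold
    Detection(T0 + timedelta(minutes=30), "10.1.2.3", "command and control", 91.0),
    Detection(T0 + timedelta(hours=2), "10.1.7.9", "exploit kit", 85.0),
]
SAMPLE_FLOWS = [
    Flow(T0 + timedelta(minutes=1), "10.1.2.3", "203.0.113.10", 443, 5120),
    Flow(T0 + timedelta(minutes=5), "10.1.2.3", "10.1.5.5", 445, 20000),
    Flow(T0 + timedelta(minutes=29), "10.1.2.3", "203.0.113.10", 443, 4096),
    Flow(T0 + timedelta(hours=2), "10.1.7.9", "198.51.100.7", 80, 1500),
]

if __name__ == "__main__":
    for suspect in ("10.1.2.3", "10.1.7.9"):
        print(triage(SAMPLE_DETECTIONS, SAMPLE_FLOWS, suspect))
```

Running the script reports the first host as an ongoing Event with one internal peer and 9216 octets to a single external address, and the second as an isolated observation; the below-threshold banking-trojan score never appears because it would not have produced an Event.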
Workflows
The following workflow(s) are examples of Plixer One Enterprise’s malware detections being used as starting points for investigating suspicious network activity: