A useful security product that offers a wide variety of interesting possibilities

GREYCORTEX MENDEL is a solution for detection, monitoring and analysis of advanced security incidents in network traffic. This solution is based on a combination of various types of detection technologies:

  • Intrusion Detection System (IDS), including Deep Packet Inspection (DPI)
  • Network Behavior Analysis (NBA); the analysis is based on the principles of artificial intelligence
  • Network Performance Monitoring (NPM) and Application Performance Monitoring (APM)
  • A tool for event correlation and risk assessment

During the initial design, the focus was on custom Advanced Security Network Metric (ASNM), large scale data mining based on artificial intelligence, and unique specialized algorithms providing detection of the entire scale of threats and anomalies. Immediate outcomes can be obtained via an intuitive user interface and user-defined reports. GREYCORTEX also brings a whole lot of other interesting options, e.g. for forensic purposes, it provides a complex and detailed overview and history of network traffic, behavior of users, network hosts, applications and services.

Data Sources

The main input is a network data from a mirror port on a backbone switch or a network tap. The NBA detectors are able to accept summarized data in the format of custom ASNM metrics or according to NetFlow v5/9 and IPFIX for IPv4 and IPv6. In addition to the network traffic, the product is able to identify identity context using the company’s LDAP or the Active Directory services. These technologies can also be used for user management and authentication.

Detection signatures dataset containing over 30,000 rules is obtained from external sources. IP address blacklists and their reputation (trustworthiness) are also obtained. These lists are regularly updated on an hourly or on a daily basis. This enables the tool to obtain information about generally known malware and about Command and Control (C&C) attack servers, sources of attack, and known botnets. Moreover, uses a list of known sources of spam, information about Tor[1] networks and about proxy servers as well as information about ownership and geographic position of the communicating hosts and domains.

ASNM protocol

The ASNM protocol is used to track over 70 attributes of each individual flow in the network. For each flow, it generates information about the source and the target, its duration, size of the data portion and packet counters. MENDEL also retrieves information about frequency spectrum and performance such as Application Response Time (ART), Round Trip Time (RTT), Jitter, and other.

The functions enabling the detection of anomalous and potentially undesirable behavior work similarly in NetFlow protocol; however, thanks to ANSM, they are more detailed and therefore more effective. Another difference consists in the ability to identify consistent bidirectional flows in the network. For application detection, a custom application protocol recognition mechanism similar to NBAR (Network-Based Application Recognition) standard used in Cisco devices is employed; the mechanism can recognize hundreds of protocols. The DPI technology enables extraction of metadata for almost 30 application protocols, even in tunneled traffic.

Detection mechanisms

The incident detection is based on two methods, first based on signatures (IDS) and anomaly detection (NBA) based on machine learning and artificial intelligence. The whole mechanism of learning consists in detailed modelling of the whole network on various levels. From models of the entire network to models of individual services of individual hosts and devices.

The application is continuously learning to distinguish characteristics of anomalous flows from the normal ones based on probability and statistical models without the need for decoding or decrypting the data. After installation into a network, it is necessary to let the application train itself in a new environment for at least a couple of hours. It gains the complete knowledge after approximately one week.

The following algorithms of machine learning are based on the ASNM protocol:

  • Selection of relevant individual metrics
  • Bayesian analysis based on learned probability of events
  • GMM/EM (Gaussian Mixture Models/Expectation-Maximisation) probability models

Probability based (Bayesian) modelling provides almost 1,000 parameters divided for each flow of a host in a network or subnetwork and its services provided locally or remotely. A separate model is created for each service of the host, network device, services aggregated on the network, subnetwork mask, state and ASN (Autonomous System Number).

Outputs

GREYCORTEX MENDEL enables the user to export the created events in various formats and send them via e-mail or to remote SIEM (Security Information and Event Management) servers for archiving or further processing. This makes it possible to generate alerts based on defined conditions and notifications about the detected anomalies. In this way, it is possible to create user configured reports containing text or graphic visualization of the detected events, network performance or applications and other data in the system. The messages can include a variety of adjustable elements including tables and graphs. The messages can be exported to standard document formats such as DOCX or PDF.

The e-mail system supports connection to standard e-mail servers with SMTP protocol and encrypted communication based on PGP (Pretty Good Privacy). The data exports can also be performed in preset intervals or during detection of a particularly important event. The tool also supports export to SIEM systems using Syslog, CEF format (Common Event Format) or IDEA (Intrusion Detection Extensible Alert). These messages can be previously configured and filtered according to the requirements of system integration.

It is possible to detect:

  • RAT Trojan horses (Remote Access Trojan) including C&C system activities
  • Zero-day type of vulnerabilities and exploitation of services
  • Malware on mobile and embedded devices
  • Long-term APT attacks (Advanced Persistent Threats)
  • Data leaks with DNS, SSH, HTTP(S), etc.
  • Tunneled traffic
  • Protocol anomalies indicating a long-term port scanning and other attacker activities
  • Masquerade attacks (the attacker pretends to be someone else), dictionary attacks and brute force attacks
  • Spam detection
  • Preparation for data theft and exfiltration (e.g. by employees)
  • Automated data harvesting
  • Data theft (e.g. from web applications)
  • Phishing attacks
  • Violation of internal security rules and policies
  • Faulty network settings
  • Network and application performance issues
  • Dos and DDoS attacks
  • New or unknown devices, e.g., of the BYOD type (Bring Your Own Device)

Data fusion and correlation techniques enable the detection of a wide spectrum of threats and activities. These techniques analyze the most interesting information about a particular network obtained through various detection mechanisms. It is possible to find event correlations, eliminate false positives and perform risk estimates. The system is also compatible with systems for risk categorization such as CVSS (Common Vulnerability Scoring System) or NIST Critical Infrastructure Cybersecurity Framework, etc.

Installation process

The application is supplied as a hardware appliance or as an installation ISO file for a virtual hypervisor. Depending on the mode of deployment, the appliance is supplied with 2, 4 or 8 network interfaces enabling the monitoring of the required number of source lines. The solution can be installed in a probe/collector configuration that enables monitoring geographically remote networks or as a cloud.

We tested the version 2.2.0 of the product at Karel Engliš College (VŠKE). For testing purposes, we selected the virtual deployment on the base of a fully functional 30-day demo. To ensure that the application runs correctly, it is necessary that the server includes a processor with at least 8 virtual cores, 32 GB of RAM, disk capacity of 500 GB and two network interfaces; VM-ESXi virtualization system was used. The installation went smoothly, without any issues.

Tabs for the individual configuration areas are placed well, they enable a quick transition to settings of monitored networks and policies (Policies tab), Detection mechanisms (Detection tab), notifications and exports (Exports tab), and authenticating mechanisms, users and their rights (Users tab). In the Network tab, there is a practical priority setting.

Use of the Tool

At first glance, working with GREYCORTEX is very pleasant, mainly thanks to the elaborate filtering options and user-configurable overview dashboards. The possibility of a quick display of the communication of each device and all its services was interesting for me. In particular, it is the security visibility and transparency network that the applications brings. The overview of incidents detected at the level of detection patterns is ideally complemented by incidents identified by NBA methods.

In the Detection tab, it is possible to display the defined blacklists and false alarms, set the NBA detection mechanisms and policies for IDS rules, create the necessary correlation rules, also capture and save network traffic on the basis of a defined filter into PCAP format files.

The Export tab allows to define exports; we at VŠKE use SIEM; therefore, the possibility of exporting the data into this system was interesting for us. However, we encountered an issue particularly relevant for schools; instead of one application we now need two: SIEM and GREYCORTEX.

Concluding Remarks

What particularly excites me about this product is the possibility to analyze incidents (we have quite a few of them in the student subnetwork) both from the point of view of their progress in time and in the smallest details. I also appreciate the elaborate elimination of false alarms. The documentation fulfills the basic criteria, but I believe it would be convenient to add some examples of typical settings. The product is still being developed and I am curious about what next the producer will come up with.

Doc. Ing. Jaroslav Dočkal, CSc.

Graduate of VDU Martin and VAAZ, currently the vice-dean of science and creative development at Karel Engliš College. He gives lectures at Masaryk University and University of Defence. He’ is also a lecturer at Cisco Academy, a tutor of HP and a member of DSM magazine editorial board.