New White Paper!

"Applying Neural Technology to Network Security"


To learn more about PWI enterprise security products, please visit the Privacyware web site.


Copyright © 2008 PWI, Inc.
All Rights Reserved


Frequently Asked Questions

Most common questions are answered below.  If you have any additional questions, send an email to info@pwicorp.com.


1.  What is it about ASE that leads you to call it a “breakthrough technology”?

2.  What does fuzzy clustering mean?  Where is it applied in ASE™?

3.  What do supervised and unsupervised learning mean?  Where are they applied in ASE™?

4.  What happens during the training period?

5.  How long is the training period?

6.  If ASE is in training mode on a server that’s already been compromised, are the baseline definitions it creates for normal and suspicious events corrupt?

7.  What types of data does ASE monitor and assess?

8.  After installing ASE, does the user continue to run existing security solutions such as firewalls, IDS and SIMs, or does ASE make them obsolete or redundant?

9.  Have you pre-configured any specific rules or documented any known threats?

10.  Does ASE actually prevent threats and intrusions?

11.  What are the technical requirements for installing and running ASE (i.e. operating system, software, processor, interfaces and amount of memory and disk space)?

12.  What interface is required to integrate ASE with other applications?

1.  What is it about ASE that leads you to call it a “breakthrough technology”?

ASE combines applied mathematical and cybernetic techniques so that a machine can analyze network security information much as an experienced system administrator would.  ASE organizes security-related information generated by any combination of data aggregation tools, appliances and applications.  This information is formed into rich multi-dimensional “event vectors”: sets of variables that can range from packet-level data sourced from firewalls to server- and application-level information. 

Applying fuzzy clustering algorithms, like events are arranged into logical multi-dimensional groups to form a baseline of normal and suspicious events (the meta-base).  Although fully automated, ASE lets system administrators pre-define event classifications and filters or apply them on the fly.  New events and event sequences are considered as they occur and compared with the current content of the meta-base.  On the basis of this comparison, and taking past experience into account, each event is classified, an appropriate mitigation policy is triggered and the meta-base can be updated. 

New events whose coordinates fall outside the boundaries of existing clusters are categorized automatically using kernel mode classifiers.  In response to alerts, or as required, the system administrator can override the automated classification of single or multiple events and manually initiate retraining and re-querying of the meta-base. 

2.  What does fuzzy clustering mean?  Where is it applied in ASE™?

Fuzzy clustering is built on and applied to fuzzy sets.  A fuzzy set is a mathematical object describing a collection whose members belong to it only to a degree.  Fuzzy set theory grew out of problems in pattern classification and cluster analysis.  In most real situations the question is not whether a given object is or is not a member of a class, but the degree to which the object belongs to the class; that amounts to saying that most classes in real situations are fuzzy in nature.  The fuzzy character of real-world classification problems sheds light on the general problem of decision making in both random and non-random environments.  Fuzzy set theory captures this degree of membership directly and so produces more accurate pattern classifications and cluster analyses than all-or-nothing membership.  In ASE, fuzzy clustering is applied in the event analysis and classification functions.
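
The following is an added example, not ASE code or any PWI algorithm, showing what the two answers above describe in working form: constructed three-variable event vectors are grouped by fuzzy c-means, a new event receives a degree of membership in every cluster rather than a yes/no label, an administrator names the clusters (the supervised step), and an event whose coordinates fall outside every cluster boundary is flagged as novel even when its membership in the nearest cluster is high.  The feature set, the training sample, the boundary rule (farthest training member times a slack factor) and the `MetaBase` class are all assumptions made for the illustration.

```python
"""Added example (not PWI/ASE code): fuzzy c-means over constructed event
vectors, giving each event a degree of membership in every cluster, plus a
boundary test that flags events lying outside all existing clusters."""
import math

# Constructed training sample, not captured telemetry. Each event vector is
# (requests per minute, share of 4xx/5xx responses, distinct URIs per minute),
# each already scaled to [0, 1] by an assumed upstream collector.
TRAINING_EVENTS = [
    (0.10, 0.02, 0.12), (0.12, 0.05, 0.10), (0.08, 0.03, 0.15),   # ordinary browsing
    (0.15, 0.04, 0.09), (0.11, 0.06, 0.13), (0.09, 0.02, 0.11),
    (0.88, 0.70, 0.92), (0.91, 0.75, 0.95), (0.85, 0.68, 0.90),   # URI scanner
    (0.93, 0.72, 0.97), (0.87, 0.74, 0.93),
]


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def memberships(point, centroids, m=2.0):
    """Fuzzy membership of `point` in each cluster; the degrees sum to 1.
    m > 1 is the fuzzifier: larger m blurs cluster boundaries further."""
    dists = [distance(point, c) for c in centroids]
    for j, d in enumerate(dists):
        if d == 0.0:  # sitting exactly on a centroid: full membership there
            return [1.0 if k == j else 0.0 for k in range(len(centroids))]
    power = 2.0 / (m - 1.0)
    return [1.0 / sum((dists[j] / dists[k]) ** power for k in range(len(dists)))
            for j in range(len(dists))]


def initial_centroids(points, clusters):
    """Farthest-point seeding: deterministic, and the seeds start far apart."""
    centroids = [list(points[0])]
    while len(centroids) < clusters:
        far = max(points, key=lambda p: min(distance(p, c) for c in centroids))
        centroids.append(list(far))
    return centroids


def fuzzy_c_means(points, clusters, m=2.0, tolerance=1e-6, max_iter=200):
    """Bezdek's fuzzy c-means. Returns (centroids, membership row per point)."""
    centroids = initial_centroids(points, clusters)
    u = [memberships(p, centroids, m) for p in points]
    dim = len(points[0])
    for _ in range(max_iter):
        centroids = []
        for j in range(clusters):
            weights = [row[j] ** m for row in u]   # membership-weighted mean
            total = sum(weights)
            centroids.append([sum(w * p[d] for w, p in zip(weights, points)) / total
                              for d in range(dim)])
        new_u = [memberships(p, centroids, m) for p in points]
        shift = max(abs(a - b) for ra, rb in zip(new_u, u) for a, b in zip(ra, rb))
        u = new_u
        if shift < tolerance:
            break
    return centroids, u


class MetaBase:
    """Baseline clusters, each with a boundary radius and an administrator label."""

    def __init__(self, points, clusters=2, slack=1.5):
        self.centroids, rows = fuzzy_c_means(points, clusters)
        self.labels = ["unclassified"] * clusters
        # Boundary = farthest training member (by dominant membership) times slack.
        self.radius = [0.0] * clusters
        for p, row in zip(points, rows):
            j = max(range(clusters), key=row.__getitem__)
            self.radius[j] = max(self.radius[j], slack * distance(p, self.centroids[j]))

    def label_cluster_of(self, example, name):
        """Supervised step: an administrator names the cluster an example falls in."""
        self.labels[self.classify(example)["cluster"]] = name

    def classify(self, event):
        u = memberships(event, self.centroids)
        j = max(range(len(u)), key=u.__getitem__)
        outside = distance(event, self.centroids[j]) > self.radius[j]
        return {"cluster": j, "degree": u[j], "outside": outside,
                "label": "novel" if outside else self.labels[j]}


def build_meta_base():
    mb = MetaBase(TRAINING_EVENTS)
    mb.label_cluster_of((0.10, 0.02, 0.12), "normal browsing")
    mb.label_cluster_of((0.90, 0.72, 0.94), "uri scanner")
    return mb


if __name__ == "__main__":
    mb = build_meta_base()
    for ev in [(0.11, 0.03, 0.12), (0.90, 0.71, 0.94), (0.30, 0.10, 0.20)]:
        print(ev, mb.classify(ev))
```

The third event printed by the usage block is the case worth noticing: its membership in the "normal browsing" cluster is above 0.9, because it is far closer to that centroid than to the scanner one, yet it lies well outside the radius of any training member, so the boundary test reports it as novel rather than silently assigning it to the nearest cluster.  Membership degree says which baseline an event resembles most; the boundary check says whether it resembles any of them enough to inherit that label.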

3.  What do you mean by supervised and unsupervised learning?  Where are they applied in ASE?

Supervised learning is learning from examples whose classification has been supplied: in ASE, events and clusters that an administrator has labelled, filtered or overridden.  Unsupervised learning is learning from unlabelled data, where the application finds the structure on its own: in ASE, the clustering of incoming events into the meta-base without human intervention.  Both are applied as ASE analyzes and then classifies new events.  

4.  What happens during the training period?

ASE is a self-learning (adaptive) system that analyzes and categorizes security event data.  The data is represented as rich multi-dimensional vectors composed of weighted variables.  The variables are sourced, in any combination, from the server request/response cycle and from the output of security technologies such as firewalls, IDS and SIM applications.  ASE establishes its baseline view of normal and suspicious events during the initial training period.  When ASE is placed in monitor mode, training continues as "continuing education": the baseline is refined as new events arrive rather than frozen. 

5.  How long is the training period?

ASE is always learning and training itself.  The initial training phase begins when ASE is first installed and can be configured to span minutes or days.  Its duration depends on the characteristics of the environment ASE is monitoring and on related factors such as processor speed, memory and an estimate of the number of unique events needed to establish the baseline database.  While in monitoring mode, retraining can be initiated manually or scheduled to run automatically, as designated by the system administrator.

6.  If ASE is in training mode on a server that’s already been compromised, are the baseline definitions it creates for normal and suspicious events corrupt?

This is possible.  ASE reduces the risk by filtering the events captured during the initial training phase against an extensive knowledgebase of commonly known and previously detected threats, and the system administrator can also configure exceptions and specific rules by hand.  The filter can only remove activity that is already known, however: traffic from an undocumented compromise present during training would be learned as normal.  Train on a host believed to be clean where possible, and review the baseline classifications (overriding and retraining as described above) before switching to monitor mode.

7.  What types of data does ASE monitor and assess?

The open data model that ASE employs allows it to accept and process data from a wide range of security and network monitoring applications and devices.  Non-network security data from devices such as card readers and scanners can also be integrated into the ASE data model.

8.  After installing ASE, does the user continue to run existing security solutions such as firewalls, IDS and SIMs, or does ASE make them obsolete or redundant?

ASE is complementary to these technologies and enhances the investment made in them by making the data they collect work harder to produce actionable intelligence.  ASE can detect and block attacks that arrive over ports a firewall must leave open, such as attacks on a web server over port 80 (HTTP), which pass a port-filtering firewall because the port itself is permitted.  ASE can also be used to monitor “internal” activity that occurs behind the firewall and out of the “line of sight” of typical NIDS and HIDS tools. 

9.  Have you pre-configured any specific rules or documented any known threats?

ASE does not depend on rules, signatures or policies to detect threats; detection comes from comparing events with the learned meta-base.  It does, however, use a comprehensive knowledgebase of known intrusion profiles and related vulnerabilities during the training phase to augment the creation of the baseline database and to filter known attacks out of it, and administrators can add their own event classifications and filters.   

10.  Does ASE actually prevent threats and intrusions?

The feature that differentiates ASE from other solutions is its effectiveness at detecting known and, most importantly, undocumented threats.  ASE can be configured to initiate preventive and defensive actions to thwart intrusion attempts, by issuing alerts and executing other user-configurable actions; whether an intrusion is actually blocked therefore depends on the actions the administrator configures.

11.  What are the technical requirements for installing and running ASE (i.e. operating system, software, processor, interfaces and amount of memory and disk space)?

ASE runs on Windows 2000 Server or Windows .NET Server (the pre-release name of Windows Server 2003).  ASE is coded in C++ and requires a standard Intel processor (> 700 MHz), a minimum of 64 MB of RAM and at least 100 MB of free disk space.  The ASE footprint depends on the particular environment and on the amount and complexity of the data being analyzed; the number and size of stored event records can be controlled by the ASE administrator.  For standard configurations the footprint is small and needs no additional processing speed or memory.  ASE uses specialized algorithms to optimize the comparative analysis function, delivering high performance without additional hardware.  

12.  What interface is required to integrate ASE with other applications?

ASE is a modular set of DLLs and is integrated via a published API.