Detecting hidden attack code at line speed
A key component of the Cayuga Networks Decisis™ detection engine, Code Flow Analysis™ (CFA) technology inspects inbound network traffic and sessions for indications of obfuscated attack code. When the engine sees potential code snippets flowing towards a web server, CFA determines if it represents valid code, and if so, in which language it is written.
Easier said than done — how CFA detects bad traffic at web speed
Decisis starts with a null hypothesis. In other words, it operates on the assumption that any potential snippet of code detected is not code. CFA analyzes the grammar of the snippet across multiple languages—in parallel across the whole packet stream at web speed—to identify the likely language and verify that the transitions are grammatically allowed in the observed language.
Then using Bayesian Inference, CFA adds this observed data on each incremental snippet in the stream to update the probability distribution of whether or not the null hypothesis is still correct—i.e., is it or isn’t it valid code. The detection engine’s Sifter, then looks for evidence in the response to verify that an attacker has targeted this code at a real vulnerability in the web application layer attack surface.
If Decisis rejects the null hypothesis, it sets the attack detection anomaly score to high and alerts the threat experts at Cayuga Central. This elevation triggers an active investigation to determine if the suspicious code flow represents a material threat by automatically replaying it in a sandboxed detonation chamber, or by analyzing it manually.