Overview

The increasing use of encryption for malware and other malicious attacks is challenging the effectiveness of cybersecurity products. To solve the problem, there is a need for embedded traffic intelligence that can identify and classify encrypted and evasive traffic.

Available as a software development kit for embedded use in cybersecurity products, the Enea Qosmos ixEngine is the most widely deployed traffic classification engine in cybersecurity and networking. It delivers crucial intelligence about encrypted traffic flowing across a network and extracts detailed information about traffic using evasive techniques.

Enea Qosmos Deep Packet Inspection (DPI)-based software analyzes the data packets of traffic flows in real time, up to the application level. It immediately detects suspicious activity and raises the alert to possible threats. This granular visibility enables security solutions to accurately map traffic flows, understand network activity and immediately identify suspicious behavior, raising the speed and effectiveness of malware detection.

To maximize visibility into encrypted traffic, Qosmos ixEngine version 5 uses a combination of advanced techniques:
• Handshake Analysis: Extraction of metadata in handshake messages that remain clear
• Binary Pattern Analysis: Detection & matching of binary patterns against known applications and services
• Statistical Analysis: Packet and flow characteristics using custom models
• Behavioral Analysis: Encrypted session behavior versus characteristic protocol behaviors
• DNS Cache Analysis: Identification of mismatches between cache what the final resolution reveals

For detection and classification of evasive traffic (encrypted or not), the following techniques are used:
• Session Correlation: Regrouping and analysis of flows belonging to the same applications, clients & hosts
• Public IP/Port-Based Classification: Identification of discrepancies between traffic behavior and well-known apps/services, FQDNs, ports & publicly routable IP subnets
• Deep File Inspection: Packet reassembly, file type detection (280+), MIME type and file extension consistency check, and file hash computation
• Cryptocurrency Analysis: Multi-layered analytics to detect and classify cryptocurrencies and mining pools