Features
Intelligence
Plays Well With Others
The active components of the SNF scanning engine adapt to load conditions in order to maintain optimal throughput without starving other processes on the system. In addition, SNF's fully multi-threaded engine is highly optimized to make the most efficient use of the available computing power, whether that is a single processor core or a large multi-processor system. Load-sensing, lowest-queue-first job allocation ensures that all available processors are used when needed and only one processor is used when that will suffice. Natural spiral timing dynamics ensure that polling operations are kept efficient while preventing processing delays.
Real-Time Collaborative Learning
The GBUdb IP reputation system captures real-time data on IP behavior and shares that information with all other SNF nodes in the world. All GBUdb nodes work together and compare notes on message sources by sharing their experiences.
Each node maintains its own purpose-built database in memory while storing periodic snapshots for reporting and restart recovery. This provides each SNF node with direct real-time access to IP reputation statistics without performing expensive per-message queries over the network.
SNF is also smart about sharing GBUdb data: each node only talks about the most relevant information, and only asks about IPs it is dealing with locally. As a result the exchanges between GBUdb nodes are short, efficient and powerful.
Unlike most conventional IP reputation systems, GBUdb is not a one-size-fits-all solution! In addition to sharing GBUdb data with the other SNF nodes in the network, each SNF node maintains its own personality and perspective. This allows each SNF node to develop its own localized behaviors. Sources that send nothing but spam to one system are blocked there even while being allowed through on other systems that receive regular legitimate mail from the same source.
Automated Training Tools
The sad truth these days is that most ISPs send out more than 90% spam! There are many reasons for this but whatever the reasons this unfortunate fact means that IP reputation systems have a difficult time distinguishing between good and bad message sources accurately. All of the messages travelling through these ISPs, no matter what their original source, appear to be coming from the ISP's servers.
When you use the connecting IP to evaluate a message from one of these sources, you are actually averaging together all of the legitimate and illegitimate traffic from that ISP; that is a very noisy (inaccurate) signal.
SNF includes two automated training tools that help see past this problem and dramatically improve the accuracy of the GBUdb IP reputation system.
Drilldown
The drilldown feature allows SNF to use pattern matches on trusted Received: headers to automatically add GBUdb Ignore flags for ISP servers. You simply enter known, trusted reverse-DNS data that is added by your system for ISP sources, and SNF will follow the trusted chain of Received: headers through the message to locate the original source.
The effect is that the ISP's equipment becomes known as infrastructure and becomes transparent. The original message source is then selected as the source for the message. As a result, GBUdb can accurately score the original IP source for the messages going through that ISP instead of working with averaged statistics for the ISP's servers.
Messages coming from bots that send through the ISP are then attributed to the bots while legitimate messages being sent through the ISP by legitimate sources are attributed to those legitimate sources.
Source-Header
Unfortunately, some ISPs don't preserve the Received: header chain. Luckily those ISPs do sometimes add headers that identify the original source for the message. In these cases, SNF has a feature to use these special headers when determining the message source.
In order to prevent forgery, the Source-Header feature is only activated when the correct pattern is identified in the top (trusted) Received: header.
The result is that when a message arrives from one of these ISPs, the source IP for the message is extracted from the special header, and so GBUdb can then train on and score the message using that original source.
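Both features above, as an added example that is not SNF's own code: a drilldown that walks the Received: chain past trusted ISP relays, and a Source-Header lookup that is honoured only when the top (locally added) Received: header proves the ISP relayed the message. The rDNS patterns, the X-Originating-IP header name and the sample messages are constructed assumptions, not SNF configuration or real ISP data.

```python
import re

# Constructed sample: top Received: line added by our own MTA, next two by the ISP's
# relays, then the real origin; the last line is spammer-injected (made-up names/IPs).
DRILLDOWN_MSG = [
    "Received: from relay2.isp.example (relay2.isp.example [198.51.100.2]) by mx.ours.example",
    "Received: from relay1.isp.example (relay1.isp.example [198.51.100.1]) by relay2.isp.example",
    "Received: from host9.dsl.example (host9.dsl.example [203.0.113.9]) by relay1.isp.example",
    "Received: from forged.example (forged.example [192.0.2.1]) by host9.dsl.example",
]
# Constructed sample: this ISP drops the chain but adds an origin header of its own.
SOURCE_HDR_MSG = [
    "Received: from mta1.webmail.example (mta1.webmail.example [198.51.100.7]) by mx.ours.example",
    "X-Originating-IP: [203.0.113.42]",
]

# Hypothetical configuration: trusted ISP rDNS patterns, and Source-Header rules mapping a
# trigger pattern (matched against the top Received: rDNS) to the header carrying the origin IP.
TRUSTED_RDNS = [re.compile(r"^relay\d+\.isp\.example$")]
SOURCE_HEADER_RULES = [(re.compile(r"^mta\d+\.webmail\.example$"), "x-originating-ip")]

RECEIVED_RE = re.compile(r"^Received: from \S+ \((?:(?P<rdns>[\w.-]+) )?\[(?P<ip>[\d.]+)\]\)")

def parse_received(header):
    """Return (rdns, ip) from a Received: line, or None; rdns is '' if the MTA recorded none."""
    m = RECEIVED_RE.match(header)
    return ((m.group("rdns") or ""), m.group("ip")) if m else None

def drilldown(headers):
    """Walk Received: lines top-down, treating trusted ISP relays as transparent infrastructure."""
    source = None
    for h in (x for x in headers if x.startswith("Received:")):
        parsed = parse_received(h)
        if parsed is None:
            break                 # unparsable hop: keep the last hop we could verify
        rdns, source = parsed
        if not any(p.match(rdns) for p in TRUSTED_RDNS):
            break                 # first untrusted hop is the origin; deeper lines are never trusted
    return source

def source_header(headers):
    """Use an ISP origin header only when the top (trusted) Received: line matches its trigger."""
    top = next((parse_received(h) for h in headers if h.startswith("Received:")), None)
    for trigger, name in SOURCE_HEADER_RULES:
        if top and trigger.match(top[0]):
            for h in headers:
                if h.lower().startswith(name + ":"):
                    m = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", h)
                    return m.group(0) if m else None
    return None
```

Note that the forged Received: line in the first sample is never reached, because the walk stops at the first hop that is not trusted infrastructure, and an X-Originating-IP header is ignored whenever the top header was not written by the ISP that is supposed to add it.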
The Bigger Brain
Message Sniffer is built on a foundation of self organizing, collaborative learning systems. Each SNF node contributes information about its experiences (statistics, observations, performance data, and partial analysis); and each SNF node benefits from the experiences of the others. The whole is larger than the sum of its parts.
Virtual Spamtrap Network
Each SNF node acts as part of our Virtual Spamtrap Network. Unlike conventional honey-pots and spam trap networks our VSN does not depend on specific email addresses that must be cultivated and might be avoided or poisoned by blackhats.
Instead, our network carefully identifies and samples new spam content delivered from known spam sources no matter where those messages might be going! Without any specific spamtrap addresses to wash from their delivery lists, there is nowhere for the botnets to hide. (This feature can be disabled if there are security concerns.)
Realtime Behavior Analysis
Each SNF node provides real-time telemetry on the performance of each pattern matching rule and the observed behavior of individual message sources (IPs). This allows us to optimize the rulebase and IP reputation systems in real-time while building high-resolution data sets that can be used to generate new attack-response models and tools to take advantage of that new knowledge.
Realtime Spam-Storm Detection
GBUdb and pattern-rule matching rates can be used to generate extremely accurate "storm-sign" signals for each SNF node. This storm detection system can be used to change local response parameters when a system is under stress and allow us to focus attention on systems that are showing unusual activity in real-time.
However, the SNF "brain" is still bigger than that -- There are also specialized systems that interact with this shared consciousness by extracting specialized information and injecting new knowledge.
One example of this is our wavefront detection system which can detect larger features in the IP behavior data, cross-reference that with pattern matching information, and detect new spam delivery patterns as they develop. This ability to see "the bigger picture" and use that data to inform the GBUdb and rule production systems improves the larger systems' ability to respond quickly and accurately to new and evolving threats.
In addition to the SNF nodes that our customers are directly familiar with, the SNF system consists of a growing number of collaborating components ranging from new bots that seek out interesting features in delivery behaviors and new patterns in unwanted messages, to improved training systems, instrumentation, and automated tools that help our people to see more clearly, respond more effectively, and plan ahead with greater precision and purpose.
