
Behavior-Based Features


Email Anomaly Detection             

This feature tracks outbound email delivery behavior and provides alerts if there is unusual outbound email activity. The Email Anomaly Detection Engine is based on the specific behavior of each computer's email activity over a period of time called the 'Training Period', which can be set to 7, 14, or 28 days within the Settings Menu. To initiate training, the 'Enable Detection' checkbox must be selected. The Anomaly Detection Engine will start immediately after the end of the training period. You can also view the training statistics during or after the training period (see screenshot).


 


Email Anomaly Detection Alerts
There are several different alerts that may be displayed based on the type and amount of emails delivered within a certain period of time.  If there is an alert and the nature of the unusual email activity is unknown, it may be prudent to select the 'Block delivery' checkbox within the alerts to make sure there are no worms or viruses causing the activity.  Once the nature of the activity has been determined to be safe, the 'Block all outbound Email' option should be deselected from the settings menu or from the Menu Toolbar (see below).
 

       Allow Delivery        Block Delivery  
NOTE: Privatefirewall will display the Tray Alert for 30 seconds. If no action is taken, the alert will expire and the activity will be Allowed.

Click 'Details/Options' in the Tray Alert to display an expanded Alert (see below), which contains more detailed information about the suspicious activity.


 



System Anomaly Detection
                                                                     

The System Anomaly Detection layer analyzes the normal use patterns of running applications and generates alerts as it detects unusual activity. The System Anomaly Detection Engine applies a sophisticated algorithm to establish a baseline of normal use based on several system variables such as CPU utilization, thread count, and others. These variables are monitored over a specific period of time, called the 'Training Period', which can be set to 7, 14, or 28 days within the Main Menu (the default period is 7 days). The 'Enable Detection' checkbox must be selected for Training to be active. Training is enabled by default and commences immediately upon installation.
 

When the "Require User Approval for Each Alert" box is selected, the user must make a determination on each event that generates an alert. An on-screen alert (see below) will be displayed immediately as potential threats are detected. The alert provides event details and threat management options. Tray alerts will not be displayed when this option is selected.

Sensitivity Threshold: The Privatefirewall System Anomaly Detection layer generates alerts as it detects system activity that deviates from normal. The sensitivity that Privatefirewall applies to system anomaly detection can be tuned by adjusting the Sensitivity Threshold. Decreasing the threshold increases the sensitivity, meaning that smaller deviations will generate alerts. Increasing the threshold will allow greater variance from normal activity. By default, the System Anomaly Detection Sensitivity Threshold is set to 60%. In simple terms, activity deviating more than 60% from normal will generate an alert.
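The sketch below is an added illustration of how a training baseline and a percentage threshold interact; it is not Privatefirewall's code, and the product's actual algorithm is not described on this page. It assumes the baseline is the mean of each variable over the training period and that deviation is measured relative to that mean; the function names, metric names and sample values are constructed for the example.

```python
from statistics import mean

TRAINING_PERIODS = (7, 14, 28)   # day options listed on the page
DEFAULT_THRESHOLD = 60.0         # percent; the page's default setting

def build_baseline(samples, training_days=7):
    """samples: (day, process, metric, value) tuples. Returns per-metric means."""
    if training_days not in TRAINING_PERIODS:
        raise ValueError("training period must be 7, 14 or 28 days")
    grouped = {}
    for day, process, metric, value in samples:
        if day < training_days:  # only samples inside the training period count
            grouped.setdefault((process, metric), []).append(value)
    return {key: mean(values) for key, values in grouped.items()}

def deviation_percent(normal, observed):
    """Relative deviation from the baseline value, in percent."""
    if normal == 0:
        return 0.0 if observed == 0 else float("inf")
    return abs(observed - normal) / normal * 100.0

def check(baseline, process, metric, observed, threshold=DEFAULT_THRESHOLD):
    """Return an alert dict when the deviation exceeds the threshold, else None."""
    key = (process, metric)
    if key not in baseline:
        # Assumption: activity never seen during training is always reported.
        return {"process": process, "metric": metric, "deviation": None}
    deviation = deviation_percent(baseline[key], observed)
    if deviation > threshold:
        return {"process": process, "metric": metric, "deviation": deviation}
    return None

# Constructed training data: seven daily samples for one process.
THREADS = [20, 22, 18, 20, 21, 19, 20]
CPU = [4.0, 6.0, 5.0, 5.0, 4.0, 6.0, 5.0]
SAMPLES = [(d, "services.exe", "thread_count", v) for d, v in enumerate(THREADS)]
SAMPLES += [(d, "services.exe", "cpu_percent", v) for d, v in enumerate(CPU)]
BASELINE = build_baseline(SAMPLES, training_days=7)

if __name__ == "__main__":
    for threshold in (60.0, 40.0):
        alert = check(BASELINE, "services.exe", "thread_count", 30, threshold)
        print(f"threshold {threshold}%: {'alert' if alert else 'no alert'}")
```

With a baseline of 20 threads, an observation of 30 is a 50% deviation: it passes silently at the default 60% threshold and alerts once the threshold is lowered to 40%.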


Selecting the Training Statistics button will display the System behavior data collected during training.  These may be viewed during or after the Training period (see screenshot).


 

The Anomaly Detection Engine will start immediately after the end of the training period, and will generate an alert whenever there is any activity that is not consistent with system use patterns established during the training period.  If there is an alert and the nature of the activity is unknown, it may be prudent to select 'Details/Options' on the tray alert to see more detailed information.


 NOTE: Privatefirewall will display a Tray Alert for 30 seconds. If no action is taken, the alert will expire and the activity will be Allowed.

Click 'Details/Options' in the Tray Alert to display an expanded Alert (see below), which contains more detailed information about the suspicious activity and additional threat management options.  If the 'Require user approval for each alert' box is checked in the settings menu, the expanded Alert will appear automatically and no tray alerts will be displayed.  If the ‘Web Search’ link is selected, a search containing the executable filename ('services.exe' in the alert below) will be performed in your default browser.

 



 

 
 

 

©1999-2010 PWI, Inc. All rights reserved. Privacy policy

