We like to describe netDeFlect, our anomaly detection solution, as proactive. However, you might ask, how can detection be proactive? After all, detection by definition takes place as or after something happens. Being proactive, however, implies that something is done before an event takes place. The dictionary definition of proactive (according to dictionary.com) is:
pro·ac·tive or pro-ac·tive
adj.
Acting in advance to deal with an expected difficulty; anticipatory...
Clearly, therefore, detection cannot be proactive.
In our case, though, the word proactive does not refer to the actual detection of an anomaly. As good as it is, even netDeFlect cannot detect an anomaly before it happens, of course. Our research department is always working on great new technologies to add to our products, but the ability to see into the future has not been implemented yet.
In the context of netDeFlect, the word proactive means several things:
- The solution continuously adapts autonomously and does not require ongoing maintenance or continuous uploading of updated signatures. In other words, no specific action needs to be taken before an anomaly takes place. Without updates or ongoing maintenance and configuration, netDeFlect is always ready to detect a wide variety of network anomalies. In that respect, netDeFlect is proactive: it constantly adapts its detection mechanisms to the current network conditions. This process is always ongoing, independent of the presence of any anomalies. Therefore, netDeFlect actively adapts. It acts in advance (constant adaptation) to deal with an expected difficulty (a network anomaly). This, of course, matches the dictionary definition of proactive. As a result, even previously unknown types of anomalies (zero-day) can be detected, analyzed and characterized.
- But netDeFlect is not the only thing that becomes proactive. The network operators and organizations that utilize netDeFlect can now become proactive in their response to security incidents as well. Rather than waiting for a DDoS attack or a worm to take down servers, routers, or the entire network, they can now start to mitigate the anomaly before this happens. For example, netDeFlect can detect worm outbreaks or DDoS attacks within seconds. Also within seconds, the anomaly has been characterized and signatures have been extracted from the observed packets, so the anomalous traffic can be filtered. From detection to successful mitigation, only seconds will have elapsed. So the network operators proactively shut down the anomaly before it can bring down the network or the servers, or before a worm can infect a large number of hosts.
The detection of something can never be proactive. But as we can see, the way netDeFlect operates certainly is proactive, and so are the new capabilities that it provides to network operators.
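To make the two points above concrete, here is an added example (not netDeFlect code, whose internals this post does not describe) of the pipeline they sketch: a baseline that adapts continuously without any signature feed, an alarm when traffic departs from it, and a filter signature extracted from the packets seen during the alarm. The EWMA threshold, the packet fields and the constructed trace are all assumptions for illustration.

```python
"""Adaptive-baseline detection with signature extraction (illustrative)."""
from collections import Counter, namedtuple

Pkt = namedtuple("Pkt", "t src dst dport")  # assumed minimal packet record

def ewma_baseline(counts, alpha=0.1, k=4.0, warmup=10):
    """Return [(second, count, is_anomaly)]. Mean/variance are re-estimated
    every second (EWMA), so the baseline follows normal drift with no
    operator updates; a second is flagged when count > mean + k*std."""
    mean = var = None
    out = []
    for t, c in enumerate(counts):
        if mean is None:
            mean, var = float(c), 0.0
        # std floored at 1.0 so a very quiet link does not alarm on noise
        anomalous = t >= warmup and c > mean + k * max(var ** 0.5, 1.0)
        out.append((t, c, anomalous))
        if not anomalous:  # flagged seconds must not pollute the baseline
            diff = c - mean
            mean += alpha * diff
            var = (1 - alpha) * (var + alpha * diff * diff)
    return out

def extract_signature(pkts, anomalous_seconds, min_share=0.8):
    """Characterize the anomaly: the (dst, dport) pair dominating traffic
    during flagged seconds becomes the candidate filter signature."""
    sel = [p for p in pkts if p.t in anomalous_seconds]
    if not sel:
        return None
    (key, n), = Counter((p.dst, p.dport) for p in sel).most_common(1)
    return key if n / len(sel) >= min_share else None

def build_sample():
    """Constructed trace: 20 s of mixed normal traffic (~10-12 pkt/s), then a
    5 s flood from many sources towards one host and port."""
    pkts = []
    for t in range(25):
        for i in range(10 + t % 3):  # normal load, slightly varying
            pkts.append(Pkt(t, f"10.0.{i}.1", f"10.1.0.{i % 4}", 80 + i % 2))
        if t >= 20:  # the flood
            for i in range(200):
                pkts.append(Pkt(t, f"198.51.100.{i % 250}", "10.1.0.9", 53))
    return pkts

def run(pkts):
    """Detect flagged seconds and extract the signature for them."""
    per_sec = Counter(p.t for p in pkts)
    series = [per_sec[t] for t in range(max(per_sec) + 1)]
    flagged = {t for t, _, a in ewma_baseline(series) if a}
    return flagged, extract_signature(pkts, flagged)
```

On the constructed trace the flood seconds 20-24 are flagged and the extracted signature is the pair ("10.1.0.9", 53), which an operator could turn into a filter rule.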
Juergen
Do you remember what you were doing 3 years ago on the same date as today?
Posted by: | September 21, 2009 at 04:01 AM