Analysis Methods Performed by Sensors

The Sensor performs multiple layers of analysis in real time:

  • Signature-Based Detection: Traditional Suricata rules (ET Pro + custom) with fast_pattern and rich metadata.
  • Machine Learning-Based Anomaly Detection: Random Cut Forests, Isolation Forests (and evaluated alternatives) on protocol features (DNS entropy/volume, HTTP UA anomalies, TLS handshake timing) as well as netflow statistics.
  • Behavioral Anomaly Detection: RisingWave materialized views that maintain per-host and per-flow behavioral baselines for behavior-based detection.
  • Statistical Anomaly Detection: Netflow analysis for exfiltration (bytes out/in ratio) and long-duration connections.
  • Protocol Anomaly Detection: Malformed packets, unusual handshake timing, ALPN mismatches.
  • High-Fidelity Threat Intelligence: Real-time matching against C2, TI, and OSINT feeds (IPs, domains, URLs, hashes).
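As an added illustration of the statistical netflow checks listed above (bytes out/in ratio and long-duration connections), the following Python sketch is example code written for this page, not the Sensor's own implementation. The flow records, thresholds and field names are constructed assumptions; a real deployment would tune the thresholds per network and evaluate them over a sliding window rather than a single batch.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Flow:
    """One bidirectional netflow record (constructed schema, not the Sensor's)."""
    src: str
    dst: str
    dst_port: int
    bytes_out: int     # client -> server (egress from the monitored host)
    bytes_in: int      # server -> client
    duration_s: float  # wall-clock lifetime of the connection


# Constructed sample records: one large upload, one normal download,
# one long-lived low-volume session, one ordinary short web request.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.0.5", "203.0.113.10", 443, 52_000_000, 20_000, 240.0),
    Flow("10.0.0.5", "198.51.100.7", 443, 150_000, 2_400_000, 30.0),
    Flow("10.0.0.9", "203.0.113.22", 8443, 4_000, 3_500, 9_000.0),
    Flow("10.0.0.9", "198.51.100.9", 80, 1_200, 30_000, 2.0),
]


def egress_ratio(flow: Flow) -> float:
    """bytes out / bytes in; guard against division by zero on one-way flows."""
    return flow.bytes_out / max(flow.bytes_in, 1)


def detect_exfiltration(flows: List[Flow],
                        ratio_threshold: float = 20.0,
                        min_bytes_out: int = 10_000_000) -> List[dict]:
    """Flag flows whose upload volume dwarfs the download volume.

    The absolute-volume floor keeps tiny DNS-sized flows from tripping the
    ratio test; both thresholds are assumptions for this example.
    """
    alerts = []
    for f in flows:
        ratio = egress_ratio(f)
        if f.bytes_out >= min_bytes_out and ratio >= ratio_threshold:
            alerts.append({"rule": "egress_ratio", "src": f.src, "dst": f.dst,
                           "ratio": round(ratio, 1), "bytes_out": f.bytes_out})
    return alerts


def detect_long_connections(flows: List[Flow],
                            min_duration_s: float = 3600.0) -> List[dict]:
    """Flag connections that stay open far longer than typical sessions
    (a common shape for beaconing or persistent tunnels)."""
    return [{"rule": "long_duration", "src": f.src, "dst": f.dst,
             "duration_s": f.duration_s}
            for f in flows if f.duration_s >= min_duration_s]


def aggregate_egress(flows: List[Flow]) -> Dict[str, int]:
    """Total bytes sent per source host, so low-and-slow exfiltration spread
    over many small flows still shows up in a per-host view."""
    totals: Dict[str, int] = {}
    for f in flows:
        totals[f.src] = totals.get(f.src, 0) + f.bytes_out
    return totals


if __name__ == "__main__":
    for alert in detect_exfiltration(SAMPLE_FLOWS) + detect_long_connections(SAMPLE_FLOWS):
        print(alert)
    print(aggregate_egress(SAMPLE_FLOWS))
```

The two detectors are deliberately independent so that each can be tuned and suppressed on its own; the per-host aggregate is what a materialized view would keep current in a streaming setup.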

Encrypted Traffic Analysis (performed even without decryption keys):

  • Statistical analysis of netflow (packet/byte ratios, inter-packet timing).
  • TLS certificate analysis (validity period, subject/issuer anomalies, chain length).
  • IP analysis and matching to threat intelligence (suspicious ASNs, countries, known C2 infrastructure).
  • JA3 and JA4 fingerprinting of client and server TLS parameters.