Unknown Virus Detection and Alerting

Proactive, intelligent analytics give you a real chance to stave off unknown risks.

Challenges

In 2017, the devastating ransomware “WannaCry” hit more than 100 countries and regions across the globe. Hundreds of thousands of computers in government sectors, education, hospitals, energy, communications, manufacturing, and many other industries were seriously infected.
Ever-evolving ransomware and new malware have exposed the weaknesses of legacy signature- or pattern-based detection. Because such methods cannot be updated in time to block zero-day attacks and have low detection accuracy, they are no longer an effective means of detecting and defending against emerging unknown viruses.

Ravaging ransomware

Frequent emergence of new viruses

Ineffective traditional detection approaches

Improved defense technologies

Solutions

Early

Security vulnerability alerting and system reinforcement

Raises timely alerts on new viruses that describe the attack process, the vulnerability the attack attempts to exploit, and how to tackle it, and assists customers with network troubleshooting, system patching and upgrades, infection detection, and virus removal.

Real-Time

Unknown Virus Detection and Analytics

Use anomaly monitoring, threat intelligence, correlation analytics, and other advanced technologies to scan for unknown viruses in real time and locate them accurately, so that they can be treated promptly and effectively.

Proactive

Unknown virus response and handling

Leverage provenance tracking, graph analysis, and machine learning algorithms to rapidly locate the source of infection by unknown viruses and block, intercept, or clear them up using security equipment interworking and expert rule-based emergency treatment.

Security Vulnerability Alerting and System Reinforcement

The HanSight security analytics team raises alerts to industry customers on the latest virus attacks, including the attack process, the vulnerability the attack attempts to exploit, and how to tackle it.

Based on these security alerts, the HanSight first-line security team assists customers with network forensics, system patching and upgrades, infection detection, and virus removal.

Real-Time Unknown Virus Detection and Analytics

Unknown virus detection by network anomaly

Establish network anomaly monitoring models for particular protocols and ports, such as SMB (445) and RDP (3389), and determine whether an unknown virus intrusion is occurring from the status of the relevant ports, IP addresses, and protocols.

Parse and analyze network traffic to build traffic monitoring models for the traffic related to specific ports, protocols, or assets, and, when an anomalous traffic peak appears, determine whether an unknown virus intrusion is occurring by comparing the peak value against the historical data.
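As an added example (not HanSight's code), the port-based model described above run over constructed flow records: a source that fans out to far more distinct hosts on SMB (445) or RDP (3389) in one time window than its own history allows is flagged, while a server with a high historical baseline is not. The flow tuple format, the IP addresses and the baseline counts are all assumptions constructed for the illustration.

```python
# Added example: fan-out on watched ports compared with per-source history.
from collections import defaultdict
from statistics import mean, pstdev

MONITORED_PORTS = {445: "SMB", 3389: "RDP"}

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = (
    # workstation suddenly touching 8 distinct hosts on 445 (one repeat)
    [(1200 + i, "10.0.0.5", f"10.0.0.{10 + i}", 445) for i in range(8)]
    + [(1210, "10.0.0.5", "10.0.0.10", 445)]
    # backup server: 24 distinct hosts on 445 is normal for it
    + [(1205 + i, "10.0.0.2", f"10.0.1.{i}", 445) for i in range(24)]
    # admin host: two RDP sessions, plus unrelated web traffic
    + [(1215, "10.0.0.7", "10.0.0.20", 3389), (1230, "10.0.0.7", "10.0.0.21", 3389),
       (1240, "10.0.0.7", "10.0.0.99", 80)]
)
# Constructed history: per-window distinct-host counts seen on earlier days.
BASELINE = {
    ("10.0.0.5", 445): [1, 2, 1, 2, 1],
    ("10.0.0.2", 445): [20, 22, 21, 19, 23],
    ("10.0.0.7", 3389): [1, 1, 2],
}

def fan_out(flows, window=60):
    """Peak number of distinct destinations per (src, port) in any window."""
    buckets = defaultdict(set)
    for ts, src, dst, port in flows:
        if port in MONITORED_PORTS:          # only model the watched ports
            buckets[(src, port, ts // window)].add(dst)
    peaks = {}
    for (src, port, _), dsts in buckets.items():
        peaks[(src, port)] = max(peaks.get((src, port), 0), len(dsts))
    return peaks

def detect(flows, baseline, k=3.0, floor=5):
    """Alert when a peak exceeds the source's own history (mean + k*stddev);
    `floor` stops hosts with a flat 0/1 history alerting on two connections."""
    alerts = []
    for (src, port), peak in sorted(fan_out(flows).items()):
        hist = baseline.get((src, port), [])
        thresh = max(floor, mean(hist) + k * pstdev(hist)) if hist else floor
        if peak > thresh:
            alerts.append({"src": src, "proto": MONITORED_PORTS[port],
                           "distinct_hosts": peak, "threshold": round(thresh, 1)})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS, BASELINE):
        print(alert)
```

Without a baseline every source falls back to the fixed floor, so the backup server would also alert; the per-source history is what keeps the model usable on hosts whose normal fan-out is high.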

Unknown virus detection by host anomaly

Collect host behavior data including processes, network, files, registry, DLL loading, and driver loading, and scan and analyze the data to determine whether an unknown virus intrusion occurs based on the host behavior.

Unknown virus detection by behavior anomaly

Analyze how a virus behaves in the spread, execution, communication, installation control, and outbreak stages to establish virus-induced behavior anomaly detection models.

Create correlation rules for virus-induced behavior anomalies to discover virus-related anomalous behavior during port scan, network connection scan, file download scan, and other real-time security scans to determine whether an unknown virus intrusion materializes.

Unknown virus detection by threat intelligence

Extract malicious IP addresses, URLs, code, and other information related to new viruses, and continuously add the IOCs of the latest virus attacks to the threat intelligence feed.

Create threat intelligence-based correlation rules that raise an alert whenever an observed item matches threat intelligence during real-time security scans, to determine whether an unknown virus intrusion is occurring.

Unknown Virus Response and Treatment

Unknown virus provenance tracking and analysis

Merge alerts on unknown viruses and rapidly locate suspicious IP addresses through query, drilling down, correlation analysis, and forensic investigation.

Perform graph analytics on infected hosts that have unknown virus alerts, apply machine learning-powered statistical analysis to virus attack trends, and rapidly locate the source of infection; then create targeted detection rules for the confirmed viruses and scan the entire network to identify the impact and scope of infection.

Unknown virus emergency treatment

Deliver security policies among interworking security devices such as firewalls and IPSs to block or intercept malicious IP addresses, domains, files, and processes; quarantine all infected assets based on the provenance tracking and analysis result for unknown viruses to ensure that no new source of infection arises; and analyze the infected assets to inspect and clear up the virus before restoring the assets.

Applicable Industry

  • All

Supported System

  • Host operating system
  • Endpoint operating system
  • Network system

Application Scenario

  • Security vulnerability alerting and system reinforcement
  • Unknown virus detection by network anomaly
  • Unknown virus detection by host anomaly
  • Unknown virus detection by behavior anomaly
  • Unknown virus detection by threat intelligence
  • Unknown virus response and handling

Data Source

  • Network traffic data
  • Security device logs
  • Operating system logs
  • Threat intelligence
  • EDR alerts

Compliance and Best Practice

  • China’s Cybersecurity Law
  • Classified Cybersecurity Protection Regulations 2.0
  • Industry regulations
  • ISO 27001

Customer Benefits

Value-added complement to traditional defenses

Real-time monitoring for unknown viruses

Accurate location of infected assets

Prevention of business interruption

Application Cases

Ransomware treatment without business interruption

Perform real-time monitoring for network and behavior anomalies, rapidly locate the source of infection through correlation analytics and graph analysis, scan the entire network to determine the scope of infection, quarantine the infected devices, and take appropriate actions.

Mining malware detection and treatment by threat intelligence

Monitor network connections and network activities in real time, and correlate assets with any illicit connection to a mining pool flagged in high-confidence threat intelligence, to identify, locate, and take action on the assets infected with mining malware.

Trojan infection treatment by behavior analytics and monitoring

Monitor network connections and file downloads in real time for anomalies, locate the source of infection through network traffic monitoring and correlation analytics, quarantine compromised websites via security device interworking, and take actions on infected assets.