Realeyes Technology


Slideshows

Realeyes AE and IDS
The Realeyes analysis engine is a C library of functions that can be used to build applications for performing sophisticated analysis of large data streams. The Realeyes IDS is the first application built using the Realeyes analysis engine, which allows it to maintain state information about TCP/IP sessions. This slideshow presents how the technology is implemented.

Realeyes GUI
The Realeyes IDS user interface is where the data is analyzed. This slideshow presents the features of the user interface.

Release Descriptions

Each release of the Realeyes IDS has added new features and improved reliability. The highlights are described in the Release Descriptions.

Roadmap

While the current state of Realeyes is very functional, there is much to be done to make it even better. The Roadmap describes plans for the near and medium term.


The developers of the Realeyes IDS have used several security tools for monitoring networks and computer systems on a regular basis over the course of several years. While these tools are generally good at what they are designed to do, as a rule they do not scale well. And the number of security threats spanning the whole severity range is increasing at a tremendous rate. Keeping up with this growth is taxing the already limited resources devoted to securing computer networks and data systems.

To address this situation, the Realeyes IDS was designed with the following goals:

  • Reduce false positives: Creating rules to detect exploits is difficult. And the developers of malware are constantly refining their ability to make detection more difficult. One way to improve the detection capability is to use information from a relatively trusted source, the target of the attack.
  • Provide adequate information: When a human being evaluates a reported attack, more contextual information improves decisions on the appropriate action to be taken.
  • Provide a broad view: The current toolset of those responsible for security includes a wide range of applications to search for unauthorized access, anomalous behavior, and known exploits. Unfortunately, many of these tools do not communicate with each other.

Features

  • Analyze sessions: The Realeyes IDS performs a subset of the functions of a TCP/IP stack. It reassembles sessions and analyzes the data in context. This allows for activity to be monitored at particular times during the session, and also for both halves of a TCP session to be analyzed in context. An example of this is a rule to detect FTP brute force logins by detecting a password entry followed by a rejection message repeating several times.
  • Report session data: In conjunction with the analysis, when a rule match is detected, the Realeyes IDS supplies enough of the session data to provide context for a human analyst to determine what happened.
  • Special handling: There are some analyses that must be handled specially. Examples of these in the Realeyes IDS are:
    • Time monitoring: This allows for specified hosts and subnets to be monitored between certain times, such as midnight and 6:00 am, for any activity. It includes the ability to ignore certain IP addresses.
    • Hot IPs: This allows for specified Events to set either the source or destination IP address or both to be monitored for all activity for a specified time period.
    • TCP Options: The TCP Options field is loosely defined with a variable format and, as such, is very effective for passing short messages.
  • Variety of information: An unexpected occurrence of high volumes of activity can be a warning to investigate further. The Realeyes IDS will optionally collect statistics on network activity, including that of specific hosts or ports. Also, the special handlers for monitoring activity in a variety of ways, such as time monitoring, provide information that might otherwise not be noticed.
  • Trends analysis: The Realeyes system includes a database backend and a graphical user interface that provide the capability of saving incidents to be analyzed for trends. This allows large organizations to determine the effectiveness of their efforts to secure their systems.
  • Reports: Management's justification of expenditures relies largely on the reports provided by the technical staff. The Realeyes IDS reporting facilities are capable of providing reports on all collected data.
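The two features above that depend on session state, the FTP brute-force rule described under "Analyze sessions" / "Report session data" and the "Hot IPs" handler, are illustrated by the following added example. It is not Realeyes code and does not use the Realeyes analysis engine; it is a small stand-alone Python model of the same idea. The FTP reply codes 530 ("not logged in") and 230 ("user logged in") are standard FTP, while the threshold, the hot-IP lifetime, the IP addresses and the session transcripts are constructed for illustration.

```python
"""Session-aware FTP brute-force rule with a "hot IP" follow-up.

Added example, not Realeyes code. Session records, IP addresses,
threshold and lifetime below are constructed for illustration.
"""
from dataclasses import dataclass, field

FTP_LOGIN_FAILED = "530"   # FTP reply: not logged in
FTP_LOGIN_OK = "230"       # FTP reply: user logged in
THRESHOLD = 3              # rejections in one session before we alert (assumed)
CONTEXT_LINES = 8          # how much of the session is handed to the analyst
HOT_SECONDS = 600          # how long a flagged IP stays "hot" (assumed)


@dataclass
class SessionState:
    """Per-session state kept while both halves of the TCP session are reassembled."""
    client_ip: str
    failed_logins: int = 0
    awaiting_pass_reply: bool = False
    context: list = field(default_factory=list)


@dataclass
class HotIpTable:
    """IPs flagged by an event; all their activity is reported until the entry expires."""
    entries: dict = field(default_factory=dict)   # ip -> expiry timestamp

    def mark(self, ip, now, ttl=HOT_SECONDS):
        self.entries[ip] = now + ttl

    def is_hot(self, ip, now):
        expiry = self.entries.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.entries[ip]      # expired entries are dropped when next seen
            return False
        return True


def _redact(line):
    """Keep the PASS command visible in the context, never the password itself."""
    return "PASS ********" if line.upper().startswith("PASS ") else line


def analyze_ftp_session(client_ip, records, now, hot_ips, threshold=THRESHOLD):
    """Walk one reassembled FTP control session and return the alerts raised.

    records: (direction, line) pairs in wire order; 'c' = client->server,
    's' = server->client. Both directions are needed: a rejection only
    counts when it answers a PASS, so a 530 to some other command (e.g. a
    LIST sent before logging in) is ignored, and a 230 resets the streak.
    """
    state = SessionState(client_ip=client_ip)
    alerts = []
    for direction, line in records:
        state.context.append(f"{direction}> {_redact(line)}")
        del state.context[:-CONTEXT_LINES]          # keep only the tail
        if direction == "c":
            state.awaiting_pass_reply = line.upper().startswith("PASS ")
        elif direction == "s" and state.awaiting_pass_reply:
            state.awaiting_pass_reply = False
            if line.startswith(FTP_LOGIN_FAILED):
                state.failed_logins += 1
                if state.failed_logins == threshold:
                    alerts.append({"rule": "ftp-brute-force",
                                   "client_ip": client_ip,
                                   "failed_logins": state.failed_logins,
                                   "context": list(state.context)})
                    hot_ips.mark(client_ip, now)   # watch this host from now on
            elif line.startswith(FTP_LOGIN_OK):
                state.failed_logins = 0
    return alerts


# Constructed sample: three rejected passwords, then the client leaves.
BRUTE_FORCE_SESSION = [("s", "220 ftp.example.test FTP server ready")]
for pw in ("hunter2", "letmein", "password1"):
    BRUTE_FORCE_SESSION += [("c", "USER admin"), ("s", "331 Password required for admin"),
                            ("c", f"PASS {pw}"), ("s", "530 Login incorrect")]
BRUTE_FORCE_SESSION += [("c", "QUIT"), ("s", "221 Goodbye")]

# Constructed sample: a 530 that is not a login rejection, one typo, then success.
LEGIT_SESSION = [
    ("s", "220 ftp.example.test FTP server ready"),
    ("c", "LIST"), ("s", "530 Please login with USER and PASS"),
    ("c", "USER alice"), ("s", "331 Password required for alice"),
    ("c", "PASS wrong"), ("s", "530 Login incorrect"),
    ("c", "USER alice"), ("s", "331 Password required for alice"),
    ("c", "PASS right"), ("s", "230 User alice logged in"),
    ("c", "QUIT"), ("s", "221 Goodbye"),
]


def demo(t0=1_000_000):
    """Run both constructed sessions through the rule and query the hot-IP table."""
    hot = HotIpTable()
    bad = analyze_ftp_session("198.51.100.7", BRUTE_FORCE_SESSION, t0, hot)
    good = analyze_ftp_session("203.0.113.9", LEGIT_SESSION, t0, hot)
    return {"brute_alerts": bad, "legit_alerts": good,
            "attacker_hot_now": hot.is_hot("198.51.100.7", t0 + 1),
            "attacker_hot_later": hot.is_hot("198.51.100.7", t0 + HOT_SECONDS + 1),
            "legit_client_hot": hot.is_hot("203.0.113.9", t0 + 1)}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The point of tracking both halves is visible in `LEGIT_SESSION`: the server's first 530 answers a LIST, not a PASS, so a one-directional pattern match on "530" would miscount it, while the stateful rule ignores it and the later 230 clears the streak. The context handed to the analyst keeps the last few lines of the exchange with the password itself masked, and the alert marks the client address as hot so its further activity is reported until the entry expires.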