TrojanID is a system which enables detection of abnormal communications between the corporate network and the internet.
This process makes it possible to narrow down the set of potentially compromised computers, as opposed to conducting time-consuming forensics on every computer on the network.
The TrojanID methodology includes:
- Recording all network traffic between the office network and the internet
- Insertion of the raw traffic into a structured database capable of storing and analyzing such data volumes
- Use of statistical analysis algorithms derived from our hands-on experience to categorize the traffic into two distinct communication profiles:
  - Communication which is classified as an anomaly because it does not conform to what is expected in an enterprise environment
  - Communication which is classified as "beyond suspicion", such as Windows updates, anti-virus updates etc., in order to reduce the data volume by an order of magnitude and allow faster analysis in the subsequent investigation steps
- Review of the anomaly-tagged and uncategorized communication by security experts in order to identify communication that may be generated by resident malware.
This methodology is the most cost-effective way to detect malware that communicates with the internet in medium- and large-scale networks.
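As an added example that is not TrojanID's own code, the triage below takes constructed flow records and sorts each destination into the three buckets the methodology describes (beyond suspicion, anomaly, uncategorized). The allow-list suffixes, the rarity threshold and the beaconing tolerance are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import pstdev

# "Beyond suspicion" destinations (constructed allow-list; a real deployment
# maintains it from the update and AV infrastructure actually observed).
BEYOND_SUSPICION = (".windowsupdate.example", ".av-updates.example")

# Constructed flow records: (internal host, destination, timestamp in seconds).
FLOWS = [
    ("pc01", "dl.windowsupdate.example", 100), ("pc02", "dl.windowsupdate.example", 140),
    ("pc03", "v5.av-updates.example", 160), ("pc01", "news.example.org", 200),
    ("pc02", "news.example.org", 260), ("pc03", "news.example.org", 300),
    # pc02 alone talks to one address every 600 s: rare destination, fixed period.
    ("pc02", "203.0.113.7", 1000), ("pc02", "203.0.113.7", 1600),
    ("pc02", "203.0.113.7", 2200), ("pc02", "203.0.113.7", 2800),
]

def is_regular(times, tolerance=0.1):
    """True when 3+ contacts arrive at a near-constant interval (beacon-like)."""
    if len(times) < 3:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = sum(gaps) / len(gaps)
    return mean > 0 and pstdev(gaps) / mean < tolerance

def classify(flows, rare_fraction=0.5):
    """Map each destination to beyond_suspicion / anomaly / uncategorized."""
    hosts = {src for src, _, _ in flows}
    per_dst = defaultdict(lambda: {"hosts": set(), "times": []})
    for src, dst, ts in flows:
        per_dst[dst]["hosts"].add(src)
        per_dst[dst]["times"].append(ts)
    labels = {}
    for dst, info in per_dst.items():
        if dst.endswith(BEYOND_SUSPICION):
            labels[dst] = "beyond_suspicion"    # dropped before expert review
            continue
        rare = len(info["hosts"]) / len(hosts) < rare_fraction
        # Anomaly: few hosts use the destination *and* contact it on a fixed
        # schedule, the shape a resident implant polling its controller tends to have.
        if rare and is_regular(sorted(info["times"])):
            labels[dst] = "anomaly"
        else:
            labels[dst] = "uncategorized"       # left for the analysts' queue
    return labels

if __name__ == "__main__":
    for dst, label in sorted(classify(FLOWS).items(), key=lambda kv: kv[1]):
        print(f"{label:17} {dst}")
```

The uncategorized bucket is what the expert review stage consumes; widening the allow-list shrinks it, while the rarity and regularity thresholds decide how much ends up pre-tagged as anomalous.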