Detecting Malware/APT Through Automatic Log Analysis

Legacy perimeter security mechanisms can be evaded very easily. It’s disappointing, but it’s true. Innovatively designed malware and APTs can evade even the strongest signature-based security solutions currently deployed across industries. This has pushed IT companies to think beyond prevention and to design effective detection strategies. In recent times, companies have started analyzing traffic logs, through deployed technology as well as professional services, to detect attacks that are under way. However, even though traffic log analysis can help identify malware activity, companies may not benefit from it much, because the on-premises approach is incomplete, inefficient, and expensive at the same time.

Fortunately, the industry has started capitalizing on the capabilities of the cloud to conduct traffic log analysis in an efficient and cost-effective manner. Such an approach relies mainly on Big Data analytics and advanced machine learning algorithms that can detect types of malware that went undetected in the past.


Analysis of HTTP/HTTPS Traffic Logs

It is crucial to study HTTP/HTTPS traffic logs collected over an extended period of time in order to detect malware activity. Notably, the threats are interconnected, which means that logs should be processed at several levels: user, unit, company, industry, and region. However, this calls for a great deal of memory and CPU, and for access to logs from security vendors and other companies as well. Inline security products such as firewalls, IPS, proxies, and IDS cannot be used for this purpose, as they have neither the memory and processing power nor access to the essential external information sources.

The Significance of the Use of Machine Learning

Because cyber criminals continually put new malware to use, sophisticated machine learning algorithms are essential to review the statistical features of the traffic and determine whether it resembles any known malware profile.

Making the Most Out of Big Data Analytics

Statistical analysis of Big Data, even when performed in the cloud, can be a challenging task. Big Data analytics and statistical analysis support the creation of malware profiles and the training of machine learning algorithms, which in turn support traffic log analysis.


So how does Traffic Log Analysis work?

One option is to offer Traffic Log Analysis as a service, following this process:

1. The traffic logs are processed by machine learning algorithms, and if suspicious traffic is identified, it is segregated into a channel.
2. The channel’s features are analyzed, taking into consideration the profiles of the user, the company, the industry, and the region as a whole.
3. Once malware is detected, the user is notified immediately through the Protection API and the dashboard, which in turn signal the firewalls and proxies to block the threat.
4. The service may also analyze historical traffic log files to find the initial point of infection.
5. Additionally, the malware is downloaded into a sandbox environment for a deeper review.
6. If the malware falls into the botnet category, the data is handed to a Botnet Interception Module, which tracks traffic and identifies compromised users and IP addresses.
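The following is an added example, not Radware’s code, illustrating the statistical-feature matching described above and steps 1, 2 and 4 of the process: proxy log rows are segregated into per-user destination channels, each channel’s features are scored against a constructed “known malware profile” (a regular, fixed-size beacon), and a hit reports the channel’s first contact as the initial point of infection. The log format, the profile thresholds and the hostnames are all constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log sample: "epoch_seconds user dest_host bytes_out".
LOGS = """\
1000 alice cdn.example.net 512
1060 alice c2.example.org 300
1120 alice news.example.com 900
1120 alice c2.example.org 302
1180 alice c2.example.org 298
1240 alice c2.example.org 301
1300 alice c2.example.org 299
1330 bob news.example.com 1200
"""

# Constructed "known malware profile" (thresholds are assumptions): many
# requests, evenly spaced (low interval jitter) and near-constant in size.
PROFILE = {"min_requests": 4, "max_interval_cv": 0.10, "max_size_cv": 0.05}

def parse(text):
    return [(int(t), u, h, int(b))  # (epoch, user, host, bytes_out)
            for t, u, h, b in (ln.split() for ln in text.splitlines())]

def cv(values):
    m = mean(values)  # coefficient of variation; 0 for a constant series
    return pstdev(values) / m if m else 0.0

def channel_features(rows):
    """Segregate rows into (user, host) channels and extract statistics."""
    chans = defaultdict(list)
    for ts, user, host, size in rows:
        chans[(user, host)].append((ts, size))
    feats = {}
    for key, events in chans.items():
        events.sort()
        times = [t for t, _ in events]
        gaps = [b - a for a, b in zip(times, times[1:])]
        feats[key] = {"requests": len(events),
                      "interval_cv": cv(gaps) if len(gaps) > 1 else 1.0,
                      "size_cv": cv([s for _, s in events]),
                      "first_seen": times[0]}  # initial point of infection
    return feats

def matches_profile(f, p=PROFILE):
    return (f["requests"] >= p["min_requests"]
            and f["interval_cv"] <= p["max_interval_cv"]
            and f["size_cv"] <= p["max_size_cv"])

def detect(text):
    """Return {(user, host): first_seen} for channels resembling the profile."""
    feats = channel_features(parse(text))
    return {k: f["first_seen"] for k, f in feats.items() if matches_profile(f)}
```

In production the same features would be compared against per-company and per-industry baselines rather than a single fixed profile, so a destination that is common across the organization does not trip the beacon test on its own.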

Ensuring Privacy of Users’ Data

It is essential to safeguard users’ confidential log data both in transit and at rest. As the malware-driven threat environment grows more complex, keeping user data safe becomes genuinely challenging. Companies providing Automatic Log Analysis services must therefore deploy effective data protection systems, sophisticated technologies, and efficient processes and resources to keep users’ data secure at every stage.


Fabio Palozza

Fabio is Technical Director EMEA-CALA, responsible for Systems Engineering in the theater. With long experience, he began his career in software development for aerospace systems before moving into the IT vendor ecosystem with Bay Networks/Nortel and Juniper Networks, rising to Technical Director EMEA for the Telecom, Cloud and Content businesses. Fabio writes about technology strategy, trends and implementation.
