UAD
The strength of pattern analysis relies on a consistent method of feeding data. If data is not viewed in as raw a form as possible, the results will be extremely inconsistent. UAD takes all of the data prior to scanning and strips it of the variables that prevent patterns from being recognized. UAD decomposes data to a state that lets it remain consistent for the application of pattern analysis. Email is an example. If email were examined without stripping it of these variables, pattern matching would be ineffective because the content is obscured by HTML code. Some emails contain HTML code while others are plain text. Some attachments are zipped while others are not. These inconsistencies produce inconsistent results when detecting patterns. UAD solves this by decomposing data to its most recognizable state, keeping it consistent for the VFind engine.
VFind
VFind is the core engine of Pattern Authority. As data is sent through the VFind engine, CVDL definitions are applied to it to classify it as a threat or not a threat, depending on the definition set. VFind differs from other threat-specific engines, such as an AV engine, in that it employs parallel analysis of data, allowing the data to be simultaneously scanned for different threat types (i.e. spam, virus, spyware, unwanted content, IP, compliance, etc.). Engines that have attempted this have been plagued by performance issues. VFind was developed as a tool for allowing the military to retain complete control of its AV defense system. As a response to unknown military threats, VFind needed to identify threats with unknown data structures. The threat was not always going to be a virus; in some instances it might be a signal of an impending threat in the form of dirty words, obfuscated patterns or malicious content. VFind efficiently interprets CVDL definitions, allowing for broad-based threat scanning. Just as the military has specific unidentified threats, niche business markets and individual businesses have unidentified threats that VFind can address from a pattern analysis viewpoint.
CIT
Pattern Authority uses CIT to maintain the integrity of the definitions and of the updates applied to them. CIT creates a hash of each file to determine that it is in fact unchanged, or that the updates that have happened match the updates that were supposed to happen. CIT can also be used to further harden the appliance by creating a hash database of the files on the system to verify the integrity of the machine.
CVDL
CVDL is a schema that allows a human analyst to define a pattern that VFind will scan for. Rather than defining a pattern only by human-readable components such as words or phrases, CVDL is designed to search for patterns as defined by the analyst. This method of analysis is known as linguistic heuristics, but it offers more than language structure pattern analysis alone. Patterns can include structure, content, file type, source or destination, in addition to words, phrases and other variables. For instance, rather than creating a separate definition for every obfuscated transmission of the word "confidential", CVDL allows the creation of one definition that identifies the obfuscated or misrepresented characters, inserted spaces, etc. that make up the pattern of the word "confidential", without blocking its correct spelling. This is effective for stopping variants of a threat.
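The two ideas above, decomposing an email to plain text before scanning (UAD) and matching obfuscated variants of a word while leaving its correct spelling alone (the CVDL "confidential" case), as an added illustration in Python. This is not CyberSoft's UAD or CVDL code; the MIME sample, the look-alike table and the regex construction are constructed for the example.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from html import unescape

TAG_RE = re.compile(r"<[^>]+>")

def build_sample() -> bytes:
    """Constructed sample: multipart mail whose HTML part is base64-encoded."""
    msg = EmailMessage()
    msg["Subject"] = "Q3 figures"
    msg.set_content("Quarterly numbers attached. Treat as confidential.")
    msg.add_alternative(
        "<p>The figures are <b>c0nf.1dent1al</b>; do <i>not</i> forward.</p>",
        subtype="html", cte="base64")
    return msg.as_bytes()

def decompose_email(raw: bytes) -> str:
    """Reduce every text part to visible plain text: transfer encoding is
    undone by the email parser, HTML tags are dropped, entities decoded."""
    msg = message_from_bytes(raw, policy=policy.default)
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()  # base64 / quoted-printable decoded here
        if part.get_content_subtype() == "html":
            body = unescape(TAG_RE.sub(" ", body))
        chunks.append(body)
    return re.sub(r"\s+", " ", " ".join(chunks)).strip()

# Constructed look-alike table: characters an evader might swap for a letter.
LOOKALIKES = {"o": "0", "i": "1l!", "e": "3", "a": "4@", "t": "7", "l": "1|"}

def obfuscation_pattern(word: str) -> re.Pattern:
    """One pattern covering look-alike substitutions and up to three
    separator characters (spaces, dots, punctuation) between letters."""
    classes = [f"[{ch}{re.escape(LOOKALIKES.get(ch, ''))}]" for ch in word.lower()]
    body = r"[\W_]{0,3}".join(classes)
    return re.compile(rf"(?<![a-z0-9])({body})(?![a-z0-9])", re.IGNORECASE)

def find_obfuscated(text: str, word: str) -> list[str]:
    """Return obfuscated spellings of `word`; the exact spelling is not reported."""
    pat = obfuscation_pattern(word)
    return [m.group(1) for m in pat.finditer(text) if m.group(1).lower() != word.lower()]

if __name__ == "__main__":
    text = decompose_email(build_sample())
    print(find_obfuscated(text, "confidential"))  # ['c0nf.1dent1al']
```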
Mini-Web
This is the web server developed to simplify integration efforts. Using Mini-Web, OEMs can create a secure, customized web-based interface that makes full use of the Pattern Authority engine. For instance, included with Mini-Web is the code for building a custom filter creator. This web page allows a customer to create a complex definition without knowledge of our CVDL.