Network traffic from and to the Internet is analysed in real-time in order to detect suspicious patterns and anomalies such as malware, command and control server, bots, spyware, drive by sources, DDoS targets and sources and others.

More than 19,000 continuously updated (matched with IP reputation data) signatures and rules serve as the basis for detection. On-hand is also an additional behaviour-driven analysis for zero-day exploits and other unknown attacks without signatures as well as the detection of protocols even if varying ports are used. Moreover thousands of file types are identified via MD5 checksums and possible file extraction to let documents stay out or not get out.

Technical details: The module is highly scalable with a master/probe configuration option for decentralised internet breakouts. 1Gbit and 10Gbit interfaces are supported (copper and fibre).