Network Sniffing & Data Capture

The Challenge

Traditional fraud management solutions typically rely on data that already exists within the organization, such as log files and databases. Their analysis is therefore limited to the data that happens to be available and to the time at which that data is delivered. Application logs do not reflect user behavior and typically omit vital information such as the queries a user issued; as a result, suspicious events related to information leakage, and many fraud scenarios, cannot be detected from this information alone.

Intellinx Network Sniffing Capabilities

Intellinx provides a first-of-its-kind cross-platform surveillance system for unparalleled visibility of end-user activity in corporate applications across the enterprise. The system records the activity of internal and external end-users interacting with the corporate servers, as well as inter-server communication (e.g. SWIFT and ATM messages) by non-invasively sniffing network traffic. The sniffing is performed by connecting the Intellinx Sensor to the main corporate network switches through mirror ports or tap devices. The recorded user sessions and inter-server messages are analyzed and reconstructed in real-time, allowing visual replay of user activity screen by screen.

Intellinx effectively detects various types of internal and external fraud based on its ability to capture the full user behavior, including how much time is spent on every screen, the queries a user issues, incomplete transactions and other user actions. This enables detection of actions suspected to be intentional information leakage. The system can also detect internal users preparing to steal money from customer accounts: the perpetrator typically performs out-of-norm queries to find the victim accounts, and capturing and analyzing these queries in real time enables detection and prevention before the fraud has even occurred!
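The reconnaissance pattern described above (a user issuing far more account lookups than their own norm, mostly without a following transaction) is the kind of signal that captured queries make detectable. The following is an added illustration of such a baseline check, not Intellinx code; the record format and all sample data are constructed for the example.

```python
"""Baseline-based detection of out-of-norm account lookups (added example).

Assumes a simplified, constructed record format: each captured query event
is (user, account_id, followed_by_transaction). Not the product's own code.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: distinct customer accounts each user looked up per
# day over the previous 10 working days (their normal behaviour).
BASELINE = {
    "alice": [12, 14, 11, 13, 15, 12, 14, 13, 12, 14],
    "bob":   [40, 38, 45, 42, 41, 39, 44, 43, 40, 42],
}

# Constructed capture for the current day.
TODAY = (
    # alice: 46 distinct accounts, almost all lookup-only -> suspicious
    [("alice", f"ACC-{i:04d}", False) for i in range(1, 46)]
    + [("alice", "ACC-0050", True)]
    # bob: 41 distinct accounts, each followed by a transaction -> normal
    + [("bob", f"ACC-{i:04d}", True) for i in range(100, 141)]
)

def distinct_lookups(events):
    """Number of distinct accounts each user queried."""
    seen = defaultdict(set)
    for user, account, _ in events:
        seen[user].add(account)
    return {u: len(a) for u, a in seen.items()}

def lookup_only_ratio(events):
    """Share of a user's queries that were not followed by a transaction."""
    totals, lookups = defaultdict(int), defaultdict(int)
    for user, _, followed in events:
        totals[user] += 1
        if not followed:
            lookups[user] += 1
    return {u: lookups[u] / totals[u] for u in totals}

def detect_out_of_norm(events, baseline, k=3.0, min_ratio=0.8):
    """Flag users whose distinct-account lookups exceed mean + k*stdev of
    their own baseline AND whose queries were mostly lookup-only."""
    counts, ratios, alerts = distinct_lookups(events), lookup_only_ratio(events), {}
    for user, hist in baseline.items():
        threshold = mean(hist) + k * pstdev(hist)
        n = counts.get(user, 0)
        if n > threshold and ratios.get(user, 0.0) >= min_ratio:
            alerts[user] = (n, round(threshold, 1))
    return alerts
```

Run against real captures, the baseline would be built per user from historical sessions and the threshold tuned so that legitimate bulk work (as in bob's case) does not alert.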

Utilizing a patented agent-less sniffing technology, Intellinx requires no change to the organization's infrastructure and introduces no risk, no overhead and no performance degradation on servers, networks or clients.

Figure: Sniffing overview diagram

Behavior Analysis for a Wide Range of Users

The system can monitor various types of end-users:

  • Internal business users
  • Privileged IT users
  • External users accessing corporate systems through the Web (such as e-Banking customers or insurance agents)

Forensics

The system encrypts the recorded data and digitally signs it so that it can serve as forensic evidence in court. In several cases, data from Intellinx has been used in US federal and state court proceedings.

Data Collection from Log Files and Other Sources

In addition to sniffing, Intellinx can capture data from other sources, including log files (text or binary), database tables, XML and CSV files, message queues and more. The data can be captured in real time or at pre-scheduled times. The system can be configured to parse collected data with complex layouts, which may be dynamic or based on a data dictionary. Data collected from log files or other sources can be used for analytics, reporting and investigation in the same way as data captured through network sniffing. The collected data can be analyzed in real time and correlated by the analytic engine with information captured through network sniffing.