Each agent contains the entire body of markers, the metaexpression, that can identify all known network attacks. These markers, or behavior expressions, are sufficient to determine whether any given network conversation is a member of a known set of attacks.
These markers were created using extensive, time-consuming packet-level analysis of network conversations carried on by known attacks. The analysis breaks down the packet stream into conversations and assigns integer values to represent certain characteristics of the packets that make up each conversation, such as protocol, category and content.
These integers are then assembled to represent the stream, and the analysis notes such characteristics as the frequency of the integers, their proximity to other integers and the distance between each occurrence. These values are in turn assigned integers. The result is what TrustPipe calls a behavior expression for a given set of data being analyzed.
One or more behavior expressions come out of analyzing each network conversation. These expressions represent the behaviors necessary to define a conversation as part of a known attack.
As it turns out, it takes relatively few sets of behavior expressions to define all known attacks. For example, TrustPipe can identify all known viruses using just 14 sets of behavior expressions.
If a new variant of a virus is written, a traditional anti-virus platform would have to add a new signature to its library in order to detect it. By contrast, a new variant of a known virus would be detected by TrustPipe without adding anything to its body of behavior expressions, Evers says. New variants can change a virus's signature but not the behavior expressions that define it. "It's virtually impossible to obfuscate," he says.
In operation, the TrustPipe agent transforms each network transaction into a representation of integers that is mapped against the metaexpression to look for matches. When it finds them, it blocks the traffic. The agent is a network-layer shim in the operating system.
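As an added illustration that is not TrustPipe's code (the company's encoding is patented and the article does not disclose it), the Python sketch below shows the shape of the pipeline the article describes: each packet is reduced to an integer symbol built from protocol, category and content class; a conversation is summarised by the frequency, first position and spacing of those symbols; and the summary is matched against a small "metaexpression" of known behaviors. The code tables, the sample conversations and the `dropper_like` expression are all constructed for this example. A payload-hash signature is included alongside only to show the contrast the article draws: a byte-level variant escapes the hash, while the behavior expression, which never looks at the payload bytes, still matches.

```python
"""Toy behavior-expression encoder and matcher (constructed example, not TrustPipe's algorithm)."""
from collections import defaultdict
import hashlib

# Assumed code tables: the article names only the dimensions (protocol, category, content).
PROTOCOL = {"tcp": 1, "udp": 2, "icmp": 3}
CATEGORY = {"handshake": 1, "request": 2, "response": 3, "data": 4}
CONTENT = {"empty": 0, "text": 1, "binary": 2, "executable": 3}


def packet_symbol(proto, category, content):
    """Pack the three per-packet characteristic codes into a single integer symbol."""
    return PROTOCOL[proto] * 100 + CATEGORY[category] * 10 + CONTENT[content]


def encode_conversation(packets):
    """packets: list of (proto, category, content_class, payload_bytes); payload is ignored here."""
    return [packet_symbol(p, c, k) for p, c, k, _ in packets]


def behavior_expression(symbols):
    """Map each symbol to (frequency, first position, largest gap between its occurrences)."""
    positions = defaultdict(list)
    for i, s in enumerate(symbols):
        positions[s].append(i)
    expr = {}
    for s, idx in positions.items():
        gaps = [b - a for a, b in zip(idx, idx[1:])]
        expr[s] = (len(idx), idx[0], max(gaps) if gaps else 0)
    return expr


def matches(expr, known):
    """known: {symbol: (min_count, max_first_pos, max_gap)}; every constraint must hold."""
    for s, (min_count, max_first, max_gap) in known.items():
        if s not in expr:
            return False
        count, first, gap = expr[s]
        if count < min_count or first > max_first or gap > max_gap:
            return False
    return True


def classify(packets, metaexpression):
    """Return the names of every known behavior the conversation satisfies."""
    expr = behavior_expression(encode_conversation(packets))
    return [name for name, known in metaexpression.items() if matches(expr, known)]


def payload_hash(packets):
    """A traditional byte-level signature: SHA-256 over the concatenated payloads."""
    return hashlib.sha256(b"".join(p[3] for p in packets)).hexdigest()


# Constructed conversations. ATTACK and VARIANT share packet behavior but differ in bytes.
ATTACK = [
    ("tcp", "handshake", "empty", b""),
    ("tcp", "request", "text", b"GET /update HTTP/1.0"),
    ("tcp", "response", "binary", b"\x7fELF"),
    ("tcp", "data", "executable", b"\x00\x01"),
    ("tcp", "data", "executable", b"\x02\x03"),
    ("tcp", "data", "executable", b"\x04\x05"),
]
VARIANT = [
    ("tcp", "handshake", "empty", b""),
    ("tcp", "request", "text", b"GET /patch HTTP/1.0"),
    ("tcp", "response", "binary", b"\x7fELF"),
    ("tcp", "data", "executable", b"\xaa\xbb"),
    ("tcp", "data", "executable", b"\xcc\xdd"),
    ("tcp", "data", "executable", b"\xee\xff"),
]
BENIGN = [
    ("tcp", "handshake", "empty", b""),
    ("tcp", "request", "text", b"GET /index.html HTTP/1.0"),
    ("tcp", "response", "text", b"<html>"),
    ("tcp", "data", "text", b"hello"),
    ("tcp", "data", "text", b"world"),
]

# Constructed metaexpression: a text request early in the conversation followed by
# at least three executable data packets arriving no more than two packets apart.
METAEXPRESSION = {
    "dropper_like": {
        packet_symbol("tcp", "request", "text"): (1, 5, 0),
        packet_symbol("tcp", "data", "executable"): (3, 10, 2),
    }
}

# Byte-level signature library holding only the original ATTACK conversation.
SIGNATURES = frozenset({payload_hash(ATTACK)})

if __name__ == "__main__":
    for name, conv in (("ATTACK", ATTACK), ("VARIANT", VARIANT), ("BENIGN", BENIGN)):
        print(name, "behavior:", classify(conv, METAEXPRESSION),
              "signature hit:", payload_hash(conv) in SIGNATURES)
```

Running the block prints the same behavior verdict for the attack and its variant, while only the original attack hits the byte-level signature; this is the distinction the article is making, shown in a deliberately small encoding.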
The company holds two U.S. patents on its technology.
TrustPipe is not a forensic tool, Evers says. While it is quick and accurate at detecting and blocking threats, it can't identify which variant it has blocked. Other tools, such as anti-virus, are needed for that.
"It's not designed to replace anything," says West Coast Labs' Markle, and it works differently from any other security technology he's come across. "What it does and the way it does it, you can't say it's part firewall, part IPS. It just does what it does in an effective way."
TrustPipe is privately funded. Co-founder Kanen Flowers is the chief scientist and the principal inventor of the technology. He was a founder of nCircle Network Security. Evers was CEO of nCircle and led the team that created QuickBooks. He and Flowers have both worked at nCircle, kozoru and Inquisit.