HP Labs technology underpins HP ArcSight DNS Malware Analytics, a new solution from HP Security


Contributed by Simon Firth, freelance technology journalist


Yesterday at HP Protect, the company’s annual enterprise security user conference in National Harbor, Maryland, HP introduced HP ArcSight DNS Malware Analytics (DMA), a security solution based substantially on research conducted at HP Labs.


HP ArcSight DMA inspects network traffic associated with the Domain Name System (DNS), a fundamental building block of how the internet works. DNS maintains the mapping between domain names and IP addresses. By inspecting DNS packets, DMA can identify servers, desktops, and mobile devices that have been infected by malware, helping users quickly detect high-risk threats, reduce the impact of data breaches, and enhance the overall security of their systems.


The technology began life at HP Labs several years ago, notes Bill Horne, HP’s Director of Security Research. “HP’s internal IT team wanted to collect our own DNS traffic,” he recalls, “and it turns out that’s really hard because you have to do it at scale – HP, for example, processes about 16 billion DNS packets a day.”



[Figure: screen shot of the HP ArcSight DNS Malware Analytics dashboard]


Still, the sheer data volumes were highly challenging. “So we devised a system that throws out 99% of the logs,” explains Horne. “We use models to figure what we can be confident are safe DNS queries and responses and those we discard. That allows us to focus on the 1% that’s potentially suspicious.” That still left a lot of data – 180 million packets a day – but a number that ArcSight, HP’s enterprise security event management platform, could easily handle.


Not only is it hard to collect this amount of data, but operations engineers are reluctant to turn on DNS server logging because of its large performance impact. Worse, DNS logs typically don’t contain all of the information needed to reveal threats. The Labs team instead used network packet sniffers to collect the DNS data, which left DNS server performance untouched and allowed them to collect a more revealing set of data than logging alone would have provided.
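The reduction step Horne describes, as an added illustration written for this article rather than HP's own code: a triage filter that discards only the records a simple allowlist-and-entropy "safe" model vouches for and keeps everything else (failed lookups, unusual record types, random-looking names) for analysis. The sample records, allowlist, record types and entropy threshold are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample records (hypothetical, not HP's data). A real deployment
# would build these from sniffed DNS packets; each dict is one query/response.
SAMPLE = [
    {"src": "10.0.0.11", "qname": "www.example.com.", "qtype": "A", "rcode": "NOERROR"},
    {"src": "10.0.0.11", "qname": "cdn.example.net.", "qtype": "AAAA", "rcode": "NOERROR"},
    {"src": "10.0.0.11", "qname": "mail.example.com.", "qtype": "MX", "rcode": "NOERROR"},
    {"src": "10.0.0.42", "qname": "xk3j9qzv7b2lm.example.org.", "qtype": "A", "rcode": "NXDOMAIN"},
    {"src": "10.0.0.42", "qname": "q8wz4n1tpc5yh.example.org.", "qtype": "A", "rcode": "NXDOMAIN"},
    {"src": "10.0.0.42", "qname": "update.example.com.", "qtype": "A", "rcode": "NOERROR"},
    {"src": "10.0.0.77", "qname": "AAAAAAAAAAAAAAAAAAAAAAAA.example.org.", "qtype": "TXT", "rcode": "NOERROR"},
]

# Assumed "safe model": an allowlist of domains the organisation has vetted,
# the record types seen in ordinary client traffic, and an entropy ceiling
# above which a label looks machine-generated rather than human-chosen.
KNOWN_GOOD = ("example.com.", "example.net.")
SAFE_QTYPES = {"A", "AAAA", "MX"}
ENTROPY_LIMIT = 3.3  # bits per character

def label_entropy(label):
    """Shannon entropy of one DNS label, in bits per character."""
    counts = Counter(label.lower())
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def is_confidently_safe(rec):
    """Every test must pass before a record is thrown away."""
    name = rec["qname"].lower()
    if rec["rcode"] != "NOERROR" or rec["qtype"] not in SAFE_QTYPES:
        return False  # failed lookups and unusual types stay for analysis
    if not name.endswith(KNOWN_GOOD):
        return False  # anything outside the allowlist stays
    return max(label_entropy(l) for l in name.rstrip(".").split(".")) < ENTROPY_LIMIT

def triage(records):
    """Return (kept records, reduction ratio, NXDOMAIN count per source host)."""
    kept = [r for r in records if not is_confidently_safe(r)]
    nx_by_host = defaultdict(int)
    for r in kept:
        if r["rcode"] == "NXDOMAIN":
            nx_by_host[r["src"]] += 1  # hosts with many failures merit a closer look
    ratio = len(records) / len(kept) if kept else float("inf")
    return kept, ratio, dict(nx_by_host)
```

On the constructed sample the filter drops four of seven records and keeps the two NXDOMAIN lookups from one host plus the long TXT query; a production model would be tuned on the organisation's own traffic baseline rather than fixed constants.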


As they developed a solution, Horne’s team realized that the DNS data could reveal information about attacks originating from within HP’s own network.

The information proved to be a goldmine. “We pulled it all into an HP Vertica platform and very quickly we started detecting all kinds of interesting things, including evidence of malware that hadn’t been detected yet by any other method,” Horne says.


As a result, HP Labs and HP IT worked together to deploy the malware detection service for HP’s own network and it soon proved itself by sending valuable alerts to HP’s Security Operations team. The obvious next step was to offer it to HP customers to help protect them from similar threats.


Now implemented as HP ArcSight DMA, the service has analyzed the DNS traffic of one of the world’s largest corporate enterprises, showing a consistent DNS data reduction of 100 million times and a false positive reduction of 20 times over other malware detection systems.


Looking ahead, Horne’s team will help evolve HP ArcSight DMA’s analytics to reflect the state-of-the-art. “What I really liked about this project,” adds Horne, “is that we solved a big, important security problem for HP. Because of our size, if we can solve a problem for HP, then we can pretty much solve it for anyone. Now we’re looking for ways in which we can repeat that success.”



About the Author


Shane Francis

How can I learn more about ArcSight, and when will it be available to the general public?

