Rather than focus on attack signatures, these AI solutions look for anomalous network behavior, flagging when a machine goes rogue or if user activity or traffic patterns appear unusual. “A really simple example is someone with high privilege who attempts to get onto a system at a time of day or night that they never normally log in and potentially from a geolocation or a machine that they don't log in from,” said Kelley.
Another example would be a “really rapid transfer of a lot of data,” especially if that data consists of the “corporate crown jewels.”
Such red-flags allow admins to quickly catch high-priority malware infections and network compromises before they can cause irreparable damage.
IBM calls this kind of machine learning “cognitive with a little ‘c'” – which the company was already practicing prior to Watson. Despite its diminutive designation, “little c” can have some big benefits for one's network.
“A network really in its simplest form, is a data set,” one that changes with every millisecond, said Justin Fier, director of cyber intelligence and analysis at U.K.-based cybersecurity company Darktrace, whose network threat detection solution was created by mathematicians and machine-learning specialists from the University of Cambridge. “With… machine learning, we can analyze that data in a more efficient way.”
“We're not looking for malicious behavior, we're looking for anomalous behavior,” Fier continued, in an interview with SC Media. “And that can sometimes turn into malicious behavior and intent, or it can turn into configuration errors or it could just be vulnerable protocols. But we're looking for the things that just stand out.”
An advantage of these kinds of AI solutions is that they often run on unsupervised learning models – meaning they do not need to be fed scores of data in advance to help its algorithms define what constitutes a true threat.
