Page 52 - Cyber Warnings
a needle in a haystack. Furthermore, it is unrealistic to expect that training on
anomalous data points from one industry, say eCommerce, carries over to another one,
such as a healthcare datacenter. Additionally, modern attacks are more sophisticated
and hide themselves among many false attacks to defeat threat detection systems.
Such complexity makes identifying anomalous training data points for all target
industries a huge uphill battle. The lack of, or difficulty in obtaining, training data
points makes unsupervised learning a necessity in the world of cyber defense.

Given that unsupervised learning is required for such environments, one has to think
through its pitfalls, making sure that predicting anomalies does not increase false
positives or compromise accuracy. Various measures, such as the Matthews Correlation
Coefficient, are used to assess the confusion matrix for accuracy, sensitivity and so on;
however, it is not easy to consistently get good measures from the matrix in practice,
which demonstrates that more than just Machine Learning is needed to reach the
desired results. There are various approaches one can take, but the end result has to
be an actionable outcome from the algorithms with minimal noise. This is where AI
comes into play.
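As an added illustration (not code from the article), the following Python computes the confusion-matrix measures named above on a constructed, heavily imbalanced sample and shows why plain accuracy misleads on rare anomalies while the Matthews Correlation Coefficient and the false-alarm load per true detection do not. The two detectors and their counts are assumed values chosen for the example.

```python
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class ConfusionMatrix:
    """Binary confusion matrix for an anomaly detector (positive class = anomaly)."""
    tp: int  # real anomalies flagged
    fp: int  # benign events flagged (false alarms, i.e. analyst noise)
    tn: int  # benign events left alone
    fn: int  # real anomalies missed

    def accuracy(self) -> float:
        return (self.tp + self.tn) / (self.tp + self.fp + self.tn + self.fn)

    def sensitivity(self) -> float:
        """Recall: share of real anomalies the detector caught."""
        pos = self.tp + self.fn
        return self.tp / pos if pos else 0.0

    def mcc(self) -> float:
        """Matthews Correlation Coefficient in [-1, 1]; 0 is chance level.
        Conventionally 0 when any marginal sum is zero (otherwise undefined)."""
        num = self.tp * self.tn - self.fp * self.fn
        den = sqrt((self.tp + self.fp) * (self.tp + self.fn)
                   * (self.tn + self.fp) * (self.tn + self.fn))
        return num / den if den else 0.0


def false_alarms_per_detection(m: ConfusionMatrix) -> float:
    """Noise an analyst must wade through for every true detection (inf if none)."""
    return m.fp / m.tp if m.tp else float("inf")


def metrics_disagree(a: ConfusionMatrix, b: ConfusionMatrix) -> bool:
    """True when accuracy and MCC rank the two detectors in opposite order."""
    return (a.accuracy() > b.accuracy()) != (a.mcc() > b.mcc())


# Constructed sample (not real data): 100,000 events of which 100 (0.1%) are anomalies.
# ALWAYS_BENIGN never alerts; NOISY catches most anomalies but raises 900 false alarms.
ALWAYS_BENIGN = ConfusionMatrix(tp=0, fp=0, tn=99_900, fn=100)
NOISY = ConfusionMatrix(tp=80, fp=900, tn=99_000, fn=20)

if __name__ == "__main__":
    for name, m in (("always-benign", ALWAYS_BENIGN), ("noisy", NOISY)):
        print(f"{name:14} acc={m.accuracy():.4f} sens={m.sensitivity():.2f} "
              f"mcc={m.mcc():.3f} false alarms/detection={false_alarms_per_detection(m):.2f}")
    print("accuracy and MCC disagree:", metrics_disagree(ALWAYS_BENIGN, NOISY))
```

The silent detector scores 99.9% accuracy yet an MCC of 0, while the useful but noisy one scores lower accuracy, a higher MCC, and still hands analysts more than eleven false alarms per real detection.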

In April 2016, researchers from MIT’s Computer Science and Artificial Intelligence
Laboratory (CSAIL) demonstrated an artificial intelligence platform called AI² that
predicts cyber-attacks significantly better than existing systems by continuously
incorporating input from human experts. The premise behind the finding is that only an
unsupervised suite of algorithms, plus feedback from expert security analysts, is needed
to develop an AI-based algorithm that detects threats accurately. This too is a
good approach, but the services of these expert security analysts come at a significant
cost, both in terms of time and money.

Furthermore, many ML algorithms indicate threats long after they have been
introduced and have taken advantage of the vulnerability. For example, a clustering
algorithm may detect a threat only after analyzing a history of patterns, indicating that
the anomaly was introduced into the network or a subnet some time ago. These threat
findings are useful once you deploy an army of security ops staff to home in on the
root cause of the anomaly and then address it. This sounds all well and good, but the
anomaly may already have spread by the time the security ops staff identify the root
cause, requiring a much wider investigation with an increasing budget and a delayed
response time.

Clearly, it is desirable to identify the threat in real-time, as soon as it happens, and to
provide specificity about where it occurred. Furthermore, the method of arriving at this
conclusion should also be provided for the added benefit of


52 Cyber Warnings E-Magazine – April 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
