The security industry has done a great job of creating a lot of noise around the rise of “machine learning” or “artificial intelligence.” The industry says that rules are the problem—too many missed attacks and false alarms—and that machine learning is the answer.
At a high level, it makes sense. Machine learning operates without hand-written rules, and it does catch previously unseen attacks. But what does it fix, and what are the trade-offs?
To explain this in detail, it is helpful to organize the Machine Learning universe into the three distinct types used in the security industry:
- Unsupervised Machine Learning
- Static Supervised Learning
- Active Supervised Learning
Unsupervised Machine Learning
Most of what you hear being touted as “advanced threat detection” is Unsupervised Machine Learning, or simply anomaly detection. This approach is used widely across domains to organize data and surface outliers. In cybersecurity, Unsupervised Machine Learning crunches log or packet data in search of outliers, on the reasoning that the vast majority of online behaviors are legitimate, so the malicious behaviors should be the outliers.
Unfortunately, the relationships between enterprises and their employees, partners, suppliers, and customers are astronomically complex. Behaviors vary widely, and what seems to be an outlier is often perfectly normal. You might discover a data leak to Ukraine, only to find there is a legitimate contractor working there for a different division.
The promise of Unsupervised Learning is tempered by an important nuance that exposes the logical flaw in this approach: the definition of “outlier” is not the definition of “malicious.” Conflating the two buries analysts under many, many false positives.
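The mechanics above can be sketched in a few lines. This is a minimal, hypothetical illustration using a median-absolute-deviation outlier test on invented session data; real systems use far richer features, but the logical flaw is the same: the large transfer is flagged whether it belongs to an attacker or to that legitimate contractor.

```python
# Hypothetical anomaly detection sketch: flag sessions whose transfer
# volume deviates strongly from the population. All data and the
# threshold are invented for illustration.
from statistics import median

def mad_outliers(values, threshold=3.5):
    """Return indices of values far from the median, measured in
    median-absolute-deviation (MAD) units."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        return []
    # 0.6745 rescales MAD so the score is comparable to a z-score.
    return [i for i, v in enumerate(values)
            if 0.6745 * abs(v - med) / mad > threshold]

# MB transferred per user session; most are routine, one is huge.
sessions = [120, 95, 130, 110, 105, 98, 125, 115, 90_000]
print(mad_outliers(sessions))  # → [8]
```

Note that the detector only says “unusual,” never “malicious”; deciding which is which is exactly the work it leaves behind.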
Static Supervised Learning
Unlike unsupervised learning, supervised learning takes input from humans to create models. Think of supervised learning models as systems that “think” like humans and learn over time. Data scientists collect human feedback, train a model on that feedback, and then deploy the model into production. This process, from feedback collection through training to deployment, often takes months or even years, depending on when and where new human feedback is incorporated.
These kinds of models work in static environments, where whatever we are trying to predict is not changing. But “static” does not describe the world of cybersecurity. Our world is fundamentally adversarial: attackers are motivated to evade you in order to succeed, and they morph faster than supervised learning models can be retrained.
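The train-once, deploy-frozen cycle can be sketched with a toy nearest-centroid classifier. Everything here is invented for illustration: the two features (logins per hour, MB exfiltrated), the labels, and the data.

```python
# Toy sketch of the static supervised pipeline: train offline on
# human-labeled events, then freeze the model. Features and labels
# are hypothetical.

def train(samples):
    """samples: list of (feature_vector, label). Returns per-label centroids."""
    sums, counts = {}, {}
    for features, label in samples:
        acc = sums.setdefault(label, [0.0] * len(features))
        for i, f in enumerate(features):
            acc[i] += f
        counts[label] = counts.get(label, 0) + 1
    return {label: [s / counts[label] for s in acc]
            for label, acc in sums.items()}

def predict(model, features):
    """Assign the label of the nearest centroid (squared Euclidean)."""
    return min(model, key=lambda lb: sum((f - c) ** 2
               for f, c in zip(features, model[lb])))

# Months of analyst-labeled history, compressed into four examples:
labeled = [([2, 0.1], "benign"), ([3, 0.2], "benign"),
           ([40, 50.0], "malicious"), ([55, 80.0], "malicious")]
model = train(labeled)  # trained once, then deployed as-is
print(predict(model, [50, 60.0]))  # → malicious
```

Once deployed, `model` never changes: any attacker behavior that drifts away from the training data is scored against stale centroids until the next retraining cycle.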
So, how do you update the model in real time?
Active Supervised Learning
To bring AI into cybersecurity, Active Supervised Learning is the best approach. Active Learning is a way to train supervised learning models on the fly, without millions of training examples, delivering on the promise of supervised learning with a massively reduced training period.
This system continuously engages human analysts, learning from them to create new supervised learning models. We call these models Virtual Analysts because, like a human analyst, they can distinguish between malicious and normal behavior patterns with great precision.
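The loop described above, querying an analyst only on uncertain events and updating the model immediately, can be sketched as follows. The classifier, the uncertainty rule, the threshold, and the stand-in analyst are all hypothetical simplifications of how an uncertainty-sampling active learner works.

```python
# Hypothetical active-learning loop: the model asks the analyst about
# events it is least certain on and incorporates the answer on the fly.

class ActiveClassifier:
    def __init__(self):
        self.centroids = {}  # label -> (running feature sums, count)

    def _dist(self, features, label):
        sums, n = self.centroids[label]
        return sum((f - s / n) ** 2 for f, s in zip(features, sums))

    def learn(self, features, label):
        sums, n = self.centroids.get(label, ([0.0] * len(features), 0))
        self.centroids[label] = ([a + b for a, b in zip(sums, features)], n + 1)

    def predict(self, features):
        return min(self.centroids, key=lambda lb: self._dist(features, lb))

    def uncertain(self, features):
        # Ask the analyst when the two nearest labels score similarly,
        # or when we have not yet seen both labels at all.
        if len(self.centroids) < 2:
            return True
        d = sorted(self._dist(features, lb) for lb in self.centroids)
        return d[1] - d[0] < 1.0  # invented uncertainty threshold

def analyst_label(event):  # stand-in for the human analyst
    return "malicious" if event[1] > 10 else "benign"

model = ActiveClassifier()
for event in [[2, 0.1], [45, 60.0], [3, 0.3], [50, 70.0], [4, 0.2]]:
    if model.uncertain(event):
        model.learn(event, analyst_label(event))  # updates immediately
print(model.predict([48, 65.0]))  # → malicious
```

The key contrast with the static pipeline is in the loop: the analyst's answer changes the model before the next event arrives, so there is no months-long gap between feedback and deployment.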
The term Virtual Analyst also implies that we need to think through how to incorporate these models into our security apparatus. Deployed right, they can dramatically improve an organization's ability to defend against attacks and act as an early warning system.