Machine Learning for More Effective Threat Detection

DarkSniper White Paper

July 23, 2021

Enterprises are looking for a powerful and effective threat detection and response solution to meet their need for a higher level of security and thereby attain their business objectives. It is no longer valid to assume that the conventional rule-based or signature-based approach is adequate for discovering and detecting the ever-changing nature of threats. As attacks become smarter and even apply intelligent techniques of their own, a smarter approach is needed to stay ahead of attackers. This is the motivation for using machine learning, one class of artificial intelligence technology.

According to a Gartner report, applying machine learning and other analytical techniques to network traffic is helping enterprises detect suspicious traffic that other security tools miss. It is not surprising, then, that one of Gartner's recommendations is to implement behavior-based NDR tools to complement signature-based detection solutions.

Because AI technology is able to learn its way around the network and record, measure and analyze normal activity on its own, it is well suited to monitoring for and alerting on potential cyber-attacks. With its measure of normal network behavior (performance, bandwidth, availability, etc.), the AI can detect an unusual spike in requests or other data that indicates attacks such as Denial-of-Service, ransomware, or other types of intrusions.

An AI-based solution can also measure and categorize normal network traffic, using predictive analytics to profile the typical user base and resource utilization. A cyber-attack may look like normal external network activity in some ways, but it may have a few specific characteristics used to mask its source or hide its intent. Machine learning is very useful for finding these small differences between normal activity and activity that is not normally seen on your network.

Overall, machine learning based on anomaly and behavioral detection improves Network Detection and Response (NDR) solutions. Machine learning covers both anomaly and behavioral detection. It improves the detection of threats and provides better information to security operations center teams, enabling them to focus their attention where it is needed most.

How DarkSniper Best Utilizes Machine Learning

The overall process is shown in the figure below. The first step is to collect logs from the local network and extract the flow, with its full details, for each single connection. The stored flows of each IP/hostname are the input to the "Cluster Construction" phase, which is responsible for understanding the normal behavior and identifying the threshold for abnormal traffic. Then a "Behavior Profile" is defined for each IP/hostname and stored in a database. DarkSniper uses the profile details to monitor live connections, reach the right conclusion about the received traffic (Normal | Abnormal), and take the right decision to block or allow the IP/hostname.
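The pipeline described above (per-host flow collection, a baseline cluster with an abnormality threshold, a stored behavior profile per IP/hostname, and live classification into Normal | Abnormal with an allow/block decision), and the per-host baselining of volume and resource use discussed earlier, are illustrated by the following added example. It is not DarkSniper's code or algorithm: the flow records are constructed sample data, the features, the z-score threshold (k = 3) and the "unseen destination port" rule are assumptions chosen for this illustration, and the profile "database" is an in-memory dictionary.

```python
"""Added illustration (not DarkSniper code): a minimal collect -> baseline ->
profile -> live-classification pipeline in the shape the white paper describes.
Every flow below is constructed sample data; the z-score threshold (k=3) and the
"unseen destination port" rule are assumptions made for this example."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, FrozenSet, List, Tuple

FEATURES = ("bytes_out", "packets", "duration_s")


@dataclass(frozen=True)
class Flow:
    host: str          # IP or hostname the connection is attributed to
    dst_port: int
    bytes_out: int
    packets: int
    duration_s: float


@dataclass
class Profile:
    host: str
    center: Dict[str, float]       # per-feature mean of the host's normal flows
    spread: Dict[str, float]       # per-feature std-dev, floored to avoid /0
    known_ports: FrozenSet[int]    # destination ports seen while baselining
    threshold: float               # z-distance beyond which a flow is abnormal


def _vec(flow: Flow) -> Dict[str, float]:
    return {f: float(getattr(flow, f)) for f in FEATURES}


def build_profile(host: str, flows: List[Flow], k: float = 3.0) -> Profile:
    """Cluster-construction step for one host: learn what 'normal' looks like
    and derive the abnormality threshold from the spread of that cluster."""
    rows = [_vec(f) for f in flows if f.host == host]
    if len(rows) < 2:
        raise ValueError(f"{host}: need at least two baseline flows")
    center = {f: mean(r[f] for r in rows) for f in FEATURES}
    spread = {f: max(pstdev(r[f] for r in rows), 1e-9) for f in FEATURES}
    ports = frozenset(f.dst_port for f in flows if f.host == host)
    return Profile(host, center, spread, ports, threshold=k)


def build_profile_db(flows: List[Flow]) -> Dict[str, Profile]:
    """Behavior-profiling step: one stored profile per IP/hostname."""
    return {h: build_profile(h, flows) for h in sorted({f.host for f in flows})}


def z_distance(profile: Profile, flow: Flow) -> float:
    """Largest per-feature z-score: how far the flow sits from the host's centre."""
    v = _vec(flow)
    return max(abs(v[f] - profile.center[f]) / profile.spread[f] for f in FEATURES)


def classify(profile: Profile, flow: Flow) -> Tuple[str, str, str]:
    """Live-monitoring step: returns (Normal|Abnormal, allow|block, reason)."""
    reasons = []
    d = z_distance(profile, flow)
    if d > profile.threshold:
        reasons.append(f"volume z-distance {d:.1f} > {profile.threshold}")
    if flow.dst_port not in profile.known_ports:
        reasons.append(f"unseen destination port {flow.dst_port}")
    if reasons:
        return "Abnormal", "block", "; ".join(reasons)
    return "Normal", "allow", f"within profile (z={d:.2f})"


def monitor(db: Dict[str, Profile], live: List[Flow]) -> List[Tuple[str, str, str, str]]:
    """Run every live flow against its host's stored profile.  A host with no
    profile is reported as Abnormal so it gets baselined rather than silently allowed."""
    out = []
    for flow in live:
        p = db.get(flow.host)
        if p is None:
            out.append((flow.host, "Abnormal", "block", "no profile for host"))
        else:
            out.append((flow.host,) + classify(p, flow))
    return out


# ---- constructed sample data (not captured traffic) -----------------------
BASELINE = [
    # workstation: small HTTPS/HTTP sessions
    Flow("10.0.0.5", 443, 2000, 12, 0.8), Flow("10.0.0.5", 443, 2400, 14, 1.0),
    Flow("10.0.0.5", 443, 2800, 16, 1.2), Flow("10.0.0.5", 80, 2200, 13, 0.9),
    Flow("10.0.0.5", 80, 2600, 15, 1.1),  Flow("10.0.0.5", 443, 3000, 18, 1.4),
    # backup server: large SMB transfers are its normal
    Flow("10.0.0.9", 445, 400000, 3000, 20.0), Flow("10.0.0.9", 445, 500000, 3500, 25.0),
    Flow("10.0.0.9", 445, 600000, 4000, 30.0), Flow("10.0.0.9", 445, 450000, 3200, 22.0),
    Flow("10.0.0.9", 445, 550000, 3800, 28.0),
]
LIVE = [
    Flow("10.0.0.5", 443, 2500, 15, 1.0),        # ordinary browsing
    Flow("10.0.0.5", 443, 520000, 3600, 26.0),   # backup-sized transfer from a workstation
    Flow("10.0.0.9", 445, 520000, 3600, 26.0),   # the same volume is normal for the backup host
    Flow("10.0.0.5", 22, 2500, 15, 1.0),         # normal volume, port never seen before
    Flow("10.0.0.77", 443, 100, 2, 0.1),         # host with no stored profile
]

if __name__ == "__main__":
    for row in monitor(build_profile_db(BASELINE), LIVE):
        print(*row, sep=" | ")
```

The point the sample data makes is that the threshold is per host: a 520 kB flow is ordinary for the backup server and far outside the workstation's cluster, which a single global threshold could not express. In a real deployment the `BASELINE` list would be the flows collected from the network and `build_profile_db` would be re-run on a schedule so profiles track legitimate drift.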