Machine Learning

Improving detection and categorization of anomalous events

More Traffic, More Threats

Network traffic is generating an ever growing amount of metadata and behavioral patterns that are vital for rapid detection of many kinds of malicious and anomalous behavior and forensic analysis. These include modern, zero-day and morphing malware, vulnerabilities in IoT devices misused by hackers or network misconfiguration causing data leaks and losses. Analysis of these big data sets an enormous for IT security teams and IT security vendors.

GreyCortex Mendel uses a variety of techniques of artificial intelligence, machine learning and advanced mathematical analysis to describe behavior of the entire network, each subnetwork, hosts and services to create a model of normal network behavior. This behavioral model is then gradually and automatically adapted as traffic and threats in the network evolve to effectively pinpoint malicious and anomalous behavior. Then, hundreds and thousands of these security incidents are categorized and clustered so that IT security teams can decide if and how to react to them.

More Advanced, More Intelligent

The behavioral detection engine of GreyCortex Mendel efficiently processes the metrics including internal (packet) features that are crucial for security focused applications. Mendel's data mining techniques use the following machine learning algorithms, based on Mendel's ASNM features of each flow:

  • Feature selection of individual data metrics and their transformation to gain detection efficiency and performance
  • Bayes’ analysis of transformed features for baselining and outlier detection
  • Probabilistic Gaussian Mixture Models for advanced malware detection (e.g. buffer overflow or password attacks)

These are complemented by several ad hoc detection methods to reveal of both known and unknown modern threats. We use the following types of learning and data mining techniques:

  • Unsupervised learning marks the flows as legitimate or anomalous by the clustering of similar behavior patterns
  • Outlier (anomaly) analysis
  • Supervised learning for classification of events based on past detections
  • Combination of supervised and unsupervised techniques to classify clusters of patterns and events
  • Characterization of attacks and their classes used by the above learning methods; explains events to a supervisor

GreyCortex launch

Why Machine Learning

  • Faster detection of unknown threats and anomalies
  • Reduction of time-to-response security incidents
  • More sensitive and reliable behavioral detection
  • Behavioral detection adapts to changing environment
  • Less time demanding administration