Anomaly detection in cybersecurity

AI Thread Summary
The discussion centers on enhancing cybersecurity data analytics, particularly through anomaly detection using Splunk. The focus is on developing custom anomaly detection logic rather than relying on Splunk's SIEM package. Key methods being utilized include volume, commonality, frequency, and variance detection. The conversation highlights the importance of tailoring data analysis to specific problems, with examples of data sources such as web server logs, firewall logs, and netflow data. Machine learning has been explored, particularly for identifying anomalies in network behavior and detecting data exfiltration, but achieving high accuracy has been challenging. Effective features for machine learning identified include connection count and data transfer metrics. The ongoing challenge is to model data exfiltration realistically while ensuring the analysis is adaptable and efficient.
stoomart
This question is primarily directed to @bapowell, but I encourage others to please add any thoughts or suggestions.

Brian, I just saw your bio while reading the CMB primers, and thought you may have some ideas on cybersecurity data analytics.

Some background: I've been in cybersecurity since 2000, and have been using Splunk for anomaly detection and investigation for just over a year now. Instead of opting for Splunk's SIEM package, I've been developing our anomaly detection logic from scratch, which has evolved over time to include any combination of the following:

volume (count)
commonality (count distinct entities)
frequency (relative time comparison)
variance (entity or population z-score)

Am I missing any ways of looking at the data?

Variance detection was the last major evolution in my efforts, and now I am looking for the next one. I will say my research and testing in machine learning was a bit of a dud, since I could only ever achieve ~80% accuracy instead of high 90s like I was hoping for, but this may have been a limitation of my abilities.
 
Hi there. What kinds of events/activities are you analyzing? What is an example of an "entity"? My experience so far has been that the necessary data and interesting features are very much determined by the specific problem you're trying to tackle. I hesitate to make a generic list of metrics for this reason.

What kinds of problems have you tried to solve with machine learning? What's your background, if you don't mind my asking?
 
bapowell said:
Hi there. What kinds of events/activities are you analyzing?
Logs from web servers, perimeter security devices (fw, waf, ips), internal netflow, server logons, database access/audit/alert, endpoint security, software/hardware installs, and others in line with the CIS top 20 controls.
What is an example of an "entity"?
This would be the actor in an event such as an internal user/machine, or external client.

My experience so far has been that the necessary data and interesting features are very much determined by the specific problem you're trying to tackle. I hesitate to make a generic list of metrics for this reason.
I agree, all my triggers are built around the individual data variables and what kind of anomaly I'm interested in. Sorry for the generic nature of this question, I'm hoping I've missed something obvious, but have a sense machine learning is the only way to really jump forward from this point.
What kinds of problems have you tried to solve with machine learning?
Most of my experience with machine learning was training DLP to identify proprietary source code files unique to the company running it, this product worked very well. My own efforts were focused on identifying anomalies in network behavior from netflow data using Splunk's machine learning engine.
What's your background, if you don't mind my asking?
I got started in security in high school with a major security vendor (big yellow), supported and administered every type of security product you can think of, got my CISSP somewhere in there, and am now the technical lead on a security team of 4 at an independent state agency.
 
One project I'm working on currently is using a learning algorithm to detect data exfiltration. The data that we're feeding to the classifier are suitably transformed netflows; it's currently not clear which features we need to sufficiently (and minimally) characterize a given flow record, but I'm hoping to make it port/protocol agnostic and perhaps independent of actual amounts of traffic per connection. Preliminary results are promising, but a big part of the challenge is realistically modeling the exfiltration.
 
The features I found most helpful in machine learning were connection count, upload bytes, and download bytes. My variance triggers calculate these three values for each entity (user, client) or object (port, webhost) in their target data set by time buckets (1h, 6h, 1d); the latest bucket for each entity/object is then compared to previous buckets to identify sigma spikes in any of the calculated fields.
 
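The four checks listed in the opening post (volume, commonality, frequency, variance) and the bucketed variance trigger described just above (connection count, upload bytes and download bytes per entity, latest bucket compared against earlier buckets for sigma spikes) can be shown together on one small data set. The following Python is an added example written for this thread, not stoomart's Splunk searches or any Splunk code: the flow records, entity and host names, byte counts, the 3-sigma threshold and the minimum-history guard are all constructed assumptions, and it also covers the edge cases a live trigger hits (a perfectly flat baseline, which would otherwise divide by zero, and the weakness of a population z-score when few entities are compared).

```python
"""Bucketed anomaly checks over flow-style records: volume, commonality,
frequency and variance (z-score). Constructed sample data only; entity and
host names, byte counts and thresholds are made up for illustration."""
from collections import defaultdict
from statistics import mean, pstdev

FIELDS = ("count", "distinct", "up", "down")


def make_sample_records():
    """Constructed netflow-like records: (hour, entity, dest, up_bytes, down_bytes).
    alice, bob and carol are steady for 24 hours; in hour 24 alice suddenly
    pushes large uploads to 40 previously unseen hosts (the constructed spike)."""
    recs = []
    for hour in range(25):
        if hour < 24:
            n = 5 + hour % 3                       # mild natural variation: 5, 6, 7 flows
            for i in range(n):
                recs.append((hour, "alice", f"host{i}", 1_000 + 10 * i, 50_000))
        else:
            for i in range(40):
                recs.append((hour, "alice", f"ext{i}", 5_000_000, 1_000))
        for _ in range(3):                          # bob: perfectly flat baseline
            recs.append((hour, "bob", "host9", 2_000, 80_000))
        for _ in range(4):                          # carol: flat, slightly busier
            recs.append((hour, "carol", "host7", 500, 10_000))
    return recs


def bucketize(records, bucket_hours=1):
    """Aggregate records into entity -> bucket -> {count, distinct, up, down}.
    'count' is volume; 'distinct' is commonality (distinct destinations)."""
    acc = defaultdict(lambda: {"count": 0, "dests": set(), "up": 0, "down": 0})
    for hour, entity, dest, up, down in records:
        m = acc[(entity, hour // bucket_hours)]
        m["count"] += 1
        m["dests"].add(dest)
        m["up"] += up
        m["down"] += down
    series = defaultdict(dict)
    for (entity, b), m in acc.items():
        series[entity][b] = {"count": m["count"], "distinct": len(m["dests"]),
                             "up": m["up"], "down": m["down"]}
    return dict(series)


def zscore(history, latest):
    """Z-score of the latest value against a list of earlier values.
    A flat history (stdev 0) cannot be scaled: return 0 for 'same as always'
    and inf for any deviation instead of dividing by zero."""
    mu, sd = mean(history), pstdev(history)
    if sd == 0:
        return 0.0 if latest == mu else float("inf")
    return (latest - mu) / sd


def frequency_ratio(series, entity, field):
    """Frequency check: the latest bucket relative to the bucket just before it."""
    ordered = sorted(series[entity])
    prev = series[entity][ordered[-2]][field]
    last = series[entity][ordered[-1]][field]
    if prev == 0:
        return 0.0 if last == 0 else float("inf")
    return last / prev


def variance_alerts(series, threshold=3.0, min_history=6):
    """Entity variance trigger: compare each entity's latest bucket with its own
    earlier buckets and flag fields that spike by at least `threshold` sigma."""
    alerts = []
    for entity, buckets in series.items():
        ordered = sorted(buckets)
        if len(ordered) <= min_history:
            continue                                # too little baseline to judge
        latest = ordered[-1]
        for field in FIELDS:
            history = [buckets[b][field] for b in ordered[:-1]]
            z = zscore(history, buckets[latest][field])
            if z >= threshold:                      # upward spikes only
                alerts.append((entity, field, latest, round(z, 1)))
    return alerts


def population_zscores(series, field):
    """Population z-score: each entity's latest value against every entity's
    latest value. With n entities the score is bounded by sqrt(n-1), so with
    only a few entities even a huge outlier cannot reach a 3-sigma threshold."""
    latest = {e: b[max(b)][field] for e, b in series.items()}
    values = list(latest.values())
    return {e: zscore(values, v) for e, v in latest.items()}


if __name__ == "__main__":
    series = bucketize(make_sample_records())
    for alert in variance_alerts(series):
        print("variance alert:", alert)
    print("alice frequency ratio (count):", round(frequency_ratio(series, "alice", "count"), 2))
    print("population z on count:", {e: round(z, 2) for e, z in population_zscores(series, "count").items()})
```

Running it flags alice's hour-24 bucket on count, distinct destinations and upload bytes, while bob and carol produce no alerts and no division-by-zero despite their flat histories. The population score on the same hour rates alice highest but stays well under 3 sigma with only three entities, which is why a per-entity history comparison is the sharper of the two when the entity set is small.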