Unsupervised Learning for Cyber

Supervised learning requires humans. But this is not the only way for machines to learn. Algorithms can also differentiate objects in an unsupervised way, without need for humans. In simple examples of unsupervised learning, observed objects are clustered based on features. For example, six humans can be clustered into two groups of men and women, or three groups of tall, medium, and short. Such determination does not require human help.

When such unsupervised learning methods are applied to the common types of problems encountered in the cyber security community, the clusters will correspond to factors deemed relevant to the detection of malware or other cyber threat indicators. Using algorithmic techniques such as K-means clustering, for example, unsupervised learning creates averages for each grouping to model normal versus malicious activity in a target environment.

When applied to a network, the clustering, modeling, and analysis are done for captured traffic. Since the characteristics of typical modern enterprise network change so often, static clustering unsupervised algorithms are left somewhat wanting. Instead, a true generative dynamic model is needed, created by unsupervised learning, and capable of predicting the state of the network from past observations, without the assistance of humans.

This past week, TAG Cyber analyst Katie Teitler and I spent some quality time with the principals of Santa Barbara-based MixMode, which you might recognize by its legal name PacketSled. The team shared their approach to using unsupervised learning (which they refer to as autonomous AI) for network visibility and advanced threat detection. The solution looked exciting, and the discussion was rich and technical. Here is what I learned:

“Our use of unsupervised learning is designed to help teams detect zero-day attacks that are not easily identified based on threat intelligence feeds,” explained Igor Mezic, Professor at the University of California at Santa Barbara and also the Chief Scientist for MixMode. “We also address both the alert fatigue found so often in security operations centers, as well as the lack of visibility so prevalent in enterprise security contexts.”

The MixMode Traffic Analysis Platform was conceived in projects funded by DARPA and the DoD as part of the so-called Third-Wave AI approach to autonomous situational adaptation. The goal is for the AI to use adaptive reasoning and contextual analysis to discern the difference between objects. MixMode’s generative model-based AI was built to apply this adaptive approach to problems of creating security indicators on a data network.

The platform works by ingesting network feeds from tools such as from Snort, Bro, AWS netflow, and CloudTrail logs. I asked Mezic how this differs from a SIEM: “An enterprise SIEM is limited in the data it can collect from system logs and is also tough to configure as new devices and systems are added,” he replied. “We focus instead on pulling live data from the wire so that we see exactly what is present on the network at all times.”

The MixMode AI works on data using methods that Mezic has been working on for over twenty years. A baseline behavioral model is created in about a week, and useful security indicators are then autonomously generated. MixMode workflow management supports both proactive alerting and reactive investigations, and is easily integrated via REST API with existing SOAR or other tools such as Splunk, ServiceNow, Demisto, and LogRhythm.

I asked about the typical installation form factor and Mezic was clear about the company’s direction: “We see ourselves as a software company,” he replied. “So, while we certainly can support on-premise deployments with an appliance, we generally see virtualized integration as the best means for using MixMode. This is certainly the trend we see for most enterprise and government customers of all sizes.”

With all the AI-based tools being marketed of late, it is becoming all-too-easy to miss the wheat for the chaff. But I can assure you that Mezic and the MixMode team are the real deal. Their application of Third-Wave AI is technically sound, and built on a strong, foundational research base. I suspect that with growing deployments, the platform will only grow more accurate and effective – especially for hybrid cloud architectures.

My recommendation is to be in touch with MixMode and to ask for a demo (see the pic at the top of this article). If you are lucky, you’ll get Dr. Mezic himself, and you can ask him to explain the basis for their artificial intelligence algorithms. I suspect you’ll find his narrative to be both helpful and interesting. We all knew that AI was going to eventually help the defenders start catching up with the bad guys. This platform is part of that equation.

I hope you’ll share your experience and insight with us after you’ve looked into this platform. I hope to hear from you.