There is a new security tool in development that uses advanced machine learning to counter cyber threats.
Development of the tool stepped up after last year, when Oak Ridge National Laboratory became the victim of a breach. A successful phishing attack infected its network with what a spokesperson called a “very sophisticated” piece of malware designed to steal information from the lab’s network. Email and Internet access at the lab were shut down for over a week until the infection could be identified and removed.
The tool under development looks for data sent out of an enterprise by insiders, drawing on data from each host on the network to identify bad behavior. Profiles of normal user behavior are easy to create, and the signatures of data exfiltration can be understood. Behavior flagged as suspicious or malicious can be diverted to a honeypot environment, where the user is isolated while the team studies the user’s actions.
A team of three researchers with expertise in machine learning has worked on and off for three years to produce the Attack Variant Detector (AVD). The AVD tool builds on existing algorithms to detect malicious patterns, using machine learning to determine what types of behavior are normal and what is anomalous. “It’s not a complete build from the ground up,” said Oak Ridge researcher Robert Gillen.
AVD operates on a large scale, looking for malicious activity directed at the enterprise from the outside. Because it is working in an expanded environment, scale and speed become more important. Gillen said the team is confident of its ability to ramp up its speed.
“Our biggest problem right now is false positives,” he said, meaning legitimate traffic wrongly identified as possibly malicious. This is a critical measure of success: for a tool to produce usable intelligence, it must flag or block as little legitimate activity as possible.
AVD is capable of detecting 80 percent of bad traffic missed by other tools, “which we are very pleased with,” Gillen said. “But we’re trying to get the false positives down to 10 percent or lower.”
Although the AVD project is still in the prototyping stage and some basic engineering remains, advances in its capabilities at this point are coming more from tweaking the software than from making substantial changes. “It’s a matter of tuning the features we want, doing a lot of work on the triage,” he said, which will let a variety of algorithms produce a consensus conclusion about behavior.
Oak Ridge does not build commercial products, but once the technology advances beyond the prototype stage, the lab will be able to license it to commercial companies.
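The two ideas in the paragraphs above, several detectors voting to a consensus and the detection-rate versus false-positive trade-off that the team is tuning, can be seen in a small worked example. The following Python is an added illustration and is not AVD code or anything from Oak Ridge: the flow records, the three toy detectors (a z-score on bytes out, a z-score on connection rate, and a never-seen destination check) and the thresholds are all constructed here. It shows how raising the number of votes required lowers the false-positive rate but also lets some malicious flows through, which is exactly the tension the article describes.

```python
"""Consensus of several anomaly detectors over per-host flow summaries.

Added example, not Oak Ridge's AVD code. All flows below are constructed;
the 'malicious' label is ground truth used only to score the detectors.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Callable


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    bytes_out: int      # bytes the host sent in the observation interval
    connections: int    # outbound connections opened in the interval
    malicious: bool     # constructed ground-truth label, used only for scoring


Detector = Callable[[Flow], bool]

# Constructed "normal" traffic used to build the behavior profile.
BASELINE = [
    Flow("ws01", "corp-mail", 1000, 3, False),
    Flow("ws02", "corp-file", 1200, 5, False),
    Flow("ws03", "corp-web",   800, 4, False),
    Flow("ws04", "corp-mail", 1100, 2, False),
    Flow("ws05", "corp-file",  900, 6, False),
    Flow("ws06", "corp-web",  1000, 4, False),
]

# Constructed test traffic mixing benign flows (including a legitimate
# off-site backup) with exfiltration attempts of varying subtlety.
SAMPLE = [
    Flow("ws01", "corp-mail",      1050,  4, False),
    Flow("ws02", "corp-file",      1100,  5, False),
    Flow("ws03", "cdn-update",     1000,  3, False),  # new destination only
    Flow("ws04", "corp-web",       1300,  9, False),  # burst of connections only
    Flow("ws05", "backup-offsite", 6000,  4, False),  # big transfer to new host
    Flow("ws06", "198.51.100.7",   9000, 15, True),   # loud exfiltration
    Flow("ws07", "203.0.113.9",    1500, 10, True),   # moderate exfiltration
    Flow("ws08", "corp-web",       1100,  5, True),   # hidden in normal traffic
    Flow("ws09", "203.0.113.9",    1000,  3, True),   # low and slow to new host
]


def zscore_detector(field: str, baseline: list[Flow], z_max: float = 3.0) -> Detector:
    """Fire when a numeric field exceeds the baseline mean by z_max std devs."""
    values = [getattr(f, field) for f in baseline]
    mu, sigma = mean(values), pstdev(values)

    def fires(flow: Flow) -> bool:
        value = getattr(flow, field)
        if sigma == 0:                 # degenerate profile: any change is anomalous
            return value > mu
        return (value - mu) / sigma > z_max

    return fires


def new_destination_detector(baseline: list[Flow]) -> Detector:
    """Fire when the destination was never seen in the baseline."""
    known = {f.dst for f in baseline}
    return lambda flow: flow.dst not in known


def consensus(detectors: list[Detector], min_votes: int) -> Detector:
    """Flag a flow only when at least min_votes detectors agree."""
    return lambda flow: sum(d(flow) for d in detectors) >= min_votes


def evaluate(flagger: Detector, flows: list[Flow]) -> dict[str, float]:
    """Detection rate = TP/(TP+FN); false-positive rate = FP/(FP+TN)."""
    tp = sum(1 for f in flows if f.malicious and flagger(f))
    fn = sum(1 for f in flows if f.malicious and not flagger(f))
    fp = sum(1 for f in flows if not f.malicious and flagger(f))
    tn = sum(1 for f in flows if not f.malicious and not flagger(f))
    return {"detection_rate": tp / (tp + fn), "false_positive_rate": fp / (fp + tn)}


DETECTORS: list[Detector] = [
    zscore_detector("bytes_out", BASELINE),
    zscore_detector("connections", BASELINE),
    new_destination_detector(BASELINE),
]


def sweep(min_votes: int) -> dict[str, float]:
    """Score the ensemble on SAMPLE for a given consensus threshold."""
    return evaluate(consensus(DETECTORS, min_votes), SAMPLE)


if __name__ == "__main__":
    for k in (1, 2, 3):
        print(f"votes required={k}: {sweep(k)}")
```

With one vote required, every flow any detector dislikes is flagged: the benign CDN update, the connection burst and the off-site backup all become false positives, though the low-and-slow exfiltration is caught. Requiring two votes clears two of those three false positives but loses the low-and-slow case; requiring all three eliminates false positives entirely at the same detection rate as two votes. The flow hidden inside normal traffic is never caught, which is the kind of case feature tuning, rather than vote-counting, has to address.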
AVD would operate much like a more traditional Intrusion Detection System, gathering its data for analysis at a single point in the network. The analysis of larger amounts of data could, however, scale up with increased computing power.