This is the second article in a three-part series on Network Baselining. See part 1, An Introduction to Baselining Technology, here.
How Is This Baseline Recorded?
Recall the 9 a.m. to 6 p.m. average. Picture it as a wave that rises and falls deterministically: it recurs in a very similar way every day. Around that wave there is a stochastic part, reflecting activity such as emails sent at arbitrary times, and the Koopman Mode Decomposition theorem that our algorithm is based on lets us separate those two parts.
We separate the wavelike parts from the stochastic parts. Five minutes later we look again and compare the current state of the network against what we have seen historically and what the AI predicted would happen. If they differ, that is a detected anomaly.
How Long Does It Take To Create a Baseline?
The MixMode algorithm starts working within the first five minutes and learns the wave and stochastic components as it goes. Because those components can differ between a Tuesday and a Friday, the AI needs about seven days to complete the baseline recording and creation process.
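As an added illustration of the two ideas above (the wave-plus-stochastic split, and a baseline learned over repeating periods), here is a simplified Python detector; it is not MixMode's code and does not implement Koopman Mode Decomposition. It learns a per-slot periodic wave from a week of constructed five-minute counts, estimates the residual jitter, and flags a new window whose deviation from the prediction exceeds an assumed threshold of four residual standard deviations. The `period` parameter generalizes the daily wave to a weekly one, which is what the Tuesday-versus-Friday difference calls for once several weeks of history exist.

```python
import math
import random
from collections import defaultdict

SLOTS_PER_DAY = 24 * 60 // 5   # 288 five-minute windows in a day

def learn_baseline(series, period=SLOTS_PER_DAY):
    """Split a per-window series into a periodic 'wave' (mean per position in
    the period; pass 7 * SLOTS_PER_DAY for a weekly wave given several weeks
    of history) and sigma, the spread of the 'stochastic' residual."""
    buckets = defaultdict(list)
    for i, value in enumerate(series):
        buckets[i % period].append(value)
    wave = [sum(buckets[p]) / len(buckets[p]) for p in range(period)]
    residuals = [v - wave[i % period] for i, v in enumerate(series)]
    sigma = math.sqrt(sum(r * r for r in residuals) / len(residuals))
    return {"wave": wave, "sigma": sigma}

def predict(baseline, slot):
    """What the baseline expects for the window at absolute slot index `slot`."""
    return baseline["wave"][slot % len(baseline["wave"])]

def is_anomaly(baseline, slot, observed, k=4.0):
    """Flag the window when it deviates from the prediction by more than
    k residual standard deviations (k=4 is an assumed, not vendor, threshold)."""
    return abs(observed - predict(baseline, slot)) > k * baseline["sigma"]

def synthetic_week(seed=7):
    """Constructed sample data: seven days of 5-minute message counts with a
    9 a.m. to 6 p.m. hump plus Gaussian jitter, standing in for real telemetry."""
    rng = random.Random(seed)
    series = []
    for _ in range(7):
        for s in range(SLOTS_PER_DAY):
            hour = s * 5 / 60
            hump = math.sin(math.pi * (hour - 9) / 9) if 9 <= hour < 18 else 0.0
            series.append(200 + 800 * hump + rng.gauss(0, 30))
    return series

def scan(baseline, windows, k=4.0):
    """Apply the detector to (slot, observed) pairs from the current period;
    return the slots that would raise an alert."""
    return [slot for slot, obs in windows if is_anomaly(baseline, slot, obs, k)]

if __name__ == "__main__":
    base = learn_baseline(synthetic_week())
    noon, three_am = 12 * 12, 3 * 12
    print(scan(base, [(noon, 900), (three_am, 1500)]))  # -> [36]
```

A noon count near the learned hump is normal, while the same-sized count at 3 a.m. lands far outside the quiet night-time wave and is flagged.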
If a breach were to happen in those first seven days, the AI would in fact notice, but customers do need to watch their system for the first week because it does not have much confidence while it is building the initial baseline.
Soon we will add a self-correcting component that lets the program continue through a breach without restarting. Because the AI has predictive capability, it knows what should have happened in the last five minutes as opposed to what actually happened during a breach, so we are working on excising the attack from the baseline and replacing it with what should have happened in that time slot.
For now it is also valuable for the customer to watch the process and to intervene if the AI shows something is wrong. The AI does not put out many alerts, only about 4 or 5 a day, so if something really bad is happening the customer can easily see it, as long as they are monitoring.
MixMode had a situation where a customer received no alerts from their usual intel feeds about something really bad happening, but the AI told them it was going on. Unfortunately, this was discovered after the fact: the bad thing happened and the AI caught it, but they just did not look fast enough.
Next week we will share how to use your baseline for network security.