Not all Artificial Intelligence is created equal. As we move towards a future where we lean on cybersecurity much more in our daily lives, it’s important to be aware of the differences in the types of AI being used for network security.
Dr. Igor, Chief Scientist and CTO at MixMode explains:
Over the last decade, Machine Learning has made huge progress in technology with Supervised and Reinforcement learning, in everything from photo recognition to self-driving cars.
However, Supervised Learning is limited in its network security abilities like finding threats because it only looks for specifics that it has seen or labeled before, whereas Unsupervised Learning is constantly searching the network to find anomalies.
Machine Learning comes in a few forms: Supervised, Reinforcement, Unsupervised and Semi-Supervised (also known as Active Learning).
Labeling VS Learning
Supervised Learning relies on a process of labeling in order to “understand” information.
The machine learns from labeling lots of data and is able to “recognize” something only after someone, most likely a security professional, has already labeled it, as it can not do so on its own.
This is beneficial only when you know exactly what you’re looking for, which is definitely not commonly the case in cybersecurity. Most often, hackers are using a method of attack that the security program has not seen before in which case a supervised system would be totally useless.
The Benefit of Unsupervised Learning
This is where Unsupervised Learning comes in. Unsupervised Learning draws inferences from datasets without labels. It is best used if you want to find patterns but don’t know exactly what you’re looking for.
This makes it useful in cybersecurity where the attacker is always changing methods. It’s not looking for a specific label, but rather any pattern that is out of the norm will be flagged as dangerous, which is a much better method in a situation where the attacker is always changing forms.
Unsupervised Learning will first create a baseline for your network that shows what everything should look like on a regular day. This way, if some file transfer breaks the pattern of regular behavior by being too large or sent at an odd time, it will be flagged as possibly dangerous by the Unsupervised system.
A Supervised Learning program will miss an attack if it has never seen it before because it hasn’t yet labeled that activity as dangerous, whereas with Unsupervised Learning security, the program only has to know that the action is abnormal in order to flag it as a potential threat.
Generative and Discriminative Models of Unsupervised Learning
There are two types of Unsupervised Learning: discriminative models and generative models. Discriminative models are only capable of telling you, if you give it X then the consequence is Y. Whereas the generative model can tell you the total probability that you’re going to see X and Y at the same time.
So the difference is as follows: the discriminative model assigns labels to inputs, and has no predictive capability. If you gave it a different X that it has never seen before it can’t tell what the Y is going to be because it simply hasn’t learned that. With generative models, once you set it up and find the baseline you can give it any input and ask it for an answer. Thus, it has predictive ability – for example it can generate a possible network behavior that has never been seen before.
So let’s say some person sends a 30 megabyte file at noon, what is the probability that he would do that? If you asked a discriminative model whether this is normal, it would check to see if the person had ever sent such a file at noon before… but only specifically at noon. Whereas a generative model would look at the context of the situation and check if they had ever sent a file like that at 11:59 a.m. and 12:30 p.m. too, and base its conclusions off of surrounding circumstances in order to be more accurate with its predictions.
How Mixmode Uses Generative Unsupervised Learning
The Artificial Intelligence that we are using at MixMode now is what is in the class of generative models in Unsupervised Learning, that basically gives it this predictive ability. It collects data to form a baseline of the network and will be able to predict what will happen over time because of its knowledge of what a day of the week looks like for the network.
If anything strays from this baseline, the platform will alert whichever security team oversees it that there has been an irregularity detected in network performance that should be adhering to the baseline standard.
For example, It collects data as it goes and then it says I know what’s going to happen on monday at 9: People are going to come in and network volume will grow, then at noon they gonna go for lunch so the network level will drop a bit, then they’ll continue working until six and go home and the network level will go down to the level it is during the night.
Because of its predictive power, the Generative Unsupervised learning model is capable of preventing Zero-Day attacks, which makes it the best security method out there and has the fastest response time to any breach.
Active Learning is the Future
MixMode plans to add Semi-Supervised or Active Learning to the platform in the near future, which takes the best of both unsupervised and supervised learning and puts them together in order to make predictions on how a network should behave.
Active learning starts with unsupervised learning by looking for any patterns on a network that deviate from the norm, then once it finds one it can label it as a threat, which is the supervised learning portion.
An active learning platform will be extremely useful because not only is it constantly scanning for any deviations on the network, but it is also constantly labeling and adding metadata to the abnormalities it does find which makes it a very strong detection and response system.