"SOC Turns to Homegrown Machine Learning to Catch Cyber-Intruders"

The information security team at a French bank found that an internally developed Machine Learning (ML) model trained on log data could detect three new types of data exfiltration that rules-based security appliances could not. The team extracted features from daily summary data stored in log files and used them to find anomalies in the bank's web traffic. According to Carole Boijaud, a cybersecurity engineer with Credit Agricole Group Infrastructure Platform (CA-GIP), the study focused on how to better detect data exfiltration by attackers, and it resulted in the identification of attacks that the company's previous system had missed. To identify the most important features to track in their analysis, the cybersecurity engineering team used a data-analysis technique called clustering. The popularity of domains, the number of times systems reached out to specific domains, and whether the request used an IP address or a standard domain name were among the most important features. After selecting the features most significant for classification, the team used an "isolation forest" technique to find outliers in the data. The isolation forest algorithm divides the data into several random trees based on feature values and then analyzes the trees to identify outliers, which are isolated in fewer splits than normal points. This method scales easily to handle many features and is relatively light in terms of processing. Initially, the model learned to detect three types of exfiltration attacks that the company would not have detected using existing security appliances. Overall, nearly half of the exfiltration attacks were detectable with a low false-positive rate. This article continues to discuss the ML system that helped a French bank detect three types of exfiltration attacks missed by current rules-based systems.
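The approach described above, as an added example that is not CA-GIP's code or the article's: it builds the three feature kinds named in the summary (domain popularity, per-host request count to a destination, IP-literal versus hostname) plus bytes sent from constructed daily proxy-log summary rows, then scores each (host, destination) pair with a small pure-Python isolation forest. Row values, hostnames and the `203.0.113.45` destination are all constructed sample data.

```python
# Added example (not CA-GIP code): score daily proxy-log summaries for
# exfiltration outliers using the article's feature ideas and an isolation forest.
import math, random, re
from collections import Counter

# Constructed daily summary rows: (internal host, destination, requests, bytes_out)
SUMMARY = [
    ("ws-01", "mail.example.com", 120, 1_500_000), ("ws-02", "mail.example.com", 95, 1_200_000),
    ("ws-03", "mail.example.com", 110, 1_400_000), ("ws-01", "intranet.example.com", 300, 800_000),
    ("ws-02", "intranet.example.com", 280, 700_000), ("ws-03", "intranet.example.com", 310, 900_000),
    ("ws-01", "cdn.example.net", 40, 200_000), ("ws-02", "cdn.example.net", 55, 250_000),
    ("ws-03", "cdn.example.net", 45, 210_000),
    ("ws-03", "203.0.113.45", 2, 48_000_000),  # constructed exfil: rare IP-literal dst, huge upload
]

def extract_features(summary):
    """Per (host, dst): destination popularity (distinct hosts), request count, IP-literal flag, bytes."""
    popularity = Counter(dst for _, dst, _, _ in summary)
    return [(h, d, [popularity[d], r, float(bool(re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", d))), b])
            for h, d, r, b in summary]

def c(n):
    """Average path length of an unsuccessful BST search on n points (normalisation term)."""
    if n <= 1: return 0.0
    if n == 2: return 1.0
    return 2 * (math.log(n - 1) + 0.5772156649) - 2 * (n - 1) / n

def build_tree(sample, rng, depth=0, limit=8):
    """Grow one isolation tree: pick a random feature and a random split in its [min, max] range."""
    if depth >= limit or len(sample) <= 1: return ("leaf", len(sample))
    dim = rng.randrange(len(sample[0]))
    lo, hi = min(p[dim] for p in sample), max(p[dim] for p in sample)
    if lo == hi: return ("leaf", len(sample))
    split = rng.uniform(lo, hi)
    return ("node", dim, split, build_tree([p for p in sample if p[dim] < split], rng, depth + 1, limit),
            build_tree([p for p in sample if p[dim] >= split], rng, depth + 1, limit))

def path_length(tree, x, depth=0):
    """Depth at which x ends up in a leaf; leaf size adds the expected remaining depth."""
    if tree[0] == "leaf": return depth + c(tree[1])
    _, dim, split, left, right = tree
    return path_length(left if x[dim] < split else right, x, depth + 1)

def anomaly_scores(summary, n_trees=100, seed=7):
    """Return (score, host, dst) sorted most anomalous first; a score near 1 means isolated quickly."""
    rows = extract_features(summary)
    rng, vectors = random.Random(seed), [v for _, _, v in rows]
    trees = [build_tree(vectors, rng) for _ in range(n_trees)]
    return sorted(((2 ** (-sum(path_length(t, v) for t in trees) / n_trees / c(len(vectors))), h, d)
                   for h, d, v in rows), reverse=True)

if __name__ == "__main__":
    for score, host, dst in anomaly_scores(SUMMARY)[:3]:
        print(f"{score:.2f}  {host} -> {dst}")
```

Because each split is drawn uniformly within a feature's own range, no scaling of the byte counts or request counts is needed; in a real deployment the per-day rows would be the aggregated proxy logs and the top-scored pairs would go to an analyst, not straight to a block action.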

Dark Reading reports "SOC Turns to Homegrown Machine Learning to Catch Cyber-Intruders"
