Author: Zach Winn | MIT News Office
Being a cybersecurity analyst at a large company today is a bit like looking for a needle in a haystack — if that haystack were hurtling toward you at fiber optic speed.
Every day, employees and customers generate loads of data that establish a normal set of behaviors. An attacker will also generate data while using any number of techniques to infiltrate the system; the goal is to find that “needle” and stop it before it does any damage.
The data-heavy nature of that task lends itself well to the number-crunching prowess of machine learning, and an influx of AI-powered systems has indeed flooded the cybersecurity market over the years. But such systems can come with their own problems, namely a never-ending stream of false positives that can make them more of a time suck than a time saver for security analysts.
MIT startup PatternEx starts with the assumption that algorithms can’t protect a system on their own. The company has developed a closed-loop approach whereby machine-learning models flag possible attacks and human experts provide feedback on each one. That feedback is then incorporated into the models, improving their ability to flag only the activity analysts care about in the future.
“Most machine learning systems in cybersecurity have been doing anomaly detection,” says Kalyan Veeramachaneni, a co-founder of PatternEx and a principal research scientist at MIT. “The problem with that, first, is you need a baseline [of normal activity]. Also, the model is usually unsupervised, so it ends up showing a lot of alerts, and people end up shutting it down. The big difference is that PatternEx allows the analyst to inform the system and then it uses that feedback to filter out false positives.”
The result is an increase in analyst productivity. When compared to a generic anomaly detection software program, PatternEx’s Virtual Analyst Platform successfully identified 10 times more threats through the same number of daily alerts, and its advantage persisted even when the generic system gave analysts five times more alerts per day.
First deployed in 2016, today the company’s system is being used by security analysts at large companies in a variety of industries along with firms that offer cybersecurity as a service.
Merging human and machine approaches to cybersecurity
Veeramachaneni came to MIT in 2009 as a postdoc and now directs a research group in the Laboratory for Information and Decision Systems. His work at MIT primarily deals with big data science and machine learning, but he didn’t think deeply about applying those tools to cybersecurity until a brainstorming session with PatternEx co-founders Costas Bassias, Uday Veeramachaneni, and Vamsi Korrapati in 2013.
Ignacio Arnaldo, who worked with Veeramachaneni as a postdoc at MIT between 2013 and 2015, joined the company shortly after. Veeramachaneni and Arnaldo knew from their time building tools for machine-learning researchers at MIT that a successful solution would need to seamlessly integrate machine learning with human expertise.
“A lot of the problems people have with machine learning arise because the machine has to work side by side with the analyst,” Veeramachaneni says, noting that detected attacks still must be presented to humans in an understandable way for further investigation. “It can’t do everything by itself. Most systems, even for something as simple as giving out a loan, are augmentation, not machine learning just taking decisions away from humans.”
The company’s first partnership was with a large online retailer, which allowed the founders to train their models to identify potentially malicious behavior using real-world data. One by one, they trained their algorithms to flag different types of attacks using sources like Wi-Fi access logs, authentication logs, and other user behavior in the network.
The early models worked best in retail, but Veeramachaneni knew from his many conversations with company executives at MIT how much businesses in other industries were struggling to apply machine learning in their operations (a subject on which PatternEx recently published a paper).
“MIT has done an incredible job since I got here 10 years ago bringing industry through the doors,” Veeramachaneni says. He estimates that in the past six years as a member of MIT’s Industrial Liaison Program he’s had 200 meetings with members of the private sector to talk about the problems they’re facing. He has also used those conversations to make sure his lab’s research is addressing relevant problems.
In addition to enterprise customers, the company began offering its platform to security service providers and teams that specialize in hunting for undetected cyberattacks in networks.
Today analysts can build machine learning models through PatternEx’s platform without writing a line of code. That lowers the bar for people to use machine learning, part of a larger trend in the industry toward what Veeramachaneni calls the democratization of AI.
“There’s not enough time in cybersecurity; it can’t take hours or even days to understand why an attack is happening,” Veeramachaneni says. “That’s why getting the analyst the ability to build and tweak machine learning models is the most critical aspect of our system.”
Giving security analysts an army
PatternEx’s Virtual Analyst Platform is designed to make security analysts feel like they have an army of assistants combing through data logs and presenting them with the most suspicious behavior on their network.
The platform uses machine learning models to go through more than 50 streams of data and identify suspicious behavior. It then presents that information to the analyst for feedback, along with charts and other data visualizations that help the analyst decide how to proceed. After the analyst determines whether the behavior is an attack, that feedback is incorporated back into the models, which are updated across PatternEx’s entire customer base.
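To make the closed loop concrete (the flag-then-feedback cycle described both in the opening section and just above), here is an added, self-contained example; it is not PatternEx code and does not reproduce the company’s models. It standardises a few constructed per-account authentication features against a baseline, ranks accounts by an unsupervised deviation score, lets an analyst label the alerts that ranking surfaces, and then trains a small logistic-regression re-ranker on those verdicts alone. The event names, feature set, counts and labels are all invented for illustration.

```python
"""Analyst-in-the-loop alert triage: unsupervised anomaly scoring first, then a
supervised re-ranker trained only on the analyst's verdicts.  Added example,
not PatternEx's code; all events, features and labels below are constructed."""
import math
from dataclasses import dataclass

FEATURES = ("failed_logins", "distinct_src_ips", "off_hours", "new_device")


@dataclass(frozen=True)
class Event:
    """One (account, day) aggregate built from constructed auth-log counts."""
    id: str
    failed_logins: int
    distinct_src_ips: int
    off_hours: int    # 1 if most logins fell outside business hours
    new_device: int   # 1 if a never-before-seen device fingerprint appeared

    def vector(self):
        return [float(getattr(self, f)) for f in FEATURES]


# Constructed day-1 aggregates (hypothetical accounts, not real telemetry).
DAY1 = [
    Event("user-1", 0, 1, 0, 0), Event("user-2", 1, 1, 0, 0), Event("user-3", 0, 1, 0, 0),
    Event("user-4", 2, 1, 0, 0), Event("user-5", 0, 2, 0, 0), Event("user-6", 1, 1, 0, 0),
    Event("backup-1", 0, 12, 1, 0),    # nightly backup job fanning out to many hosts: odd but benign
    Event("backup-2", 0, 11, 1, 0),
    Event("exec-travel", 2, 2, 1, 1),  # executive abroad on a new laptop: benign
    Event("spray", 30, 20, 1, 1),      # password spraying from many source IPs
    Event("stuffing", 15, 5, 1, 1),    # credential stuffing from a small botnet
]
# Verdicts the analyst returned on the day-1 alerts they reviewed (constructed): 1 = attack.
ANALYST_LABELS = {"spray": 1, "stuffing": 1, "exec-travel": 0, "backup-1": 0, "backup-2": 0}
# Constructed day-2 aggregates the trained loop has never seen.
DAY2 = [Event("backup-3", 0, 12, 1, 0), Event("spray-2", 26, 16, 1, 1), Event("user-7", 1, 1, 0, 0)]


def baseline_stats(events):
    """Per-feature mean and population std; the 'baseline of normal activity'."""
    stats = []
    for col in zip(*(e.vector() for e in events)):
        mean = sum(col) / len(col)
        std = math.sqrt(sum((v - mean) ** 2 for v in col) / len(col))
        stats.append((mean, max(std, 1e-9)))  # guard constant features
    return stats


def zscores(event, stats):
    return [(v - m) / s for v, (m, s) in zip(event.vector(), stats)]


def anomaly_score(event, stats):
    """Unsupervised score: total deviation from baseline, blind to direction or intent."""
    return sum(abs(z) for z in zscores(event, stats))


def rank_by_anomaly(events, stats):
    return sorted(((e.id, anomaly_score(e, stats)) for e in events), key=lambda t: -t[1])


def _sigmoid(x):
    x = max(min(x, 60.0), -60.0)  # clamp so exp() cannot overflow
    return 1.0 / (1.0 + math.exp(-x))


def train_on_feedback(events, labels, stats, epochs=500, lr=0.5):
    """Logistic regression on standardised features, fit by full-batch gradient
    descent to the analyst's verdicts only (unlabelled events are ignored)."""
    rows = [(zscores(e, stats), labels[e.id]) for e in events if e.id in labels]
    w, b = [0.0] * len(FEATURES), 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * len(FEATURES), 0.0
        for z, y in rows:
            err = _sigmoid(sum(wi * zi for wi, zi in zip(w, z)) + b) - y
            gw = [g + err * zi for g, zi in zip(gw, z)]
            gb += err
        w = [wi - lr * g / len(rows) for wi, g in zip(w, gw)]
        b -= lr * gb / len(rows)
    return w, b


def attack_probability(event, stats, model):
    w, b = model
    return _sigmoid(sum(wi * zi for wi, zi in zip(w, zscores(event, stats))) + b)


def triage(events, stats, model, threshold=0.5):
    """Feedback-informed ranking: only events the re-ranker scores at or above
    the threshold are surfaced to the analyst."""
    scored = sorted(((e.id, attack_probability(e, stats, model)) for e in events), key=lambda t: -t[1])
    return [(i, round(p, 3)) for i, p in scored if p >= threshold]


if __name__ == "__main__":
    stats = baseline_stats(DAY1)
    print("day-1 unsupervised ranking:", rank_by_anomaly(DAY1, stats)[:5])
    model = train_on_feedback(DAY1, ANALYST_LABELS, stats)
    print("day-2 unsupervised ranking :", rank_by_anomaly(DAY2, stats))
    print("day-2 after analyst feedback:", triage(DAY2, stats, model))
```

On day 1 the deviation score alone pages on five accounts, three of which the analyst marks benign. On day 2 the same unsupervised score would page on the backup job again (it is just as far from baseline as before), while the re-ranker, having learned that this pattern is something this analyst does not care about, suppresses it and keeps the new spraying account. Two caveats a practitioner would watch for: the baseline here is frozen at day 1, whereas a real deployment needs a rolling one, and with only five verdicts any feature that is constant across the labelled alerts (here `off_hours`) carries no signal for the re-ranker, so the model is only as good as the breadth of feedback it has received.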
“Before machine learning, someone would catch an attack, probably a little late, they might name it, and then they’ll announce it, and all the other companies will call and find out about it and go in and check their data,” Veeramachaneni says. “For us, if there’s an attack, we take that data, and because we have multiple customers, we have to transfer that in real time to other customers’ data to see if it’s happening with them too. We do that very efficiently on a daily basis.”
The moment the system is up and running with new customers, it is able to identify 40 different types of cyberattacks using 170 different prepackaged machine learning models. Arnaldo notes that as the company works to grow those figures, customers are also adding to PatternEx’s model base by building solutions on the platform that address specific threats they’re facing.
Even if customers aren’t building their own models on the platform, they can deploy PatternEx’s system out of the box, without any machine learning expertise, and watch it get smarter automatically.
By providing that flexibility, PatternEx is bringing the latest tools in artificial intelligence to the people who understand their industries most intimately. It all goes back to the company’s founding principle of empowering humans with artificial intelligence instead of replacing them.
“The target users of the system are not skilled data scientists or machine learning experts — profiles that are hard for cybersecurity teams to hire — but rather domain experts already on their payroll that have the deepest understanding of their data and use cases,” Arnaldo says.