How AI Can Make or Break a Network Monitoring Tool

essidsolutions

This article by David Balaban takes you through the use of AI in anomaly detection as well as the limitations of AI when it comes to network monitoring tools.

If one thing was apparent at the end of 2018, it was that modern organizations are still woefully unprepared for modern cyber attacks. When it takes an average of 191 days to identify data breaches, it is clear that business owners need to up their game to combat cybercriminals.

Unfortunately, keeping your network secure is no longer a matter of setting up a network monitoring tool and waiting passively for notifications. Advanced tools that use artificial intelligence (AI) are becoming increasingly important for addressing cyber attacks before they take root. In network monitors, AI is most commonly used for anomaly detection.

Anomaly detection is the process of observing network behavior, learning what normal activity looks like, and flagging deviations from that baseline that may indicate a cyber attack. Once events have been highlighted, the human operator can take action and start troubleshooting to find the root cause of the issue.

The tool shown here, for instance, lets users double-click into a root cause mode “where suspected root causes will be ranked for quick investigation”. In this case, anomaly detection not only highlights a potential attack but points straight to the likely root cause of the issue as well.

When onboarded and managed correctly, such tools can be vital for managing large networks and dealing with events as they occur. However, it is important to note that AI-based network monitors are not without their limitations.

The Limitations of AI-based Network Monitors

While network monitoring tools that utilize AI are often extremely useful, it is essential to be aware of their limitations. Software vendors take different approaches to AI, so the effectiveness of a given tool will depend on the technical prowess of the vendor and the strategies they use to model the data sets they monitor.

A simple breakdown of network monitoring tools is provided by W.J.B Beukema, who suggests that most AI tools can be divided into two categories: misuse-based and anomaly-based. The difference between the two is that misuse-based approaches attempt to “extract signatures from known threats, whereas anomaly approaches try to detect substantial deviations from behavior that is considered to be normal”.

Each of these two approaches has its own strengths and weaknesses in terms of security. For instance, misuse-based approaches function well at finding known threats but fail to recognize unfamiliar types of attacks, because there is no signature to match. On the other hand, anomaly-based approaches adapt well to new threats, but “balancing the false positive and true positive rate” is a consistent challenge: lowering the detection threshold catches more attacks but also flags more legitimate traffic.

In other words, the anomaly-based approach utilized by many network monitoring vendors is prone to false positives, which produce useless alerts. In small numbers, these false positives aren’t too much of an issue, but in large numbers they overwhelm the operator’s ability to identify real threats among the noise.
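To make the misuse-versus-anomaly trade-off concrete, here is an added example (not code from the article or from any vendor product) that runs both kinds of detector over a handful of constructed flow records and scores them against ground-truth labels. The hosts, addresses, byte counts, signatures and labels are all made up for illustration; the anomaly detector is a simple per-host z-score on bytes sent, which stands in for whatever statistical model a real product uses.

```python
"""Misuse-based vs anomaly-based detection, scored on constructed flow records.

Added example, not from the article or any vendor product. All hosts, IPs,
byte counts, signatures and labels below are constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    host: str        # internal workstation that originated the flow
    dst_ip: str
    dst_port: int
    bytes_out: int
    malicious: bool  # ground truth, used only for scoring, never by a detector


# Constructed training window: bytes_out of recent benign flows, per host.
BASELINE = {
    "ws1": [1000, 1200] * 5,   # mean 1100, population stdev 100
    "ws2": [2000, 2400] * 5,   # mean 2200, population stdev 200
    "ws3": [500, 700] * 5,     # mean 600,  population stdev 100
}

# Constructed evaluation window (RFC 5737 documentation addresses).
FLOWS = [
    Flow("ws1", "198.51.100.7", 443, 1150, False),
    Flow("ws1", "203.0.113.9", 4444, 1250, True),   # known C2 port, small beacon
    Flow("ws2", "198.51.100.20", 443, 2300, False),
    Flow("ws2", "198.51.100.50", 443, 9000, True),  # novel exfil over HTTPS, no signature
    Flow("ws3", "198.51.100.30", 443, 650, False),
    Flow("ws3", "198.51.100.31", 22, 1100, False),  # large but legitimate push
    Flow("ws1", "192.0.2.15", 80, 1000, False),
    Flow("ws2", "198.51.100.21", 443, 2900, False), # busy but benign
]

# Misuse-based: constructed signatures for threats that have been seen before.
BAD_IPS = {"203.0.113.9"}
BAD_PORTS = {4444}


def misuse_detect(flows):
    """Flag flows matching a known-bad indicator; unknown threats pass silently."""
    return {i for i, f in enumerate(flows)
            if f.dst_ip in BAD_IPS or f.dst_port in BAD_PORTS}


def fit_baseline(baseline):
    """Per-host mean and stdev of bytes_out learned from the training window."""
    return {h: (mean(v), pstdev(v)) for h, v in baseline.items()}


def anomaly_detect(flows, model, k):
    """Flag flows whose bytes_out exceeds the host's mean by more than k stdevs."""
    flagged = set()
    for i, f in enumerate(flows):
        mu, sigma = model[f.host]
        z = (f.bytes_out - mu) / sigma if sigma else 0.0
        if z > k:
            flagged.add(i)
    return flagged


def score(flows, flagged):
    """True/false positive counts and rates against the ground-truth labels."""
    tp = sum(1 for i in flagged if flows[i].malicious)
    fp = len(flagged) - tp
    positives = sum(f.malicious for f in flows)
    negatives = len(flows) - positives
    return {"tp": tp, "fp": fp, "tpr": tp / positives, "fpr": fp / negatives}


def compare(flows=FLOWS, baseline=BASELINE, thresholds=(1, 3, 4, 6)):
    """Score the misuse detector, the anomaly detector at several thresholds,
    and the union of both, to show the trade-off described in the text."""
    model = fit_baseline(baseline)
    results = {"misuse": score(flows, misuse_detect(flows))}
    for k in thresholds:
        results[f"anomaly_k{k}"] = score(flows, anomaly_detect(flows, model, k))
    both = misuse_detect(flows) | anomaly_detect(flows, model, 4)
    results["misuse+anomaly_k4"] = score(flows, both)
    return results


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:18s} TP={r['tp']} FP={r['fp']} "
              f"TPR={r['tpr']:.2f} FPR={r['fpr']:.2f}")
```

Running it shows the pattern the text describes: the signature detector catches the known beacon with no false positives but never sees the novel exfiltration; the anomaly detector catches the exfiltration at any threshold, but only catches the small beacon at k=1, where it also flags a third of the benign traffic. Layering the two (the last row) catches both attacks with a single false positive, which is why a low-false-positive anomaly engine is usually paired with signatures rather than replacing them.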

One of the most well-known examples of a company being blinded by false positives is the 2013 Target breach. A successful cyber attack led to the details of over 70 million customers being stolen after the company’s point-of-sale systems were compromised. Target’s monitoring platform flagged the attack, but the company failed to act on the alerts amid a wave of false positives.

How to Onboard an AI Network Monitor and Stop False Positives?

Given the limitations of network monitoring tools, it is important not just to be careful about which tools you deploy but also to consider how you manage them from threat detection to response. If you’re considering using an AI-based network monitoring tool, it is a good idea to look for one that has a low rate of false positives. If the tool has a substantial rate of false positives, then you’re better off with another tool (especially if you’re part of a larger organization).

Beyond being more careful about the network monitoring tools you deploy, it is useful to implement administrative policies that ensure false positives have a minimal impact on your network monitoring practices. One way this can be done is to designate specific members of staff to react to specific classes of alert. For an extra layer of assurance, designate a backup member of staff who takes over if an alert has not been acted on or acknowledged within an agreed time.

The truth is that no AI tool is going to eliminate the need for manual administration. Even tools with minuscule false positive rates need to be treated with caution, because the occasional bogus alert will still get through. So long as you deploy a tool with a low false positive rate, your network administrator will be able to absorb a few false alerts every now and again without losing sight of real threats.