Artificial Intelligence (AI) is used across many application fields. In cybersecurity, AI has the potential to significantly improve an organization's ability to detect and respond to cyberattacks. Machine learning (ML), a subfield of AI, trains algorithms on data so that a model learns and improves over time without being explicitly programmed for every case it must handle.
In general, AI systems perform tasks by processing large amounts of data, recognizing patterns and making decisions based on those patterns, and unlike human analysts they do so around the clock. Through machine learning, new data further refines the system's model of what is normal, and with it the accuracy of its decisions.
For the purposes of this post, anomalies in the ML sense can be divided into two categories: point anomalies and dyadic anomalies.
Point anomalies are instances or observations in a dataset that significantly deviate from the majority of the data. These anomalies can be due to errors in measurement, data entry or other reasons, or they can represent important events or observations.
In machine learning, point anomalies are often referred to as "outliers." Detecting them matters in applications such as fraud detection and network intrusion detection, among others. Various methods, such as clustering and density-based methods, can be used to detect point anomalies, all with the aim of identifying data points that deviate significantly from the norm so that they can be further analyzed and, where possible, explained.
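As an added example (not code from the original post or from Muninn), here is a point-anomaly detector over constructed per-host byte counts. It uses a robust z-score based on the median and the median absolute deviation (MAD), and keeps the classic mean/standard-deviation z-score beside it to show why the latter is a poor outlier test on small samples: with ten hosts the naive score of even an extreme value cannot exceed 3 (the bound is the square root of n-1), so a usual threshold of 3 or 3.5 never fires, while the robust score flags it clearly. Host names, byte counts and the 3.5 cut-off are assumptions.

```python
"""Point-anomaly (outlier) detection on per-host traffic volumes.

Added example using robust z-scores (median / MAD). The host names and byte
counts below are constructed sample data, not real measurements.
"""
import statistics

# Constructed: bytes sent by each internal host during one hour. Most hosts
# behave alike; one workstation pushed far more than the rest.
SAMPLE_BYTES_PER_HOST = {
    "ws-01": 1_200_000,
    "ws-02": 980_000,
    "ws-03": 1_450_000,
    "ws-04": 1_100_000,
    "ws-05": 1_320_000,
    "ws-06": 890_000,
    "ws-07": 1_250_000,
    "ws-08": 1_010_000,
    "ws-09": 1_380_000,
    "ws-10": 95_000_000,   # the point anomaly
}

MAD_SCALE = 1.4826  # makes the MAD comparable to a standard deviation for normal data


def robust_z_scores(values):
    """Return {key: robust z} computed from the median and MAD.

    The median and MAD are not dragged along by the outlier itself, so a single
    extreme value cannot mask its own deviation the way it does with mean/std.
    """
    xs = list(values.values())
    med = statistics.median(xs)
    mad = statistics.median(abs(x - med) for x in xs) * MAD_SCALE
    if mad == 0:
        # Nearly all values identical: use a tiny scale so any deviation is
        # flagged instead of dividing by zero.
        mad = 1e-9
    return {k: (v - med) / mad for k, v in values.items()}


def classic_z_scores(values):
    """The naive mean/std z-score, kept only for comparison."""
    xs = list(values.values())
    mu = statistics.mean(xs)
    sd = statistics.pstdev(xs)
    return {k: (v - mu) / sd for k, v in values.items()}


def point_anomalies(values, threshold=3.5):
    """Keys whose |robust z| exceeds the threshold (3.5 is a common cut-off)."""
    return sorted(k for k, z in robust_z_scores(values).items() if abs(z) > threshold)


if __name__ == "__main__":
    print("robust outliers:", point_anomalies(SAMPLE_BYTES_PER_HOST))
    print("naive z of ws-10: %.2f" % classic_z_scores(SAMPLE_BYTES_PER_HOST)["ws-10"])
```

The same function works unchanged on any per-entity metric (connections per minute, DNS queries per host, failed logins per account); the point is that the scale used for "significantly deviates" must itself be resistant to the anomaly it is supposed to expose.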
Dyadic anomalies refer to anomalous relationships or interactions between pairs of entities in a dataset, for example two hosts on a network. Unlike point anomalies, which focus on individual data points, dyadic anomalies focus on the relationship between a pair of them.
Dyadic anomalies can arise in a variety of contexts, such as in social networks, where an anomalous relationship between two individuals might indicate a malicious connection, or in financial transactions, where an anomalous relationship between two entities might indicate fraudulent behavior.
Detecting dyadic anomalies involves analyzing the relationship between pairs of objects in a dataset and comparing it to some notion of normal behavior for that pair. There are various methods for doing so, including dimensionality reduction and clustering.
The goal of dyadic anomaly detection is to identify unusual relationships or interactions between hosts on your network, so that they can be further analyzed and possibly explained.
The Muninn AI Detect system, an advanced network traffic analysis tool, groups its anomaly notifications into 7 major categories:
• Anomaly - Unexpected Port
• Anomaly - Unexpected Interaction
• Anomaly - Unexpected Service
• Anomaly - Data Transfer
• Anomaly - Out of hours
• Anomaly - Unexpected Service and Port
• Anomaly - Unusual Context
The findings are based on 20,000+ unique notifications from a three-digit number of Muninn sensors in operation all over the world, recorded over the past 365 days. Uniqueness is defined by a suppression window of 3 hours: a notification is registered only once even if it is triggered multiple times within that window.
Anomaly - Unexpected Port: Interaction between a client and a server was deemed anomalous because those two had not interacted using that port before. Had the port been different, it might not have been out of the ordinary for them to interact. This anomaly is worth looking into closely, since the port has never been used between the two machines before; the service behind it could potentially be used as a C2 (command-and-control) channel.
Anomaly - Unexpected Interaction: Interaction between a client and a server was deemed anomalous because those two had not interacted before. This anomaly is potentially dangerous: verify that both hosts are recognized as legitimate nodes in your network and that they are supposed to communicate with each other.
Anomaly - Unexpected Service: Interaction between a client and a server was deemed anomalous because those two had not interacted using that service before. This is also an event to watch out for: the two nodes are using a service or protocol not previously used between them, which could be a malicious service used for C2 communication or data transfer.
Anomaly - Data Transfer: Interaction between a client and a server was deemed anomalous because of how much data was transferred during the interaction. This anomaly is triggered when two machines transfer much more data than is normal for them. It could be an indication of data being exfiltrated to an untrustworthy third party, i.e. digital theft in progress.
Anomaly - Out of hours: Interaction between a client and a server was deemed anomalous because of when the interaction happened. This anomaly reacts to network activity taking place at unusual hours or on unusual weekdays for the environment. Automated hacking tools, and script kiddies who have not done their homework, may carry out malicious activity with no regard for the day or time in the environment they are attacking.
Anomaly - Unexpected Service and Port: Interaction between a client and a server was deemed anomalous because those two had not interacted using that service on that port before. This anomaly is worth paying extra attention to, since RATs (Remote Access Trojans) and other malicious frameworks are known to run their services on unusual ports.
Anomaly - Unusual Context: Interaction between a client and a server was deemed anomalous because of a combination of circumstances. Had the circumstances been different, it might not have been out of the ordinary for them to interact. The notification's description gives more detail on how the circumstances differed from the norm; this anomaly combines the amount of data received with the time at which it was received. As with the other anomaly types, this may indicate malicious behaviour.
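To make the dyadic approach and the seven categories concrete, here is an added example, not Muninn's own code, of a baseline-and-compare detector over client/server flow records. It learns what each (client, server) pair has done before, emits one of the seven notification categories above when a new flow deviates, and applies the 3-hour suppression window from the methodology note. The flow records, host names, ports, byte volumes and the thresholds (10x the pair's median volume for Data Transfer; a network-wide set of active weekday/hour slots for Out of hours; volume above the pair's previous maximum at an hour the pair has never been active in for Unusual Context) are all constructed assumptions about how such rules might be built, not a description of the product's actual logic.

```python
"""Dyadic anomaly notifications over client/server flow records (added example,
not Muninn's own code). Hosts, ports, volumes and thresholds are constructed;
a real NDR learns its baseline from weeks of traffic, not one constructed week."""
from collections import defaultdict
from datetime import datetime, timedelta
import statistics

SUPPRESSION = timedelta(hours=3)   # one registration per (category, pair) per window
VOLUME_FACTOR = 10                 # bytes > 10x the pair's median => Data Transfer


def flow(client, server, service, port, nbytes, ts):
    return {"client": client, "server": server, "service": service,
            "port": port, "bytes": nbytes, "ts": ts}   # ts is a datetime


def build_history():
    """Constructed baseline: one normal work week, Mon 2024-01-01 to Fri 01-05."""
    hist = []
    for day in range(5):
        d = datetime(2024, 1, 1) + timedelta(days=day)
        for hour in (8, 10, 14, 16):   # ws-01 uses the file server four times a day
            hist.append(flow("ws-01", "fileserver", "smb", 445,
                             2_000_000 + hour * 1000, d.replace(hour=hour)))
        hist.append(flow("ws-01", "mail", "smtp", 25, 50_000, d.replace(hour=9)))
        hist.append(flow("ws-02", "fileserver", "smb", 445, 1_500_000, d.replace(hour=11)))
    return hist


class DyadicBaseline:
    """What each (client, server) pair has done before, and when the network is active."""

    def __init__(self, history):
        self.pairs = defaultdict(lambda: {"ports": set(), "services": set(),
                                          "bytes": [], "slots": set()})
        self.active_slots = set()      # (weekday, hour) slots with any traffic at all
        for f in history:
            p = self.pairs[(f["client"], f["server"])]
            slot = (f["ts"].weekday(), f["ts"].hour)
            p["ports"].add(f["port"])
            p["services"].add(f["service"])
            p["bytes"].append(f["bytes"])
            p["slots"].add(slot)
            self.active_slots.add(slot)

    def classify(self, f):
        """Notification category for one flow, or None when nothing deviates."""
        key = (f["client"], f["server"])
        if key not in self.pairs:
            return "Anomaly - Unexpected Interaction"
        p = self.pairs[key]
        new_port = f["port"] not in p["ports"]
        new_service = f["service"] not in p["services"]
        if new_port and new_service:
            return "Anomaly - Unexpected Service and Port"
        if new_port:
            return "Anomaly - Unexpected Port"
        if new_service:
            return "Anomaly - Unexpected Service"
        if f["bytes"] > VOLUME_FACTOR * statistics.median(p["bytes"]):
            return "Anomaly - Data Transfer"
        slot = (f["ts"].weekday(), f["ts"].hour)
        if slot not in self.active_slots:
            return "Anomaly - Out of hours"
        # Neither volume nor time alone is alarming; the combination is new for this pair.
        if f["bytes"] > max(p["bytes"]) and slot not in p["slots"]:
            return "Anomaly - Unusual Context"
        return None


def notify(baseline, flows):
    """Classify time-ordered flows, registering each (category, client, server) once
    per SUPPRESSION window. Returns one entry per flow: None = nothing registered."""
    window_start, registered = {}, []
    for f in flows:
        cat = baseline.classify(f)
        key = (cat, f["client"], f["server"])
        start = window_start.get(key)
        if cat is None or (start is not None and f["ts"] - start < SUPPRESSION):
            registered.append(None)    # normal flow, or a repeat inside the window
            continue
        window_start[key] = f["ts"]
        registered.append(cat)
    return registered


def run_demo():
    """Run a constructed, time-ordered set of flows from the following week."""
    mon = datetime(2024, 1, 8)
    flows = [
        flow("ws-01", "fileserver", "smb", 445, 2_005_000, mon.replace(hour=8)),
        flow("ws-03", "fileserver", "smb", 445, 1_000_000, mon.replace(hour=9)),
        flow("ws-01", "fileserver", "smb", 445, 40_000_000, mon.replace(hour=10)),
        flow("ws-01", "fileserver", "rdp", 3389, 300_000, mon.replace(hour=10, minute=30)),
        flow("ws-01", "fileserver", "smb", 8445, 300_000, mon.replace(hour=11)),
        flow("ws-01", "fileserver", "http", 445, 300_000, mon.replace(hour=11, minute=30)),
        flow("ws-01", "fileserver", "smb", 445, 40_500_000, mon.replace(hour=12)),
        flow("ws-01", "fileserver", "smb", 445, 41_000_000, mon.replace(hour=14)),
        flow("ws-01", "fileserver", "smb", 445, 2_200_000, datetime(2024, 1, 9, 9)),
        flow("ws-02", "fileserver", "smb", 445, 1_400_000, datetime(2024, 1, 13, 3)),
    ]
    return notify(DyadicBaseline(build_history()), flows)
```

The order of the checks matters: pair identity is tested first, then port and service, then volume, so a flow only reaches the time-based rules once the relationship itself is familiar. Note the seventh flow: a second oversized transfer two hours after the first is classified as Data Transfer but not registered, which is exactly the de-duplication the 3-hour window provides; the one four hours after the first is registered again. The last flow is normal in every respect except that the network has never been active at 03:00 on a Saturday, which is the Out of hours case.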
The rise of Artificial Intelligence and Machine Learning has opened a new world of possibilities across various industries. With Muninn AI's ability to process vast amounts of data, recognize patterns, and make decisions based on those patterns, the potential for improving efficiency and accuracy is immense. Machine Learning, in particular, allows our algorithms to continuously learn and improve over time, without requiring explicit programming.
Within the field of cybersecurity, AI and Machine Learning offer an unprecedented opportunity to detect and respond to cyberattacks. As technology continues to evolve, it will be exciting to see how Artificial Intelligence will continue to impact our lives in unexpected ways. At Muninn we want to be a part of shaping these solutions for the future.
If you are interested in exploring Muninn's NDR and AI technology further, please also see our technical whitepaper and other resources here.
The Development Department at Muninn is where innovation meets cybersecurity. Our diverse team of software engineers and network specialists works diligently to keep our customers' networks and digital assets safe. Curiosity and continuous improvement are our mantra, as we believe that it is people who drive innovation.