How we implement machine learning in Positive Technologies products

Hello! We are Mykola Lyfenko and Artem Pronychev, and we develop and integrate machine learning models into Positive Technologies products. Today we will explain how ML helps automate the work of security specialists and detect cyberattacks. First we will cover the theoretical basis, and then back it up with cases from our work.

Why we use ML

Before discussing why machine learning models are needed, it is important to understand how protection tools work in general. It all starts with collecting primary data: logs, traffic, executable files, and more. This information has to be brought into a single format, which then serves as the basis for detecting attacks, compiling security incidents and conducting investigations. Machine learning can and should be applied at every stage, from working with raw data to creating incident cards.

The concept of information protection tools

Thanks to machine learning technologies, we can automate routine operator actions, find new attacks that cannot be detected using a classic rule-based approach, and generally continue to develop the expertise of Positive Technologies, which is at the heart of each of our products.

ML models take security to a new level

Machine learning models solve many product problems. For example, we use ML to detect code obfuscation, detect malware in encrypted traffic, analyze behavioral traces, and find web shells.

Web application security

Products that analyze HTTP traffic receive a large volume of payloads during operation, and these may include command shells for remote web server management (web shells). We solved the task of separating legitimate data from malicious data by building ML models for web shell detection. One model is aimed at preventing the upload of an illegitimate script, and the other at detecting web shell activity. To train them, we took web shell data from open sources and added interesting examples encountered in Standoff cyber battles. This diversity allowed us to increase detection recall and to discover new web shells that a rule-based approach cannot find because of how it works.

Data from our projects and held-out samples prepared by experts were used to assess the accuracy of detections. The initial quality assessment happens during CI/CD. For instance, after the model is trained, the CML (continuous machine learning) process starts; it lets us see, right in the merge request, the difference in how the models perform on the held-out data.

At Standoff, the model was used in logging mode, and the subsequent analysis of the results showed a low level of false positives (less than 0.01%). All this allowed us to reduce the number of such triggers compared to the classic rule-based approach.

An example of a web shell detected using ML models

Infrastructure security

Ensuring the security of corporate infrastructure often requires analyzing user behavior. This task is handled by a module whose main purpose is to detect intruders. The module looks for cybercriminals by counting a kind of risk points: each network user receives points for suspicious activities and is placed in a list of users ranked by risk level. A combination of machine learning models can be used to assign the points. One of these models is a recommender system that helps determine how typical a user's behavior is when working with processes.

Let's start with the recommender system. Say a programmer uses Visual Studio Code in his work, but at some point decides to switch to PyCharm. Simpler analysis approaches would record an anomaly here, and the event would turn out to be a false positive, because the programmer had previously used only one code editor. Here is another example: it would be surprising to see that an employee in the accounting department had run whoami.exe on his computer. Strict rules would record a detection and would be right: a true positive.

As the two examples show, approaches based on strict logic (if-else) are poorly adapted to reality: they do not help the system understand context. To identify anomalies more accurately, we built a user-process interaction matrix and trained a collaborative filtering model. This allows the system to recommend a set of processes to run for each user, and provides the operator with vectors of users and individual processes. An anomaly is recorded when the set of recommended processes does not match the processes actually run. Our colleague Ihor Pestretsov has previously described in more detail how recommender systems look for anomalies.
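A minimal sketch of the idea above, added here as an illustration and not Positive Technologies' code: it scores how typical a new process is for a user from a binary user-process matrix. The page does not say which collaborative filtering algorithm is used; this sketch assumes item-based cosine similarity, and the user names, process lists and the 0.2 threshold are constructed.

```python
from math import sqrt

# Constructed sample: processes each user has been observed running.
HISTORY = {
    "dev_anna":   {"code.exe", "git.exe", "python.exe", "cmd.exe", "whoami.exe"},
    "dev_boris":  {"pycharm64.exe", "git.exe", "python.exe", "cmd.exe"},
    "dev_carl":   {"code.exe", "pycharm64.exe", "git.exe", "python.exe"},
    "dev_dina":   {"code.exe", "git.exe", "python.exe"},
    "acc_elena":  {"excel.exe", "1c.exe", "outlook.exe"},
    "acc_fedor":  {"excel.exe", "1c.exe", "outlook.exe", "winword.exe"},
    "acc_galina": {"excel.exe", "outlook.exe", "winword.exe"},
}

def users_of(process, history):
    """Column of the user-process matrix: the users who ran this process."""
    return {user for user, procs in history.items() if process in procs}

def similarity(p, q, history):
    """Cosine similarity of two processes over the binary matrix."""
    up, uq = users_of(p, history), users_of(q, history)
    if not up or not uq:
        return 0.0  # a process nobody has run resembles nothing
    return len(up & uq) / sqrt(len(up) * len(uq))

def typicality(user, process, history=HISTORY):
    """Mean similarity between a new process and the user's known ones.

    High when peers with the same habits also run the process, i.e. the
    model would have "recommended" it to this user.
    """
    known = history[user]
    if process in known:
        return 1.0
    if not known:
        return 0.0
    return sum(similarity(process, q, history) for q in sorted(known)) / len(known)

def is_anomalous(user, process, threshold=0.2, history=HISTORY):
    """Flag the event when the process is far from what is recommended."""
    return typicality(user, process, history) < threshold
```

With this data, a developer who has only used code.exe and starts pycharm64.exe scores about 0.61 and is not flagged, while whoami.exe on an accountant's machine scores 0.0 and is.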

The principles of the recommendation system and the model based on the analysis of the chain of processes

As for the model based on the analysis of the chain of processes, things are even simpler. A chain consists of links and its length can vary, so for greater efficiency we decided to break the classic chain A–E into four pairs: AE, BE, CE, DE. This allowed us to construct an interaction matrix in which each cell corresponds to a pair. An anomaly is recorded when there are few transitions from an intermediate process (A to D) to the final process E. For example, the transition from cmd.exe to whoami.exe is a standard situation, but the transition from outlook.exe to whoami.exe looks suspicious to the model.
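The pair-based chain model described above, as an added sketch rather than the product's implementation: each chain is split into (ancestor, final process) pairs, the pairs are counted into an interaction matrix, and a chain is reported when one of its pairs has been seen too rarely. The baseline chains and the `min_count` threshold are constructed assumptions.

```python
from collections import Counter

MAX_ANCESTORS = 4  # A, B, C, D in front of the final process E

def pairs(chain):
    """Split a chain [A, B, C, D, E] into the pairs AE, BE, CE, DE."""
    if len(chain) < 2:
        return []  # a lone process has no ancestor to pair with
    *ancestors, final = [name.lower() for name in chain]
    return [(a, final) for a in ancestors[-MAX_ANCESTORS:]]

def fit(chains):
    """Build the interaction matrix: pair -> number of observations."""
    counts = Counter()
    for chain in chains:
        counts.update(pairs(chain))
    return counts

def rare_pairs(chain, counts, min_count=3):
    """Return the pairs of this chain seen fewer than min_count times."""
    return [p for p in pairs(chain) if counts[p] < min_count]

# Constructed baseline of process chains (oldest ancestor first).
BASELINE = (
    [["explorer.exe", "cmd.exe", "whoami.exe"]] * 5
    + [["services.exe", "svchost.exe", "cmd.exe", "whoami.exe"]] * 3
    + [["explorer.exe", "outlook.exe", "winword.exe"]] * 6
    + [["explorer.exe", "outlook.exe", "chrome.exe"]] * 4
)
COUNTS = fit(BASELINE)

def check(chain):
    """Convenience wrapper that scores a chain against the baseline."""
    return rare_pairs(chain, COUNTS)

if __name__ == "__main__":
    for chain in (["explorer.exe", "cmd.exe", "whoami.exe"],
                  ["explorer.exe", "outlook.exe", "whoami.exe"]):
        print(" -> ".join(chain), "| rare pairs:", check(chain))
```

Because every ancestor is paired with the final process, the outlook.exe to whoami.exe pair is reported even though explorer.exe appears above both the normal and the suspicious chain.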

Our products use different technology stacks, so in each case the ML model is integrated according to its own scenario. For example, one of the products has Python code and an ML model that we serialize using ONNX, and we use MLflow to track experiments and as an artifact repository. Also, when training the ML model, we use a daily flow of examples and a reference sample (on which false positives are ruled out), which allows us to achieve good results when deploying in information protection tools. You can read more in the article by our colleague Igor Kabanov.

The concept of ML model operation in PT Sandbox for analyzing malware behavior

A large number of false positives will turn the life of any security specialist into hell: instead of doing real work, he will be forced to respond to every message from an inaccurate ML model. We address this by setting high quality requirements for detectors already at the MVP stage, as well as at the stage of collecting feedback from early adopters. All this allows us not only to significantly improve the quality of machine learning models, but also to bring closer the moment when ML technologies become a firm part of building information security products.

Who is responsible for using machine learning

We believe that the successful implementation of machine learning in information protection tools requires experts with ML, computer science, and domain knowledge.

On the left – the neural network’s view of the Positive Technologies team, on the right – the real state of affairs

The matrix structure of the ML team at Positive Technologies makes it possible to organize virtual teams to work on similar projects. For example, even at the initial stage it is necessary to understand to what extent the task can be solved from a cybersecurity point of view. The specialists of the Positive Technologies expert security center (PT Expert Security Center, PT ESC) help here: they give us the necessary knowledge about the types of attacks and the principles and approaches of attackers, and also test our solutions. After that, we agree with the development team on the areas of responsibility for the implementation and support phases of the product.

The pipeline of works can be presented as follows:

  1. Problem statement – We receive the task in its raw form, after which the ML lead responsible for the direction of machine learning development draws up a technical specification. We review the backlog several times a year: this allows us to prioritize the most urgent tasks.

  2. PoC (proof of concept) – We work together with PT ESC experts.

  3. MVP (minimum viable product) — ML engineers develop services that are as ready as possible for production.

  4. Production – We finalize the MVP: improve performance and connect the individual components into a single system.

Stages of the ML team’s work on the task

If you also love machine learning and dream of making this world safer, come and join our team. We are currently looking for ML engineers: experienced specialists with a good knowledge of Python, an understanding of the basics of statistics and machine learning techniques, and a desire to dig into new, modern solutions.

🔻You can learn more about the ML team at Positive Technologies and our tasks here.
