When launching an attack against an organization, cybercriminals can face defensive systems that are part human and part machine.
The human part corresponds to security analysts who scrutinize the server logs and identify anomalies that correlate to malicious intent. The machine part consists of data analysis run by unsupervised learning systems.
In particular, clustering the data with an unsupervised learning algorithm can be an effective way to focus the analyst’s attention on the data points that are representative of larger classes of activities. Such systems excel at processing large quantities of information and at identifying new correlations, but they may produce an unacceptable number of false alarms. Conversely, human analysts accurately discern existing or new forms of malicious activity but are unable to cope with large amounts of information.
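As an added illustration of the triage idea described above (this is example code written for this summary, not the authors' system or the code used in the paper), the following script clusters web-server access log records with a small, dependency-free k-means and hands the analyst one representative request per cluster together with the cluster size. The log lines, the three features (path length, count of special characters, error flag) and the hypothetical `triage` helper are all constructed assumptions chosen to keep the example self-contained; a real deployment would use richer features and a proper clustering library.

```python
import re
from collections import namedtuple

# Constructed sample access log (Common Log Format): five ordinary page
# requests followed by three long, heavily percent-encoded requests that fail.
SAMPLE_LOG = """\
10.0.0.1 - - [01/Jan/2019:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.2 - - [01/Jan/2019:10:00:02 +0000] "GET /about.html HTTP/1.1" 200 3011
10.0.0.3 - - [01/Jan/2019:10:00:03 +0000] "GET /images/logo.png HTTP/1.1" 200 8812
10.0.0.4 - - [01/Jan/2019:10:00:04 +0000] "GET /contact.html HTTP/1.1" 200 2200
10.0.0.5 - - [01/Jan/2019:10:00:05 +0000] "GET /products/1 HTTP/1.1" 200 4100
10.0.0.9 - - [01/Jan/2019:10:00:06 +0000] "GET /search?q=%27%27%27%22%22%22%3C%3E%3C%3E%3B%3B HTTP/1.1" 500 612
10.0.0.9 - - [01/Jan/2019:10:00:07 +0000] "GET /login?user=%27%3B%3B%3B%3B%27%20%20%20%20%27%28%29 HTTP/1.1" 403 311
10.0.0.9 - - [01/Jan/2019:10:00:08 +0000] "GET /products/1%29%29%29%29%28%28%28%28%3B%3B%27%22 HTTP/1.1" 500 612
"""

CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)$')
Request = namedtuple("Request", "ip method path status line")
SPECIAL = set("%'\"<>;()")  # characters rarely seen in benign paths on this site


def parse_log(text):
    """Parse CLF lines into Request records; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if m:
            out.append(Request(m.group(1), m.group(3), m.group(4), int(m.group(5)), line))
    return out


def features(req):
    """Raw feature vector: path length, special-character count, error flag."""
    specials = sum(1 for c in req.path if c in SPECIAL)
    return [len(req.path), specials, 1.0 if req.status >= 400 else 0.0]


def scale(vectors):
    """Min-max scale every column to [0, 1] so no single feature dominates."""
    cols = list(zip(*vectors))
    lo = [min(c) for c in cols]
    hi = [max(c) for c in cols]
    return [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(vec, lo, hi)]
            for vec in vectors]


def dist2(a, b):
    """Squared Euclidean distance."""
    return sum((x - y) ** 2 for x, y in zip(a, b))


def kmeans(points, k, iterations=100):
    """Plain k-means with deterministic farthest-first seeding.

    Returns (labels, centroids); labels[i] is the cluster id of points[i].
    """
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(dist2(p, c) for c in centroids)))
    labels = [0] * len(points)
    for _ in range(iterations):
        labels = [min(range(k), key=lambda i: dist2(p, centroids[i])) for p in points]
        new = []
        for i in range(k):
            members = [p for p, l in zip(points, labels) if l == i]
            new.append([sum(col) / len(members) for col in zip(*members)] if members else centroids[i])
        if new == centroids:
            break
        centroids = new
    return labels, centroids


def triage(log_text, k=2):
    """Cluster the requests and return [(cluster size, representative Request)], largest cluster first.

    The representative is the member closest to its centroid, so the analyst
    reviews one typical request per class of activity instead of every line.
    """
    reqs = parse_log(log_text)
    points = scale([features(r) for r in reqs])
    labels, centroids = kmeans(points, k)
    summary = []
    for i in range(k):
        members = [(dist2(p, centroids[i]), r) for p, r, l in zip(points, reqs, labels) if l == i]
        if members:
            summary.append((len(members), min(members, key=lambda m: m[0])[1]))
    summary.sort(key=lambda s: -s[0])
    return summary


if __name__ == "__main__":
    for size, rep in triage(SAMPLE_LOG):
        print(f"{size} requests, e.g.: {rep.line}")
```

Run as-is, the script collapses eight log lines into two items for review: the large cluster of ordinary page fetches and the small cluster of malformed, failing requests from `10.0.0.9`. The small cluster is exactly the kind of activity the summary says analysts are good at judging and machines are good at surfacing; the false-alarm problem mentioned above shows up when a benign but unusual request (a long search query, for instance) lands in that second cluster, which is why the representative, not an automatic verdict, goes to the human.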
To address those challenges, the authors conducted a security analysis of human and machine approaches for detecting known and potentially unknown attacks. They used attacks against a real-world website as a vehicle for exploring strengths and limitations of the two approaches and the opportunities for combining them. They compared the most useful features for human analysts and for an automated clustering system.
Humans excel at recognizing patterns and abnormalities in these patterns, which gives them the ability to detect unusual and previously unseen behavior. Automated systems can potentially help human analysts by:
- Minimizing the number of suspicious activities that humans must investigate.
- Improving the quality and completeness of the recorded data.
- Increasing training for analysts to set aside past biases and examine new behaviours.
- Keeping a history of traffic that helps an analyst compare a selected block of unusual behaviour against normal traffic patterns.
Human analysis and automated tools serve complementary purposes, and hybrid detection systems could provide the best of both the human and machine worlds when it comes to attack detection.
Cite: Sabottke, C., Chen, D., Layman, L. and Dumitras, T. (2019). How to trick the Borg: threat models against manual and automated techniques for detecting network attacks. Computers & Security, 81, 25-40.