Startup mimics security analyst’s decision making, learns from humans

03.02.2016
Startup PatternEx, with roots in MIT’s artificial intelligence lab, is launching a security platform it says employs artificial intelligence: it learns from the input human security analysts give on the data exfiltration and bank fraud incidents it flags.

It monitors firewall logs and traffic in and out of the network and alerts customer analysts of suspicious traffic that might represent malware connecting to command and control servers or transferring data out of the network, says PatternEx CEO Uday Veeramachaneni, a co-founder of the company.

The AI engine is fed information about how the analyst responds to each notification, and the algorithm incorporates that input to refine its predictive model of how the analyst will react. That way, over time, it sends fewer false positives, Veeramachaneni says.

As the company gains customers it will use feedback from across deployments of the PatternEx platform to improve the accuracy of the algorithm’s modeling.

The algorithm and its predictive models will be an improvement over what happens now, where analysts have to figure out for themselves what represents a breach and often figure it out too late.

Eric Ogren, an analyst with 451 Group, says this type of machine learning can be useful to corporations having a tough time finding enough qualified analysts because they are in such high demand. He says Exabeam, Securonix and Red Owl among others are trying to address the same problem with User and Entity Behavior Analytics (UEBA).

The company says its technology is different from machine learning/anomaly detection technology in that it doesn’t rely on rule sets and seeks to mimic analyst intuition. The company says its Active Contextual Modeling technology catches 10 times the threats with a fifth of the false positives.

The PatternEx algorithm uses input such as the number of bytes sent and received, source and destination IP addresses, duration of connections, intervals between connections and other factors in its calculations. If a model makes 10 predictions that an analyst will judge flagged activity to be a botnet, and is wrong on four of them, the algorithm creates a new model, Veeramachaneni says.
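To make the analyst feedback loop described in the two paragraphs above concrete, here is an added, self-contained Python example. It is not PatternEx's code and makes no claim about how Active Contextual Modeling works internally: the feature names, the difference-of-means fit used to build a replacement model, and the sample flows and analyst verdicts are all constructed for illustration. What it keeps from the article is the input set (bytes sent and received, IP addresses, connection duration, interval between connections), the idea that analyst verdicts refine the model, and the stated rule that a model wrong on four of ten predictions is replaced.

```python
"""Analyst-in-the-loop flow scorer (constructed example, not PatternEx's code).

A model flags flows; an analyst confirms or rejects each flag; after every
10 verdicts, a model that was wrong on 4 or more of them is replaced by one
refit from all verdicts collected so far.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Flow:
    src_ip: str          # carried for analyst context; not a model feature here
    dst_ip: str
    bytes_sent: int
    bytes_recv: int
    duration_s: float
    interval_s: float    # seconds since the previous connection to the same destination


def features(flow: Flow) -> dict:
    """Hypothetical feature set derived from the inputs the article lists."""
    total = max(1, flow.bytes_sent + flow.bytes_recv)
    return {
        "out_ratio": flow.bytes_sent / total,                       # mostly outbound?
        "short_conn": 1.0 if flow.duration_s < 5 else 0.0,          # brief session?
        "regular_beacon": 1.0 if 50 <= flow.interval_s <= 70 else 0.0,  # ~60 s cadence
        "large_upload": 1.0 if flow.bytes_sent > 1_000_000 else 0.0,
    }


class AnalystLoopDetector:
    WINDOW = 10     # predictions reviewed per model generation
    MAX_WRONG = 4   # wrong verdicts that trigger a replacement model

    def __init__(self) -> None:
        # Generation 1 is a naive starting model: flag anything mostly outbound.
        self.weights = {"out_ratio": 1.0, "short_conn": 0.0,
                        "regular_beacon": 0.0, "large_upload": 0.0}
        self.threshold = 0.5
        self.labeled = []       # (features, analyst_verdict) for every reviewed flow
        self.window = []        # (predicted, actual) for the current model
        self.generation = 1

    def _score(self, feats: dict) -> float:
        return sum(self.weights[k] * feats[k] for k in self.weights)

    def predict(self, flow: Flow) -> bool:
        return self._score(features(flow)) >= self.threshold

    def feedback(self, flow: Flow, analyst_says_malicious: bool) -> bool:
        """Record the analyst's verdict; return True if the model was replaced."""
        feats = features(flow)
        predicted = self._score(feats) >= self.threshold
        self.labeled.append((feats, analyst_says_malicious))
        self.window.append((predicted, analyst_says_malicious))
        if len(self.window) < self.WINDOW:
            return False
        wrong = sum(1 for p, a in self.window if p != a)
        self.window.clear()
        if wrong >= self.MAX_WRONG:
            self._refit()
            return True
        return False

    def _refit(self) -> None:
        """Replace the model: weight = mean(feature|malicious) - mean(feature|benign).

        Threshold sits midway between the two classes' mean scores. This is a
        deliberately simple linear fit chosen for the example, not a claim
        about PatternEx's algorithm.
        """
        pos = [f for f, y in self.labeled if y]
        neg = [f for f, y in self.labeled if not y]
        if not pos or not neg:
            return
        self.weights = {k: mean(f[k] for f in pos) - mean(f[k] for f in neg)
                        for k in self.weights}
        self.threshold = (mean(self._score(f) for f in pos)
                          + mean(self._score(f) for f in neg)) / 2
        self.generation += 1


# Constructed sample flows with the analyst's verdict for each.
BEACON = Flow("10.0.0.7", "203.0.113.9", 300, 200, 1.0, 60.0)          # C2-style beacon
BACKUP = Flow("10.0.0.7", "10.0.5.20", 5_000_000, 1_000, 120.0, 86_400.0)  # nightly backup
BROWSE = Flow("10.0.0.7", "198.51.100.4", 2_000, 50_000, 3.0, 10.0)      # ordinary browsing

REVIEW_QUEUE = (
    [(BEACON, True)] * 2 + [(Flow("10.0.0.7", "203.0.113.9", 320, 180, 2.0, 61.0), True)]
    + [(BACKUP, False)] * 4      # generation 1 flags these: four false positives
    + [(BROWSE, False)] * 3
)


def run_demo() -> tuple:
    """Feed ten verdicts; return (detector, index at which the model was replaced)."""
    det = AnalystLoopDetector()
    replaced_at = None
    for i, (flow, verdict) in enumerate(REVIEW_QUEUE, start=1):
        if det.feedback(flow, verdict):
            replaced_at = i
    return det, replaced_at


if __name__ == "__main__":
    det, when = run_demo()
    print(f"model generation {det.generation}, replaced after verdict {when}")
    for name, flow in [("beacon", BEACON), ("backup", BACKUP), ("browse", BROWSE)]:
        print(f"{name:7s} flagged={det.predict(flow)}")
```

Run as a script, the naive first model flags the four backup uploads as well as the beacons, so it is wrong on four of the ten verdicts and is replaced after the tenth. The refit model weights the regular 60-second cadence and short sessions and penalises large uploads, so it still flags the beacon but no longer flags the backup or ordinary browsing; the false positives the article talks about drop without any analyst writing a rule.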

Data is gathered by lightweight agents on individual machines and collected and analyzed on a server that can be in PatternEx’s cloud or on the customer’s premises. The technology can sit alongside security information and event management (SIEM) devices as an add-on.

Over time the company expects to be able to detect more categories of attacks. Tapping Active Directory data and storage repositories where valuable data sits are two possibilities, he says.

He says he’d like to turn the engine loose on Web applications to seek odd behavior by them.

The company is formally launching today and the product is available tomorrow. Pricing is based on the volume of data the analysis engine processes and the type of predictions it is making. At launch, the platform can predict exfiltrations and Web fraud.

The 2-year-old company is backed by $2 million in seed money and is based in San Jose. It has six customers in late-stage trials, five of them Fortune 500 companies, Veeramachaneni says.

(www.networkworld.com)

Tim Greene