Anomaly-based threat detection: Behavioural fingerprinting versus self-learning AI
Abstract
When a malicious actor has access to a digital estate, they control compromised devices and user accounts to achieve their objectives. Because an attacker's objectives are often at odds with devices' normal patterns of life, identifying deviations from these patterns can be used to detect an ongoing attack. This paper outlines and compares two approaches to anomaly-based threat detection: behavioural fingerprinting and self-learning artificial intelligence (AI). It argues that the self-learning approach is significantly superior in several important ways because it provides a more complex and accurate understanding of what is normal. The paper explains the motivation behind anomaly-based threat hunting, describes the fingerprinting approach and the self-learning approach to anomaly detection, and details real-world examples that demonstrate the advantages of the self-learning approach.
The full article is available to subscribers to the journal.
Author's Biography
Jeff Cornelius joined Darktrace in February 2015 as EVP and oversees Darktrace's cyber-physical security solutions while serving as a subject matter expert on Darktrace's solutions for operational technology/industrial control systems (OT/ICS) environments. Jeff has been the featured or keynote speaker at numerous international events and conferences and regularly shares insights at global events. Prior to joining Darktrace, Jeff held several C-level and executive commercial positions delivering subject matter expertise in the security, compliance and governance sectors. He holds advanced degrees in experimental psychology (social, cognition, perception) and experimental statistics and previously taught at the University of Texas and New Mexico State University, where he held adjunct positions.
Simon Fellows is a Technical Director at Darktrace, developing its cyber security platform and capabilities. He has a particular interest in the endpoint and industrial domains, as well as self-healing artificial intelligence (AI) and resilient systems. He holds a Master's degree in aeronautical and aerothermal engineering from the University of Cambridge and has professional experience as an information security leader and practitioner as well as a software developer.
Oakley Cox is Analyst Technical Director at Darktrace for the APAC region. Based in the Auckland office, he has over four years’ experience leading a team of cyber analysts at the Cambridge headquarters. At present, he oversees the defence of critical infrastructure and industrial control systems, helping to ensure that Darktrace’s AI stays one step ahead of attackers. Oakley is GIAC certified in Response and Industrial Defense (GRID) and also has a PhD from the University of Oxford.
Sam Lister is a SOC Analyst and Threat Researcher at Darktrace, based at the Cambridge headquarters. He investigates suspicious network behaviour across Darktrace’s client base, both in order to identify early warning signs of threat actor activity and to track threat actor tradecraft. He holds undergraduate and postgraduate qualifications in linguistics, logic and philosophy from University College London and the University of Amsterdam.