Muninn Cyber-AI - The Next Generation of Cyber Security

Artificial Intelligence has fundamentally changed the task of safeguarding critical digital infrastructure. Armed with the Muninn AI-Platform, security teams now have the tools to neutralize even the most Advanced Persistent Threats (APTs).

Muninn’s threat detection engine leverages data from historical attacks to detect known threats, but it also uses your organization’s real-time data to build a sophisticated model of normal network behaviors. This approach to AI-based cyber security enables Muninn to identify and stop zero-day attacks as well as previously identified threats.

AI-based response

Security teams are working harder than ever to regain control of their digital estate. Today’s cyber-threats are sophisticated, fast-moving, and devastating. With digital business infrastructure getting more complex, human teams cannot respond to attacks fast enough.

Muninn uses AI to instantly mount the most effective response to cyber-threats. Because Muninn autonomously learns normal network behaviors and has a highly developed understanding of your organization’s legitimate traffic patterns, the AI can respond to novel threats that have never been seen before – buying security teams the time they need to catch up.

Muninn's AI-based response capability integrates with your organization's infrastructure in multiple ways:

1) Muninn acts as the hub of the entire security stack. Through integrations, Muninn seamlessly adds AI power to your existing defense infrastructure. In this scenario, Muninn AI responds through software defined networks (SDN), interacting with managed services that provide a block / unblock API, e.g. Unifi SDN.

2) Muninn autonomously neutralizes attacks in seconds – without relying on third-party security tools or network devices. By mounting a TCP reset attack, Muninn effectively quarantines the compromised device, interrupting and resetting its connections to other devices.

Machine learning methods

Muninn Cyber AI consists of advanced proprietary algorithms that work together to build an accurate model of every user and device, enabling the anomaly detection module to precisely discover abnormal and potentially malicious behavior. Models and methods are carefully chosen to provide maximal explainability, such that anomalies are accompanied by useful and actionable information, helping the operator understand why an event is considered anomalous.

Muninn leverages two distinct machine learning engines to detect the most subtle threats:

1) The clustering machine learning engine uses unsupervised machine learning and probabilistic methods to autonomously baseline network traffic, and from that distinguish abnormal and potentially malicious behavior. When, for instance, a host has received or sent more data than is normal for the monitored network, Muninn will instantly detect the anomaly.

2) The Dyadic machine learning engine (Dyadic ML) represents and processes data in a profoundly novel way. By building and continuously updating a model based on interactions between all observed originators and responders (therefore dyadic), Dyadic ML obtains a very precise understanding of normal traffic patterns, looking months back in time. The vast amount of data is transformed into a stochastic model using high dimensional tensor factorization, enabling the ML engine to evaluate real time events, detect anomalies, and provide a score and probability of how unusual the anomaly is.

Onboard users with minimal false positives

Muninn Cyber-AI uses its detailed model of normal behavior and traffic patterns to determine whether a particular device is behaving unusually compared to other devices that tend to behave similarly – allowing the technology to distinguish users adopting new habits from coworkers from users stepping outside their domain entirely.

Muninn’s approach to computing user similarity adopts the Bray-Curtis Dissimilarity measure, developed by ecologists to "quantify the compositional dissimilarity between two different sites". The measure takes into account species present at either or both sites, such that similar sites are those with many species in common in roughly the same amounts.

Importantly, however, the measure appropriately ignores all the species in the world that are found at neither site. This is critical, since the number of species not present will outnumber those present by many orders of magnitude. Failing to do so would make any site 99% similar to any other site, based only on the abundance of species present at neither.

Applying the Bray-Curtis measure of wildlife similarity to Muninn's task of computing user/device similarity, we consider every device a site and every traffic pattern a species of animal. The resulting measure quantifies how much behaviour two devices have in common versus how much behaviour is unique to either host, whilst completely ignoring all possible behaviour exhibited by neither device. The equation for the Bray-Curtis dissimilarity is shown below.

This approach yields similarity values between 0 and 1 that scale well as more components / traffic patterns are introduced to the matrix. The result is a model that allows devices to engage in new patterns of behaviour over time, as long as the newly adopted behaviour is considered normal by other, otherwise similar devices.

We consider this similarity algorithm a crucial element of our Anomaly Detection model, as it greatly reduces false positives related to adding new servers and users on the network, whilst still reacting to 1) Completely novel behaviour exhibited by no existing device, and 2) Existing users and devices engaging in behaviour completely outside their normal domain.
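The following is an added illustration of the device-similarity idea described above; it is example code written for this page, not Muninn's own implementation. It computes the standard Bray-Curtis dissimilarity (sum of |a_k − b_k| over sum of (a_k + b_k), taken over patterns present on at least one of the two devices) between per-device traffic-pattern profiles, finds each device's nearest peers, and then uses those peers to sort a not-yet-seen pattern into the three cases the text distinguishes: a habit adopted from similar devices (normal), a pattern seen only on dissimilar devices (outside the device's domain), or a pattern no device exhibits (novel). The device names, pattern labels, counts, the peer count `k` and the `peer_threshold` cut-off are all constructed assumptions for the example.

```python
"""Bray-Curtis device similarity with peer-aware novelty gating (added example)."""
from typing import Dict, List, Tuple

# Constructed sample input (not real telemetry): per-device counts of observed
# traffic patterns over a baselining window. Each device is a "site", each
# pattern label a "species". Patterns a device never shows are simply absent,
# so they cannot contribute to any comparison.
DEVICES: Dict[str, Dict[str, float]] = {
    "ws-01": {"dns": 120, "https": 800, "smb": 40, "ldap": 15},
    "ws-02": {"dns": 100, "https": 700, "smb": 55, "ldap": 10},
    "ws-03": {"dns": 130, "https": 900, "smb": 30, "ldap": 20, "rdp": 5},
    "db-01": {"dns": 10, "mysql": 5000, "ssh": 20},
    "db-02": {"dns": 12, "mysql": 4200, "ssh": 25},
}


def bray_curtis(a: Dict[str, float], b: Dict[str, float]) -> float:
    """Bray-Curtis dissimilarity: sum|a_k - b_k| / sum(a_k + b_k).

    The sum runs only over patterns present on at least one of the two
    devices, so everything absent from both is ignored by construction.
    Returns 0.0 for identical profiles and 1.0 for profiles that share no
    pattern at all; similarity is 1 - dissimilarity.
    """
    keys = set(a) | set(b)
    numerator = sum(abs(a.get(k, 0.0) - b.get(k, 0.0)) for k in keys)
    denominator = sum(a.get(k, 0.0) + b.get(k, 0.0) for k in keys)
    if denominator == 0:
        return 0.0  # two empty profiles: nothing to compare, treat as identical
    return numerator / denominator


def nearest_peers(device: str, k: int = 2) -> List[Tuple[str, float]]:
    """Return the k other devices with the lowest dissimilarity to `device`."""
    scores = [
        (other, bray_curtis(DEVICES[device], DEVICES[other]))
        for other in DEVICES
        if other != device
    ]
    scores.sort(key=lambda item: item[1])
    return scores[:k]


def classify_new_pattern(
    device: str, pattern: str, k: int = 2, peer_threshold: float = 0.5
) -> str:
    """Sort a pattern newly observed on `device` into one of three outcomes.

    "normal"         - already seen on the device, or exhibited by a peer whose
                       dissimilarity is at most `peer_threshold` (a habit
                       adopted from similar devices)
    "outside_domain" - exhibited elsewhere on the network, but only by
                       devices that are not similar to this one
    "novel"          - exhibited by no monitored device at all
    The threshold and k are assumed values chosen for this example.
    """
    if pattern in DEVICES[device]:
        return "normal"
    exhibitors = {d for d, profile in DEVICES.items() if d != device and pattern in profile}
    if not exhibitors:
        return "novel"
    similar_peers = {d for d, bc in nearest_peers(device, k) if bc <= peer_threshold}
    if similar_peers & exhibitors:
        return "normal"
    return "outside_domain"


if __name__ == "__main__":
    for name in DEVICES:
        print(name, "->", [(p, round(bc, 3)) for p, bc in nearest_peers(name)])
    for pat in ("rdp", "mysql", "tor"):
        print("ws-01 starts", pat, "=>", classify_new_pattern("ws-01", pat))
```

With the constructed profiles, the two database hosts sit at a dissimilarity above 0.99 from every workstation even though all of them share the `dns` pattern, because the comparison is dominated by the patterns present on one side only; the workstations cluster tightly (well under 0.1 from each other). A workstation picking up `rdp` is treated as normal since a close peer already shows it, picking up `mysql` is flagged as stepping outside its domain, and a pattern nobody exhibits is flagged as novel, which are the two reaction cases listed above.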

Read the full Muninn Whitepaper