Muninn’s threat detection engine leverages data from known attacks to detect threats, but it also uses your organization’s real-time data to build a sophisticated model of regular network behaviors. This approach to AI-based cybersecurity enables Muninn to identify and stop zero-day attack as well as previously identified threats.
Security teams are working harder than ever to regain control of their digital estate. Today’s cyberthreats are sophisticated, fast-moving, and devastating. With digital business infrastructure getting more complex, SOC teams cannot respond to attacks fast enough. Muninn uses unsupervised machine learning. This type of learning involves the use of unlabeled data, where the machine is given a dataset and must find patterns and relationships within this data on its own. This allows Muninn to instantly mount the most effective response to cyberthreats – buying your security team the time they need to catch up.
Anomaly detection is a significant aspect of machine learning, and crucial in the field of cybersecurity to identify a potential threat or attack. There are several types of anomalies:
Point Anomalies (ML1)
Point anomalies are single instances of data that are too far off from the rest. These are the simplest type of anomaly and are the easiest to detect. For example, if the normal range of a certain data parameter is between 1 and 10, and suddenly a value of 100 is recorded, that is considered a point anomaly.
In the context of cybersecurity, point anomalies could represent a single instance of suspicious activity, such as a user logging in from an unfamiliar location or a sudden large file download. Detecting point anomalies involves establishing a profile of what is "normal" behavior. This could be based on statistical measures such as the mean and standard deviation of the data. Any data points that deviate significantly from this normal profile cab be flagged as potential anomalies.
Dyadic Anomalies (ML2)
Dyadic anomalies, also known as contextual or conditional anomalies, are data instances that deviate significantly from the rest of the data in the same context. This context is often based on categorical data. For example, a temperature reading of -5 degrees Celsius might be normal in winter, but would be considered an anomaly in summer.
In cybersecurity, a dyadic anomaly might be a user performing a task that is unusual for their role or department. For instance, a marketing executive accessing server configuration files would be a dyadic anomaly as the context is defined by the user role. Detecting dyadic anomalies involves creating a profile of normal behavior for each context. This might involve segmenting the data based on categorical variables and then applying point anomaly detection techniques to each segment.
One key feature of Muninn is its choice of models and methods, which have been selected specifically for their high level of explainability. Meaning that the output can be explained in a way that “makes sense” to a human being at an acceptable level. Any anomalies or unusual patterns the system detects are not just simply flagged; but come with comprehensive and useful information.
This information helps your cybersecurity team managing the system to understand why a particular event or pattern is considered out of the ordinary. In other words, it doesn't just alert you to potential problems—it gives you the insights you need to understand what's going on, making it easier to take effective action.