Introduction:
The purpose of this technical note is to clarify certain aspects of the behavior of the CyberAssistant (CA): how it analyzes the behavioral patterns of alerts and the analyst's responses to them. The CA is an AI-powered system designed to analyze and learn from existing behavioral patterns by examining existing data. It operates independently of many other factors and focuses mainly on behavior similarity to determine whether an alert is malicious or benign.
Behavioral Analysis:
The CA learns from past behavior and adapts to specific environments by identifying patterns. The analysis compares the behavior of suspicious events and labels them as either benign or malicious based on analyst input. When it evaluates alerts, the CA does not specifically consider the trigger type; it takes other factors into account as well.
Environment Considerations:
The CA is engineered to operate in production environments where multiple alerts and events with varying degrees of similarity exist. The examples mentioned below come from the environment used for Proof of Concept (PoC) and demos, which features a significant number of identical or highly similar recurring alerts from the past. Such an environment, especially one with a history of similar alerts that the analyst might not be aware of, can generate uncertainty in the CA's evaluations.
Example Alerts
The following examples illustrate the CA's behavior and its response:
- Alert 1:
  - Uncertainty Degree: 50/50
  - Past Similarity Overlap: 85.69% with previously identified token stealing alerts.
  - The CA exhibits uncertainty due to the significant overlap with a previously analyzed history of alerts.
- Alert 2:
  - Uncertainty Degree: None
  - Behavioral Analysis: The general behavior in this alert is noticeably different from others.
  - The CA marks this alert as malicious without uncertainty due to significant dissimilarity.
- The CA now considers all alerts and their respective behavior.
- The system is capable of processing a much higher number of alerts than ever before.
- Environments with similar or recurring behavior might experience increased uncertainty initially.
- The CA tends to match highly similar behavior, such as token stealing in this case.
- In production environments, the actual differentiation between alerts helps the CA automatically distinguish between them more effectively.
Suggestions for Improving CA Performance
To enhance the CA's performance in production (or PoC turned production) environments, the following actions are recommended:
- Generation of Alerts with Visually Different Behavior:
  - Introduce diversification by creating alerts with visually distinct behavior (in a PoC, this removes the initial uncertainties).
  - Diversification helps the CA adapt to a standard production environment, where similar behavior is less pronounced.
- Continued Labeling of Alerts as "Malicious":
  - Consistently label alerts that analysts consider malicious as "malicious".
  - This labeling assists the CA in recognizing and classifying similar threats accurately.
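As an added illustration (not the CA's own algorithm, whose internals this note does not describe), the following constructed similarity-vote model shows why a PoC history of near-identical token stealing alerts with mixed analyst verdicts yields a 50/50 result, and how consistent "malicious" labeling removes that uncertainty. The behavior tags, the Jaccard similarity measure, the 0.8 threshold and the 30-70% uncertainty band are all assumptions of this example.

```python
"""Constructed model (not the CA's actual algorithm) of how recurring, inconsistently
labeled alerts in a PoC history produce uncertainty, and how consistent labeling removes it."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Alert:
    name: str
    behaviors: frozenset          # constructed behavior tags observed in the alert
    label: Optional[str] = None   # analyst verdict: "malicious", "benign" or None


def similarity(a: frozenset, b: frozenset) -> float:
    """Jaccard overlap of two behavior-tag sets: 0.0 (disjoint) to 1.0 (identical)."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def evaluate(new: Alert, history: list, threshold: float = 0.8) -> dict:
    """Weight each labeled historical alert above the similarity threshold by its overlap
    and return the malicious share of that vote plus an uncertainty flag (near 50/50)."""
    scored = [(similarity(new.behaviors, h.behaviors), h.label)
              for h in history if h.label is not None]
    similar = [(s, lbl) for s, lbl in scored if s >= threshold]
    if not similar:
        # Nothing comparable in the history: this model gives no history-based verdict.
        return {"similar_count": 0, "malicious_share": None, "uncertain": False}
    total = sum(s for s, _ in similar)
    share = sum(s for s, lbl in similar if lbl == "malicious") / total
    return {"similar_count": len(similar),
            "malicious_share": round(share, 2),
            "uncertain": 0.3 <= share <= 0.7}


# Constructed token stealing behavior pattern shared by the demo alerts (assumed tags).
TOKEN_STEAL = frozenset({"lsass_handle_open", "token_duplicate",
                         "impersonation", "child_process_spawn"})


def poc_history() -> list:
    """Six near-identical demo alerts; half were closed as benign during demos."""
    return [Alert(f"demo-{i}", TOKEN_STEAL, "malicious" if i % 2 else "benign")
            for i in range(6)]


def relabel_malicious(history: list) -> list:
    """Apply the note's recommendation: label every alert analysts consider malicious."""
    return [Alert(h.name, h.behaviors, "malicious") for h in history]


if __name__ == "__main__":
    new = Alert("alert-1", TOKEN_STEAL)
    print(evaluate(new, poc_history()))                      # 50/50 vote -> uncertain
    print(evaluate(new, relabel_malicious(poc_history())))   # consistent -> confident
```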
Conclusion
The CyberAssistant (CA) operates by analyzing the behavior of alerts and learning from the analyst's responses to them. It adapts to specific environments and evaluates alerts without considering trigger types. In environments with recurring behavior, an initial increase in uncertainty and matching with highly similar behavior might be observed. By generating alerts with visually different behavioral patterns and maintaining consistent labeling, the CA's response in production environments (or PoC turned production) can be improved.
If you have any further questions or require additional information, do not hesitate to contact IBM ReaQta Support.