By automatically and incrementally learning those signatures, their nature and their evolution over time using advanced analytics, machine learning-based solutions give security organizations a clear understanding of the five "Ws":
"What" (type of application)
"Why" (purpose of the application)
"Who" (the application owner/users)
"Where" (network addresses involved with these applications)
"When" (point at which new control policies need to be enforced)
Breaking it Down: The Operational Life Cycle
With this background in mind, we can walk through the operational life cycle of a machine learning-based solution for application discovery, signature extraction and white list generation.
The process must begin by focusing on all the network traffic sessions for which security analysts want better visibility. Next, that traffic must be grouped cohesively to extract accurate signatures. Because the traffic seen on the wire does not lend itself to grouping based on protocols and applications (since they might not be known yet), multiple levels of filtering and clustering are required to create cohesive groups that can be used to generate reliable signatures.
The more cohesive each group, the more precise and reliable the signature extracted from it: the statistical algorithms look for what is invariant across a group's sessions, so a group that mixes applications shares fewer invariants and yields a weaker pattern. Once the solution has processed each group independently, it can extract precise signatures and their corresponding protocol/application labels (that is, names).
Once extracted, these signatures become a proxy for the identity of the protocol or application. Where validation is required, the security analyst can assess them offline, apply any modifications, and run batteries of coverage tests (does the signature match all of the application's traffic?) and collision tests (does it also match traffic belonging to other applications?). When the security analyst is satisfied with the outcome, the signature is approved and the associated control policies are exported to the DPI system in place.
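As an added illustration (example code written for this article, not any product's implementation), the following Python sketch runs the life cycle above end to end on constructed traffic: sessions are filtered by destination port and clustered on positional byte agreement, each cluster with enough support yields a byte pattern with wildcards, held-out sessions drive the coverage and collision tests, and only analyst-approved signatures are exported as allow-list rules. The "APPX"/"APPY" protocols, the thresholds and every payload are assumptions made for the example; a real system would use far richer statistics than positional byte equality.

```python
"""Toy version of the life cycle described above: filter and cluster sessions, extract a
byte signature per cohesive cluster, run coverage and collision tests on held-out traffic,
then export allow-list rules for approved signatures. All payloads are constructed."""
from collections import Counter, defaultdict

MAX_OFFSET = 12   # signatures cover only the first 12 payload bytes
CMP_WINDOW = 8    # clustering compares the first 8 bytes position by position...
MIN_MATCHES = 4   # ...and a session joins a cluster if >= 4 of those positions agree
MIN_SUPPORT = 2   # clusters with fewer sessions yield no signature

# (label, dst_port, first payload bytes). Labels stand in for whatever naming source a real
# deployment uses (e.g. the analyst naming a cluster); clustering never reads them.
# "APPX"/"APPY" are made-up protocols invented for this example.
TRAINING = [
    ("http", 80,   b"GET /index.html HTTP/1.1\r\n"),
    ("http", 80,   b"GET /logo.png HTTP/1.1\r\n"),
    ("http", 80,   b"POST /api/login HTTP/1.1\r\n"),
    ("http", 80,   b"POST /submit HTTP/1.1\r\n"),
    ("ssh",  22,   b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("ssh",  22,   b"SSH-2.0-libssh_0.9.6\r\n"),
    ("tls",  443,  b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03\xaa\xbb"),
    ("tls",  443,  b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03\x11\x22"),
    ("appx", 9000, b"APPX\x01\x00\x00\x10hello world!"),
    ("appx", 9000, b"APPX\x02\x00\x00\x08goodbye!"),
]
HOLDOUT = [  # never used for extraction; drives the validation tests
    ("http", 80,   b"GET /about HTTP/1.1\r\n"),
    ("http", 80,   b"POST /login HTTP/1.1\r\n"),
    ("ssh",  22,   b"SSH-2.0-dropbear_2020.81\r\n"),
    ("tls",  443,  b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03\x99"),
    ("appx", 9000, b"APPX\x03\x00\x00\x04ping"),
    ("appy", 9001, b"APPX\x09\x00\x00\x02ok"),  # a different app reusing the same header style
]

def cluster_sessions(sessions):
    """Level 1: split by destination port. Level 2: greedy clustering on byte agreement."""
    by_port = defaultdict(list)
    for s in sessions:
        by_port[s[1]].append(s)
    clusters = []
    for port in sorted(by_port):
        port_clusters = []
        for s in by_port[port]:
            for c in port_clusters:
                agree = sum(x == y for x, y in zip(c["ref"][:CMP_WINDOW], s[2][:CMP_WINDOW]))
                if agree >= MIN_MATCHES:
                    c["members"].append(s)
                    break
            else:  # no existing cluster accepted the session, so it seeds a new one
                port_clusters.append({"port": port, "ref": s[2], "members": [s]})
        clusters.extend(port_clusters)
    return clusters

def extract_signature(payloads):
    """Offsets below MAX_OFFSET where every payload has the same byte; the rest are wildcards."""
    n = min(MAX_OFFSET, min(len(p) for p in payloads))
    return {i: payloads[0][i] for i in range(n) if all(p[i] == payloads[0][i] for p in payloads)}

def matches(pattern, payload):
    return all(len(payload) > off and payload[off] == val for off, val in pattern.items())

def render(pattern):
    """Hex with '??' wildcards, the form an analyst reviews (e.g. '160301????0100')."""
    return "".join(f"{pattern[i]:02x}" if i in pattern else "??"
                   for i in range(max(pattern, default=-1) + 1))

def build_signatures(sessions):
    """One signature per cluster with enough support; purity measures its cohesiveness."""
    sigs = []
    for c in cluster_sessions(sessions):
        if len(c["members"]) < MIN_SUPPORT:
            continue
        label, count = Counter(s[0] for s in c["members"]).most_common(1)[0]
        sigs.append({"label": label, "port": c["port"], "purity": count / len(c["members"]),
                     "pattern": extract_signature([s[2] for s in c["members"]])})
    return sigs

def validate(sigs, holdout):
    """Coverage: share of each label's held-out sessions hit by one of its own signatures.
    Collisions: (signature label, traffic label) where a signature hit another application."""
    coverage = {}
    for label in sorted({s[0] for s in holdout}):
        own = [s for s in holdout if s[0] == label]
        own_sigs = [g["pattern"] for g in sigs if g["label"] == label]
        coverage[label] = sum(any(matches(p, s[2]) for p in own_sigs) for s in own) / len(own)
    collisions = [(g["label"], s[0]) for g in sigs for s in holdout
                  if s[0] != g["label"] and matches(g["pattern"], s[2])]
    return coverage, collisions

def export_policies(sigs, approved):
    """Allow-list for the DPI system: one allow rule per approved signature, then default deny."""
    rules = [{"app": g["label"], "port": g["port"], "pattern": render(g["pattern"]), "action": "allow"}
             for g in sigs if g["label"] in approved]
    return rules + [{"app": "*", "port": "*", "pattern": "*", "action": "deny"}]

if __name__ == "__main__":
    sigs = build_signatures(TRAINING)
    coverage, collisions = validate(sigs, HOLDOUT)
    print([(g["label"], render(g["pattern"])) for g in sigs], coverage, collisions, sep="\n")
    # appx collides with appy, so the analyst has not approved it yet:
    print(*export_policies(sigs, approved={"http", "ssh", "tls"}), sep="\n")
```

Running it shows the situation the validation step exists to catch: the pattern learned for appx ("APPX" followed by a free byte and two zero bytes) also matches the constructed appy traffic because the two share a header convention, so appx is held back from the export until the analyst extends the pattern or adds a port constraint. The appy label gets zero coverage because no signature was learned for it; that is how still-unknown traffic shows up in the report. Note also that the HTTP cluster splits into two signatures (one for GET, one for POST), which is normal for an application with several request shapes.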
Now that the signatures are known and the protocol or application has been identified, the organization can use the information in a variety of ways: to set policy, gain visibility or block user access to those applications. The result is a more efficient and secure network, far less exposed to the risks that unauthorized applications bring.
In order to maintain the integrity of networks, without limiting productivity or adding operational expenses, administrators and security analysts need a replacement for the formerly days-long manual reverse-engineering process. The only option that can meet the security threshold — while maintaining the flexibility and productivity afforded by modern-day devices and applications — is the use of machine learning to automate application discovery, signature extraction and white list generation. This approach delivers the visibility, context and control required to keep networks secure.