Anomaly detection

Unlike most conventional security solutions, which alert users to a breach after discovering indications that one has occurred, Plixer’s ML-Engine-based platforms actively monitor network behavior to alert its users to anomalous traffic and activity in real time. This intelligent threat detection allows the PSI and PNI platforms to send notifications much sooner, greatly reducing the time it takes for NetOps and SecOps teams to respond to unauthorized or suspicious activity.

The Plixer ML Engine Engine enables this level of proactive anomaly detection and reporting through several key machine learning-based capabilities.

Full network visualization

Once deployed as part of either the PSI or PNI platform, the Plixer ML Engine begins ingesting data from collected flows to start compiling a dataset that represents the network’s typical, expected behavior. This dataset will cover the full range of activity on the network, including applications being used and communications to and from external hosts.

When a sufficient volume of data has been acquired, the engine identifies the data patterns indicating expected behavior and models a visualization of network behavior during normal operations. This baseline visualization is then used detect anomalous behavior, such as data accumulation/exfiltration, tunneling, and lateral movement, that may indicate that an attack is taking place.

Granular ML model adaptability

Because no two modern networks are alike, the Plixer ML Engine has been designed to account for the unique characteristics that define various network configurations, including subnet activity, threat sensitivity thresholds, and seasonality, when modeling a network’s expected behavior.

The engine also supports user-configured ML definitions, so both Plixer ML-Engine-based platforms can be deployed to virtually any type of scenario or environment without compromising its ability to detect threats.

Continuous observation and learning

As it continues to process network flow data, the Plixer ML Engine regularly re-models (every 24 hours) its visualizations for typical traffic to account for any additional patterns observed. This, in turn, refines the definitions used by the PSI or PNI platform to detect unauthorized or anomalous behavior.

In addition, the patterns discovered by the engine are used to refine a multi-layered analysis scheme that allows the system to detect more sophisticated threats that attempt to disguise their behavior as normal activity.

Note

For further details on how the Plixer ML Engine leverages deep learning to continuously improve its ability to detect potential threats, see the deep learning topic under the Plixer ML Engine section.

Pre-trained malware detection

In order to provide more comprehensive threat detection functions, the Plixer ML Engine has been pre-trained to recognize the characteristics of common classes of malware, including command and control, remote access trojans, and exploit kits.

This adds another layer of threat detection to the PSI and PNI platforms and further reduces both the risk of breaches and the mean time to resolution (MTTR) once threats are detected.

Note

For additional information on how the engine is able to differentiate between anomalous network behavior and actual threats, see the threat classification topic under the Plixer ML Engine section.