About the Plixer ML Engine
Unlike conventional security solutions that alert users only after indications of a breach are discovered, the Plixer ML Engine is designed to actively monitor network activity and alert its users to potential threats in real time.
The Plixer ML Engine relies on several key functions to enable intelligent, multi-layered threat detection in Plixer Scrutinizer:
- Comprehensive network behavior modeling

  The Plixer ML Engine is capable of ingesting large volumes of flow data through Plixer Scrutinizer, as defined by the configured inclusions and dimensions. This data can then be used to model network behavior at any given time.

  Over time, the engine is able to identify typical activity patterns in these models and recognize deviations, such as data accumulation/exfiltration, tunneling, and lateral movement, that may indicate an attack on the network.

- Highly configurable ML modeling

  To support a wider range of enterprise network scenarios, the Plixer ML Engine supports user-defined inclusions and dimensions. This allows for behavior modeling based on the most relevant hosts and traffic in a given environment.

  When building its behavior models, the engine takes into account all characteristics that can make an environment unique, such as legitimate traffic patterns, host/group importance, and seasonality.

- ML-based malware detection

  The Plixer ML Engine uses pre-trained classification models to recognize generic network activity patterns that are associated with common classes of malware, including command and control, remote access trojans, and exploit kits.

  When enabled, this provides another layer of protection that further reduces risk and mean time to resolution (MTTR) when threats are detected.

- Continuous observation and learning

  As it continues to ingest flow data, the Plixer ML Engine updates its behavior models based on a schedule that defines weekdays, weeknights, and weekends.

  This allows the engine to not only account for changes in legitimate activity patterns but also recognize more sophisticated threats that attempt to disguise their behavior as normal activity.
Tuning recommendations
The Plixer ML Engine ships with a factory configuration that will allow it to function in common environments out of the box. However, its detection and reporting functions can be further optimized by tailoring its configuration to the environment it has been deployed to.
To tune the engine to report more accurate and relevant Alarms and Events, the following steps are recommended after its deployment:
1. Review the Admin > Alarm Monitor > Manage ML Inclusions page to verify that the automatically selected hosts are the best suited for modeling the overall state of the environment.
2. Review the Admin > Alarm Monitor > Manage ML Dimensions page to verify that the default list of dimensions sufficiently covers the types of traffic expected in the environment.
3. When adding new inclusions or dimensions, leave the sensitivity setting at its default value and closely monitor all Alarms/Events being reported by the engine for a period of at least 7 days. If too many anomalies/deviations are being reported, the sensitivity can be increased to improve accuracy.
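To make the ideas in the feature list above (inclusions, dimensions, schedule-aware baselines) and the sensitivity step concrete, here is an added illustrative example; it is not Plixer's code and does not reproduce the engine's actual models. It assumes a simple z-score rule, a constructed two-week set of hourly outbound-volume samples for one host, and the weekday/weeknight/weekend split the engine's update schedule describes.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def schedule_bucket(ts):
    """Weekday / weeknight / weekend split, mirroring the engine's update schedule."""
    if ts.weekday() >= 5:
        return "weekend"
    return "weekday" if 8 <= ts.hour < 18 else "weeknight"

def constructed_flows():
    """Two weeks of hourly outbound volume (MB) for one host. Constructed sample data:
    ~100 MB in business hours, ~20 MB at night, ~2000 MB at weekends (a weekend backup job)."""
    start = datetime(2024, 1, 1)  # a Monday
    flows = []
    for i in range(14 * 24):
        ts = start + timedelta(hours=i)
        base = {"weekday": 100, "weeknight": 20, "weekend": 2000}[schedule_bucket(ts)]
        flows.append((ts, "10.0.0.5", "outbound_mb", base + base * (i % 5) // 20))
    return flows

def build_baselines(flows, inclusions, dimensions, bucket=schedule_bucket):
    """Per (host, dimension, bucket) mean/std, restricted to the modeled inclusions and dimensions."""
    samples = defaultdict(list)
    for ts, host, dim, value in flows:
        if host in inclusions and dim in dimensions:
            samples[(host, dim, bucket(ts))].append(value)
    return {k: (mean(v), pstdev(v)) for k, v in samples.items()}

def deviations(baselines, flows, sensitivity=3.0, bucket=schedule_bucket):
    """Flag flows more than `sensitivity` standard deviations above their baseline (an assumed
    z-score rule for illustration; raising the value reports fewer deviations, as in step 3)."""
    hits = []
    for ts, host, dim, value in flows:
        key = (host, dim, bucket(ts))
        if key not in baselines:
            continue  # host or dimension is not modeled: nothing to compare against
        mu, sigma = baselines[key]
        if value > mu + sensitivity * max(sigma, 1.0):  # floor sigma so a flat baseline cannot alert on noise
            hits.append((ts.isoformat(), host, dim, value, key[2]))
    return hits

def demo():
    """Compare schedule-aware baselines with one pooled baseline on two 2100 MB probes."""
    flows, hosts, dims = constructed_flows(), {"10.0.0.5"}, {"outbound_mb"}
    probes = [(datetime(2024, 1, 20, 14), "10.0.0.5", "outbound_mb", 2100),   # Saturday: backup-sized, expected
              (datetime(2024, 1, 17, 14), "10.0.0.5", "outbound_mb", 2100)]   # Wednesday 14:00: exfil-like
    pooled = lambda ts: "all"
    return {"scheduled": deviations(build_baselines(flows, hosts, dims), probes),
            "pooled": deviations(build_baselines(flows, hosts, dims, pooled), probes, bucket=pooled)}
```

Calling `demo()` shows why seasonality matters: the pooled baseline is inflated by the weekend backups and misses the Wednesday transfer, while the schedule-aware baseline reports only that one.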