topic Re: about Active Learning in steathwatch in Security Analytics

about Active Learning in steathwatch

lin jia — Mon, 19 Mar 2018 06:30:39 GMT

as Cisco Stealthwatch Learning Network License Configuration Guide, Version 1.1 - Introduction [Cisco Stealthwatch Learning… says:"

Active Learning

As a user, you can review the reported anomalies from the controller web UI. You have the option of assigning relevance feedback to anomalies. The system incorporates this reinforcement into the DRL algorithms, allowing the system to learn based on your feedback. This improves anomaly detection, and allows the system to adapt to your needs, and better report relevant anomalies.

The system generates its initial baseline and identifies anomalies without user feedback. You do not need to provide relevance feedback, but providing this feedback improves the system's detection capabilities.

i think getting feedback by user through 'like' or 'dislike' is a manual tagging way, and it is not efficient. so i wonder can it works well

Re: about Active Learning in steathwatch

brford — Mon, 19 Mar 2018 19:13:26 GMT

Lin,

First you should know that Stealthwatch Learning Network was discontinued last year. This is not a product that you can buy anymore.

That said, it's important when any machine learning solution is deployed that there be feedback mechanisms in place that allow for users to 'score' findings. This is critical for the solution provider to be able to continuously train their machine learning algorithms and report on the accuracy of their solutions.

The Stealthwatch Learning Network product has been integrated back into Stealthwatch and the Engineers that developed this are working on incorporating this into Stealthwatch.

I hope this response is useful.

Brian

Re: about Active Learning in steathwatch

lin jia — Tue, 20 Mar 2018 01:45:48 GMT

Thank you for your reply,brford.

so you meant learning network is no longer sold independently but sold as a component of stealthwatch?

And i have another question,as mentioned in

https://clnv.s3.amazonaws.com/2015/usa/pdf/BRKSEC-3056.pdf

Anomaly detection in stealthwatch is (usually but not exclusively) implemented by unsupervised algorithm, more in detail, it model what is normal behaviour for some time(few days or few weeks in customer environment). But how does the user guarantee that the network environment is normal during this period, whether the network administrator must intervene to ensure that no abnormalities occur?

If my description is not clear enough, please let me know,thank you very much!

Re: about Active Learning in steathwatch

brford — Mon, 02 Apr 2018 15:33:39 GMT

This is a very common question raised when almost any security product is installed. How do we know what normal is? What if my site is under attack or has been compromised when the security product is installed?

The way that I address this question is that it is important that the security product be able to display information about the data that makes up it's baseline.

In Stealthwatch Enterprise the user has the capability of being able to drill down on an alarm to see where the data that contributes to that alarm is coming from. You can track backwards to see the exporter interface that contributed the data that drives a host alarm. From that interface you can investigate everything that the exporter reports. That gives the user the capability to assess that interface and compare it with another or compare the data exported at different points in time.

It's these comparisons that often yield issues to investigate. Sometimes these issues are non malicious. It could be a hardware fault in a network interface. But sometimes they result in taking actions; such as deploying an access control list (ACL) to temporarily block traffic to determine which, if any applications might be impacted.

Sometimes you investigate and you find evidence of known malware and you mitigate.