
Network intelligence with machine learning

Whether you’re monitoring an enterprise network for performance or security, you need a tool to help collect and process data. Data is good to have, but it’s really just documentation unless you can put it to use. Almost every organization wonders how they can use data to improve network performance or security. Machine learning helps provide an answer to that question.

The tech industry is full of acronyms and buzzwords, so it can be difficult to know when something is truly useful and not just a passing trend. In the case of machine learning, this technology provides immense value for monitoring and analyzing a network for security and performance. Before we get into how NetOps and SecOps teams can use machine learning, we need to dig a little into what exactly it is. 

What Is Machine Learning? 

A branch of artificial intelligence (AI), machine learning uses algorithms that adjust over time to provide more accurate analysis of the data passing through them. The goal of machine learning (ML) is to imitate human learning, but in essence it is a set of algorithms that change based on the data they process. Unlike other forms of AI, which operate under fixed parameters, the algorithms in an ML engine change over time. The change comes from the data the engine ingests, making its analysis more accurate.

The “learning” comes in a few flavors. With supervised learning, you feed labeled datasets into an ML engine to teach it how to respond to specific situations. Supervised learning is sort of like taking your ML engine to school: it conditions the engine to understand specific data more quickly. Unsupervised learning is more like on-the-job training. Rather than setting conditions around the data, you simply feed the ML engine unlabeled data and allow its algorithms to change without instruction. The ML engine ingests the unlabeled datasets and begins to detect patterns, groupings, and anomalies within each dataset.

The final type of “learning” is referred to as deep learning. To quote IBM:

“Deep” machine learning can leverage labeled datasets, also known as supervised learning, to inform its algorithm, but it doesn’t necessarily require a labeled dataset. It can ingest unstructured data in its raw form (e.g. text, images), and it can automatically determine the set of features which distinguish different categories of data from one another. Unlike machine learning, it doesn’t require human intervention to process data, allowing us to scale machine learning in more interesting ways. 

Most sophisticated ML engines use a combination of these three types of learning. That said, it’s not uncommon to come across ML engines that only harness one or two types of learning.  

How Can SecOps Use Machine Learning? 

For security teams, machine learning can be applied to a network detection and response (NDR) solution. An NDR solution can harness ML to surface suspicious network behavior. The ML engine processes network flow data to set a baseline of normal behavior for each device. Then, rather than hunting for the often hidden or obscured signs of a compromise, the ML engine uses unsupervised learning to detect behavior that deviates from that baseline.

This is important because the tactics, techniques, and procedures a bad actor uses to compromise the network may look normal to the human eye. But because an ML engine can process and analyze massive amounts of data, it quickly spots abnormal behaviors such as data accumulation, data exfiltration, brute force, tunneling, worm activity, and lateral movement. When the engine alerts you to suspicious behavior, you can investigate and remediate any compromise of your network in a timely fashion.
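The per-device baseline and anomaly flagging described above, as an added example (not Plixer's code): hourly flow summaries are constructed inline, a robust baseline (median and MAD) is learned per device from unlabeled data, and later hours are flagged when bytes out or the count of distinct destinations deviates far from that device's own norm. Device names, thresholds and the 24-hour training window are assumptions.

```python
"""Per-device flow baseline with unsupervised anomaly flagging (added example, constructed data)."""
from collections import defaultdict
from statistics import median

TRAIN_HOURS = 24  # assumed: hours used to learn each device's normal behaviour

def constructed_flows():
    """Constructed hourly flow summaries: (device, hour, bytes_out, distinct_destinations)."""
    flows = []
    for h in range(TRAIN_HOURS):
        flows.append(("ws-17", h, 40_000_000 + (h % 5) * 2_000_000, 5 + h % 3))
        flows.append(("db-01", h, 900_000_000 + (h % 4) * 10_000_000, 2))
    # Two post-training hours: ws-17 pushes ~1.2 GB out (exfiltration-like), then
    # talks to 60 distinct hosts (lateral-movement-like); db-01 stays ordinary.
    flows += [("ws-17", 24, 1_200_000_000, 6), ("db-01", 24, 900_000_000, 2),
              ("ws-17", 25, 44_000_000, 60), ("db-01", 25, 910_000_000, 2)]
    return flows

def robust_stats(values):
    """Median and median absolute deviation; a MAD of 0 is floored so division is safe."""
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0
    return med, mad

def robust_z(x, med, mad):
    """Robust z-score; 0.6745 scales MAD to a standard deviation for normal data."""
    return 0.6745 * (x - med) / mad

def baselines(flows, train_hours=TRAIN_HOURS):
    """Learn per-device (median, MAD) for each metric from the training hours; no labels needed."""
    per_dev = defaultdict(lambda: {"bytes_out": [], "distinct_dsts": []})
    for dev, hour, bytes_out, dsts in flows:
        if hour < train_hours:
            per_dev[dev]["bytes_out"].append(bytes_out)
            per_dev[dev]["distinct_dsts"].append(dsts)
    return {dev: {k: robust_stats(v) for k, v in m.items()} for dev, m in per_dev.items()}

def detect(flows, base, train_hours=TRAIN_HOURS, threshold=3.5):
    """Flag post-training hours where a metric exceeds its own device's robust z threshold."""
    alerts = []
    for dev, hour, bytes_out, dsts in flows:
        if hour < train_hours or dev not in base:
            continue
        for metric, value in (("bytes_out", bytes_out), ("distinct_dsts", dsts)):
            z = robust_z(value, *base[dev][metric])
            if z > threshold:
                alerts.append((dev, hour, metric, round(z, 1)))
    return alerts
```

Note that db-01 moves far more data than ws-17 every hour yet raises nothing, because each device is judged against its own baseline rather than a network-wide average.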

Additionally, you can train an ML engine to detect malware through supervised learning. Because most malware families share characteristics, you can plug in labeled datasets that help an ML engine better understand and recognize the presence of malware. This, again, helps teams more quickly detect threats on the network and act to prevent a breach.  

How Can NetOps Use Machine Learning? 

In a similar vein, you can apply ML to network performance monitoring and diagnostics (NPMD) solutions to ensure strong performance across your network. An ML engine takes in network flow data to determine a baseline for interface behavior across your network. With that baseline established, you can forecast capacity to identify future usage hotspots, forecast multiple classes of data, generate threshold boundaries, identify seasonal variances, and generate data in support of infrastructure planning.

Additionally, you can extract business data from network performance data. Because network data can be forecast, you can take a non-network-specific measure whose activity crosses the network and project how it will behave in the future. For instance, say you have a point of sale (POS) application on your network. Because every credit card transaction triggers network activity from the POS, you can extract projected transactions for a desired timeframe.
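An added example (not Plixer's code) of the interface baseline, seasonal threshold boundaries and forecasting described in the two paragraphs above: a week of hourly utilization samples is constructed inline with a business-hours plateau and steady growth, a per-hour-of-day band is learned so that a value normal at noon is flagged at 3 a.m., and a linear trend on daily peaks projects the day the interface would exceed an assumed capacity. The sample shape, the 3-sigma band and the capacity figure are assumptions.

```python
"""Seasonal interface baseline, threshold bands and a capacity forecast (added example)."""
from statistics import mean, stdev

HOURS_PER_DAY = 24

def constructed_utilization(days=7, growth_per_day=10):
    """Constructed hourly Mbps samples: business-hours plateau, night trough, linear growth."""
    samples = []
    for day in range(days):
        for hour in range(HOURS_PER_DAY):
            base = 600 if 9 <= hour < 18 else 150
            jitter = ((day * 7 + hour) % 5) * 4  # deterministic stand-in for noise
            samples.append(base + jitter + day * growth_per_day)
    return samples

def seasonal_bands(samples, k=3.0):
    """Per hour-of-day (lower, mean, upper) thresholds at k standard deviations."""
    bands = []
    for hour in range(HOURS_PER_DAY):
        vals = samples[hour::HOURS_PER_DAY]  # the same hour across all days
        m, s = mean(vals), stdev(vals)
        bands.append((m - k * s, m, m + k * s))
    return bands

def exceeds_band(bands, hour, value):
    """True when a new sample falls outside the band learned for that hour of day."""
    lo, _, hi = bands[hour % HOURS_PER_DAY]
    return value < lo or value > hi

def linear_fit(ys):
    """Least-squares slope and intercept of ys against their index 0..n-1."""
    xs = range(len(ys))
    mx, my = mean(xs), mean(ys)
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)
    return slope, my - slope * mx

def days_until_saturation(samples, capacity_mbps):
    """Fit a trend to daily peaks; return the first day whose projected peak exceeds capacity."""
    n_days = len(samples) // HOURS_PER_DAY
    peaks = [max(samples[d * HOURS_PER_DAY:(d + 1) * HOURS_PER_DAY]) for d in range(n_days)]
    slope, intercept = linear_fit(peaks)
    if slope <= 0:
        return None  # flat or shrinking: no saturation forecast
    day = n_days
    while intercept + slope * day <= capacity_mbps:
        day += 1
    return day
```

The same trend fit applied to a per-application volume (the POS traffic in the example above) gives the projected transaction load for a future window.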

How Does Plixer Use Machine Learning?  

As a leader in the NDR and NPMD markets, we use ML to provide insight and detect network anomalies. If you’re interested in learning more, read our latest white paper, How Plixer Uses Machine Learning for Network Security and Performance, or schedule a demo today.