Machine Learning Analysis Applied to Cyber Threat Hunt Data
Description
The Use Case addresses the problem of how to maximally assess available data to identify anomalies and other patterns that may inform the cyber threat hunt process.
Detailed example
Currently it is a list of potential anomalies or outliers within the system, but development is still ongoing.
AI / analytics pattern
Classical/Predictive Machine Learning: Models trained on data to make predictions or classifications based on identified patterns or relationships.
Automation level / stage
a) Pre-deployment – The use case is in a development or acquisition status.
Expected benefit
Cyber threat hunts typically involve a vast amount of data. Machine learning models can quickly and efficiently process this data as well as more effectively identify anomalous activity than humans. This could improve the efficiency and quality of cyber threat hunts by detecting suspicious behavior more quickly and increasing the amount of data that can be analyzed during a hunt.
Audit / financial statement impact
The AI outputs do not produce an action or serve as a principal basis for a decision that has the potential to significantly impact the safety of human-life or well-being, climate or environment, critical infrastructure, or strategic assets or resources. This use case detects anomalies or outliers, and also may be used to classify or categorize certain activity within data that has already been collected during an authorized cyber threat hunt operation within TSA’s networks. The AI outputs are reviewed by a human analyst team to determine if any of the patterns might be associated with unusual activity. The analyst would then continue to investigate further as during normal threat hunt operations.
Controls / human review
ATO: Not reported; PIA: Not published