Transformative Approach of Darktrace: A technical overview.
Darktrace’s transformative approach to cyber defence relies on probabilistic methods developed by Cambridge mathematicians. Employing multiple unsupervised, supervised and deep learning techniques in a Bayesian framework, the enterprise immune system can integrate a vast number of weak indicators of anomalous behaviour to produce a single clear measure of threat probabilities.
For each unique environment, Darktrace generates millions of interrelated mathematical models which are correlated to ensure that only truly anomalous behaviour is detected without a profusion of false positives. Unlike rules-based computation, the results that probabilistic mathematics generate cannot simply be categorized as ‘yes’ or ‘no’ but instead indicate degrees of certainty, reflecting the ambiguities that inevitably exist in dynamic data environments.
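To make the 'degrees of certainty' idea concrete, here is an added example (not Darktrace's code or model) of naive-Bayes aggregation of weak indicators in log-odds space; the indicator names, the prior and every probability in the table are constructed values, not anything the vendor has published.

```python
"""Naive-Bayes aggregation of weak anomaly indicators into one threat
probability. Added illustration; not Darktrace's code or model. The prior
and the per-indicator probabilities below are constructed values."""
import math

# Constructed table: indicator -> (P(seen | threat), P(seen | benign)).
# Each indicator on its own is weak evidence; the likelihood ratios are small.
INDICATORS = {
    "new_external_destination": (0.60, 0.30),
    "rare_dns_domain_length": (0.45, 0.15),
    "unusual_hour_for_device": (0.30, 0.20),
    "peer_group_deviation": (0.50, 0.20),
    "smb_to_many_hosts": (0.40, 0.10),
}


def _logit(p):
    return math.log(p / (1.0 - p))


def threat_probability(observed, prior=0.02, indicators=INDICATORS):
    """Return (posterior, contributions).

    posterior     - P(threat | which indicators fired): a degree of
                    certainty, not a yes/no verdict.
    contributions - indicator -> log-odds contribution, so an analyst can
                    see which weak signals pushed the score up or down.
    Evidence is summed in log-odds space; an indicator that did NOT fire
    counts as mild evidence of benign behaviour rather than as zero.
    """
    unknown = set(observed) - set(indicators)
    if unknown:
        raise ValueError(f"unknown indicators: {sorted(unknown)}")
    log_odds = _logit(prior)
    contributions = {}
    for name, (p_threat, p_benign) in indicators.items():
        if name in observed:
            delta = math.log(p_threat / p_benign)
        else:
            delta = math.log((1.0 - p_threat) / (1.0 - p_benign))
        contributions[name] = delta
        log_odds += delta
    posterior = 1.0 / (1.0 + math.exp(-log_odds))
    return posterior, contributions


if __name__ == "__main__":
    for fired in ([], ["unusual_hour_for_device"], list(INDICATORS)):
        p, parts = threat_probability(set(fired))
        top = max(parts, key=parts.get)
        print(f"{len(fired)} indicator(s) fired -> P(threat)={p:.3f}, strongest: {top}")
```

One weak indicator barely moves the posterior, while all five together push it past even odds; the per-indicator contributions give the analyst the 'why' behind the single score.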
Darktrace & Deep Learning
Darktrace also uses deep learning to enhance its modelling processes. Deep learning is a subset of machine learning that uses the cascading interactions of layered mathematical processes, known as neural nets, to give intelligent systems a higher degree of insight. Multi-layered neural nets can improve the detection and remediation of certain threats, for example in the identification of DNS anomalies, which are less effectively tracked by other machine learning methods. Darktrace’s deep learning system assigns a score to all DNS data from a device, with the purpose of identifying suspicious activity even faster.
Darktrace also clusters devices into peer groups, based on its own understanding of how those devices behave, and uses supervised learning to uncover sequences of breaches and unusual patterns, or to detect aberrant activity at a higher, more holistic level. For example, the WannaCry ransomware was easily detected by Darktrace because it breached a number of different ‘pattern of life’ models. Using supervised learning, Darktrace can replicate the process of a human interpreting various sets of breaches for a device or network over time, and so present correlated alerts instead of a multitude of separate ones.
Supervised learning is also used by Darktrace to understand more about the environment, without a human having to label it. For example, by observing millions of different smartphones, Darktrace gets faster and faster at identifying a new device as a ‘smartphone’, and even at identifying what type of smartphone it is.
Using deep and supervised techniques to complement its core unsupervised machine learning algorithms, Darktrace builds up unique, contextual knowledge about network activity and integrates the insights of our global deployments to improve threat detection.
Finally, Darktrace also uses deep learning techniques to automate repetitive and time-consuming tasks carried out during investigation workflows. By analyzing how seasoned cyber analysts interact with the threat visualizer, triage alerts, and leverage third-party sources, Darktrace is able to replicate those expert behaviours and automate certain analyst functions. This allows for increasingly efficient and simplified investigations for analysts of all maturity levels. It also gives security teams the crucial time they need to focus on higher-value strategic work, such as managing risk and focusing on broader improvements to the business.