Behavioural Clustering is a ThreatIQ component that groups entities by behavioural proximity and similarity (an entity's behaviour being the collection of MOREAL aggregated metrics describing it) and derives, from the security events associated with each group, a severity estimate for every entity in that group.
How behavioural clustering works
- The entities that behavioural clustering groups are assets (the behaviour of internal IPs) and services (the behaviour of internal IPs within specific services). The MOREAL metrics of each entity are transformed into a representation that the underlying algorithms can work with directly.
- Groups are formed from entities with similar traffic profiles, and each group is assigned a threat risk indicator computed from the count and metrics of its members that are associated with threat events.
- Initially, each entity inherits the threat risk indicator of its group.
- A temporal decay scheme is then applied to the threat risk indicators, with statistically determined parameters that approximate a half-life attenuation function, so that the contribution of older threat events diminishes over time.
- Each instance of the model also stores and uses a recent profile of behaviours and threat severity scores.
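The steps above, carried through end to end in an added Python example. This is illustrative code written for this page, not ThreatIQ or MOREAL code: the metric columns, the entity and threat-event data, the clustering algorithm (a small k-means with farthest-first seeding) and the 24-hour half-life are all assumptions chosen so the example runs offline and deterministically; the product's real metrics, algorithms and decay parameters are not described on this page.

```python
"""Toy behavioural clustering: standardize per-entity metric vectors, cluster
them, derive a group threat risk indicator from threat events, let members
inherit it, and decay it with a half-life function."""
import math

# Constructed sample data (hypothetical column meaning: bytes_out_mb,
# distinct_dst_ports, dns_queries, failed_logins) for internal assets.
ENTITY_METRICS = {
    "10.0.1.10": [2.0, 3, 40, 0],
    "10.0.1.11": [2.5, 4, 35, 1],
    "10.0.1.12": [1.8, 3, 45, 0],
    "10.0.2.20": [300.0, 5, 20, 0],
    "10.0.2.21": [280.0, 6, 25, 1],
    "10.0.3.30": [5.0, 900, 10, 40],
    "10.0.3.31": [4.0, 850, 12, 35],
}
# Constructed threat events: entity -> severities in [0, 1] of events linked to it.
THREAT_EVENTS = {
    "10.0.3.30": [0.9, 0.8],
    "10.0.2.21": [0.6],
}


def zscore(metrics):
    """Standardize each metric column so no single metric dominates distance."""
    names = list(metrics)
    cols = list(zip(*(metrics[n] for n in names)))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((x - m) ** 2 for x in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]
    return {n: [(x - m) / s for x, m, s in zip(metrics[n], means, stds)]
            for n in names}


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(vectors, k, iters=20):
    """k-means with farthest-first seeding (deterministic; assumed algorithm)."""
    names = list(vectors)
    centroids = [vectors[names[0]]]
    while len(centroids) < k:
        far = max(names, key=lambda n: min(dist(vectors[n], c) for c in centroids))
        centroids.append(vectors[far])
    assign = {}
    for _ in range(iters):
        assign = {n: min(range(k), key=lambda i: dist(vectors[n], centroids[i]))
                  for n in names}
        for i in range(k):
            members = [vectors[n] for n in names if assign[n] == i]
            if members:
                centroids[i] = [sum(col) / len(col) for col in zip(*members)]
    return assign


def group_risk(assign, events):
    """Group indicator from the count and severity of threat-linked members:
    mean over members of each member's highest event severity (0 if none)."""
    risk = {}
    for g in set(assign.values()):
        members = [n for n, gi in assign.items() if gi == g]
        risk[g] = sum(max(events.get(n, [0.0])) for n in members) / len(members)
    return risk


def decay(score, elapsed_hours, half_life_hours=24.0):
    """Half-life attenuation: the score halves every half_life_hours."""
    return score * 2 ** (-elapsed_hours / half_life_hours)


def score_entities(metrics=ENTITY_METRICS, events=THREAT_EVENTS, k=3):
    """Cluster, compute group risk, and let every member inherit its group's risk."""
    assign = kmeans(zscore(metrics), k)
    risk = group_risk(assign, events)
    return assign, {n: risk[g] for n, g in assign.items()}


if __name__ == "__main__":
    groups, scores = score_entities()
    for name in sorted(scores):
        print(name, "group", groups[name], "risk now", round(scores[name], 3),
              "after 48h", round(decay(scores[name], 48), 3))
```

Note that 10.0.3.31 has no threat events of its own but inherits the indicator of the group it shares with 10.0.3.30; that inheritance is the point of the scheme, and the decay step is what keeps a single old event from marking a whole group indefinitely.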
Behavioural clustering advantages
Behavioural clustering extrapolates suspicious communications from recent information across networks, using unsupervised machine learning algorithms that scale to millions of entities.
An automated feature selection framework is also used, taking advantage of dimensionality reduction techniques and qualitative entity embeddings.