A human-machine collaboration to defend against cyberattacks

PatternEx merges human and machine expertise to spot and respond to hacks.

PatternEx's Virtual Analyst Platform uses machine learning models to detect suspicious activity on a network. That activity is then presented to human analysts for feedback that improves the systems' ability to flag activity analysts care about.

Being a cybersecurity analyst at a large company today is a bit like looking for a needle in a haystack – if that haystack were hurtling toward you at fiber optic speed.

Every day, employees and customers generate loads of data that establish a normal set of behaviors. An attacker will also generate data while using any number of techniques to infiltrate the system; the goal is to find that “needle” and stop it before it does any damage.

The data-heavy nature of that task lends itself well to the number-crunching prowess of machine learning, and an influx of AI-powered systems has indeed flooded the cybersecurity market over the years. But such systems can come with their own problems, namely a never-ending stream of false positives that can make them more of a time suck than a time saver for security analysts.

MIT startup PatternEx starts with the assumption that algorithms can’t protect a system on their own. The company has developed a closed loop approach whereby machine-learning models flag possible attacks and human experts provide feedback. The feedback is then incorporated into the models, improving their ability to flag only the activity analysts care about in the future.

“Most machine learning systems in cybersecurity have been doing anomaly detection,” says Kalyan Veeramachaneni, a co-founder of PatternEx and a principal research scientist at MIT. “The problem with that, first, is you need a baseline [of normal activity]. Also, the model is usually unsupervised, so it ends up showing a lot of alerts, and people end up shutting it down. The big difference is that PatternEx allows the analyst to inform the system and then it uses that feedback to filter out false positives.”
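
The closed loop described above, reduced to a toy in Python (an added illustration, not PatternEx's code or algorithm): an unsupervised scorer fills a fixed daily alert budget, a simulated analyst gives a verdict on each alert, and the next day's ranking takes those verdicts into account. The events, the two features, the nearest-verdict rule and every function name are constructed assumptions.

```python
from statistics import median

# Constructed events: (failed_logins, mb_out, is_attack). The ground-truth flag
# only simulates the analyst's verdict and counts true positives.
def make_day(backups, attacks, shift=0):
    normal = [((i + shift) % 3, 4 + i % 5, False) for i in range(40)]
    return normal + [(f, mb, False) for f, mb in backups] + [(f, mb, True) for f, mb in attacks]

DAY1 = make_day([(0, 900), (1, 950), (0, 1000)], [(30, 20), (35, 25)])
DAY2 = make_day([(0, 920), (1, 980), (0, 1010)], [(28, 22), (40, 18)], shift=1)

def fit_baseline(events):
    """Per feature: (median, median absolute deviation floored at 1)."""
    stats = []
    for col in (0, 1):
        values = [e[col] for e in events]
        mid = median(values)
        stats.append((mid, max(median(abs(v - mid) for v in values), 1)))
    return stats

def distance(a, b, baseline):
    """L1 distance between two events in baseline-scaled feature space."""
    return sum(abs(a[c] - b[c]) / baseline[c][1] for c in (0, 1))

def anomaly_score(event, baseline):
    centre = (baseline[0][0], baseline[1][0])
    return distance(event, centre, baseline)

def feedback_score(event, baseline, labelled):
    """Anomaly score, overridden by the nearest analyst verdict when that
    verdict lies closer to the event than the baseline centre does."""
    base = anomaly_score(event, baseline)
    near = min(labelled, key=lambda ex: distance(event, ex, baseline), default=None)
    if near is None or distance(event, near, baseline) >= base:
        return base
    return base * 2 if near[2] else 0.0  # boost confirmed attacks, mute dismissed patterns

def top_alerts(events, score, budget=3):
    return sorted(events, key=score, reverse=True)[:budget]

def run():
    baseline = fit_baseline(DAY1)
    day1 = top_alerts(DAY1, lambda e: anomaly_score(e, baseline))
    labelled = list(day1)  # analyst reviews every alert shown; verdict is e[2]
    plain = top_alerts(DAY2, lambda e: anomaly_score(e, baseline))
    tuned = top_alerts(DAY2, lambda e: feedback_score(e, baseline, labelled))
    return [sum(e[2] for e in alerts) for alerts in (day1, plain, tuned)]

if __name__ == "__main__":
    print(run())  # attacks among 3 alerts: day 1, day 2 anomaly-only, day 2 with feedback
```

In this constructed data the large backup transfers take all three alert slots for the anomaly-only ranking on both days, while the verdicts from day 1 mute them on day 2 and both attacks surface within the same budget.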

The result is an increase in analyst productivity. When compared to a generic anomaly detection software program, PatternEx’s Virtual Analyst Platform successfully identified 10 times more threats through the same number of daily alerts, and its advantage persisted even when the generic system gave analysts five times more alerts per day.

First deployed in 2016, today the company’s system is being used by security analysts at large companies in a variety of industries along with firms that offer cybersecurity as a service.

Merging human and machine approaches to cybersecurity
