Understanding IntroSpect's Modular, Data-Agnostic and Scalable UEBA Architecture

In a recent blog, I laid out a process for choosing a user and entity behavior analytics (UEBA) solution: evaluate candidate solutions along three axes, namely scale, multi-dimensional analytics, and the integration between human and machine intelligence.

Guided by these considerations, Aruba has designed IntroSpect's UEBA solution with a flexible architecture that delivers varying levels of machine assistance to complement analysts' needs for behavioral analytics.

Four Layers of Abstraction

As shown in Figure 1, IntroSpect's UEBA has four layers of abstraction: use case definition, feature selection, baseline profiling and anomaly detection.

[Figure 1: ueba_figure1.png]

  • Use Case Definition. The first layer defines a behavioral use case (e.g., suspicious access to critical servers), which generally requires local context such as which servers count as critical.
  • Feature Selection. The second layer selects the meaningful categories of features for each use case (e.g., time, data volume or counters). Although feature selection is mainly a human-driven effort, deep learning algorithms (e.g., convolutional neural networks) that automatically extract distinguishing features from a large volume of unlabeled training data can also be used.
  • Baseline Profiling. The third layer learns the "normal baseline" for each entity (i.e., user or host) for each use case along two dimensions of behavior: historical and peer group. The former uses the entity's own historical behavior, while the latter uses common behaviors across a peer group, which can be flexibly defined (e.g. from Active Directory or user-provided input) or derived through self-learning. IntroSpect also uses adaptive learning to incorporate analyst feedback into its behavioral models.
  • Anomaly Detection. The fourth layer detects each entity's behavioral anomalies as deviations from its baselines. This part is fully automated and machine-driven. Given the different dimensions and types of feature vectors selected in each behavioral use case, Aruba has built different unsupervised machine learning models and distance (i.e., deviation) calculations to detect anomalies automatically.

Three Critical Design Choices

Building a flexible behavioral analytics solution requires deliberate design choices and significant investment during product implementation. It's well worth it as IntroSpect's analytics identify threats that evade other simplistic approaches. This payoff is enabled by three critical design choices.

Modular

As described above, Aruba abstracts and decouples the use case layers (layers one and two) from the detection layers (layers three and four), which are driven by machine learning. In addition, we have done the heavy lifting of pre-tuning and self-tuning these machine learning models, so that security analysts can benefit from the solution without deep knowledge of machine learning.

All four layers are built in a totally modular fashion, so that security analysts – no matter whether they come with security or data science backgrounds – always can interact and influence the results of UEBA with their own expertise to improve its overall accuracy.

Data-Agnostic

As explained in my "Three Considerations When Choosing a UEBA Solution" blog, a multi-dimensional UEBA solution that combines anomalous signals from different data sources can greatly improve its effectiveness. IntroSpect's UEBA solution is built in a data-agnostic way. This means an analyst can add UEBA support for a new use case, from existing or new data sources, with a simple schema definition and some use case-specific configuration.

[Figure 2: UEBAFigure2.png]

If you compare the two behavioral use cases in the figures above, suspicious access to critical servers (Figure 1) and suspicious access to a building (Figure 2), you will see that the main difference between them is the data source: the first comes from server logs or network packets, the second from badge reader logs. Apart from that, both use cases monitor the same time-based features (plus other behavior-specific features) and detect similar behavioral anomalies.
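The following is an added illustration of the four layers and of the data-agnostic point above; it is example code written for this page, not IntroSpect's own implementation. The two use cases from the figures share one feature (hour of access), one baseline-profiling routine (per-entity history plus an Active Directory-style peer group) and one deviation-based detector; only the source schema and the "critical target" context differ. The use case configuration, the `dba` peer group, the threshold of 3 standard deviations and every log line are hypothetical and constructed for this example.

```python
"""Added example: data-agnostic behavioral use cases sharing one detection pipeline."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Layers 1 and 2: use case definition and feature selection. The source schema
# and the local context (which servers/doors are critical) are the only parts
# that differ between the two use cases. Both are hypothetical configurations.
USE_CASES = {
    "suspicious_server_access": {
        "pattern": r"^(?P<ts>\S+) sshd: Accepted \w+ for (?P<entity>\w+) from \S+ host=(?P<target>\S+)$",
        "ts_format": "%Y-%m-%dT%H:%M:%S",
        "critical_targets": {"db01"},
    },
    "suspicious_building_access": {
        # badge reader CSV: user,door,timestamp
        "pattern": r"^(?P<entity>\w+),(?P<target>[\w-]+),(?P<ts>[^,]+)$",
        "ts_format": "%Y-%m-%d %H:%M",
        "critical_targets": {"datacenter-door"},
    },
}

# Peer group as it might be imported from Active Directory (hypothetical).
PEER_GROUPS = {"dba": {"alice", "bob", "carol", "dave"}}


def parse_events(use_case, text):
    """Map raw lines to (entity, hour-of-day) pairs using the use case schema."""
    rx = re.compile(use_case["pattern"])
    events = []
    for line in text.splitlines():
        m = rx.match(line)
        if not m or m["target"] not in use_case["critical_targets"]:
            continue  # unparseable line, or not a critical target: out of scope
        ts = datetime.strptime(m["ts"], use_case["ts_format"])
        # Hour of day treated as a linear feature for brevity; a real system
        # should encode the clock circularly so 23:00 and 01:00 are neighbours.
        events.append((m["entity"], ts.hour))
    return events


def build_baselines(events):
    """Layer 3: (mean, stdev) of the feature per entity and per peer group."""
    per_entity = defaultdict(list)
    for entity, hour in events:
        per_entity[entity].append(hour)
    historical = {e: (statistics.mean(v), statistics.pstdev(v)) for e, v in per_entity.items()}
    peer = {}
    for group, members in PEER_GROUPS.items():
        vals = [h for e in members for h in per_entity.get(e, [])]
        if vals:
            peer[group] = (statistics.mean(vals), statistics.pstdev(vals))
    return historical, peer


def deviation(value, baseline, floor=0.5):
    """Distance from a baseline in standard deviations; the floor keeps a
    near-constant history from turning every small shift into an alert."""
    mean, sd = baseline
    return abs(value - mean) / max(sd, floor)


def detect(events, historical, peer, threshold=3.0):
    """Layer 4: alert when an event deviates from BOTH the entity's own history
    and its peer group; with no history (a new user) the peer baseline decides."""
    group_of = {m: g for g, members in PEER_GROUPS.items() for m in members}
    alerts = []
    for entity, hour in events:
        dims = []
        if entity in historical:
            dims.append(deviation(hour, historical[entity]))
        if group_of.get(entity) in peer:
            dims.append(deviation(hour, peer[group_of[entity]]))
        if dims and min(dims) >= threshold:
            alerts.append((entity, hour, round(min(dims), 2)))
    return alerts


def run_use_case(name, training_text, new_text):
    """Learn baselines from training_text, then score new_text. Returns alerts."""
    uc = USE_CASES[name]
    historical, peer = build_baselines(parse_events(uc, training_text))
    return detect(parse_events(uc, new_text), historical, peer)


# Constructed sample data: (entity, hour) histories rendered in each source's schema.
_SERVER_HIST = [("alice", 9), ("alice", 9), ("alice", 10), ("alice", 10), ("bob", 9), ("bob", 10),
                ("bob", 10), ("bob", 11), ("carol", 8), ("carol", 9), ("carol", 9), ("carol", 10)]
SERVER_TRAINING = "\n".join(
    f"2024-03-{i + 1:02d}T{h:02d}:00:00 sshd: Accepted publickey for {e} from 10.0.0.5 host=db01"
    for i, (e, h) in enumerate(_SERVER_HIST))
SERVER_NEW = """\
2024-03-20T03:05:17 sshd: Accepted publickey for alice from 10.0.0.77 host=db01
2024-03-20T10:15:02 sshd: Accepted publickey for bob from 10.0.0.5 host=db01
2024-03-20T02:00:00 sshd: Accepted publickey for alice from 10.0.0.5 host=web01
2024-03-20T23:10:40 sshd: Accepted publickey for dave from 10.0.0.9 host=db01"""
_BADGE_HIST = [("alice", 8), ("alice", 8), ("alice", 9), ("alice", 9), ("bob", 8), ("bob", 9),
               ("bob", 9), ("bob", 10), ("carol", 9), ("carol", 9), ("carol", 10), ("carol", 10)]
BADGE_TRAINING = "\n".join(
    f"{e},datacenter-door,2024-03-{i + 1:02d} {h:02d}:00" for i, (e, h) in enumerate(_BADGE_HIST))
BADGE_NEW = """\
alice,datacenter-door,2024-03-20 02:30
bob,datacenter-door,2024-03-20 09:45
carol,lobby-door,2024-03-20 22:00"""

if __name__ == "__main__":
    for name, train, new in [("suspicious_server_access", SERVER_TRAINING, SERVER_NEW),
                             ("suspicious_building_access", BADGE_TRAINING, BADGE_NEW)]:
        print(name, run_use_case(name, train, new))
```

Adding a third data source (say, VPN logs) means adding one more entry to `USE_CASES` with its regex, timestamp format and critical targets; the profiling and detection code is untouched. The alert rule requiring deviation on both dimensions is a deliberate choice: a night-shift administrator whose own history says 03:00 is normal is not flagged merely because the rest of the peer group works days, while a brand-new account with no history is still judged against its peers.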

Scalable

IntroSpect's behavior analytics platform is built on a big data architecture, leveraging Apache Hadoop and Spark-based technologies. For data persistence, we use NoSQL key-value, columnar and time-series databases to store large volumes of raw and derived data in the format most efficient for each analytic purpose.

The layered data-processing approach allows us to break down different analytic requirements, such as feature extraction and aggregation, and embed them in the streaming and batch processing layers, minimizing data write cost for optimal scalability.

Achieving Automatability

In "The Five Characteristics of an Intelligence-Driven Security Operations Center," Gartner's Neil MacDonald and Oliver Rochford make a core point about how they see the enterprise security operations center (SOC) evolving:

"Rather than seeking full automation of all SOC activities, seek 'automatability': the ability to automate as higher levels of confidence are reached. Even then, analytics-driven, human-initiated security decision support systems will be used to provide SOC analysts with context for recommended actions, as well as the details behind the verdicts and recommended actions."

This is the foundation of IntroSpect's product vision. By designing a behavioral analytics solution that's modular, data-agnostic and scalable, we enable organizations to achieve that "automatability."

IntroSpect ships with a broad set of behavioral use cases developed by our own security experts, built on the modular architecture. This lets organizations get value from IntroSpect immediately after deployment. Analysts can also influence and improve the quality of behavioral detection in many different ways, and they can define their own behavioral use cases, extending IntroSpect to fit their specific requirements.

With IntroSpect, it's not about replacing security analysts with automated systems (which is what resonated with Drew Conry-Murray of Packet Pushers, who wrote this article about IntroSpect). Rather, it's about enabling organizations to make optimal use of scarce SOC resources.

Ready to learn more? Get the CISO's guide to machine learning and user and entity behavioral analytics.

Jisheng Wang is the senior director of data science in the office of the CTO for Aruba, a Hewlett Packard Enterprise company.
