IsoEx – An AI-based approach to cyber investigation23 May 2023

39 seconds. That’s the timelapse between two consecutive cyber-attacks as of 2023. Meaning that by the time you’re done reading these few sentences, about 1 or 2 additional cyber-attacks would have occurred somewhere in the world.

In this context of highly increased frequency of cyber threats, Security Operation Centers (SOC) and Computer Emergency Response Teams (CERT) can be overwhelmed. In order to relieve the cybersecurity teams in their investigative effort and help them focus on more added-value tasks, machine learning approaches and methods started to emerge.

IsoEx is a novel method built -by Ismaïl ALAOUI and Pierre LAVIEILLE (two consultants from our team )- for detecting anomalous and potentially problematic command lines during the investigation of contaminated devices. IsoEx is built around a set of features that leverages the log structure of the command line, as well as its parent/child relationship, to achieve a greater accuracy than traditional methods.

To detect anomalies, IsoEx resorts to an unsupervised anomaly detection technique that is both highly sensitive and lightweight. A key feature of the method is its emphasis on interpretability, achieved through the features themselves and the application of eXplainable Artificial Intelligence (XAI) techniques and visualizations. This is critical to ensure the adoption of the method by SOC and CERT teams, as Ismaïl and Pierre argue in their research that the current literature on machine learning for log investigation has not adequately addressed the issue of explainability. This method was proven efficient in a real-life environment as it was built to support a company’s SOC and CERT.

To find out more about this method, you can access the full paper by clicking here.