Democratizing ML for Enterprise Security: A Self-Sustained Attack Detection Framework

TL;DR

This paper introduces a hybrid ML-based threat detection framework that combines rule-based filtering with active learning and synthetic data generation, enabling scalable, low-maintenance security in enterprise environments.

Contribution

It presents a novel two-stage hybrid detection system with synthetic data and active learning, making ML-based security accessible and sustainable for enterprises.

Findings

Reduces raw log data from 250 billion events to manageable tickets daily.

Improves model precision over time through active learning.

Operates effectively in large-scale, real-world enterprise settings.

Abstract

Despite advancements in machine learning for security, rule-based detection remains prevalent in Security Operations Centers due to the resource intensiveness and skill gap associated with ML solutions. While traditional rule-based methods offer efficiency, their rigidity leads to high false positives or negatives and requires continuous manual maintenance. This paper proposes a novel, two-stage hybrid framework to democratize ML-based threat detection. The first stage employs intentionally loose YARA rules for coarse-grained filtering, optimized for high recall. The second stage utilizes an ML classifier to filter out false positives from the first stage's output. To overcome data scarcity, the system leverages Simula, a seedless synthetic data generation framework, enabling security analysts to create high-quality training datasets without extensive data science expertise or pre-labeled examples. A continuous feedback loop incorporates real-time investigation results to adaptively tune the ML model, preventing rule degradation. This proposed model with active learning has been rigorously tested for a prolonged time in a production environment spanning tens of thousands of systems. The system handles initial raw log volumes often reaching 250 billion events per day, significantly reducing them through filtering and ML inference to a handful of daily tickets for human investigation. Live experiments over an extended timeline demonstrate a general improvement in the model's precision over time due to the active learning feature. This approach offers a self-sustained, low-overhead, and low-maintenance solution, allowing security professionals to guide model learning as expert ``teachers''.