How Cloud Defender's Machine Learning Improves Web Detection | Feature Education



Alert Logic® Cloud Defender™ uses machine learning to achieve high accuracy in detecting multi-stage SQL-injection (SQLi) attacks on web applications.

A typical SQLi attack is performed through repeated trial and error by the attacker and can cover a long period of time. From a detection perspective, this creates a lot of noise and makes it difficult to identify successful attacks using traditional methods. With Cloud Defender’s machine learning capability, successful attacks are identified with 97% accuracy, providing you with confidence in incident creation.

In this article, you can learn more about why Alert Logic is focused on SQLi attacks, how our machine learning works, and how customers can view these incidents to get value.


Why We Focus on SQL-Injection Attacks

SQLi is an exploit in which the attacker adds unexpected Structured Query Language (SQL) code to an input parameter of a web request, such as through a web form box intended for users to input search terms. The goal of this exploit is to gain unauthorized access to the application’s database, where data may be exfiltrated or changed.
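The search-box case described above, as an added example that is not Alert Logic code: the same search written with string concatenation and with a bound parameter. The table, rows, and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: two public rows and one row a search must never return.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, hidden INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [("blue widget", 0), ("red widget", 0), ("internal price list", 1)])
    return db

def search_vulnerable(db, term):
    # The input is concatenated into the statement, so SQL inside `term` is executed.
    sql = "SELECT name FROM products WHERE hidden = 0 AND name LIKE '%" + term + "%'"
    return sorted(row[0] for row in db.execute(sql))

def search_parameterized(db, term):
    # The input is bound as data, so the structure of the statement cannot change.
    sql = "SELECT name FROM products WHERE hidden = 0 AND name LIKE ?"
    return sorted(row[0] for row in db.execute(sql, ("%" + term + "%",)))

# Constructed input: closes the string literal, adds a condition, comments out the rest.
INJECTED_TERM = "' OR hidden = 1 --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", search_vulnerable(db, INJECTED_TERM))
    print("parameterized:", search_parameterized(db, INJECTED_TERM))
```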

These attacks are relatively easy for attackers to perform because sample exploits and tools are abundant. This makes them one of the most prevalent and successful forms of web application attacks. Further, detection of SQLi attacks is extremely noisy, so it is easy to miss successful attacks and hard to identify an attacker’s goal. When an attack is successful, attackers have immediate access to potentially sensitive data in your application all at once.

The prevalence, success rate, and detection challenges involved with these attacks are why Cloud Defender’s machine learning is focused on SQLi attacks. By providing better detection and high accuracy for SQLi attacks, Cloud Defender lets you start incident response sooner, assess the damage done, and prevent the attacker from doing additional damage in the most common web attacks.


How Our Machine Learning Works

Machine learning is a discipline that enables computers to learn without being explicitly programmed. It uses large volumes of data to help computers recognize patterns and make decisions. Alert Logic uses a machine learning technique called supervised learning to add value to the Cloud Defender service. We apply it through the following process.

  1. Our data scientists curate and label the high volume of security data and machine telemetry that we collect from our customers. This serves as training data for the machine learning algorithms to produce high confidence security outcomes.

  2. Our cloud-based application security experts and SOC analysts guide the data scientists and help confirm and improve the findings.

  3. Our production engineering team develops scalable, production-quality detection for the techniques that our data scientists develop.

  4. We have a continuous feedback loop with our SOC team that evaluates and improves our algorithms on an ongoing basis.

Each part of our supervised machine learning is closely linked. Collecting high-quality, consistent data is critical. If the data is noisy, the system will train incorrectly and produce bad results. Once the algorithm is trained, the real-world data is measured and collected using our own sensors in customer environments.

Trained by data scientists and security analysts, Cloud Defender algorithms learn by example to improve true positive accuracy. With the high volume of security data from Alert Logic customers, our machine learning can consume and learn from a large resource of consistent data.


What Data We Use

The data used to train our machine learning is collected using our network intrusion detection capability, which is part of your subscription. The detection algorithm runs daily against a multi-petabyte dataset aggregated across thousands of customers. The dataset includes not only that day’s network data, but also data from many weeks before. Our training data spans weeks from each breach and contains activity from several stages, including reconnaissance, command and control, and database enumeration, allowing the algorithm to identify attacks over time.
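To illustrate why a multi-week look-back matters, the added example below (not Alert Logic's algorithm) groups IDS events per source and target and summarises the stages seen in the window. The event records, the 28-day window, and the three-stage rule are assumptions; the rule is a simple stand-in for a trained classifier.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample IDS events: (timestamp, source IP, target host, stage label).
# Stage labels follow the stages named above; the IPs are documentation addresses.
EVENTS = [
    ("2017-05-01T02:10", "198.51.100.7", "shop-web", "reconnaissance"),
    ("2017-05-03T02:40", "198.51.100.7", "shop-web", "reconnaissance"),
    ("2017-05-09T23:05", "198.51.100.7", "shop-web", "database_enumeration"),
    ("2017-05-20T04:15", "198.51.100.7", "shop-web", "command_and_control"),
    ("2017-05-02T11:00", "203.0.113.9", "shop-web", "reconnaissance"),
    ("2017-05-02T11:01", "203.0.113.9", "shop-web", "reconnaissance"),
    ("2017-03-01T08:00", "192.0.2.44", "blog-web", "reconnaissance"),
    ("2017-05-21T08:00", "192.0.2.44", "blog-web", "database_enumeration"),
]

def pair_features(events, window_days=28):
    """Summarise events per (source, target) inside a trailing look-back window."""
    parsed = [(datetime.fromisoformat(ts), s, t, st) for ts, s, t, st in events]
    end = max(p[0] for p in parsed)
    feats = defaultdict(lambda: {"stages": defaultdict(int), "first": None, "last": None})
    for when, src, dst, stage in parsed:
        if (end - when).days > window_days:
            continue  # older than the look-back window
        f = feats[(src, dst)]
        f["stages"][stage] += 1
        f["first"] = when if f["first"] is None else min(f["first"], when)
        f["last"] = when if f["last"] is None else max(f["last"], when)
    return {k: {"stage_counts": dict(f["stages"]),
                "span_days": (f["last"] - f["first"]).days} for k, f in feats.items()}

def multi_stage_pairs(features, min_stages=3):
    """Assumed rule standing in for a trained model: pairs seen in >= min_stages stages."""
    return sorted(k for k, f in features.items() if len(f["stage_counts"]) >= min_stages)

if __name__ == "__main__":
    features = pair_features(EVENTS)
    for pair in multi_stage_pairs(features):
        print(pair, features[pair])
```

With a one-day window, none of the sources above would show more than one stage; the features only separate the multi-stage source from the noise when the window covers weeks.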


How You Get the Results of Machine Learning

Since Cloud Defender’s machine learning is part of a managed service, every potential attack that is identified is verified by an ActiveWatch analyst. When a true positive is identified, customers are alerted to an incident in the Alert Logic console, as well as being notified by phone, text, or email, depending on the customer’s contact preferences. With this alert method, you can quickly take actions to remediate and prevent damage caused by attackers.


Additional Information

In addition to machine learning, Alert Logic also provides deep HTTP inspection as part of our web detection capabilities. For more information on deep HTTP inspection, refer to our Deep HTTP Inspection for Cloud Defender | Feature Education article. 

For an overview of Alert Logic's detection techniques for web application attacks, you can also watch our Improvements for Web Application Attack webinar. This webinar covers the investments that Alert Logic has made to improve our ability to detect web application attacks with high confidence, including machine learning and deep HTTP inspection.

Note: This webinar is available starting on June 6, 2017. 
