Machine Learning and Analytics Overview

Stellar Cyber uses a robust machine learning (ML) system both to detect possible threats to your network and to reduce the number of false positive indicators for common events. Stellar Cyber also uses analytics to identify threats. Use this topic to understand the concepts before delving deeper into related topics.

Machine Learning Models

Stellar Cyber uses both supervised and unsupervised ML models. Supervised ML models are trained with a large number of labeled samples and directly applied for certain analytic alert types. The DNS Tunneling alert type is an example. Unsupervised ML models learn the data distribution in your network automatically. They use two weeks of historical data as an approximation of the real distribution, and update themselves every 24 hours.

Most ML Alert Types use one of 5 models:

  • Rare Event
  • Time Series Analytic
  • Population-Based Time Series Analytic
  • Graph
  • Threshold Random Walk

Rare Event Model

The rare event model looks for events that suddenly appear after a long time without appearing. The threshold is typically the number of days the event has been silent.

Time Series Analytic Model

The time series analytic model learns from historical event data and looks for anomalies. It typically detects spikes in activity, anomalously low values, and rare values.

Population-Based Time Series Analytic Model

The population-based time series analytic model learns from historical peer data, and looks for deviations from typical peer behavior.

Graph Model

The graph model looks for changes in relationships between two entities. It uses stability and diversity to detect anomalies.

Threshold Random Walk Model

The threshold random walk model looks for anomalous changes in the ratio between two measurements, such as a significant increase in login failures.
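As an added example (not Stellar Cyber's code), the threshold random walk idea applied to login outcomes: each success or failure nudges a per-source walk by a log-likelihood ratio, and an alert fires when the walk crosses an upper threshold. The sequential probability ratio test formulation, the parameter values and the sample log lines are all assumptions chosen for illustration.

```python
import math

# Assumed model parameters: a login from a benign source fails with
# probability THETA0, from a credential-guessing source with THETA1;
# ALPHA and BETA bound the false-alert and missed-detection rates.
THETA0, THETA1 = 0.2, 0.8
ALPHA, BETA = 0.01, 0.01
UPPER = math.log((1 - BETA) / ALPHA)   # walk crosses this -> alert
LOWER = math.log(BETA / (1 - ALPHA))   # walk crosses this -> benign

# Constructed sample log lines (not real data): one source logs in
# normally, the other fails repeatedly across several user names.
SAMPLE_LOG = """\
src=10.0.0.5 user=alice result=success
src=10.0.0.5 user=alice result=success
src=10.0.0.5 user=alice result=success
src=10.0.0.5 user=alice result=success
src=203.0.113.9 user=admin result=failure
src=203.0.113.9 user=root result=failure
src=203.0.113.9 user=test result=failure
src=203.0.113.9 user=guest result=failure
"""

def parse(log_text):
    """Yield (source, result) pairs from key=value log lines."""
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        yield fields["src"], fields["result"]

def step(llr, failed):
    """Add one outcome's log-likelihood ratio: failures push the walk up
    (towards the attack hypothesis), successes push it down."""
    if failed:
        return llr + math.log(THETA1 / THETA0)
    return llr + math.log((1 - THETA1) / (1 - THETA0))

def run_trw(events):
    """Return {source: 'alert' | 'benign' | 'undecided'} after the events."""
    walk, verdict = {}, {}
    for src, result in events:
        if verdict.get(src) == "alert":
            continue                        # already alerted on this source
        walk[src] = step(walk.get(src, 0.0), result == "failure")
        if walk[src] >= UPPER:
            verdict[src] = "alert"
        elif walk[src] <= LOWER:
            verdict[src] = "benign"
            walk[src] = 0.0                 # decided benign; start a new walk
        else:
            verdict[src] = "undecided"
    return verdict
```

With these parameters four consecutive failures are enough to cross UPPER, while mixed outcomes keep a source undecided until the evidence accumulates one way or the other.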

Analytics Alert Types

Analytic alert types use rules. They scan the data at a fixed interval (usually every 5 minutes) and trigger an alert if they find an anomaly.

Alert Types

Details of the Stellar Cyber alert types are available as a full-page listing by name, grouped by index, or in a summary format.