Darktrace uses Machine Learning and AI algorithms based upon “patterns of life/normality”.

At this point in time, at my current location, we have detected 1.5 million patterns of normal life; Darktrace uses these patterns to evaluate possible security threats.

Darktrace claims not to use rules or signatures, but it does use “models” developed by Darktrace staff, and the models look very much like rules. Model updates are required to make Darktrace useful in an environment and to inform the system about issues seen in the wild. As human users operating the Darktrace system, we can see that it uses standard models based upon predefined rules to determine threats.

Recursive Bayesian Estimation (RBE) is the technology Darktrace uses to maintain probabilities over multiple competing beliefs, updating them each time a new observation arrives; it is the same method that allows an artificial intelligence to infer its own position and orientation. Because it is a recursive method for estimating an observed variable that evolves over time, it can be used to determine threats inside a network, especially when combined with deep packet inspection.

Darktrace has to be given information defining hardware types, or else it makes mistakes, and that causes problems when you rely upon the information it provides. We have to add our own input to improve Darktrace's understanding of the business impact of a possible security issue.

Business impacts may differ between businesses and organisations.

It would be unfair to expect Darktrace to understand the industry it has been placed in and to prioritise threats according to the security issues that arise in that specific industry. Over time, and with human configuration, Darktrace does become more accurate.

During a training session with Darktrace we discovered that a file repository service was being used by staff. Darktrace marked this repository service as a medium-level threat. To our security team this was classed as a high-level threat.

Darktrace is a useful addition to a monitoring engineer's growing toolset. In common with any monitoring tool, it requires instruction about what the organisation using it considers important, and the data it presents needs some degree of interpretation.
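As an added illustration of the recursive estimation described above and of the human-supplied business impact discussed in the last few paragraphs (this is not Darktrace's own code), here is a small Python model that learns one device's normal rate of new external destinations and flags a count that is surprising under what it has learned so far; the prior, threshold, impact table and sample stream are all assumptions.

```python
"""Recursive Bayesian "pattern of life" detector: an added illustration, not Darktrace code.
A device's per-minute count of new external destinations is modelled as Poisson with an unknown
rate; a Gamma belief over that rate is updated after every minute, and each new count is scored
by how surprising it is under the current posterior predictive (a negative binomial)."""
from math import exp, lgamma, log

class PatternOfLife:
    def __init__(self, alpha=1.0, beta=1.0):
        # Gamma(alpha, beta) belief about the device's rate; starts weakly informed (assumed prior).
        self.alpha, self.beta = alpha, beta

    def predictive_pmf(self, k):
        # P(K = k) under the posterior predictive (negative binomial), computed in log space.
        a, b = self.alpha, self.beta
        logp = (lgamma(a + k) - lgamma(k + 1) - lgamma(a)
                + a * log(b / (b + 1)) - k * log(b + 1))
        return exp(logp)

    def tail_probability(self, k):
        # P(K >= k): how surprising a count at least this large is, given the belief so far.
        cdf = sum(self.predictive_pmf(i) for i in range(k))
        return max(0.0, 1.0 - cdf)

    def observe(self, k):
        # Score first, then fold the observation into the belief (the recursive step).
        p = self.tail_probability(k)
        self.alpha += k
        self.beta += 1
        return p

# Business impact has to come from humans; the statistics cannot know it (assumed values).
IMPACT = {"file-repository": "high", "default": "medium"}

def run(stream, service="default", threshold=1e-3):
    """Return (minute, count, tail_probability, severity) for each flagged minute."""
    model = PatternOfLife()
    alerts = []
    for minute, k in enumerate(stream):
        p = model.observe(k)
        if p < threshold:
            alerts.append((minute, k, p, IMPACT.get(service, IMPACT["default"])))
    return alerts

# Constructed sample: 20 ordinary minutes, then a burst of new destinations.
SAMPLE = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 5, 3, 4, 2, 3, 4, 3, 5, 4, 3, 40]

if __name__ == "__main__":
    for minute, k, p, sev in run(SAMPLE, service="file-repository"):
        print(f"minute {minute}: {k} new destinations, P(K>={k})={p:.1e}, severity={sev}")
```

The same burst is scored identically whichever service it touches; only the human-supplied impact table changes whether it comes out as medium or high, which is the gap the training session above exposed.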

What I like about Darktrace:

  1. The ability to map out a potential threat from the point where it occurs.
  2. The user who is carrying out the activity.
  3. The device that triggered the event.
  4. The time of the event.
  5. The type of activity with a high level of detail, including an event detailing the suspicious activity.
  6. Darktrace appliances support SNMP V3 so they can be easily monitored.

This deployment of Darktrace only has access to corporate VLANs, so access to customer data isn't possible. If we were to span the customer wireless VLANs, adding them to the existing trunk port going into our Darktrace probes so that we could examine that traffic, we would have access to customer data.

Imagine if this level of packet inspection and examination were available on every corporate Wi-Fi network that you connect your devices to: every file, every site, every infringement, alerting the network owner about your activity.

AI based upon Recursive Bayesian Estimation models may be watching your every move.

A useful tool for network owners and security engineers too.

Let me know about your experiences with artificially intelligent network devices in the comments below.

[Image: The Darktrace interface.]
[Image: Darktrace probe about to be deployed into the server room.]