Close this search box.

We are creating some awesome events for you. Kindly bear with us.

Fighting back against low and slow attacks through machine learning technology

Fighting back against low and slow attacks through machine learning technology

Created by mathematicians and machine learning experts from
the University of Cambridge, Darktrace’s Enterprise Immune System uses AI
algorithms that mimic the human immune system to defend enterprise networks of
all types and sizes.

OpenGov recently spoke to Sanjay Aurora, MD, Asia Pacific at Darktrace, about how cyber-attacks are evolving and how artificial intelligence can help defend against increasingly sophisticated attacks.

A new era of low and
slow cyberattacks

Today cyber-attacks make headlines all the time. But these
are not the cyber-attacks of 15 -20 years ago, defacing websites, stealing
credit card information. Cyber-criminals are now doing significantly more
sophisticated and stealthy, low and slow pointed attacks.

Mr. Aurora said, “You look at the DNC email hack in the US.
They are still talking about was there an attack, was there an attempt. Their
trust in the information is getting lost. This is the new generation of
cyberattacks that we are dealing with. People and organisations, from the
largest of the large to the smallest, are unable to trust information.”

He gave another example of a client, a laboratory in
Australia, which deals with a lot of confidential information about patients. They
are worried about somebody stealing that information. But they are even more
worried about somebody coming in without getting caught and tweaking some of
the information, so that the company cannot understand what is real and what is
fake. These low and slow pointed attacks reside in organisations for a long
time. The attackers are not going after organisations randomly. Sometimes, they
are after a particular piece of information from a specific organisation.

“But organisations, unfortunately, still rely on finding
‘good’ and ‘bad’. They build walls. Like how did you enter this building? You
showed your ID to the gatekeeper, the gatekeeper checked your ID, gave you a
pass. You tap the pass and you are in,” Mr. Aurora said.

He continued, “Or I could have tapped you in. then I would
have become an insider threat. Cyber security till recently was heavily relying
on rules and signatures, on locks and walls. Whereas the attackers are using so
many mechanisms to get inside. If you have the tallest of firewalls, attackers
will get even higher ladders. Notwithstanding policies, compliance and
training, all of us sitting here, are insider threats to our respective

Other than the reliance on locks and walls, the second issue
is the lack of visibility. Today everything connected with an IP is a
point-of-entry. It could be a printer, the audio/ video conference facilities
residing in the corporate boardrooms or even a connected coffee machine. Any of
these could be an easy point of entry. And they are not even on the radar of
many organisations.

Defining the normal
to detect the abnormal

Mr. Aurora compared an organisation to the human body. The human
body is being attacked by unknown unknowns every second. Yet, we have thrived
and survived for millions of years. The skin is our firewall. There are still
things that get in. The body’s immune system reacts and fights by firstly
understanding what is normal and detecting what is abnormal on the basis of

“Around four years ago Cambridge University’s mathematicians
came up with a concept largely based on this principle. If the human body can
understand and fight back autonomously, why would an organisation not be able
to do it? Because there is information. The information is in the data. By
using mathematics and unsupervised machine learning, if you are able to
establish a pattern of life, then anything abnormal which disturbs that normal
pattern will be detected,” explained Mr. Aurora.

The abnormal could be a device talking to a certain server
at 2 in the morning, which it has never done before. Or a user downloading huge
amounts of information which he has never been done before. It is a very subtle
change in the behaviour of a device, a user or a network. That user or the
device have not broken any rules. Using only rules, an organisation would not
be able to detect that anomalous behaviour.

The organisation can mathematically deduce that if this is
happening here, and the other parts of the network are doing this, this anomaly
is a leading indicator (Mr. Aurora stressed that leading indicator is key here)
of a much larger problem that might be brewing in the organisation. This approach
allows organisations to take proactive measures.

‘The battle at the
border is over’

Sitting inside the network and using the principle of the
immune system, Darktrace establishes a pattern of life, within a week. We asked
if the system is previously trained on datasets.

Mr. Aurora replied, “We don’t even tell the system if this
is a bank or a law firm or a government entity. Because the moment you start
putting some rules, it starts with presumptions and the learning goes learn
wrong. Every entity operates differently. Even a Bank A will be different from
a Bank B.”

Within a week the system understands how the organisation
works, how users and devices behave and is able to alert the organisation to anything
abnormal that they should investigate.

Frequently, it is found that most of the large attacks we
read about, are the culmination of several leading indicators that existed for
a long time. For instance, employees using VPN to hide their activity, such as
shopping or browsing prohibited websites pose a naive insider threat.
Unknowingly they present massive risks.

Mr. Aurora said, “That is a result of these leading
indicators which are already present in the organisation and were going

“The battle at the border is over. You cannot defend the
border any more. The real battle is inside. The battle now is how do you deduce
from the leading indicators and pro-actively stop them early in the tracks
before they become headlines.”

The system gets wiser as it processes more and more traffic.
This is being taken a step further now. Machines are autonomously responding to
threats. Deducing the real issue from the threats, the machines are able to
take very precise action, like slowing down the progress, or allowing the human
to intervene and giving that little extra time to stop the threat. This is
particularly handy for fast moving threats like ransomware. During the WannaCry
attack in May this year, Darktrace’s Enterprise Immune System successfully detected and
the attacks for a number of its customers, including an NHS
(National Health Service) agency.

This is accomplished by Darktrace’s Antigena solution. Its autonomous
response capability allows organisations to directly fight back, and networks
to self-defend against specific threats, without any disruptions.

Mr. Aurora said, “This is a cyber arms race. You cannot
fight those machine or AI led attacks using conventional security teams, who
will raise a ticket and try to understand from logs as to what is going on. Traditional
security people are like firefighters. They solve problems. We have shifted the
paradigm. Instead of just firefighting the known issues, you discover the
unknown issues and take action.”


Qlik’s vision is a data-literate world, where everyone can use data and analytics to improve decision-making and solve their most challenging problems. A private company, Qlik offers real-time data integration and analytics solutions, powered by Qlik Cloud, to close the gaps between data, insights and action. By transforming data into Active Intelligence, businesses can drive better decisions, improve revenue and profitability, and optimize customer relationships. Qlik serves more than 38,000 active customers in over 100 countries.


CTC Global Singapore, a premier end-to-end IT solutions provider, is a fully owned subsidiary of ITOCHU Techno-Solutions Corporation (CTC) and ITOCHU Corporation.

Since 1972, CTC has established itself as one of the country’s top IT solutions providers. With 50 years of experience, headed by an experienced management team and staffed by over 200 qualified IT professionals, we support organizations with integrated IT solutions expertise in Autonomous IT, Cyber Security, Digital Transformation, Enterprise Cloud Infrastructure, Workplace Modernization and Professional Services.

Well-known for our strengths in system integration and consultation, CTC Global proves to be the preferred IT outsourcing destination for organizations all over Singapore today.


Planview has one mission: to build the future of connected work. Our solutions enable organizations to connect the business from ideas to impact, empowering companies to accelerate the achievement of what matters most. Planview’s full spectrum of Portfolio Management and Work Management solutions creates an organizational focus on the strategic outcomes that matter and empowers teams to deliver their best work, no matter how they work. The comprehensive Planview platform and enterprise success model enables customers to deliver innovative, competitive products, services, and customer experiences. Headquartered in Austin, Texas, with locations around the world, Planview has more than 1,300 employees supporting 4,500 customers and 2.6 million users worldwide. For more information, visit


SIRIM is a premier industrial research and technology organisation in Malaysia, wholly-owned by the Minister​ of Finance Incorporated. With over forty years of experience and expertise, SIRIM is mandated as the machinery for research and technology development, and the national champion of quality. SIRIM has always played a major role in the development of the country’s private sector. By tapping into our expertise and knowledge base, we focus on developing new technologies and improvements in the manufacturing, technology and services sectors. We nurture Small Medium Enterprises (SME) growth with solutions for technology penetration and upgrading, making it an ideal technology partner for SMEs.


HashiCorp provides infrastructure automation software for multi-cloud environments, enabling enterprises to unlock a common cloud operating model to provision, secure, connect, and run any application on any infrastructure. HashiCorp tools allow organizations to deliver applications faster by helping enterprises transition from manual processes and ITIL practices to self-service automation and DevOps practices. 


IBM is a leading global hybrid cloud and AI, and business services provider. We help clients in more than 175 countries capitalize on insights from their data, streamline business processes, reduce costs and gain the competitive edge in their industries. Nearly 3,000 government and corporate entities in critical infrastructure areas such as financial services, telecommunications and healthcare rely on IBM’s hybrid cloud platform and Red Hat OpenShift to affect their digital transformations quickly, efficiently and securely. IBM’s breakthrough innovations in AI, quantum computing, industry-specific cloud solutions and business services deliver open and flexible options to our clients. All of this is backed by IBM’s legendary commitment to trust, transparency, responsibility, inclusivity and service.