Stop training your security ML on labeled attack data

⚡ What Makes Energy-Based Models So Effective for Anomaly Detection? – John Menerick | Security Engineer --> Mastodon ⚡ What Makes Energy-Based Models So Effective for Anomaly Detection? John W8MEJ Menerick · April 3, 2025 Energy-Based Models Anomaly Detection AI Security Cybersecurity Automation Unsupervised Learning Behavioral Analytics Threat Detection Autoencoders Security Machine Learning SOC Innovation Signature-based detection only sees what it’s trained to recognize. But energy-based models can sense when something just doesn’t feel right. In security, the unknown is your biggest threat. It’s not the malware that’s already in your threat feed—it’s the behavior that doesn’t show up in any feed at all. Lateral movement in odd hours. A privileged login with strange parameters. Data exfiltration that almost looks normal. Traditional detection systems—rules, heuristics, even many ML classifiers—struggle in this gray zone. But energy-based models (EBMs) were built for it. 🧠 The EBM Mental Model: Anomaly ≈ Energy Think of it like this: You train an autoencoder to reconstruct normal behavior. The better it reconstructs something, the lower its “energy.” When a new input results in poor reconstruction—i.e., the model doesn’t “understand” it—it returns a high energy score. In other words: Energy = uncertainty . And uncertainty = risk. Unlike classifiers, EBMs don’t need labeled attack data. They just need enough “normal” to learn what the baseline looks like—then they flag everything that deviates from it. 🔍 Example: What an EBM Sees That You Might Miss In one field test, a simple PyTorch autoencoder EBM was trained on 40PB+ typical authentication logs from cloud infrastructure. Once deployed, it caught several subtle anomalies that weren’t flagged by rules: SSH logins from expected regions, but at unusual times Correct login credentials with minor behavioral deviations Scripted service account activity that mimicked normal logins—but slightly off These events didn’t match any known threat signature. But they scored high energy—because they didn’t fit the learned pattern. ROC-AUC for those detections? 0.97 . ⚔️ Why EBMs Outperform Static Rules Feature Traditional Rules Energy-Based Models Detect known threats ✅ ✅ Detect unknown behavior ❌ ✅ Requires labeled attack data ✅ ❌ Learns from normal behavior only ❌ ✅ Easy to explain/analyze ⚠️ ⚠️ Yes, EBMs can be harder to explain—but when paired with feature attribution (like SHAP or LIME), you can give analysts a clear story: “This event triggered because its behavior was unlike anything seen before.” 🛠️ When Should You Use an EBM? Use EBMs when: You’re drowning in false positives from static rules You want anomaly detection but lack labeled attack data You need to catch novel behaviors—fast to reduce mean time to detection metrics tracked by Board members They’re especially powerful in environments like: Cloud IAM activity Endpoint telemetry DevOps CI/CD pipelines Lateral movement detection 🎯 Your Move If your current system is only catching what you’ve already seen—you’re flying blind to the next threat. 👉 Try building an EBM today. Start with a Colab notebook. Use normal logs. Watch what scores high. Then ask: why? You might uncover something your rules never would. 👉 Explore how autonomous detection and response loops can transform your SOC. Read the full white paper or dive into the latest podcast episode to learn more. Share on: Written on April 3, 2025 --> Enable dark mode