Skip to main content
drawing the line — how machines separate threats from noise
  1. posts/

drawing the line — how machines separate threats from noise

·472 words·3 mins·
MindSecSet AIFundamentals
Author
Virtue of Vague
Table of Contents
AI Series · post 4 of 12 series index →

drawing the line — how machines separate threats from noise
#

classification is easy when the data is clean. it never is.

in the real world — malicious and benign behaviours overlap. a legitimate admin running powershell looks a lot like an attacker doing the same. a user downloading a large file looks a lot like data exfiltration. the line between threat and noise is rarely clean.

SVMs were built exactly for this problem.

the core idea
#

SVM — support vector machine — finds the optimal line that separates two classes. not just any line. the one with the maximum margin between the closest points of each class.

those closest points? called support vectors. they define the boundary. everything else is noise.

bigger margin = more confident separation = better generalisation to new data.

in security terms — the wider the gap between known malicious and known benign behaviour, the more confidently the model classifies new events.

maximum margin classifierDECISION BOUNDARYmarginsupport vectorsupport vectorBENIGNMALICIOUSbigger margin = more confident separation.

when data is linearly separable
#

sometimes you can draw a straight line and cleanly separate the classes. linear SVM handles this.

simple, fast, effective. works well when features are well defined and data is clean.

rarely the case in security. but good to understand as the foundation.

when it isn’t — the kernel trick
#

most security data is messy. classes overlap in complex ways.

non-linear SVMs use a kernel function to solve this. it maps the data into a higher dimensional space where a clean separation becomes possible. then maps the decision boundary back.

common kernels:

  • RBF — most popular, handles complex patterns well
  • polynomial — adds curves to the boundary
  • sigmoid — similar to logistic regression behaviour

think of it like this — you can’t separate a tangled mess of red and blue marbles on a table. but if you could lift some into the air, suddenly a flat plane separates them cleanly. that’s the kernel trick.

why this matters in security
#

SVMs are behind a lot of behavioural classification engines. malware vs benign. anomalous vs normal user behaviour. the kernel trick is what makes them powerful enough to handle real world data.

understanding this helps you ask better questions — what features is the model using to draw that line? and is the margin wide enough to trust the decision?

next up — unsupervised learning. no labels, no rules, just patterns. threat hunting territory.

what’s the messiest classification problem you’ve seen in your SOC environment? curious.

took ai help to clean up typos. my brain works faster than my fingers. xd

next up: AI Series #5 — “no labels, no problem — finding patterns in the chaos” back to series index