Administer Machine Learning Capabilities

To use the machine learning (deep learning) capabilities of Oracle Management Cloud, you first configure a model's training with a specification of the behavior you want it to learn.

Meet security requirements and stay compliant by managing and administering machine learning models. Perform tasks such as creating, updating, searching for and inspecting, and enabling or disabling model instances.

Machine Learning Capabilities Overview

This section gives you a conceptual understanding of attributes and other components that make up each machine learning model.

Machine Learning-Based Anomaly Detection

To detect anomalies based on behavioral patterns learned from users and assets across your IT enterprise, Security Monitoring and Analytics uses Peer Group Analysis models and SQL Analysis models. These are currently the only user-defined models in machine learning-based anomaly detection.

Table 2-3 Detecting Anomalies Based on Machine Learning

Multidimensional Anomaly Detection
  • Security Monitoring and Analytics machine learning model: Peer Group Analysis model
  • Learning components: Authentication event: source and destination IP
  • For example: "Diane G., a US-based employee, exhibited unusual login behavior when her account was used to log into the network from Tunisia."

Data Access Anomaly Detection
  • Security Monitoring and Analytics machine learning model: SQL Analysis model
  • Learning components: Data access: SQL command executed
  • For example: "A SELECT * query was run against the finance database Customer table, and was detected as anomalous."

Security Monitoring and Analytics — machine learning model attributes:

Security Model: Authentication

  • Username: Authentication user
  • Source IP: IP address of the source machine
  • Destination: IP address of the destination machine or asset name
  • Event Category: Authentication

Security Model: Data Access

  • SQL Text: SQL command executed

What type of behavior do you need machine learning to learn about?

Create a Peer Group Analysis Model

Create a Peer Group Analysis Model to better understand user behavioral patterns in your IT environment.

  1. From Security Monitoring and Analytics, click the Menu icon, top-left under the product name.
  2. Under Security Admin, select Machine Learning Models.
  3. In the Machine Learning Models page, click Create Model, and then select Peer Group Analysis.
  4. In the Model Attributes section:
    • Enter the name for your new model.

    • From the drop-down list, select a peer group.

      Peer groups are predefined based on your organization.
  5. Click Learning Parameters.
  6. Select a Security Model: Authentication or Data Access.

    Based on the security model selected, Security Monitoring and Analytics determines the appropriate set of attributes to be extracted from base events (log entries), and ingests them to learn behavioral patterns. These attribute values are compared and contrasted among users that belong to the same peer group in order to detect anomalous behavior.

  7. If you’re creating a learning model based on authentication activity, follow step a. If you’re creating a learning model based on data access activity (SQL activity associated with the entire peer group, which may involve one or more databases), follow step b.
    a. If you selected Authentication as your Security Model, the following Learning Attributes are used to learn behavioral patterns:
      • Username: Authentication user

      • Destination: IP address of the destination machine or the asset name

      • Event Category: Authentication

      These attributes encompass all the user activity that machine learning needs to ingest in order to learn and start detecting anomalous behavior.

    b. If you selected Data Access as your Security Model, the following Learning Attribute is used to learn behavioral patterns:
      • SQL Text: SQL command executed

      This attribute encompasses all the user activity that machine learning needs to ingest in order to learn and start detecting anomalous behavior.

  8. For Frequency, select either Daily or Weekly.
    • The initial learning session begins immediately. Subsequent learning sessions begin at midnight. The duration of each learning session is 24 hours if Daily is selected, or 7 days if Weekly.

    • Learning sessions are repeated indefinitely, unless the model is disabled.

    • To enhance and expedite the learning process, up to 30 days of historical events are ingested as learning input, if sources are available.

  9. For Learning Period, specify the value and select Hours, Days, or Weeks from Time Unit.
     Learning occurs on the data gathered in the last x hours, days, or weeks, where x is the value you specified.
  10. Click Save.

Create an SQL Analysis Model

Create new SQL analysis models and define the parameters and attributes relevant to your needs.

To create a machine learning model that focuses on a specific database, its typical query execution activity, and the number and order of SQL executions performed by mobile apps, web browsers, direct users, and so on:
  1. From Security Monitoring and Analytics, click the Menu icon, top-left under the product name.
  2. Under Security Admin, select Machine Learning Models.
  3. In the Machine Learning Models page, click Create Model, and then select SQL Analysis.
  4. In the Model Attributes section:
    • Enter the name for your new model.

    • From the drop-down list, select a database.

      Note:

      Databases listed here must have auditing enabled, and have their audit logs collected by Log Analytics.
    • (Optional) Enter the description of your new model.

  5. Click Learning Parameters.

    The Security Model is based on Data Access.

    Data Access attributes contain data related to events that read, modify, or delete data, such as the SQL commands executed and the sequential order of execution.

    The following Learning Attributes are used to learn behavioral patterns:

    • SQL Text: SQL command executed

  6. For Frequency, select either Daily or Weekly.
    • The initial learning session begins immediately. Subsequent learning sessions begin at midnight. The duration of each learning session is 24 hours if Daily is selected, or 7 days if Weekly.

    • Learning sessions are repeated indefinitely, unless the model is disabled.

    • To enhance and expedite the learning process, up to 30 days of historical events are ingested as learning input, if sources are available.

  7. For Learning Period, specify the value and select Hours, Days, or Weeks from Time Unit.

     Learning occurs on the data gathered in the last x hours, days, or weeks, where x is the value you specified.

  8. Click Save.
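As an added illustration that is not Oracle's code or algorithm and not part of this page, the Python sketch below shows one way the two security models described above can be turned into learned baselines: a peer-group baseline over the Authentication learning attributes (username, source IP, destination, event category), restricted to events inside the learning period, and a per-database baseline of SQL templates for the Data Access model used by SQL Analysis. The event records, peer group name, host names, IP addresses and query text are constructed sample data; the /24 prefix coarsening of source IPs and the masking of SQL literals are simplifications chosen for the example, not documented product behavior.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events for one peer group (not product output).
# Field names mirror the Authentication learning attributes on the page.
AUTH_EVENTS = [
    {"ts": "2024-02-10T09:00", "user": "diane.g", "peer_group": "finance-us",
     "src_ip": "10.1.20.15", "dest": "fin-app-01", "category": "Authentication"},
    {"ts": "2024-02-12T09:05", "user": "diane.g", "peer_group": "finance-us",
     "src_ip": "10.1.20.15", "dest": "fin-app-01", "category": "Authentication"},
    {"ts": "2024-02-11T08:55", "user": "raj.p", "peer_group": "finance-us",
     "src_ip": "10.1.20.40", "dest": "fin-app-01", "category": "Authentication"},
    {"ts": "2024-02-13T10:10", "user": "raj.p", "peer_group": "finance-us",
     "src_ip": "10.1.20.40", "dest": "fin-db-01", "category": "Authentication"},
    {"ts": "2024-02-14T11:00", "user": "mei.l", "peer_group": "finance-us",
     "src_ip": "10.1.21.7", "dest": "fin-app-01", "category": "Authentication"},
    # Older than the learning period: must be ignored when the baseline is built.
    {"ts": "2023-12-01T11:00", "user": "mei.l", "peer_group": "finance-us",
     "src_ip": "198.51.100.9", "dest": "fin-app-01", "category": "Authentication"},
]

# Constructed sample data access events (SQL Text attribute) for one database.
SQL_EVENTS = [
    {"ts": "2024-02-20T10:00", "db": "finance",
     "sql_text": "SELECT id, total FROM invoices WHERE id = 42"},
    {"ts": "2024-02-21T10:00", "db": "finance",
     "sql_text": "select id, total from invoices where id = 911"},
    {"ts": "2024-02-22T10:00", "db": "finance",
     "sql_text": "UPDATE invoices SET total = 10.5 WHERE id = 42"},
]

NOW = datetime(2024, 3, 1)            # fixed reference time so the example is deterministic
LEARNING_PERIOD = timedelta(days=30)  # "last x days" learning period from the procedure


def in_learning_window(events, now=NOW, period=LEARNING_PERIOD):
    """Keep only events whose timestamp falls inside the learning period."""
    start = now - period
    return [e for e in events if start <= datetime.fromisoformat(e["ts"]) <= now]


def src_prefix(ip):
    """Coarsen an IPv4 source address to its /24 so a DHCP lease change is not an anomaly."""
    return ".".join(ip.split(".")[:3])


def learn_peer_group_baseline(events):
    """peer_group -> {(source prefix, destination, category): set of users seen doing it}."""
    baseline = defaultdict(lambda: defaultdict(set))
    for e in in_learning_window(events):
        key = (src_prefix(e["src_ip"]), e["dest"], e["category"])
        baseline[e["peer_group"]][key].add(e["user"])
    return baseline


def score_auth_event(baseline, event):
    """Fraction of the peer group (members seen in the window) that share this
    (source prefix, destination, category) pattern; 0.0 means no peer has done it."""
    group = baseline.get(event["peer_group"], {})
    members = set().union(*group.values()) if group else set()
    if not members:
        return 0.0
    key = (src_prefix(event["src_ip"]), event["dest"], event["category"])
    return len(group.get(key, set())) / len(members)


def normalize_sql(sql):
    """Mask string and numeric literals with '?' and normalise case and whitespace,
    so queries that differ only in parameter values collapse to one template."""
    s = re.sub(r"'[^']*'", "?", sql)
    s = re.sub(r"\b\d+(\.\d+)?\b", "?", s)
    return " ".join(s.lower().split())


def learn_sql_baseline(events):
    """db -> set of normalised SQL templates executed during the learning window."""
    baseline = defaultdict(set)
    for e in in_learning_window(events):
        baseline[e["db"]].add(normalize_sql(e["sql_text"]))
    return baseline


def is_sql_anomalous(baseline, event):
    """True when this query template was never executed against that database."""
    return normalize_sql(event["sql_text"]) not in baseline.get(event["db"], set())


if __name__ == "__main__":
    auth_base = learn_peer_group_baseline(AUTH_EVENTS)
    # A login from an address range no peer has ever used (203.0.113.0/24 is documentation space).
    unusual = {"user": "diane.g", "peer_group": "finance-us", "src_ip": "203.0.113.7",
               "dest": "fin-app-01", "category": "Authentication"}
    print("peer share for unusual login:", score_auth_event(auth_base, unusual))
    sql_base = learn_sql_baseline(SQL_EVENTS)
    probe = {"db": "finance", "sql_text": "SELECT * FROM customer"}
    print("unseen query template:", is_sql_anomalous(sql_base, probe))
```

The peer-group score is a share, not a verdict: a threshold (for instance flagging anything below a few percent of the group) and a minimum group size are policy choices to make before acting on it, and the stale event in the sample shows why the learning window matters: a pattern outside the window contributes nothing to the baseline, so it cannot quietly legitimise a later login from the same range.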

Additional Machine Learning Features for Administrators

This section provides a quick overview of other tasks in machine learning models.

Enable and Disable Models

You can enable or disable a model depending on its current status.

  1. From the tree view on the left side, select the model you want to enable or disable. Alternatively, use the Search field to find it.
  2. In the details section, on the top-right corner, click the toggle button to either Enable or Disable the selected model.

Search and View Models

Search and view existing machine learning models.

In the Machine Learning Models page, use the Search field to find the existing models. Alternatively, you can select models by using the tree list.

Note:

You can add a search filter based on the models that are Enabled Only or Disabled Only.