Machine Learning in Azure Security Center

已于 一月 28, 2016 发布

Principal Product Manager, Azure

At Microsoft, we analyze 300 billion user authentications and check 200 billion emails for spam and malware monthly. We also have unprecedented visibility into cloud infrastructure choices, platforms and the activity therein. Such visibility has no precedent in the on-premises world.

Sounds great, right? But, how do you make sense of so much data and turn it into cyber security?

With Azure Security Center, we deeply analyze a wealth of data, from a variety of Microsoft and partner solutions to help you achieve greater security. To make use of all this data, we extensively leverage data science, in particular Machine Learning, for threat prevention, detection and eventually investigation.

Broadly speaking, we use Machine Learning to achieve two outcomes:

  1. Next-generation detection
  2. Simplified security management

Next-generation detection

Attackers are increasingly automated and sophisticated. They use data science too. They reverse-engineer protections and build systems that support mutations in behavior. They masquerade their activities as noise, and learn quickly from mistakes. Machine learning helps us respond to these developments.

Machine Learning strengthens rule-based detections

Take, for example, a security rules that locks an account after X failed logins. For a developer machine, X should be low, but for a busy server, it should be high. Machine Learning helps us automatically determine the right X a given resource should tolerate, without developing custom analysis for each individual resource.

Supervised Machine Learning models

We train supervised Machine Learning models by presenting them with malicious and benign examples. The model then generalizes the examples into an algorithm. These examples are very hard to find and analyze. However, Microsoft can take advantage of its vast global threat intelligence and security expertise to develop highly tuned models using a wealth of analyzed examples.

Machine Learning quickly adapts to moving targets

Once blocked, attackers will slightly change their behavior in order to go under the radar. Our machine learning models react to these changes automatically.

Unsupervised Machine Learning models can work in the absence of examples

For example, if a database typically exhibits a certain network imprint, but one day we see something else, Azure Security Center can flag the activity as suspicious.

Simplifying security

Making effective security decisions is not easy. It requires security experience and expertise. While some large organizations have such experts on staff, many companies don’t. We use Machine Learning to enable customers to benefit from the wisdom of other organizations when making security decisions.

Actionable recommendations

We can give customers actionable recommendations based on Machine Learning models that compare them to a reference group with similar needs, deployments, security events, etc.—without compromising privacy. Our aim is to help customers know what their security performance is and what to do in order to address their own pain points.

Noise reduction

Security appliances are notoriously noisy. It can take an expert to distinguish important alerts from noise. We employ several mechanisms to automate noise reduction as much as possible, providing better security insights to the non-expert.


We are incredibly excited about the potential that Machine Learning has to help you improve the security of your resources in Azure—both today and in the future as we develop increasingly advanced models. If the techniques I described here have piqued your interest, try Azure Security Center today by clicking Browse and typing “security” in your Azure portal.