Machine Learning: Preventing Network Abnormalities
The Department of Defense (DoD) has developed and published multiple zero trust documents describing the zero trust principles that DoD organizations are expected to achieve. Those documents state that organizations will need to rely on artificial intelligence, machine learning, and automation to reduce the time a security practitioner needs to monitor, detect, and prevent unauthorized user and device access to network resources. The DoD also operates endpoint devices and networks disconnected from the public internet, which creates a need for machine learning models that run without cloud connectivity. This paper outlines the potential for an on-premises machine learning algorithm running on the endpoint device itself to analyze normal and abnormal network traffic and automatically implement Windows Defender Firewall rulesets, and it describes the challenges of implementing this concept at the endpoint rather than relying on centralized or cloud-based machine learning platforms.
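The mechanism the abstract describes, shown as an added example that is not the paper's code: a small per-process baseline (a stand-in for whatever model the paper evaluates) scores new outbound connections on an endpoint and renders the ones above a threshold as New-NetFirewallRule commands for review. The connection records, process paths and addresses are constructed, and the scoring weights and threshold are assumptions chosen for illustration.

```python
"""Toy endpoint anomaly detector that turns flagged outbound connections into
Windows Defender Firewall rules (as text).  Added example, not the paper's code.

Assumptions: connection records arrive from a local collector (e.g. Sysmon
event ID 3 or a flow log) already parsed into Conn objects; the statistical
baseline below stands in for the paper's model; weights are illustrative."""
from __future__ import annotations

import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    process: str      # image path of the initiating process
    dst_ip: str
    dst_port: int
    sent_bytes: int


# Constructed baseline: a quiet week of traffic from one workstation.
BASELINE = [
    Conn(r"C:\Program Files\Mozilla Firefox\firefox.exe", "10.20.0.5", 443, b)
    for b in (1200, 1500, 900, 2100, 1800, 1300, 1100, 1700)
] + [
    Conn(r"C:\Windows\System32\svchost.exe", "10.20.0.9", 445, b)
    for b in (300, 280, 320, 310, 290, 305, 295, 315)
] + [
    Conn(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "10.20.0.7", 443, b)
    for b in (4000, 3800, 4200, 4100, 3900, 4050, 3950, 4150)
]


class EndpointBaseline:
    """Per-process profile: known (ip, port) destinations plus byte-volume stats.

    score = destination novelty + process novelty + |z-score| of bytes sent.
    A new destination for a known process scores 3.0 on its own, which is
    deliberately below the default threshold: browsers reach new hosts daily.
    """

    DEST_NOVELTY = 3.0     # assumed weight for an unseen (ip, port)
    PROC_NOVELTY = 2.0     # assumed weight for an unseen process image

    def __init__(self, conns: list[Conn]) -> None:
        self.dests: dict[str, set[tuple[str, int]]] = defaultdict(set)
        volumes: dict[str, list[int]] = defaultdict(list)
        for c in conns:
            self.dests[c.process].add((c.dst_ip, c.dst_port))
            volumes[c.process].append(c.sent_bytes)
        # pstdev of a constant series is 0; fall back to 1.0 to avoid division by zero
        self.stats = {p: (statistics.mean(v), statistics.pstdev(v) or 1.0)
                      for p, v in volumes.items()}

    def score(self, c: Conn) -> float:
        if c.process not in self.stats:
            return self.DEST_NOVELTY + self.PROC_NOVELTY   # nothing to compare bytes against
        mean, sd = self.stats[c.process]
        z = abs(c.sent_bytes - mean) / sd
        novelty = 0.0 if (c.dst_ip, c.dst_port) in self.dests[c.process] else self.DEST_NOVELTY
        return novelty + z


def to_firewall_rule(c: Conn, score: float) -> str:
    """Render a New-NetFirewallRule command (PowerShell NetSecurity module) as text.
    The command is only emitted here; applying it is left to a reviewed step."""
    name = f"ML-Block-{c.dst_ip}-{c.dst_port}"
    return (f"New-NetFirewallRule -DisplayName '{name}' -Direction Outbound "
            f"-Action Block -Protocol TCP -RemoteAddress {c.dst_ip} "
            f"-RemotePort {c.dst_port} -Program '{c.process}' "
            f"-Description 'auto: anomaly score {score:.1f}'")


def propose_rules(baseline: EndpointBaseline, conns: list[Conn],
                  threshold: float = 4.0) -> list[str]:
    """Return one block rule per connection whose score reaches the threshold."""
    return [to_firewall_rule(c, s) for c in conns
            if (s := baseline.score(c)) >= threshold]


MODEL = EndpointBaseline(BASELINE)

# Constructed observations: routine, a new-but-ordinary destination, a byte-volume
# outlier on a known SMB peer, and an unknown binary calling out to port 4444.
OBSERVED = [
    Conn(r"C:\Program Files\Mozilla Firefox\firefox.exe", "10.20.0.5", 443, 1400),
    Conn(r"C:\Program Files\Mozilla Firefox\firefox.exe", "93.184.216.34", 443, 1500),
    Conn(r"C:\Windows\System32\svchost.exe", "10.20.0.9", 445, 48_000_000),
    Conn(r"C:\Users\Public\update.exe", "198.51.100.23", 4444, 900),
]

if __name__ == "__main__":
    for rule in propose_rules(MODEL, OBSERVED):
        print(rule)
```

The point worth keeping from this sketch is the split between scoring and enforcement: the detector only proposes rules, and the svchost case shows why. A byte-volume outlier on a legitimate file-server peer may be a backup job rather than exfiltration, and an automatically applied outbound block on port 445 would take the workstation off the share until someone noticed. A baseline trained on a window that already contains attacker traffic will likewise learn it as normal, so the training window itself needs review before the model is trusted to act.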
SANS_Machine_Learning_Preventing_Network_Abnormalities (PDF, 0.57MB)
30 Aug 2024

Related Content
USB: Universal Security Breach or Uniquely Secured Bus? Assessing the Effectiveness of Windows 11 Group Policy at Controlling USB Device Installation for Budget-Constrained Security Teams
Research Paper: This study evaluates three progressively granular Windows 11 Group Policy (GPO) configurations, class-based blocking, VID/PID allowlisting, and Device Instance ID allowlisting, against legitimate business peripherals and a Hak5 USB Rubber Ducky configured as a composite BadUSB device, using the Windows 11 v25H2 Security Baseline as the unmodified reference state.
- 22 Jun 2026
- Kire Jacobson
Investigating Operating System Variations in IPv6 Implementations
Research Paper: This research tested the four most common operating system families, Windows, Linux, macOS, and BSD, for RFC compliance and behavioral differences across a controlled set of IPv6 test cases. Because RFC specifications leave many implementation details to the developer, behavior was expected to diverge, and the testing confirmed that it did.
- 22 Jun 2026
- Donovan Rodriguez
macOS Infostealer Exfiltration Techniques via Native Tooling: Behavioral Analysis and Defenses
Research Paper: This paper analyzes macOS infostealers and their reliance on native system utilities. The use of specific command-line options and arguments should be predictable and detectable with proper analysis.
- 22 Jun 2026
- Cory Findley
From Alert to Evidence: Evaluating AI Agents for Cyber Forensic Triage
Research Paper: Cyber defense teams are beginning to experiment with large language models in security operations, but their usefulness in digital forensics and incident triage is still uncertain.
- 11 Jun 2026
- Connor Blackard
Risk-Adaptive Data Loss Prevention: Behavioral Intelligence with DLP
Research Paper
- 4 Jun 2026
- Matt Bromiley
Bridging the Gap Between Threat Intelligence and Business Risk
Research Paper: The importance of the threat intelligence function has grown significantly over the years to become a cornerstone of any cybersecurity group.
- 29 May 2026
- Kevin Garvey
Secure By Design: An Exploration of the Application of Generative AI in Threat Modeling Technical Design Documents
Research Paper: This paper explores the efficacy of large language models (LLMs) for creating comprehensive threat models by analyzing technical design documents, particularly when provided with additional contextual information about the product's underlying infrastructure and deployment environment.
- 27 May 2026
- Mark Oswald
2026 SANS Cyber Threat Intelligence (CTI) Survey Insights
Research Paper: Every year, the SANS CTI Survey gets sharper. This year, it takes a step the field has needed for a while. For the first time, the 2026 survey includes a dedicated module for security executives, capturing responses from 67 CISOs and CSOs.
- 15 May 2026
- Rebekah Brown, Andreas Sfakianakis
Leveraging Large Language Models for Cross-Vendor Firewall Configuration Migration: A Comparative Case Study of Claude and ChatGPT
Research Paper: This paper investigates how two current-generation large language models (LLMs) perform on a single, representative firewall migration task.
- 12 May 2026
- Omar Zaman
Autonomous Defense Induced Disruption: How AI-Driven Automated Response Can Be Manipulated to Disrupt Enterprise Operations
Research Paper: The research highlights the need for governance controls, privilege-aware safeguards, and system-level constraints to prevent autonomous containment from causing operational disruption.
- 12 May 2026
- Marcio Enriquez
Your Sensitive Data Has Left the Chat: LLMs as Sensitive Data Detectors
Research Paper: This paper seeks to evaluate the hypothesis that language models, large and small, can perform well at sensitive data classification and to offer a solution for companies trying to detect contextually sensitive data in their AI workflows.
- 12 May 2026
- Colten Davis
Untested: An Overlooked Link in the Software Supply Chain
Research Paper: This research explores test code as an attack surface and takes a first step toward creating a tool to help analysts detect and mitigate malware lurking in test libraries.
- 16 Apr 2026
- Evan Ottinger
Cyber Risk Intelligence and Security Posture (CRISP): From Compliance to Threat-Informed Intelligence
Research Paper: This paper presents CRISP (Cyber Risk Intelligence & Security Posture), a platform that automates the transformation of STIG compliance data into threat-informed security intelligence.
- 7 Apr 2026
- Eric Kaden
Leveraging Generative AI for Password Cracking Efficiency Under Resource Constraints
Research Paper: The purpose of this research is to investigate whether generative AI can alleviate the hardware and financial burdens of password cracking (password recovery) while maintaining or even improving cracking success rates.
- 20 Mar 2026
- Wesley Keller
Enhancing Linux Threat Detection: A Sysmon-Based Approach to Identifying Sandworm TTPs
Research Paper: Linux systems have become foundational across modern IT enterprises. Threat actors are increasingly targeting Linux systems, including well-known advanced persistent threats (APTs) such as Sandworm.
- 20 Mar 2026
- Joshua Keller
Open-Source National Security Infrastructure for Sweden’s National Security Apparatus
Research Paper: This paper investigates whether core IT infrastructure implemented using open-source software and infrastructure-as-code techniques can achieve compliance with selected information security requirements defined in Chapter 4 of PMFS 2022:1.
- 18 Mar 2026
- Fredrik Bolinder
AI-Human Collaboration in Modern SOCs
Research Paper: Enterprises face upwards of 3,000 security alerts daily, and according to the SANS 2025 SOC Survey, two-thirds of security operations center (SOC) teams cannot keep pace.
- 17 Mar 2026
- Mathias Fuchs
Detecting AI Pickling
Research Paper: This study examines whether static analysis is a dependable "certification gate" for ingesting third-party, pickle-based AI model artifacts from open-source model hubs into a trusted internal registry.
- 12 Mar 2026
- Bryan Nice
How Many LLMs Does it Take to Classify a Suspicious Email?
Research Paper: This study examines the accuracy, reliability, and operational behavior of three widely available LLMs using a dataset of 2000 human-written emails containing both legitimate and suspicious messages.
- 12 Mar 2026
- Bridget Bartell
Autonomous Threat Emulation and Detection Using Agentic AI
Research Paper: Traditional threat emulation frameworks struggle to capture the dynamic and adaptive behaviours of modern Advanced Persistent Threats (APTs), leaving defenders reliant on static tests that quickly become obsolete.
- 10 Mar 2026
- Marcus Dillion Yin
