Machine Learning

When performing Advanced Analysis in SecurITree it can be a challenge to understand which scenarios are similar, and to select countermeasures that will prove effective against multiple scenarios. SecurITree v5.4 introduces a new machine learning feature that groups scenarios based on analyst-chosen criteria - automatically!

After Advanced Analysis has been performed on the tree, further analysis can be done to better understand the results. Machine learning classifies attack scenarios into groups that have similar characteristics. You need to specify the number of groups, the criteria used for evaluation and the range of attack scenarios to be considered.

The clustering algorithm iteratively works to perform the grouping. In most cases, SecurITree will determine a good number of iterations automatically. However, you can override this if desired.

The criteria used for evaluation are chosen from the various indicator functions. Although any number of criteria can be selected, increasing the number greatly increases the number of calculations that must be performed! It is recommended to start with basic parameters such as feasibility, desirability and victim impact. Avoid selecting criteria that overlap. For example, Technical Ability is used to estimate Feasibility, so selecting both of those may not make sense.

The machine learning algorithm that clusters the scenarios is an iterative process. The algorithm makes an initial guess as to which scenarios belong to each of the specified number of clusters. The initial guess at groupings is seldom optimal, but serves as a starting point for the algorithm. The algorithm then attempts to improve on the cluster groupings by moving scenarios between groups based on similarity of the user's selected criteria. The learning algorithm may require numerous iterations to successfully cluster the scenarios into groups of similar characteristics. Generally, fewer scenarios will move on each successive iteration as clustering improves. Clustering is considered successful when the number of scenarios moved drops below a specified threshold.

SecurITree allows the analyst to specify the threshold value used to consider clustering to have been successful (default is 1%). Depending on the data set and the criteria chosen it is possible (though rare) that the number of scenarios moving between clusters will never drop below the specified threshold. That is, scenarios will endlessly move back and forth between clusters. To prevent the algorithm from iterating forever, SecurITree limits the number of iterations to a maximum value (default is 25). If the maximum number of iterations is reached before the percentage of scenarios moving between clusters falls below the threshold value, SecurITree will give the user the opportunity to perform additional iterations and manually decide whether the algorithm is converging or not.
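The iterative process described above, as an added illustration that is not SecurITree's own code: a k-means-style clustering over constructed scenario scores, using the 1% movement threshold and the 25-iteration cap, with the option to resume from a previous run's groupings when the cap is hit. The scenario scores, the round-robin starting partition and the use of Euclidean distance as the similarity measure are assumptions made for this example.

```python
from math import dist
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from SecurITree): each attack scenario is scored
# on three analyst-chosen criteria, here feasibility, desirability and victim
# impact, each normalised to the range 0..1.
SCENARIOS: Dict[str, Tuple[float, ...]] = {
    "S1": (0.90, 0.80, 0.90),
    "S2": (0.85, 0.90, 0.80),
    "S3": (0.10, 0.20, 0.10),
    "S4": (0.20, 0.10, 0.15),
    "S5": (0.95, 0.85, 0.95),
    "S6": (0.15, 0.25, 0.20),
}


def cluster_scenarios(
    scenarios: Dict[str, Tuple[float, ...]],
    k: int,
    threshold: float = 0.01,  # converged when < 1% of scenarios move in a pass
    max_iter: int = 25,       # hard cap so a non-converging run cannot loop forever
    initial: Optional[Dict[str, int]] = None,
) -> Tuple[Dict[str, int], int, bool]:
    """Return (assignments, iterations_run, converged).

    `initial` lets the caller resume from an earlier run's assignments, the way
    an analyst can ask for additional iterations after the cap is reached.
    """
    if not scenarios:
        raise ValueError("no scenarios to cluster")
    names = list(scenarios)
    # Initial guess: deal scenarios round-robin into the k clusters (an assumed
    # starting partition for this illustration).
    assign = dict(initial) if initial else {n: i % k for i, n in enumerate(names)}
    centroids: List[Optional[Tuple[float, ...]]] = [None] * k
    for it in range(1, max_iter + 1):
        # Centroid = mean of each criterion over the cluster's current members;
        # a cluster that has emptied keeps its previous centroid.
        for c in range(k):
            members = [scenarios[n] for n in names if assign[n] == c]
            if members:
                centroids[c] = tuple(sum(col) / len(col) for col in zip(*members))
        moved = 0
        for n in names:  # move each scenario to the most similar centroid
            nearest = min((c for c in range(k) if centroids[c] is not None),
                          key=lambda c: dist(scenarios[n], centroids[c]))
            if nearest != assign[n]:
                assign[n], moved = nearest, moved + 1
        if moved / len(names) < threshold:
            return assign, it, True
    return assign, max_iter, False
```

With the sample data the first pass moves two of the six scenarios and the second pass moves none, so the run converges after two iterations.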


If you have specific questions in this area, please contact Amenaza Technologies Limited for further information.