An Abnormal Approach to Machine Learning: Feature Systems and Language Models

Discover how the Abnormal attack detection team utilizes feature systems, advanced language models, and per-customer understanding in our approach to machine learning in cybersecurity.
January 8, 2023

Lately, it seems like every cybersecurity marketing campaign talks about AI and machine learning. This terminology has become so overused that it can be difficult for CISOs and security leaders to differentiate between the noise and the technology that really works.

At Abnormal, our approach to AI and ML is not just marketing speak. In fact, we put a tremendous amount of resources into building a methodical solution that allows our platform to prevent email attacks and helps security leaders understand what exactly is targeting them. Our attack detection team is continually solving problems to make our groundbreaking technology even more effective at stopping the most advanced threats.

Machine learning is a critical component of how we detect and stop sophisticated attacks against our customers. It allows us to learn about normal customer behavior and understand new attack techniques in order to continuously evolve our customer protection.

Let’s take a deeper look at some of Abnormal’s key machine learning competencies that set us apart from other vendors, including our powerful feature systems, advanced language models, and per-customer understanding.

Abnormal Feature Systems

The performance of the Abnormal machine learning models depends on two components: the signals themselves and the labels they’re trained with. Our experts have put substantial effort into developing extremely powerful feature systems that enable us to represent data through our models in a very rich way. These systems enable our models to understand and develop a deep multi-layered representation of data across long periods of time. These models allow us to represent potential threats in terms of how they compare to the normal baseline of customers' patterns of communication.


Advanced Language Models

The infrastructure we've built to incorporate large language models into our detection stack is something that Abnormal continues to build on as we protect more and more organizations. In fact, we recently deployed a BERT Large Language Model (LLM), pre-trained by Google on a large corpus of data, and applied it to stop new classes of attacks. Since then, we've continued to improve how we incorporate large language models in our detection stack, including new systems to recognize attacker intent and unify our understanding of email bodies and email headers.


Per-Customer Understanding

Another unique aspect of Abnormal’s machine learning model is our in-depth, per-customer understanding. The history systems we have in place enable us to understand the behavioral communication patterns of each customer. With this information, Abnormal can build up a representation of what is normal for each user within that customer environment. Then, we can spot attacks not only from the perspective of what indicates the attack, but also at a very specific level of what does and does not fit in this customer's normal business environment.


This information allows us to build more specific and powerful kinds of models. Abnormal can confidently flag anything that stands out from normal business traffic without relying solely on our ability to anticipate what the attacker is likely to conceal. We can stay one step ahead of attackers because we understand the customer's environment better than the attacker does. Rather than trying to anticipate the attacker’s next move, Abnormal focuses its efforts on better understanding the customer and the user.

The Future of Machine Learning at Abnormal

At Abnormal, we're continually making significant improvements to our predictions as we obtain additional information. Each email that flows through our system teaches our machine learning models to better understand the distribution of email data. This enables us to confidently detect on-the-edge attacks that are extremely difficult for legacy systems to identify, ensuring that Abnormal catches the never-before-seen attacks that others miss.

What Our Customers Have to Say

And you don’t have to take our word for it. Abnormal customers find our machine learning to be adaptive to their environments. Recent reviews from Gartner Peer Insights include the following:

“Excellent Email Security Platform That Catches More Than Traditional SEGs.”

We had a great evaluation process with the sales team, and the MSA and pricing negotiations were very easy. The team understood we were in a long sales cycle, but wanted to make sure we didn't lose any of the ML training that had already occurred so they left us running in monitor mode until we could get the PO cut. Really great service so far with the deployment as well.

—CISO (Industry: Provider)

“Innovative and Capable Email Security Solution”

The Abnormal Security offering has proven to be easy to use and tangibly improves our e-mail security posture. The solution is innovative and modern, and a marked improvement over our older approach. The company is also very responsive both with communication and addressing questions or requests. This is great to see in light of their recent growth. We have been customers for over one year and still see great customer service.

—Director of IT (Industry: Carriers)

“Abnormal, An Email Security App That Truly Delivers On What They Promise”

The product truly delivers on using ML for detecting malicious and well-crafted emails that make it past a SEG and into a user's inbox, remediates these threats without any admin oversight or threat-hunting. This product has saved countless hours I would spend manually remediating phishing messages sent from fake user accounts hosted by free email providers.

—Cybersecurity Engineer (Industry: Education)

So What Does All of this Mean for You?

Attackers are always advancing, inventing new tactics to outsmart security technology and better trick victims. Unlike most machine learning problems, this problem is adversarial. The Abnormal platform is constantly learning and adapting so our team of engineers and security analysts can add new features, new models, and new approaches to stay ahead of ever-changing threats. Protecting our customers from these increasingly sophisticated attacks is our top priority and you can count on us to provide the most advanced detection for your organization.
