Introduction to Artificial Intelligence for

Security Professionals 1st Edition The Cylance

Data Science Team pdf download

https://textbookfull.com/product/introduction-to-artificial-
intelligence-for-security-professionals-1st-edition-the-cylance-
data-science-team/

Download more ebook from https://textbookfull.com

We believe these products will be a great fit for you. Click
the link to download now, or visit textbookfull.com
to discover even more!

Introduction to Artificial Intelligence Undergraduate

Topics in Computer Science Wolfgang Ertel

https://textbookfull.com/product/introduction-to-artificial-
intelligence-undergraduate-topics-in-computer-science-wolfgang-
ertel/

Artificial Intelligence for Big Data Complete guide to

automating Big Data solutions using Artificial
Intelligence techniques Anand Deshpande

https://textbookfull.com/product/artificial-intelligence-for-big-
data-complete-guide-to-automating-big-data-solutions-using-
artificial-intelligence-techniques-anand-deshpande/

AI for the Good: Artificial Intelligence and Ethics

(Management for Professionals) Stefan Vieweg

https://textbookfull.com/product/ai-for-the-good-artificial-
intelligence-and-ethics-management-for-professionals-stefan-
vieweg/

Analytics, data science, & artificial intelligence :

systems for decision support Eleventh Edition Dursun
Delen

https://textbookfull.com/product/analytics-data-science-
artificial-intelligence-systems-for-decision-support-eleventh-
edition-dursun-delen/
Scala Guide for Data Science Professionals 1st Edition
Pascal Bugnion

https://textbookfull.com/product/scala-guide-for-data-science-
professionals-1st-edition-pascal-bugnion/

Cracking the Code: Introduction to Machine Learning for

Novices: Building a Foundation for Artificial
Intelligence 1st Edition Sarah Parker

https://textbookfull.com/product/cracking-the-code-introduction-
to-machine-learning-for-novices-building-a-foundation-for-
artificial-intelligence-1st-edition-sarah-parker/

Artificial Intelligence for Fashion Industry in the Big

Data Era Sébastien Thomassey

https://textbookfull.com/product/artificial-intelligence-for-
fashion-industry-in-the-big-data-era-sebastien-thomassey/

Introduction to Deep Learning From Logical Calculus to

Artificial Intelligence 1st Edition Sandro Skansi

https://textbookfull.com/product/introduction-to-deep-learning-
from-logical-calculus-to-artificial-intelligence-1st-edition-
sandro-skansi/

Artificial Intelligence and Data Mining for Mergers and

Acquisitions 1st Edition Debasis Chanda

https://textbookfull.com/product/artificial-intelligence-and-
data-mining-for-mergers-and-acquisitions-1st-edition-debasis-
chanda/
The information security world is rich with information. From reviewing logs
to analyzing malware, information is everywhere and in vast quantities, more
than the workforce can cover. Artificial intelligence is a field of study that is
adept at applying intelligence to vast amounts of data and deriving meaningful
results. In this book, we will cover machine learning techniques in practical
situations to improve your ability to thrive in a data driven world. With
clustering, we will explore grouping items and identifying anomalies. With
classification, we’ll cover how to train a model to distinguish between classes
of inputs. In probability, we’ll answer the question “What are the odds?”
and make use of the results. With deep learning, we’ll dive into the powerful
biology inspired realms of AI that power some of the most effective methods
in machine learning today.

The Cylance Data Science team consists of experts in a variety of fields.

Contributing members from this team for this book include Brian Wallace, a
security researcher turned data scientist with a propensity for building tools
that merge the worlds of information security and data science. Sepehr
Akhavan-Masouleh is a data scientist who works on the application of
statistical and machine learning models in cyber-security with a Ph.D from
University of California, Irvine. Andrew Davis is a neural network wizard
wielding a Ph.D in computer engineering from University of Tennessee.
Mike Wojnowicz is a data scientist with a Ph.D. from Cornell University who
enjoys developing and deploying large-scale probabilistic models due to
their interpretability. Data scientist John H. Brock researches applications
of machine learning to static malware detection and analysis, holds an M.S.
in computer science from University of California, Irvine, and can usually be
found debugging Lovecraftian open source code while mumbling to himself
about the virtues of unit testing.
THE CYLANCE PRESS
IRVINE, CA
© 2017 The Cylance Data Science Team

All rights reserved. No part of this publication may be reproduced,

stored in a retrieval system, or transmitted in any form or by
any means electronic, mechanical, photocopying, recording or
otherwise, without the prior written permission of the publisher.

Published by
The Cylance Data Science Team.

Introduction to artificial intelligence for security

professionals / The Cylance Data Science Team. –
Irvine, CA : The Cylance Press, 2017.

p. ; cm.

Summary: Introducing information security

professionals to the world of artificial intelligence and
machine learning through explanation and examples.

ISBN13: 978-0-9980169-0-0

1. Artificial intelligence. 2. International security.

I. Title.

TA347.A78 C95 2017

006.3—dc23 2017943790

FIRST EDITION

Project coordination by Jenkins Group, Inc.

www.BookPublishing.com

Interior design by Brooke Camfield

Printed in the United States of America

21 20 19 18 17 • 5 4 3 2 1
Contents

Foreword v

Introduction
Artificial Intelligence: The Way Forward in Information Security ix

1 Clustering
Using the K-Means and DBSCAN Algorithms 1

2 Classification
Using the Logistic Regression and Decision Tree Algorithms 37

3 Probability 79

4 Deep Learning 115

Foreword
by Stuart McClure

My first exposure to applying a science to computers

came at the University of Colorado, Boulder, where, from 1987-
1991, I studied Psychology, Philosophy, and Computer Science
Applications. As part of the Computer Science program, we
studied Statistics and how to program a computer to do what we
as humans wanted them to do. I remember the pure euphoria
of controlling the machine with programming languages, and I
was in love.
In those computer science classes we were exposed to Alan
Turing and the quintessential “Turing Test.” The test is simple:
Ask two “people” (one being a computer) a set of written ques-
tions, and use the responses to them to make a determination.
If the computer is indistinguishable from the human, then it
has “passed” the test. This concept intrigued me. Could a com-
puter be just as natural as a human in its answers, actions, and
thoughts? I always thought, Why not?
Flash forward to 2010, two years after rejoining a tier 1 anti-
virus company. I was put on the road helping to explain our
roadmap and vision for the future. Unfortunately, every conver-
sation was the same one I had been having for over twenty years:
We need to get faster at detecting malware and cyberattacks.
Faster, we kept saying. So instead of monthly signature updates,
we would strive for weekly updates. And instead of weekly we
v
vi Introduction to Artificial Intelligence for Security Professionals

would fantasize about daily signature updates. But despite mil-

lions of dollars driving toward faster, we realized that there is
no such thing. The bad guys will always be faster. So what if we
could leap frog them? What if we could actually predict what
they would do before they did it?
Since 2004, I had been asked quite regularly on the road,
“Stuart, what do you run on your computer to protect your-
self?” Because I spent much of my 2000s as a senior executive
inside a global antivirus company, people always expected me
to say, “Well of course, I use the products from the company I
work for.” Instead, I couldn’t lie. I didn’t use any of their prod-
ucts. Why? Because I didn’t trust them. I was old school. I only
trusted my own decision making on what was bad and good.
So when I finally left that antivirus company, I asked myself,
“Why couldn’t I train a computer to think like me—just like a
security professional who knows what is bad and good? Rather
than rely on humans to build signatures of the past, couldn’t we
learn from the past so well that we could eliminate the need for
signatures, finally predicting attacks and preventing them in real
time?”
And so Cylance was born.
My Chief Scientist, Ryan Permeh, and I set off on this crazy
and formidable journey to completely usurp the powers that
be and rock the boat of the establishment—to apply math and
science into a field that had largely failed to adopt it in any
meaningful way. So with the outstanding and brilliant Cylance
Data Science team, we achieved our goal: protect every com-
puter, user, and thing under the sun with artificial intelligence
to predict and prevent cyberattacks.
So while many books have been written about artificial
intelligence and machine learning over the years, very few
have offered a down to earth and practical guide from a purely
 Foreword vii

cybersecurity perspective. What the Cylance Data Science

Team offers in these pages is the very real-world, practical, and
approachable instruction of how anyone in cybersecurity can
apply machine learning to the problems they struggle with every
day: hackers.
So begin your journey and always remember, trust yourself
and test for yourself.
Introduction
Artificial Intelligence: The Way
Forward in Information Security

Artificial Intelligence (AI) technologies are rapidly

moving beyond the realms of academia and speculative fiction
to enter the commercial mainstream. Innovative products such
as Apple’s Siri® digital assistant and the Google search engine,
among others, are utilizing AI to transform how we access and
utilize information online. According to a December 2016 report
by the Office of the President:

Advances in Artificial Intelligence (AI) technology

and related fields have opened up new markets and
new opportunities for progress in critical areas such
as health, education, energy, economic inclusion,
social welfare, and the environment.1

AI has also become strategically important to national

defense and securing our critical financial, energy, intelligence,
and communications infrastructures against state-sponsored
cyber-attacks. According to an October 2016 report2 issued
1. Executive Office of the President, Artificial Intelligence, Automation, and the
Economy, December 20, 2016. Available for download at https://www.whitehouse.
gov/sites/whitehouse.gov/files/images/EMBARGOED%20AI%20Economy%20Report.
pdf
2. National Science and Technology Council’s Subcommittee on Machine Learning
and Artificial Intelligence, Preparing for the Future of Artificial Intelligence,
October 2016. Available for download at https://obamawhitehouse.archives.gov/
sites/default/files/whitehouse_files/microsites/ostp/NSTC/preparing_for_the_
future_of_ai.pdf
ix
x Introduction to Artificial Intelligence for Security Professionals

by the federal government’s National Science and Technology

Council Committee on Technology (NSTCC):

AI has important applications in cybersecurity, and

is expected to play an increasing role for both defen-
sive and offensive cyber measures. . . . Using AI may
help maintain the rapid response required to detect
and react to the landscape of evolving threats.

Based on these projections, the NSTCC has issued a National

Artificial Intelligence Research and Development Strategic Plan3
to guide federally-funded research and development.
Like every important new technology, AI has occasioned
both excitement and apprehension among industry experts and
the popular media. We read about computers that beat Chess
and Go masters, about the imminent superiority of self-driving
cars, and about concerns by some ethicists that machines could
one day take over and make humans obsolete. We believe that
some of these fears are over-stated and that AI will play a pos-
itive role in our lives as long AI research and development is
guided by sound ethical principles that ensure the systems we
build now and in the future are fully transparent and account-
able to humans.
In the near-term however, we think it’s important for security
professionals to gain a practical understanding about what AI is,
what it can do, and why it’s becoming increasingly important to
our careers and the ways we approach real-world security prob-
lems. It’s this conviction that motivated us to write Introduction
to Artificial Intelligence for Security Professionals.

3. National Science and Technology Council’s Subcommittee on Machine Learning

and Artificial Intelligence, National Artificial Intelligence Research and
Development Strategic Plan, October 2016. Available for download at
https://www.nitrd.gov/PUBS/national_ai_rd_strategic_plan.pdf
 Artificial Intelligence: The Way Forward in Information Security xi

You can learn more about the clustering, classification, and

probabilistic modeling approaches described in this book from
numerous websites, as well as other methods, such as generative
models and reinforcement learning. Readers who are techni-
cally-inclined may also wish to educate themselves about the
mathematical principles and operations on which these meth-
ods are based. We intentionally excluded such material in order
to make this book a suitable starting point for readers who are
new to the AI field. For a list of recommended supplemental
materials, visit https://www.cylance.com/intro-to-ai.
It’s our sincere hope that this book will inspire you to begin
an ongoing program of self-learning that will enrich your skills,
improve your career prospects, and enhance your effectiveness
in your current and future roles as a security professional.

AI: Perception Vs. Reality

The field of AI actually encompasses three distinct areas of
research:

• Artificial Superintelligence (ASI) is the kind popularized

in speculative fiction and in movies such as The Matrix.
The goal of ASI research is to produce computers that
are superior to humans in virtually every way, possess-
ing what author and analyst William Bryk referred to as
“perfect memory and unlimited analytical power.”4
• Artificial General Intelligence (AGI) refers to a machine
that’s as intelligent as a human and equally capable of
solving the broad range of problems that require learning
and reasoning. One of the classic tests of AGI is the abil-
ity to pass what has come to be known as “The Turing
4. William Bryk, Artificial Intelligence: The Coming Revolution, Harvard Science
Review, Fall 2015 issue. Available for download at https://harvardsciencereview.
files.wordpress.com/2015/12/hsrfall15invadersanddefenders.pdf
xii Introduction to Artificial Intelligence for Security Professionals

Test,”5 in which a human evaluator reads a text-based

conversation occurring remotely between two unseen
entities, one known to be a human and the other a
machine. To pass the test, the AGI system’s side of the
conversation must be indistinguishable by the evaluator
from that of the human.
Most experts agree that we’re decades away from
achieving AGI and some maintain that ASI may ulti-
mately prove unattainable. According to the October
2016 NSTC report,6 “It is very unlikely that machines
will exhibit broadly-applicable intelligence comparable
to or exceeding that of humans in the next 20 years.”
• Artificial Narrow Intelligence (ANI) exploits a comput-
er’s superior ability to process vast quantities of data
and detect patterns and relationships that would oth-
erwise be difficult or impossible for a human to detect.
Such data-centric systems are capable of outperforming
humans only on specific tasks, such as playing chess or
detecting anomalies in network traffic that might merit
further analysis by a threat hunter or forensic team.
These are the kinds of approaches we’ll be focusing on
exclusively in the pages to come.

The field of Artificial Intelligence encompasses a broad

range of technologies intended to endow computers with
human-like capabilities for learning, reasoning, and drawing
useful insights. In recent years, most of the fruitful research

5. A.M. Turing (1950), Computing Machinery and Intelligence, Mind, 59, 433-460.
Available for download at http://www.loebner.net/Prizef/TuringArticle.html
6. National Science and Technology Council’s Subcommittee on Machine Learning
and Artificial Intelligence, Preparing for the Future of Artificial Intelligence,
October 2016. Available for download at https://obamawhitehouse.archives.gov/
sites/default/files/whitehouse_files/microsites/ostp/NSTC/preparing_for_the_
future_of_ai.pdf
 Artificial Intelligence: The Way Forward in Information Security xiii

and advancements have come from the sub-discipline of AI

named Machine Learning (ML), which focuses on teaching
machines to learn by applying algorithms to data. Often, the
terms AI and ML are used interchangeably. In this book, how-
ever, we’ll be focusing exclusively on methods that fall within
the machine learning space.
Not all problems in AI are candidates for a machine learning
solution. The problem must be one that can be solved with data; a
sufficient quantity of relevant data must exist and be acquirable;
and systems with sufficient computing power must be available
to perform the necessary processing within a reasonable time-
frame. As we shall see, many interesting security problems fit
this profile exceedingly well.

Machine Learning in the Security Domain

In order to pursue well-defined goals that maximize productiv-
ity, organizations invest in their system, information, network,
and human assets. Consequently, it’s neither practical nor desir-
able to simply close off every possible attack vector. Nor can we
prevent incursions by focusing exclusively on the value or prop-
erties of the assets we seek to protect. Instead, we must consider
the context in which these assets are being accessed and utilized.
With respect to an attack on a website, for example, it’s the con-
text of the connections that matters, not the fact that the attacker
is targeting a particular website asset or type of functionality.
Context is critical in the security domain. Fortunately, the
security domain generates huge quantities of data from logs,
network sensors, and endpoint agents, as well as from distrib-
uted directory and human resource systems that indicate which
user activities are permissible and which are not. Collectively,
this mass of data can provide the contextual clues we need to
identify and ameliorate threats, but only if we have tools capable
xiv Introduction to Artificial Intelligence for Security Professionals

of teasing them out. This is precisely the kind of processing in

which ML excels.
By acquiring a broad understanding of the activity sur-
rounding the assets under their control, ML systems make it
possible for analysts to discern how events widely dispersed in
time and across disparate hosts, users, and networks are related.
Properly applied, ML can provide the context we need to reduce
the risks of a breach while significantly increasing the “cost of
attack.”

The Future of Machine Learning

As ML proliferates across the security landscape, it’s already
raising the bar for attackers. It’s getting harder to penetrate
systems today than it was even a few years ago. In response,
attackers are likely to adopt ML techniques in order to find new
ways through. In turn, security professionals will have to utilize
ML defensively to protect network and information assets.
We can glean a hint of what’s to come from the March 2016
match between professional Go player Lee Sedol an eighteen-time
world Go champion, and AlphaGo a computer program devel-
oped at DeepMind, an AI lab based in London that has since
been acquired by Google. In the second game, AlphaGo made a
move that no one had ever seen before. The commentators and
experts observing the match were flummoxed. Sedol himself
was so stunned it took him nearly fifteen minutes to respond.
AlphaGo would go on to win the best-of-five game series.
In many ways, the security postures of attack and defense
are similar to the thrust and parry of complex games like Go
and Chess. With ML in the mix, completely new and unexpected
threats are sure to emerge. In a decade or so, we may see a
landscape in which “battling bots” attack and defend networks
 Artificial Intelligence: The Way Forward in Information Security xv

on a near real-time basis. ML will be needed on the defense side

simply to maintain parity.
Of course, any technology can be beaten on occasion with
sufficient effort and resources. However, ML-based defenses are
much harder to defeat because they address a much broader
region of the threat space than anything we’ve seen before and
because they possess human-like capabilities to learn from their
mistakes.

What AI Means to You

Enterprise systems are constantly being updated, modified, and
extended to serve new users and new business functions. In such
a fluid environment, it’s helpful to have ML-enabled “agents” that
can cut through the noise and point you to anomalies or other
indicators that provide forensic value. ML will serve as a produc-
tivity multiplier that enables security professionals to focus on
strategy and execution rather than on spending countless hours
poring over log and event data from applications, endpoint con-
trols, and perimeter defenses. ML will enable us to do our jobs
more efficiently and effectively than ever before.
The trend to incorporate ML capabilities into new and exist-
ing security products will continue apace. According to an April
2016 Gartner report7:

• By 2018, 25% of security products used for detection will

have some form of machine learning built into them.
• By 2018, prescriptive analytics will be deployed in at
least 10% of UEBA products to automate response to
incidents, up from zero today.

7. Gartner Core Security, The Fast-Evolving State of Security Analytics, April,

2016, Report ID: G00298030 accessed at https://hs.coresecurity.com/gartner-
reprint-2017
xvi Introduction to Artificial Intelligence for Security Professionals

In order to properly deploy and manage these products, you

will need to understand what the ML components are doing so
you can utilize them effectively and to their fullest potential. ML
systems are not omniscient nor do they always produce perfect
results. The best solutions will incorporate both machine learn-
ing systems and human operators. Thus, within the next three to
four years, an in-depth understanding of ML and its capabilities
will become a career requirement.

About This Book

This book is organized into four chapters:

1. Chapter One: Clustering Clustering encompasses a vari-

ety of techniques for sub-dividing samples into distinct
sub-groups or clusters based on similarities among their
key features and attributes. Clustering is particularly
useful in data exploration and forensic analysis thanks to
its ability to sift through vast quantities of data to identify
outliers and anomalies that require further investigation.
In this chapter, we examine:
• The step-by-step computations performed by the
k-means and DBSCAN clustering algorithms.
• How analysts progress through the typical stages of
a clustering procedure. These include data selection
and sampling, feature extraction, feature encoding
and vectorization, model computation and graphing,
and model validation and testing.
• Foundational concepts such as normalization, hyper-
parameters, and feature space.
• How to incorporate both continuous and categorical
types of data.
 Artificial Intelligence: The Way Forward in Information Security xvii

• We conclude with a hands-on learning section

showing how k-means and DBSCAN models can be
applied to identify exploits similar to those associ-
ated with the Panama Papers breach, which, in 2015,
was discovered to have resulted in the exfiltration of
some 11.5 million confidential documents and 2.6
terabytes of client data from Panamanian law firm
Mossack Fonseca.
2. Chapter Two: Classification Classification encompasses
a set of computational methods for predicting the likeli-
hood that a given sample belongs to a predefined class,
e.g., whether a given piece of email is spam or not. In this
chapter, we examine:
• The step-by-step computations performed by the
logistic regression and CART decision tree algorithms
to assign samples to classes.
• The differences between supervised and unsuper-
vised learning approaches.
• The difference between linear and non-linear
classifiers.
• The four phases of a typical supervised learning pro-
cedure, which include model training, validation,
testing, and deployment.
• For logistic regression—foundational concepts such
as regression weights, regularization and penalty
parameters, decision boundaries, fitting data, etc.
• For decision trees—foundational concepts concern-
ing node types, split variables, benefit scores, and
stopping criteria.
• How confusion matrices and metrics such as precision
and recall can be utilized to assess and validate the
accuracy of the models produced by both algorithms.
xviii Introduction to Artificial Intelligence for Security Professionals

• We conclude with a hands-on learning section show-

ing how logistic regression and decision tree models
can be applied to detect botnet command and con-
trol systems that are still in the wild today.
3. Chapter Three: Probability In this chapter, we consider
probability as a predictive modeling technique for classi-
fying and clustering samples. Topics include:
• The step-by-step computations performed by the
Naïve Bayes (NB) classifier and the Gaussian Mixture
Model (GMM) clustering algorithm.
• Foundational concepts, such as trial, outcome, and
event, along with the differences between the joint
and conditional types of probability.
• For NB—the role of posterior probability, class prior
probability, predictor prior probability, and likeli-
hood in solving a classification problem.
• For GMM—the characteristics of a normal distri-
bution and how each distribution can be uniquely
identified by its mean and variance parameters. We
also consider how GMM uses the two-step expecta-
tion maximization optimization technique to assign
samples to classes.
• We conclude with a hands-on learning section show-
ing how NB and GMM models can be applied to detect
spam messages sent via SMS text.
4. Chapter Four: Deep Learning This term encompasses a
wide range of learning methods primarily based on the
use of neural networks, a class of algorithms so named
because they simulate the ways densely interconnected
networks of neurons interact in the brain. In this chap-
ter, we consider how two types of neural networks can be
applied to solve a classification problem. This includes:
 Artificial Intelligence: The Way Forward in Information Security xix

• The step-by-step computations performed by the

Long Short-Term Memory (LSTM) and Convolutional
(CNN) types of neural networks.
• Foundational concepts, such as nodes, hidden layers,
hidden states, activation functions, context, learning
rates, dropout regularization, and increasing levels of
abstraction.
• The differences between feedforward and recurrent
neural network architectures and the significance of
incorporating fully-connected vs. partially-connected
layers.
• We conclude with a hands-on learning section show-
ing how LSTM and CNN models can be applied to
determine the length of the XOR key used to obfus-
cate a sample of text.

We strongly believe there’s no substitute for practical expe-

rience. Consequently, we’re making all the scripts and datasets
we demonstrate in the hands-on learning sections available for
download at:

https://www.cylance.com/intro-to-ai

For simplicity, all of these scripts have been hard-coded

with settings we know to be useful. However, we suggest you
experiment by modifying these scripts—and creating new ones
too—so you can fully appreciate how flexible and versatile these
methods truly are.
More importantly, we strongly encourage you to consider
how machine learning can be employed to address the kinds of
security problems you most commonly encounter at your own
workplace.
 1
Clustering
Using the K-Means and DBSCAN
Algorithms

The purpose of cluster analysis is to segregate data into

a set of discrete groups or clusters based on similarities among
their key features or attributes. Within a given cluster, data items
will be more similar to one another than they are to data items
within a different cluster. A variety of statistical, artificial intel-
ligence, and machine learning techniques can be used to create
these clusters, with the specific algorithm applied determined
by the nature of the data and the goals of the analyst.
Although cluster analysis first emerged roughly eighty-five
years ago in the social sciences, it has proven to be a robust
and broadly applicable method of exploring data and extracting
meaningful insights. Retail businesses of all stripes, for example,
have famously used cluster analysis to segment their customers
into groups with similar buying habits by analyzing terabytes
of transaction records stored in vast data warehouses. Retailers
can use the resulting customer segmentation models to make

1
2 Introduction to Artificial Intelligence for Security Professionals

personalized upsell and cross-sell offers that have a much higher

likelihood of being accepted. Clustering is also used frequently in
combination with other analytical techniques in tasks as diverse
as pattern recognition, analyzing research data, classifying
documents, and—here at Cylance—in detecting and blocking
malware before it can execute.
In the network security domain, cluster analysis typically
proceeds through a well-defined series of data preparation and
analysis operations. At the end of this chapter, you’ll find links
to a Cylance website with data and instructions for stepping
through this same procedure on your own.

Step 1: Data Selection and Sampling

Before we start with any machine learning approach, we need
to start with some data. Ideally, we might wish to subject all of
our network operations and system data to analysis to ensure our
results accurately reflect our network and computing environ-
ment. Often, however, this is neither possible nor practical due to
the sheer volume of the data and the difficulty in collecting and
consolidating data distributed across heterogeneous systems and
data sources. Consequently, we typically apply statistical sam-
pling techniques that allow us to create a more manageable subset
of the data for our analysis. The sample should reflect the charac-
teristics of the total dataset as closely as possible, or the accuracy
of our results may be compromised. For example, if we decided to
analyze Internet activity for ten different computers, our sample
should include representative log entries from all ten systems.

Step 2: Feature Extraction

In this stage, we decide which data elements within our samples
should be extracted and subjected to analysis. In machine learn-
ing, we refer to these data elements as “features,” i.e., attributes
 Clustering Using the K-Means and DBSCAN Algorithms 3

or properties of the data that can be analyzed to produce useful

insights.
In facial recognition analysis, for example, the relevant fea-
tures would likely include the shape, size and configuration of
the eyes, nose, and mouth. In the security domain, the relevant
features might include the percentage of ports that are open,
closed, or filtered, the application running on each of these
ports, and the application version numbers. If we’re investigat-
ing the possibility of data exfiltration, we might want to include
features for bandwidth utilization and login times.
Typically, we have thousands of features to choose from.
However, each feature we add increases the load on the proces-
sor and the time it takes to complete our analysis. Therefore,
it’s good practice to include as many features as we need while
excluding those that we know to be irrelevant based on our
prior experience interpreting such data and our overall domain
expertise. Statistical measures can also be used to automatically
remove useless or unimportant features.

Step 3: Feature Encoding and Vectorization

Most machine learning algorithms require data to be encoded or
represented in some mathematical fashion. One very common
way data can be encoded is by mapping each sample and its set
of features to a grid of rows and columns. Once structured in
this way, each sample is referred to as a “vector.” The entire set
of rows and columns is referred to as a “matrix.” The encoding
process we use depends on whether the data representing each
feature is continuous, categorical, or of some other type.
Data that is continuous can occupy any one of an infinite
number of values within a range of values. For example, CPU
utilization can range from 0 to 100 percent. Thus, we could
4 Introduction to Artificial Intelligence for Security Professionals

represent the average CPU usage for a server over an hour as a

set of simple vectors as shown below.

Sample (Hour) CPU Utilization %

2 AM 12
9 AM 76
1 PM 82
6 PM 20

Unlike continuous data, categorical data is typically rep-

resented by a small set of permissible values within a much
more limited range. Software name and release number are two
good examples. Categorical data is inherently useful in defining
groups. For example, we can use categorical features such as
the operating system and version number to identify a group of
systems with similar characteristics.
Categories like these must be encoded as numbers before
they can be subjected to mathematical analysis. One way to
do this is to create a space within each vector to accommodate
every permissible data value that maps to a category along with
a flag within each space to indicate whether that value is pres-
ent or not. For example, if we have three servers running one of
three different versions of Linux, we might encode the operating
system feature as follows:

Red Hat Enterprise SUSE Linux Enterprise

Host Ubuntu Linux Server
A 1 0 0
B 0 1 0
C 0 0 1

As we can see, Host A is running Ubuntu while Hosts B and

C are running Red Hat and SUSE versions of Linux respectively.
 Clustering Using the K-Means and DBSCAN Algorithms 5

Alternately, we can assign a value to each operating system

and vectorize our hosts accordingly:

Assigned
Operating System Value Host Vector
Ubuntu 1 A 1
Red Hat Enterprise Linux 2 B 2
SUSE Linux Enterprise Server 3 C 3

However, we must be careful to avoid arbitrary mappings

that may cause a machine learning operation, such as a clus-
tering algorithm, to mistakenly infer meaning to these values
where none actually exists. For example, using the mappings
above, an algorithm might learn that Ubuntu is “less than” Red
Hat because 1 is less than 2 or reach the opposite conclusion if
the values were reversed. In practice, analysts use a somewhat
more complicated encoding method that is often referred to as
“one-hot encoding.”
In many cases, continuous and categorical data are used in
combination. For example, we might include a set of continuous
features (e.g., the percentage of open, closed, and filtered ports)
in combination with a set of categorical features (e.g., the oper-
ating system and the services running on each port) to identify a
group of nodes with similar risk profiles. In situations like these,
it’s often necessary to compress the range of values in the con-
tinuous vectors through a process of “normalization” to ensure
that the features within each vector are given equal weight. The
k-means algorithm, for example, uses the average distance from
a central point to group vectors by similarity. Without normal-
ization, k-means may overweigh the effects of the categorical
data and skew the results accordingly.
6 Introduction to Artificial Intelligence for Security Professionals

Let’s consider the following example:

Sample (Server) Requests per Second CPU Utilization %

Alpha 200 67
Bravo 160 69
Charlie 120 60
Delta 240 72

Here, the values of the Requests per Second feature have

a range ten times larger than those of the CPU Utilization %
feature. If these values were not normalized, the distance cal-
culation would likely be skewed to overemphasize the effects of
this range disparity.
In the chart below, for example, we can see that the differ-
ence between server Alpha and server Bravo with respect to
Requests per Second is 40, while the difference between the
servers with respect to CPU Utilization % is only 2. In this case,
Requests per Second accounts for 95% of the difference between
the servers, a disparity that might strongly skew the subsequent
distance calculations.
We’ll address this skewing problem by normalizing both fea-
tures to the 0-1 range using the formula: x-xmin / xmax – xmin.

Sample (Name) Requests per Second CPU Utilization %

Alpha .66 .58
Bravo .33 .75
Charlie 0 0
Delta 1 1

After normalizing, the difference in Requests per Second

between servers Alpha and Bravo is .33, while the difference in
CPU Utilization % has been reduced to 17. Requests per Second
now accounts for only 66% of the difference.
 Clustering Using the K-Means and DBSCAN Algorithms 7

Step 4: Computation and Graphing

Once we finish converting features to vectors, we’re ready to
import the results into a suitable statistical analysis or data
mining application such as IBM SPSS Modeler and SAS Data
Mining Solution. Alternately we can utilize one of the hundreds
of software libraries available to perform such analysis. In the
examples that follow, we’ll be using scikit-learn, a library of free,
open source data mining and statistical functions built in the
Python programming language.
Once the data is loaded, we can choose which clustering
algorithm to apply first. In scikit-learn, for example, our options
include k-means, Affinity Propagation, Mean-Shift, Spectral
Clustering, Ward Hierarchical Clustering, Agglomerative
Clustering, DBSCAN, Gaussian Mixtures, and Birch. Let’s con-
sider two of the most popular clustering algorithms, k-means
and DBSCAN.

Clustering with K-Means

As humans, we experience the world as consisting of three
spatial dimensions, which allows us to determine the distance
between any two objects by measuring the length of the shortest
straight line connecting them. This “Euclidean distance” is what
we compute when we utilize the Pythagorean Theorem.
Clustering analysis introduces the concept of a “feature
space” that can contain thousands of dimensions, one each for
every feature in our sample set. Clustering algorithms assign
vectors to particular coordinates in this feature space and then
measure the distance between any two vectors to determine
whether they are sufficiently similar to be grouped together
in the same cluster. As we shall see, clustering algorithms
can employ a variety of distance metrics to do so. However,
k-means utilizes Euclidean distance alone. In k-means, and
8 Introduction to Artificial Intelligence for Security Professionals

most other clustering algorithms, the smaller the Euclidean

distance between two vectors, the more likely they are to be
assigned to the same cluster.

V1
Near V2
Feature 2

Far
V3

Feature 1
FIGURE 1.1:Vectors in Feature Space

K-Means is computationally efficient and broadly applicable

to a wide range of data analysis operations, albeit with a few
caveats:

• The version of k-means we’ll be discussing works with

continuous data only. (More sophisticated versions work
with categorical data as well.)
• The underlying patterns within the data must allow for
clusters to be defined by carving up feature space into
regions using straight lines and planes.
• The data can be meaningfully grouped into a set of simi-
larly sized clusters.

If these conditions are met, the clustering session proceeds

as follows:

1. A dataset is sampled, vectorized, normalized, and then

imported into scikit- learn.
Discovering Diverse Content Through
Random Scribd Documents
chill of foreboding entered her heart. And still she waited. She would
wait till half-past eleven, till a quarter of twelve, till midnight. She
knew now that she loved this man with a deep and consuming love;
it had begun lightly, as a kind of diversion, but the game had turned
to bitter earnest. And still she waited.
It was slack water now, and the river stood still, holding its breath.
Men passed singing along the towpath on the outer side; the song
floated over the water, in sentimental tones of exquisite melancholy.
From the Island a wild-duck rose with his mate, and bustled away
with a startling whir to some sweet haunt among the reeds. A cat
wailed at its wooing in a far garden—a sickly amorous sound. The
last pair of lovers rowed slowly past, murmuring gently. Then all was
still, and Muriel was left alone, alone of the world's lovers thwarted
and forgotten.
Midnight struck, and she crept into the house and into her bed, sick
with longing and the rage of shame.
Stephen at midnight went in contentment to his bed. He had written
a hundred lines.
 XIV
Lying in bed he made up his mind to go down to Margery the
following Tuesday. But Margery, too, had been making up her mind.
She wired at lunch time, and arrived herself at tea. She was tired,
she said, of living alone in her Paradise. But she did not scold or
question or worry him; so glad she was to be at home again with
her Stephen. Stephen also was very glad, astonishingly glad, he felt.
He greeted her and kissed her with a tender warmth which surprised
them both. This sudden home-coming of his wife, of chattering Joan
and bubbling Michael and comfortable old Nurse, and all that
atmosphere of staid domesticity which they brought with them into
the house seemed to set an opportune seal on his new resolutions,
on the final renunciation which he had made last night. It was the
one thing he wanted, he felt, to confirm him in virtue.
He took little Joan into the garden to see the rabbits. She was two
and a half now, a bright and spirited child, with her mother's fairness
and fragile grace, and something of Stephen's vitality. She greeted
with delighted cries her old friends among the bunnies, Peter and
Maud and Henry, and all their endless progeny, little grey bunnies
and yellow bunnies and black bunnies and tiny little brown bunnies
that were mere scurrying balls of fur, coloured like a chestnut mare.
The rabbit Peter and the rabbit Maud ran out of their corners and
sniffed at her ankles, their noses twitching, as she stood in the sun.
She stroked them and squeezed them and kissed them, and they
bore it patiently in the expectation of food. But when they saw that
she had no food, they stamped petulantly with their hind legs and
ran off. Then she laughed her perfect inimitable laugh, and tried to
coax the tiniest bunnies to come to her with a piece of decayed
cabbage; and they pattered towards her in a doubtful crescent, their
tiny noses twitching with the precise velocity of their parents' noses,
their ears cocked forward in suspicion. When they had eddied back
and forth for a little, like playful children defying the sea, they saw
that the bait was indeed a rotten one, unworthy of the deed of
daring which was asked of them, and they scuttled finally away into
corners, where they lay heaving with their eyes slewed back, looking
for danger. The rabbit Maud was annoyed by the clatter they made,
and, chased them impatiently about the run, nipping them viciously
at the back of their necks; and the rabbit Peter, excited beyond
bearing by the commotion, pursued the rabbit Maud as she pursued
their young. Then they all stopped suddenly to nibble inconsequently
at old bits of cabbage, or scratch their bellies, or scrabble vainly on
the stone floor, or stamp with venom in the hutches, or lie full length
and operate their noses. Little Joan loved them whatever they did,
and Stephen, listening and watching while she gurgled and
exclaimed, was sensible as he had never been before of the pride
and privilege of being a father. The sight of his daughter playing with
the young rabbits, young and playful and innocent as they, stirred
him to an appropriate and almost mawkish remorse. For the great
writer who, by his gifts of selection and restraint, can keep out from
his writings all sentimentality and false emotion, cannot by the same
powers keep them from his mind. Stephen Byrne, looking at
innocence and thinking of his own wickedness, forgot his
proportions, forgot the balanced realism which he put into
everything he wrote, and swore to himself that by this sight he was
converted, that by this revelation of innocence, he, too, would be
innocent again.
So they began again the quiet routine of domestic content, and
Margery was very happy, putting out of her mind as an artist's
madness the strange failure of Stephen to join her in the country. In
the third week of September there were printed in the autumn
number of a literary Quarterly "Six Love-Songs," by Stephen Byrne,
which he had sent in hot haste to the editor on the morning of the
Greenwich expedition. There was printed above them the dedication
"To M.," and Margery as she read them was touched and melted
with a great tenderness and pride. She would not speak of them to
him, but she looked up, blushing, at the end of them and said only
"Stephen!" And Stephen cursed himself in a hot shame for having
thought them and written them and sent them to the paper. But
since she liked them so well, and appreciated them as Muriel had
never done, and since he persuaded himself that at this moment he
might have written the same songs to his wife, so tenderly did he
think of her now, he slowly came to forget the vicious squalor of
their origin; and in time, when literary friends spoke of them and
congratulated him (for they made a great stir) the shame had all
gone, and he answered with a virtuous and modest pride, as if
indeed they had been written to his wife—and so in fact he almost
believed.
All September he worked steadily at the new poem. Very soon
Margery asked if she might read as much as he had written. And
first he hesitated, and then he said she might not.
Not till that moment did he realize the true character of what he was
doing. The idea of the poem was very simple. He had taken the base
history of his own life in this amazing summer, and was making of it
a romantic and glorious poem. Everything was there—Emily and his
cruelty to Emily and the chivalry of John Egerton and his treachery
to John, Margery, and Muriel, and his betrayal of both of them, and
the second treachery to John in the stealing of Muriel. They were all
there, and the deeds were there. But the names they bore were the
names of old knights and fine ladies, moving generously through an
age of chivalry and gallant ways; and the deeds he had done were
invested with so rich a romance by the grace of and imagery and
humanity of his verse, and by the gracious atmosphere of
knighthood and adventure and forest battles which he wrapped
about them, that they were beautiful. They were poetry. Himself in
the story was a brave and legendary figure, Gelert by name, and
Margery, the Princess, was his fair lady. And he had slain Emily by
mischance in a forest encounter with another knight. He had hidden
her body in a dark mysterious lake in the heart of the forest; this
lake was beautifully described. John, his faithful companion, was
present and helped him, and because of the honour in which he held
the Princess, he engaged to stay in the forest and do battle with the
people of Emily if they should discover the crime, while Gelert rode
off on some secret venture of an urgent and noble character. So
John stayed, and was grievously wounded. But Gelert rode off to the
castle of John's love and poisoned her mind against John, and
wooed her and won her and flung her away when he was tired of
her; but she loved him still too well to love any other from that day;
and when John came to her she cast him out. More, because he was
the companion-at-arms of Gelert, and she would do anything to
wound Gelert, she sent word to the people of Emily that it was John
indeed who had slain Emily, and they sought him out and slew him.
But Gelert went home to his castle and swore great vows in
passages of amazing dignity, and was absolved from his sins, and
ruled the land for a long time in godly virtue, helping the weak and
succouring the oppressed. And so finely was all this presented that
at the end of it you felt but a conventional sympathy for the
unfortunate John, while Gelert remained in the mind as a mixed, but
on the whole a knightly character.
It was a lunatic excess of self-revelation, and Stephen was afraid of
it. Nothing would have persuaded him to modify in any way his
artistic purpose, and in his heart he flattered himself that the
romantic disguise of his story was strong enough to protect it from
the suggestion of reality. It would stand that test, he was sure. Yet
he was not sure—not at any rate just now, with the sordid facts still
fresh in his mind. Later, no doubt, when the thing was complete, and
he could polish and prune it as a whole, he would be able to make
himself absolutely safe. But just now, while the work was still
shadowy and formless, he shrank from risking the revelations it
might convey. To Margery most of all. Also, maybe, he was a little
afraid that she would laugh at him.
And Margery said nothing, but wondered to herself what it might
mean.
John came home in the middle of September, and called the same
evening at the Tarrants' house. But he was told after a long wait that
they were not at home.
The next morning, as he walked to the station, he passed in the
street a parcel delivery van. On the front of it were the twin red
posters of I Say, a weekly organ of the sensational patriotic type. It
was a paper which did in fact a great deal of good in championing
the cause of the under-dog, yet at the same time impressing upon
the under-dog the highest constitutional principles. But it had to live.
And it lived by the weekly promises of sensation which blazed at the
public from the red posters all over England, and travelled
everywhere on the front of delivery vans and the backs of buses.
There was seldom more than a single sensation to each issue. But
the very most was made of it by an ingenious contrivance of the
editor, who himself arranged the wording of the posters; for each
sensation he composed two and sometimes three quite different
posters, cunningly devised so that any man who saw all three of
them was as likely as not to buy the paper in the confident belief
that he was getting for his penny three separate sensations.
The two posters that John saw ran as follows: one "A Civil Servant's
Name," and the other "Our Rotten Detectives." At the station he saw
another one specially issued to the West London paper stalls
—"Mystery of Hammerton Chase." And at Charing Cross there was yet
another—"Who ought to be Hanged?"
John had no doubt of what he would find in the paper. He had
wondered often at the long quiescence of the Gaunt family. Clearly
they had taken their tale to the editor of I Say, and had probably
been suitably compensated for their trouble and expense in bringing
to the notice of the people's champion a shameful case of
oppression and wrong.
So John walked on to the station with a strange feeling of lightness
in the head and pain in his heart. At Hammersmith there was no
copy of I Say to be had; at Charing Cross he bought two. The week's
sensation was dealt with in a double-page article by the editor,
diabolically clever. It set out at length the sparse facts of "The
Hammerton Mystery" as revealed at the inquest, with obsequious
references to "the genius of Stephen Byrne, the poet and prophet of
Younger England"; and it contained some scathing comments on
"the crass ineptitude of our detective organization." But it attacked
no person, it imputed nothing. The sole concern of the editor was
that "months have passed and a hideous crime is yet unpunished.
This poor girl went forth from her father and mother, and the young
man who had promised to share her life; she went out into the
world, innocent and fresh, to help her family in the battle of life with
the few poor shillings she could earn by menial services in a strange
house. It was not her fault that she was attractive to a certain type
of man; but that attraction was no doubt her undoing. She took the
fancy of some amorous profligate; she resisted his unknightly
attentions; she was done to death. Her body was consigned in
circumstances of the foulest indignity to a filthy grave in the river
ooze.
"We are entitled to ask—What are the police doing? The matter has
faded now from the public memory—has it faded from theirs? It is
certain that it has not faded in the loyal hearts of the Gaunt family.
At the time of the inquest the public were preoccupied with national
events of the first importance, and the murder did not excite the
attention it deserved. We have only too good reason to believe that
our Criminal Investigation mandarins, supine as ever until they are
goaded to activity by the spur of popular opinion, are taking
advantage of that circumstance to allow this piece of blackguardly
wickedness to sink for ever into oblivion. We do not intend that it
should sink into oblivion, etc. etc."
But in the tail of the article lay the personal sting, cleverly concealed.
"But there is another aspect of this vile affair which we are
compelled to notice. While the family of the murdered girl are
nursing silently their broken hearts; while our inspectors and chief
inspectors and criminal investigators are enjoying their comfortable
salaries, there is a young man in Hammerton, a public servant of
high character and irreproachable antecedents, over whom a black
cloud of suspicion is hanging in connection with this crime. We
cannot pretend that his evidence at the inquest was wholly
satisfactory either in substance or in manner; it was shiftily given,
and in the mind of any men less incompetent than the local coroner
and the local dunderheads who composed the jury, would have
raised questions of fundamental importance. But we are confident
that John Egerton is innocent; and we say that it is a reproach to the
whole system of British justice that he should still be an object of
ignorant suspicion owing to the failure of the police-force to hound
down the villain responsible for the crime.
"The fair name of a good citizen is at stake. It must be cleared."
At the office there were whisperings and curious looks; and John's
chiefs conferred in dismay on a position of delicacy that was
unexampled in their official experience.
John went home early, with his I Say's crumpled in his pocket. And
there he found the Rev. Peter Tarrant striding about impatiently with
a copy open on the table before him. His head moved about like a
great bat just under the low roof; his jolly red face was as full of
anger as it could ever be.
"Look here, John," he roared, "what are you going to do about this—
this Muck?"
"Nothing."
In truth he had thought little of what he was going to do; he had
been too angry and bewildered and ashamed. Only he had sworn
vaguely to himself that whatever happened he would stand by his
old determination to keep this business from Margery. And, now that
the question was put to him, the best way of doing that was clearly
to do nothing. He began to think of reasons for doing nothing.
The Rev. Peter thundered again, "Nothing? But you must—you must
do—something." He stuttered with impotent rage and brought his
fist down on I Say with a titanic force, so that the table jumped and
the wedgwood plate clattered on the dresser. "You can't sit down
under this sort of thing—you must bring an action—"
"Can't afford it; it would cost me a thousand if I won—and five
thousand if—if I lost."
"If you lost!" The Rev. Peter looked at him in wonder. John tried to
look him straight in the face, but his glance wavered in the shy
distress of an innocent man who suspects the beginnings of doubt in
a friend's mind.
"Yes—you know what a Law Court is—anything may happen—and I
should never make a good show in the witness box, if I stood there
for ever."
"I don't care—you can't sit down under it. You'll lose your job, won't
you—for one thing?"
"No—I don't know—I can't help it if I do."
"Well, if you don't lose that you'll lose Muriel." The Rev. Peter
lowered his voice. "Look here, I want you two to fix things up. I've
just been to see her—she looks unhappy—she's lonely, I believe,
with that damned old mother of hers. But you can't expect her to
marry you with this sort of thing going about uncontradicted."
And at that John wavered. But he thought of Margery and his
knightly vow, and he thought of the witness box; of himself
stammering and shifting hour after hour in that box; of pictures in
the Press; of columns in the Press; of day after day of public
wretchedness—the inquest over again infinitely enlarged. And he
thought of the open, perhaps inevitable, ignominy of losing a libel
action. And he was sure that he was right.
They argued about this for a long time, and the Rev. Peter yielded at
last.
But he bellowed then, "Well, you must write them a letter at once.
Sit down now, and I'll dictate it. Sit down, will you? By God, it makes
me sweat, this!"
John sat down meekly and wrote to the editor of I Say, as the Rev.
Peter commanded. The Rev. Peter dictated in round tones of a man
practising a speech:

"'Dear Sir:
"'I have seen your infamous article. It is a cruel and disgusting
libel. I wish to state publicly that I had nothing to do with the
death of Emily Gaunt; that so far as I know no suspicion does
rest upon me here or elsewhere; and that, if indeed there is
suspicion, it is not in the minds of any one whose opinion I
value, and I can therefore ignore it. In any case I should prefer
to do without your dirty assistance.'"

"Can't say 'dirty'—can we?" said John.

"Why not? They are dirt—filth—muck! Well, then—put
'dishonouring'—'your dishonouring assistance.' Go on:

"'I am not a rich man, and I cannot afford to bring an action for
libel against you. A successful suit would cost me far more
money and trouble than I should like to waste upon it. You, on
the other hand, could easily afford to lose and would probably
be actually benefited by a substantial increase in your
circulation.
"'I must ask you to print this letter in your next issue and insist
also on an unqualified apology for your use of my name.
"'I am sending this letter to the local Press.'"

The editor of I Say did not print this letter, as the Rev. Peter had
fondly imagined he would, but he referred in his second article,
which was similar to the first, only more outspoken, to "the receipt
of an abusive letter from the suspected person."
Slowly that week a copy of I Say found its way into every house in
The Chase; and the article was read and discussed and argued
about, and the whole controversy of May, which had been almost
forgotten, sprang into life again. And the following week the local
papers were bought and borrowed and devoured, and John's spirited
and courageous letter was admired and laughed at and condemned.
The Chase fell again into factions, though now the Whittaker (pro-
John) faction was the stronger. For nobody liked I Say, though it was
always exciting to read when there was some special excuse for
bringing it into the house. Besides, the honour of The Chase was
now at stake.
John and the Rev. Peter had reckoned without the generosity and
communal feeling of the people of The Chase. They were never so
happy as when they had some communal enterprise on foot, a
communal kitchen, or a communal crèche or a communal lawsuit,
some joint original venture which offered reasonable opportunities
for friendly argument and committee meetings and small
subscriptions. This spirit had of course unlimited scope during the
war, and perhaps it was the communal Emergency Food-Kitchen that
had been its most ambitious and perfect expression. But it lived on
vigorously after the war. Several of the busiest and earliest workers
among the men shared a communal taxi into town every day. There
was a communal governess, and one or two semi-communal boats.
There was also a kind of communal Housing Council, which met
whenever a house in The Chase was to be let or sold, and exerted
pressure on the outgoing tenant as to his choice of a successor.
Outside friends of The Chase who desired and were desired to come
into residence were placed upon a roster by the Housing Council,
and when the Council's edict had once gone forth, the outgoing
tenant was expected at all costs to see that the chosen person was
enabled to succeed him, and if he did not, or if he allowed the
owner of the house to enter into some secret arrangement with an
outsider, unknown and unapproved by the Council, it was a sin
against the solidarity of The Chase.
And there had already been a communal lawsuit, that great case of
Stimpson and Others versus The Quick Boat Company—an action for
nuisance brought by the entire Chase, because of the endless and
intolerable noise and smell of the defendant company's motor-boats,
which they manufactured half a mile up the river and exercised all
day snorting and phutting and dashing about with loud and startling
reports in the narrow reach between the Island and The Chase.
Nine gallant champions had stood forward with Stimpson for
freedom and The Chase. But all The Chase had attended the
preliminary meetings; all The Chase had subscribed; all The Chase
and all their wives had given evidence in Court; and before this
unbroken, or almost unbroken, front (for there were a few black
sheep) the Quick Boat Company had gone down heavily. Judgment
for the plaintiffs had been given in the early spring.
So that when it was widely understood that for lack of money John
Egerton, a member of The Chase, was unable to defend himself
from a scurrilous libel in a vulgar paper, the deepest instincts of the
neighbourhood were aroused. A small informal Committee met at
once at the Whittakers' house—Whittaker and Mr. Dimple (for legal
advice) and Andrews and Tatham and Henry Stimpson. Stephen
Byrne was asked to come, but had an engagement.
Mr. Dimple's advice was simple. He said that subject to certain
reservations—as to which he would not bother the Committee, since
they related rather to the incalculable niceties of the law, and
lawyers, as they knew, were always on the nice side (laughter—but
not much)—and assuming that Mr. Egerton won his case, as to
which he would express no opinion, though as a man he might
venture to say that he knew of no one in The Chase—he had almost
said no one in London—of whom it would be more unfair—he would
not put it stronger than that, for he liked to assume that even a
paper such as I Say was sincere and honest at heart—to make the
kind of suggestion which he knew and they all knew had been made
in that paper, about Mr. Egerton—a quiet, God-fearing, honest citizen
—but they all knew him as well as he did, so he would say no more
about that—subject then to what he had said first and assuming
what he had just said—and bearing in mind the proverbial—he
thought he might say proverbial (Dickens, after all, was almost a
proverb) uncertainties and surprises of his own profession, he
thought they would not be wildly optimistic or unduly despondent—
and for himself he wanted to be neither—if they estimated the costs
of the action at a thousand pounds, but of course—
Waking up at the word "pounds"—the kind of word for which they
had been subconsciously waiting—the Committee began the process
of unravelling which was always necessary after one of Mr. Dimple's
discourses. And their conclusion was that it was up to The Chase to
subscribe as much of the money as possible, as much at any rate as
would enable John Egerton to issue a writ without the risk of
financial ruin.
Henry Stimpson was naturally deputed to collect the money.
Stimpson was an indefatigable man, a laborious Civil Servant who
worked from 10 till 7.30 every day (and took his lunch at the office),
yet was not only ready but pleased to spend his evenings and his
week-ends, canvassing for subscriptions, writing whips for meetings,
or working out elaborate calculations of the amount due to Mrs.
Ambrose in money and kind on her resigning from the communal
kitchen after paying the full subscription and depositing a ham in the
Committee's charge which had been cooked by mistake and sent to
Mrs. Vincent. He genuinely enjoyed this kind of task, and he did it
very, very well.
Henry Stimpson duly waited on the Byrnes and explained the
position. Stephen Byrne had read the articles in I Say, and Margery
had read them. And a gloom had fallen upon Stephen, for which
Margery was unable wholly to account as a symptom of solicitude for
his friend's troubles—especially as they never seemed to see each
other nowadays. To her knowledge they had not met at all since the
summer holidays.
Nor had they. They avoided each other. This resurrection of the
Emily affair, these articles and the new publicity, and now on top of
that the prospect of a libel action, was to Stephen like a slap in the
face. He had almost forgotten his old anxieties in the absorption of
work and the soothing atmosphere of his new resolutions. But he
would not go to John; he had been lucky before; he might be lucky
again; he would wait. Old John might be trusted to do nothing
precipitate.
So he promised to subscribe to the fund for the defence of John
Egerton's good name, and Stimpson went away. The money was to
be collected by that day week, and on the following Thursday there
would be a general meeting to consider a plan of campaign.
Stimpson's eyes as he spoke of "a general meeting" were full of
quiet joy.
And Stephen went on with his work—very slowly now, but he went
on. The poem was nearly finished; he had only to polish it a little.
But he sat now for long minutes glowering and frowning over his
paper, staring out of the window, staring at nothing. Margery,
watching him, wondered yet more what work he was at, and what
was the secret of this gloom. She began to think that the two things
might be connected; he might be attempting some impossible task;
he might be overworked and stale. This had happened before. But in
his worst hours of artistic depression he had never looked so black
as sometimes she saw him now. And she noticed that he tried to
conceal this mood from her; he would manufacture a smile if he
caught her watching him. And that, too, was unusual.
Then one evening when she went to her table for some small thing
she saw there the unmistakable manuscript of this new work lying in
an irregular heap on the blotter. Her eyes were caught by the title
—"The Death in the Wood"—written in large capitals at the head;
and almost without thinking she read the first line. And she read the
few following lines. Then, urged on by an uncontrollable curiosity
and excitement, she read on. She sat down at the table and read,
threading a slow way through a maze of alterations and erasions,
and jumbles of words enclosed in circles on the margin or at the
bottom or at the top and wafted with arrows and squiggly lines into
their intended positions. But she understood the strange language of
creative manuscript, and she read through the whole of the first
section—Gelert riding through the forest, the battle in the forest, and
the death of the maiden. And as she read she was deeply moved.
She forgot the problem of Stephen's gloom in her admiration and
affectionate pride.
At the end of it Gelert stood sorrowing over the body and made a
speech of intense dignity and poetic feeling. And at that point she
heard the voice of Stephen at the front door, and started away,
remembering suddenly that this reading was a breach of confidence.
But why—why was she not allowed to see it?
Yet that, after all, was a small thing; and she went to bed very
happy, dreaming such golden dreams of the success of the poem as
she might have dreamed if she had written it herself.
 XV
The Chase was true to its highest traditions. Before the week was
over it was known that the sum determined on by the Egerton
Defence Fund Committee had been already promised, and more.
Stephen Byrne, with a heavy heart, went to the "general meeting"
on Tuesday evening. To have stayed away would have looked odd;
also he was anxious to know the worst. He walked there as most
men go to a battle, full of secret foreboding, yet dubiously glad of
the near necessity for action. If, indeed, there was to be a libel
action, backed by all the meddlesome resources of The Chase,
things would have to come to a head. This was a development which
had never been provided for in his calculations and plans. It would
have been easier, somehow, if John had been arrested, charged by
the Crown with murder. He would have known then what to do—or
he thought he would. He wished now that he had been to see John,
found out what he was thinking. But he was nervous of John now, or
rather he was nervous of himself. He could not trust himself not to
do something silly if he met John in private again; the only thing to
do was to try to forget him, laugh at him if possible. And that was
the devil of this libel business. He would have to be there himself, he
would have to give evidence again, and sit there probably while poor
old John was stammering and mumbling in the box. Yet he had done
it before—why not again? Somehow he felt that he could not do it
again. It all seemed different now.
And that poem! Why the hell had he written it? Why had he sent it
to The Argus. He had had it typed on Thursday, and sent it off by
special messenger on Friday, just in time for the October number.
The Argus liked long poems. What a fool he had been! Or had he?
He knew very well himself what it all meant—but how could any one
else connect it with life—with Emily Gaunt? No, that was all right.
And it was damned good stuff! He was glad he had sent it. It would
go down well. And another day would have meant missing the
October number.
Yes, it was damned good stuff! He stood at the Whittakers' door,
turning over in his head some favourite lines from Gelert's speech in
the forest. Damned good! As he thought how excellent it was, there
was a curious sensation of tingling and contraction in the flesh of his
body and the back of his legs.
When he came out, an hour later, he was a happier man. He was
almost happy. For it had been announced at the meeting, with all
the solemnity of shocked amazement, that Mr. Egerton had refused
to avail himself of the generous undertakings of The Chase and
neighbourhood. The money promised would enable him to sue with
an easy mind. But he would not sue.
There was nothing to be done, then, but put and carry votes of
thanks to the unofficial Committee for their labour and enterprise, to
Whittaker for the use of his house, to Henry Stimpson for his wasted
efforts. The last of these votes was felt by most to be effort equally
wasted, since they knew well that Henry Stimpson had in fact
thoroughly enjoyed collecting promises and cash, and had now the
further unlooked-for delight of having to return the money already
subscribed.
This done, the meeting broke up with a sense that they had been
thwarted, or at any rate unreasonably debarred from a legitimate
exercise of their communal instincts.
But apart from this intelligible disappointment there was a good deal
of head-shaking, and plain, if not outspoken, disapproval of
Egerton's conduct. Stephen, moving among the crowd, gathered
easily the sense of The Chase, and it had veered surprisingly since
Whittaker's announcement. For John Egerton had advanced, it
seemed, the astounding reason that he might lose the case. To the
simple people of The Chase—as indeed to the simple population of
England—there was only one test to a libel action. Either you won or
you lost. The complex cross-possibilities of justification and privilege
and fair comment and the rest of it, which Mr. Dimple was heard to
be apologetically explaining in a corner to a deaf lady, were lost
upon them. If you failed to win your case, what the other man said
was true, and if you were not confident of winning, your conscience
could not be absolutely clear. The meeting rather felt that John
Egerton had let them down, but they were certain that he had let
himself down. And it was clear that even his staunchest supporters,
men like Whittaker and Tatham, were shaken in their allegiance.
But Stephen Byrne was happy. He had trusted to luck again, and
luck, or rather the quixotic lunacy of John Egerton, had saved him
again. It was wonderful. It was all over now. John had finally made
his bed, and he must lie on it. He thought little of what this must
mean to John, this aggravation of the local suspicions. He saw only
one thing, that yet another wall had been raised between himself
and exposure, that once more his anxieties might be thrust into the
background. That he might settle down again with a comfortable
mind to literature and domestic calm. He had forgotten with his fears
his compunction of an hour ago; he had forgotten even to feel
grateful to John; and if he thought of him with pity, it was a
contemptuous pity. He saw John now as a kind of literary figure of
high but laughable virtue, a man so virtuous as to be ridiculous, a
mere foil to the heroic dare-devils of life—such as Gelert and
Stephen Byrne.
So he came to his own house, thinking again of those excellent lines
of Gelert's speech. In the hall he composed in his mind the
description of the meeting which he would give to Margery.
But Margery, too, was thinking of Gelert. She was reading the
manuscript of "The Death in the Wood." She had watched Stephen
go out in a slow gloom to the meeting, and then she had hurried to
the table and taken guiltily the bundle from the special manuscript
drawer. For Stephen, with the sentimental fondness of many writers
for the original work of their own hands, preserved his manuscripts
long after they had been copied in type and printed and published.
Twice during the last week she had gone to that drawer, but each
time she had been interrupted. And at each reading her curiosity
and admiration had grown.
She had suspected nothing—had imagined no sort of relation
between Stephen's life and Gelert's adventures. There was no
reason why she should. For she detested—as she had been taught
by Stephen to detest—the conception of art as a vast autobiography.
Stephen's personality was in the feeling and in the phrasing of his
work; and that was enough for her; the substance was a small
matter.
Even the incident of the maiden in the wood, her death and her
concealment in the lake, had scarcely stirred the memory of Emily.
For the reverent and idyllic scene in which the two knights had "laid"
the body of the maiden among the reeds and water lilies of the lake,
to be discovered by her kinsmen peeping through the tangled
thickets of wild rose, was as remote as possible from the sordid
ugliness of Emily's disposal and discovery in a muddy sack near
Barnes.
But now she had finished. And she did suspect. When she came to
the passage describing Gelert's remorse for the betrayal of his old
companion-at-arms, his gloomy bearing and penitent vows, she
thought suddenly of Stephen's late extravagant gloom, which she
was still unable to understand. And then she suspected. Idly the
thought came, and idly she put it away. But it returned, and she
hated herself because of it. It grew to a stark suspicion, and she sat
for a moment in an icy terror, frozen with pain by her imaginations.
Then in a fever of anxiety she went back to the beginning of the
manuscript, and hurried through it again, noting every incident of
the story in the hideous light of her suspicions. And as she turned
over the untidy pages, the terror grew.
In the light of this dreadful theory so many things were explained—
little odd things which had puzzled her and been forgotten—
Stephen's surprising anxiety when Michael was born (and Emily
disappeared), and that evening in the summer, when they had all
been so silent and awkward together, and the drifting apart of
Stephen and John, and John's extraordinary evidence, and Stephen's
present depression. It was all so terribly clear, and the incidents of
the poem so terribly fitted in. Margery moaned helplessly to herself,
"Oh, Stephen!" When he came in, she was almost sure.
It was curious that at first she thought nothing of Gelert's illicit
amours in the castle, the stealing of his own friend's lady. That part
of the poem, of course, was a piece of romantic imagination, with
which she had no personal concern. But while she waited for
Stephen, turning over the leaves once more, the thought did come
to her, "If one part is true—why not all?" But this thought she firmly
thrust out. She was sure of him in that way, at any rate. She flung a
cushion over the manuscript and waited.
He came in slowly as he had gone out, but she saw at once that his
gloom was somehow relieved. And as he told her in studied accents
of distress the story of the meeting, there came to her a sick
certainty that he was acting. He was not really sorry that John had
thought it best not to take any action; he was glad.
When he had finished, she said, in a hard voice which startled her,
"What do you make of it, Stephen? Do you think he really did it?"
Stephen looked at the fire, the first fire of late September, and he
said, "God knows, Margery; God knows. He's a funny fellow, John."
He sighed heavily and stared into the fire.
And then she was quite sure.
She stood up from the sofa, the manuscript in her hand, and came
towards him.
"Stephen," she said, "I've been reading this—You—I—oh, Stephen!"
The last word came with a little wail, and she burst suddenly into
tears, hiding her face against his shoulder. She stood there sobbing,
Welcome to our website – the ideal destination for book lovers and
knowledge seekers. With a mission to inspire endlessly, we offer a
vast collection of books, ranging from classic literary works to
specialized publications, self-development books, and children's
literature. Each book is a new journey of discovery, expanding
knowledge and enriching the soul of the reade

Our website is not just a platform for buying books, but a bridge
connecting readers to the timeless values of culture and wisdom. With
an elegant, user-friendly interface and an intelligent search system,
we are committed to providing a quick and convenient shopping
experience. Additionally, our special promotions and home delivery
services ensure that you save time and fully enjoy the joy of reading.

Let us accompany you on the journey of exploring knowledge and

personal growth!

textbookfull.com