Why use AI in network detection?

December 12, 2022
Cybersecurity - Artificial Intelligence - Network security

Artificial intelligence is at the heart of current technology trends and is reshaping cybersecurity. It is well suited to defending against complex, damaging cyber threats in a rapidly changing environment, and it gives cyber analysts real support in staying one step ahead of attackers.

But how is it used in network detection? Why is it becoming essential to ensure effective detection?

Let’s take a closer look.

Artificial intelligence in a few words

Broadly speaking, we can define AI as “an agent capable of perceiving its environment and adapting to a specific objective”, explains William RITCHIE, CTO and Data Scientist at Custocy.

In cybersecurity, AI mainly takes two forms: anomaly detection and threat classification.

Anomaly detection learns what normal behaviour looks like from observed data and then highlights data that falls outside it. Such detectors usually belong to the category of AI called unsupervised AI.

They are so named because they are not trained on data labelled by a human being.

They can analyse statistics autonomously and define what normal behaviour is. In practice, though, these AIs still need some supervision: the thresholds, the statistics to compute and the behaviours to watch all have to be tuned to optimise detection, and that tuning is usually done with labelled data.

Once these parameters are set, however, the detector is expected to operate without human intervention.

Threat classification, on the other hand, trains AIs on data from proven attacks. Because that training data is labelled, these are supervised AIs.

They recognise and classify the attacks they were trained on far more accurately than unsupervised AIs. However, they struggle to detect attacks they have not been trained on, zero-day attacks in particular.

Artificial intelligence, a powerful technology

By using artificial intelligence to automate threat detection, organisations can respond to attackers faster and more effectively than they could with traditional rule-based software. More importantly, they can anticipate future attacks and stay one step ahead.

Firstly, AIs can relate a number of factors that exceeds the cognitive abilities of a human being.

A neural network, for example, can weigh hundreds of millions of relationships in the data and return a decision in milliseconds, something no human analyst can do.

Second, it is harder for a malicious actor to predict and evade the decisions of a learned model than those of a published rule. Doing so reliably requires knowledge of the model's exact architecture, of the customer's traffic and of the training data set, which raises the bar considerably. It does not remove the risk entirely, though: a detector can also be probed from the outside by observing which activity goes unnoticed, so evasion resistance should be treated as an advantage, not a guarantee.

Artificial intelligence can therefore go far beyond human capabilities and effectively detect next-generation threats.

Better detection of your IT network

The information exchanged in networks is heterogeneous and constantly changing. The many protocols in the network and application layers generate data with varying characteristics.

Traditionally, threats are detected by fixed rules. A rule may, for example, state that a flow on a specific protocol whose size is below a certain threshold is suspicious. This example considers only two factors, flow protocol and flow size, whereas real malicious behaviour may involve a combination of dozens or even hundreds of factors.

Finding such combinations by hand is impractical for an analyst but routine for an AI.

Furthermore, these rules are hand-written: they cannot cover every possible malicious activity and they do not evolve on their own. Finally, it should not be forgotten that attackers can obtain or infer these rules and adapt their attacks accordingly. In the example above, the attacker only has to pad the flow so that its size rises above the rule's threshold.

Artificial intelligence, on the other hand, detects abnormal behaviour well beyond the rules.
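To make the two points above concrete, the rule evasion described in this section and the baseline-plus-threshold approach described under “Artificial intelligence in a few words”, here is an added Python example. It is illustrative code written for this article, not Custocy's detection engine: the flow records are constructed, and the feature set (size, duration, packet count), the rule's 90-byte threshold and the 1.25 calibration margin are all assumptions.

```python
"""Hand-written rule vs. multi-feature anomaly baseline on constructed flow records.

Added example (not Custocy code). Flow records, feature names, the rule's
threshold and the 1.25 calibration margin are assumptions for illustration.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

FEATURES = ("size", "duration", "packets")


@dataclass(frozen=True)
class Flow:
    proto: str       # application protocol label, e.g. "dns"
    size: int        # bytes transferred in the flow
    duration: float  # seconds between first and last packet
    packets: int     # packet count


# Constructed "normal" traffic used to learn the baseline (the unsupervised step).
BASELINE = [
    Flow("dns", s, d, p)
    for s, d, p in zip(
        (96, 104, 118, 131, 142, 150, 163, 170, 177, 189),
        (0.01, 0.02, 0.02, 0.03, 0.03, 0.04, 0.04, 0.05, 0.05, 0.06),
        (2, 2, 2, 2, 3, 3, 3, 4, 4, 4),
    )
] + [Flow("https", s, d, p) for s, d, p in ((4200, 0.8, 18), (5100, 1.1, 22), (6300, 1.4, 27))]

# Constructed labelled hold-out set: benign flows for threshold calibration,
# plus the beacon from the text, before and after the attacker pads its size.
LABELLED = {
    "benign_a": (Flow("dns", 120, 0.03, 2), False),
    "benign_b": (Flow("dns", 200, 0.07, 4), False),
    "benign_c": (Flow("dns", 92, 0.01, 2), False),
    "beacon": (Flow("dns", 64, 30.0, 8), True),          # small, long-lived DNS channel
    "beacon_padded": (Flow("dns", 100, 30.0, 8), True),  # same channel, size padded
}


def rule_small_dns(flow: Flow, max_size: int = 90) -> bool:
    """Fixed rule from the text: a small flow on one protocol is suspicious."""
    return flow.proto == "dns" and flow.size < max_size


def fit_baseline(flows):
    """Per-protocol mean/stdev of every feature: the learned 'normal behaviour'."""
    by_proto = {}
    for f in flows:
        by_proto.setdefault(f.proto, []).append(f)
    model = {}
    for proto, group in by_proto.items():
        model[proto] = {}
        for name in FEATURES:
            values = [getattr(f, name) for f in group]
            # A constant feature would give stdev 0; floor it so z-scores stay finite.
            model[proto][name] = (mean(values), pstdev(values) or 1.0)
    return model


def anomaly_score(model, flow: Flow) -> float:
    """Largest absolute z-score across features; an unseen protocol is maximally anomalous."""
    params = model.get(flow.proto)
    if params is None:
        return float("inf")
    return max(abs(getattr(flow, n) - mu) / sd for n, (mu, sd) in params.items())


def calibrate_threshold(model, labelled, margin: float = 1.25) -> float:
    """Supervision step from the text: labelled benign flows set the alert threshold."""
    benign_scores = [anomaly_score(model, f) for f, malicious in labelled.values() if not malicious]
    return max(benign_scores) * margin


def detections(model, threshold, labelled):
    """Return {name: (rule_fired, anomaly_fired)} for every labelled flow."""
    return {
        name: (rule_small_dns(f), anomaly_score(model, f) > threshold)
        for name, (f, _) in labelled.items()
    }


if __name__ == "__main__":
    model = fit_baseline(BASELINE)
    thr = calibrate_threshold(model, LABELLED)
    for name, (rule, ai) in detections(model, thr, LABELLED).items():
        print(f"{name:14s} rule={rule!s:5s} anomaly={ai}")
```

The fixed rule catches the 64-byte beacon but goes silent once the attacker pads it to 100 bytes, a size well inside the normal DNS range. The per-protocol baseline still flags it, because its duration and packet count are far from anything seen in normal DNS traffic, and the threshold it alerts on was set from labelled benign flows, the supervision step mentioned earlier. A protocol the baseline never saw scores as maximally anomalous rather than passing silently, which is the failure mode you want from a detector.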

Its integration into an NDR solution gives full visibility of the IT network, detects active attacks in real time and spares analysts an avalanche of inconsequential alerts. The AI analyses the malicious activity and raises an alert only for dangerous threats, which saves a great deal of time in security operations.

A key advantage of AI-based threat detection in the network is the ability to follow every stage of an attack, from the reconnaissance phase to the final execution. Artificial intelligence thus becomes a real support for cyber analysts.

Custocy uses a unique artificial intelligence technology

Attackers use a multitude of procedures and tactics to penetrate a system. These procedures can be very short, such as sending a malicious file, or very long, such as a data exfiltration that can last for weeks.

To detect these different cases, we have developed several AIs that are each specialised in detection at different time scales. They are orchestrated by our master AI, the METALEARNER, which centralises the responses of these specialised AIs to give a final answer to the analyst.

It is thanks to this grouping of multiple AIs that our Custocy solution generates fewer false alarms and that we have one of the most competitive AIs on the market.

This technology is unique and was developed by our in-house teams.

AI has no impact on the IT system

We are often asked whether the use of artificial intelligence slows down the information system. The answer is no.

The AIs do their analysis in a cloud that scales without slowdown or latency. Moreover, the data used by our Custocy solution is only a fraction of the network flow data, less than 1/100 of it.

The data collection and analysis therefore does not affect the monitored network.

Curious to discover our NDR solution? Book your demo slot, it’s free 👉HERE.