Artificial Intelligence and Network Security

Artificial Intelligence and Network Security

How can Network security systems learn to identify when network traffic deviates from 'normal'?

Artificial Intelligence (AI) and Machine Learning (ML) have been banded around as the way forward for computer security. The underlying principle is that any computer network will consist of a large volume of activity, alerts, emails and file access; the vast majority of which is the harmless flow of regular business. Monitoring systems such as SIEM (Security Information and Event Management) can collect and collate this information but struggle to pull the few kernels of wheat from the chaff. AI aims to build up a pattern of known (good) activity and then predict likely future activity. Events that lie outside this prediction can then be flagged as possibly harmful.

Any monitoring and reporting system could be described as possessing some degree of AI. For example a solution that collects computer log data, reports on trends and sends alerts where traffic falls outside expected parameters. These systems rely on building up a database and running queries at frequent intervals. Another element of AI might be the use of coded decision tables allowing a helpdesk system to filter tickets and choose their priority of action. Even more simply an Internet Firewall may block traffic from specific sites or only allow traffic to and from a whitelist of allowed sites. All these examples are better described as computer based decision makers rather than intelligent systems. They do save technical staff time and work by cutting through huge amounts of data to summarise key information. Their efficiency depends on the initial constraints programmed into the systems and any additional rules that the host organisation are able to add.

A more evolved system will use machine learning to manage an evolving set of rules. As data is collected and analysed a baseline of ‘known-good’ behaviour is built up and decisions are based on deviation from that baseline. This category of solution is beginning to hit the mainstream of computer security. Prospective purchasers still need to be careful when evaluating products to ensure that they can truly learn or if they are relying on older simpler solutions combined with clever marketing.

An example of evolving technology is Antigena from Darktrace. Traffic is monitored but together with the usual alerts an element of autonomous response is promised. The system will take the least aggressive action based on its interpretation of the threat. This can allow attacks such as ransomware to be detected and neutralised before the system users are exposed to their trigger messages. In a real world example the Antigena Email solution monitors email looking for messages and files that fall outside the usual pattern of activity. In an example case it was deployed in passive mode at an Australian company, detecting and analysing but not taking any actions. It was able to identify a fraudster sending links to a fake log-in page and using the harvested credentials to expose sensitive information. The attacker also used the information to send a further 1,600 tailored emails within 25 minutes in an attempt to expose additional accounts.

Outide Darktrace the concept of using Machine Learning in computer security  still largely remains a concept rather than an off the shelf solution. The huge variety within network traffic makes it hard to build up a picture of what is normal and hence identify the abnormal. In principle the concept has potential although as with many security initiatives it could equally apply to hackers as to security prevention. If malware can predict what is normal then it will become easier to insert harmful traffic into a network or even for known malware to adapt and become harder to track down. Kindus are constantly reviewing network security trends and new products.  We cut through the hype offering advice and support for products that deliver realistic results.

Leave a comment:

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.