Artificial Intelligence in Enterprise Network Security
TrustPort THREAT INTELLIGENCE is a unique technology for monitoring and analysis of advanced security issues in network traffic.
Faster Incident Response
By detecting atomic symptoms of malicious behavior and anomalies in network traffic it identifies cyber attacks in a very early stage, decreases incident response time and prevents further damage. Thereby, it helps to decrease overall cyber security risks.
Detailed Network Monitoring
TrustPort Threat Intelligence offers an overview of the monitored network, so it is easy to understand who uses individual network elements, bandwidth and other resources (such as requests and services), how they are used, and how they are interconnected.
Easy Administration
Threat Intelligence was developed to provide expert security capabilities while remaining undemanding to use and administer. It is a passive solution, which makes its deployment very easy and fast, without any integration problems. You can rely on the system and its long-term stability.
Machine learning saves time and decreases administration costs
Unlike most anomaly detection and network behavior analysis systems, Threat Intelligence does not depend on manually set rules. Instead, it automatically generates self-adapting rules that adapt as the network traffic and threat landscape evolve. This saves IT security professionals a great deal of time in maintenance and administration.
Threat Intelligence integrates its main detection engine (network behavior analysis) with other built-in engines: an intrusion detection system (IDS) and honeypots. Not only do you see their outputs on a single screen; above all, their outputs feed a further analysis with an additional layer of artificial intelligence.
As a result, working with Threat Intelligence is more efficient, the false positive rate decreases, and the sensitivity and effectiveness of detection increase.
Additionally, you can integrate antimalware reports from endpoints into the analysis (when using antimalware with central management capability).
Hardware acceleration is used to cope with real-time processing of 10 Gbps to 40 Gbps of network traffic by a single probe and collector without any loss of sensitivity.
For corporate networks with complicated topology, or for higher-speed networks, a distributed deployment is used. Threat Intelligence can then employ up to 100 collectors and 10 probes per collector.
Threat Intelligence records information about all network data flows in one-minute intervals. Therefore, you can easily gain an overview of the monitored network and find out who uses individual network elements, bandwidth and other resources (such as requests and services), how they are used, and how they are interconnected.
It can be used for the purpose of
- forensic analysis,
- creating network statistics,
- visualization of network traffic,
- regulatory compliance.
Powerful & Handy
Threat Intelligence is built using comprehensive database processing. That brings several benefits.
Elementary Browsing and Searching
Browsing and searching in the web graphical interface is very easy and intuitive.
High Granularity of User Permissions
You can create user permissions that allow access to a range of IP addresses or just one IP address, a report, or a view of the managerial dashboard.
You can filter and sort security events and data flows by any parameter: source and host IPs, protocol, service, event severity, number of events, amount of data transferred, etc.
Threat Intelligence recognizes attacks by atomic behavioral characteristics typical of a broad range of advanced malware and attacks. That is, it focuses on the symptoms of an attack instead of its method or a particular code signature.
The network behavior analysis in Threat Intelligence does not depend on manually set rules. Instead, it uses automatically generated self-adapting rules that change gradually as the network traffic and threat landscape evolve.
Therefore, it can detect attacks without prior knowledge of the attack vector:
- Repetitive flows (password crackers, trojans, viruses, command and control, …)
- DoS and DDoS (identification of sources of attacks based on autonomous systems, country, subnetworks, proxies, ...)
- Horizontal and vertical port scans
- P2P network behavior
- Data leaks
- Other anomalous and outlier network behavior
The Most Recent Technology
Threat Intelligence is based on five years of university research at the Faculty of Information Technology, University of Technology Brno, Czech Republic. The faculty has specialized in IT security since 1994. It is well established in network security and in voice and video recognition (repeated success in the NIST challenge).
At present Threat Intelligence uses dozens of the latest, purpose-researched technologies: the advanced protocol for attack processing, a unique NBA engine, tainted honeypots, advanced machine learning, etc. The cooperation with the university means Threat Intelligence will stay ahead of its competitors in the future.
Rapid Detection
Threat Intelligence is unique because it is based on technologies that go beyond NetFlow and deep packet inspection and do not depend on signatures.
Enhanced Protocol for Sensitive Detection
A newly developed Advanced Security Network Metrics protocol monitors close to a hundred features (attributes) of each individual data flow (NetFlow uses just 10). Therefore, detection of malicious and other unwanted behavior is much more sensitive than can be achieved with NetFlow. It recognizes security incidents by atomic behavioral characteristics typical of a broad range of advanced malware and attacks: port scans, SSH and other types of access, periodic flows, high-volume and high-value data traffic, dictionary attacks, buffer overflows, ...
The fact that Threat Intelligence processes 10 times more features for each flow by no means makes it slow. On the contrary, optimized data mining techniques are used so that a single probe with a collector processes 200,000 flows per second (more can be achieved by deploying more probes).
The Most Modern Machine Learning
The most modern methods of machine learning are used so that Threat Intelligence automatically learns a specific network from its past traffic and detects all anomalous and outlier behavior. These methods combine supervised and unsupervised classification, clustering and outlier analysis:
- Entropy models of the network, subnetworks, hosts, services and individual data flows
- Bayesian analysis of transformed features
- Probabilistic mixture models (Gaussian EM)
- Various ad hoc reasoning techniques
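As an added illustration (not TrustPort's code, and not the ASNM feature set), here is a minimal entropy model of the kind named in the list above: each host's destination-port entropy is learned from past one-minute windows of constructed flow records, and a later minute whose entropy deviates by more than three standard deviations from that host's own baseline is reported as an outlier, which is what a vertical port scan looks like. The host addresses, the port counts and the z-score threshold are assumptions.

```python
from collections import Counter, defaultdict
from math import log2
from statistics import mean, pstdev

def entropy(counts):
    """Shannon entropy in bits of a Counter of observed values."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * log2(c / total) for c in counts.values())

def port_entropy_per_host(flows):
    """flows: (minute, src_ip, dst_ip, dst_port) records, as a collector
    storing one-minute intervals might provide -> {src_ip: {minute: bits}}."""
    buckets = defaultdict(lambda: defaultdict(Counter))
    for minute, src, _dst, dport in flows:
        buckets[src][minute][dport] += 1
    return {src: {m: entropy(c) for m, c in mins.items()}
            for src, mins in buckets.items()}

def detect_outliers(flows, learn_minutes, threshold=3.0):
    """Unsupervised baseline: learn each host's mean and standard deviation
    of port entropy over the first learn_minutes, then flag later minutes
    whose z-score exceeds the threshold. Returns [(src_ip, minute, bits)]."""
    alerts = []
    for src, per_min in port_entropy_per_host(flows).items():
        baseline = [h for m, h in per_min.items() if m < learn_minutes]
        if len(baseline) < 2:
            continue  # not enough history to model this host yet
        mu = mean(baseline)
        sigma = pstdev(baseline) or 0.1  # floor: a perfectly regular host still needs a scale
        for m, h in sorted(per_min.items()):
            if m >= learn_minutes and (h - mu) / sigma > threshold:
                alerts.append((src, m, round(h, 2)))
    return alerts

# Constructed sample flows (not real traffic): for ten minutes 10.0.0.5 talks
# to a few well-known ports; in minute 10 it hits 40 distinct ports on one host.
FLOWS = []
for minute in range(10):
    FLOWS += [(minute, "10.0.0.5", "10.0.0.80", p) for p in (80, 443, 443, 53)]
FLOWS += [(10, "10.0.0.5", "10.0.0.80", p) for p in range(1, 41)]

if __name__ == "__main__":
    print(detect_outliers(FLOWS, learn_minutes=10))  # [('10.0.0.5', 10, 5.32)]
```

Swapping the destination port for the destination address in the bucket key turns the same model into a horizontal-scan detector.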
The behavior analysis detection engine itself consists of several modules based on modern artificial intelligence methods. The tool uses dozens of recently published as well as newly developed detection algorithms, complemented by methods of feedback learning from reported errors (false positive detections).
Extended Protocol for Flow Recording
Flow analysis does not use the NetFlow protocol but a proprietary protocol, ASNM (Advanced Security Network Metrics), which currently contains 60 parameters compared with the 9 parameters found in common NetFlow applications. Thanks to this extended detection set, the detection possibilities are considerably greater and, above all, more effective.
Main Advantages of Threat Intelligence
The first protocol for attack detection that goes far beyond NetFlow or packet inspection, the most modern machine learning, fast data mining... There are dozens of innovations in Threat Intelligence. Why? Because together they make it an excellent security solution.
Network Behavior Analysis
The behavioral analysis module (NBA, NBAD) has been developed to detect advanced malware that is immune to signature-based detection (IDS, antivirus). This makes it possible to detect common as well as advanced threats, known as well as unknown.
The NBA engine clearly distinguishes machine behavior from human behavior; therefore, it is particularly effective at detecting tailor-made attacks, such as:
- Advanced Persistent Threats (APT)
- Remote Access Trojans (RAT)
- Targeted Attacks
- Polymorphic malware
- And more
The detection mechanism uses an array of advanced artificial intelligence techniques. Additionally, it comprises dozens of detection algorithms, partly taken from academic research and partly developed internally. The aim of each detection algorithm is to recognize a certain type of attack based on a specific behavioral pattern (e.g. repetitiveness).
Unique Detection Protocol
The NBA engine is unique not only for the detection algorithms it uses, but also for its own set of detection metrics (protocol). Unlike all other NBA engines, it does not use NetFlow, but its own protocol called ASNM – Advanced Security Network Metrics. The main advantage lies in a much more detailed and accurate description of each data flow and, consequently, in the sensitivity of detection. The ASNM protocol was created on the basis of tests of more than 800 different parameters describing the two-way network flow, out of which the 60 most useful parameters were selected.
Intrusion Detection System
Signature-based detection of known attacks (Intrusion Detection System, IDS) is an important complement to the unique network behavior analysis engine. The highly optimized architecture of the NBA engine allows the remaining capacity of the hardware appliance to be used for this purpose.
The IDS in Threat Intelligence uses multi-threaded detection processing that takes up less computing capacity than competing systems. The IDS may be used in passive mode or in active blocking mode.
High detection quality and a close-to-zero false positive rate are guaranteed by several different sources of signature databases and by optimization of detection rules. The system can retain full historical data for several months, with detailed filtering of the stored data.
The honeypots in Threat Intelligence have been designed as a tool for automated detection of unknown attacks (zero-day attacks) directed at network services, and for automated generation of new signatures for these attacks.
There have been other solutions with similar technology in the past. However, they mostly share a common flaw – a great number of false positive alerts, i.e. legitimate network traffic interpreted as illegitimate.
The honeypots in Threat Intelligence do not focus on attacks that exploit misconfigured services but rather on advanced attacks exploiting code vulnerabilities such as buffer overflows. The honeypot focuses not on the payload but on the exploit itself. In other words, the honeypot can detect which particular code is exploiting a vulnerability, but it does not further analyze what follows a successful attack.
The honeypots detect whether inbound data from the internet are used for an attack (i.e. launched as a program). These data are passed to the application and at the same time recorded in a database so that they can be extracted in case of an attack. When the data start to be copied into operating memory, Dynamic Taint Analysis is used to detect the attack. If an attack is detected, the honeypot records the attack and automatically creates a detection signature and a behavioral profile of the attack.
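To make the dynamic taint analysis described above concrete, here is an added toy model (not TrustPort's honeypot): bytes arriving from the network are marked tainted, copies carry the mark with them, and the control-transfer sink refuses to "launch" tainted bytes as code, recording them as the attack signature. The memory layout, addresses and the simulated service are invented for the demonstration.

```python
class TaintedMemory:
    """Toy byte-granular taint tracker (added illustration, not TrustPort's
    honeypot): addresses and layout below are invented for the demo."""

    def __init__(self, size):
        self.mem = bytearray(size)
        self.taint = [False] * size      # one taint bit per byte of memory
        self.alerts = []                 # recorded signatures of detected attacks

    def recv(self, addr, data):
        """Inbound network data is stored and every byte marked tainted."""
        self.mem[addr:addr + len(data)] = data
        for i in range(addr, addr + len(data)):
            self.taint[i] = True

    def memcpy(self, dst, src, n):
        """Copies propagate taint byte by byte; bounds are deliberately not
        checked so the simulated service can overrun its buffer."""
        for i in range(n):
            self.mem[dst + i] = self.mem[src + i]
            self.taint[dst + i] = self.taint[src + i]

    def jump(self, target):
        """Control-transfer sink: launching tainted bytes as code is the
        attack signal. The contiguous tainted run is recorded as a signature."""
        if not self.taint[target]:
            return True                  # ordinary control flow
        end = target
        while end < len(self.taint) and self.taint[end]:
            end += 1
        self.alerts.append(bytes(self.mem[target:end]))
        return False                     # execution denied, attack recorded

def simulate(request, copy_len):
    """Assumed layout: input lands at 0x00, a 16-byte buffer sits at 0x40 and
    the service later transfers control to 0x50 (the slot right after the
    buffer). Returns (jump_allowed, recorded_signatures)."""
    m = TaintedMemory(0x100)
    m.recv(0x00, request)
    m.memcpy(0x40, 0x00, copy_len)       # overruns the buffer when copy_len > 16
    return m.jump(0x50), m.alerts

if __name__ == "__main__":
    print(simulate(b"GET / HTTP/1.0\r\n", 16))   # (True, [])
    print(simulate(b"A" * 32, 32))               # (False, [b'AAAAAAAAAAAAAAAA'])
```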
Network Flow Monitoring
Threat Intelligence stores data on all network flows for later analysis. The data can be filtered and sorted by any flow parameter.
It visualizes network traffic of the whole network, any subnetworks, hosts, services or individual flows.
New Technology, Without a Parallel on the Market
Threat Intelligence utilizes synergies among several detection engines. The main one (NBA) is based on very recently published and newly developed detection algorithms and advanced artificial intelligence and machine learning.
Visualization and statistics of current and past traffic and individual flows.
Reported incidents from the third-party endpoint security central management are integrated into the analysis.
Basic info about Threat Intelligence and its technologies
Scheme of single-port and distributed deployment.
Risk mgmt. dashboard
Aggregated output for quick network health overview.
Detection with NBA
Overview of all incidents within the network.
Event detail - NBA
Communication of a trojanized IP to a malware server.
Detection with IDS
Overview of all incidents within the network.
Event detail - IDS
Possible breach of internal IT security policy.
Network flow monitoring
Aggregated traffic for a specific subnet.
Network traffic of a user
One-day network traffic of a single user.
TrustPort keeps your IT secure
TrustPort is a major producer of software solutions for secure communication and reliable data protection. TrustPort products protect home and enterprise customers against known as well as unknown threats. According to several benchmarks they excel in antivirus technology, antispam methods, and encryption technology.
TrustPort products have been highly rated in multiple third-party tests such as Virus Bulletin, which confirmed the prominent position of TrustPort in the antivirus industry. TrustPort Antivirus has topped the latest several Virus Bulletin comparatives (August 2013 to February 2014) and has proved to have the best malware detection in the world.
The core of Threat Intelligence technology was developed within a research project. This project was realized with financial support from the Czech Republic state budget through the Ministry of Industry and Trade.
- TrustPort a.s., Purkynova 101, 612 00 Brno, Czech Republic
- +420 541 244 471