- Machine Learning enables network security solutions to enhance their ability to detect advanced, stealthy threats
- Bitdefender NTSA relies on semi-supervised machine learning to identify key patterns and trends in live data flows, with minimal human input
- New, specialized ML algorithms help detect attacks that use DNS and FTP services
Despite increased cybersecurity budgets and complex security architectures, most organizations still struggle to maintain the right level of threat visibility and the ability to detect advanced attacks.
A gap obviously lies somewhere between overlapping next-gen firewalls, intrusion detection/prevention systems, network sandboxing, endpoint security and other tools in the hand of security operations today. The challenge is aggravated by a growing number of devices outside traditional IT control, like BYOD, IOT and shadow IT devices. The number of these unmanaged devices grows year after year.
The common denominator of all devices in the enterprise environment is network traffic, making network-centric security the most effective approach in defending modern heterogenous enterprise environments. There are 2 major approaches to network security: flow analysis and content analysis. Although appealing at first, content analysis (also known as deep packet inspection) proves complicated and expensive, mainly because of computational and storage resources requirements combined with the challenge of strong traffic encryption. Flow-data analysis leverages traffic meta-data (source, destination, protocols, packet count, etc) and focuses on traffic patterns and subtle changes in network communication behavior to detect advanced attacks and compromised endpoints.
Semi-Supervised Machine Learning
Applying Machine Learning to network traffic enables network security solutions to improve detection of advanced threats that might target the entire range of network-connected devices. Out of the three base Machine Learning models (supervised, unsupervised and semi-supervised learning), Bitdefender Network Traffic Security Analytics (NTSA) relies on semi-supervised learning to provide real-time, accurate threat detection.
Unlike strictly supervised approaches, NTSA’s semi-supervised machine learning doesn’t rely on labeled training data alone. Besides samples of labeled data, it identifies key patterns and trends in live data flows, without the need for human input. Instead of fully relying on knowledge of specific past threats, it independently classifies data and detects compelling patterns. From this, it forms an understanding of the normal behaviors across the network and detects any deviation from this baseline that may point to a developing threat.
The core principles of NTSA’s machine learning are:
- Continuous learning about what is normal network behavior within the customer’s context
- No dependence on knowledge of previous attacks
- Visibility into any unusual activity or anomalies
- Automatic fine-tuning of behavioral analytics
- Always up to date and informed by global threat intelligence
New specialized ML detections for DNS and FTP services
With the July release, Bitdefender NTSA gets a new set of ML algorithms specialized in detecting anomalies related to DNS and FTP traffic flows.
Over the years, DNS has proven to be a protocol of choice for cyber attackers, often redirecting legitimate network traffic to destinations they control. As a result of DNS attacks, organizations suffer downtime for applications, compromised websites, business downtime or theft of sensitive information. Industry reports show an increase in specific types of DNS attacks, like phishing, DNS-based malware, DDoS attacks, and DNS tunneling. FTP, on the other hand, is one of the oldest methods of sharing data, and is still often used. Although familiar to all IT teams, FTP lacks crucial security elements and has been used in countless cases to wreak havoc.
The new, specialized ML algorithms will further enhance early detection of threats that leverage DNS and FTP protocols and services.