By John Maddison, Executive Vice President, Products and Solutions of Fortinet
As the threat landscape continues to evolve rapidly, it now includes increasingly sophisticated, zero-day malware that traditional security approaches can no longer keep pace with. As a result, security researchers estimate that the cost of cybercrime will outpace security spend by over 16X, reaching $2.1 trillion by the end of 2019. Staying ahead of today’s accelerated cybercrime trends requires adding artificial intelligence (AI) to an organization’s network security strategy.
The rise of artificial intelligence
The goal of AI is to replicate the analytical processes of human intelligence but to enable decision making at machine speeds. The most effective AI uses a deep-learning model built around an artificial neural network (ANN). This network is comprised of hardware and software configured after the neuron patterns in the human brain. This design not only accelerates data analysis and decision making but also enables the network to adapt and evolve based on new information.
To accomplish this, an ANN goes through a machine learning (ML) training process where implanted learning models are carefully fed vast and increasingly complex amounts of information on an ongoing basis. Once the system has identified patterns and problem-solving strategies, it is then provided with new information that enables it to adjust its algorithms so that it can adapt to and identify new tactics and capabilities adopted by malware or an attack vector.
Fortinet and AI
As an early adopter of AI, Fortinet began developing a self-evolving threat detection system over six years ago. This system leverages a custom-designed ANN comprised of billions of nodes, and we have been meticulously training it with new threat data every day since, giving us a significant competitive threat intelligence advantage over every other vendor in the security marketplace.
Our FortiGuard Labs team now uses this advanced AI technology to analyze files and URLs and label them as clean or malicious—at machine speeds and with a high degree of accuracy. And because of those years of careful preparation, the threat intelligence produced by FortiGuard AI has become so fast and reliable that it has now been included as a fundamental cloud-based component of every solution in the Fortinet Security Fabric, and even as an in-line component of the FortiWeb web application firewall.
Training an AI
The most crucial element of any AI solution is the methodology used to train its analysis and decision-making algorithms. The ML model used to train FortiGuard AI leverages the three essential learning model strategies endorsed by the AI community:
- Supervised learning. This initial model begins the training of the AI by feeding it a vast amount of labeled data, clearly identifying the characteristics of each labeled data set, and then repeatedly applying those characteristics to unlabeled data.
- Unsupervised learning. In this next phase, the algorithm has no known solution set to follow. Instead, it recognizes patterns learned in phase one that enable it to label data without human help. At this point, new data can be slowly introduced to force it to deal with data it hasn’t seen before and make new decisions.
- Reinforcement learning. The results of supervised and unsupervised learning are then “tested,” by scoring the system’s performance with unlabeled files and “rewarding” the system for good results. Training then continues to cycle between these three learning strategies on an ongoing basis.
Because of the recursive requirements of machine learning, any AI system that does not use all three of these learning models is incomplete. Each learning model helps refine results and improve accuracy.
Delivering true AI to customers
Many cybersecurity companies claim to have introduced AI capabilities into their solutions. But the reality is, most fall short of true AI because their underlying infrastructure is too small or their learning models are incomplete. Others refuse to divulge the methods that they use, which raises concerns about the reliability of their AI. Fortinet instead opts to be more transparent about its methodology so that customers know the breadth and depth of the analysis involved.
To start, the best learning requires data, so to address a problem as complex as the current threat landscape, massive amounts of data are needed on an ongoing basis to give the ANN what it needs to adapt and reinforce rules over time. This is another area where Fortinet excels. Fortinet gathers intelligence from over 4 million global security sensors. That intelligence is then processed through our artificial neural network (ANN) where files are scanned against more than 5 billion nodes to identify unique clean or malicious features. This allows us to create detection capabilities that are then fed to products across our portfolio. Likewise, our web filtering AI/ML program processes over 100 billion web queries every day, and uses that data to block over 2,600 malicious URLS every second.
In addition to supervised, unsupervised, and reinforcement learning, FortiGuard AI also uses the following essential elements of a true AI:
- User and Entity Behavior Analytics (UEBA) is used in conjunction with several solutions. FortiSIEM 5.0, FortiAnalyzer, and FortiWeb, for example, all use UEBA to uncover patterns in typical user behavior—such as location, time of day, devices or applications used, and specific servers or websites accessed. When anomalous activity is detected, UEBA can trigger applications to take automatic action, as well as notify security operations teams.
- Proprietary unpackers perform deep inspection and analysis of the packaging and wrappers used to encrypt malicious code, allowing us to stop malware at the perimeter before it becomes a threat to the network.
Sharing intelligence across the Security Fabric
Intelligence in isolation is useless. The more it is shared, the more effective your defensive systems can become. This is why every time a threat is identified, FortiGuard AI generates threat intelligence that automatically updates defensive signatures for every solution across the entire Fortinet Security Fabric, enabling security tools to work together to defend customers with advanced threat detection and protection solutions.
And because AI powers it, all of this happens seamlessly and behind the scenes—requiring no staff time from an organization’s security analysts. This allows the Fortinet Security Fabric to integrate, collaborate, and automate threat detection, prevention, and remediation capabilities through sandboxing by sharing threat intelligence across each security element in real time.
Because Fortinet covers the network from end to end, we have a unique and comprehensive view that includes every component needed to protect an organization’s ecosystem—from the data center to multiple clouds. This approach, unique in the industry, improves operational efficiencies while dramatically mitigating risks. And because FortiGuard AI threat detection is incorporated into the Security Fabric’s centralized visibility and controls, it also enables the network security team to work proactively based on the most accurate and timely information possible.