Applying Machine Learning to Network Centric Security

Author: Bogdan Carlescu

  • Machine Learning enables network security solutions to enhance their ability to detect advanced, stealthy threats
  • Bitdefender NTSA relies on semi-supervised machine learning to identify key patterns and trends in live data flows, with minimal human input
  • New, specialised ML algorithms help detect attacks that use DNS and FTP services

Despite increased cybersecurity budgets and complex security architectures, most organisations still struggle to maintain the right level of threat visibility and the ability to detect advanced attacks.

The gap clearly lies somewhere between the overlapping next-gen firewalls, intrusion detection/prevention systems, network sandboxes, endpoint security and other tools in the hands of security operations today. The challenge is aggravated by the growing number of devices outside traditional IT control, such as BYOD, IoT and shadow IT devices, and the number of these unmanaged devices grows year after year.

The common denominator of every device in the enterprise environment is network traffic, which makes network-centric security the most effective approach to defending modern heterogeneous enterprise environments. There are two major approaches to network security: flow analysis and content analysis.

Although appealing at first, content analysis (also known as deep packet inspection) proves complicated and expensive, mainly because of its computational and storage requirements, combined with the fact that strong traffic encryption hides the very payload it needs to inspect. Flow-data analysis instead leverages traffic meta-data (source and destination addresses, protocol, ports, packet and byte counts, etc.) and focuses on traffic patterns and subtle changes in network communication behaviour to detect advanced attacks and compromised endpoints. Because it never needs the payload, flow analysis keeps working on encrypted traffic; the trade-off is that it sees that a conversation happened and what shape it had, not what was said.

Semi-Supervised Machine Learning

Applying Machine Learning to network traffic enables network security solutions to improve detection of advanced threats that might target the entire range of network-connected devices. Of the three learning paradigms (supervised learning on labelled data, unsupervised learning on unlabelled data, and semi-supervised learning, which combines a small labelled set with a large unlabelled one), Bitdefender Network Traffic Security Analytics (NTSA) relies on semi-supervised learning to provide real-time, accurate threat detection.

Unlike strictly supervised approaches, NTSA's semi-supervised machine learning does not rely on labelled training data alone. Alongside the labelled samples, it identifies key patterns and trends in live, unlabelled data flows with little human input. Rather than relying solely on knowledge of specific past threats, it classifies the unlabelled traffic on its own and surfaces recurring patterns. From these it builds an understanding of what is normal across the network and flags deviations from that baseline that may point to a developing threat. One caveat applies to any baseline learned from live traffic: whatever is already happening during the learning period, an existing compromise included, is absorbed into "normal", so the learning window and the first alerts it produces deserve a review before the baseline is trusted.
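The flow-level baselining the last two sections describe, as an added example written for this article and not Bitdefender NTSA's own code (which is not public and is not reproduced here): an unlabelled traffic window yields robust per-feature statistics (median and MAD) over flow meta-data aggregated per source host, a small set of labelled hosts fixes the alert threshold, and a live window is scored against the baseline. The NetFlow-style records, the addresses, the four features, the MAD fallback and the threshold rule are all constructed assumptions for illustration.

```python
"""Flow-meta-data baselining with a small labelled seed set.

Added example written for this article; it is not Bitdefender NTSA code and does
not reproduce its models. Flow records, addresses, feature choice and cut-offs are
constructed assumptions for illustration.
"""
from collections import defaultdict
from statistics import median

FEATURES = ("dsts", "ports", "bytes", "flows")


def per_host_features(flows):
    """Aggregate NetFlow-style records (src, dst, proto, dst_port, packets, bytes)
    into per-source-host counters: distinct destinations, distinct destination
    ports, bytes sent and number of flows."""
    agg = defaultdict(lambda: {"dsts": set(), "ports": set(), "bytes": 0, "flows": 0})
    for src, dst, _proto, dport, _pkts, nbytes in flows:
        a = agg[src]
        a["dsts"].add(dst)
        a["ports"].add(dport)
        a["bytes"] += nbytes
        a["flows"] += 1
    return {h: {"dsts": len(a["dsts"]), "ports": len(a["ports"]),
                "bytes": a["bytes"], "flows": a["flows"]} for h, a in agg.items()}


def fit_baseline(flows):
    """Unsupervised step: robust location and scale (median, MAD) of every feature
    across the hosts of an unlabelled window assumed to be mostly normal."""
    feats = per_host_features(flows)
    baseline = {}
    for f in FEATURES:
        values = [v[f] for v in feats.values()]
        med = median(values)
        scale = 1.4826 * median(abs(x - med) for x in values)  # MAD scaled to sigma
        if scale == 0:  # constant feature in the window: assume one unit == one sigma
            scale = 1.0
        baseline[f] = (med, scale)
    return baseline


def score_host(host_feats, baseline):
    """Anomaly score of one host: the largest robust z-score over its features."""
    return max(abs(host_feats[f] - med) / scale for f, (med, scale) in baseline.items())


def choose_threshold(labelled_flows, labels, baseline):
    """Supervised step: scan the midpoints between the sorted scores of the labelled
    hosts and keep the cut-off with the best accuracy (ties -> higher cut-off)."""
    feats = per_host_features(labelled_flows)
    scored = sorted((score_host(feats[h], baseline), y) for h, y in labels.items())
    candidates = [(a[0] + b[0]) / 2 for a, b in zip(scored, scored[1:])]
    best_t, best_acc = candidates[0], -1.0
    for t in candidates:
        acc = sum((s > t) == bool(y) for s, y in scored) / len(scored)
        if acc >= best_acc:
            best_t, best_acc = t, acc
    return best_t


def detect(flows, baseline, threshold):
    """Score every host in a live window; returns {host: (score, flagged)}."""
    scores = {h: score_host(v, baseline) for h, v in per_host_features(flows).items()}
    return {h: (s, s > threshold) for h, s in scores.items()}


def workstation_window(hosts):
    """Constructed 'normal' traffic: each workstation talks HTTPS to a few web
    servers and resolves names at the internal DNS server 10.0.0.53."""
    flows = []
    for i, h in enumerate(hosts):
        for k in range(i + 2):
            flows.append((h, f"93.184.216.{k}", "tcp", 443, 40 + k, 20_000 + 1_000 * k))
        flows.append((h, "10.0.0.53", "udp", 53, 4, 400))
    return flows


BASELINE_FLOWS = workstation_window([f"10.0.0.{n}" for n in range(1, 7)])
# Labelled seed: two benign workstations, a crawler touching 20 web hosts, an SMB scanner.
LABELLED_FLOWS = (workstation_window(["10.0.0.21", "10.0.0.22"])
                  + [("10.0.0.91", f"198.51.100.{k}", "tcp", 80, 5, 500) for k in range(20)]
                  + [("10.0.0.92", f"10.0.2.{k}", "tcp", 445, 1, 60) for k in range(100)])
LABELS = {"10.0.0.21": 0, "10.0.0.22": 0, "10.0.0.91": 1, "10.0.0.92": 1}
# Live window: four normal workstations, a multi-port scanner and a 1.5 GB upload to one host.
LIVE_FLOWS = (workstation_window([f"10.0.0.{n}" for n in range(31, 35)])
              + [("10.0.0.99", f"10.0.1.{k}", "tcp", (22, 80, 445, 3389)[k % 4], 2, 120) for k in range(50)]
              + [("10.0.0.77", "203.0.113.10", "tcp", 443, 1_000_000, 1_500_000_000)])


def run():
    baseline = fit_baseline(BASELINE_FLOWS)
    threshold = choose_threshold(LABELLED_FLOWS, LABELS, baseline)
    results = detect(LIVE_FLOWS, baseline, threshold)
    flagged = sorted(h for h, (_s, hit) in results.items() if hit)
    return baseline, threshold, results, flagged


if __name__ == "__main__":
    _baseline, threshold, results, flagged = run()
    print(f"threshold={threshold:.2f} flagged={flagged}")
    for h, (s, hit) in sorted(results.items(), key=lambda kv: -kv[1][0]):
        print(f"{h:<12} score={s:10.1f} {'ALERT' if hit else ''}")
```

Two design points worth noting. The labelled hosts are used only to place the threshold, not to train a classifier, which is the cheapest way to get value from a handful of confirmed incidents; with more labels a proper classifier over the same features becomes worthwhile. The baseline here is cross-sectional (one window, many hosts), so a host that is unusual but stable, such as a backup server, scores high forever; a production system also keeps a per-host history over time so that "unusual for this host" and "unusual for this network" are separate signals.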

The core principles of NTSA’s machine learning are:

  • Continuous learning about what is normal network behaviour within the customer’s context
  • No dependence on prior knowledge of a specific attack
  • Visibility into any unusual activity or anomalies
  • Automatic fine-tuning of behavioural analytics
  • Always up to date and informed by global threat intelligence

New specialised ML detections for DNS and FTP services

With the July release, Bitdefender NTSA gets a new set of ML algorithms specialised in detecting anomalies related to DNS and FTP traffic flows.

Over the years, DNS has proven to be a protocol of choice for attackers, whether by redirecting legitimate network traffic to destinations they control or by using the protocol itself as a covert channel. As a result of DNS attacks, organisations suffer application and business downtime, compromised websites and theft of sensitive information.

Industry reports show an increase in specific types of DNS attacks, like phishing, DNS-based malware, DDoS attacks and DNS tunnelling. FTP, on the other hand, is one of the oldest methods of sharing data and is still in frequent use. Although familiar to every IT team, FTP lacks crucial security elements (plain FTP sends credentials and data in clear text and offers no integrity protection) and has been abused in countless incidents.

The new, specialised ML algorithms will further enhance early detection of threats that leverage DNS and FTP protocols and services.
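How DNS query meta-data alone can surface the tunnelling case mentioned above, as an added example written for this article and not part of the NTSA product or of the original text: per-client features (entropy and length of the leftmost label, share of TXT/NULL queries, NXDOMAIN rate and number of distinct subdomains under one zone) are computed from a constructed query log and compared against assumed cut-offs. The zone split (last two labels), the thresholds, the minimum query count and every address and domain name are assumptions; a real deployment would split zones with the Public Suffix List and tune the cut-offs against its own traffic.

```python
"""Per-client DNS tunnelling indicators from query meta-data.

Added example written for this article; not Bitdefender code. The query log,
the zone split, the feature set and the cut-offs are constructed assumptions.
"""
import math
from collections import Counter, defaultdict

# Assumed cut-offs per client; a real deployment tunes these against its own baseline.
THRESHOLDS = {
    "mean_label_entropy": 3.5,        # bits per character; encoded payloads look random
    "mean_label_len": 20,             # characters in the leftmost label
    "txt_ratio": 0.5,                 # share of TXT/NULL queries (large answers)
    "nxdomain_ratio": 0.5,            # many unresolvable names (DGA or probing)
    "max_subdomains_per_zone": 20,    # distinct subdomains under one zone
}


def shannon_entropy(s):
    """Bits per character of the string s (0.0 for the empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def split_zone(qname):
    """Assumption: the zone is the last two labels. Production code should use
    the Public Suffix List, otherwise names like example.co.uk split wrongly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def client_features(queries):
    """queries: iterable of (client, qname, qtype, rcode). Returns per-client features."""
    by_client = defaultdict(list)
    for client, qname, qtype, rcode in queries:
        by_client[client].append((qname, qtype, rcode))
    feats = {}
    for client, qs in by_client.items():
        subs_per_zone, lens, ents = defaultdict(set), [], []
        for qname, _qtype, _rcode in qs:
            zone, sub = split_zone(qname)
            if sub:  # apex queries carry no label to inspect
                subs_per_zone[zone].add(sub)
                first = sub.split(".")[0]
                lens.append(len(first))
                ents.append(shannon_entropy(first))
        n = len(qs)
        feats[client] = {
            "queries": n,
            "mean_label_len": sum(lens) / len(lens) if lens else 0.0,
            "mean_label_entropy": sum(ents) / len(ents) if ents else 0.0,
            "txt_ratio": sum(qt in ("TXT", "NULL") for _, qt, _ in qs) / n,
            "nxdomain_ratio": sum(rc == "NXDOMAIN" for _, _, rc in qs) / n,
            "max_subdomains_per_zone": max((len(s) for s in subs_per_zone.values()), default=0),
        }
    return feats


def flag_clients(queries, min_queries=10, min_indicators=2):
    """Returns {client: (tripped indicators, flagged)}. A client is flagged only
    when it has enough queries to judge and trips at least min_indicators cut-offs."""
    out = {}
    for client, f in client_features(queries).items():
        hits = sorted(k for k, t in THRESHOLDS.items() if f[k] > t)
        out[client] = (hits, f["queries"] >= min_queries and len(hits) >= min_indicators)
    return out


_B32 = "abcdefghijklmnopqrstuvwxyz234567"


def _tunnel_query(i):
    # Constructed tunnel traffic: a base32-looking 32-char data label, a sequence label, one zone.
    rot = _B32[i % 32:] + _B32[:i % 32]
    return ("10.0.0.66", f"{rot}.{i}.t.exfil-example.net", "TXT", "NOERROR")


QUERIES = (
    [  # constructed log: a normal workstation
        ("10.0.0.5", "www.example.com", "A", "NOERROR"),
        ("10.0.0.5", "mail.example.com", "A", "NOERROR"),
        ("10.0.0.5", "api.github.com", "A", "NOERROR"),
        ("10.0.0.5", "login.microsoftonline.com", "A", "NOERROR"),
        ("10.0.0.5", "typo.exmaple.com", "A", "NXDOMAIN"),
        ("10.0.0.5", "example.com", "MX", "NOERROR"),
    ] * 2
    # a busy but benign client fetching 25 CDN image hosts: many subdomains, low entropy
    + [("10.0.0.9", f"img{k}.cdn-example.com", "A", "NOERROR") for k in range(25)]
    + [_tunnel_query(i) for i in range(40)]
)

if __name__ == "__main__":
    for client, (hits, flagged) in flag_clients(QUERIES).items():
        print(f"{client:<10} {'TUNNEL?' if flagged else 'ok     '} {hits}")
```

The busy CDN client trips the subdomain-count indicator alone and is not flagged, which is the reason for requiring two independent indicators: any single one has a common benign explanation. The weakness of this per-window view is the low-and-slow tunnel that stays under min_queries; the usual answer is to keep per-client counters across windows and to baseline each zone's subdomain churn over days rather than minutes.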

