Corporate leaders face complex challenges in balancing security spending against evolving Internet risks. This has resulted in advanced levels of protection being needed to facilitate future strategic objectives. Expert Security addresses the need to implement a more robust and cost-effective level of expertise, and helps bridge the gap to culturally adverse corporate solutions such as Managed Security Services (MSS). As companies expand, their need for additional layers of protection is paramount to ensure asset protection. Network Behavior Analysis (NBA) offers a new building block to Expert Security, and a viable solution to modern sophisticated cyber-attacks. This presentation outlines our corporate overview and market positioning for Network Behavior Analysis, and our products and services.
As mobile data is expected to grow 16-fold over the next four years*, mobile providers are facing new challenges in balancing subscriber ease-of-use and cyber-protection. The explosion in cellular usage and mobile commerce will require advanced levels of protection for mobile users, as hackers continue to find new vulnerabilities. A dual strategy including end-point and infrastructure security will provide robust and cost-effective levels of protection. It will expand provider revenue streams to enhanced services, and increase their ARPU through value-added security. Network Behavior Analysis is a viable building block to infrastructure security, and helps protect a collective subscriber base against sophisticated mobile cyber-attacks.
• *Cisco – Visual Networking Index Global Mobile Data ’11
• ARPU – Average Revenue Per User
Bank managers face complex challenges in balancing security spending against evolving internet commerce risks. Criminals have managed to change the battlefield in the war on cyber-crime under the noses of the enterprise community. Highly intelligent exploit kits and trojans bypass layers of security with ease. To prepare for these new adversaries, new and advanced levels of protection are needed to facilitate current and future security objectives. Expert Security addresses the need to implement a more robust and cost-effective level of expertise, and bridges the gap to Managed Security Services, which are based on a cloud-based model. It’s no longer about adding never-ending layers of protection that fit within a security budget – it’s ensuring that the layers that exist are clever enough to mitigate modern attacks. This is paramount in ensuring asset protection. Network Behavior Analysis is a new building block in Expert Security, and offers a viable solution for state-of-the-art cyber-attacks. This presentation outlines some of these threats and how companies are protecting their clients from modern and sophisticated attacks.
Cognitive Security offers a suite of solutions focused on protecting clients against network attacks. This is achieved through a range of products and services called Cognitive Analyst, using Network Behavior Analysis (NBA) and Anomaly Detection (AD). Our goal is to close the vulnerability gap left by today’s security limitations, which only concentrate on identifying known threats. NBA can detect modern threats such as zero-day attacks, advanced persistent threats, and polymorphic malware – none of which are traditionally detected by signature-based solutions. Modern attack vectors require a higher level of security expertise to provide the information necessary to mitigate threats before damage is caused. Cognitive Analyst is not a replacement for existing security devices. Instead, it complements existing protection strategies by enhancing the intelligence necessary for detecting future hackers. Our platform serves to discover unique threats that breach a company’s perimeter. Artificial intelligence and game theory methods are used to “catch criminals in the act”.
Figure i. Introducing the Cognitive Analyst Platform
Cognitive1 is ideal for enterprise clients looking for a robust and cost-effective network behavior analysis platform. This includes any finance sector client who needs to protect their environment from fraud. Cognitive1 is also suitable for vertical markets that need to protect their sensitive data from intellectual property (IP) theft. The design goal of Cognitive1 is to ensure that clients have an easy-to-deploy platform that self-configures and auto-tunes to any network environment. The features of Cognitive1 include:
Software Support & Maintenance – The Cognitive Security support team is proactive in helping clients receive the maximum benefit from Cognitive Analyst.
Regular Software Updates – Cognitive Security provides clients with software development expertise, with updates issued quarterly. Cognitive Analyst updates maintain a much higher level of protection from threats – and over a longer timeframe – compared to signature-based solutions like antivirus or firewalls. Our mission is to stay ahead of threats, whereas signature-based solutions continually play catch-up with attackers.
Cognitive1 is designed for networks up to 2.5 Gbps
Cognitive10 targets clients with high speed networks and traffic volumes. This includes telecom providers, mobile operators, network service providers (NSPs or ISPs), or data hosting providers. Cognitive10 is specifically designed to handle high-throughput networks, while maintaining accuracy in detecting modern sophisticated attacks. The features of Cognitive10 include those of Cognitive1 and expand with these additional capabilities:
Cognitive10 is designed for networks up to 10 Gbps – This ensures compatibility with clients that have a higher demand in data throughput.
Adaptive sampling for high-speed networks – This feature ensures that data classification remains accurate as higher volumes of data are processed and analyzed.
Adaptive sensitivity – Cognitive10 has the ability to adapt the severity of data classification over a longer period of time, based on the type and volume of data flow. This provides administrators with higher accuracy in threat classification across their client base.
CognitiveExpert focuses on clients who have requirements for high resolution and data analysis sensitivity. CognitiveExpert is offered to a select group of clients who require bespoke security, such as government organizations, non-governmental organizations (NGO), and critical infrastructure providers. These clients may have smaller data throughput requirements, but need a highly accurate platform for detecting attacks. CognitiveExpert requires a mandatory hardware probe and user-based Deep Packet Inspection (DPI) module for data provisioning. Capabilities of CognitiveExpert include:
User data analysis – Using deep packet inspection (DPI), user data greatly enhances accuracy in threat detection and in understanding the attacker’s methods.
MAC address analysis – By analyzing details at OSI layer 2, further levels of granularity can be analyzed in specific attack vectors that utilize these methods to penetrate a company’s network.
Dedicated Account Management – As an option for CognitiveExpert clients, Cognitive Security offers expertise and analyst resources to help clients understand the severity of events at a granular level.
Experts in Network Behavior Analysis
Cognitive Analyst is a Network Behavior Analysis platform designed to identify a wide range of threats inside a client’s network. It differentiates itself through a low rate of false positives, a low-overhead installation, and a unique self-adapting feature that monitors and improves the system’s accuracy over time. Our competitive advantage is based on the use of advanced artificial intelligence and specialized anomaly detection technologies that ensure highly accurate detection. The intelligence collected by Cognitive Analyst results in an easy-to-integrate, reliable system with long-term stability.
The system processes standard NetFlow v5/9/IPFIX data, available from a wide range of network devices. NetFlow does not contain the contents (i.e. payload) of a communication, therefore data privacy is maintained. Simplicity and efficiency enable the analysis of high-speed links. NetFlow and IPFIX are provided by widely available Cisco, HP, and Juniper switches, routers, and dedicated hardware or software probes.
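Since the whole analysis rests on flow records, it helps to see exactly which fields a NetFlow v5 record carries and which it does not. The following Python example is added here and is not code from this page or from Cognitive Security: it packs a constructed NetFlow v5 datagram (the 24-byte header plus 48-byte records, in the layout Cisco publishes for v5) and parses it back, rejecting a datagram whose length does not match its record count. The sample addresses, ports and byte counts are constructed for the example.

```python
import struct
import ipaddress
from dataclasses import dataclass

# NetFlow v5 wire layout (network byte order), per Cisco's published format:
# a 24-byte header followed by `count` 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


@dataclass(frozen=True)
class FlowRecord:
    """The subset of v5 fields an analyst usually cares about. Note what is
    absent: there is no payload anywhere in the record."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int
    tcp_flags: int


def build_v5_datagram(records, sys_uptime=60_000, unix_secs=1_700_000_000, seq=0):
    """Exporter side, constructed for the example: pack records into one datagram."""
    header = V5_HEADER.pack(5, len(records), sys_uptime, unix_secs, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            ipaddress.IPv4Address(r.src).packed,
            ipaddress.IPv4Address(r.dst).packed,
            b"\x00" * 4,                      # nexthop
            0, 0,                             # input / output ifIndex
            r.packets, r.octets,
            sys_uptime - 500, sys_uptime,     # first / last (sysUptime, ms)
            r.sport, r.dport,
            0, r.tcp_flags, r.proto, 0,       # pad1, tcp_flags, prot, tos
            0, 0,                             # src_as, dst_as
            0, 0,                             # src_mask, dst_mask
            0,                                # pad2
        )
        for r in records
    )
    return header + body


def parse_v5_datagram(data):
    """Collector side: validate the header, then unpack every record."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append(FlowRecord(
            src=str(ipaddress.IPv4Address(f[0])),
            dst=str(ipaddress.IPv4Address(f[1])),
            sport=f[9], dport=f[10], proto=f[13],
            packets=f[5], octets=f[6], tcp_flags=f[12],
        ))
    return {
        "sequence": seq,
        "unix_secs": unix_secs,
        # low 14 bits are the sampling interval; the top 2 bits are the mode
        "sampling_interval": sampling & 0x3FFF,
        "records": records,
    }


# Constructed sample flows (TEST-NET and private addresses), not a real capture.
SAMPLE_RECORDS = [
    FlowRecord("10.0.0.5", "203.0.113.10", 51234, 443, 6, 12, 4120, 0x1B),
    FlowRecord("10.0.0.77", "10.0.1.7", 40001, 445, 6, 1, 60, 0x02),
]

if __name__ == "__main__":
    datagram = build_v5_datagram(SAMPLE_RECORDS, seq=7)
    print(f"{len(datagram)} bytes on the wire")
    for rec in parse_v5_datagram(datagram)["records"]:
        print(rec)
```

The length check matters in practice: a collector that trusts the `count` field without comparing it to the datagram length will read past the end of short datagrams, so the parser refuses them rather than guessing.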
Cognitive Technology
Figure ii. Cognitive Analyst Architecture
Cognitive Analyst uses the data it receives to establish a baseline of network behavior, then analyzes any deviations from that baseline. Deviations may be potential security breaches. These anomalies are then processed in a self-organized, multi-stage process that is designed to reduce the number of false alarms while retaining a high level of threat sensitivity. Incidents discovered are categorized into a number of broad classes and are checked against established threat models and security policies. Any findings are reported to the user through a flexible array of data formats (such as via web, email, syslog, or a Security Information and Event Management platform; Cognitive Analyst supports standard IDMEF reporting and a variety of other formats).
The initial stage of processing takes NetFlow or IPFIX data[1]. This information goes through a “Core Processing” module, consisting of algorithms and agents. Individually these algorithms create a trustfulness score from the data, and output their results to ‘Knowledge Fusion’ to determine which score is the most accurate.
Then the “Self-Monitoring” module introduces various synthetic attacks back into the system to enhance the resiliency of the algorithms. The algorithms are not aware that this is simulated data. This is analogous to airport security staff who need to detect false representations of guns or knives that are periodically displayed on monitors, to ensure the officer is paying attention.
The game-theoretical model provides an aspect of randomness to the system. It ensures that the attacker can never predict the behavior of Cognitive Analyst. The key to high performance is in the combined strengths of the individual detection algorithms, while at the same time eliminating any inherent weaknesses.
In addition, ‘Policies and Models’ are introduced into the platform, to allow conformance to corporate security mandates, and to have the system focus on specific parameters, such as particular attacks, key assets, or custom challenges.
Finally, the ‘Reporting and Dashboard’ module collects results into a database, and these are parsed into an easy-to-understand user dashboard. Users can navigate to various screens and select an appropriate level of detail to analyze and diagnose threats. Data can also be written into various formats such as syslog, email, and SMS, and can also be sent to SIEM or Managed Security Service (MSS) correlation engines for further examination.
Cognitive Architecture
CognitiveSecurity’s product range offers an unprecedented level of visibility into an intruder’s activities. It is analogous to ‘turning on the light, and surprising the cat burglar’. With the use of artificial intelligence, and game theory, this platform provides administrators and security practitioners the ability to quickly assess and mitigate attacks that have traversed their perimeter. These core competencies are offered through a range of products and services called Cognitive Analyst.
Cognitive Analyst provides a highly-interactive web interface that allows an administrator to continuously monitor the status of their network. By using artificial intelligence, Cognitive Security accelerates the identification of zero-day exploits, botnets, or modern malware attacks that may be used to steal corporate assets, intellectual property, or commit fraud. The user interface supports an in-depth investigation of individual security incidents or network anomalies, allowing appropriate actions against attackers. Cognitive Analyst is based on a state-of-the-art anomaly detection methodology, and utilizes the Cooperative Adaptive Mechanism for Network Protection (CAMNEP) algorithm. CAMNEP is based on the latest advances in the field of trust modeling and reputation handling. The platform utilizes standard NetFlow/IPFIX data, and does not require supplementary information (such as application data or user content). Data privacy and data protection are maintained throughout the security monitoring process.
Cognitive Analyst’s products and services utilize a multi-stage detection algorithm to generate a Cognitive Trust Score (CTS), which measures the overall ‘trustfulness’ of the data. Eight algorithms are used to increase the accuracy of threat detection, and these collectively generate the CTS used for the subsequent mitigation of an attack. A selection of these algorithms is summarized as follows:
MINDS algorithm [Ertoz et al, 2004] The Minnesota Intrusion Detection System (MINDS) processes data from a number of flows: 1. Data from a single source IP to multiple destinations, 2. Flows from multiple sources to a single destination, or 3. A series of flows between a single source to a single destination.
Xu et al. algorithm [Xu, Zhang et al, 2005] This algorithm serves to classify traffic sources. A normalized entropy is assessed (i.e. establishing meaning to the apparent randomness of the data), determined by applying static classification rules to the established normalized states.
Volume prediction algorithm [Lakhina et al, 2004] This uses a methodology called Principal Components Analysis (PCA). It is a mathematical procedure used to formulate predictive models. In order to build a model of traffic volumes from individual sources, values are determined based on the number of flows, bytes, and packets generated from each source. The PCA method then identifies the complex relationships between traffic originating from distinct sources.
Entropy prediction algorithm [Lakhina et al, 2005] This algorithm is similar to the PCA model, but uses different features rather than just volume. Entropy prediction aggregates traffic from source IPs, but instead of processing traffic volume, it predicts the entropy of source and destination ports, and destination IPs.
TAPS algorithm [Sridharan et al, 2006] This targets a specific class of attacks by classifying a subset of suspicious sources and characterizing them by three features: 1. The number of destination IP addresses, 2. The number of ports in the set of flows from the source, and 3. The entropy of the flow size. The anomaly of the source is based on the ratio between these values.
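The entropy and ratio features behind the Xu et al. and TAPS descriptions above can be computed directly from flow records. The Python example below is added here and is not code from this page, from the cited papers, or from Cognitive Security: it groups constructed flows by source, computes a normalized entropy (a simplified reading of Xu et al.'s relative uncertainty) of destination IPs, destination ports and flow sizes per source, and applies a simplified TAPS-style ratio test between the number of distinct destinations and the number of distinct ports, which separates a horizontal sweep and a vertical probe from an ordinary client. The flow data, the ratio threshold of 5 and the minimum of 10 flows are assumptions for illustration, not parameters from the papers.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Flow:
    """Minimal flow record, constructed for the example (no payload, as in NetFlow)."""
    src: str
    dst: str
    dport: int
    octets: int


def normalized_entropy(values):
    """Shannon entropy of the observed distribution divided by log2 of the
    number of distinct values seen: 0 = a single value, 1 = uniform spread.
    (Assumed simplification of the relative-uncertainty measure of Xu et al.)"""
    counts = Counter(values)
    if len(counts) <= 1:
        return 0.0
    total = sum(counts.values())
    h = -sum(c / total * math.log2(c / total) for c in counts.values())
    return h / math.log2(len(counts))


def per_source_features(flows):
    """Group flows by source and compute the three TAPS-style features
    (distinct destinations, distinct ports, flow-size entropy) plus the
    destination IP / port entropies used for source classification."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    feats = {}
    for src, fl in by_src.items():
        n_dst = len({f.dst for f in fl})
        n_ports = len({f.dport for f in fl})
        feats[src] = {
            "flows": len(fl),
            "n_dst_ips": n_dst,
            "n_dst_ports": n_ports,
            "ru_dst_ip": normalized_entropy(f.dst for f in fl),
            "ru_dst_port": normalized_entropy(f.dport for f in fl),
            "ru_flow_size": normalized_entropy(f.octets for f in fl),
            # ratio of the larger spread to the smaller; close to 1 for clients
            "taps_ratio": max(n_dst, n_ports) / min(n_dst, n_ports),
        }
    return feats


def taps_suspects(flows, ratio_threshold=5.0, min_flows=10):
    """Flag sources whose destination/port ratio is lopsided (assumed thresholds)."""
    suspects = {}
    for src, ft in per_source_features(flows).items():
        if ft["flows"] < min_flows or ft["taps_ratio"] < ratio_threshold:
            continue
        suspects[src] = "horizontal" if ft["n_dst_ips"] > ft["n_dst_ports"] else "vertical"
    return suspects


# Constructed flows (private and TEST-NET addresses), not a real capture.
SAMPLE_FLOWS = tuple(
    # 10.0.0.5: ordinary client, a few HTTPS sessions plus DNS lookups
    [Flow("10.0.0.5", "203.0.113.10", 443, b) for b in (4120, 3980, 5210, 4470)]
    + [Flow("10.0.0.5", "10.0.0.2", 53, b) for b in (120, 130)]
    # 10.0.0.77: one port across twenty hosts (horizontal sweep), tiny flows
    + [Flow("10.0.0.77", f"10.0.1.{i}", 445, 60) for i in range(1, 21)]
    # 10.0.0.9: sixteen ports on one host (vertical probe), tiny flows
    + [Flow("10.0.0.9", "10.0.1.50", p, 60) for p in range(1, 17)]
)

if __name__ == "__main__":
    for src, ft in per_source_features(SAMPLE_FLOWS).items():
        print(src, {k: round(v, 3) if isinstance(v, float) else v for k, v in ft.items()})
    print("suspects:", taps_suspects(SAMPLE_FLOWS))
```

The ordinary client ends up with a ratio of 1 and a flow-size entropy of 1 (every session differs in size), while both probes have a flow-size entropy of 0 (identical tiny flows) and a ratio of 16 or 20; that contrast, not any single threshold, is what the ratio-based classifiers exploit.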
Cognitive Analyst implements seven agents, summarized into the following groups:
Detection agents encapsulate the above listed detection algorithms by processing all flows from the local probe and using all of the anomaly and trust models to assign a trustfulness score to every flow. This score establishes flow legitimacy from a given agent’s point of view.
These scores are then processed by Aggregation Agents that integrate the opinions of all local detection agents, thus building a consolidated trustfulness value. Each aggregation agent embodies one or more averaging functions (such as arithmetic average or best ordered weighted average). The Reporting and Interface Agents export the CTS in external industry-standard alert formats (IETF IDMEF/TEXT) through channels such as email, ticket reporting, file logs, or syslog.
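To show how per-agent trustfulness scores are fused into a single CTS, and how the self-monitoring idea described under Cognitive Technology (feeding a synthetic attack through the unmodified pipeline) can be checked, here is an added Python example; it is not Cognitive Analyst code, and CAMNEP is not reproduced. Three toy detection agents each score a per-source summary in [0, 1] (1 = fully trusted); an arithmetic average and an ordered weighted average (OWA, which weights the sorted opinions by rank so that the least-trusting opinion can dominate) fuse them; and the result is graded and emitted as a syslog-style text line. The agent divisors, the OWA weights, the risk-grade cut-offs and the sample summaries are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class SourceSummary:
    """Per-source view over one flow batch (constructed, not a real export)."""
    src: str
    dst_ips: int            # distinct destinations contacted
    dst_ports: int          # distinct destination ports contacted
    bytes_per_flow: float   # mean octets per flow


# Toy detection agents: each returns a trustfulness in [0, 1], 1 = fully trusted.
# The divisors are assumed thresholds for illustration only.
def fan_out_agent(s):
    """Many distinct destinations looks like a horizontal sweep."""
    return 1.0 - min(1.0, s.dst_ips / 100)


def port_spread_agent(s):
    """Many distinct ports on few hosts looks like a vertical probe."""
    return 1.0 - min(1.0, s.dst_ports / 50)


def volume_agent(s):
    """Probes are tiny flows; real sessions move hundreds of bytes or more."""
    return min(1.0, s.bytes_per_flow / 500)


DETECTION_AGENTS = (fan_out_agent, port_spread_agent, volume_agent)


# Aggregation agents: fuse the opinions into one consolidated trustfulness.
def arithmetic_average(scores):
    return mean(scores)


def ordered_weighted_average(scores, weights=(0.1, 0.3, 0.6)):
    """OWA: sort opinions from most to least trusting, then weight by rank.
    Putting most weight on the last rank makes the fusion pessimistic."""
    if len(weights) != len(scores):
        raise ValueError("one weight per opinion is required")
    ordered = sorted(scores, reverse=True)
    return sum(w * x for w, x in zip(weights, ordered))


def cognitive_trust_score(summary, aggregate=ordered_weighted_average):
    """Two-stage score: detection agents, then one aggregation agent."""
    opinions = [agent(summary) for agent in DETECTION_AGENTS]
    return aggregate(opinions)


def risk_grade(cts):
    """Assumed cut-offs mapping trust to the dashboard colours."""
    if cts >= 0.7:
        return "green"
    if cts >= 0.4:
        return "yellow"
    return "red"


def report_line(summary, cts):
    """Reporting agent: a syslog-style text alert (plain text, not IDMEF)."""
    return f"nba: src={summary.src} cts={cts:.3f} grade={risk_grade(cts)}"


# Self-monitoring: push a synthetic scanner through the unmodified pipeline
# and confirm it still lands in the red grade.
SYNTHETIC_SCAN = SourceSummary("synthetic-scan", dst_ips=250, dst_ports=1, bytes_per_flow=60.0)


def self_monitoring_check(aggregate=ordered_weighted_average):
    return risk_grade(cognitive_trust_score(SYNTHETIC_SCAN, aggregate)) == "red"


if __name__ == "__main__":
    samples = [
        SourceSummary("10.0.0.5", 3, 2, 4200.0),    # ordinary client
        SourceSummary("10.0.0.42", 30, 1, 60.0),    # slow sweep: one port, 30 hosts
    ]
    for agg in (arithmetic_average, ordered_weighted_average):
        print(f"--- {agg.__name__}, self-check ok={self_monitoring_check(agg)}")
        for s in samples:
            print(report_line(s, cognitive_trust_score(s, agg)))
```

The slow sweep is the interesting case: two of the three agents see nothing unusual, so the arithmetic average leaves it yellow, while the OWA weighting lets the one dissenting agent pull it into red. Which fusion is "best" depends on the false-alarm budget, which is exactly why the aggregation stage is kept separate from the detectors.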
Cognitive Features
Figure iii. The First Hour of Operation
Self-Adaptive & Self-Tuning
From the moment that Cognitive Analyst connects to the network, it begins to capture traffic. Within the first five minutes the self-initialization step begins, and the system captures its first traffic samples and begins analyzing data using two agents. After ten minutes a third agent is live, and after thirty minutes all agents are active and processing their own trustfulness scores. At the thirty-minute mark the system begins self-configuration, and ‘agent replacement’ begins. This is where the Knowledge Fusion function decides which agent data will be utilized in determining the final Cognitive Trust Score (CTS). After one hour Cognitive Analyst is fully operational, and begins self-optimization, with accuracy improving as time progresses. Threat discovery increases in accuracy as the system optimizes throughout its lifetime.
Management Dashboard
Figure iv. Cognitive Analyst – Main Dashboard
The main dashboard depicts an overview of the flows categorized by overall trustfulness (the Cognitive Trust Score, or CTS). Green indicates the lowest risk (i.e. highest trust). Red means high risk. Various grades of risk are displayed in between. The table also shows an overview of trustfulness based on a selected timeframe (this could span minutes, days or even weeks, as specified by the administrator). An events overview tab summarizes all of the categorized traffic and provides details such as source and destination IP addresses, the type of events associated with the traffic, and the total bytes, flows and events linked to them.
The main dashboard also allows the user to quickly select the top IP address of concern, or the top ten IP targets in the given timeframe. An events list provides further details into the top events that can be analyzed by the user.
Figure v. Cognitive Analyst – Filters
Applying Filters
An overview graph can be configured using filters selected by the user. This graphical representation of filtered events allows users to quickly retrieve detailed information, and to drill down to finer details associated with an attacker’s activities and their behavior.
URL Customization
The state of the Dashboard screen has now been integrated into the URL itself. This allows users to modify the URL in their browser to customize the dashboard and save this in their browser favorites for future access. Or it could be shared with another security administrator. The URL can be edited to include pre-set filters, displayed tab, and time period.
Cognitive Deployment
Cognitive Security offers the Analyst platform in the following configurations:
Delivered as a pre-installed virtual appliance
Corporate appliance with traffic capture and analysis including a NetFlow probe
OEM software module – Our development capabilities offer custom solutions for OEM or third-party product vendors.
Cognitive Analyst can be deployed as an appliance, or in combination with a monitoring service. As a service offering, Cognitive Security’s expert analysts provide security monitoring to supplement a client’s security team. Several service levels are offered to address the mosaic of needs of vertical and horizontal markets. Our analysts provide the needed flexibility to an existing security department, and help them to regulate the fine balance between budgets and the need for new security layers.
Deployment options for Cognitive Analyst enjoy a high level of flexibility, in order to enhance a client’s threat detection capabilities:
Corporate Extranet – To detect firewall breaches, polymorphic malware, custom attacks, botnet command & control, or unauthorized access.
Corporate Intranet – To monitor malicious behavior such as malware that is trying to circumvent the perimeter, or insider attacks; or to protect against disgruntled employees who are misusing assets or violating security or corporate policies.
Government, CERT, Education Institutions can benefit from specific terms and pricing. Contact us for details.
Figure vi. Cognitive Analyst – Installation Options
Cognitive Differentiation
Cognitive Analyst detects modern attacks against corporations through intelligent, self-learning analysis of network traffic:
Figure vii. Cognitive Dashboard – Top Targets
Strength of Eight Anomaly Detection Algorithms – This achieves a high sensitivity rate in detecting attacks at the granular level, and low false alarms, by using artificial intelligence in the core processing engine.
Peer-Reviewed Detection Algorithms – Cognitive Analyst is based on tried-and-tested algorithms that have been continually recognized and researched by the scientific community.
Self-Monitoring & Self-Adaptation – Cognitive Analyst automatically configures itself without human intervention, and is able to begin detecting attacks in less than an hour once it has been turned on.
Low integration and management cost – Cognitive Analyst complements an existing security infrastructure and provides the necessary intelligence to address the growing complexity of future threats.
Seamless Integration – To minimize client overhead for integration and deployment, Cognitive Analyst has been architected as a passive self-monitoring and self-adaptive system and provides the necessary intelligence to address the growing complexity of future threats.
Resistance to Hacker Circumvention – Cognitive Analyst uses solid Game Theory Principles, to ensure that hackers cannot predict or manipulate the system’s outcome.
Long-Duration Trust Modeling – Cognitive Analyst compares current data with past assessments (called trust models) to maintain a high level of sensitivity.
Cognitive Analyst has been actively developed with the support of the Department of Defense, in the USA.
Cognitive Highlights
The Cognitive Analyst is not only used to complement an existing intrusion detection deployment, but to also add a critical new layer in a security ecosystem. Below are some key differentiators of the Cognitive Analyst series:
Figure viii. Cognitive Dashboard – Netflow Categorized by Threat Severity
Artificial intelligence – Cognitive Analyst is a self-learning and self-adapting platform, to ensure that the normal behavior of a network can be distinguished from attacks. Our solution overcomes the challenge of detecting these anomalies amongst the chaos of network traffic. A.I. also frees the administrator from manually managing network security on a 24×7 basis, and relying on human resources to find ‘needles in the haystack’. The moment that Cognitive Analyst is installed it begins a continuous tuning processes, resulting in increased accuracy of threat detection as time progresses.
Cognitive Analyst does not use signatures! Our product uses a dynamically created set of adaptive anomaly detection models to provide the best performance in a client’s network environment. It is not subject to the limitations and timeliness of signatures updates that may negatively affect other security devices. Namely, hackers will exploit the timeliness of a company’s delay in implementing signature updates. They will “sneak in under the radar” before a system is patched with new signatures. For this very reason, Zero Day attacks have continued to proliferate in modern exploits. When taken from the perspective of criminal logic – why tell a supplier that they discovered a vulnerability and give them time to patch it, when the criminal could spend that time to create an exploit, and enjoy a window to deploy their attack? Such criminality can result in the theft of millions of dollars. Suppliers then panic and try to patch their vulnerabilities in the midst of an attack.
Eight independent anomaly detection algorithms are used for optimal coverage of the full threat spectrum. Key algorithms have been peer reviewed and independently validated.
Multiple levels of decision-making agents are deployed to ensure that the system can automatically adapt to the dynamics of a deployed network, and its organically changing environment. This reduces operational and integration costs.
Game Theory methods – As some of the implemented algorithms are available to public research communities and are peer-reviewed, the game theory approach is necessary to ensure that the system always stays one step ahead of the attackers, and never allows them to predict the behavior of Cognitive Analyst.
Low-Cost Integration – Cognitive Analyst uses readily available NetFlow data and does not require integration with any other data sources, or neighboring security products. Cognitive Analyst allows for easy system integration, and management through an easy-to-use dashboard.
Maintaining Privacy – Since only NetFlow data is used, a client’s private data traversing the network is protected. Cognitive Analyst does not perform content analysis, thus addressing client concerns regarding data protection or privacy, corporate policy, or regulatory compliance.
Data availability – The network flow, or NetFlow, data specification is a de-facto standard and has been extended and codified as IPFIX in RFC 5101. NetFlow is available from a wide range of network appliances from all major vendors. It is provided by most enterprise-grade Cisco routers, network switches (Enterasys, HP ProCurve) and by dedicated hardware and software probes provided by independent vendors. NetFlow is aggregated over a period of several minutes before being transferred to the Cognitive Analyst system for investigation.
Mode of operation – Cognitive Analyst processes NetFlow data in an on-line mode, with a small delay due to the network flow aggregation process. Each batch of data is processed immediately, and any suspected malicious activity is then discovered and reported to the network administrators via e-mail or alert reporting protocols, logged to file, and/or displayed in the web interface. Alerts are available in the standard IDMEF format, a text format, or a rich web format for easy analysis and quick mitigation.
Self-management – Cognitive Analyst minimizes operational costs by using a self-managing paradigm. This allows the system to perform run-time estimates of its expected sensitivity and false positive rate, and to optimize its configuration to ensure peak performance. This process can optionally be coupled with network security policies and threat models, in order to maximize system effectiveness against the latest attack methodologies.
Development Expertise & Flexibility – Cognitive Security’s team of developers are now in their fourth generation of Cognitive Analyst. This is the culmination of four years of product advancement and hardening. We have built a self-repair mechanism that transparently restores individual components in case of any failure, protecting the rest of the system from degradation. Our relative size allows us to be flexible to client needs, and to quickly turn around tailored software features.
Synopsis
Virtually every corporate, non-profit institution, or government organization in the world is dependent on network access and information services. Securing these networks and systems against automated and hacker-driven attacks is becoming critically important with the growing number of cases of information and asset misuse. Current security solutions are surprisingly fragile when facing today’s sophisticated adversaries. Cognitive Security differentiates itself by providing clients with an advanced platform built on artificial intelligence, and sophisticated modules for auto-configuration and self-tuning.
The Cognitive Analyst has been actively developed with the support of the Department of Defense, in the USA.
About Cognitive Security
Cognitive Security specializes in Network Behavior Analysis, allowing businesses to identify and protect themselves against sophisticated network attacks. Cognitive Security offers solutions designed to fill the security gaps left by the current generation of network security tools. Our expertise in Network Behavior Analysis enables us to accurately expose both known and unknown attacks. Our solution is ideally suited for the detection, prioritization and handling of modern-day attack patterns that would typically bypass or evade a client’s defenses.
Gabriel Dusil oversees the global sales & marketing strategies of Cognitive Security, with a mandate to expand the company’s presence across Europe, the USA, and beyond.
Before joining Cognitive Security, Gabriel was the Director of Alliances at SecureWorks, responsible for partnerships across Europe, Middle East, and Africa (EMEA). Previous to SecureWorks, Gabriel worked at VeriSign and Motorola in a combination of senior marketing and sales roles.
Over nearly two decades, Gabriel’s experience has encompassed the development and management of international partner programs, EMEA marketing & sales, and business development. Gabriel has also lectured in security, authentication, and data communications, as well as speaking in several prominent IT symposiums.
Gabriel obtained a Degree in Engineering Physics from the University of McMaster, in Canada and has advanced knowledge in Cloud Computing, SaaS (Security as a Service), Managed Security Services (MSS), Identity and Access Management (IAM), and Security Best Practices.
Tags
Network Behavior Analysis, NBA, Cyber Attacks, Forensics Analysis, Normal vs. Abnormal Behavior, Anomaly Detection, NetFlow, Incident Response, Security as a Service, SaaS, Managed Security Services, MSS, Monitoring & Management, Advanced Persistent Threats, APT, Zero-Day attacks, Zero Day attacks, polymorphic malware, Modern Sophisticated Attacks, MSA, Non-Signature Detection, Artificial Intelligence, A.I., AI, Security Innovation, Mobile security, Cognitive Security, Cognitive Analyst, Forensics analysis, Gabriel Dusil
[1] Internet Protocol Flow Information Export (IPFIX, RFC 5101 and RFC 5102) is derived from the NetFlow version 9 RFC, and was created due to the need for a universal standard for exporting IP flow information from routers and other network-connected devices.
“Advanced Persistent Threats”, or APTs, involve low-level reconnaissance and exploitation of security perimeters in order to collectively launch a targeted & prolonged attack. The goal is to gain maximum control into the target organization. APTs pose serious concerns to a security management team, especially as APT tool-kits become commercially and globally available. Today’s threats involve polymorphic malware and other techniques that are designed to evade traditional security measures. Best-in-class security solutions now require controls that do not rely on signature-based detection, since APTs are “signature-aware”, and designed to bypass traditional security layers. New methods are needed to combat these new threats such as Behavioral Analysis. Network Behavior Analysis proactively detects and blocks suspicious behavior before significant damage can be done by the perpetrator. This presentation provides some valuable statistics in the growing threat of APTs.