As described in earlier posts, a Next Generation Network Intrusion Detection System (NG-NIDS) is a software- or appliance-based solution that monitors network traffic for indications of cyber-attacks or intrusions that have evaded the firewall or endpoint controls. Once identified, high priority attacks can be contained by the NG-NIDS via integration with existing infrastructure or by forwarding contextualized alerts to an SOC team for forensic analysis.
What makes NG-NIDS successful is the integration of machine learning-based technology to power core detection capabilities. Machine learning is an algorithmic method by which an application automatically learns from input and uses feedback to improve performance.
One of the original and more commonly marketed methods of machine learning as applied to cybersecurity is based upon the Bayesian network model. Bayesian network is a model that identifies a probabilistic relationship between variables based on profiling over time. This model has been prototypically used for detection of anomalous behaviors, such as DDoS attacks or data exfiltration in a post-breach scenario.
While these technologies can be extremely effective in meeting these use cases, application of this technology to a broad range of network malware-based threats is limited. The volume and changeability of network traffic makes it difficult to understand what activity is normal. This gives threat actors opportunities to “hide in plain sight” or fool the system that their activity is normal.
The next evolution of this behavioral-based approach, applied specifically to fileless and file-based malware attacks, can be found in speculative code execution (SCE), also known as “network emulation.” This application of machine learning operates on any network stream and emulates how malware will behave when it is executed. Operating at line speeds, SCE determines what an input can do if executed and to what extent these behaviors might initiate a security breach. By covering all potential execution chains and focusing on malicious capacity rather than malicious behavior, this analytic technology vastly reduces the number of execution environments and the quantity of analytic results — often to just two or three — that must be investigated.
The last and rarest machine learning technique leverages supervised machine learning. With this technique, the algorithms are exposed to data, called training instances, which are labeled to produce highly accurate models. While the concept of training and labelling may seem trivial, it is a difficult, expensive and time-consuming process to attain enough training instances of each label to produce models with low false positive/negative rates. In fact, within the network attack detection context, subject matter experts must be used to manually look at every training instance to determine its label, with the number of training instances required in the trillions. The resultant algorithms can be applied to detect aberrations at a binary level, enabling the detection engine to statically identify malware attacks via the presence or absence of particular code features.
Use of machine learning – particularly speculative execution and supervised machine learning – as the technological core of a NG-NIDS makes it possible to once again fulfill the promise that the traditional NIDS was intended to deliver – to identify network attacks with low rates of false positives and negatives. A word of warning, however: Machine learning has become a “buzzword.” For those interested in a machine learning powered NG-NIDS, it is critical to “try before buying.” Only then can you truly evaluate whether the technology meets your use case.