SOLUTION BRIEF

THREAT INTELLIGENCE WITH INTEGRATED AI AND ML REDUCES RISK AND SUPPORTS PERFORMANCE

EXECUTIVE SUMMARY

In today’s landscape of increasingly sophisticated, zero-day malware, threat detection that uses artificial intelligence (AI) is no longer an optional part of an organization’s network security strategy. Fortinet was an early adopter of AI for threat analysis, setting up a self-evolving threat detection system over six years ago and training it with new data every day since then. Threat intelligence from FortiGuard AI is now a part of every solution in the Fortinet Security Fabric, and it is available in-line within the FortiWeb web application firewall. FortiGuard AI uses an artificial neural network (ANN) with billions of nodes to analyze each file or URL for features indicating it is clean or a potential threat. A binary decision then labels each file as clean or malicious with a high degree of accuracy and at machine speed.

TRANSFORMING NETWORK SECURITY WITH AI AND ML

With a threat landscape that is becoming increasingly complex and fast-moving, traditional security approaches no longer can keep pace. AI and machine learning (ML) are changing the game, however. The essence of AI is to replicate the analytical processes of human intelligence at machine speed, and machines are now able to detect malicious threats many times faster and more accurately than humans.1

AI is built around a deep learning model using ANNs, which use hardware and software to build a configuration that is patterned after the operation of neurons in the human brain. For example, humans’ perceptions adapt and evolve based on new information that they absorb. In an ML training process, which is a subset of AI, models are fed vast amounts of information on an ongoing basis, and the system analyzes that information and adjusts algorithms based on new tactics and capabilities adopted by malware or an attack vector.

It is not hyperbole to say that AI and ML are an indispensable part of an organization’s larger network security strategy, as there is no way that some of today’s most advanced threats can be detected and quarantined manually before they do damage. Zero-day attacks can only be identified by their behavior and characteristics, and the features of clean files versus threats can best be refined with billions of examples.

REFINING ALGORITHMS WITH EXTENSIVE TRAINING AND DATA

The ML model in FortiGuard AI uses three learning models:

nn Supervised learning. Model is trained by feeding it a vast amount of labeled data and then applying the characteristics found to unlabeled data.

nn Unsupervised learning. Algorithm has no known solution set to go by, but recognizes patterns that enable it to label the data without human help.

nn Reinforcement learning. Results of supervised and unsupervised learning are “tested,” with the machine’s performance with unlabeled files scored and the system “rewarded” for good results.

AI systems that do not use all three learning models are incomplete, as each model helps refine the results and improve their accuracy. And to solve a problem as complex as the current threat landscape, massive amounts of data are required on an ongoing basis to give the ANN what it needs to adapt and reinforce rules over time.2

Fortinet was an early adopter of AI for threat

analysis, setting up a self-evolving threat

detection system over six years ago and

training it with new data every day since then.

2

SOLUTION BRIEF: THREAT INTELLIGENCE WITH INTEGRATED AI AND ML REDUCES RISK AND SUPPORTS PERFORMANCE

BENEFITING FROM YEARS OF AI EXPERIENCE

Fortinet was early to recognize the realities of today’s advanced threat landscape. Over six years ago, FortiGuard Labs, Fortinet’s research and development organization, designed and launched a self-evolving threat detection system and used ML to train it with daily additions of new data.

Threat intelligence and signatures from FortiGuard AI are now a part of every element of the Fortinet Security Fabric, and its capabilities are now available in-line within the FortiWeb web application firewall to protect customers from threats impacting cloud-based solutions.

FortiGuard AI collects, analyzes, and classifies threats at machine speed with an extremely high degree of accuracy. Its comprehensive threat detection leverages AI and ML to write signatures for new malware in real time and publishes them across the entire Security Fabric. The technology behind FortiGuard AI is also used to scour the Internet for bad domains, enabling real-time domain reputation.

DELIVERING TRUE AI WITH CONTINUOUS TRAINING

A number of cybersecurity companies now claim to have introduced AI capabilities into their solutions, but many fall short of true AI while others simply do not divulge the methods that they use.3 Fortinet opts to be more transparent about its methodology so that customers know the breadth and depth of the analysis involved.

Fortinet’s ANNs consist of more than 3 million security sensors around the globe, each of which collects samples that are then processed by more than 5 billion nodes to identify unique malicious or clean features. The system now makes more than 100 billion web queries every day and blocks 2,600 malicious URLs every second.

FortiGuard AI uses the following essential elements of true AI:

nn Supervised, unsupervised, and reinforcement learning with massive amounts of new data added every day.

nn User and Entity Behavior Analytics (UEBA) in FortiSIEM 5.0, which learns patterns in typical user behavior such as location, time of day, devices used, and specific servers accessed. FortiSIEM then automatically notifies security operations teams when anomalous activity occurs.

nn Proprietary unpackers that perform deep inspection of packaging and wrappers used to encrypt malicious code, stopping malware at the perimeter through analysis of these features.

Each item in the knowledge base has been extensively analyzed to identify granular features, and the importance of each feature is weighted via probability analysis to assist in decision-making. Through ongoing ML, specific features can increase or decrease in their influence on the final decision based on the evolution of threats.

FIGURE 1: AN EXPERT SYSTEM USES ALL THE ELEMENTS OF AI—TRAINING

SYSTEMS USING ML, INCLUDING ADVANCED DEEP LEARNING TECHNIQUES.

FortiGuard AI collects, analyzes, and classifies

threats at machine speed with an extremely

high degree of accuracy. Its comprehensive

threat detection leverages AI and ML to write

signatures for new malware in real time

and publishes them across the entire

Security Fabric.

3

SOLUTION BRIEF: THREAT INTELLIGENCE WITH INTEGRATED AI AND ML REDUCES RISK AND SUPPORTS PERFORMANCE

USING MULTIPLE LAYERS AND MILLIONS OF NODES

The Multilayer Perception architecture of FortiGuard AI consists of four layers, which send different file types to different nodes within each layer and use advanced algorithms to proactively determine whether each new sample poses a threat:

nn The input layer processes the input file.

nn The malicious layer uses 2.3 million ANN nodes to analyze potential malicious features.

nn The clean layer uses 3.2 million ANN nodes to analyze files for clean features.

nn The output layer makes the decision and provides a weighted binary output.

SHARING INTELLIGENCE ACROSS THE SECURITY FABRIC

Every time a threat is identified, FortiGuard AI generates threat intelligence that automatically updates defensive signatures across the Fortinet Security Fabric to defend customers using Fortinet’s advanced threat detection and protection solutions. All of this happens seamlessly and behind the scenes—requiring no staff time from an organization’s security analysts.

This is especially advantageous for customers that have integrated their security architecture by deploying multiple Fortinet Security Fabric solutions. The Fortinet Security Fabric integrates and automates threat detection, prevention, and remediation capabilities through sandboxing and shares threat intelligence—including the advanced threat protection from FortiGuard AI—across each security element in real time, improving operational efficiencies while mitigating risks.

Because Fortinet covers the network from end to end, we have a unique and comprehensive view that covers every component needed to protect an organization’s ecosystem—from the data center to multiple clouds. And because FortiGuard AI threat detection is incorporated into the Security Fabric’s centralized visibility and controls, the network security team can work proactively based on accurate information.

FIGURE 2: FORTIGUARD AI USES A MULTILAYER PERCEPTION APPROACH TO

ANALYZE EACH NEW SAMPLE FOR MALICIOUS AND CLEAN FEATURES.

Every time a threat is identified, FortiGuard

AI generates threat intelligence that

automatically updates defensive signatures

across the Fortinet Security Fabric to defend

customers using Fortinet’s advanced threat

detection and protection solutions.FortiGuard AI analyzes each feature and assigns a score based on the current weighting of each feature in the malicious and clean layers. Although the result is a binary decision—clean or malicious—each file carries a specific score according to the probability that it represents a threat. After years of ML training, Fortinet’s binary conclusions are nearly 100% accurate.

SOLUTION BRIEF: THREAT INTELLIGENCE WITH INTEGRATED AI AND ML REDUCES RISK AND SUPPORTS PERFORMANCE

D:\Fortinet\Work\September 2018\092918\sb-threat-intelligence-integrated-ai-and-ml

Copyright © 2018 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

GLOBAL HEADQUARTERSFortinet Inc.899 Kifer RoadSunnyvale, CA 94086United StatesTel: +1.408.235.7700www.fortinet.com/sales

EMEA SALES OFFICE905 rue Albert Einstein06560 ValbonneFranceTel: +33.4.8987.0500

APAC SALES OFFICE8 Temasek Boulevard #12-01Suntec Tower ThreeSingapore 038988Tel: +65-6395-7899Fax: +65-6295-0015

LATIN AMERICA HEADQUARTERSSawgrass Lakes Center13450 W. Sunrise Blvd., Suite 430Sunrise, FL 33323Tel: +1.954.368.9990

September 29, 2018 8:37 AM235423-0-0-EN

CONCLUSION

FortiGuard AI delivers automated threat analysis and detection to ensure that Fortinet customers are protected from the most recent threats at machine speed. Fortinet delivers true AI, with six years of ML training and a knowledge base of hundreds of billions of file samples—and almost 100% accuracy in identifying threats. Hundreds of thousands of Fortinet customers around the world already benefit from AI-derived threat intelligence across all their Fortinet solutions to keep their entire network protected.

1 Zeljka Zorz, “AI is key to speeding up threat detection and response,” Help Net Security, August 14, 2017.2 Ophir Tanz and Cambron Carter, “Why the future of deep learning depends on finding good data,” TechCrunch, July 21, 2017.3 Scot Finnie, “AI in cybersecurity: what works and what doesn’t,” CSO, August 15, 2018.

FIGURE 3: FORTINET’S ADVANCED THREAT INTELLIGENCE AUGMENTS PATTERN RECOGNITION AND AUTOMATIC SIGNATURE CREATION TECHNOLOGY,

IMPROVING ITS ACCURACY OVER TIME WITH CONTINUOUS LEARNING AND FEATURE IMPROVEMENT.