By Ulrica de Fort-Menares, Vice President of Product Management for Infrastructure Assurance at BlueCat Networks
Artificial intelligence (AI) has the power to reshape how you operate your network security infrastructure.
Firewalls have been a first line of defense in network security for many years and must always be operational. Maintaining five nines, or service availability 99.999% of the time, requires skilled network security practitioners. However, many enterprises have a limited number of security experts and struggle to find enough skilled expertise to manage their increasingly complex network infrastructure.
An AI-powered, knowledge-based expert system can expand team skills so that they’re available around the clock and can help your enterprise more easily manage highly complex network security infrastructure.
In this article, we’ll explore three ways that AI can boost your network security operations and augment limited resources. Specifically, we’ll look at how you can:
- Use a knowledge-based expert system to find hidden issues in your security infrastructure before they become bigger problems
- Combine that system with automation to automatically troubleshoot complex problems, much like a human would
- Utilize machine learning models to detect anomalies in an enterprise environment
Find hidden issues with a knowledge-based expert system
A knowledge-based system is a form of AI that encodes the collected knowledge of human experts to detect and solve difficult problems. Knowledge-based systems generally consist of a data repository or knowledge base, an inference or rules engine to locate and process data, and a user interface. Knowledge-based systems can assist with expert decision-making, easily process large quantities of data, and reveal insights or create new knowledge from existing information.
When applied to network security, a knowledge-based system contains in-depth knowledge, culled from human experts’ technical practices and experiences, of how security infrastructure should work and behave. Like a firewall engineer, it can analyze data, detect issues, and prioritize alerts, just with much greater speed and at a much larger scale than what a human is capable of. A system based on the knowledge of human experts can assist with identifying problems and can help network security teams troubleshoot technical issues. It can augment team skills, allowing teams to do more with less.
Let’s look at a specific example of a network security application:
A knowledge-based system can know how important a Border Gateway Protocol (BGP) peer is to route traffic to the internet and that detecting BGP issues is more than just monitoring the peer state. It can also ensure that the routing process learns routes from its BGP peer and passes the information to the secure gateway’s routing table. Further, it can alert you the moment it detects a hidden route condition.
Another benefit of a knowledge-based system is its sophisticated rule engine, which can detect complex problems. Building on the same BGP example, the system has knowledge about a clustered environment. If the passive member of the cluster does not have any active routes, it is OK. But if the active member of the cluster has zero active routes, it is not OK. The system operates on more than just a simple if-then-else construct.
Auto-triage with a knowledge-based expert system
Perhaps one of the most important uses of AI is to help us automate tasks. By coupling a knowledge-based expert system with an automation engine, we can perform automated troubleshooting. The system applies a broad base of domain-specific expertise and makes intelligent decisions about the situation. Much like a human would, it walks down a decision tree to diagnose a complex problem.
Let’s explore this further using the example of a BGP peer going down. The system runs investigative steps. It follows a troubleshooting workflow with branches gathered from industry experts and fed into the system. Applying domain knowledge is key to determining what relevant information to analyze.
In this example, multiple conditions and scenarios are considered, as the troubleshooting steps have different branches based on the configuration. The steps to troubleshoot a Layer 2 BGP connectivity issue are very different from one in Layer 3. As you can see from this workflow, troubleshooting a down BGP peer isn’t exactly a straightforward task.
Using a knowledge-based expert system to automatically diagnose a problem augments IT teams and improves mean time to resolution.
Detect anomalies with machine learning models
Any nuances in the operational conditions of security infrastructure can signal unacceptable levels of business risk. Therefore, anomaly detection is an important tool for identifying rare events or outliers that may be significant.
For example, if a firewall is receiving a sudden increase in “non-syn-tcp” first packets, it may be indicative of an asymmetric routing issue in the network environment. The ability to detect these rare conditions or outliers can avoid bigger problems.
While machine learning is one of many kinds of AI, it is typically most used for detecting anomalies. One of the simplest and oldest ways to detect anomalies is to use statistical methods, such as standard deviation or z-score. However, these methods have some limitations, such as being sensitive to outliers, assuming a fixed distribution, and not capturing complex patterns in the data.
In this chart, we are looking at the number of concurrent connections over four months. A human can easily identify the three outliers, but a machine needs to be trained. The outliers are:
- A dramatic increase in the number of connection counts in late October
- A similar increase in the middle of November
- Then, a dramatic decrease of connection counts over the Christmas holidays
Deep learning for anomaly detection can apply to security infrastructure in novel ways. For example, we can examine data relating connection counts with CPU usage to find common patterns. With deep learning methods, we can provide even higher fidelity alerts around anomalies.
The autoregressive integrated moving average model is known for forecasting stock market returns. But we can leverage this algorithm and machine learning to make predictions about your security infrastructure based on historical data. For example, the system can determine at what point your device needs upgrading to support your number of concurrent connections. This can greatly simplify capacity planning.
Summary
Without automation, security teams would spend countless hours gathering diagnostics and data just to keep firewalls and other security infrastructure up and running. Still, a typical security engineer can spend a notable portion of their time identifying and remediating known errors. Security teams often have limited resources, resulting in an even greater need for automated diagnostics and issue detection.
With an AI-powered solution, you can leverage machine learning models and a knowledge-based expert system to detect potential issues before they become bigger problems and troubleshoot these anomalies in your environment like a human would. And it can serve up recommended remediations that security engineers would otherwise have to find and implement manually.
While its capabilities are relatively nascent, even today’s AI has the power to transform the way you operate your network security infrastructure.