The choice of algorithms needs to be thought out for the cybersecurity applications to clarify the machine’s decision-making process for analysts.
At the 2019 Mobile World Congress, Orange has unveiled three demonstrations linked to its DILAN (Data Intelligence for LAN) research project – or how to harness Artificial Intelligence to support cybersecurity and its experts’ day-to-day work.
Every day, billions of items of data travel across public and private networks around the world. Vast fleets of information that attract interest from hackers looking to steal this data and block or destroy the constantly growing number of applications that are based on these networks – in businesses, in governments and for consumers. To thwart these cybercriminals, cybersecurity analysts work tirelessly each day and carefully monitor the flows of data travelling on these networks. However, faced with the diversity and huge volumes of flows to be analysed, this work is incredibly complex and time-consuming. Well, until the arrival of DILAN…
Improving operational efficiency
“DILAN is the result of discussions between our researchers and the operational experts from Orange Cyberdefense,” explains the project’s manager, Stéphane Morucci. The experts at Orange Cyberdefense are in charge of data and network security for Orange Business Services’ many different private and public sector clients. “They have consulted us,” adds Stéphane Morucci, “for help in detecting certain threats that are particularly difficult to handle with current techniques: the spreading of viruses (such as the infamous WannaCry virus), the presence of exfiltration software targeting sensitive data (theft of banking data, identity, industrial secrets, identification of a company’s weaknesses, etc.) or even the existence of botnets (dormant networks of robots that wake up when activated by a hacker to simultaneously attack a specific target with often fatal consequences).
Our teams of researchers have taken the initiative to explore certain Machine Learning techniques that are particularly effective for detecting anomalies (and therefore potentially attacks) within very large volumes of data.”
A transversal project team has therefore been set up, bringing together Artificial Intelligence researchers (including PhD students, cybersecurity experts, Big Data specialists and developers), supported by contributions from marketing managers, data visualisation experts and other managers. What is the aim? To build an Artificial Intelligence that is specially trained to detect cyber threats thanks to algorithms that are at the forefront of innovation. “This AI is not intended to replace cybersecurity analysts,” notes Stéphane Morucci, “but instead aims to facilitate and accelerate their work.” Today, estimates show that security experts spend around 50% of their time analysing threats that turn out in the end to be “false positives” (i.e. unproven threats). The AI selects the threats that need to be looked at in priority in order to save valuable time for analysts and help improve operational efficiency.
Algorithms with leading-edge technology
With the experimental solution DILAN, the machine can look for the needle in the haystack on behalf of analysts. It is designed to interface simply with the most widely used SIEM – Security Information and Event Management – software, the core foundation for a managed security solution. Tuned into information escalated by the client’s IS, DILAN’s AI will analyse this and learn over time what should be considered as normal use or not. This automatic analysis can also be complemented with feedback from analysts to deliver further benefits. After a certain amount of time, DILAN will have learned enough to become independent and hunt down threats, while significantly limiting the number of false positives submitted for review by analysts. “The main innovation with this project,” explains Baptiste Olivier, who heads up the Artificial Intelligence section of the DILAN project, “concerns the choice and combination of learning algorithms. The deep neural network-based approach, which works particularly well for recognising images for instance, produces results that are difficult to interpret and therefore needs to be combined with algorithms that make it possible to facilitate interaction with security analysts. With this type of application where human expertise considerably improves AI performance, it is essential to have precise knowledge of how the machine has reached its decision, ideally step-by-step.”
AI, an experimental research field…
DILAN also offers another asset: transfer learning methods, i.e. the ability to reuse knowledge built up on another network in order to avoid having to relearn everything from the beginning. For example, after being trained on a client company’s IS for several weeks, this AI could be replicated on another company’s IS ‑ with virtually similar flows ‑ and be operational in just a few days (setting up the detection policy for an SIEM takes several weeks). DILAN can supplement current processes in this area as well to enable operational teams to perform more effectively, which represents a differentiating factor compared with the competition.
Lastly, for analysts’ convenience and to provide quality reports for end clients, the DILAN project is exploring new solutions for visualising the vast quantities of data handled and analysed: for instance, the interface presents each node on the network and shows its flows in real time – with traffic considered to be normal highlighted in green, suspicious flows in amber and the priority threats to be investigated in red.
“Thanks to the close cooperation between our researchers and our business experts, we have developed a ground-breaking and flexible solution that works perfectly in our labs,” concludes Stéphane Morucci. “We are now ready to launch DILAN on production data flows and we are looking for partners to carry out field tests, with real use cases, which may, if necessary, influence the project’s technological roadmap.” DILAN’s modular design makes it easy to adapt to different existing architectures: if required, its algorithms can even be pushed to locations where data are stored, which makes them compatible with the General Data Protection Regulation (GDPR).
DILAN can potentially make life easier for cybersecurity analysts in a number of sectors: IT services, operators, industry or even the Internet of Things, for both Business and Consumer markets. Calling all interested CIOs!