Cato Networks has introduced real-time, deep-learning algorithms for threat prevention as part of Cato IPS. The algorithms leverage Cato’s unique cloud-native platform and vast data lake to provide highly accurate identification of malicious domains, which are often used in phishing and ransomware attacks.

In testing, the deep learning algorithms identified nearly six times more malicious domains than reputation feeds alone. Cato’s Security Research Manager, Avidan Avraham, and Cato Data Scientist Asaf Fried presented on the use of machine learning to detect C2 communications at the AWS Summit in Tel Aviv.

Tapping deep learning to stop phishing and ransomware attacks

Real-time identification of malicious domains and IPs is essential to stopping phishing, ransomware, and other cyber threats. The traditional approach – relying on domain reputation feeds to categorise and identify malicious domains – has proven far too inaccurate as domain generation algorithms (DGAs) enable attackers to quickly generate new domains, which lack reputation.

At the same time, users continue to click through to malicious domains mimicking well-known brands (such as microsoftt[dot]com or amazonlink[dot]online) whose lack of reputation also makes detection by reputation feeds alone unreliable.

Cato’s real-time, deep-learning algorithms address both problems. The algorithms prevent access to DGA-registered domains by identifying those new domains infrequently visited by users and with letter patterns common to DGAs.

They block cybersquatting by hunting for domains with letter patterns similar to well-known brands. And the algorithms stop brand impersonation by examining parts of the webpage, such as the favicon, images, and text.

These radical advancements in network security are enabled by the cloud-native architecture of Cato’s technology. Real-time deep learning algorithms require significant compute resources to avoid disrupting the user experience.

The Cato SASE Cloud provides those resources. In milliseconds, Cato inspects flows, extracts their destination domain, measures the domain’s risk, and infers the necessary results from the traffic without disrupting the user experience.

At the same time, deep learning models need extensive training data. The massive data lake underlying Cato SASE Cloud provides that resource. Built from the metadata of every flow traversing Cato and further enriched by 250+ threat intelligence feeds, the deep learning algorithms benefit from analysing patterns across all Cato customers.

Those insights are further enhanced by custom analyses derived from customers’ traffic—the result: precise, algorithmic identification of suspicious domains.

Real-time deep learning yields 6x improvement in threat detection

Cato Research Labs routinely observes tens of millions of network connection attempts to DGA domains from across the 1700+ enterprises using the Cato SASE Cloud. For example, of the 457,220 network connection attempts to DGA domains made in a sample period, only 66,675 (15 per cent) were listed in the 250+ threat intelligence feeds consumed by Cato.

By contrast, Cato algorithms identified the rest, over 390,000 additional DGA domains, a nearly six-fold improvement.

Real-time, deep learning: just one part of Cato’s security protection

Cato’s real-time, deep learning algorithms are not the only way Cato detects and stops threats. The Cato SASE Cloud’s combination of SWG, NGFW, IPS, NGAM, CASB, DLP, RBI, and ZTNA provides multitiered protection against exploitations, disrupting cyberattacks at multiple points in MITRE’s ATT&CK Framework.

The deep learning algorithms are the latest AI and ML additions to the Cato SASE Cloud. Cato has long used machine learning for offline analysis to solve problems at scale, such as OS detection, client classification, and automatic application identification. ChatGPT is also used in various ways, including automatically generating descriptions of threats for Cato’s threat catalogue.

“ML and AI are essential to defending against the ever-evolving, sophisticated, and evasive cyber-attacks. But that’s easier marketed than done,” says Elad Menahem, senior director of security at Cato Networks. “ML algorithms must be trained and re-trained on high-quality data to provide value.

“Cato’s data lake provides an enormous advantage in that area. Its convergence of rich networking data and security sources, coupled with its sheer scale, enables Cato to train algorithms in unique ways. Our current work is only the start of AI and ML innovation.”

Asaf Fried, Data Scientist, Cato Networks, said; “Real-time ML must be continuously trained and updated to deal effectively with evasive attacks. A SASE cloud allows training on quality data at scale and continuous updates. Appliance-based solutions can’t offer either, making enterprises who rely on them for their network security an easier target.”