What We Launched: Industry’s First Real-Time Deep Learning Platform for Network Threat Protection


Balaji Prasad

In one of our previous blogs, we discussed the deficiencies of signature based detection systems and malware sandboxes against the new threat landscape of malicious, morphing malware.

Last Tuesday, we launched industry’s first network threat protection platform powered by deep learning to address these automated attacks. Specifically, our key features include:

  • Threat detection verdicts in less than a second, with low false positives
  • Deep learning inspection of the complete network flow including payloads, headers, C2 communications and URLs
  • Real-time threat categorization and kill chain analysis of detected threats
  • Near real-time prevention via seamless integration with key vendors
    • Endpoint – Crowdstrike, Carbon Black, Comodo
    • Firewall – Palo Alto Networks
    • Proxies – A10, Squid
  • A robust dashboard with details on threats and network traffic inspected

Here’s what guided the development of our platform:

1. Threat detection must be at the speed malware is unleashed, in less than a second

If you take the example of an unknown malware variant, the current time to detect using existing defenses may involve the time needed for malware sandboxing followed by a threat signature update, and then the time it takes for the signature to be updated on the security device. This entire process may take 12-24 hours. We believed we could do better, using deep learning, and we did. Our average threat detection rates are in subseconds.

2. Harnessing deep learning will deliver the speed and efficacy needed

Using the vast amounts of threat data and processing power now available, deep learning can be applied to more effectively address the threats that are facing today’s enterprises.

But first, let’s be clear on the differences between deep learning and machine learning: deep learning is a subset of machine learning, but deep learning learns from data itself, and requires no human-engineered features. This means that for threat detection, deep learning learns to represent what “mal-intent” actually looks like based on the data it is trained on. Watch Arri Ciptadi, our Principal Machine Learning Scientist explain this in a lightboard video.

There are several reasons why deep learning technology is the right one for network threat detection today:

  • Architecture and deep learning models have evolved significantly
  • Hardware and software processing power and optimization is now available, particularly because of processing resources available.
  • Massive threat data is available for deep learning training and validation of models

3. The best place to deploy a real-time deep learning platform is at the network

We know that 73% of attacks are caused by external attackers (see Verizon DBIR 2018). Therefore, if we can stop a threat at the network as it enters the enterprise, we can stop Patient Zero and prevent the attack from moving laterally inside the network. Additionally, the processing power needed for deep learning is more easily available on a network security appliance.. This allows for larger models with greater coverage and efficacy to be deployed, unconstrained by CPU and memory as one would find on an endpoint.. Our deployment at the network perimeter also enables us to inspect the complete network flow, and provide high efficacy verdicts on threats.

4. Prevention is possible (and important)

Security teams are overwhelmed enough that just detecting and alerting on threats isn’t good enough. We support near real-time prevention to all network and endpoint devices that can terminate malicious traffic. Our choices for our integration were dictated by our customers.