Employing Artificial Intelligence and Machine Learning to Enhance Threat Intelligence Accuracy
How to employ threat intelligence accuracy to enhance DDoS defenses
The backbone of any DDoS defense is accurate, operationalized threat intelligence.
Without the properly vetted knowledge that world-class threat intelligence provides, your network can identify and mitigate only a small percentage of the distributed denial-of-service (DDoS) attacks your organization faces daily.
The Importance of Accurate Threat Intelligence
Defending your network efficiently requires as much knowledge about your adversary as possible, along with the ability to operationalize that knowledge so your DDoS solutions can adapt their defenses as attackers change their techniques.
Artificial intelligence (AI) has come to encompass a wide range of technologies, although these days most people think of AI as a ChatGPT-style large language model (LLM). NETSCOUT does not use LLMs today in any of our products. The current state of LLM technology results in unpredictable output and in our view is unsuitable for use in automated cybersecurity applications responsible for handling live network traffic. Current LLMs are notorious for making up information (the so-called “hallucination” problem) to answer a question.
This means that their output cannot be fully trusted unless reviewed by a human being with domain knowledge of the subject. To provide reliable cybersecurity protection, we depend on having deterministic, predictable results from any algorithm used in our solutions without requiring manual human review. Therefore, we do not rely on these technologies currently. We are aware of competing cybersecurity products that do claim to use these technologies to “predict” attacks but have heard complaints that this results in those products frequently blocking large amounts of legitimate traffic.
That said, we do use automated algorithms that can fall under the umbrella of AI but that are deterministic and predictable in their analysis and output. These we can and do use to automate the process of detecting and blocking attacks in our products.
Value of Threat Intelligence Is Due to Visibility
Our Arbor Security Engineering Research Team (ASERT) has unprecedented global visibility into internet traffic, and in particular DDoS attacks, via our ATLAS data collection platform. We monitor, in real time, 425 Tbps or more of internet traffic across more than 500 internet service providers (ISPs), more than 1,200 enterprise sites, and networks within 93 countries. This represents between 40 and 50 percent of the internet at any given time. No other DDoS vendor in the market can claim this extensive visibility into current DDoS attack activity.
We use this unprecedented visibility to provide DDoS and other threat intelligence to our products via our ATLAS Intelligence Feed (AIF). This lets our products know in advance exactly which internet sources are currently launching DDoS attacks, and to automatically block those sources the instant they attack a protected network.
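As an added illustration (not NETSCOUT's code or the AIF logic; the feed entries, addresses and thresholds are constructed), the following Python contrasts blocking every feed-listed address on reputation alone with blocking a feed-listed address only when it is actually attacking a protected host, which is what keeps a reputation feed from turning into a false-positive generator:

```python
"""Feed-gated source blocking (constructed example, not NETSCOUT's AIF logic).
A source is dropped only when it is BOTH on the threat-intelligence feed AND
currently sending attack-rate traffic to a protected host."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed threat feed: known DDoS sources with a confidence score (0..1).
THREAT_FEED = {"203.0.113.7": 0.95, "198.51.100.22": 0.80, "192.0.2.9": 0.40}

# Constructed per-second flow summaries: (src_ip, protected_dst_ip, packets/s).
FLOWS = [
    ("203.0.113.7", "10.0.0.5", 50_000),   # feed hit, attack rate -> block
    ("198.51.100.22", "10.0.0.5", 120),    # feed hit, benign rate -> allow
    ("192.0.2.9", "10.0.0.5", 90_000),     # attack rate, low confidence -> flag
    ("203.0.113.44", "10.0.0.5", 70_000),  # not on feed -> outside this gate
]

@dataclass
class Decision:
    src: str
    action: str   # "block", "allow" or "flag"
    reason: str

def decide(flows, feed, pps_threshold=10_000, min_confidence=0.75):
    """One Decision per source. Blocking requires feed membership, sufficient
    feed confidence and an observed attack rate toward a protected host."""
    rate = defaultdict(int)
    for src, _dst, pps in flows:
        rate[src] += pps
    decisions = []
    for src, pps in rate.items():
        conf = feed.get(src)
        if conf is None:
            decisions.append(Decision(src, "allow", "not in feed; other defenses apply"))
        elif pps < pps_threshold:
            decisions.append(Decision(src, "allow", "feed hit but no attack traffic"))
        elif conf < min_confidence:
            decisions.append(Decision(src, "flag", "attack rate but low feed confidence"))
        else:
            decisions.append(Decision(src, "block", f"confidence {conf}, {pps} pps"))
    return decisions

def blocked_sources(flows=FLOWS, feed=THREAT_FEED):
    return sorted(d.src for d in decide(flows, feed) if d.action == "block")

def reputation_only(feed=THREAT_FEED):
    """Naive alternative: block everything on the feed regardless of behaviour."""
    return sorted(feed)
```

With the constructed data, the gated policy blocks only 203.0.113.7, while the reputation-only policy would also drop 198.51.100.22, a feed-listed address that is sending nothing resembling an attack.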
The Future: Adaptive DDoS Protection
Generating the AIF data requires us to ensure accuracy, mine useful attack sources out of such a large and noisy dataset, and minimize the risk of false positives. We are using AI/ML in this process—especially ML, which allows us to better ensure the accuracy of the data via automated real-time analysis. Because this is used to generate the AIF feed content, all customers using the AIF feed benefit from our use of AI/ML for this service.
These AI/ML algorithms run in our ATLAS cloud infrastructure as part of our data collection and analysis pipeline, meaning that we can update them at any time without requiring updates to the product software itself. For adaptive DDoS protection, we use automated traffic analysis algorithms that we consider to be AI to detect attacks, identify the nature of the attack, and recommend specific countermeasures or configurations of NETSCOUT Arbor Edge Defense (AED) to optimally block that attack.
We have a robust roadmap for continuing to add more uses of ML and AI to adaptive DDoS protection to further automate its analysis for new classes of attacks as well. This is the primary way that AI/ML will be delivered as part of the products themselves. But we will also do so in ways that provide reliable, predictable behavior that allows us to block malicious traffic without the significant risk of blocking legitimate user traffic that the naïve use of AI by some other vendors has generated.