
Promptly detecting and blocking malicious domains and IPs is crucial in combatting cyber threats such as phishing and ransomware. The conventional method, which classifies domains by consulting domain reputation feeds, has proven ineffective against domain generation algorithms (DGAs): attackers use them to mint large numbers of new domains that have no established reputation for a feed to report.
Users also frequently fall prey to malicious domains that imitate reputable brands, and because such lookalike domains likewise have no reputation history, reputation feeds alone cannot reliably detect them.
Cato, provider of a single-vendor SASE platform, is addressing both problems by adding real-time deep learning algorithms for threat prevention to Cato IPS.
These algorithms block access to DGA-registered domains by detecting newly created domains that receive few user visits and whose letters follow patterns typical of DGAs. They thwart cybersquatting by identifying domains whose letter patterns resemble those of well-known brands, and they counter brand impersonation by scrutinizing webpage elements such as favicons, images and text.
Cato reports that the results bear this out. Cato Research Labs routinely observes tens of millions of network connection attempts to DGA domains across the enterprises using the Cato SASE Cloud. In one sample period, for example, of 457,220 connection attempts to DGA domains, only 66,675, about 15%, went to domains listed in the 250-plus threat intelligence feeds Cato consumes. Cato's algorithms identified the remainder, more than 390,000, nearly six times what the feeds caught.
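To make the two letter-pattern checks concrete, here is an added example written for this article; it is not Cato's code and is far simpler than the deep learning models the article describes. It scores a domain label on character statistics (entropy, vowel ratio, longest consonant run, digit share, length) as a rough DGA signal, folds common homoglyph substitutions and compares the label to a small brand list to catch cybersquatting, and combines the DGA score with the "new and rarely visited" signal mentioned above. The brand list, the score weights and cut-offs, the age and visit thresholds and the sample observations are all constructed assumptions, and the single-label TLD handling is a simplification noted in the code.

```python
"""Illustrative DGA and brand-lookalike heuristics (added example, not Cato's
detector).  Brand list, thresholds and sample observations are constructed."""
import math
import re
from collections import Counter

# Constructed brand list for the lookalike check (assumption, not Cato's data).
BRANDS = ["paypal", "microsoft", "google", "amazon", "netflix"]

# Character substitutions common in typosquats; constructed and not exhaustive.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]+")


def registrable_label(domain: str) -> str:
    """Label left of the TLD, assuming a single-label TLD (com, net, ...).
    Real code should consult the Public Suffix List so that co.uk etc. work."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking DGA labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def dga_features(label: str) -> dict:
    letters = [c for c in label if c.isalpha()]
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0,
        "digit_ratio": sum(c.isdigit() for c in label) / len(label) if label else 0.0,
        "consonant_run": max((len(m) for m in CONSONANT_RUN.findall(label)), default=0),
    }


def dga_score(label: str) -> float:
    """Hand-weighted 0..1 score over the letter-pattern features.  The cut-offs
    are illustrative assumptions; a trained model learns them from labelled data."""
    f = dga_features(label)
    score = 0.0
    if f["entropy"] > 3.5:
        score += 0.3          # many distinct characters, little repetition
    if f["vowel_ratio"] < 0.25:
        score += 0.3          # pronounceable words rarely go this consonant-heavy
    if f["consonant_run"] >= 5:
        score += 0.2
    if f["digit_ratio"] > 0.2:
        score += 0.1
    if f["length"] >= 12:
        score += 0.1
    return min(score, 1.0)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(label: str) -> str:
    """Normalise look-alike characters and digraphs before comparing to brands."""
    return label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def brand_lookalike(label: str, brands=BRANDS, max_dist: int = 1):
    """Return (brand, reason) when the label imitates a known brand, else None.
    max_dist=1 is tight on purpose: larger distances flag many benign words."""
    if label in brands:
        return None                       # the brand's own label
    folded = fold_homoglyphs(label)
    for brand in brands:
        if folded == brand:
            return (brand, "homoglyph")   # e.g. paypa1, rnicrosoft
        if brand in folded:
            return (brand, "embedded")    # e.g. amazon-login
        if levenshtein(folded, brand) <= max_dist:
            return (brand, "typo")        # e.g. netflx
    return None


def classify(domain: str, age_days: int, distinct_clients: int) -> str:
    """Combine letter patterns with the 'new and rarely visited' signal the
    article describes.  Age and visit cut-offs are assumptions for illustration."""
    label = registrable_label(domain)
    hit = brand_lookalike(label)
    if hit:
        return f"cybersquat:{hit[0]}:{hit[1]}"
    if age_days <= 30 and distinct_clients <= 3 and dga_score(label) >= 0.6:
        return "dga"
    return "benign"


# Constructed observations: (domain, days since first seen, distinct clients).
SAMPLE_OBSERVATIONS = [
    ("www.google.com", 8000, 5000),
    ("mail.example.org", 3000, 200),
    ("brandnewstartup.io", 3, 1),        # new and rarely visited, but word-like
    ("hjkbvqxzwmlptrds.net", 2, 1),      # random-looking, new, a single client
    ("paypa1.com", 5, 2),
    ("rnicrosoft.com", 4, 1),
    ("amazon-login.com", 6, 3),
    ("netflx.com", 9, 2),
]


def run_sample() -> dict:
    return {d: classify(d, age, clients) for d, age, clients in SAMPLE_OBSERVATIONS}


if __name__ == "__main__":
    for domain, verdict in run_sample().items():
        print(f"{domain:24s} {verdict}")
```

Run it directly to print a verdict per sample domain. Two caveats worth keeping in mind: hand-set weights and thresholds like these are exactly what a trained model replaces, and an edit distance of 1 against short brand names will flag benign words, which is why the lookalike check should be one piece of evidence alongside age, visit counts and page content rather than a verdict on its own.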
So what enables these network security advances at Cato?
Cato's technology is built on a cloud-native architecture. Real-time deep learning inference demands substantial compute if it is not to add latency to user traffic, and Cato's SASE Cloud supplies it: flows are inspected, destination domains extracted, domain risk assessed and a verdict inferred inline, without disrupting the session.
Training the deep learning models, meanwhile, requires vast amounts of data. Cato's SASE Cloud draws on a large data lake built from the metadata of every flow that passes through the system, enriched with more than 250 threat intelligence feeds. Analyzing patterns across all Cato customers gives the models cross-customer context, and custom analyses derived from each customer's own traffic sharpen them further, improving the precision with which suspicious domains are identified.
"ML algorithms must be trained and re-trained on high-quality data to provide value. Cato's data lake provides an enormous advantage in that area," said Elad Menahem, Senior Director of Security at Cato Networks. "Its convergence of rich networking data and security sources, coupled with its sheer scale, enables Cato to train algorithms in unique ways. Our current work is only the start of AI and ML innovation."
The deep learning algorithms are the latest AI and ML additions to the Cato SASE Cloud. Other additions have included machine learning for offline analysis to solve problems at scale, client classification, automatic application identification and ChatGPT.
Edited by
Alex Passett