Cato Networks identifies 6x more malicious domains using AI
Cato Networks has announced that it has utilised AI to identify six times more malicious domains than reputation feeds alone - and prevent access to them in real time. The single-vendor SASE platform provider announced this two weeks after it broke the SASE speed record with 5Gbps encrypted tunnels. Previously, Cato held the record at 3Gbps.
Both recent announcements - improved threat prevention and higher-capacity secured tunnels - reflect the role cloud-native architectures will play in SASE.
AI technologies and large language models (ChatGPT, for example) have made it easier for cybercriminals to generate malicious code. Data scientists from Cato Networks developed deep learning algorithms that leverage Cato's cloud-native platform and large data lake to accurately identify malicious domains that often go undetected by reputation and security feeds alone.
Detection by reputation feeds alone is unreliable: users continue to click through to malicious domains that mimic well-known brands.
Cato's algorithms block access to domains registered by domain generation algorithms (DGAs) by identifying newly seen domains that users rarely visit and whose letter patterns are typical of DGA output. The algorithms also stop brand impersonation by examining parts of the web page, such as the favicon, images and text.
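As an added illustration of the two signals described above (low visit frequency across the user base and DGA-like letter patterns), the following Python sketch is not Cato's algorithm or code. It scores a constructed set of sample domains with hand-picked lexical thresholds and a constructed visit-count table, and shows how a model-style verdict sits alongside a plain reputation-feed lookup so that domains the feed misses can still be blocked.

```python
import math
from collections import Counter

# Constructed sample population: destination domains seen across a tenant
# base, with the number of distinct users who visited each one.
# (Constructed data for this example, not Cato's data lake.)
VISIT_COUNTS = {
    "microsoft.com": 48211,
    "github.com": 9034,
    "cdn-settings.net": 311,
    "xk3jq9wlvptz.com": 1,
    "qzvbwhtkdrmn.info": 2,
    "hsdfkjwerpoiu.xyz": 1,
}

# Constructed stand-in for a threat-intelligence (reputation) feed listing.
REPUTATION_FEED = {"qzvbwhtkdrmn.info"}

VOWELS = set("aeiou")


def registrable_label(domain: str) -> str:
    """Return the label left of the suffix. Simplification for the example:
    the last label is treated as the TLD (no public-suffix list)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Character entropy in bits; random-looking labels score higher."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s: str) -> int:
    """Longest run of consecutive consonants; digits and '-' break the run."""
    run = best = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def vowel_ratio(s: str) -> float:
    letters = [c for c in s if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0


def lexical_score(domain: str) -> float:
    """Heuristic 0..1 score of how machine-generated the label looks.
    Thresholds are hand-picked for the example, not learned from data."""
    label = registrable_label(domain)
    score = 0.0
    if len(label) >= 10:
        score += 0.25
    if shannon_entropy(label) >= 3.3:
        score += 0.25
    if longest_consonant_run(label) >= 4:
        score += 0.25
    if vowel_ratio(label) <= 0.25:
        score += 0.25
    return score


def is_rare(domain: str, visit_counts=VISIT_COUNTS, max_visits: int = 5) -> bool:
    """'Infrequently visited' across the whole base: few distinct users."""
    return visit_counts.get(domain, 0) <= max_visits


def classify(domain: str, visit_counts=VISIT_COUNTS, feed=REPUTATION_FEED) -> str:
    """Feed hit wins; otherwise rare *and* DGA-looking domains are blocked.
    Gating on rarity keeps popular-but-odd names like CDN hosts allowed."""
    if domain in feed:
        return "blocked:feed"
    if is_rare(domain, visit_counts) and lexical_score(domain) >= 0.75:
        return "blocked:model"
    return "allowed"


def verdict_counts(domains) -> dict:
    """Tally verdicts, mirroring the feed-vs-model comparison in the article."""
    return dict(Counter(classify(d) for d in domains))


if __name__ == "__main__":
    for d in VISIT_COUNTS:
        print(f"{d:22} visits={VISIT_COUNTS[d]:>6} "
              f"lex={lexical_score(d):.2f} -> {classify(d)}")
    print(verdict_counts(VISIT_COUNTS))
```

In this constructed sample the feed catches one of the three DGA-looking names and the lexical-plus-rarity rule catches the other two, while `cdn-settings.net`, which trips the vowel-ratio test, stays allowed because hundreds of users visit it.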
Cato Research Labs routinely observes tens of millions of network connection attempts to DGA domains across more than 1,700 enterprises using the Cato SASE Cloud. As an example, of the 457,220 network connection attempts to DGA domains made in a sample period, only 66,675 (15%) were listed in the 250+ threat intelligence feeds consumed by Cato. Cato's algorithms identified the rest: over 390,000 additional DGA domains, a nearly six-fold improvement.
Running a deep learning algorithm in real time requires significant compute resources if it is not to disrupt the user experience. Appliance-based architectures lack those resources, and copying data to the cloud for offline analysis introduces too much latency for the algorithms to run in real time.
Cato SASE Cloud provides those resources. Cato's Single Pass Cloud Engine (SPACE) is a cloud-native architecture that shifts packet and security processing to the cloud, where compute resources are far more plentiful than in edge appliances. In milliseconds, Cato inspects flows, extracts their destination domain, measures the domain's risk, and infers the necessary results from the traffic without disrupting the user experience.
"ML and AI are essential to defending against the ever-evolving, sophisticated, and evasive cyber-attacks. But that's easier marketed than done," says Elad Menahem, Senior Director of Security, Cato Networks.
"ML algorithms must be trained and re-trained on high-quality data to provide value. Cato's data lake provides an enormous advantage in that area. Its convergence of rich networking data and security sources, coupled with its sheer scale, enables Cato to train algorithms in unique ways. Our current work is only the start of AI and ML innovation."
Beyond its work with AI, Cato is also delivering 5Gbps connections to other cloud providers. The new Cato cross-connect will enable private, high-speed layer-2 connections between Cato and any other cloud provider connecting to the Equinix Cloud Exchange (ECX) or Digital Realty. A high-availability (HA) option will also be available for additional reliability.