AI Firewall

Updated on Apr 16, 2024

What Is an AI Firewall?

An artificial intelligence (AI) firewall, an advancement of the traditional next-generation firewall (NGFW), employs intelligent detection technologies to enhance the identification of advanced and unknown threats. Unlike NGFWs relying on static rule databases for threat detection, which struggle with advanced threat variants, AI firewalls utilize intelligent detection engines to train threat detection models using extensive samples and continuously refine them based on real-time traffic data, thus enhancing threat detection capabilities.

Why Do We Need the AI Firewall?

First defined by Gartner in 2009, NGFWs integrate basic firewall services with various security services, such as application identification, intrusion prevention system (IPS), and antivirus, processing them in parallel for in-depth, comprehensive traffic security detection. Over a decade later, with the rapid evolution of network cloudification, mobility, and the Internet of Things (IoT), NGFWs face significant challenges, including the rise of advanced threats and a wide range of diverse variants. The static rule database-based detection of NGFWs falls short in addressing these challenges adequately.

In addition to conventional threats like viruses and Trojan horses, advanced threats such as advanced persistent threats (APTs) continue to evolve. Consequently, attacks like ransomware and machine-to-machine (M2M) attacks diversify, driven by substantial economic incentives. Advanced threats operate covertly and spread rapidly, with up to 70% of network attack traffic being encrypted. In the face of rapidly evolving threat landscapes, traditional NGFWs encounter challenges such as:

- Inadequacy in coping with advanced and unknown threats using signature-based threat detection

Signature-based threat detection relies on signature databases (static rule databases). Signatures in a signature database describe known threats, and the database has limited capacity. It cannot detect unknown threats or variants of advanced threats, which leads to a high false positive rate in threat detection and delayed threat response.

- Inability to mitigate entire attack chains via signature matching due to the multi-layered and covert threats

The rise of IoT leads to increased security risks. Intrusion incidents within internal networks are on the rise, suggesting that attacks extend beyond external networks. Hackers breach external defenses, gain remote control, penetrate internal networks, and compromise, steal, or destroy critical data, forming a complete attack chain. However, NGFWs, which rely on packet content signatures, fail to detect the entire attack chain, resulting in inadequate attack mitigation. Moreover, threats are becoming more covert, hiding within encrypted channels. Signature-based traffic matching cannot uncover features within encrypted traffic. Firewalls must analyze data comprehensively, including encrypted data, without decryption, to expose any potential threats.

- Complexity in threat detection and handling due to labor intensity and time consumption

As firewall deployment is not a one-time operation, follow-up O&M is critical. Administrators need to continuously tune policies to cope with changing threats, analyze attack logs, promptly handle threat events, and harden enterprise facilities. However, these tasks are complex, depend on the skill level of administrators, and deliver no guaranteed result. Firewalls must therefore have automated data analysis and threat handling capabilities.

To address these challenges, NGFWs necessitate upgrades to adapt to evolving networks and threats. In this context, advancements in AI technology present new opportunities for firewall systems.

Differences Between AI Firewalls and NGFWs

The main NGFW capabilities defined by Gartner are application identification and IPS integration for in-depth traffic detection. As mentioned above, NGFWs need to be upgraded, and vendors are embracing new technologies to enhance firewall functions. As a result, there is no standard industry definition of a next-generation NGFW product. The following table lists the major differences between AI firewalls and NGFWs.

Capability comparison between NGFWs and AI firewalls

The primary advantage of AI firewalls lies in their intelligence. They not only utilize signatures for known threat identification but also employ extensive sample sets and algorithms to train threat detection models, enabling the detection of advanced and unknown threats. However, this introduces higher demands on computing hardware to maximize intelligent detection technology, necessitating dedicated hardware for optimal threat detection performance.

AI Firewall Detection of Advanced Threats

As mentioned above, AI firewalls can detect advanced threats. How is this implemented? The intelligence of an AI firewall comes from its embedded intelligent detection engine, which detects advanced threats using a threat detection model created through machine learning.

The detection models used by the intelligent detection engine come from the following:

  • Cloud Sample Training (Supervised Learning): Utilizing supervised learning, the cloud trains millions of samples, extracts threat detection models, and delivers them to firewalls for detection.

  • Local Learning (Unsupervised Learning): Unsupervised learning is conducted locally, continuously extracting data from live network traffic for ongoing learning.

Combining supervised and unsupervised learning more effectively detects malicious files that mutate frequently, identifies compromised hosts and remotely controlled zombies, detects data being exfiltrated over encrypted channels, and identifies malicious behavior such as slow and distributed brute force attacks. During the learning process, mass data analysis is used to train and generate threat detection models, which are then continuously optimized against live network data so that they self-evolve. An updated model trained on the cloud is delivered directly to a firewall without any system software upgrade.

AI firewall intelligent detection engine

Advanced threats typically follow an organized and planned attack sequence. The AI firewall employs various technologies to target attacks on key kill chain nodes:

  • External Penetration Phase: At the onset, attackers distribute malicious files within the intranet via phishing emails and USB devices. Blocking the spread of malicious software at this stage disrupts the attack chain.
    The AI firewall employs an intelligent malicious-file detection algorithm to analyze file features, improving detection rates without relying on static rule databases.

  • Interaction between Attacker and Compromised Host: Executing malware on a host renders it compromised. Attackers communicate with compromised hosts through a Command and Control (C&C) channel, exchanging instructions and data.
    The AI firewall detects C&C channels and Domain Generation Algorithms (DGAs) to prevent unauthorized communication. Even when the channel is encrypted, the firewall identifies encrypted C&C traffic without decrypting it, keeping such traffic visible and blockable.
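The DGA detection step above can be illustrated with a small, added example that is not FS's or any vendor's code: a benign-domain bigram table stands in for the cloud-trained model, and a per-domain vote over entropy, vowel ratio and unseen-bigram fraction stands in for the detection model. The training list, thresholds, log format and IP addresses are all constructed assumptions for illustration.

```python
import math
from collections import Counter

# Constructed stand-in for the cloud-side benign training set (assumption: a real
# model would be trained on millions of labelled samples, as the page describes).
BENIGN_TRAINING = [
    "google.com", "github.com", "wikipedia.org", "microsoft.com", "amazon.com",
    "cloudflare.com", "stackoverflow.com", "example.org", "mozilla.org", "apple.com",
    "netflix.com", "reddit.com", "huawei.com", "cisco.com", "fs.com",
]

def registrable_label(domain):
    """'www.google.com' -> 'google' (assumes a single-label public suffix)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def bigrams(label):
    return [label[i:i + 2] for i in range(len(label) - 1)]

def train_benign_bigrams(domains):
    """Supervised step: record which character bigrams occur in benign labels."""
    return Counter(b for d in domains for b in bigrams(registrable_label(d)))

def shannon_entropy(label):
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def dga_indicators(model, domain):
    """Three cheap per-domain indicators of machine-generated names."""
    label = registrable_label(domain)
    bg = bigrams(label)
    unseen = sum(1 for b in bg if model[b] == 0) / len(bg) if bg else 0.0
    vowels = sum(ch in "aeiou" for ch in label) / max(len(label), 1)
    return {"entropy": shannon_entropy(label), "vowel_ratio": vowels, "unseen_fraction": unseen}

def is_likely_dga(model, domain, min_len=7):
    """Flag a domain when at least two of the three indicators fire (thresholds are assumptions)."""
    if len(registrable_label(domain)) < min_len:
        return False
    f = dga_indicators(model, domain)
    votes = (f["entropy"] >= 3.0) + (f["vowel_ratio"] <= 0.2) + (f["unseen_fraction"] > 0.5)
    return votes >= 2

def scan_dns_log(model, lines):
    """Parse constructed 'src=IP query=DOMAIN' log lines and return (src, domain) hits."""
    hits = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if "query" in fields and is_likely_dga(model, fields["query"]):
            hits.append((fields.get("src"), fields["query"]))
    return hits

# Constructed sample log; addresses and the two random-looking domains are made up.
SAMPLE_LOG = [
    "2024-04-16T10:00:01 src=10.0.0.5 query=www.google.com",
    "2024-04-16T10:00:02 src=10.0.0.5 query=stackoverflow.com",
    "2024-04-16T10:00:03 src=10.0.0.9 query=wdlfjkqmzbxvtr.com",
    "2024-04-16T10:00:04 src=10.0.0.9 query=xq4k7zp2vmr9.net",
]

if __name__ == "__main__":
    print(scan_dns_log(train_benign_bigrams(BENIGN_TRAINING), SAMPLE_LOG))
```

A host that repeatedly resolves flagged names is a candidate for C&C follow-up; the bigram table is the part a real deployment would refresh from the cloud model rather than from system software, as the page describes.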
