The importance of traffic threat detection goes without saying.
Looking back at its development, traffic threat detection has moved through several technical stages: regular-expression matching, then syntactic and semantic matching, then small machine-learning models combined with statistical and behavioral analysis.
The attack methods it faces have evolved in parallel: from techniques with obvious signatures, to weak-signature techniques, to systematic attacks used in combination, and now to intelligent, AI-assisted methods.
According to the World Internet Development Report 2023, cyber attack and defense have entered an era of intelligent confrontation, and new forms of low-cost, automated cyber attacks are emerging one after another.
Attackers already use large AI models to build attack tools quickly and to generate obfuscated attack payloads in batches, combined with layered attack methods such as 0-day exploitation, targeted phishing and encrypted C2 communication. Many defenders still try to make traditional detection engines keep up with new threats by stacking ever more rules, including cloud-delivered threat intelligence, but against this kind of adversary that is a losing battle.
Sangfor has not followed that path. Instead it takes a game-changer approach: using large models to empower traffic detection.
Outperforming traditional detection engines
Six capabilities that exceed general-purpose models
Sangfor Security GPT can be used as a detection engine that empowers traditional security products such as situational-awareness platforms: it can understand the intent of unknown attacks, judge anomalies and restore obfuscated payloads, and its detection models have been standardized.
Trained on tens of millions of high-quality corpus entries and hundreds of billions of tokens, by April this year the Security GPT detection model had already clearly surpassed many rule-based and small-model traffic detection engines in the industry. In internal testing on 50 million samples, compared with traditional traffic detection equipment, the detection rate of Security GPT rose from an average of 57.4% to 92.4%, and the false positive rate fell from 42.6% to just 4.3%.
In real-world practice, the Security GPT detection model has proved its strength time and again:
1. Detection results continuously verified by multiple parties
In August, during the 2023 large-scale real-world attack and defense drill, the Security GPT detection model discovered 50+ 0-day vulnerability exploitation attacks in the field without any prior knowledge of them.
From September to November, based on the model's analysis results, the Sangfor Blue Army team identified 32 zero-day vulnerabilities being exploited in the wild and reported the details to the regulators.
From October to November, the Security GPT model was verified by a number of users. On 25 highly obfuscated packets, each of which bypassed both the traditional engine and the general-purpose GPT-4 model, Security GPT achieved a 100% detection rate, while neither the traditional engine nor GPT-4 detected any of the triple-layer obfuscated samples. In those users' real network environments, the detection rate of industry SOC and NDR products was 12.5%, while Security GPT reached 97.4%.
2. All six capabilities surpass general-purpose models
Drawing on the experience of security experts, we evaluate Security GPT detection models along six dimensions: payload understanding, understanding of attack-defense confrontation, model reasoning, basic security knowledge, task orchestration, and resistance to model hallucination.
The results show that the Security GPT detection model outperforms general-purpose models on all six.
Detection depends heavily on the ability to understand attacks. A general-purpose large model has at least a billion parameters, and its ability to understand, generalize and express is far beyond that of a small traditional machine-learning model, let alone a traditional rule engine.
Today a general-purpose large model can interpret a complex attack accurately and at a high level, on par with a senior human expert. Sangfor has gone further and applied that capability to real-time traffic detection and analysis, with better results.
The Security GPT detection model works like a traffic analysis expert who understands attack and defense, payloads and protocols, continuously detecting and analyzing traffic to find the highly adversarial, evasion-oriented attacks that traditional detection engines cannot find.
Why can the Security GPT detection model outclass traditional engines?
Through knowledge distillation, model quantization, model pruning and attention-mechanism optimization, Sangfor improved the inference performance of Security GPT by 50 times, enabling real-time detection of live traffic in production network environments.
As a result, in real-world tests Security GPT has won decisively, outclassing traditional detection engines in the following three respects.
1. Detecting new threats with few or no samples
Traditional semantic analysis is expensive to develop and cannot cope with new languages, so traditional detection engines cannot defend against zero-day exploits and highly adversarial attacks.
By learning from a large body of open-source material, the Security GPT detection model gains a deep understanding of payload semantics, and moves from traditional payload-feature detection to comprehensive analysis of the whole packet, so it can uncover the real intent behind weak-signature attacks, detecting accurately while reducing false positives.
The Security GPT detection model also generalizes across bypass techniques, and with zero-shot and few-shot learning it can detect new threats even when few or no samples exist, greatly improving the detection rate of zero-day exploit attacks.
2. Solving the industry-wide problem of determining attack outcomes
As everyone knows, determining whether an attack succeeded is a hard problem in the industry and a major part of security operations work. Traditional attack-success detection engines face three main problems: no echo from a successful attack, success indicators that are not fixed, and payload obfuscation that is hard to understand.
The Security GPT detection model can not only restore the obfuscated payload of an attack but also dynamically identify indicators of a successful attack in the response packets. In the figure below, by restoring the obfuscated payload to its simplest form, whoami, Security GPT accurately identifies the attack intent, then correlates it with the content of the response to determine whether the attack succeeded.
For successful attacks, different commands produce different echoes, and some echoes cannot be captured by rules at all (for example, whoami might simply echo zhangsan). Trained on a large amount of vertical-domain data, the Security GPT detection model can find the characteristics of such potential success echoes.
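The payload-restoration and response-correlation idea described above, as an added example that is not Sangfor's code and does not reflect how Security GPT is implemented: a small normalizer in Python that peels common shell-injection obfuscation layers (URL encoding, ${IFS}, quote splitting, ANSI-C hex escapes, base64) to recover the plain command, then checks the response body for the echo that command would produce. The command list, the echo patterns and the sample request/response pairs are assumptions constructed for this example. whoami is the interesting case: it has no fixed echo token, which is exactly what the text says a rule cannot express, so the check falls back to the shape of the response.

```python
import base64
import binascii
import re
from urllib.parse import unquote_plus

# Constructed sample request parameters and response bodies for a command-injection
# scenario. They are made up for this example, not captures from any real system.
SAMPLES = [
    # quote-splitting hides the command from a substring rule; response is a bare username
    ("cmd=w''ho''a''mi", "zhangsan\n"),
    # base64 + ${IFS}; response carries the classic /etc/passwd echo
    ("cmd=echo${IFS}Y2F0IC9ldGMvcGFzc3dk|base64${IFS}-d|sh",
     "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"),
    # URL-encoded ANSI-C hex escapes; the server returned its normal page, so no success
    ("cmd=%24%27%5Cx77%5Cx68oami%27", "<html><body>Welcome</body></html>"),
    # plain id; response carries the uid= echo
    ("cmd=id", "uid=33(www-data) gid=33(www-data) groups=33(www-data)\n"),
    # benign search query that should not be flagged at all
    ("q=password+reset", "<html><body>Search results</body></html>"),
]

# Commands recognised once the payload is normalised (assumed list for the example).
COMMANDS = ["cat /etc/passwd", "ipconfig", "whoami", "uname", "id"]

# Fixed echo indicators for commands that have them (assumptions for the example).
ECHO_PATTERNS = {
    "id": re.compile(r"uid=\d+\("),
    "uname": re.compile(r"\b(Linux|Darwin|FreeBSD)\b"),
    "cat /etc/passwd": re.compile(r"^root:x?:0:0:", re.M),
    "ipconfig": re.compile(r"IPv4 Address"),
}
# whoami has no fixed token: the echo is whatever the account is called, so the only
# usable signal is the shape of the response (one short identifier and nothing else).
WHOAMI_ECHO = re.compile(r"^[A-Za-z_][\w-]{0,31}$")

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
HEX_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")
ANSI_C_QUOTE = re.compile(r"\$'([^']*)'")
SPLIT_QUOTES = re.compile(r"''|\"\"|\\(?=[A-Za-z])")   # w''ho''a''mi, wh\oami


def _try_b64(token: str):
    """Decode a base64 token only if it yields printable ASCII; otherwise leave it."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None
    text = text.rstrip("\n")
    return text if text.isprintable() else None


def normalize(payload: str) -> str:
    """Peel common shell/HTTP obfuscation layers to recover the plain command."""
    s = payload
    for _ in range(3):                       # nested URL encoding
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)   # \x77 -> w
    s = ANSI_C_QUOTE.sub(r"\1", s)                           # $'whoami' -> whoami
    s = s.replace("${IFS}", " ").replace("$IFS", " ")        # IFS used as a space
    s = SPLIT_QUOTES.sub("", s)                              # drop '' "" and \ before letters
    s = B64_TOKEN.sub(lambda m: _try_b64(m.group(0)) or m.group(0), s)
    return " ".join(s.split())


def _has_command(normalized: str, cmd: str) -> bool:
    # Whole-token match so that "id" does not fire inside "hidden" or "/uid"
    return re.search(rf"(?<![\w/]){re.escape(cmd)}(?![\w/])", normalized) is not None


def assess(request_param: str, response_body: str) -> dict:
    """Return the recovered intent and whether the response shows the command ran."""
    normalized = normalize(request_param)
    command = next((c for c in COMMANDS if _has_command(normalized, c)), None)
    if command is None:
        return {"normalized": normalized, "command": None, "success": False}
    if command == "whoami":
        success = WHOAMI_ECHO.match(response_body.strip()) is not None
    else:
        success = ECHO_PATTERNS[command].search(response_body) is not None
    return {"normalized": normalized, "command": command, "success": success}


if __name__ == "__main__":
    for param, body in SAMPLES:
        print(assess(param, body))
```

Running the script prints one assessment per sample: the three obfuscated whoami/passwd/id requests are recovered to their plain commands, two of them are judged successful from the response, the hex-escaped one is judged unsuccessful because the server returned its normal page, and the benign search query is not flagged. The whoami heuristic is deliberately loose: any plain-text endpoint that answers with a single word would also match, which is the kind of ambiguity the text argues a model trained on real success echoes handles better than a hand-written rule.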
3. Natural language assists alarm triage
Traditional detection engines can only highlight the malicious points when presenting evidence for a threat event. Security operators' skill levels vary, and evidence in this form does not directly and effectively help them triage alarms, which often leads to high-risk events being missed or misjudged.
The Security GPT detection model can analyze messages along multiple dimensions in natural language, helping operators triage alarms efficiently, breaking through the limits of staff skill and energy, and truly realizing "1 ordinary engineer + Security GPT detection model = N security experts".
How is the Security GPT detection model built?
As one of the earliest cybersecurity vendors in China to apply AI, Sangfor invested in research and application of decision-making AI technology as early as 2015. In 2016 it further increased its AI investment and established the AI FIRST R&D strategy, and it has since made practical and effective AI breakthroughs in network security and cloud computing.
As a result, Sangfor has accumulated the elements needed to build Security GPT:
1. High-quality data and computing power for AI model training
A continuously accumulated security corpus at the 100-billion-token scale.
An automated training data generation and quality management platform.
550,000+ security devices and components connected to the cloud.
Tens of millions of training samples updated every day.
A distributed computing platform based on the managed cloud.
2. Cloud-network-endpoint intelligent product architecture
Data collection, model training and deployment are integrated into the security products throughout the implementation process.
First in China to launch cloud-based products and services such as SASE and MSS.
The model training speed of the Genius AI R&D platform has been increased by 35 times.
100+ managed-cloud nodes across the country, supporting deployment of Security GPT close to users.
3. A four-in-one team of experts
A professional team that understands both security and AI, built quickly.
Sangfor believes that the flywheel effect of "large model + data + security and algorithm experts" will continue to unlock great potential for Security GPT in threat detection.
As the saying goes, "there is no road in the world" until someone walks it: Sangfor will forge its own path with the Security GPT detection model, continue to lead with pioneering experience, and is committed to keeping every user one step ahead in security.