FortiAI Partner Technical Enablement


FortiAI

Next Generation Network Security


Artificial Intelligence in Cyber Security
Agenda

01 FortiAI Product Vision
02 Evolution of Malware
03 FortiAI Introduction
04 Virtual Security Analyst™ Capabilities
05 How FortiAI Works
06 Demo

© Fortinet Inc. All Rights Reserved. 2


FortiAI
Product Vision

FortiAI Product Vision / Goal
“Uses ML/AI to mimic human intensive functions, with Virtual Security Analyst™ to assist SecOps in breach protection.”

Breach Investigation – use ML/AI to mimic some intense human functions:
• Incident analysis (on average 3-5 years of experience, with 1 week+ to trace the source of an attack)
• Outbreak Search
• Malware Analyst

Reduced Detection Time – reduce detection time from minutes to a sub-second verdict
Fortinet Cybersecurity Platform
Enterprise Security Fabric

• Zero-Trust Access: Endpoint Access, NAC, Identity
• Security-driven Networking: Network Firewall, SD-WAN, Secure WLAN/LAN, SASE/SWG
• Dynamic Cloud Security: Applications, Platform, Network
• AI-driven Security Operations: Endpoint Security, Breach Prevention (FortiAI), Incident Response
• Fabric Management Center

Revised as of August 30, 2020


Threat Landscape Over Two Decades
AI-driven attacks require AI-driven detection

(Chart: Cumulative Records Stolen, plotted values 39M*, 67M, 147M, 259M, 604M, 826M, 1B+, 4.7B, 5B, 5B+; Annual # of Ransomware Attacks, plotted values 3.2M, 4M, 4.37M*, 7.47M)

Significant Threat Incidents by timeline:
1990–1999 Melissa | 2000–2001 Code Red | 2002–2003 Slammer | 2004–2005 Sasser | 2006–2007 Zeus | 2008–2009 Conficker | 2010–2011 Stuxnet | 2012–2014 Cryptolocker | 2015–2017 Wannacry | 2018–2019 VPNFilter | 2020+ COVID-19

*many undisclosed | Record Stolen Reference—Breach Level Index | Ransomware stats—Statista
An overview of
Malware Evolution

History of Artificial Intelligence
Nearing a Century of AI

• 1930s – Turing, Kleene and Church propose a machine learning solution
• 1943 – McCulloch and Pitts create the formal design of Turing’s ‘artificial neurons’
• 1956 – AI research formally founded as a discipline at Dartmouth College
• 1960s – AI research heavily funded by the U.S. military
• 1974 – The First AI Winter: difficulty resulted in funding cuts in the US and Britain
• 1980s – Proliferation of Expert Systems; Lisp vs. PC
• 1990s – AI applied to data mining and medical diagnosis with increased CPU power
• 1997 – IBM Deep Blue beats Grand Master Kasparov in chess
• 2003 – Deep learning is achieved using faster computing and large data structures
• 2012 – Fortinet started product research in AI technology, first iteration of machine learning in Cybersecurity
• 2013 – IBM Watson application for management decisions of lung cancer treatment
• 2015 – 2,700+ AI projects in place at Google
• 2016 – Fortinet AutoCPRL – using ML for malware detection, i.e. machine generated CRPL
• 2017 – Elon Musk calls for the regulation of AI before we hit 100 years
• 2018 – Fortinet introduces AI in Web application Security; Fortinet acquires Zonefox
• 2020 – Fortinet FortiAI ready to launch as a product

Use of AI in CyberSecurity


Evolution of Malware Detection
Methods & Problems

“We create new technology to solve problems that existing technology cannot solve today.”
M. Xie, CTO Fortinet

Evolution:
1st Gen – Signature Based
• Static Analysis
• Detection Delay
• Intense Compute
2nd Gen – ATP Toolkit
• Automated malware analysis
• Malware evolves
• Time to detect – minutes
3rd Gen – Artificial Intelligence
• Machine Learning
• Virtual Security Analyst™
• Sub-second Verdict


Malicious Code Detection
Advanced Threat Protection (ATP) products at a glance

• AV engine: “Inspect core of apple… Um, it’s bad.”
• FortiSandbox: “Let me take a bite… Um, it’s bad.”
• FortiAI: “Let me describe it - rotten, smells... Um, it’s bad.”
• FortiDeceptor: “Let me place more apples… …with traps.”


FortiAI
Introduction

AI / Machine Learning: what do we expect?

• Machine Learning to find PATTERN
• Identify and Grouping of FEATURES (aka the ‘dots’)
• FortiAI is ‘trained’ with Clean and Malicious and other features (e.g. Ransomware), 20+ more malware types
• Supervised Learning – Feeding it with “right” data from FortiGuard
• Patent pending Neural Network for sub-second detection, with analyst logic

(Figure: feature scatter plot with axes Dim1 and Dim2, clusters labelled Result)


FortiAI at a Glance™

Virtual Security Analyst™ powered by Deep Neural Networks that identifies, classifies, investigates and blocks sophisticated threats in sub-second.

• 99.9%* – Detection Rate
• <100 ms – Sub-Second Detection
• 100K – Files / hour
• 10G – Network Throughput
• 20+ – Attack Scenarios
• 200 Billion – Exposed Features

* Measured by Breaking Point malware strike pack
FortiAI Key Benefits

Virtual Security Analyst™
• Trace Source on infection
• Outbreak Search
• Personal Malware Analyst
• On Prem Learning

Breach Prevention
• Sub-second Verdict
• Threat Investigation
• Big Picture analysis
• Attack Scenarios

Fabric Integration
• Blocking & Quarantine with FortiGate(s)
• STIXv2 / JSON output
• REST API for submission
• FortiAnalyzer/FortiSIEM support
• FortiSandbox integration (increase coverage)
• SYSLOG / ICAP for 3rd party
Cost of a Security Analyst
Solution ROI

Cost of a Security Analyst* (in USD)
• 60-95K USD annually
• 5-6 years of experience

Skillset Required
• Malware research experience
• Breach investigation analysis

Consider
• Cost of a Breach, Reputation Damage
• Offload current SA / Human Errors
• Human + AI analyst

* Based on https://www.salary.com/research/salary/benchmark/information-security-analyst-ii-salary


FortiAI Deployment Diagram

(Diagram: FortiAI with Virtual Security Analyst™ receives FortiGuard Neural Network Updates. HQ FortiGate (Inline Blocking) and Remote FortiGate(s) send integrated / encrypted submissions of malicious files from an infected source and from protected endpoints, and receive verdicts, covering worms / lateral movement. FortiAI also acts as ICAP Server for Fortiweb, web servers and DMZ servers (ICAP client). Further components shown: FortiSIEM & FortiAnalyzer (logging and reporting), FortiSOAR (STIX v2), FortiSandbox (file submission / integration), Sniffer / SPAN (SMB, Web and Email traffic).)
Virtual Security Analyst™
Capabilities

FortiAI Virtual Security Analyst™
Tracing the source of attack

• Attack Scenario – how malware was spread through the network
• Scenario based engine – finding “Patient Zero” by linking infections by time
• Sub-second verdict
• Ability to quarantine with FortiGates

(Figure: Patient Zero spreading a worm over SMB; FAI GUI: kill chain analysis)
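The slide describes a scenario engine that links infections by time to find “patient zero”. The following is an added example of that idea in plain Python; it is not FortiAI code, and the log format, field names, host addresses and file hashes are all constructed for the illustration. Each line records one file transfer (time, source, destination, protocol, hash); a host counts as infected the first time it sends or receives the file, and the earliest host that sent the file before any recorded receipt is reported as patient zero.

```python
"""Toy 'patient zero' tracer over constructed SMB transfer logs (added example, not FortiAI code)."""
from datetime import datetime

# Constructed sample log: timestamp, source host, destination host, protocol, file hash.
SAMPLE_LOG = """\
2020-08-30T10:00:05 10.0.0.12 10.0.0.25 SMB  hashABC
2020-08-30T10:00:09 10.0.0.12 10.0.0.31 SMB  hashABC
2020-08-30T10:01:40 10.0.0.25 10.0.0.44 SMB  hashABC
2020-08-30T10:02:01 10.0.0.31 10.0.0.12 SMB  hashABC
2020-08-30T10:03:15 10.0.0.44 10.0.0.60 SMB  hashABC
2020-08-30T10:03:20 10.0.0.7  10.0.0.8  HTTP hashZZZ
"""


def parse_log(text):
    """Parse whitespace-separated log lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, file_hash = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "proto": proto, "hash": file_hash})
    return sorted(events, key=lambda e: e["ts"])


def trace_outbreak(events, file_hash):
    """Link infections of one file hash by time.

    A host is marked infected the first time it sends or receives the file.
    A host that sends the file before any recorded receipt has no known
    infector; the earliest such host is reported as patient zero.
    Returns None when the hash never appears.
    """
    first_seen = {}  # host -> {"ts": datetime, "infected_by": host or None}
    for e in events:
        if e["hash"] != file_hash:
            continue
        if e["src"] not in first_seen:
            first_seen[e["src"]] = {"ts": e["ts"], "infected_by": None}
        if e["dst"] not in first_seen:
            first_seen[e["dst"]] = {"ts": e["ts"], "infected_by": e["src"]}
    if not first_seen:
        return None
    roots = [h for h, v in first_seen.items() if v["infected_by"] is None]
    patient_zero = min(roots, key=lambda h: first_seen[h]["ts"])
    timeline = sorted(((v["ts"], h, v["infected_by"]) for h, v in first_seen.items()),
                      key=lambda t: t[0])
    return {"patient_zero": patient_zero, "infected": first_seen, "timeline": timeline}


def spread_chain(trace, victim):
    """Walk back from a victim to patient zero: [victim, ..., patient_zero]."""
    chain, host = [], victim
    while host is not None:
        chain.append(host)
        host = trace["infected"][host]["infected_by"]
    return chain


if __name__ == "__main__":
    trace = trace_outbreak(parse_log(SAMPLE_LOG), "hashABC")
    print("patient zero:", trace["patient_zero"])
    for ts, host, by in trace["timeline"]:
        print(ts.isoformat(), host, "infected by", by or "(unknown)")
    print("chain for 10.0.0.60:", " <- ".join(spread_chain(trace, "10.0.0.60")))
```

The later transfer from 10.0.0.31 back to 10.0.0.12 is ignored because both hosts are already on the timeline; that is the “link by time” rule doing its work. With real logs the chain only holds if clocks are synchronised and the capture covers the first transfer, so an analyst would still confirm patient zero on the host itself.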
FortiAI Virtual Security Analyst™
Malware Analyst Function

Your malware analyst – identify 20+ Attack Scenarios
• Such as Ransomware, Dropper, PWS (Password Stealing Trojan), CoinMiner, Banking Trojan, Fileless attack etc.
• Answers the questions:
  • What type of malware attacks am I under?
  • What is the intent of malware?
  • Why is it malicious?
• Feature “Tagging” in logs

Attack scenarios shown: Downloader, Redirector, Dropper, Ransomware, Worm, RootKit, InfoStealer, Exploit, Password Stealer, Banking Trojan, Clicker, Virus, Application, CoinMiner, DoS, BackDoor, WebShell, Search Engine Poisoning, Proxy Trojan, Phishing, Fileless, Wiper, Industroyer


FortiAI Virtual Security Analyst™
Outbreak Search & Similarity Engine

Allows searching of malware & its variants on network

(Figure: the CIO asks the FAI VSA™ “Are we infected by this headline malware? e.g. WannaCry”; the VSA answers “Let me search!” and the FortiAI Similarity Engine links WannaCry (Hash ABC) to Variant 1 (Hash DEF), Variant 2 (Hash GHI) … Variant N (Hash JKL))


“On-Prem” Self Learning
Learning from Customers’ Traffic

FortiAI – On Prem Learning

Purpose:
1. Reduce False Positive
2. Increase Detection Rate

(Figure: feature extraction of CLEAN and MALICIOUS files from customer traffic feeds back into the pre-trained FortiAI model (6mil+ features) as on-prem learning; detection rate rises over time)


A closer look at how
FortiAI works

FortiAI - Under the Hood
Patent pending # U.S. Serial No.: 16/053,479

Single Layer of Neural Network
• Pre-trained with 20mil+ clean and malicious files
• Billions of clean and malicious features learnt

Each node (middle circles) represents an “Analyst”
• Job function - to determine if they match a single malware feature
• Current features DB consists of:
  • PE features (Portable Executables) & Non-PE features
  • Via techniques such as file analysis of registry values, stack status, execution flow etc.

Does not require to ‘run’ the file (vs Sandboxing)
• hence speed (sub-second)
• Identify good/bad instantly

(Figure: input layer → 1 layer of ANN, 6 mil+ nodes → output layer)


FortiAI
Malware Detection Workflow

Files (Binary, Scripts) → Code Blocks → Verdict

1. Feature Extraction
   • Text Parser (script), Disassembler (PE)
   • De-obfuscate
   • Unpack
2. Code Blocks
   • Average 3000+ per file
3. Feature Matching – Neural Networks (Features DB, 6mil+ Features, GPU/hardware accelerated; input layer → output layer)
   • Match Features
   • Count
   • Prioritize
4. Result = Malicious (or Clean), features detected # e.g.
   • Downloader = 26
   • Trojan features = 5
   • Ransomware = 2
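To make the parse → de-obfuscate → code blocks → match → count → prioritize → verdict pipeline concrete, here is an added toy implementation in Python. It is not FortiAI code and says nothing about FortiAI’s real features or model: the feature database (six regexes instead of millions of learned features), the pseudo-instruction code blocks, the severity order and the “malicious” threshold are all constructed for the example. One block is base64-wrapped so the de-obfuscation step has something to do.

```python
"""Toy feature-extraction and feature-matching pipeline (added example, not FortiAI code)."""
import base64
import binascii
import re

# Constructed feature DB: feature id -> (regex over one code block, malware type it counts towards).
FEATURE_DB = {
    "net.http_fetch":    (re.compile(r"https?://"),                         "Downloader"),
    "net.download_api":  (re.compile(r"URLDownload|DownloadFile"),          "Downloader"),
    "net.write_payload": (re.compile(r"WriteFile\s+\S+\.(bin|exe|dll)"),    "Downloader"),
    "exec.spawn":        (re.compile(r"CreateProcess"),                     "Trojan"),
    "persist.run_key":   (re.compile(r"CurrentVersion\\Run"),               "Trojan"),
    "crypto.encrypt":    (re.compile(r"CryptEncrypt|AES"),                  "Ransomware"),
    "crypto.note":       (re.compile(r"DECRYPT|README"),                    "Ransomware"),
}

SEVERITY = ["Ransomware", "Trojan", "Downloader"]  # tie-break order when counts are equal
MALICIOUS_THRESHOLD = 2                             # constructed threshold for the toy

# Constructed code blocks, in the shape a text parser / disassembler might emit (one per line).
# The fourth block is base64-wrapped to exercise the de-obfuscation step.
HIDDEN_BLOCK = base64.b64encode(b"CreateProcess tmp\\p.bin").decode()
SAMPLE_BLOCKS_TEXT = "\n".join([
    "URLDownload http://example.invalid/p.bin",
    "WriteFile tmp\\p.bin",
    "RegSetValue HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run p",
    HIDDEN_BLOCK,
    "MessageBox done",
])
CLEAN_BLOCKS_TEXT = "MessageBox hello\nReadFile config.ini"


def deobfuscate(block):
    """Decode a block that is entirely base64 (toy stand-in for the 'De-obfuscate' step)."""
    if re.fullmatch(r"[A-Za-z0-9+/]{16,}={0,2}", block.strip()):
        try:
            return base64.b64decode(block.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            pass
    return block


def parse_blocks(text):
    """'Text parser' stage: one code block per non-empty line, after de-obfuscation."""
    return [deobfuscate(line) for line in text.splitlines() if line.strip()]


def match_features(blocks):
    """Run every feature against every block; return (block index, feature id, type) hits."""
    hits = []
    for i, block in enumerate(blocks):
        for fid, (pattern, mtype) in FEATURE_DB.items():
            if pattern.search(block):
                hits.append((i, fid, mtype))
    return hits


def classify(text):
    """Count matched features per malware type, prioritize, and return a verdict."""
    blocks = parse_blocks(text)
    hits = match_features(blocks)
    counts = {t: 0 for t in SEVERITY}
    for _, _, mtype in hits:
        counts[mtype] += 1
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], SEVERITY.index(kv[0])))
    verdict = "Malicious" if len(hits) >= MALICIOUS_THRESHOLD else "Clean"
    return {"verdict": verdict, "blocks": len(blocks), "counts": counts, "ranked": ranked,
            "primary": ranked[0][0] if verdict == "Malicious" else None, "hits": hits}


if __name__ == "__main__":
    result = classify(SAMPLE_BLOCKS_TEXT)
    print(result["verdict"], "- primary type:", result["primary"])
    for mtype, n in result["ranked"]:
        print(f"  {mtype} = {n}")
    print(classify(CLEAN_BLOCKS_TEXT)["verdict"])
```

The output mirrors the slide’s “Result = Malicious, Downloader = N, Trojan features = N” shape. Note what the toy leaves out that the slide attributes to the real product: unpacking of packed PE files, disassembly of binaries, and a learned weighting of features rather than a flat count.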


Training in Action – Human vs Machines
Human vs Machines detection over training period

(Chart: FortiAI Artificial Neural Network Detection Rate Comparison*)

Training phase(s) – Goal
• Pretrained before ship
• Highest detection rate
• Lowest false +ve rate

FortiGuard Updates
• ANN update
• Keep up with latest threats

Further learning
• On Customer Premises

*Detection Rate on FortiGuard QA samples


Summary

• Understand FortiAI VSA™ value – breach detection analysis
• How FortiAI fits into the Security Fabric – fabric and 3rd party integration options
• Use Cases FortiAI solves – outbreak analysis, sub-second analysis, trace source


FortiAI
demo
https://fortiai.fortidemo.com
demo / demo

V1.3
Virtual Security Analyst™ Report
• Verdict & Confidence Level
• Feature Breakdown
• Malware Classification & Description
• Hash / Type / Time / Appearance on Network (History)
• Similarity Engine Search
• Virus Family / Source


V1.4
FortiAI - AI-driven Security Operations
MITRE ATT&CK Mapping
• Investigator View
• Map malware into MITRE ATT&CK Tactics, Techniques and Procedures (TTPs)
• Click any to Filter

(Screenshot: Investigator View with VSA Risk analysis and Lite/Full Matrix Toggle)


V1.4
FortiAI - AI-driven Security Operations
Enhanced Attack Timeline
• New Logos for each attack type
• Clear Attack and Victim IP
• Worm Spreading Scenario


V1.4
FortiAI - AI-driven Security Operations
STIX v2 and JSON support

3rd Party Threat Intelligence platform integration
• STIX v2 Output
• JSON Output

(Screenshot: STIXv2 / JSON Output)
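As an added example of what a STIX v2 / JSON export of a verdict looks like for a threat-intelligence platform, the Python below builds a STIX 2.1 bundle (a malware object, an indicator carrying a file-hash pattern, and the relationship between them) plus a flat JSON record, and runs the sanity checks a consumer would apply before ingesting. This is not FortiAI’s exporter and the record layout is not FortiAI’s log format; the verdict fields, the family name, the placeholder hash and the UUID namespace are constructed for the example, and only the STIX 2.1 object layout is standard.

```python
"""Verdict -> STIX 2.1 bundle and plain JSON (added example, not FortiAI code)."""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed namespace so ids are reproducible here; a real exporter would use uuid4().
_NS = uuid.UUID("00000000-0000-0000-0000-00000000c0de")

# Constructed verdict record (the shape is this example's own, not a FortiAI log format).
SAMPLE_VERDICT = {
    "sha256": "a" * 64,           # placeholder hash, not a real sample
    "file_name": "invoice.bin",
    "verdict": "Malicious",
    "malware_type": "Downloader",
    "family": "ExampleFamily",    # constructed name
    "first_seen": "2020-08-30T10:00:05Z",
    "victim_ip": "10.0.0.25",
}


def _stix_id(stix_type, key):
    return f"{stix_type}--{uuid.uuid5(_NS, key)}"


def to_stix_bundle(v, now=None):
    """Build a STIX 2.1 bundle: malware SDO, indicator with a file-hash pattern, and the relationship."""
    now = now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    malware = {
        "type": "malware", "spec_version": "2.1",
        "id": _stix_id("malware", "malware:" + v["family"]),
        "created": now, "modified": now,
        "name": v["family"], "is_family": True,
        "malware_types": [v["malware_type"].lower()],   # 'downloader' is in the STIX malware-type vocabulary
    }
    indicator = {
        "type": "indicator", "spec_version": "2.1",
        "id": _stix_id("indicator", "indicator:" + v["sha256"]),
        "created": now, "modified": now,
        "name": f"{v['verdict']} file {v['file_name']}",
        "indicator_types": ["malicious-activity"],
        "pattern": f"[file:hashes.'SHA-256' = '{v['sha256']}']",
        "pattern_type": "stix",
        "valid_from": v["first_seen"],
    }
    rel = {
        "type": "relationship", "spec_version": "2.1",
        "id": _stix_id("relationship", "indicates:" + indicator["id"] + malware["id"]),
        "created": now, "modified": now,
        "relationship_type": "indicates",
        "source_ref": indicator["id"], "target_ref": malware["id"],
    }
    return {"type": "bundle", "id": _stix_id("bundle", "bundle:" + v["sha256"]),
            "objects": [malware, indicator, rel]}


# STIX ids are "<type>--<UUID>"; this example always emits version-5 UUIDs.
STIX_ID = re.compile(r"^[a-z-]+--[0-9a-f]{8}-[0-9a-f]{4}-5[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")


def check_bundle(bundle):
    """Minimal consumer-side check: ids well-formed, spec_version set, relationship refs resolve."""
    ids = {o["id"] for o in bundle["objects"]}
    for o in bundle["objects"]:
        if not STIX_ID.match(o["id"]) or o.get("spec_version") != "2.1":
            return False
        for ref in ("source_ref", "target_ref"):
            if ref in o and o[ref] not in ids:
                return False
    return True


def to_record(v):
    """Flat record for SIEM/SOAR consumers that do not speak STIX."""
    return {"hash_sha256": v["sha256"], "verdict": v["verdict"], "malware_type": v["malware_type"],
            "victim_ip": v["victim_ip"], "first_seen": v["first_seen"]}


def to_json(v):
    return json.dumps(to_record(v), sort_keys=True)


if __name__ == "__main__":
    bundle = to_stix_bundle(SAMPLE_VERDICT)
    print(json.dumps(bundle, indent=2))
    print("bundle ok:", check_bundle(bundle))
    print(to_json(SAMPLE_VERDICT))
```

Because the ids derive from the hash and family name, re-exporting the same verdict yields the same objects, which lets a receiving platform de-duplicate rather than accumulate copies; with random uuid4 ids that de-duplication has to be done on the pattern instead.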


V1.3
AI-driven Security Operations
FortiAI Outbreak Search
• Search by Exact Hash or Similar files (variants)
• Search by Exact Hash / Outbreak name e.g. WannaCry
• VSA™ Manual
• History of Malware on network
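The Outbreak Search slide above and the earlier Outbreak Search & Similarity Engine slide both describe looking up a headline malware by exact hash or outbreak name and then finding its variants on the network. The Python below is an added illustration of that search over a small in-memory index; it is not FortiAI’s engine. Similarity here is Jaccard overlap of the feature ids each file matched (an assumed measure chosen for the example), and the index, hashes, feature ids and host addresses are all constructed.

```python
"""Outbreak search by exact hash or by similar feature set (added example, not FortiAI code)."""

# Constructed index: file hash -> matched feature ids and the hosts the file was seen on.
FILE_INDEX = {
    "hashABC": {"name": "WannaCry",
                "features": {"smb.lateral_spread", "crypto.aes", "note.decrypt", "net.killswitch", "persist.service"},
                "hosts": ["10.0.0.12", "10.0.0.25"]},
    "hashDEF": {"name": "Variant 1",
                "features": {"smb.lateral_spread", "crypto.aes", "note.decrypt", "persist.service"},
                "hosts": ["10.0.0.31"]},
    "hashGHI": {"name": "Variant 2",
                "features": {"smb.lateral_spread", "crypto.aes", "note.decrypt", "net.killswitch",
                             "persist.service", "pack.upx"},
                "hosts": ["10.0.0.44"]},
    "hashJKL": {"name": "Unrelated tool",
                "features": {"net.http", "ui.messagebox"},
                "hosts": ["10.0.0.7"]},
}


def jaccard(a, b):
    """Overlap of two feature sets: |a & b| / |a | b| (1.0 for two empty sets)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def search_exact(index, file_hash):
    """Exact-hash lookup; None when the hash was never seen."""
    rec = index.get(file_hash)
    return None if rec is None else {"hash": file_hash, **rec}


def search_similar(index, file_hash, threshold=0.6):
    """Rank other indexed files by feature overlap with the query file, best first."""
    base = index[file_hash]["features"]
    out = []
    for h, rec in index.items():
        if h == file_hash:
            continue
        s = jaccard(base, rec["features"])
        if s >= threshold:
            out.append({"hash": h, "name": rec["name"], "similarity": round(s, 3), "hosts": rec["hosts"]})
    return sorted(out, key=lambda r: -r["similarity"])


def outbreak_search(index, query, threshold=0.6):
    """Resolve a hash or outbreak name, then return the exact hit, its variants and all affected hosts."""
    file_hash = query if query in index else next(
        (h for h, r in index.items() if r["name"].lower() == query.lower()), None)
    if file_hash is None:
        return {"query": query, "found": False, "hosts": []}
    exact = search_exact(index, file_hash)
    variants = search_similar(index, file_hash, threshold)
    hosts = sorted(set(exact["hosts"]).union(*(v["hosts"] for v in variants)))
    return {"query": query, "found": True, "exact": exact, "variants": variants, "hosts": hosts}


if __name__ == "__main__":
    result = outbreak_search(FILE_INDEX, "WannaCry")
    print("exact:", result["exact"]["hash"])
    for v in result["variants"]:
        print(f"variant {v['name']} ({v['hash']}) similarity={v['similarity']} hosts={v['hosts']}")
    print("affected hosts:", result["hosts"])
```

The threshold is the knob an analyst would tune: too low and unrelated files that share generic features (networking, UI) are reported as variants; too high and a repacked sample (the extra `pack.upx` feature in Variant 2) drops off the list.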


V1.3
VSA™ Threat Investigation – “Big Picture” analysis
• Filter on File/Malware types
• Shows timeline for infection

(Screenshot: Threat Investigation)


V1.3
AI-driven Security Operations – FortiGate Configuration
Security Fabric Integration – FortiGate Quarantine

FortiAI Security Fabric Configuration:
• Source of Fabric Device or Sniffer
• Specify which FortiGate VDOM to target


V1.3
AI-driven Security Operations
Express Malware Analysis – Manual & API Upload
• REST API upload & Manual GUI Upload
• Compress File Support (tar, gz, tgz, zip, bz2, rar)
• Password Support (e.g. infected)
• VSA™ Sub-Second verdict


FortiAI - What’s New v1.5.1

V1.5.1
FortiAI - AI-driven Security Operations
Security Fabric Pairing
• Appears in FortiOS topology
• FOS widgets to display type of malware on network (e.g. Ransomware, Banking Trojan)
• FortiAI Security Fabric Connector


FortiAI - AI-driven Security Operations
FOS 7.0.1
Background:
- FAI v1.4 uses ICAP and OFTP (FortiSandbox field) with FOS integration (FOS v6.4)
- Customer cannot run FSA/FAI at the same time
What’s New:
- FOS 7.0.1 / FortiAI v1.5.1 will have an ‘inline’ blocking feature, where the web/email traffic’s session will ‘hold’ and wait for FAI’s verdict
- The goal of this is to block “patient zero”, utilizing FortiAI’s sub-second verdict
- This is configured under the FortiGate AV profile (CLI, not the FSA field)
- FortiAI is “one of” the AV profile scanning options, e.g. AV engine and/or FortiAI verdict

(Diagram: inline blocking of threats; multiple files over an encrypted & optimized protocol)


V1.5.1
FortiAI - AI-driven Security Operations
FortiAnalyzer 7.0.1 Log View
• FAZ 7.0.1 Support (Fabric ADOM)
• Log View
  • Event Log (including performance, file summary statistics)
  • Attack Log (including kill chain logs)
• Default dataset and reports in future release


V1.5.1
FortiAI - AI-driven Security Operations
FortiSIEM Integration
• FortiSIEM v6.3 support
• Log Parsing
• FortiAI Dashboard
• New prefilter rule – attack killchain – block
• Shows victim IP/Malware family


V1.5.1
FortiAI - AI-driven Security Operations
FortiSandbox Integration (FSA v4.0.1)

• Goal 1: To reduce load for FSA dynamic scan (VM)
  • How: FortiAI returns a verdict of ‘absolute clean’ back to FSA; FSA “entrusts FAI” and optionally skips the dynamic (VM) scan
• Goal 2: Add coverage & context of malware
  • How: Utilise both technologies to increase coverage of malware detection. FortiAI provides features and malware type (e.g. Banking Trojan) back to FSA’s report
• Goal 3: Flexible integration options
  • How: Allow existing FSA customers and new customers options for integration. E.g.:
    • FWB → FAI (ICAP server)
    • FGT → FAI (inline blocking / OFTP)
    • FWB → FSA → FAI (reduce FSA load, increase coverage)
    • FGT → FSA → FAI (reduce FSA load, increase coverage)
V1.5.1
FortiAI - AI-driven Security Operations
FortiSandbox Integration (FSA v4.0.1) - Configuration

1. Generate FAI user token (CLI or GUI)
2. Configure FSA <-> FAI pairing
3. Configure FSA Scan profile
4. View results in FAI logs / Device Input *

Figure – FSA Scan profile with “FortiAI entrust”
Figure – FSA FortiAI system settings
* FSA device only appears after a file is submitted
