FortiWeb Release 6.0: AI-based Machine Learning for Advanced Threat Detection

Cybercriminals are increasingly targeting public and internal web applications. Today, nearly half of all data breaches are caused by attacks targeting web application vulnerabilities. To protect your organization from such attacks, Web Application Firewalls (WAFs) are the gold standard. However, some organizations may be reluctant to use these devices as they have a reputation for being very resource-intensive, especially when it comes to quickly addressing false positive detections in order to ensure that legitimate users and applications don’t get blocked.

Traditional WAF Threat Detection

The primary reason for the high number of false positive detections generated by most WAF solutions is the underlying core behavioral threat detection method being used. That’s because modern WAFs in use today rely solely on an observational method for threat detection called application learning (AL).

Application learning (AL) automates the building of profiles for the structure and usage of any web-based applications it encounters. Once enough information is collected, AL then builds policies based on what it has monitored. Subsequent user activities must then adhere to these protection policies or they are identified as anomalies that trigger an action to be taken. These actions can include any combination of logging, alerting, and even the blocking of these detected activities. This detection and response method works to stop sophisticated hackers from attempting to exploit known vulnerabilities or launch zero day attacks.

The Limitations of Application Learning

While this first generation of WAF functionality has certainly improved our ability to identify and respond to web application threats, it still leaves much to be desired in terms of accuracy. Because a WAF solution can generate a high number of false positive detections that can potentially block critical, non-malicious traffic, many organizations have had to dedicate their limited resources to managing policies and exceptions. That’s because there is simply no good way for AL to account for every variation of normal application usage, or to easily adjust to changes in an application, without triggering an anomaly-based filter.

The fundamental problem lies with application learning (AL). Because AL is solely observational, it flags anomalies based only on what it has previously witnessed. This technology simply does not have the necessary intelligence to determine whether a detected anomaly is an attack or is simply benign.

Replacing AL with Machine Learning

FortiWeb’s new machine learning (ML) technology delivers a completely different approach to threat detection to the web security market. This new approach leverages probability to identify threats rather than running exacting matches against observed activities.

Similar to AL, ML collects data on each application element as users go about their normal application interactions. Unlike AL, however, ML uses a statistical model to determine whether an HTTP request varies significantly from previously observed requests. Only when a request has strayed too far what is considered “normal” does the FortiWeb ML flag that request as an anomaly.

Even better, this more intelligent and flexible approach is just the first of two of layers of machine learning function provided by this new ML strategy. Once an anomaly has been identified, it then uses a second layer of machine learning to determine if it is a threat or simply a benign variance, such as a typo, a new character that hadn’t been seen previously, or even a legitimate change to the application itself. It does this by running the detected anomaly through multiple, highly trained threat models to determine whether it is an attack. If it is, then like AL it can take actions such as logging, alerting, and/or blocking the anomaly.

To improve its threat detection efficiency even further, Fortinet has combined its advanced AI-based machine learning capabilities with its FortiWeb WAF to create a variety of specific threat models. Each model represents a specific attack category (SQL Injection, Cross-site Scripting, OS Injection, etc.) These threat models have been extensively trained and tested by the FortiWeb development team using thousands of real attack samples from various sources, including well-known third-party databases such as CVE and Exploit DB, threat intelligence from our own FortiGuard Labs, and data collected through leading third-party vulnerability scanners. These models are included as part of the FortiWeb solution, and constant updates are included as part of the FortiGuard WAF Security Service in order to provide real-time protection against new threats that require model retraining and testing.

Improved Accuracy and Reduced Overhead

Attack detection accuracy with ML is improved to nearly 100% using this two-step approach. Instead of flagging and blocking every anomaly, FortiWeb’s new machine learning technology is able to flag anomalies and then quickly and precisely determine whether they are a threat before taking action in order to ensure that critical applications and transactions are never interrupted. In addition to addressing the false positive detections caused by traditional AL-based WAF solutions, these advanced FortiWeb ML engines are also able to dramatically reduce “false negatives,” which are better known as attacks that are designed to evade WAFs that use application learning.

Securing application environments presents a unique challenge to IT teams, which is why, according to a recent IDG survey, 83-percent of enterprise IT executives believe that application security is critical to their IT strategy. Whether you are one of those organizations just now considering a WAF for your organization, want to replace an existing solution that is consuming too many critical IT resources, or even if you are a current FortiWeb customer, we encourage you to put the new FortiWeb 6.0 with machine learning to the test.