FortiAI Partner Technical Enablement

FortiAI
Next Generation Network Security

Artificial Intelligence in Cyber Security
Agenda
01 02
FortiAI Evolution of Malware
Product Vision
03 04
FortiAI introduction Virtual Security AnalystTM
Capabilities
05 06
How FortiAI works Demo
© Fortinet Inc. All Rights Reserved. 2

FortiAI
Product Vision
FortiAI Product Vision / Goal
“Uses ML/AI to mimic human intensive functions,
with Virtual Security AnalystTM to assist SecOps in breach protection.”
Breach Reduced
Investigation Detection Time
Use ML/AI to mimic some Reduce detection time from
intense human functions minutes to sub-second verdict
• Incident analysis
• On average 3-5 years
experience with 1 week+
to trace source of attack
• Outbreak Search
• Malware Analyst

Fortinet Cybersecurity Platform
Enterprise Security Fabric
Zero-Trust Network Security-driven Dynamic Cloud AI-driven Security

Access Networking Security Operations Fabric
Management
Center
Endpoint Network Firewall Applications Endpoint Security

Access
NAC SD-WAN Platform Breach Prevention FortiAI
Secure WLAN/LAN
Identity Network Incident Response
SASE/SWG
© Fortinet Inc. All Rights Reserved. Revised as of August 30, 2020 5

Threat Landscape Over Two Decades
AI-driven attacks requires AI-driven detection
5B 5B+
4.7B
39M* 826M 1B+

604M
67M 147M 259M 3.2M
4M 4.37M* 7.47M
Cumulative Records Stolen Annual # of Ransomware Attacks
Significant
Threat
Incidents Sasser VPNFilter
Melissa Code Red Slammer Zeus Conficker Stuxnet Cryptolocker Wannacry COVID-19
Timeline 1990–1999 2000–2001 2002–2003 2004–2005 2006–2007 2008–2009 2010–2011 2012–2014 2015–2017 2018–2019 2020+
© Fortinet Inc. All Rights Reserved. *many undisclosed | Record Stolen Reference—Breach Level Index | Ransomware stats—Statista 6
An overview of
Malware Evolution
History of Artificial Intelligence
Nearing a Century of AI
Turing, Kleene AI research The First AI applied to data Deep learning IBM Watson Fortinet Fortinet
and Church formally founded AI Winter mining, medical is achieved using application for AutoCPRL – using introduce AI in
propose machine as a discipline at Difficulty resulted diagnosis with faster computing, management ML for malware Web application
learning solution Dartmouth in funding cuts in increased CPU large data decisions of lung detection i.e. Security
College US and Britain power structures cancer treatment machine
generated CRPL
Fortinet
acquires Zonefox
1943 1960s 1980s 1997 2012 2015 2017 2020
1930s 1956 1974 1990s 2003 2013 2016 2018
Fortinet started
product research
McCullouch and IBM Deep Blue in AI technology, Elon Musk calls Fortinet
Pitts create formal AI research Proliferation of beats Grand first iteration of for the regulation FortiAI Ready to
design of Turing’s heavily funded by Expert Systems Master Kasparov machine learning 2,700+ AI projects of AI before we hit launch as a
‘artificial neurons’ the U. S. military Lisp vs. PC in chess in Cybersecurity in place at Google 100 years product
Use of AI in CyberSecurity

Evolution of Malware Detection
Methods & Problems
“We create new technology

to solve problems that
Artificial
existing technology 3
rd
Gen
Intelligence
cannot solve today.” • Machine Learning
M. Xie, CTO Fortinet • Virtual Security Analyst TM
ATP
2 • Sub-second Verdict
nd
Gen
Toolkit
• Malware evolves
• Time to detect – minutes
Signature
1
st
• Automated malware analysis
Gen
Based
• Detection Delay
• Intense Compute
• Static Analysis
Evolution

Malicious Code Detection
Advance Threat Protection (ATP) products at a glance
AV engine FortiSandbox FortiAI FortiDeceptor
Inspect core of apple… Let me take a bite… Let me describe it - Let me place
rotten, smells... more apples…
Um, it’s bad. Um, it’s bad.
Um, it’s bad. …with traps.

FortiAI
Introduction
AI / Machine Learning: what do we expect?
• Machine Learning to find PATTERN

• Identify and Grouping of FEATURES
(aka the ‘dots’)
• FortiAI is ‘trained’ with Clean
and Malicious and other features
(e.g. Ransomware), 20+ more
malware types
Dim2
• Supervised Learning –
Feeding it with “right” data from
FortiGuard
Result
• Patent pending Neural Network for
sub-second detection, with analyst
logic
Dim1

FortiAI at a GlanceTM
Virtual Security AnalystTM powered by Deep Neural Networks that identifies and

classifies, and investigates, and blocks sophisticated threats in sub-second.
99.9%* <100 ms 100K

Detection Rate* Sub-Second Detection Files / hour
10G 20+ 200 Billion

Network Throughput Attack Scenarios Exposed Features
© Fortinet Inc. All Rights Reserved. * Measured by Breaking Point malware strike pack 13
FortiAI Key Benefits
Virtual Security Breach Fabric

AnalystTM Prevention Integration
• Trace Source on infection • Sub-second Verdict • Blocking & Quarantine with

FortiGate(s)
• Outbreak Search • Threat Investigation
• STIXv2 / JSON output
• Personal Malware Analyst • Big Picture analysis
• REST API for submission
• On Prem Learning • Attack Scenarios
• FortiAnalyzer/FortiSIEM support
• FortiSandbox integration (increase
coverage)
• SYSLOG / ICAP for 3rd party
Cost of a Security Analyst
Solution ROI
Cost of a Security Analyst*

in USD
• 60-95K USD annually
• 5-6 years of experience
Skillset Required
• Malware research experience
• Breach investigation analysis
Consider
• Cost of a Breach, Reputation
Damage
• Offload current SA / Human Errors
• Human + AI analyst
* Based on https://www.salary.com/research/salary/benchmark/information-security-analyst-ii-salary

FortiAI Deployment Diagram
FortiGuard Neural
Network Updates
Virtual
Security
AnalystTM
HQ FortiGate
(Inline Blocking)
Infected
Source
Worms /
Integrated / Encrypted submissions Lateral
Movement
Malicious File FortiAI

(ICAP Server)
Remote
Protected
FortiGate(s)
endpoints
File submission Verdict
FortiSIEM & FortiAnalyzer FortiSOAR File FortiSandbox Sniffer / SPAN SMB

v2, Web and Email Fortiweb Web servers
Logging and Reporting submission Integration DMZ servers
Traffic (ICAP client)
Virtual Security Analyst TM
Capabilities
FortiAI Virtual Security Analyst TM
Tracing the source of attack
Attack Scenario
How malware was spread
through the network
Scenario Finding “Patient Zero”
based engine linking infections by time
Sub-second verdict
Ability to quarantine with FortiGates
SMB
Patient Zero Worm Spread

FAI GUI: kill chain analysis
Malware Analyst Function
Your malware analyst –

identify 20+ Attack Downloader Redirector Dropper Ransomware Worm
Scenarios
• Such as Ransomware, Dropper, Password Banking
RootKit InfoStealer Exploit
PWS Stealer Trojan
(Password Stealing Trojan),
CoinMiner,
Banking Trojan, Fileless attack etc Clicker Virus Application CoinMiner DoS
• Answers the questions:

• What type of malware attacks am I Search
under? BackDoor WebShell Engine Proxy Trojan
Poisioning
• What is the intent of malware?
• Why is it malicious?
Phishing Fileless Wiper Industroyer
• Feature “Tagging” in logs

Outbreak Search & Similarity Engine
Allows searching of malware & its variants on network
Outbreak FortiAI
Search Similarity Engine
CIO FAI VSATM
Variant 1 Hash DEF
WannaCry
Variant 2 Hash GHI
Hash ABC
Variant…N Hash JKL
Q: Are we infected A: Let me search!
by this headline
malware? e.g.
Similarity
WannaCry Engine

“On- Prem” Self Learning
Learning from Customers’ Traffic
FortiAI – On Prem Learning

Purpose: Feature Extraction
1. Reduce False Positive CLEAN and MALICIOUS
2. Increase Detection Rate
Detection Rate
FortiAI –
PRE-trained
On-Prem
(6mil+ features)
Detection! learning Features
(feedback)
Time

A closer look at how
FortiAI works
FortiAI - Under the Hood
Patent pending # U.S. Serial No.: 16/053,479
Single Layer of Neural Network

• Pre-trained with 20mil+ clean and malicious files
• Billions of clean and malicious features learnt
Each node (middle circles)

represents an “Analyst”
• Job function - to determine if they match a single
malware feature
• Current features DB consists:
• PE features (Portable Executables) & Non-PE features
• Via techniques such as file analysis of registry values, stack Input layer Output layer
status, execution flow etc.
Does not require to ‘run’ the file

(vs Sandboxing)
• hence speed (sub-second)
1 Layer of ANN
• Identify good/bad instantly 6 mii+ nodes

FortiAI
Malware Detection Workflow
Files Code Verdict

Blocks
Binary Scripts Downloader
Input layer Output layer

Feature Code Blocks Feature Result = Malicious
Extraction • Average 3000+ Matching (or Clean)
• Text Parser (script), per file • Match Features Detected # e.g.
Disassembler (PE) • Count • Downloader = 26
• De-obfuscate • Prioritize • Trojan features = 5
• Unpack • Ransomware = 2
Neural Networks
• Features DB
• 6mil+ Features
• GPU/hardware accelerated

Training in Action – Human vs Machines
Human vs Machines detection over training period
FortiAI Artificial Neural Network Detection Rate Comparison*

• Pretrained before ship
Training phase(s) Goal

• Highest detection rate
• Lowest false +ve rate
FortiGuard Updates
• ANN update
• Keep up with latest threats
Further learning
• On Customer Premises
© Fortinet Inc. All Rights Reserved. *Detection Rate on FortiGuard QA samples 25

Summary
Understand FortiAI VSATM value

breach detection analysis
How FortiAI fits into in Security Fabric

fabric and 3rd party integration options
Use Cases FortiAI solves

outbreak analysis, sub-second analysis, trace source

FortiAI
demo
https://fortiai.fortidemo.com
demo / demo
V1.3
Virtual Security Analyst TM
Report
Verdict & Confidence
Level
Feature
Breakdown
Malware
Classification &
Description
Hash / Type / Time /

Appearance on Similarity Engine Virus Family / Source
Network (History) Search

V1.4
FortAI - AI-driven Security Operations
MITRE ATT&CK Mapping
• Investigator View
• Map malware into MITRE ATT&CK Tactics Techniques and Procedures (TTPs)
• Click any to Filter
Investigator View
VSA Risk analysis
Lite/Full Matrix Toggle

V1.4
FortiAI - AI-driven Security Operations
Enhanced Attack Timeline
New Logos for each

attack type
Clear Attack and

Victim IP
Worm Spreading
Scenario

V1.4
STIX v2 and JSON support
3rd Party Threat Intelligence platform integration

• STIX v2 Output
• JSON Output
STIXv2 / JSON
Output

V1.3
AI-driven Security Operations Search by Exact Hash or
Similar files (variants)
FortiAI Outbreak Search
Search by Exact Hashm /

Outbreak name e.g. WannaCry
VSATM Manual
History of Malware on network

V1.3
VSA TM
Threat Investigation – “Big Picture” analysis
Filter on File/Malware
types
Shows timeline for

infection
Threat Investigation

V1.3
AI-driven Security Operations FortiGate Configuration
Security Fabric Integration – FortiGate Quarantine
FortiAI Security Fabric Configuration:
Source of Fabric
Device or Sniffer
Specify which
FortiGate VDOM to
target

V1.3
AI-driven Security Operations
Express Malware Analysis – Manual & API Upload
• REST API upload & Manual GUI Upload

• Compress File Support (tar, gz, tgz, zip, bz2, rar)
• Password Support (e.g. infected)
• VSATM Sub-Second verdict

FortiAI - What’s New v1.5.1
V1
.54
Security Fabric Pairing
• Appears in FortiOS topology
• FOS widgets to display type of malware
on network (e.g. Ransomware, Banking
Trojan)
• FortiAI Security Fabric Connector

FOS 7.0.1
Background:
- FAI v1.4 uses ICAP and OFTP (FortiSandbox Field) with FOS
integration (FOS v6.4)
- Customer cannot run FSA/FAI at same time
What’s New:
- In FOS 7.0.1 / FortiAI v1.5.1 will have ’inline’ blocking feature, where
web/email traffic’s session will ‘hold’ and wait for FAI’s verdict
- Goal of this is to block “patient zero”, utilizing FortiAI’s sub-second
verdict Inline blocking of Multiple files over
threats encrypted &
- This is configured under FortiGate AV profile (CLI, not FSA field) optimized protocol
- FortiAI is “one of” the AV profile scanning options. E.g. AV engine

and/or FortiAI verdict

V1
.5
.1
FortiAnalyzer 7.0.1 Log View
• FAZ 7.0.1 Support (Fabric ADOM)
Log View
• Event Log (including performance,
file summary statistics)
• Attack Log (including kill chain logs)
• Default dataset and reports in future
release

V1
.5
.1
FortiSIEM Integration
• FortiSIEM v6.3
support
• Log Parsing
• FortiAI Dashboard
• New prefilter rule –
attack killchain –
block
• Shows victim
IP/Malware family

V1
.5
FortiAI - AI-driven Security Operations .1
FortiSandbox Integration (FSA v4.0.1)
• Goal 1: To reduce load for FSA dynamic scan (VM)

• How: FortiAI returns verdict of ‘absolute clean’ back to FSA, FSA “entrust FAI” and optionally
skip dynamic (VM) scan
• Goal 2: Add coverage & context of malware

• How: Utilise both technology to increase coverage of malware detection. FortiAI provides
features and malware type (e.g. Banking Trojan) back to FSA’s report
• Goal 3: Flexible integration options

• How: Allow existing FSA customers and new customers options for integration. E.g.
FAI (ICAP server)
FGT FAI (inline blocking/ OFTP) FWB
FWB
FGT
FSA FAI (reduce FSA load, FSA FAI (reduce FSA load,
increase coverage)
© Fortinet Inc. All Rights Reserved. increase coverage)
41
V1
.5
FortiAI - AI-driven Security Operations .1
FortiSandbox Integration (FSA v4.0.1) - Configuration

Figure – FSA Scan profile with “FortAI entrust”
1. Generate FAI user token (CLI or GUI)
2. Configure FSA <-> FAI pairing
3. Configure FSA Scan profile
4. View results in FAI logs / Device Input *
Figure – FSA FortiAI system settings * FSA device only appears after file is submitted

FortiAI Partner Technical Enablement

Uploaded by

Copyright:

Available Formats

FortiAI Partner Technical Enablement

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FortiAI Partner Technical Enablement

Uploaded by

Copyright:

Available Formats

FortiAI

Next Generation Network Security

© Fortinet Inc. All Rights Reserved. 2

© Fortinet Inc. All Rights Reserved. 4

Zero-Trust Network Security-driven Dynamic Cloud AI-driven Security

Endpoint Network Firewall Applications Endpoint Security

NAC SD-WAN Platform Breach Prevention FortiAI

© Fortinet Inc. All Rights Reserved. Revised as of August 30, 2020 5

39M* 826M 1B+

Cumulative Records Stolen Annual # of Ransomware Attacks

1943 1960s 1980s 1997 2012 2015 2017 2020

1930s 1956 1974 1990s 2003 2013 2016 2018

© Fortinet Inc. All Rights Reserved. 8

“We create new technology

© Fortinet Inc. All Rights Reserved. 9

AV engine FortiSandbox FortiAI FortiDeceptor

© Fortinet Inc. All Rights Reserved. 10

• Machine Learning to find PATTERN

© Fortinet Inc. All Rights Reserved. 12

Virtual Security AnalystTM powered by Deep Neural Networks that identifies and

99.9%* <100 ms 100K

10G 20+ 200 Billion

Virtual Security Breach Fabric

• Trace Source on infection • Sub-second Verdict • Blocking & Quarantine with

Cost of a Security Analyst*

© Fortinet Inc. All Rights Reserved. 15

Malicious File FortiAI

FortiSIEM & FortiAnalyzer FortiSOAR File FortiSandbox Sniffer / SPAN SMB

© Fortinet Inc. All Rights Reserved. 18

Your malware analyst –

• Answers the questions:

© Fortinet Inc. All Rights Reserved. 19

Allows searching of malware & its variants on network

© Fortinet Inc. All Rights Reserved. 20

FortiAI – On Prem Learning

© Fortinet Inc. All Rights Reserved. 21

Single Layer of Neural Network

Each node (middle circles)

Does not require to ‘run’ the file

© Fortinet Inc. All Rights Reserved. 23

Files Code Verdict

Binary Scripts Downloader

Input layer Output layer

© Fortinet Inc. All Rights Reserved. 24

FortiAI Artificial Neural Network Detection Rate Comparison*

Training phase(s) Goal

© Fortinet Inc. All Rights Reserved. *Detection Rate on FortiGuard QA samples 25

Understand FortiAI VSATM value

How FortiAI fits into in Security Fabric

Use Cases FortiAI solves

© Fortinet Inc. All Rights Reserved. 26

Hash / Type / Time /

© Fortinet Inc. All Rights Reserved. 28

VSA Risk analysis

Lite/Full Matrix Toggle

© Fortinet Inc. All Rights Reserved. 29

New Logos for each

Clear Attack and

© Fortinet Inc. All Rights Reserved. 30

3rd Party Threat Intelligence platform integration