A multitemporal AI architecture powers the Custody NDR

New French software is entering the fray for next-generation network detection and response (NDR) solutions. Called Custody, the solution stands out from its competitors due to the intensive use of artificial intelligence (AI) to avoid the flood of false positives generated by the classic rule-based approach.

“Artificial Intelligence is a response to the increased volume of attacks and to one of the weaknesses of existing NDRs, false positives”, argues Sébastien Sivignon, CEO of Cyblex Technologies. “Although NDRs generate a lot of noise, we wanted to create a tool that was simple and generated fewer false positives.”

The challenge: detect weak signals without triggering an avalanche of false positives

For William Ritchie, CTO and former director of artificial intelligence research at CNRS, AI brings only advantages to detection: attackers know the rules of security frameworks as well as CISOs do and can develop bypass techniques. AI-based detection will therefore be much harder to bypass, because the AI can constantly adapt to attack attempts.

The other expected virtue of AI is to contain the number of false positives. To deliver on that promise, the start-up worked with LAAS (the CNRS Laboratory for Analysis and Architecture of Systems) to develop an AI that is accurate in detection while generating fewer false positives.

“Our approach is to use every source of information at our disposal to make NDR as relevant as possible in our customers’ cyber ecosystem. You cannot have complete visibility without a SIEM/EDR/NDR mix.”

Sebastien Sivignon, CEO of Cyblex Technologies.

The result of this research is what the company calls multitemporal AI, whose particularity is to work simultaneously on several different timescales, from one millisecond to several weeks. “The Meta Learner consists of an AI that orchestrates 4 others, each working on a different time scale”, explains the CTO.

He goes on to specify: “generally, the solutions work at the level of the network flow. We have an AI that works at this level, but with a much finer granularity, on the order of milliseconds. This makes it possible to search for packet arrival-time signatures and reveal Command & Control sequences. Another AI works on a scale of minutes to analyze network flows between IP addresses, and finally a last one works on a scale of several weeks. This allows you to analyze the behavior of a machine and identify a server that would suddenly do BitTorrent on a Sunday…”

The architecture imagined by the researchers consists of 3 supervised AIs (milliseconds, seconds and minutes) and an unsupervised AI that works on a weekly scale. Everything is orchestrated by the Meta-Learner, which retains the important information from these different timescales. The vendor claims that this approach reduced the volume of false positives on its test datasets by a factor of 88 compared to a mechanism that works only on network flows.

A hybrid technical architecture

Technically, a probe is installed on the company’s network and feeds a backend deployed on AWS. The hyperscaler was chosen for its ability to host Custody’s AI models. “The first demonstration was held last September and the solution is ready to be deployed at each customer”, the CTO assures. “The philosophy adopted is that each customer’s data feeds a separate data lake and that there is no pooling of this data to drive AI training. However, we have mastered the technology to do federated learning; we have tested it. If the approach appeals to our customers, we can put that capability on our roadmap.”

Architectural diagram for implementing the Custody solution.

While choosing a US cloud provider to host NDR data may raise questions for some customers, Sébastien Sivignon specifies that only metadata is transferred to the cloud and that all network-processing load remains on the customer’s side. “We were at an impasse with the on-site approach,” he explains. “The choice of AWS was the result of a technical analysis and the availability of the services we needed. As soon as other sovereign cloud providers, such as OVHcloud, offer the same types of services, we will be able to offer a multi-cloud offering”.

In addition to the data collected by the network probe, the NDR can ingest third-party data. The vendor already has integrations for the Suricata IDS and for OpenCTI data. Threat intelligence data is integrated at the Meta Learner level.

Custocy’s analysis architecture is based on 3 supervised AI models and 1 unsupervised AI model working on four different timescales, all orchestrated by the Meta-Learner, a building block that can be fed with third-party data.

Finally, in addition to the learned AI models, whitelisting can be configured at several levels to stop reporting alerts for a given type of behavior on a specific machine. Sébastien Sivignon adds: “we do not intend to enter the field of XDRs, but to provide a complementary NDR brick to EDRs, which will focus on the network and exploit multiple sources, in particular to detect the lateral movements of attackers”.

An NDR for SMEs and mid-sized companies (ETIs)

The solution is designed for SMEs and mid-sized companies (ETIs) with 500 to 8,000, or even 10,000, IP addresses. The vendor is targeting ETIs directly, but is also building an indirect channel through managed security service providers (MSSPs) looking for an NDR to enrich their managed SOC offerings.

The vendor is working on connecting its NDR to a partner’s SIEM to enrich the data available to analysts. Another project concerns integrating the NDR into an MSSP’s XDR.

However, Cyblex Technologies does not seem to want to hunt on Thales’ or Gatewatcher’s turf by going after OIV (operators of vital importance) customers who require ANSSI-qualified products: “An ANSSI certification seems important to us, in particular to gain confidence in the French market”, explains Sébastien Sivignon, “We are targeting CSPN certification by the end of 2023”.

The full qualification process is considered too heavy for a start-up still in its launch phase. Cyblex Technologies currently has 14 people, 30% of whom are PhDs or doctoral students. The vendor expects “controlled” growth in France in 2023.

The solution is currently being deployed at a first customer. It was also selected by the Swiss Tech4Trust acceleration program, which should allow the start-up to mature and, in parallel, open up the Swiss market.
