Performance and detection: AI expertise applied to cybersecurity

How to optimize detection and remediation capabilities with Artificial Intelligence, while enabling users to benefit from continuous innovation and new features.

In addition to detecting known threats, an EDR can also identify unknown threats that are not listed in virus databases, thanks in particular to the contribution of Artificial Intelligence (AI).  

In fact, AI is designed to complement the detection work carried out by Indicators of Compromise and by signature-based and behavioral engines.

The contribution of AI to cybersecurity has now been proven, and as an Infrastructure Manager, CISO or CIO, you may be asking yourself a number of questions, for example about:

  • resource consumption induced by the use of AI;  
  • updates to keep pace with evolving threats;  
  • coverage by endpoint and OS type. 

In 3 points, here are some answers in the light of the work carried out by HarfangLab’s technical teams.

We’ll see that security, detection capacity and user experience are indeed compatible, and also how HarfangLab’s EDR protects the information system from evolving threats while preserving the performance of workstations and servers.

Miniaturization of AI models

for optimum resource consumption and detection capability.

An agent installation package weighs several dozen MB. If further weight were added to include an AI model, endpoint performance would necessarily be degraded.   

To avoid this problem, in addition to the agent’s ability to consume very few resources (only 90MB of RAM and less than 0.5% of CPU), the libraries and models used by HarfangLab are optimized: the neural network designed to detect malware weighs a maximum of 5MB, including dependencies!

This feat means that the solution can run even on low-powered devices.  

The lightness of the models also means that they can be integrated directly into the agent for optimum responsiveness. This means that threats can be detected as early as possible, without having to be sent to a cloud.   

In short, the lightweight nature of the AI models means that they can be integrated into the agent, both to ensure that the endpoints remain high-performance and to provide the earliest possible detection capability.

As we pointed out earlier, attackers are constantly innovating to break into an information system, steal data, demand ransom, and so on. So how can we use Artificial Intelligence to ensure that an information system always benefits from protection adapted to an organization’s cyber context?

Automated rollout

for regular, rapid deployment of re-trained models, to keep pace with changing threats.

In the face of a constantly adapting threat landscape, AI models need to be re-trained regularly and updated as quickly as possible.  

With this in mind, automating the release of learning models ensures that the level of endpoint protection is maintained continuously and keeps pace with the evolving cyber threat landscape.

For users, this agent update is transparent, requiring no restart of the workstation. In fact, the way our AI models are deployed is identical to that adopted for agent updates: simple and frictionless.  

The process is as quick to say as it is to do: replace the binary and restart the service, all in a few seconds!  

Finally, bearing in mind that not all operating systems are likely to be affected by the same threats, how is this diversity of environments covered?

Shared development between operating systems

Two families of algorithms are used in HarfangLab’s EDR AI engine, regularly retrained as we have seen. These algorithms distinguish malicious files as follows:

  • one is based on extracting variables from the executable file;  
  • another takes the file as a whole (apart from a few transformations).  

Algorithms are developed with all operating systems in mind, and are designed to be ported from one to another. Generally speaking, algorithms are initially developed for Windows, and their porting is facilitated by our development practices in Rust.
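To make the two families concrete, here is an added example (not HarfangLab code, and not a description of their models) showing the two kinds of model input described above: structured variables parsed from a Windows executable’s headers, versus the whole file taken as a fixed-length sequence of bytes after a few transformations (truncation, padding with an out-of-alphabet value). The PE buffer is constructed inline and is not a real program; the field offsets follow the public PE/COFF layout. The function names are the example’s own.

```python
"""Two representations of an executable for a malware classifier:
(1) hand-extracted variables from PE headers, (2) the whole file as bytes."""
import math
import struct
from collections import Counter

PAD = 256  # out-of-alphabet padding value so padding never looks like a 0x00 byte


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 for empty input, up to 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_pe_variables(data: bytes) -> dict:
    """Family 1: extract a few structured variables from a PE (Windows executable).

    Reads the DOS header's e_lfanew pointer, checks the 'PE\\0\\0' signature and
    unpacks the COFF file header. Raises ValueError for anything that is not a PE,
    so a caller can route non-PE inputs to another engine instead of mis-scoring them.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    if len(data) < coff + 20:
        raise ValueError("truncated COFF header")
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    return {
        "machine": machine,
        "number_of_sections": nsections,
        "timestamp": timestamp,
        "size_of_optional_header": opt_size,
        "characteristics": characteristics,
        "is_executable_image": bool(characteristics & 0x0002),
        "file_size": len(data),
        "file_entropy": shannon_entropy(data),
    }


def whole_file_input(data: bytes, length: int = 2 ** 20) -> list[int]:
    """Family 2: the file 'as a whole, apart from a few transformations'.

    Bytes become integers 0..255, the sequence is truncated to `length`
    and padded with PAD (256) so every sample has the same shape for the model.
    """
    seq = list(data[:length])
    seq.extend([PAD] * (length - len(seq)))
    return seq


def build_sample_pe() -> bytes:
    """Constructed minimal PE-like buffer (not a real program): a DOS header whose
    e_lfanew points at a PE signature followed by a COFF header claiming two
    sections for x86-64, with IMAGE_FILE_EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x0022)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    sample = build_sample_pe()
    print(parse_pe_variables(sample))
    print(whole_file_input(sample, length=96)[:8], "...")
```

The first representation is cheap and explainable (each variable has a name an analyst understands), the second needs no parser and therefore cannot be defeated by a malformed header, at the price of a larger model input; both are produced on the endpoint before any model is consulted.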

In this way, miniaturization, automated release to production and shared development keep the time to production short.

It’s also thanks to this approach that HarfangLab’s EDR users can benefit from continuous innovation and new features!  

Indeed, the rapid transition to production means that we can quickly confront reality, and iterate to improve the solution’s detection and remediation capabilities. 

These AI algorithms have proven their worth in the detection of malicious files and processes, notably for advanced malware such as Neuron or Carbon, and even for classic attacker tools such as Mimikatz and its variants, which may be obfuscated.

AI applied to EDR also offers prospects for detection outside the agent, for example on the backend, as with one of the algorithms available since version 3.1 of HarfangLab, which identifies malicious PowerShell scripts.
