Darktrace unveils tailored AI models with a twist for its cybersecurity agent


Cybersecurity firm Darktrace has announced new AI models for its agentic AI security tool, with the firm aiming to proactively investigate threats and prevent them from spreading inside a compromised network.

Cyber AI Analyst is Darktrace’s agentic AI system, capable of analyzing threat data using custom machine learning (ML), natural language processing (NLP), and neural network models.

Unlike many other agentic AI systems on the market, Cyber AI Analyst does not solely rely on generative AI. Darktrace said this is because large language models and other generative AI foundation models can produce hallucinations without the solid grounding in data provided by tailor-made models for cybersecurity.

Darktrace Incident Graph Evaluation for Security Threats (DIGEST) is a model intended to help Cyber AI Analyst prioritize its responses to security incidents. For example, the agent can now identify which incidents are unlikely to become significant threats over time and deprioritize these compared to those it predicts will escalate in severity.

DIGEST uses graph neural networks (GNNs), often used to detect patterns in unstructured datasets for purposes like fraud detection or drug discovery, and recurrent neural networks (RNNs), which can make detailed predictions based on available data.

The second model, Darktrace’s Embedding Model for Investigation of Security Threats (DEMIST-2), is a language model intended to analyze security patterns such as suspicious host or file names, as well as monitor users on a given network, and create meaning out of this data to present to security teams.

DEMIST-2 is what’s known as an ‘embedding model’ intended to convert sparse data across a given environment into dense, mapped, contextual data that an ML model such as Cyber AI Analyst can use.

It was trained on a security-specific database, including 16,000 words centered around concepts such as file paths and command-line arguments, and is just 95 million parameters in size.

As such, it can be deployed across cloud, edge, and on-premises environments with no network connection, with Darktrace stating the model will outperform general-purpose models in any of these.

In practice, Darktrace showed how DEMIST-2 can identify specific attributes of a website’s structure that reveal the country it’s from, how that website connects to others, and use these to sort and contextualize host names. This data can then be used to inform security teams and actions that Cyber AI Analyst takes.

“Security teams are increasingly overwhelmed – facing not just a surge in alerts, but adversaries that are faster, stealthier, and more sophisticated,” said Tim Bazalgette, Chief AI Officer at Darktrace.

“To meet this challenge, we’ve augmented Cyber AI Analyst with two additional machine learning models. Unlike the foundational LLMs that underlie many generative and agentic systems, these models are purpose-built for cybersecurity and bring greater precision and depth of analysis into the SOC.

“By understanding how attacks evolve and predicting which threats are most likely to escalate, these models enable earlier detection, sharper prioritization, and faster, more confident decision-making.”

Darktrace pointed to customers such as software developer Meridian Cooperative, which has reduced its false positive alerts by 90%, and Middle River Power, an operator of critical national infrastructure in the US.

“Prior to Darktrace, it could have taken several hours before a threat was even detected, much less investigated and triaged,” said Ahmed Ibrahim, director of operations at Middle River Power.

“Using Darktrace, the entire detection and response process happens within a matter of minutes, if not seconds.”

AI in cybersecurity continues to expand

As cyber attacks grow around the world and AI-enabled threats present organizations with more sophisticated phishing, malware, and ransomware campaigns, security teams face huge volumes of work.

One of the benefits of AI agents is that they are capable of working autonomously and adapting to changing circumstances.

This means they can monitor enterprise networks during hours when few or no security workers are available and tackle threats as they arise, even if it’s a kind of threat they haven’t been given explicit instructions on.

Any role AI can play to reduce this burden is likely to be welcomed by cybersecurity professionals. But the concerns outlined by Darktrace, namely that generative AI can introduce unwanted errors or miss out on domain-specific context, align with common issues enterprises face when implementing generative AI at scale.

Darktrace said the proprietary language model it uses for DEMIST-2, for example, will avoid some of the common issues that more general models run into when trying to embed cybersecurity-specific data such as file names.

The focus on not just identifying suspicious activity but predicting exactly when it will begin to present a threat using DIGEST is also interesting. Darktrace noted that the tool can help to further reduce the amount of time security teams waste on incident response by leaning on its detailed understanding of threat lifecycles to help Cyber AI Analyst flag the most urgent tasks first.

Security teams will be aware that agentic AI can also empower threat actors, as attack and defense become more automated. With this in mind, any extra edge that AI can give them, such as richer information on how attacks are likely to progress or where their focus should be placed, will be welcome.
