ML algorithms
in Titan can detect and stop threats by scanning the traffic
for anomalies. Amazingly it can self-train itself to thwart
an attack that's unknown to today's cyber intelligence 
DNS Titan
from TCPWave reduces the time taken to contain a DNS tunnel
by 60%
The DNS Titan
from TCPWave is a perfect solution for enterprises to prevent
damages from malware or ransomware
The DNS Titan
from TCPWave transforms information security at the core
network services layer into a simple task
The DNS Titan's machine learning, mathematical models used for entropy calculations are extremely powerful in detecting activity that is abnormal
TCPWave TITAN is the one-stop solution for all your DNS security needs. It uses advanced technologies where AI/ML plays a significant role. One of the solutions that TITAN provides is DNS Tunnel Detection. These tunnel detection ML algorithms are trained using massive and varied DNS data, thereby helping it detect the malicious DNS traffic flowing through the DNS pathways in your organization.
Supervised learning is the machine learning task of learning a function that maps an input to an output based on input-output pairs given in the training phase. It infers a function from labeled training data consisting of training examples. In supervised learning, each example is a pair consisting of an input object (typically a multidimensional vector) and the desired output value (also called the supervisory signal). A supervised learning algorithm analyzes the training data and produces an inferred function, which can be used for mapping new examples. An optimal scenario allows the algorithm to determine the class labels for unseen instances correctly. It requires the learning algorithm to generalize from the training data to unseen situations in a "reasonable" way.
A random forest classifier is used as a classification algorithm. A random forest classifier is a bootstrapping algorithm with multiple decision trees acting in the model. The fundamental concept behind the random forest is the wisdom of crowds. Many relatively uncorrelated models (trees) operating as a committee outperforms any of the individual constituent models if we have 1000 samples of data with ten variables. Random forest tries to build multiple decision tree models with different samples and different initial variables. For instance, a random sample of 100 rows and 5 randomly chosen initial variables were used to build a decision tree model. It repeats the process (say) 10 times and then makes a final prediction on each observation. This final prediction can be the mean of each prediction.
The trained machine learning model to classify anomalous DNS queries uses a powerful Random Forest Classifier. Ability to retrain the model from the UI using organization-specific whitelisted data.
TThe queries filtered by the ML model pass through the set of rules defined by the network administrators. The rules can be query count threshold from a host, query count threshold for a domain, and other critical parameters.
Queries for the top 1000 public domains are whitelisted and are filtered before sending to the ML model for detection.
The machine learning model is applied to the contiguous live packets taken at the regular time interval. The detected queries by this model are passed to the traffic analysis rule-based model.
Various charts such as top 10 domains queried, top 10 hosts queried, top 10 successfully queried domains, top 10 failed domains, top 10 FQDN lengths, and many other charts give insight to the admin and help to define realistic rules.
The network administrator receives a notification on the Dashboard generated by the monitoring engine when malicious domains are detected. Admin can then block the domain in RPZ from the UI. Administrators can also whitelist domains. Admin can import domain reputation data for the system to remember while making decisions.
