
Administration Guide

AI and ML-based IPS detection

As cyber threats become increasingly sophisticated, traditional signature-based detection struggles to keep up. To improve it, AI and machine learning-based models are trained on features extracted during protocol decoding, for example from HTTP traffic. These models act as classifiers that distinguish exploits from clean traffic, and are built through supervised learning.

Instead of applying machine learning (ML) models blindly across all traffic, signatures are applied first as a preliminary filter, so that AI-based detection runs only on the traffic that warrants it. This hybrid approach reduces false positives while maintaining high performance.

CLI syntax

The setting is enabled by default at the IPS global setting level:

config ips global
    set machine-learning-detection {enable | disable}
end

The AI/Machine Learning IPS Definitions package is downloaded by FortiOS from FortiGuard through FortiGuard updates. Devices with an active IPS subscription can download this package. The package can be viewed in the diagnose autoupdate versions output.

# diagnose autoupdate versions | grep -A 7 AI

AI/Machine Learning IPS Definitions
---------
Version: 2503.00100 signed
Contract Expiry Date: Thu Jan  1 2032
Last Updated using manual update on Thu Mar 13 18:01:37 2025
Last Update Attempt: Thu Mar 13 18:01:37 2025
Result: Updates Installed

The IPS machine learning database version is displayed in the output of the get system status command.

# get system status

Version: FortiGate-1101E v7.6.3,build3495,250313 (interim)
First GA patch build date: 240724
Security Level: Low
...
IPS-MLDB: 2503.00100(2025-03-13 03:43)
...

The IPS machine learning rules can be displayed in the output of the get ips rule status command. For example, looking up rule 57293 returns the following:

# get ips rule status | grep -B 2 -A 16 57293 

rule-name: "Backdoor.Cobalt.Strike"
rule-id: 57293
rev: 0.000
date: 2025-03-12 09:00:00
action: pass
status: enable
log: disable
log-packet: disable
severity: 3.high
service: TCP, HTTP
location: client
os: All
application: All
rate-count: 0
rate-duration: 0
rate-track: none
rate-mode: continuous

Example

In the following example, AI and ML-based IPS detection is implemented on a regular firewall policy. As the IPS machine learning detection runs alongside traditional IPS signature detection, the configuration of the IPS sensor remains the same.

To add AI and ML-based IPS detection:
  1. Configure an IPS sensor with machine learning signature Backdoor.Cobalt.Strike set to block:

    config ips sensor
        edit "MI-test"
            config entries
                edit 1
                    set rule 57293 
                    set status enable
                    set action block
                next
            end
        next
    end
  2. Apply the IPS sensor to a firewall policy:

    config firewall policy
        edit 1
            set name "test"
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set ips-sensor "MI-test"
        next
    end
  3. Generate traffic from the client.

  4. Review the IPS event logs:

    # execute log filter category 4
    
    date=2025-03-14 time=11:46:12 eventtime=1741977972028174920 tz="-0700" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="high" srcip=10.1.100.240 srccountry="Reserved" dstip=172.16.200.240 dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=4012 action="dropped" proto=6 service="HTTP" policyid=1 poluuid="9d827014-00fa-51f0-e5af-640cfd149b4a" policytype="policy" attack="Backdoor.Cobalt.Strike" srcport=52294 dstport=80 hostname="10.0.2.78" url="/understand/CYBERDOCS31/S4IR30UL" agent="Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36" httpmethod="GET" direction="incoming" attackid=57293 profile="MI-test" ref="http://www.fortinet.com/ids/VID57293" incidentserialno=181403686 msg="backdoor: Backdoor.Cobalt.Strike" forwardedfor="IK_Z9RMF9GQECAZ5RZZ5CMHSUZZD4YTH6K8=\x07\x10Z%at=Icr>Gav=Jas?Nav?Coy?Lb<B`u?Baz=Jas<Bb~>Ga{2Laz<Maz2Oaz>Fcz>G`t<M`}>Ca{>Fcr>F`r" crscore=30 craction=8192 crlevel="high"
  5. Review the IPS debug logs:

    # diagnose ips debug enable all
    # diagnose debug enable
    
    ...
    [699@214]ips_process_event: ctx 14: 6 => 2
    [699@214]ips_process_event: ctx 14: 2 => 4
    [699@214]ips_ml_classify_internal: model=0 labels=[0.9960013, 0.0]@0=0.9960013
    [699@214]ips_match_rule: pattern matched 57293,99455: Backdoor.Cobalt.Strike
    [699@214]ips_match_rule: matched rule 57293 99455 Backdoor.Cobalt.Strike (weight:0)
    [699@214]ips_match_candidates: set best rule 57293 99455 Backdoor.Cobalt.Strike
    [699@214]ips_set_pkt_verdict: action=DROP
    [699@214]ips_set_pkt_verdict: turn tcp drop to DROP_SESSION
    [699@214]ips_report_alert_va_internal: v_id=57293, a_id=99455, log=1, log_pkt=1
    [699@214]ips_log: id=57293 conf=0x44, action=1
    [699@214]ips_log_packet: aid=99455 log=0xb
    [699@214]match_ips: disarm ftgd queries when request is to be blocked.
    [699@214]ips_process_event: ctx 14: 4 => 3
    [699@214]ips_handle_pkt_verdict: drop a session, size=296
    [699@214]ips_session_sched_release: serial=7429 close session 0x7f8a84751018, reason 0
    [699@214]ips_process_event: ctx 14: 3 => 5
    [699@-1]ips_dsct_http_prep_release_sess: sess 214: http release proxy layer
    Note

    To filter the debug logs so that only the machine learning classification results (the ips_ml_classify_internal lines) are displayed, enter diagnose ips debug enable ml instead of diagnose ips debug enable all.
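The following is an added example, not part of the Fortinet guide or FortiOS itself. It parses the IPS event log line and the IPS debug output shown above (constructed, shortened copies are embedded inline) so that a SIEM or triage script can confirm that a given rule was dropped by the sensor and read back the ML classifier's confidence. The field and message formats are taken from the output on this page; the rule id and confidence threshold are parameters you would tune.

```python
import re

# Constructed sample: the IPS event log line from this page, shortened to the fields
# the parser needs. The real line carries more fields and is parsed the same way.
SAMPLE_EVENT = ('date=2025-03-14 time=11:46:12 type="utm" subtype="ips" eventtype="signature" '
                'severity="high" srcip=10.1.100.240 dstip=172.16.200.240 action="dropped" '
                'service="HTTP" policyid=1 attack="Backdoor.Cobalt.Strike" attackid=57293 '
                'profile="MI-test" forwardedfor="IK_Z9=\\x07\\x10Z%at=Icr>Gav" crscore=30 crlevel="high"')

# Constructed sample of the IPS debug output shown on this page (diagnose ips debug enable ml).
SAMPLE_DEBUG = """[699@214]ips_process_event: ctx 14: 2 => 4
[699@214]ips_ml_classify_internal: model=0 labels=[0.9960013, 0.0]@0=0.9960013
[699@214]ips_match_rule: matched rule 57293 99455 Backdoor.Cobalt.Strike (weight:0)
[699@214]ips_set_pkt_verdict: action=DROP
"""

# A FortiOS log field is key=value where value is either a double-quoted string
# (may contain spaces, '=' and backslash escapes such as \x07) or a bare token.
_KV = re.compile(r'(\w+)=("((?:[^"\\]|\\.)*)"|\S+)')

def parse_fortios_log(line):
    """Parse one FortiOS key=value log line into a dict; quoted values are unquoted."""
    fields = {}
    for m in _KV.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields

# Debug line format: ips_ml_classify_internal: model=<n> labels=[<p0>, <p1>, ...]@<idx>=<conf>
_ML = re.compile(r'ips_ml_classify_internal: model=(\d+) labels=\[([^\]]*)\]@(\d+)=([0-9.]+)')

def parse_ml_classification(debug_text):
    """Return a list of (model, labels, chosen_index, confidence) per ML classification line."""
    results = []
    for m in _ML.finditer(debug_text):
        labels = [float(x) for x in m.group(2).split(',')]
        results.append((int(m.group(1)), labels, int(m.group(3)), float(m.group(4))))
    return results

def is_blocked_ml_detection(event, debug_text, rule_id=57293, min_conf=0.9):
    """True when the event log shows rule_id dropped and the debug output carries an
    ML classification at or above min_conf (threshold is an assumption, not a FortiOS value)."""
    if event.get("attackid") != str(rule_id) or event.get("action") != "dropped":
        return False
    return any(conf >= min_conf for _, _, _, conf in parse_ml_classification(debug_text))
```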
