MSSP, Generative AI, Encryption, Network Security

Corero Uses AI to Close a Gap in DDoS Protections

Corero Network Security is adding AI-assisted detection and real-time intelligence to its SmartWall ONE platform to address what the company officials call a blind spot in protection against distributed denial-of-services (DDoS) caused by the widespread use of encryption in internet traffic.

Encryption enables organizations to keep the data they’re sending across the internet protected and private, which is critical considering the massive amounts of private, sensitive, and corporate data that are running across it.

However, threat actors are able to use secure channels to launch their DDoS attacks that can bypass traditional defenses, according to the London-based company. The new detection and intelligence features in SmartWall ONE allow security teams to leverage AI to avoid false positives while ensuring performance and privacy.

They also do away with the need for more infrastructure, decryption, or added latency, while giving service providers like MSSPs the ability to deliver high-end DDoS protection across network Layers 3 through 7 for encrypted traffic while avoiding more complexity, according to Corero. For their enterprise clients, they get real-time protection for public-facing applications while ensuring privacy and compliance.

DDoS Attacks are Evolving

The new capabilities in Corero’s SmartWall ONE come as DDoS attacks not only become faster and larger, but also more sophisticated. According to Cloudflare officials, the company in the first half of the year had blocked 27.8 million DDoS attacks, about 130% of all the attacks it blocked during all of 2024.

However, security teams need to think of DDoS in terms beyond simply the number of them, according to Akamai researchers. They’re becoming more sophisticated.

“It is undeniable that DDoS attacks have only grown into a more potent form of cyber nuisance, and DDoS threats continue to be a persistent cybersecurity challenge for businesses, governments, and public infrastructure,” they wrote earlier this year. “The old technique of measuring DDoS attacks in terms of size — gigabits per second (Gbps), terabits per second (Tbps) or million packets per second (Mpps) — is often not relevant or sufficient today.”

Bad actors are increasingly leveraging AI tools to target multiple IP addresses and internet-facing applications and services. Such 'horizontal DDoS attacks’ have become fairly common with the wide availability of AI tools that can cast a wide net, systematically check for defense vulnerabilities, identify weak points, and then pool resources to go after the weakest points in an organization’s defense posture,” they wrote.

They’re also using more DDoS vectors and becoming longer in duration, according to Akamai.

Encryption a Challenge for Defenders

And, as Corero pointed out, they can use the decryption in internet traffic to evade traditional defenses.

“Encryption is used to make data and information unreadable to protect it,” Boris Cipot, senior security engineer at cybersecurity firm Black Duck, told MSSP Alert. “In this case. However, encryption hides traffic content and therefore makes it harder to detect malicious requests, especially at Layer 7. On one hand, the defenders lose visibility. On the other hand, it is hard to recognize attacks as they can mimic legitimate behavior. Because of this, it’s then easy to overwhelm the servers as malicious attacks are not easily flagged.”

This is where AI can make a difference, according to Cequence Security CISO Randolph Barr, noting that, rather than decrypting data or using static signatures, AI models look at behavioral and metadata like handshake timing, packet size distributions, and concurrency rates to determine what normal encrypted traffic looks like and then detect problems as they occur.

It’s similar to how Cequence’s technology works to protect APIs, Barr told MSSP Alert.

“When payloads are available in the clear, our platform analyzes both the content and the behavior, understanding what’s being requested, how it’s being used, and whether that activity aligns with normal patterns,” he said. “But the key is that we don’t rely solely on reading payloads to detect threats. Even when traffic is encrypted or obfuscated, we can still infer risk through metadata, behavioral anomalies, and client context. It’s about learning intent through behavior rather than depending entirely on visibility into the content.”

The challenge is that many security tools haven’t kept up with the changes, so a lot of security teams continue to work on frameworks and use rules created before encryption was widely used. Meanwhile, adversaries are using automation, AI, and encrypted communications to bypass such static defense, Barr said.

'A Chance and a Duty for MSSPs'

MSSPs, just like corporate security teams, need to address these new challenges, Cipot said, adding that a tool like SmartWall ONE can help them offer the best low-latency protection for encrypted traffic while reducing complexity and creating a new revenue stream via differentiated service offerings.

The changing threat environment “is both a chance and a duty for MSSPs,” Barr said. “As businesses rely more on service providers to handle complicated and encrypted environments, the success of these collaborations relies on more than just technology; it also depends on trust and integration. The MSSP may be very good at finding things, but it can only do its job well if it works well with its customers.”

For DDoS prevention in an encrypted world, MSSPs need to be part of the client’s security system, he said. That includes shared visibility, agreed-upon response playbooks, and regular contact.

“When consumers see their MSSP as an extension of their own SOC instead of an outside company operating alone, they get the best results,” Barr said.

An In-Depth Guide to Network Security

Get essential knowledge and practical strategies to fortify your network security.
Jeffrey Burt

Jeffrey Burt has been a journalist for almost 40 years, moving from general-circulation newspapers to IT news sites in 2000. He’s an expert analyst and writer on cybersecurity, data center infrastructure, AI, and a host of other subjects for a range of organizations, including CyberRisk Alliance, eWEEK, Techstrong Group, The Next Platform, and The Register.

You can skip this ad in 5 seconds