AI May Create the Attack. Observable Behaviour Still Gives It Away.

The rise of Frontier AI models has sparked growing discussion around their potential role in cybersecurity. While much of the conversation has focused on how AI might help discover new vulnerabilities or create increasingly sophisticated attack techniques, many organisations are asking a more practical question:

‍

How do you defend against attacks that have never been seen before?

‍

It’s a valid concern. After all, if AI can help attackers move faster, identify weaknesses more efficiently, or generate entirely new attack patterns, traditional signature-based approaches alone may no longer be sufficient.

‍

However, from a defender’s perspective, the more relevant question is often not how an attack was created, but how it manifests itself on the network and application layers.

‍

Whether an attack was generated by a human, a script, or an advanced AI model, it must ultimately interact with infrastructure in observable ways. It must consume resources, abuse protocols, exploit application behaviour, or generate traffic patterns that differ from legitimate user activity.

‍

This raises a more practical question:

‍

How do we detect and mitigate previously unseen or zero-day attack patterns?

‍

The good news is that defenders have been dealing with “unknown” attacks long before AI entered the picture. Understanding how modern detection works helps explain why.

‍

But first: The Fundamental Principles of Attack Detection

At the most fundamental level, attack detection typically relies on a combination of three approaches.

‍

1. Threshold-Based Detection

The simplest form of detection is thresholding.

‍

For example:

• A server normally receives 10,000 HTTP requests per minute.
• Suddenly it receives 500,000 requests per minute.

Even if the attack technique has never been seen before, the resulting resource consumption becomes observable.

‍

Thresholds can be based on:

• Traffic volume
• Packets per second
• Requests per second
• Session creation rates
• DNS query rates
• API transaction rates

This remains one of the most effective ways to identify volumetric and resource exhaustion attacks. While effective, threshold-based detection alone is not sufficient for every scenario. That brings us to the second pillar of modern attack detection.

‍

2. Threat Intelligence

The second approach relies on threat intelligence.

‍

Nexusguard’s Threat Intelligence Framework (NTIF) continuously tracks:

• Known botnet infrastructure
• Malicious IP addresses
• Attack infrastructure reputation
• Previously observed attack sources
• Threat intelligence feeds

If traffic originates from known malicious infrastructure, mitigation can begin much earlier and with higher confidence. The challenge, of course, is that attackers continuously evolve their infrastructure. New botnets and previously unseen attack sources may not yet exist in reputation databases. 

‍

3. Signature-Based Detection

The third approach relies on signatures.

‍

Examples include:

• TCP SYN floods
• TCP protocol abuse
• DNS amplification attacks
• Malformed packets
• Known exploit payloads
• Known application attack patterns

When a signature is available and confidence is high, mitigation can occur immediately.

‍

In simple terms:

‍

If we know for certain it is an attack, we block it.

‍

If we are not yet certain, we observe behaviour, analyse impact, and build confidence before taking action.

‍

These approaches often operate simultaneously.

‍

Where AI Fits Into The Equation

AI does not magically detect attacks that leave no observable signals.

‍

Instead, AI helps Nexusguard solve two practical problems:

1. Detection Accuracy

Reducing:

• False Positives (FP)
• False Negatives (FN)

2. Detection Speed

Reducing the time required for:

• Detection
• Analysis
• Mitigation
• Operational response

In other words, AI helps systems and SOC teams make better decisions, faster.

‍

Improving Detection Accuracy

NBTD – ML-Based Behavioural Baselining

The process begins with telemetry collection.

‍

For network-layer protection, Nexusguard collects:

• Netflow
• IPFIX
• sFlow

For application-layer protection, Nexusguard observes:

• HTTP/S requests
• DNS traffic
• API behaviour
• Session characteristics
• Resource targeting patterns

NBTD (Network Behaviour Threat Detection) uses machine-learning techniques to establish behavioural baselines for protected environments.

‍

These baselines continuously adapt to:

• Seasonal traffic patterns
• Time-of-day variations
• Natural traffic growth
• Protocol-specific behaviour

This allows the platform to distinguish legitimate growth from attack activity and significantly reduces false positives.

Three Detection Modes

Nexusguard currently supports three detection approaches.

Normal Mode

• Time-based threshold detection
• Optimised for sustained attacks
• Administrator-defined thresholds

Rapid Mode

• Volume-based detection
• Optimised for burst attacks and hit-and-run attacks
• Faster detection of short-duration attack patterns

SMART Mode

• AI-assisted adaptive thresholding
• Learns from historical traffic behaviour
• Dynamically adjusts thresholds
• Improves detection accuracy
• Reduces false positives

At this stage, the platform is not attempting to determine whether an attack originated from a human or a Frontier-AI model.

‍

Instead, it focuses on identifying abnormal behaviour.

Accelerating Detection and Response

NTIF – Threat Intelligence Correlation

In parallel with behavioural analysis, traffic is continuously evaluated against NTIF.

This includes:

• Known malicious IPs
• Botnet intelligence
• Infrastructure reputation
• Historical attack observations

‍

Under NTIF, the Adaptive Threat Module continuously learns from attack activity and SOC feedback to improve detection confidence and accelerate response.

SMART Filter – Dynamic Mitigation

Once malicious activity is detected, mitigation begins.

‍

For known attack patterns:

• Existing signatures
• Existing mitigation policies
• Existing filters

can be applied immediately.

‍

For previously unseen attack patterns:

SMART Filter automatically generates temporary mitigation rules based on observed attack characteristics and behavioural deviations.

‍

These rules are continuously monitored using the SMART Accuracy indicator and can be:

• Inserted
• Modified
• Refined
• Removed

as attack conditions evolve.

‍

This allows mitigation to begin before permanent signatures are developed.

AI-Assisted SOC Analysis

Technology alone is not the final answer. The final layer remains Nexusguard’s Security Operations Center.

‍

To support analysts, Nexusguard operates an internal agentic AI platform using Retrieval-Augmented Generation (RAG).

‍

The platform can reason across:

• Historical attack data
• Product knowledge bases
• Operational documentation
• Engineering repositories
• Support knowledge

This enables analysts to:

• Identify similar historical attacks
• Correlate attack activity across large datasets
• Analyse attack characteristics
• Understand previous mitigation effectiveness
• Generate mitigation recommendations

The objective is not autonomous mitigation.

‍

The objective is to accelerate analysis and improve operational response.

Putting It All Together

For a previously unseen or AI-generated attack, the workflow:

‍

Telemetry Collection

→ Behavioural Baselining (NBTD)

→ Detection (Normal / Rapid / SMART)

→ Threat Intelligence Correlation (NTIF)

→ Dynamic Mitigation (SMART Filter)

→ SOC Analysis/Intervention & Continuous Improvement

‍

Ultimately, Nexusguard does not attempt to identify whether an attack was generated by a Frontier-AI model.

‍

Instead, it focuses on identifying the observable behaviour that the attack creates.

‍

Whether the attack was generated by a human, a script, or an advanced AI model, it must ultimately consume resources, abuse protocols, exploit application behaviour, or generate abnormal traffic patterns.

‍

Those are the signals Nexusguard is designed to detect and mitigate.

‍

As AI continues to accelerate the pace at which new attack techniques can be developed, the challenge for defenders remains fundamentally unchanged. The objective is not to determine whether an attack originated from a human or an AI model, but to identify malicious behaviour quickly, accurately, and with sufficient confidence to take action.

‍

By combining behavioural baselining, threat intelligence, adaptive mitigation and human expertise, Nexusguard focuses on the observable signals that every attack ultimately generates. Regardless of how an attack is created, those signals remain the foundation of effective detection and mitigation.

(Image: Gemini)