DeepPhish: Simulating malicious AI

In this work we describe how threat actors may use AI algorithms to bypass AI phishing detection systems. We analyzed more than a million phishing URLs to understand the different strategies that threat actors use to create phishing URLs. Assuming the role of an attacker, we simulate how different threat actors may leverage Deep Neural Networks to enhance their effectiveness rate. Using Long Short-Term Memory Networks, we created DeepPhish, an algorithm that learns to create better phishing attacks. By training the DeepPhish algorithm for two different threat actors, they were able to increase their effectiveness from 0.69% to 20.9%, and 4.91% to 36.28%, respectively.

Published in: Data & Analytics

DeepPhish: Simulating malicious AI

  1. DeepPhish: Simulating Malicious AI
     Ivan Torroledo – Lead Data Scientist
     Alejandro Correa Bahnsen – VP, Research
     Luis Camacho – Lead Research Data Architect
  2. CYXTERA TECHNOLOGIES
     • Portfolio of cybersecurity software and services
     • Intelligent and adaptive
     • Cloud-native and hybrid-ready
     • Global colocation leader
     • 57 data centers in 29 global markets
     • 2.6M sq. feet of data center space
     • 195 megawatts of power
     • 3,500 customers
     • 1,100 employees
     • Headquartered in Miami with offices globally
     • Experienced leadership in infrastructure and security
  3. 80% of cyber crimes are being committed by sophisticated attackers. The total USA market for cyber insurance is 3B in 2017.
  4. [Slide with no extracted text]
  5. [Slide with no extracted text]
  6. AI to Classify Phishing URLs
     • Identify & Classify Malicious URLs and Domains with Prediction - Not Blacklists.
     • The system calculates the probability of a URL being used to host a phishing attack using Deep Neural Networks. It correctly classifies URLs with over 98% accuracy.
  7. Long-Short Term Memory Networks
     [Figure: the characters of the URL http://www.papaya.com pass through One hot Encoding → Embedding → LSTM units → Sigmoid output]
  8. [Slide with no extracted text]
  9. [Slide with no extracted text]
  10. As threat actors improve their attacks, is AI the new technology they will use?
  11. The Experiment
     Process:
     • Identify individual threat actors
     • Ran them through our own AI detection system
     • Improved their attacks using AI
  12. Uncovering Threat Actors
     • Objective: We want to understand effective patterns of each attacker to improve them through an AI model
     • As we cannot know them directly, we must learn from them through their attacks
     • Database with 1.1M confirmed phishing URLs collected from Phishtank
  13. Threat Actor 1
     Seed domain: naylorantiques.com
     406 URLs, for example:
     • http://naylorantiques.com/components/com_contact/views/contact/tmpl/62
     • http://naylorantiques.com/docs/Auto/Atendimento/5BBROPI6S3
     • http://naylorantiques.com/Atualizacao Segura/pictures/XG61YYMT_FXW0PWR8_5P2O7T2U_P9HNDPQR/
     • http://naylorantiques.com/zifn3p72bsifn9hx9ldecd8jzl2f0xlwf8f
     • http://www.naylorantiques.com/JavaScript/charset=iso-8859-1/http-equiv/margin-bottom
     Keywords: atendimento, jsf, identificacao, ponents, views, TV, mail, SHOW, COMPLETO, VILLA, MIX, ufi, pnref, story, tryy2ilr, Autentico
     106 domains: naylorantiques.com, netshelldemos.com, debbiebright.co.z, waldronfamilygppractice.co.uk, avea-vacances.com, psncodes2013.com, uni5.net, 67.228.96.204, classificadosmaster.com.br, ibjjf.org
     Step labels in the diagram: Visual Check, Check in database, Visual Check
  14. Threat Actor 2
     Seed domain: vopus.org
     13 URLs, for example:
     • http://www.vopus.org/es/images/cursos/thumbs/tdcanadatrust
     • http://www.vopus.org/ru/media/tdcanadatrust/index.html
     • http://vopus.org/common/index.htm
     • http://www.vopus.org/es/images/cursos/thumbs/tdcanadatrust/index.html
     • http://vopus.org/descargas/otros/tdcanadatrust/index.html
     Keyword: tdcanadatrust/index.html
     19 domains: friooptimo.com, kramerelementary.org, kalblue.com, vopus.org, artwood.co.kr, stephenpizzuti.com, heatherthinks.com, corvusseo.com, natikor.by, optioglobal.com, backfire.se, fncl.ma, greenant.de, mersintenisakademisi.com, cavtel.net
     Step labels in the diagram: Visual Check, Check in database, Visual Check
  15. Threat Actors Efficiency
     • All Attacks (1,146,441): 0.24%
     • Threat Actor 1 (1,009): 0.69%
     • Threat Actor 2 (102): 4.91%
  16. Simulating Malicious AI
  17. DeepPhish Algorithm - Training
     [Figure labels: Non Effective URLs, Effective URLs, Encoding, Model, Rolling Window, Concatenate and create, Transform, Train]
     Effective URLs shown in the figure, which are then concatenated into a single text:
     • http://www.naylorantiques.com/content/centrais/fone_facil
     • http://kisanart.com/arendivento/menu-opcoes-fone-facil/
     • http://naylorantiques.com/atendimento/menu-opcoes-fone-facil/3
  18. DeepPhish LSTM Network
     [Figure labels: URL characters (http://www.papaya.com), One hot Encoding, LSTM, tanH, Softmax]
  19. DeepPhish Algorithm – Prediction
     [Figure labels: Compromised Domains, Allowed Paths, Model, Filter paths, Predict Next Character Iteratively, Synthetic URLs, Create]
     Generated text shown in the figure: /arendipemto/nenu-opcines-fone-facil vfone/faci/Atondime+
     Assembled result shown in the figure: http:// + www.naylorantiques.com + /arendipemto/nenu-opcines-fone-facilvone/facil/Atondime
  20. Simulating Malicious AI using DeepPhish
     • We selected the two most effective threat actors. With each subsample of effective URLs by threat actor, we implemented the DeepPhish algorithm.
  21. Traditional Attacks vs. AI-Driven Attacks
     • Threat Actor 1: Traditional 0.69%, DeepPhish 20.90%
     • Threat Actor 2: Traditional 4.91%, DeepPhish 36.28%
  22. Takeaways!
     AI enhances attackers efficiencies
     • ML and AI driven detection systems
     • Deep Adversarial Learning
     • Relentless monitoring
     • Multi-layered approach to anti-fraud
  23. The Power of Adversary AI
     • More & Better Phishing Attacks
     • Increasingly Powerful Self-Spreading Malware
     • Weaken Authentication Controls
     • Cheat Rule-based Transaction Monitoring
  24. Further material
     • 1-Minute Research Video Brief
     • 2 Page Research Summary
     • Slides (Extended Version)
     • Academic paper
     AI vs. AI: Can Predictive Models Stop the Tide of Hacker AI?
     www.easysol.net/ai-project
  25. www.cyxtera.com
     Ivan Torroledo – ivan.torroledo@cyxtera.com
     Alejandro Correa Bahnsen – alejandro.correa@cyxtera.com
     Luis Camacho – luis.camacho@cyxtera.com
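
The pivot outlined on slides 12 to 14 (seed domain, its URLs, recurring keywords, other domains in the database that use them), sketched as an added example that is not the presenters' code. It assumes keywords are path tokens that recur across the seed domain's URLs; the feed, the `.example` domains, `STOPWORDS` and the function names are constructed for illustration, and the slides' manual "Visual Check" steps are not automated here.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed feed on reserved .example domains; path words reuse keywords
# shown on slides 13, 14 and 17. None of these URLs come from PhishTank.
FEED = [
    "http://seed-shop.example/docs/Auto/Atendimento/5BBROPI6S3",
    "http://seed-shop.example/atendimento/menu-opcoes-fone-facil/3",
    "http://www.seed-shop.example/content/centrais/fone_facil",
    "http://blog-a.example/wp-content/atendimento/identificacao/login",
    "http://school-b.example/images/fone-facil/atendimento/",
    "http://club-c.example/es/images/cursos/thumbs/tdcanadatrust/index.html",
    "http://news-d.example/ru/media/tdcanadatrust/index.html",
    "http://benign-e.example/images/logo.png",
]
# Path tokens too common on legitimate sites to be useful pivots (assumed).
STOPWORDS = {"index", "html", "htm", "php", "images", "content", "docs",
             "media", "login"}

def host_of(url):
    """Hostname with a leading 'www.' removed."""
    host = urlsplit(url).hostname or ""
    return host[4:] if host.startswith("www.") else host

def path_tokens(url):
    """Lower-cased alphabetic path tokens of length >= 4, minus stopwords."""
    tokens = re.split(r"[^a-z]+", urlsplit(url).path.lower())
    return {t for t in tokens if len(t) >= 4 and t not in STOPWORDS}

def pivot(feed, seed_domain, min_urls=2):
    """Seed domain -> recurring path keywords -> other domains using them."""
    by_host = defaultdict(list)
    for url in feed:
        by_host[host_of(url)].append(url)
    counts = Counter(t for u in by_host[seed_domain] for t in path_tokens(u))
    keywords = {t for t, n in counts.items() if n >= min_urls}
    related = defaultdict(set)
    for host, urls in by_host.items():
        if host == seed_domain:
            continue
        for u in urls:
            related[host] |= path_tokens(u) & keywords
    return keywords, {h: k for h, k in related.items() if k}

if __name__ == "__main__":
    kws, doms = pivot(FEED, "seed-shop.example")
    print(sorted(kws), {h: sorted(k) for h, k in doms.items()})
```

Raising `min_urls` trades recall for fewer accidental matches; a seed with few URLs, like Threat Actor 2's 13, needs a low threshold and a closer manual review of the hits.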