SlideShare a Scribd company logo

AI & ML in Cyber Security - Why Algorithms are Dangerous

Priyanka Aash
Priyanka Aash

Every single security company is talking in some way or another about how they are applying machine learning. Companies go out of their way to make sure they mention machine learning and not statistics when they explain how they work. Recently, that's not enough anymore either. As a security company you have to claim artificial intelligence to be even part of the conversation. Guess what. It's all baloney. We have entered a state in cyber security that is, in fact, dangerous. We are blindly relying on algorithms to do the right thing. We are letting deep learning algorithms detect anomalies in our data without having a clue what that algorithm just did. In academia, they call this the lack of explainability and verifiability. But rather than building systems with actual security knowledge, companies are using algorithms that nobody understands and in turn discover wrong insights. In this talk, I will show the limitations of machine learning, outline the issues of explainability, and show where deep learning should never be applied. I will show examples of how the blind application of algorithms (including deep learning) actually leads to wrong results. Algorithms are dangerous. We need to revert back to experts and invest in systems that learn from, and absorb the knowledge, of experts.

Technology
1 of 41
Download to read offline
BlackHat USA | August 2018 AI & ML IN CYBERSECURITY Why Algorithms Are Dangerous RAFFAEL MARTY Vice President of Corporate Strategy, Forcepoint Copyright © 2018 Forcepoint.
A BRIEF SUMMARY We don’t have artificial intelligence (yet) Algorithms are getting ‘smarter’, but experts are more important Stop throwing algorithms on the wall - they are not spaghetti Understand your data and your algorithms Invest in people who know security (and have experience) Build systems that capture “export knowledge” Think out of the box, history is bad for innovation Focus on advancing insights Copyright © 2018 Forcepoint. | 2
RAFFAEL MARTY Sophos PixlCloud Loggly Splunk ArcSight IBM Research Security Visualization Big Data ML & AI SIEM Corp Strategy Leadership Zen Copyright © 2018 Forcepoint. | 3
OUTLINE STATISTICS, MACHINE LEARNING & AI Defining the concepts THE ALGORITHMIC PROBLEM Understanding the data and the algorithms AN EXAMPLE Let’s get practical 01 02 03 Copyright © 2018 Forcepoint. | 4
STATISTICS MACHINE LEARNING & ARTIFICIAL INTELLIGENCE 01 Copyright © 2018 Forcepoint. | 5
“Companies are throwing algorithms on the wall to see what sticks (see security analytics market)” “Everyone calls their stuff ‘machine learning’ or even better ‘artificial intelligence’ - It’s not cool to use statistics!” Copyright © 2018 Forcepoint. | 6
ML AND AI – WHAT IS IT? MACHINE LEARNING Algorithmic ways to “describe” data Supervised We are giving the system a lot of training data and it learns from that Unsupervised We give the system some kind of optimization to solve (clustering, dim reduction) DEEP LEARNING A “newer” machine learning algorithm Eliminates the feature engineering step Explainability / verifiability issues DATA MINING Methods to explore data – automatically ARTIFICIAL INTELLIGENCE “Just calling something AI doesn’t make it AI.” “A program that doesn't simply classify or compute model parameters, but comes up with novel knowledge that a security analyst finds insightful.” We don’t have artificial intelligence (yet)
WHAT “AI” DOES TODAY KICK A HUMAN'S ASS AT GO DESIGN MORE EFFECTIVE DRUGS MAKE SIRI SMARTER Copyright © 2018 Forcepoint. | 8
MACHINE LEARNING USES IN SECURITY SUPERVISED Malware classification Deep learning on millions of samples - 400k new malware samples a day Has increased true positives and decreased false positives compared to traditional ML Spam identification MLSec project on firewall data Analyzing massive amounts of firewall data to predict and score malicious sources (IPs) UNSUPERVISED DNS analytics Domain name classification, lookup frequencies, etc. Threat Intelligence feed curation IOC prioritization, deduplication, … Tier 1 analyst automation Reducing workload from 600M raw events to 100 incidents* User and Entity Behavior Analytics (UEBA) Uses mostly regular statistics and rule-based approaches * See Respond Software Inc. Copyright © 2018 Forcepoint. | 9
THE ALGORITHMIC PROBLEM UNDERSTANDING THE DATA AND THE ALGORITHMS02 Copyright © 2018 Forcepoint. | 10
FAMOUS AI (ALGORITHM) FAILURES http://neil.fraser.name/writing/tank/ PENTAGON - AI FAIL
WHAT MAKES ALGORITHMS DANGEROUS? ALGORITHMS MAKE ASSUMPTIONS ABOUT THE DATA Assume ‘clean’ data (src/dst confusion, user feedback, etc.) Often assume a certain type of data and its distribution Generally don’t deal with outliers Machine learning assumes enough, representative data Need contextual features (e.g., not just IP addresses) Assume all input features are ‘normalized’ the same way ALGORITHMS ARE TOO EASY TO USE THESE DAYS (TENSORFLOW, TORCH, ML ON AWS, ETC.) The process is more important than the algorithm (e.g., feature engineering, supervision, drop outs, parameter choices, etc.) ALGORITHMS DO NOT TAKE DOMAIN KNOWLEDGE INTO ACCOUNT Defining meaningful and representative distance functions, for example e.g., each L4 protocol exhibits different behavior. Train it separately. e.g., interpretation is often unvalidated - beware of overfitting and biased models. Ports look like integers, they are not, same is true for IPs, processIDs, HTTP return codes, etc. Copyright © 2018 Forcepoint. | 13
WHAT MAKES ALGORITHMS DANGEROUS? https://betterhumans.coach.me/cognitive-bias-cheat-sheet-55a472476b18 SAMPLE BIAS KNOWLEDGE BIAS HISTORY BIAS CONFIRMATION BIAS AVAILABILITY BIAS CORRELATION BIAS Copyright © 2018 Forcepoint. | 14
COGNITIVE BIASES How biased is your data set? How do you know? Only a single customer’s data Learning from an ‘infected’ data set Collection errors Missing data (e.g., due to misconfiguration) What’s the context the data operates in? FTP although generally considered old and insecure, isn’t always problematic Don’t trust your IDS (e.g. “UDP bomb”)
THE DANGERS WITH DEEP LEARNING – WHEN NOT TO USE IT Not enough or no quality labelled data Data cleanliness issues (timestamps, normalization across fields, etc.) Bad understanding of the data to engineer meaningful features (e.g., byte stream for binaries) Data is prone to adversarial input DATA No well trained domain experts and data scientists to oversee the implementation A need to understand what ML actually learned (explainability) Verifiability of output Interpretation of output MACHINE LEARNING DETECTIONS EXPERT KNOWLEDGE Copyright © 2018 Forcepoint. | 16
ADVERSARIAL MACHINE LEARNING An example of an attack on deep learning Copyright © 2018 Forcepoint. | 17
EXAMPLE LET’S GET PRACTICAL03 Copyright © 2018 Forcepoint. | 18
FINDING ANOMALIES / ATTACKS IN NETWORK TRAFFIC Given: Network communications (i.e., netflow) Task: Find anomalies / attacks ? Copyright © 2018 Forcepoint. | 19
DEEP LEARNING – THE SOLUTION TO EVERYTHING DEEP LEARNING PROMISES A FEW THINGS: ‘Auto’ feature extraction High accuracy of detections AND WE SATISFY SOME REQUIREMENTS: Lots of data available BUT: A single record does not indicate good/bad BUT: Not enough ‘information’ within flows – need context BUT: No labels available MOST SECURITY PROBLEMS CAN’T BE SOLVED WITH DEEP LEARNING or supervised methods in general Copyright © 2018 Forcepoint. | 20
UNSUPERVISED TO THE RESCUE? Can we exploit the inherent structure within the data to find anomalies and attacks? Clustering traffic to find outliers 1. Clean the data 2. Engineer distance functions 3. Figure out the right algorithm 4. Apply the correct algorithmic parameters 5. Data interpretation Copyright © 2018 Forcepoint. | 21
1. UNDERSTAND AND CLEAN THE DATA dest port! Port 70000? src ports! http://vis.pku.edu.cn/people/simingchen/docs/vastchallenge13-mc3.pdf
2. ENGINEERING DISTANCE FUNCTIONS Distance functions define the similarity of data objects Need domain-specific similarity functions URLs (simple levenshtein distance versus domain based?) Ports (and IPs, ASNs) are NOT integers Treat user names as categorical, not as strings outlier?! Copyright © 2018 Forcepoint. | 23
3. CHOOSING THE RIGHT UNSUPERVISED ALGORITHM CLUSTERING ALGORITHMS K-means Affinity Propagation (AP) DBScan t-SNE CRITERIA TO CHOOSE AN ALGORITHM Dimensionality of data “Shape” of data Intrinsic algorithm workings Algorithm convergence or speed http://hdbscan.readthedocs.io/en/latest/comparing_clustering_algorithms.html Different algorithms find different / more or less clusters Copyright © 2018 Forcepoint. | 24
4. CHOOSING THE CORRECT ALGORITHM PARAMETERS The dangers of not understanding algorithmic parameters t-SNE clustering of network traffic from two types of machines perplexity = 3 epsilon = 3 No clear separation perplexity = 3 epsilon = 19 3 clusters instead of 2 perplexity = 93 epsilon = 19 What a mess Copyright © 2018 Forcepoint. | 25
4. CHOOSING THE CORRECT ALGORITHM PARAMETERS And this is when it gets dangerous Access decisions / enforcements based on cluster membership Copyright © 2018 Forcepoint. | 26
5. INTERPRETING THE DATA We analyze network traffic. The graph shows an abstract space (X and Y axes have no specific meaning). Each dot represents a device on the network. Colors represent machine-identified clusters. Interpretation questions: What are these clusters? What are good clusters? What’s anomalous? Where are compromised machines / attackers? Copyright © 2018 Forcepoint. | 27
A DIFFERENT APPROACH - PROBABILISTIC INFERENCE Rather than running algorithms that model the shape of data, we need to take expert knowledge / domain expertise into account “What is the probability that it is raining, given the grass is wet?”: 35.77% Introducing Belief Networks Models that represent the state of the ‘world’ Helps us make predictions and reason about the world A graph rather than huge joint distribution tables across all states Using Bayes theorem to calculate ‘belief’ Could use ML to learn graph structure (nodes and edges), but it’ll get too unwieldy and non-interpretable! Copyright © 2018 Forcepoint. | 28
BAYESIAN BELIEF NETWORK 1ST STEP – BUILD THE GRAPH Device is Compromised New protocol seen Is using port 23? Connecting from suspicious IP Mistake in IP classification Connecting to suspicious IP Connection to newly registered domain Has known vulnerabilities Open port 53 Shows up with new OS Machine got update to new OS Device is in maintenance mode Not seen for a week Sent huge amount of data in short period of time Protocol mismatch Seen encrypted traffic on port 23 1. What’s our objective? 2. What behaviors can we observe? 4 What are observable factors that reduce uncertainty of the central inference (of device compromised) 4 Observations should not be locally dependent – they should be true across all customers / environments 4 Do we have that data? 4 Do we need context for it?
BAYESIAN BELIEF NETWORK 2ND STEP – GROUP NODES Device is Compromised Suspicious Host State Anomalous Network Behavior Host is Tunneling Data Threat Intelligence Hinting at Compromise Suspicious Protocol Usage New protocol seen Is using port 23? Has never used SSH before Connecting from suspicious IP Mistake in IP classification Connecting to suspicious IP Connection to newly registered domain Has known vulnerabilities Open port 53Shows up with new OS Machine got update to new OS Device is in maintenance mode Not seen for a week Sent huge amount of data in short period of time Protocol mismatch Seen encrypted traffic on port 23 Complexity of this network is too high. We cannot computer all the conditional probabilities. Therefore we need to introduce “grouping nodes”.
BAYESIAN BELIEF NETWORK 3RD STEP – INTRODUCE DEPENDENCIES Device is Compromised Suspicious Host State Anomalous Network Behavior Host is Tunneling Data Threat Intelligence Hinting at Compromise Suspicious Protocol Usage New protocol seen Is using port 23? Has never used SSH before Connecting from suspicious IP Mistake in IP classification Connecting to suspicious IP Connection to newly registered domain Machine got update to new OS Device is in maintenance mode Not seen for a week Sent huge amount of data in short period of time Protocol mismatch Seen encrypted traffic on port 23 Has known vulnerabilities Open port 53Shows up with new OS Relationships between observations Conditional dependencies
BAYESIAN BELIEF NETWORK 4TH STEP – ESTIMATE PROBABILITIES NODE PROBABILITIES 4 P(Protocol mismatch) = 0.01 OR “very low” 4 P(Seen encrypted traffic on port 23) = 0.01 OR “very low” 4 P(Host is Tunnelling Data) = 0.01 OR ”very low” Expert Knowledge Host is Tunneling Data Protocol mismatch Seen encrypted traffic on port 23 CONDITIONAL PROBABILITIES 4 Our belief network teaches us: “Tunnelling is not independent of seeing port 23 traffic” 4 P(Tunnelling | Enc. Port 23 Traffic) = (P(Enc. Port 23 | Tunnelling) * P(Tunnelling)) / P(Enc. Port 23) Copyright © 2018 Forcepoint. | 32 More precise than in pervious formula JOINT PROBABILITIES 4 Multiple factors lead to Tunnelling, not just one 4 P(Tunnelling | Enc. Port 23 AND Proto mismatch) = (P(Enc. Port 23 AND Proto mismatch | Tunnelling) * P(Tunnelling)) / P(Enc Port 23 AND Proto mismatch) Protocol mismatch Seen encrypted traffic on port 23
BAYESIAN BELIEF NETWORK 5TH STEP – GOAL COMPUTATION Device is Compromised Suspicious Host State Anomalous Network Behavior Host is Tunneling Data Threat Intelligence Hinting at Compromise Suspicious Protocol Usage The probability that we have a compromised device is the joint and conditional probability over all the ‘group nodes’ Copyright © 2018 Forcepoint. | 33
Machine got update to new OS Open port 53Shows up with new OS Anomalous Network Behavior BAYESIAN BELIEF NETWORK 6TH STEP – OBSERVE ACTIVITIES Device is Compromised Host is Tunneling Data Threat Intelligence Hinting at Compromise Suspicious Protocol Usage New protocol seen Is using port 23? Has never used SSH before Connecting from suspicious IP Mistake in IP classification Connecting to suspicious IP Connection to newly registered domain Device is in maintenance mode Not seen for a week Sent huge amount of data in short period of time Protocol mismatch Seen encrypted traffic on port 23 Suspicious Host State Has known vulnerabilities 0.4 0.3 0.2
Open port 53 Anomalous Network Behavior BAYESIAN BELIEF NETWORK 6TH STEP – OBSERVE ACTIVITIES Device is Compromised Host is Tunneling Data Threat Intelligence Hinting at Compromise Suspicious Protocol Usage New protocol seen Is using port 23? Has never used SSH before Connecting from suspicious IP Mistake in IP classification Connecting to suspicious IP Connection to newly registered domain Device is in maintenance mode Not seen for a week Sent huge amount of data in short period of time Protocol mismatch Seen encrypted traffic on port 23 1. Update the ‘observation nodes’ in the network with observation (what we find in the logs) 2. Re-compute probabilities on the connected nodes ✓✓ ✗ Suspicious Host State Machine got update to new OS Has known vulnerabilitiesShows up with new OS 0.5 0.1 0.7
BAYESIAN BELIEF NETWORK 7TH STEP – EXPERT INPUT Strengthen the network by introducing expert knowledge Pose any combinations of ‘observations’ and ‘group’ nodes as questions to experts Asking meaningful questions is an art and requires expert knowledge You will find that it matters how you named your nodes to define good questions Question Expert Answer What’s the probability that device is compromised and I have highly suspicious network behavior and nothing on threat intelligence 0.3 Probability that host is in suspicious state, given that port 53 is open, brand new OS 0.1 How likely is it that we see a connection to a newly registered domain and we see port 23 traffic? 0.01 Etc. Note how this is not a full joint probability over only a subset of the group nodes. We can have questions across observational nodes of different groups as well
BELIEF NETWORKS – SOME OBSERVATIONS Iterative process of adding more nodes, grouping, adding expert input, etc. Graph allows for answering many questions – e.g., sensitivity analysis Do not determine the probabilities on the observation nodes with historic data. It is only accurate for scenarios that were included in data – how do you know your data covered all scenarios? Each problem requires the definition of a graphs based on expert input A generic “Network Traffic” graph is hard to build and train Not every FTP is bad Poor network practice -> e.g., using unencrypted protocols like FTP Thanks Chris @ respond-software.com for all your help! Biggest benefit of belief networks is that the learned knowledge can be verified and extracted!
Copyright © 2018 Forcepoint. | 40 IN SUMMARY
RECOMMENDATIONS Start with defining your use-cases, not choosing an algorithm ML is barely ever the solution to your problem Use ensembles of algorithms Teach the algos to ask for input – if it’s unsure, have it ask an expert rather than making a decision on its own Make sure models keep up with change and forget old facts that are not relevant anymore Do you need white lists / black lists for your algos to not go haywire? Verify your models - use visualization to help with that Share your insights with your peers – security is not your competitive advantage GDPR – transparency on what data is collected and used for decisions “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”
BLACK HAT SOUNDBITES “Algorithms are getting ‘smarter’, but experts are more important” “Understand your data, your algorithms, and your data science process” “History is not a predictor – but knowledge is”
http://slideshare.net/zrlram @raffaelmarty QUESTIONS? Copyright © 2018 Forcepoint. | 43

Recommended

The Finest Penetration Testing Framework for Software-Defined Networks
The Finest Penetration Testing Framework for Software-Defined NetworksThe Finest Penetration Testing Framework for Software-Defined Networks
The Finest Penetration Testing Framework for Software-Defined NetworksPriyanka Aash
 
Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017FRSecure
 
Slide Deck Class Session 11 – FRSecure CISSP Mentor Program
Slide Deck Class Session 11 – FRSecure CISSP Mentor ProgramSlide Deck Class Session 11 – FRSecure CISSP Mentor Program
Slide Deck Class Session 11 – FRSecure CISSP Mentor ProgramFRSecure
 
DeepLocker - Concealing Targeted Attacks with AI Locksmithing
DeepLocker - Concealing Targeted Attacks with AI LocksmithingDeepLocker - Concealing Targeted Attacks with AI Locksmithing
DeepLocker - Concealing Targeted Attacks with AI LocksmithingPriyanka Aash
 
How to Respond to Industrial Intrusions
How to Respond to Industrial Intrusions How to Respond to Industrial Intrusions
How to Respond to Industrial Intrusions Dragos, Inc.
 
IoT Malware: Comprehensive Survey, Analysis Framework and Case Studies
IoT Malware: Comprehensive Survey, Analysis Framework and Case StudiesIoT Malware: Comprehensive Survey, Analysis Framework and Case Studies
IoT Malware: Comprehensive Survey, Analysis Framework and Case StudiesPriyanka Aash
 
Slide Deck CISSP Class Session 6
Slide Deck CISSP Class Session 6Slide Deck CISSP Class Session 6
Slide Deck CISSP Class Session 6FRSecure
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte
 

Recommended

The Finest Penetration Testing Framework for Software-Defined Networks
The Finest Penetration Testing Framework for Software-Defined NetworksThe Finest Penetration Testing Framework for Software-Defined Networks
The Finest Penetration Testing Framework for Software-Defined NetworksPriyanka Aash
 
Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017FRSecure
 
Slide Deck Class Session 11 – FRSecure CISSP Mentor Program
Slide Deck Class Session 11 – FRSecure CISSP Mentor ProgramSlide Deck Class Session 11 – FRSecure CISSP Mentor Program
Slide Deck Class Session 11 – FRSecure CISSP Mentor ProgramFRSecure
 
DeepLocker - Concealing Targeted Attacks with AI Locksmithing
DeepLocker - Concealing Targeted Attacks with AI LocksmithingDeepLocker - Concealing Targeted Attacks with AI Locksmithing
DeepLocker - Concealing Targeted Attacks with AI LocksmithingPriyanka Aash
 
How to Respond to Industrial Intrusions
How to Respond to Industrial Intrusions How to Respond to Industrial Intrusions
How to Respond to Industrial Intrusions Dragos, Inc.
 
IoT Malware: Comprehensive Survey, Analysis Framework and Case Studies
IoT Malware: Comprehensive Survey, Analysis Framework and Case StudiesIoT Malware: Comprehensive Survey, Analysis Framework and Case Studies
IoT Malware: Comprehensive Survey, Analysis Framework and Case StudiesPriyanka Aash
 
Slide Deck CISSP Class Session 6
Slide Deck CISSP Class Session 6Slide Deck CISSP Class Session 6
Slide Deck CISSP Class Session 6FRSecure
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte
 
The Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security AnalyticsThe Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security AnalyticsDemetrio Milea
 
Slide Deck CISSP Class Session 4
Slide Deck CISSP Class Session 4Slide Deck CISSP Class Session 4
Slide Deck CISSP Class Session 4FRSecure
 
Industrial Control Systems Cybersecurity Technology Selection
Industrial Control Systems Cybersecurity Technology SelectionIndustrial Control Systems Cybersecurity Technology Selection
Industrial Control Systems Cybersecurity Technology SelectionDragos, Inc.
 
Cissp cbk final_exam-answers_v5.5
Cissp cbk final_exam-answers_v5.5Cissp cbk final_exam-answers_v5.5
Cissp cbk final_exam-answers_v5.5madunix
 
Functional Safety and Security process alignment
Functional Safety and Security process alignmentFunctional Safety and Security process alignment
Functional Safety and Security process alignmentAlan Tatourian
 
PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019Dragos, Inc.
 
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017FRSecure
 
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017FRSecure
 
Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017FRSecure
 
Detect Unknown Threats, Reduce Dwell Time, Accelerate Response
Detect Unknown Threats, Reduce Dwell Time, Accelerate ResponseDetect Unknown Threats, Reduce Dwell Time, Accelerate Response
Detect Unknown Threats, Reduce Dwell Time, Accelerate ResponseRahul Neel Mani
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos, Inc.
 
Purple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingPurple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingFRSecure
 
Consequence Informed Cyber Security
Consequence Informed Cyber Security Consequence Informed Cyber Security
Consequence Informed Cyber Security Dragos, Inc.
 
Highly dependable automotive software
Highly dependable automotive softwareHighly dependable automotive software
Highly dependable automotive softwareAlan Tatourian
 
Machine learning cybersecurity boon or boondoggle
Machine learning cybersecurity boon or boondoggleMachine learning cybersecurity boon or boondoggle
Machine learning cybersecurity boon or boondogglePriyanka Aash
 
Applied cognitive security complementing the security analyst
Applied cognitive security complementing the security analyst Applied cognitive security complementing the security analyst
Applied cognitive security complementing the security analyst Priyanka Aash
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
Highly dependable automotive software
Highly dependable automotive softwareHighly dependable automotive software
Highly dependable automotive softwareAlan Tatourian
 
2014-12-16 defense news - shutdown the hackers
2014-12-16 defense news - shutdown the hackers2014-12-16 defense news - shutdown the hackers
2014-12-16 defense news - shutdown the hackersShawn Wells
 
Strata 2015 Presentation -- Detecting Lateral Movement
Strata 2015 Presentation -- Detecting Lateral Movement Strata 2015 Presentation -- Detecting Lateral Movement
Strata 2015 Presentation -- Detecting Lateral Movement Ram Shankar Siva Kumar
 
Artificial Intelligence and Cybersecurity
Artificial Intelligence and CybersecurityArtificial Intelligence and Cybersecurity
Artificial Intelligence and CybersecurityOlivier Busolini
 
DataWorks 2018: How Big Data and AI Saved the Day
DataWorks 2018: How Big Data and AI Saved the DayDataWorks 2018: How Big Data and AI Saved the Day
DataWorks 2018: How Big Data and AI Saved the DayInterset
 

More Related Content

What's hot

The Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security AnalyticsThe Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security AnalyticsDemetrio Milea
 
Slide Deck CISSP Class Session 4
Slide Deck CISSP Class Session 4Slide Deck CISSP Class Session 4
Slide Deck CISSP Class Session 4FRSecure
 
Industrial Control Systems Cybersecurity Technology Selection
Industrial Control Systems Cybersecurity Technology SelectionIndustrial Control Systems Cybersecurity Technology Selection
Industrial Control Systems Cybersecurity Technology SelectionDragos, Inc.
 
Cissp cbk final_exam-answers_v5.5
Cissp cbk final_exam-answers_v5.5Cissp cbk final_exam-answers_v5.5
Cissp cbk final_exam-answers_v5.5madunix
 
Functional Safety and Security process alignment
Functional Safety and Security process alignmentFunctional Safety and Security process alignment
Functional Safety and Security process alignmentAlan Tatourian
 
PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019Dragos, Inc.
 
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017FRSecure
 
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017FRSecure
 
Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017FRSecure
 
Detect Unknown Threats, Reduce Dwell Time, Accelerate Response
Detect Unknown Threats, Reduce Dwell Time, Accelerate ResponseDetect Unknown Threats, Reduce Dwell Time, Accelerate Response
Detect Unknown Threats, Reduce Dwell Time, Accelerate ResponseRahul Neel Mani
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos, Inc.
 
Purple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingPurple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingFRSecure
 
Consequence Informed Cyber Security
Consequence Informed Cyber Security Consequence Informed Cyber Security
Consequence Informed Cyber Security Dragos, Inc.
 
Highly dependable automotive software
Highly dependable automotive softwareHighly dependable automotive software
Highly dependable automotive softwareAlan Tatourian
 
Machine learning cybersecurity boon or boondoggle
Machine learning cybersecurity boon or boondoggleMachine learning cybersecurity boon or boondoggle
Machine learning cybersecurity boon or boondogglePriyanka Aash
 
Applied cognitive security complementing the security analyst
Applied cognitive security complementing the security analyst Applied cognitive security complementing the security analyst
Applied cognitive security complementing the security analyst Priyanka Aash
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
Highly dependable automotive software
Highly dependable automotive softwareHighly dependable automotive software
Highly dependable automotive softwareAlan Tatourian
 
2014-12-16 defense news - shutdown the hackers
2014-12-16 defense news - shutdown the hackers2014-12-16 defense news - shutdown the hackers
2014-12-16 defense news - shutdown the hackersShawn Wells
 
Strata 2015 Presentation -- Detecting Lateral Movement
Strata 2015 Presentation -- Detecting Lateral Movement Strata 2015 Presentation -- Detecting Lateral Movement
Strata 2015 Presentation -- Detecting Lateral Movement Ram Shankar Siva Kumar
 

What's hot (20)

The Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security AnalyticsThe Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security Analytics
 
Slide Deck CISSP Class Session 4
Slide Deck CISSP Class Session 4Slide Deck CISSP Class Session 4
Slide Deck CISSP Class Session 4
 
Industrial Control Systems Cybersecurity Technology Selection
Industrial Control Systems Cybersecurity Technology SelectionIndustrial Control Systems Cybersecurity Technology Selection
Industrial Control Systems Cybersecurity Technology Selection
 
Cissp cbk final_exam-answers_v5.5
Cissp cbk final_exam-answers_v5.5Cissp cbk final_exam-answers_v5.5
Cissp cbk final_exam-answers_v5.5
 
Functional Safety and Security process alignment
Functional Safety and Security process alignmentFunctional Safety and Security process alignment
Functional Safety and Security process alignment
 
PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019
 
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
 
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
 
Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017
 
Detect Unknown Threats, Reduce Dwell Time, Accelerate Response
Detect Unknown Threats, Reduce Dwell Time, Accelerate ResponseDetect Unknown Threats, Reduce Dwell Time, Accelerate Response
Detect Unknown Threats, Reduce Dwell Time, Accelerate Response
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware
 
Purple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration TestingPurple Teaming - The Collaborative Future of Penetration Testing
Purple Teaming - The Collaborative Future of Penetration Testing
 
Consequence Informed Cyber Security
Consequence Informed Cyber Security Consequence Informed Cyber Security
Consequence Informed Cyber Security
 
Highly dependable automotive software
Highly dependable automotive softwareHighly dependable automotive software
Highly dependable automotive software
 
Machine learning cybersecurity boon or boondoggle
Machine learning cybersecurity boon or boondoggleMachine learning cybersecurity boon or boondoggle
Machine learning cybersecurity boon or boondoggle
 
Applied cognitive security complementing the security analyst
Applied cognitive security complementing the security analyst Applied cognitive security complementing the security analyst
Applied cognitive security complementing the security analyst
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
Highly dependable automotive software
Highly dependable automotive softwareHighly dependable automotive software
Highly dependable automotive software
 
2014-12-16 defense news - shutdown the hackers
2014-12-16 defense news - shutdown the hackers2014-12-16 defense news - shutdown the hackers
2014-12-16 defense news - shutdown the hackers
 
Strata 2015 Presentation -- Detecting Lateral Movement
Strata 2015 Presentation -- Detecting Lateral Movement Strata 2015 Presentation -- Detecting Lateral Movement
Strata 2015 Presentation -- Detecting Lateral Movement
 

Similar to AI & ML in Cyber Security - Why Algorithms are Dangerous

Artificial Intelligence and Cybersecurity
Artificial Intelligence and CybersecurityArtificial Intelligence and Cybersecurity
Artificial Intelligence and CybersecurityOlivier Busolini
 
DataWorks 2018: How Big Data and AI Saved the Day
DataWorks 2018: How Big Data and AI Saved the DayDataWorks 2018: How Big Data and AI Saved the Day
DataWorks 2018: How Big Data and AI Saved the DayInterset
 
[Webinar] Supercharging Security with Behavioral Analytics
[Webinar] Supercharging Security with Behavioral Analytics[Webinar] Supercharging Security with Behavioral Analytics
[Webinar] Supercharging Security with Behavioral AnalyticsInterset
 
IANS Forum Seattle Technology Spotlight: Looking for and Finding the Inside...
IANS Forum Seattle Technology Spotlight: Looking for and Finding the Inside...IANS Forum Seattle Technology Spotlight: Looking for and Finding the Inside...
IANS Forum Seattle Technology Spotlight: Looking for and Finding the Inside...Interset
 
David valovcin big data - big risk
David valovcin big data - big riskDavid valovcin big data - big risk
David valovcin big data - big riskIBM Sverige
 
Privacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA AtlantaPrivacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA AtlantaUlf Mattsson
 
BsidesLVPresso2016_JZeditsv6
BsidesLVPresso2016_JZeditsv6BsidesLVPresso2016_JZeditsv6
BsidesLVPresso2016_JZeditsv6Rod Soto
 
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoftHow Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoftOSIsoft, LLC
 
A Journey Through The Far Side Of Data Science
A Journey Through The Far Side Of Data ScienceA Journey Through The Far Side Of Data Science
A Journey Through The Far Side Of Data Sciencetlcj97
 
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS NetworksLessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS NetworksAngeloluca Barba
 
Protecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UKProtecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UKUlf Mattsson
 
Big Data Security Analytics (BDSA) with Randy Franklin
Big Data Security Analytics (BDSA) with Randy FranklinBig Data Security Analytics (BDSA) with Randy Franklin
Big Data Security Analytics (BDSA) with Randy FranklinSridhar Karnam
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Saama Presents Is your Big Data Solution Ready for Streaming
Saama Presents Is your Big Data Solution Ready for StreamingSaama Presents Is your Big Data Solution Ready for Streaming
Saama Presents Is your Big Data Solution Ready for StreamingSaama
 
Smart Data Webinar: Machine Learning Update
Smart Data Webinar: Machine Learning UpdateSmart Data Webinar: Machine Learning Update
Smart Data Webinar: Machine Learning UpdateDATAVERSITY
 
Endpoint Modeling 101 - A New Approach to Endpoint Security
Endpoint Modeling 101 - A New Approach to Endpoint SecurityEndpoint Modeling 101 - A New Approach to Endpoint Security
Endpoint Modeling 101 - A New Approach to Endpoint SecurityObservable Networks
 
The Quality “Logs”-Jam: Why Alerting for Cybersecurity is Awash with False Po...
The Quality “Logs”-Jam: Why Alerting for Cybersecurity is Awash with False Po...The Quality “Logs”-Jam: Why Alerting for Cybersecurity is Awash with False Po...
The Quality “Logs”-Jam: Why Alerting for Cybersecurity is Awash with False Po...Mark Underwood
 
How to Operationalize Big Data Security Analytics - Technology Spotlight at I...
How to Operationalize Big Data Security Analytics - Technology Spotlight at I...How to Operationalize Big Data Security Analytics - Technology Spotlight at I...
How to Operationalize Big Data Security Analytics - Technology Spotlight at I...Interset
 
Who is the next target proactive approaches to data security
Who is the next target proactive approaches to data securityWho is the next target proactive approaches to data security
Who is the next target proactive approaches to data securityUlf Mattsson
 
Journey to the Center of Security Operations
Journey to the Center of Security OperationsJourney to the Center of Security Operations
Journey to the Center of Security Operations♟Sergej Epp
 

Similar to AI & ML in Cyber Security - Why Algorithms are Dangerous (20)

Artificial Intelligence and Cybersecurity
Artificial Intelligence and CybersecurityArtificial Intelligence and Cybersecurity
Artificial Intelligence and Cybersecurity
 
DataWorks 2018: How Big Data and AI Saved the Day
DataWorks 2018: How Big Data and AI Saved the DayDataWorks 2018: How Big Data and AI Saved the Day
DataWorks 2018: How Big Data and AI Saved the Day
 
[Webinar] Supercharging Security with Behavioral Analytics
[Webinar] Supercharging Security with Behavioral Analytics[Webinar] Supercharging Security with Behavioral Analytics
[Webinar] Supercharging Security with Behavioral Analytics
 
IANS Forum Seattle Technology Spotlight: Looking for and Finding the Inside...
IANS Forum Seattle Technology Spotlight: Looking for and Finding the Inside...IANS Forum Seattle Technology Spotlight: Looking for and Finding the Inside...
IANS Forum Seattle Technology Spotlight: Looking for and Finding the Inside...
 
David valovcin big data - big risk
David valovcin big data - big riskDavid valovcin big data - big risk
David valovcin big data - big risk
 
Privacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA AtlantaPrivacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA Atlanta
 
BsidesLVPresso2016_JZeditsv6
BsidesLVPresso2016_JZeditsv6BsidesLVPresso2016_JZeditsv6
BsidesLVPresso2016_JZeditsv6
 
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoftHow Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
 
A Journey Through The Far Side Of Data Science
A Journey Through The Far Side Of Data ScienceA Journey Through The Far Side Of Data Science
A Journey Through The Far Side Of Data Science
 
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS NetworksLessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
 
Protecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UKProtecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UK
 
Big Data Security Analytics (BDSA) with Randy Franklin
Big Data Security Analytics (BDSA) with Randy FranklinBig Data Security Analytics (BDSA) with Randy Franklin
Big Data Security Analytics (BDSA) with Randy Franklin
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Saama Presents Is your Big Data Solution Ready for Streaming
Saama Presents Is your Big Data Solution Ready for StreamingSaama Presents Is your Big Data Solution Ready for Streaming
Saama Presents Is your Big Data Solution Ready for Streaming
 
Smart Data Webinar: Machine Learning Update
Smart Data Webinar: Machine Learning UpdateSmart Data Webinar: Machine Learning Update
Smart Data Webinar: Machine Learning Update
 
Endpoint Modeling 101 - A New Approach to Endpoint Security
Endpoint Modeling 101 - A New Approach to Endpoint SecurityEndpoint Modeling 101 - A New Approach to Endpoint Security
Endpoint Modeling 101 - A New Approach to Endpoint Security
 
The Quality “Logs”-Jam: Why Alerting for Cybersecurity is Awash with False Po...
The Quality “Logs”-Jam: Why Alerting for Cybersecurity is Awash with False Po...The Quality “Logs”-Jam: Why Alerting for Cybersecurity is Awash with False Po...
The Quality “Logs”-Jam: Why Alerting for Cybersecurity is Awash with False Po...
 
How to Operationalize Big Data Security Analytics - Technology Spotlight at I...
How to Operationalize Big Data Security Analytics - Technology Spotlight at I...How to Operationalize Big Data Security Analytics - Technology Spotlight at I...
How to Operationalize Big Data Security Analytics - Technology Spotlight at I...
 
Who is the next target proactive approaches to data security
Who is the next target proactive approaches to data securityWho is the next target proactive approaches to data security
Who is the next target proactive approaches to data security
 
Journey to the Center of Security Operations
Journey to the Center of Security OperationsJourney to the Center of Security Operations
Journey to the Center of Security Operations
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 

Recently uploaded (20)

Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 

AI & ML in Cyber Security - Why Algorithms are Dangerous

  • 1. BlackHat USA | August 2018 AI & ML IN CYBERSECURITY Why Algorithms Are Dangerous RAFFAEL MARTY Vice President of Corporate Strategy, Forcepoint Copyright © 2018 Forcepoint.
  • 2. A BRIEF SUMMARY We don’t have artificial intelligence (yet) Algorithms are getting ‘smarter’, but experts are more important Stop throwing algorithms on the wall - they are not spaghetti Understand your data and your algorithms Invest in people who know security (and have experience) Build systems that capture “export knowledge” Think out of the box, history is bad for innovation Focus on advancing insights Copyright © 2018 Forcepoint. | 2
  • 3. RAFFAEL MARTY Sophos PixlCloud Loggly Splunk ArcSight IBM Research Security Visualization Big Data ML & AI SIEM Corp Strategy Leadership Zen Copyright © 2018 Forcepoint. | 3
  • 4. OUTLINE STATISTICS, MACHINE LEARNING & AI Defining the concepts THE ALGORITHMIC PROBLEM Understanding the data and the algorithms AN EXAMPLE Let’s get practical 01 02 03 Copyright © 2018 Forcepoint. | 4
  • 5. STATISTICS MACHINE LEARNING & ARTIFICIAL INTELLIGENCE 01 Copyright © 2018 Forcepoint. | 5
  • 6. “Companies are throwing algorithms on the wall to see what sticks (see security analytics market)” “Everyone calls their stuff ‘machine learning’ or even better ‘artificial intelligence’ - It’s not cool to use statistics!” Copyright © 2018 Forcepoint. | 6
  • 7. ML AND AI – WHAT IS IT? MACHINE LEARNING Algorithmic ways to “describe” data Supervised We are giving the system a lot of training data and it learns from that Unsupervised We give the system some kind of optimization to solve (clustering, dim reduction) DEEP LEARNING A “newer” machine learning algorithm Eliminates the feature engineering step Explainability / verifiability issues DATA MINING Methods to explore data – automatically ARTIFICIAL INTELLIGENCE “Just calling something AI doesn’t make it AI.” “A program that doesn't simply classify or compute model parameters, but comes up with novel knowledge that a security analyst finds insightful.” We don’t have artificial intelligence (yet)
  • 8. WHAT “AI” DOES TODAY KICK A HUMAN'S ASS AT GO DESIGN MORE EFFECTIVE DRUGS MAKE SIRI SMARTER Copyright © 2018 Forcepoint. | 8
  • 9. MACHINE LEARNING USES IN SECURITY SUPERVISED Malware classification Deep learning on millions of samples - 400k new malware samples a day Has increased true positives and decreased false positives compared to traditional ML Spam identification MLSec project on firewall data Analyzing massive amounts of firewall data to predict and score malicious sources (IPs) UNSUPERVISED DNS analytics Domain name classification, lookup frequencies, etc. Threat Intelligence feed curation IOC prioritization, deduplication, … Tier 1 analyst automation Reducing workload from 600M raw events to 100 incidents* User and Entity Behavior Analytics (UEBA) Uses mostly regular statistics and rule-based approaches * See Respond Software Inc. Copyright © 2018 Forcepoint. | 9
  • 10. THE ALGORITHMIC PROBLEM UNDERSTANDING THE DATA AND THE ALGORITHMS02 Copyright © 2018 Forcepoint. | 10
  • 11.
  • 12. FAMOUS AI (ALGORITHM) FAILURES http://neil.fraser.name/writing/tank/ PENTAGON - AI FAIL
  • 13. WHAT MAKES ALGORITHMS DANGEROUS? ALGORITHMS MAKE ASSUMPTIONS ABOUT THE DATA Assume ‘clean’ data (src/dst confusion, user feedback, etc.) Often assume a certain type of data and its distribution Generally don’t deal with outliers Machine learning assumes enough, representative data Need contextual features (e.g., not just IP addresses) Assume all input features are ‘normalized’ the same way ALGORITHMS ARE TOO EASY TO USE THESE DAYS (TENSORFLOW, TORCH, ML ON AWS, ETC.) The process is more important than the algorithm (e.g., feature engineering, supervision, drop outs, parameter choices, etc.) ALGORITHMS DO NOT TAKE DOMAIN KNOWLEDGE INTO ACCOUNT Defining meaningful and representative distance functions, for example e.g., each L4 protocol exhibits different behavior. Train it separately. e.g., interpretation is often unvalidated - beware of overfitting and biased models. Ports look like integers, they are not, same is true for IPs, processIDs, HTTP return codes, etc. Copyright © 2018 Forcepoint. | 13
  • 14. WHAT MAKES ALGORITHMS DANGEROUS? https://betterhumans.coach.me/cognitive-bias-cheat-sheet-55a472476b18 SAMPLE BIAS KNOWLEDGE BIAS HISTORY BIAS CONFIRMATION BIAS AVAILABILITY BIAS CORRELATION BIAS Copyright © 2018 Forcepoint. | 14
  • 15. COGNITIVE BIASES How biased is your data set? How do you know? Only a single customer’s data Learning from an ‘infected’ data set Collection errors Missing data (e.g., due to misconfiguration) What’s the context the data operates in? FTP although generally considered old and insecure, isn’t always problematic Don’t trust your IDS (e.g. “UDP bomb”)
  • 16. THE DANGERS WITH DEEP LEARNING – WHEN NOT TO USE IT Not enough or no quality labelled data Data cleanliness issues (timestamps, normalization across fields, etc.) Bad understanding of the data to engineer meaningful features (e.g., byte stream for binaries) Data is prone to adversarial input DATA No well trained domain experts and data scientists to oversee the implementation A need to understand what ML actually learned (explainability) Verifiability of output Interpretation of output MACHINE LEARNING DETECTIONS EXPERT KNOWLEDGE Copyright © 2018 Forcepoint. | 16
  • 17. ADVERSARIAL MACHINE LEARNING An example of an attack on deep learning Copyright © 2018 Forcepoint. | 17
  • 18. EXAMPLE LET’S GET PRACTICAL03 Copyright © 2018 Forcepoint. | 18
  • 19. FINDING ANOMALIES / ATTACKS IN NETWORK TRAFFIC Given: Network communications (i.e., netflow) Task: Find anomalies / attacks ? Copyright © 2018 Forcepoint. | 19
  • 20. DEEP LEARNING – THE SOLUTION TO EVERYTHING DEEP LEARNING PROMISES A FEW THINGS: ‘Auto’ feature extraction High accuracy of detections AND WE SATISFY SOME REQUIREMENTS: Lots of data available BUT: A single record does not indicate good/bad BUT: Not enough ‘information’ within flows – need context BUT: No labels available MOST SECURITY PROBLEMS CAN’T BE SOLVED WITH DEEP LEARNING or supervised methods in general Copyright © 2018 Forcepoint. | 20
  • 21. UNSUPERVISED TO THE RESCUE? Can we exploit the inherent structure within the data to find anomalies and attacks? Clustering traffic to find outliers 1. Clean the data 2. Engineer distance functions 3. Figure out the right algorithm 4. Apply the correct algorithmic parameters 5. Data interpretation Copyright © 2018 Forcepoint. | 21
  • 22. 1. UNDERSTAND AND CLEAN THE DATA dest port! Port 70000? src ports! http://vis.pku.edu.cn/people/simingchen/docs/vastchallenge13-mc3.pdf
  • 23. 2. ENGINEERING DISTANCE FUNCTIONS Distance functions define the similarity of data objects Need domain-specific similarity functions URLs (simple levenshtein distance versus domain based?) Ports (and IPs, ASNs) are NOT integers Treat user names as categorical, not as strings outlier?! Copyright © 2018 Forcepoint. | 23
  • 24. 3. CHOOSING THE RIGHT UNSUPERVISED ALGORITHM CLUSTERING ALGORITHMS K-means Affinity Propagation (AP) DBScan t-SNE CRITERIA TO CHOOSE AN ALGORITHM Dimensionality of data “Shape” of data Intrinsic algorithm workings Algorithm convergence or speed http://hdbscan.readthedocs.io/en/latest/comparing_clustering_algorithms.html Different algorithms find different / more or less clusters Copyright © 2018 Forcepoint. | 24
  • 25. 4. CHOOSING THE CORRECT ALGORITHM PARAMETERS The dangers of not understanding algorithmic parameters t-SNE clustering of network traffic from two types of machines perplexity = 3 epsilon = 3 No clear separation perplexity = 3 epsilon = 19 3 clusters instead of 2 perplexity = 93 epsilon = 19 What a mess Copyright © 2018 Forcepoint. | 25
  • 26. 4. CHOOSING THE CORRECT ALGORITHM PARAMETERS And this is when it gets dangerous Access decisions / enforcements based on cluster membership Copyright © 2018 Forcepoint. | 26
  • 27. 5. INTERPRETING THE DATA We analyze network traffic. The graph shows an abstract space (X and Y axes have no specific meaning). Each dot represents a device on the network. Colors represent machine-identified clusters. Interpretation questions: What are these clusters? What are good clusters? What’s anomalous? Where are compromised machines / attackers? Copyright © 2018 Forcepoint. | 27
  • 28. A DIFFERENT APPROACH - PROBABILISTIC INFERENCE Rather than running algorithms that model the shape of data, we need to take expert knowledge / domain expertise into account “What is the probability that it is raining, given the grass is wet?”: 35.77% Introducing Belief Networks Models that represent the state of the ‘world’ Helps us make predictions and reason about the world A graph rather than huge joint distribution tables across all states Using Bayes theorem to calculate ‘belief’ Could use ML to learn graph structure (nodes and edges), but it’ll get too unwieldy and non-interpretable! Copyright © 2018 Forcepoint. | 28
  • 29. BAYESIAN BELIEF NETWORK 1ST STEP – BUILD THE GRAPH Device is Compromised New protocol seen Is using port 23? Connecting from suspicious IP Mistake in IP classification Connecting to suspicious IP Connection to newly registered domain Has known vulnerabilities Open port 53 Shows up with new OS Machine got update to new OS Device is in maintenance mode Not seen for a week Sent huge amount of data in short period of time Protocol mismatch Seen encrypted traffic on port 23 1. What’s our objective? 2. What behaviors can we observe? 4 What are observable factors that reduce uncertainty of the central inference (of device compromised) 4 Observations should not be locally dependent – they should be true across all customers / environments 4 Do we have that data? 4 Do we need context for it?
  • 30. BAYESIAN BELIEF NETWORK 2ND STEP – GROUP NODES Device is Compromised Suspicious Host State Anomalous Network Behavior Host is Tunneling Data Threat Intelligence Hinting at Compromise Suspicious Protocol Usage New protocol seen Is using port 23? Has never used SSH before Connecting from suspicious IP Mistake in IP classification Connecting to suspicious IP Connection to newly registered domain Has known vulnerabilities Open port 53Shows up with new OS Machine got update to new OS Device is in maintenance mode Not seen for a week Sent huge amount of data in short period of time Protocol mismatch Seen encrypted traffic on port 23 Complexity of this network is too high. We cannot computer all the conditional probabilities. Therefore we need to introduce “grouping nodes”.
  • 31. BAYESIAN BELIEF NETWORK 3RD STEP – INTRODUCE DEPENDENCIES Device is Compromised Suspicious Host State Anomalous Network Behavior Host is Tunneling Data Threat Intelligence Hinting at Compromise Suspicious Protocol Usage New protocol seen Is using port 23? Has never used SSH before Connecting from suspicious IP Mistake in IP classification Connecting to suspicious IP Connection to newly registered domain Machine got update to new OS Device is in maintenance mode Not seen for a week Sent huge amount of data in short period of time Protocol mismatch Seen encrypted traffic on port 23 Has known vulnerabilities Open port 53Shows up with new OS Relationships between observations Conditional dependencies
  • 32. BAYESIAN BELIEF NETWORK 4TH STEP – ESTIMATE PROBABILITIES NODE PROBABILITIES 4 P(Protocol mismatch) = 0.01 OR “very low” 4 P(Seen encrypted traffic on port 23) = 0.01 OR “very low” 4 P(Host is Tunnelling Data) = 0.01 OR ”very low” Expert Knowledge Host is Tunneling Data Protocol mismatch Seen encrypted traffic on port 23 CONDITIONAL PROBABILITIES 4 Our belief network teaches us: “Tunnelling is not independent of seeing port 23 traffic” 4 P(Tunnelling | Enc. Port 23 Traffic) = (P(Enc. Port 23 | Tunnelling) * P(Tunnelling)) / P(Enc. Port 23) Copyright © 2018 Forcepoint. | 32 More precise than in pervious formula JOINT PROBABILITIES 4 Multiple factors lead to Tunnelling, not just one 4 P(Tunnelling | Enc. Port 23 AND Proto mismatch) = (P(Enc. Port 23 AND Proto mismatch | Tunnelling) * P(Tunnelling)) / P(Enc Port 23 AND Proto mismatch) Protocol mismatch Seen encrypted traffic on port 23
  • 33. BAYESIAN BELIEF NETWORK 5TH STEP – GOAL COMPUTATION Device is Compromised Suspicious Host State Anomalous Network Behavior Host is Tunneling Data Threat Intelligence Hinting at Compromise Suspicious Protocol Usage The probability that we have a compromised device is the joint and conditional probability over all the ‘group nodes’ Copyright © 2018 Forcepoint. | 33
  • 34. Machine got update to new OS Open port 53Shows up with new OS Anomalous Network Behavior BAYESIAN BELIEF NETWORK 6TH STEP – OBSERVE ACTIVITIES Device is Compromised Host is Tunneling Data Threat Intelligence Hinting at Compromise Suspicious Protocol Usage New protocol seen Is using port 23? Has never used SSH before Connecting from suspicious IP Mistake in IP classification Connecting to suspicious IP Connection to newly registered domain Device is in maintenance mode Not seen for a week Sent huge amount of data in short period of time Protocol mismatch Seen encrypted traffic on port 23 Suspicious Host State Has known vulnerabilities 0.4 0.3 0.2
  • 35. Open port 53 Anomalous Network Behavior BAYESIAN BELIEF NETWORK 6TH STEP – OBSERVE ACTIVITIES Device is Compromised Host is Tunneling Data Threat Intelligence Hinting at Compromise Suspicious Protocol Usage New protocol seen Is using port 23? Has never used SSH before Connecting from suspicious IP Mistake in IP classification Connecting to suspicious IP Connection to newly registered domain Device is in maintenance mode Not seen for a week Sent huge amount of data in short period of time Protocol mismatch Seen encrypted traffic on port 23 1. Update the ‘observation nodes’ in the network with observation (what we find in the logs) 2. Re-compute probabilities on the connected nodes ✓✓ ✗ Suspicious Host State Machine got update to new OS Has known vulnerabilitiesShows up with new OS 0.5 0.1 0.7
  • 36. BAYESIAN BELIEF NETWORK 7TH STEP – EXPERT INPUT Strengthen the network by introducing expert knowledge Pose any combinations of ‘observations’ and ‘group’ nodes as questions to experts Asking meaningful questions is an art and requires expert knowledge You will find that it matters how you named your nodes to define good questions Question Expert Answer What’s the probability that device is compromised and I have highly suspicious network behavior and nothing on threat intelligence 0.3 Probability that host is in suspicious state, given that port 53 is open, brand new OS 0.1 How likely is it that we see a connection to a newly registered domain and we see port 23 traffic? 0.01 Etc. Note how this is not a full joint probability over only a subset of the group nodes. We can have questions across observational nodes of different groups as well
  • 37. BELIEF NETWORKS – SOME OBSERVATIONS Iterative process of adding more nodes, grouping, adding expert input, etc. Graph allows for answering many questions – e.g., sensitivity analysis Do not determine the probabilities on the observation nodes with historic data. It is only accurate for scenarios that were included in data – how do you know your data covered all scenarios? Each problem requires the definition of a graphs based on expert input A generic “Network Traffic” graph is hard to build and train Not every FTP is bad Poor network practice -> e.g., using unencrypted protocols like FTP Thanks Chris @ respond-software.com for all your help! Biggest benefit of belief networks is that the learned knowledge can be verified and extracted!
  • 38. Copyright © 2018 Forcepoint. | 40 IN SUMMARY
  • 39. RECOMMENDATIONS Start with defining your use-cases, not choosing an algorithm ML is barely ever the solution to your problem Use ensembles of algorithms Teach the algos to ask for input – if it’s unsure, have it ask an expert rather than making a decision on its own Make sure models keep up with change and forget old facts that are not relevant anymore Do you need white lists / black lists for your algos to not go haywire? Verify your models - use visualization to help with that Share your insights with your peers – security is not your competitive advantage GDPR – transparency on what data is collected and used for decisions “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”
  • 40. BLACK HAT SOUNDBITES “Algorithms are getting ‘smarter’, but experts are more important” “Understand your data, your algorithms, and your data science process” “History is not a predictor – but knowledge is”