Deep Learning In Security
An Empirical Example in User & Entity Behavior Analytics (UEBA)
Jisheng Wang
June 7, 2017
Recently, deep learning has delivered groundbreaking advances in many industries. In this presentation, Dr. Wang will share empirical experiences of applying deep learning to solving some specific security problems with real-world customer attack detection examples. He will also discuss the challenges and guidelines for successfully deploying deep learning, or general machine learning, in broader security.

This session will feature two deep learning examples. The first example is a user-behavior anomaly detection solution using a Convolutional Neural Network (CNN). Since CNNs are most effective for image processing, Dr. Wang will introduce an innovative way to encode a user's daily behavior into multi-channel images. He will also share the experimental comparison results of CNN hyperparameter tuning. The second example is a stateful user risk scoring system using Long Short-Term Memory (LSTM). Most modern attacks happen in a multi-stage fashion, i.e., infection -> command & control -> lateral movement -> data infiltration -> data exfiltration. In this case, the company uses LSTM to monitor the temporal state transition of each user over these.

Slide 1: title slide (see above).

Slide 2: ME, NIARA, HPE
• Jisheng Wang, Senior Director of Data Science, CTO Office, Aruba / HPE
  - Over 12 years of experience: Machine Learning + Big Data => Security
  - Chief Scientist at Niara; led overall data analytics innovation and development
  - Ph.D. from Penn State; Technical Lead at Cisco
• Niara, a Hewlett Packard Enterprise company
  - Recognized by Gartner as a leader in User and Entity Behavior Analytics (UEBA)
  - Re-inventing enterprise security using big data and data science
  - Acquired by Aruba, a Hewlett Packard Enterprise company, in February 2017

Slide 3: USER & ENTITY BEHAVIOR ANALYTICS (agenda; you are here: UEBA Security)
• UEBA SECURITY: why this matters
• UEBA SOLUTION: how to detect attacks before damage is done
• BEYOND DEEP LEARNING: how to build a comprehensive solution

Slide 4: PROBLEM: THE SECURITY GAP
[Chart: security spend on prevention & detection (US $B) vs. number of data breaches]

Slide 5: PROBLEM: CAUSE OF THE GAP
• Attackers are quickly innovating and adapting
• Battlefield: with IoT and cloud, security is borderless

Slide 6: PROBLEM: ADDRESSING THE CAUSE
• Attackers are quickly innovating and adapting -> Deep learning: solutions must be responsive to changes

Slide 7: PROBLEM: ADDRESSING THE CAUSE
• Battlefield: with IoT and cloud, security is borderless -> Insider behavior: look at the behavior change of inside users and machines

Slide 8: USER & ENTITY BEHAVIOR ANALYTICS (UEBA)
Machine learning driven behavior analytics is a new way to combat attackers:
1. Machine driven, not only human driven
2. Detect compromised users, not only attackers
3. Post-infection detection, not only prevention

Slide 9: REAL WORLD NEWSWORTHY EXAMPLES
• COMPROMISED: 40 million credit cards were stolen from Target's servers (stolen credentials)
• NEGLIGENT: a DDoS attack from 10M+ hacked home devices took down major websites (all used the same password)
• MALICIOUS: Edward Snowden stole more than 1.7 million classified documents (intended to leak information)

Slide 10: USER & ENTITY BEHAVIOR ANALYTICS (agenda; you are here: UEBA Solution)
• UEBA SECURITY: why this matters
• UEBA SOLUTION: how to detect attacks before damage is done
• BEYOND DEEP LEARNING: how to build a comprehensive solution

Slide 11: REAL WORLD ATTACKS CAUGHT BY NIARA
• SCANNING ATTACK: scanning servers in the data center to find vulnerable targets; detected with AD logs
• EXFILTRATION OF DATA: uploading a large file to a cloud server hosted in a country never accessed before; detected with web proxy logs
• DATA DOWNLOAD: downloading data from an internal document repository, which is not typical for that host; detected with network traffic
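The exfiltration case on slide 11 (a large upload to a cloud server in a country the user has never accessed before, detected from web proxy logs), as an added example that is not Niara's code: a per-user baseline is built from earlier proxy records, and a new record is flagged only when both the destination country is new for that user and the upload is far larger than the user's usual uploads. The proxy-log field layout, the user names, hosts and the size factor are all assumptions; the log lines are constructed for the example.

```python
"""Added example (not Niara's code): baseline-and-deviation rule for the
"large upload to a new country" case, run over constructed web-proxy logs."""
from collections import defaultdict
from statistics import median

# Constructed sample, one record per line:
#   "<epoch> <user> <dst_host> <dst_country> <bytes_out>"
# The field layout is an assumption; real proxy logs differ per vendor.
BASELINE_LOG = """\
1496800000 alice box.com US 120000
1496803600 alice docs.google.com US 85000
1496807200 alice sharepoint.corp.example DE 40000
1496810800 alice box.com US 150000
1496814400 bob dropbox.com US 30000
1496818000 bob dropbox.com US 45000
1496821600 bob wetransfer.com NL 90000
"""

NEW_EVENTS = """\
1496900000 alice box.com US 140000
1496903600 alice files.example.ru RU 2400000
1496907200 bob mega.nz NZ 20000
1496910800 bob dropbox.com US 3000000
"""


def parse(log):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in log.splitlines():
        ts, user, host, country, nbytes = line.split()
        events.append({"ts": int(ts), "user": user, "host": host,
                       "country": country, "bytes_out": int(nbytes)})
    return events


def build_baseline(events):
    """Per user: the set of destination countries seen and the median upload size."""
    countries = defaultdict(set)
    uploads = defaultdict(list)
    for e in events:
        countries[e["user"]].add(e["country"])
        uploads[e["user"]].append(e["bytes_out"])
    return {u: {"countries": countries[u], "median_bytes": median(uploads[u])}
            for u in countries}


def detect_exfiltration(baseline, events, size_factor=10):
    """Flag an upload when the destination country is new for the user AND the
    upload is at least size_factor times that user's median upload.
    Both conditions are required: a small request to a new country (bob -> NZ)
    is ordinary browsing, and a large upload to a familiar destination
    (bob -> dropbox.com, US) is what bob's baseline already contains."""
    alerts = []
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            continue  # no baseline yet: keep learning rather than alert on nothing
        new_country = e["country"] not in b["countries"]
        large = e["bytes_out"] >= size_factor * b["median_bytes"]
        if new_country and large:
            alerts.append((e["user"], e["host"], e["country"], e["bytes_out"]))
    return alerts


if __name__ == "__main__":
    bl = build_baseline(parse(BASELINE_LOG))
    for a in detect_exfiltration(bl, parse(NEW_EVENTS)):
        print("ALERT large upload to new country:", a)
```

On the sample data only alice's 2.4 MB upload to a Russian host fires; the two single-condition cases for bob stay quiet, which is the point of requiring a behavioral deviation on more than one dimension before raising an alert.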
Slide 12: BEHAVIOR ENCODING: USERS
[Figure: encoded daily behavior images of User 1 and User 2]

Slide 13: BEHAVIOR ENCODING: USER VS MACHINE
[Figure: encoded behavior image of a user beside that of a machine]

Slide 14: ANOMALY DETECTION: CONVOLUTIONAL NEURAL NETWORK (CNN)
Feature extraction:
• Behavior image (24x60x9)
• 8x20 convolution -> feature maps (24x60x40)
• 2x2 pooling -> feature maps (12x30x40)
• 4x10 convolution -> feature maps (12x30x80)
• 2x2 pooling -> feature maps (6x15x80)
Classification:
• Fully connected, 1024 nodes
• Fully connected with dropout
• Output layer -> user labels

Slide 15: ANOMALY DETECTION: ARCHITECTURE
• Stream data -> pre-processing -> behavior encoding (input data: user activities)
• Labeled user behavior repository
• CNN training -> behavior classifier
• Behavior anomaly detection
• The diagram labels Apache Spark and TensorFlow as the two platforms used
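The behavior encoding of slides 12-14 and the layer shapes of the slide 14 CNN, as an added example that is not Niara's code. The slide gives only the dimensions (24x60x9); that the two spatial axes are hour-of-day and minute-of-hour and that the nine channels are activity types is an assumption, as are the channel names. The shape trace also assumes 'same' padding for the convolutions, since that is the only way an 8x20 kernel leaves the 24x60 spatial size unchanged as the slide shows. The sample day of events is constructed; no deep learning framework is needed to run it.

```python
"""Added example (not Niara's code): build a 24x60xC "behavior image" from
one day of activity and trace the feature-map shapes of the slide 14 CNN."""

HOURS, MINUTES = 24, 60
# Assumed channels, one per activity type; the slide only says there are 9.
CHANNELS = ["ad_login", "vpn_login", "file_server", "finance_server",
            "web_upload_bytes", "web_download_bytes", "dns_queries",
            "email_sent", "badge_swipe"]


def empty_image():
    return [[[0.0] * len(CHANNELS) for _ in range(MINUTES)] for _ in range(HOURS)]


def encode_day(events):
    """events: iterable of (hour, minute, channel, value). Counts or bytes
    accumulate in the pixel for that minute, so a 03:10 burst of file-server
    hits becomes a bright patch that a convolution filter can detect on any
    day, while a 9-to-5 login pattern forms the user's normal 'texture'."""
    img = empty_image()
    idx = {c: i for i, c in enumerate(CHANNELS)}
    for hour, minute, channel, value in events:
        img[hour][minute][idx[channel]] += value
    return img


def normalize(img):
    """Per-channel max scaling to [0, 1], so byte counters (hundreds of
    kilobytes) do not swamp event counters (a handful of logins)."""
    n_ch = len(CHANNELS)
    maxes = [max(img[h][m][c] for h in range(HOURS) for m in range(MINUTES)) or 1.0
             for c in range(n_ch)]
    return [[[img[h][m][c] / maxes[c] for c in range(n_ch)]
             for m in range(MINUTES)] for h in range(HOURS)]


def shape(img):
    return (len(img), len(img[0]), len(img[0][0]))


# Slide 14 architecture: (kind, kernel, output channels or nodes).
CNN_LAYERS = [
    ("conv", (8, 20), 40),
    ("pool", (2, 2), None),
    ("conv", (4, 10), 80),
    ("pool", (2, 2), None),
    ("fc", None, 1024),
    ("fc_dropout", None, 1024),
]


def trace_shapes(input_shape, layers=CNN_LAYERS):
    """Return the tensor shape after each layer, starting with the input.
    Assumes 'same' padding and stride 1 for convolutions and non-overlapping
    pooling, which reproduces the sizes printed on the slide."""
    h, w, c = input_shape
    shapes = [(h, w, c)]
    for kind, k, n in layers:
        if kind == "conv":
            c = n
        elif kind == "pool":
            h, w = h // k[0], w // k[1]
        else:  # dense layers flatten the spatial dimensions
            h, w, c = 1, 1, n
        shapes.append((h, w, c))
    return shapes


# Constructed sample day: normal morning logins plus a 03:10 file-server burst.
SAMPLE_EVENTS = [(9, 2, "ad_login", 1), (9, 3, "vpn_login", 1),
                 (10, 15, "web_download_bytes", 250_000), (17, 30, "email_sent", 1)]
SAMPLE_EVENTS += [(3, m, "file_server", 4) for m in range(10, 25)]

if __name__ == "__main__":
    img = normalize(encode_day(SAMPLE_EVENTS))
    print("behavior image shape:", shape(img))
    for s in trace_shapes(shape(img)):
        print(s)
```

The trace ends at 6x15x80 = 7200 values before the 1024-node dense layer, which is the size of the flatten step the slide leaves implicit; if the convolutions were run without padding the 24x60 input would shrink to 17x41 after the first layer and the printed shapes would not match the slide.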
Slide 16: BEHAVIOR ANOMALY: USER | EXFILTRATION
[Figure: the user's behavior image before compromise and post compromise]

Slide 17: BEHAVIOR ANOMALY: IOT DEVICE | DATA DOWNLOAD
[Figure: a Dropcam's behavior image before compromise and post compromise]

Slide 18: BEHAVIOR ANALYTICS: MULTI-DIMENSIONAL
Behavioral analytics draws on:
• Internal resource access: finance servers
• Authentication: AD logins
• Remote access: VPN logins
• External activity: C&C, personal email
• SaaS activity: Office 365, Box
• Cloud IaaS: AWS, Azure
• Physical access: badge logs
• Exfiltration: DLP, email

Slide 19: ENTITY SCORING: TEMPORAL SEQUENCE TRACKING
[Figure only]

Slide 20: ENTITY SCORING: RECURRENT NEURAL NETWORK (RNN)
Input events and the risk score after each:
• t1, phishing email infection -> 25
• t2, suspicious C&C DNS tunnel -> 48
• t3, abnormal server access -> 76
• t4, large data upload to new country -> 92

Slides 21-22: ENTITY SCORING: RECURRENT NEURAL NETWORK (RNN), input encoding
• Input layer (200 x 1): one-hot, time-decayed encoding of the input events
• Each event becomes a 200-element vector that is zero everywhere except at the event's own index, which holds a time-decay value: f(t1) for the first event and f(t2-t1), f(t3-t2), f(t4-t3) for the following ones
• Example values on slide 22: 0.6, 0.8, 0.9, 0.5

Slide 23: ENTITY SCORING: RECURRENT NEURAL NETWORK (RNN), full model
• Input layer (200 x 1) -> Long Short-Term Memory (LSTM): hidden layer (64 x 1), output layer (64 x 1) -> score layer (100 x 1)
• Risk scores for the four events: 25, 48, 76, 92
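The one-hot, time-decayed encoding of slides 21-22 and the stateful scoring of slide 23, as an added example that is not Niara's code. The slides give only the layer sizes (input 200, hidden 64, score layer 100) and the shape of each input vector; the catalogue of event types, the exponential form of the decay function f, the reading of the 100-way score layer as risk buckets 0..99, and the seeded random weights are all assumptions. The four-event sequence is constructed to mirror the slide's kill chain.

```python
"""Added example (not Niara's code): time-decayed one-hot event encoding and a
minimal LSTM forward pass that carries entity state across the events."""
import math
import random

INPUT_DIM, HIDDEN_DIM, SCORE_DIM = 200, 64, 100

# Assumed catalogue of alert types; the value is the position in the one-hot vector.
EVENT_INDEX = {"phishing_email_infection": 0, "suspicious_cc_dns_tunnel": 1,
               "abnormal_server_access": 2, "large_upload_new_country": 3}


def decay(dt_hours, tau_hours=24.0):
    """f(dt): value of the single non-zero entry. Assumption: exponential decay,
    so an event that follows its predecessor quickly keeps most of its weight."""
    return math.exp(-dt_hours / tau_hours)


def encode_sequence(events):
    """events: list of (t_hours, event_name) sorted by time. Each step yields a
    200-element vector, zero everywhere except at the event's index, which holds
    f(t_i - t_{i-1}); the first event uses f(t_1), measured from t = 0."""
    vectors, prev_t = [], 0.0
    for t, name in events:
        v = [0.0] * INPUT_DIM
        v[EVENT_INDEX[name]] = decay(t - prev_t)
        vectors.append(v)
        prev_t = t
    return vectors


def _sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


class TinyLSTM:
    """Single-layer LSTM (hidden 64) feeding a 100-way score layer. Weights are
    random but seeded, for illustration only; a deployment trains them on
    labelled incident sequences."""

    def __init__(self, seed=0):
        rng = random.Random(seed)
        s = 1.0 / math.sqrt(INPUT_DIM + HIDDEN_DIM)

        def mat(rows, cols):
            return [[rng.uniform(-s, s) for _ in range(cols)] for _ in range(rows)]

        # One weight matrix per gate (input, forget, output, cell candidate)
        # over the concatenated [x, h_prev] vector.
        self.W = {g: mat(HIDDEN_DIM, INPUT_DIM + HIDDEN_DIM) for g in "ifog"}
        self.b = {g: [0.0] * HIDDEN_DIM for g in "ifog"}
        self.b["f"] = [1.0] * HIDDEN_DIM  # forget-gate bias: remember by default
        self.W_score = mat(SCORE_DIM, HIDDEN_DIM)

    def _gate(self, g, z):
        return [sum(w * zi for w, zi in zip(row, z)) + bj
                for row, bj in zip(self.W[g], self.b[g])]

    def step(self, x, h, c):
        z = x + h  # list concatenation: 200 inputs + 64 previous hidden
        i = [_sigmoid(v) for v in self._gate("i", z)]
        f = [_sigmoid(v) for v in self._gate("f", z)]
        o = [_sigmoid(v) for v in self._gate("o", z)]
        g = [math.tanh(v) for v in self._gate("g", z)]
        c = [fj * cj + ij * gj for fj, cj, ij, gj in zip(f, c, i, g)]
        h = [oj * math.tanh(cj) for oj, cj in zip(o, c)]
        return h, c

    def risk_scores(self, vectors):
        """One 0..99 score per event: the argmax of the score layer. The hidden
        and cell state persist across events, which is what makes the score
        stateful: the same 'abnormal server access' vector scores differently
        after a phishing infection and C&C tunnel than on its own."""
        h, c, scores = [0.0] * HIDDEN_DIM, [0.0] * HIDDEN_DIM, []
        for x in vectors:
            h, c = self.step(x, h, c)
            logits = [sum(w * hj for w, hj in zip(row, h)) for row in self.W_score]
            scores.append(max(range(SCORE_DIM), key=logits.__getitem__))
        return scores


# Constructed sequence mirroring slide 20: (hours since start of window, event).
SAMPLE_SEQUENCE = [(2.0, "phishing_email_infection"), (5.0, "suspicious_cc_dns_tunnel"),
                   (7.0, "abnormal_server_access"), (20.0, "large_upload_new_country")]

if __name__ == "__main__":
    vecs = encode_sequence(SAMPLE_SEQUENCE)
    print("decay values:", [round(max(v), 3) for v in vecs])
    print("risk scores:", TinyLSTM().risk_scores(vecs))
```

With untrained weights the printed scores are meaningless numbers in 0..99; what the block demonstrates is the data path: each event enters as a single weighted entry in a 200-wide vector, and the LSTM state is the only thing that connects the four stages into one rising entity score.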
Slide 24: USER & ENTITY BEHAVIOR ANALYTICS (agenda; you are here: Beyond Deep Learning)
• UEBA SECURITY: what is UEBA
• UEBA SOLUTION: infrastructure needed for deep learning
• BEYOND DEEP LEARNING: how to build a comprehensive solution

Slide 25: LOCAL CONTEXT: MACHINE + HUMAN INTELLIGENCE
Diagram elements: input data, models, alerts, user feedback, reinforcement learning, continuous learning, local context. Analyst feedback on alerts is fed back into the models so they keep learning the local context of each deployment.

Slide 26: TRAINING DATA: GLOBAL + LOCAL INTELLIGENCE
• Global security intelligence in the cloud
• Local security intelligence in individual customer deployments
• The diagram links the two with a CLASSIFIER arrow and a FEEDBACK arrow

Slide 27: USER & ENTITY BEHAVIOR ANALYTICS (agenda, repeated)
• UEBA SECURITY: what is UEBA
• UEBA SOLUTION: infrastructure needed for deep learning
• BEYOND DEEP LEARNING: how to build a comprehensive solution

Slide 28: Thank You