Sven Krasser, profile picture
Uploaded bySven Krasser
PDF, PPTX1,805 views

IJCNN 2017

The document discusses the challenges of applying machine learning in information security, highlighting issues such as high false positive rates, the need for multiple models, and the impact of data distribution differences. It emphasizes the importance of combining various data sources and non-ML techniques for effective security measures. Additionally, it points out the complexities of data management, including retraining and labeling costs, as significant factors affecting machine learning success in this area.

Technology
Related topics:
Information Security

Embed presentation

Download as PDF, PPTX
SO YOU GOT A MODEL… DR. SVEN KRASSER CHIEF SCIENTIST @SVENKRASSER A 5 MINUTE RUNDOWN OF THE COMMON AND NOT-SO-COMMON PITFALLS OF APPLYING MACHINE LEARNING IN INFORMATION SECURITY
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. MACHINE LEARNING AT CROWDSTRIKE § ~40 billion events per day § ~800 thousand events per second peak § ~700 trillion bytes of sample data § Local decisions on endpoint and large scale analysis in cloud § Static and dynamic analysis techniques, various rich data sources § Analysts generating new ground truth 24/7
CHALLENGES FOR APPLIED ML
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. FALSE POSITIVE RATE § Most events are associated with clean executions § Most files on a given system are clean § Therefore, even low FPRs cause large numbers of FPs § Industry expectations driven by performance of narrow signatures
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. Repeated independent trials guarantee adversary success TRUE POSITIVE RATE § Security cannot be solved with a single ML model § Need to consider various data sources (pre and post- execution) § Augment with non-ML techniques Chanceofatleastonesuccessforadversary Number of attempts at 99% detection rate 1% >99.3%
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. UNWIELDY DATA § Many outliers § Multimodal distributions § Sometimes narrow modes far apart § Adversary-controlled features § Mix of sparse/dense and discrete/continuous features
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. Training set distribution generally differs from… DIFFERENCE IN DISTRIBUTIONS § Real-world distribution (customer networks) § Evaluations (what customers test) § Testing houses (various 3rd party testers with varying methodologies) § Community resources (e.g. user submissions to CrowdStrike scanner on VirusTotal)
2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. Or: the second model needs to be cheaper REPEATABLE SUCCESS § Retraining cadence § Concept drift § Changes in data content (e.g. event field definitions) § Changes in data distribution (e.g. event disposition) § Data cleansing is expensive (conventional wisdom) § Needs automation § Labeling can be expensive § Ephemeral instances (data content or distribution changed) § Lack of sufficient observations § Embeddings and intermediate models § Keep track of input data § Keep track of ground truth budget
IJCNN 2017

More Related Content

PDF
Practical Machine Learning in Information Security
bySven Krasser
 
PDF
A Sober Look at Machine Learning
bySven Krasser
 
PDF
Of Search Lights and Blind Spots: Machine Learning in Cybersecurity
bySven Krasser
 
PDF
Straight Talk on Machine Learning -- What the Marketing Department Doesn’t Wa...
bySven Krasser
 
PDF
Fundamentals of Machine Learning: Perspectives from a Data Scientist (ISC Wes...
bySven Krasser
 
PDF
IoT-Shield: A Novel DDoS Detection Approach for IoT-Based Devices
bySaeidGhasemshirazi
 
PPTX
Threat Hunting for Command and Control Activity
bySqrrl
 
PDF
Automatiza las detecciones de amenazas y evita los falsos positivos
byElasticsearch
 
Practical Machine Learning in Information Security
bySven Krasser
 
A Sober Look at Machine Learning
bySven Krasser
 
Of Search Lights and Blind Spots: Machine Learning in Cybersecurity
bySven Krasser
 
Straight Talk on Machine Learning -- What the Marketing Department Doesn’t Wa...
bySven Krasser
 
Fundamentals of Machine Learning: Perspectives from a Data Scientist (ISC Wes...
bySven Krasser
 
IoT-Shield: A Novel DDoS Detection Approach for IoT-Based Devices
bySaeidGhasemshirazi
 
Threat Hunting for Command and Control Activity
bySqrrl
 
Automatiza las detecciones de amenazas y evita los falsos positivos
byElasticsearch
 

What's hot

PPTX
Dev talks 2021 Data Science @crowdstrike
byRuxandra Burtica
 
PPTX
Episode IV: A New Scope
byThreatConnect
 
PDF
Threat Hunting Platforms (Collaboration with SANS Institute)
bySqrrl
 
PDF
Elastic Stack Roadmap
byImma Valls Bernaus
 
PPTX
SQRRL threat hunting platform
byDataWorks Summit/Hadoop Summit
 
PDF
The Art and Science of Alert Triage
bySqrrl
 
PPTX
Modernizing Your SOC: A CISO-led Training
bySqrrl
 
PDF
Machine Learning for Incident Detection: Getting Started
bySqrrl
 
PDF
Au cœur de la roadmap de la Suite Elastic
byElasticsearch
 
PPTX
Grace Hopper Open Source Day Findings | Thorn & Cloudera Cares
byCloudera, Inc.
 
PDF
Managing Indicator Deprecation in ThreatConnect
byThreatConnect
 
PDF
NSL Thesis defense
byChristopher Keller
 
PPTX
The Security Industry is Suffering from Fragmentation, What Can Your Organiza...
byThreatConnect
 
PDF
University of Oxford: building a next generation SIEM
byElasticsearch
 
PDF
Building a Real-Time Gaming Analytics Service with Apache Druid
byImply
 
PPTX
Art into Science 2017 - Investigation Theory: A Cognitive Approach
bychrissanders88
 
PDF
Troubleshooting your elasticsearch cluster like a support engineer
byImma Valls Bernaus
 
PPTX
Abstract Tools for Effective Threat Hunting
bychrissanders88
 
PDF
User and Entity Behavior Analytics using the Sqrrl Behavior Graph
bySqrrl
 
PDF
Sqrrl 2.0 Launch Webinar
bySqrrl
 
Dev talks 2021 Data Science @crowdstrike
byRuxandra Burtica
 
Episode IV: A New Scope
byThreatConnect
 
Threat Hunting Platforms (Collaboration with SANS Institute)
bySqrrl
 
Elastic Stack Roadmap
byImma Valls Bernaus
 
SQRRL threat hunting platform
byDataWorks Summit/Hadoop Summit
 
The Art and Science of Alert Triage
bySqrrl
 
Modernizing Your SOC: A CISO-led Training
bySqrrl
 
Machine Learning for Incident Detection: Getting Started
bySqrrl
 
Au cœur de la roadmap de la Suite Elastic
byElasticsearch
 
Grace Hopper Open Source Day Findings | Thorn & Cloudera Cares
byCloudera, Inc.
 
Managing Indicator Deprecation in ThreatConnect
byThreatConnect
 
NSL Thesis defense
byChristopher Keller
 
The Security Industry is Suffering from Fragmentation, What Can Your Organiza...
byThreatConnect
 
University of Oxford: building a next generation SIEM
byElasticsearch
 
Building a Real-Time Gaming Analytics Service with Apache Druid
byImply
 
Art into Science 2017 - Investigation Theory: A Cognitive Approach
bychrissanders88
 
Troubleshooting your elasticsearch cluster like a support engineer
byImma Valls Bernaus
 
Abstract Tools for Effective Threat Hunting
bychrissanders88
 
User and Entity Behavior Analytics using the Sqrrl Behavior Graph
bySqrrl
 
Sqrrl 2.0 Launch Webinar
bySqrrl
 

Similar to IJCNN 2017

PDF
BSidesLV 2013 - Using Machine Learning to Support Information Security
byAlex Pinto
 
PDF
Machine learning cybersecurity boon or boondoggle
byPriyanka Aash
 
PPTX
Machine Learning in Information Security by Mohammed Zuber
byOWASP Delhi
 
PPTX
Machine learning cyphort_malware_most_wanted
byCyphort
 
PPTX
Presentation_42240_Content_Document_20251003051833PM.pptx
bybhfcvh531
 
PPTX
The 4 Machine Learning Models Imperative for Business Transformation
byRocketSource
 
PDF
The Myths + Realities of Machine-Learning Cybersecurity
byInterset
 
PPTX
Machine Learning SPPU Unit 1
byAmruta Aphale
 
PPTX
Machine Learning: Addressing the Disillusionment to Bring Actual Business Ben...
byJon Mead
 
PPTX
Advanced Analytics and Data Science Expertise
bySoftServe
 
PPTX
Machine learning in computer security
byKishor Datta Gupta
 
PPTX
M01-L02 - Introduction to Machine Learning for Cybersecurity.pptx
byMinhaoCheng2
 
PPTX
AI and ML Training for non technical
byShiv Onkar Deepak Kumar, Ph.D.
 
PPTX
Machine Learning - Lecture2.pptx
byNsitTech
 
PDF
Practical Applications of Machine Learning in Cybersecurity
byscoopnewsgroup
 
PPTX
Mastering_Data_Achieving_Machine_Intelligence (1).pptx
bypremalathac6
 
PPT
ML.pptvdvdvdvdvdfvdfgvdsdgdsfgdfgdfgdfgdf
byAvijitChaudhuri3
 
PPT
ML.ppt
byssuserd27779
 
PPT
ML.ppt
bynazimsattar
 
PPT
ML.ppt
byssuserd27779
 
BSidesLV 2013 - Using Machine Learning to Support Information Security
byAlex Pinto
 
Machine learning cybersecurity boon or boondoggle
byPriyanka Aash
 
Machine Learning in Information Security by Mohammed Zuber
byOWASP Delhi
 
Machine learning cyphort_malware_most_wanted
byCyphort
 
Presentation_42240_Content_Document_20251003051833PM.pptx
bybhfcvh531
 
The 4 Machine Learning Models Imperative for Business Transformation
byRocketSource
 
The Myths + Realities of Machine-Learning Cybersecurity
byInterset
 
Machine Learning SPPU Unit 1
byAmruta Aphale
 
Machine Learning: Addressing the Disillusionment to Bring Actual Business Ben...
byJon Mead
 
Advanced Analytics and Data Science Expertise
bySoftServe
 
Machine learning in computer security
byKishor Datta Gupta
 
M01-L02 - Introduction to Machine Learning for Cybersecurity.pptx
byMinhaoCheng2
 
AI and ML Training for non technical
byShiv Onkar Deepak Kumar, Ph.D.
 
Machine Learning - Lecture2.pptx
byNsitTech
 
Practical Applications of Machine Learning in Cybersecurity
byscoopnewsgroup
 
Mastering_Data_Achieving_Machine_Intelligence (1).pptx
bypremalathac6
 
ML.pptvdvdvdvdvdfvdfgvdsdgdsfgdfgdfgdfgdf
byAvijitChaudhuri3
 
ML.ppt
byssuserd27779
 
ML.ppt
bynazimsattar
 
ML.ppt
byssuserd27779
 

Recently uploaded

PDF
apidays New York 2025 | AI in Application Security
byapidays
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PDF
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
final.pdf
byomarbishtawi04
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
apidays New York 2025 | AI in Application Security
byapidays
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
final.pdf
byomarbishtawi04
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 

IJCNN 2017

  • 1.
    SO YOU GOTA MODEL… DR. SVEN KRASSER CHIEF SCIENTIST @SVENKRASSER A 5 MINUTE RUNDOWN OF THE COMMON AND NOT-SO-COMMON PITFALLS OF APPLYING MACHINE LEARNING IN INFORMATION SECURITY
  • 2.
    2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. MACHINE LEARNING ATCROWDSTRIKE § ~40 billion events per day § ~800 thousand events per second peak § ~700 trillion bytes of sample data § Local decisions on endpoint and large scale analysis in cloud § Static and dynamic analysis techniques, various rich data sources § Analysts generating new ground truth 24/7
  • 3.
  • 4.
    2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. FALSE POSITIVE RATE §Most events are associated with clean executions § Most files on a given system are clean § Therefore, even low FPRs cause large numbers of FPs § Industry expectations driven by performance of narrow signatures
  • 5.
    2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. Repeated independent trialsguarantee adversary success TRUE POSITIVE RATE § Security cannot be solved with a single ML model § Need to consider various data sources (pre and post- execution) § Augment with non-ML techniques Chanceofatleastonesuccessforadversary Number of attempts at 99% detection rate 1% >99.3%
  • 6.
    2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. UNWIELDY DATA § Manyoutliers § Multimodal distributions § Sometimes narrow modes far apart § Adversary-controlled features § Mix of sparse/dense and discrete/continuous features
  • 7.
    2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. Training set distributiongenerally differs from… DIFFERENCE IN DISTRIBUTIONS § Real-world distribution (customer networks) § Evaluations (what customers test) § Testing houses (various 3rd party testers with varying methodologies) § Community resources (e.g. user submissions to CrowdStrike scanner on VirusTotal)
  • 8.
    2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED. Or: the secondmodel needs to be cheaper REPEATABLE SUCCESS § Retraining cadence § Concept drift § Changes in data content (e.g. event field definitions) § Changes in data distribution (e.g. event disposition) § Data cleansing is expensive (conventional wisdom) § Needs automation § Labeling can be expensive § Ephemeral instances (data content or distribution changed) § Lack of sufficient observations § Embeddings and intermediate models § Keep track of input data § Keep track of ground truth budget