Pete Burnap, profile picture
Uploaded byPete Burnap
PDF, PPTX117 views

AI for Cybersecurity Innovation

The document outlines the vision and initiatives of an academic center focusing on cybersecurity innovation, emphasizing the integration of artificial intelligence and cutting-edge research to build resilience against cyber threats in the UK. It highlights the development of advanced security operations centers (SOCs) and machine learning techniques for real-time malware detection and prediction, achieving significant accuracy rates. The research combines expertise from various fields, including computer science, criminology, and psychology, to address emerging challenges in cybersecurity analytics.

Data & Analytics
Related topics:
Cyber-Security

Embed presentation

Download as PDF, PPTX
Academic Centre of Excellence in Cyber Security Research AI for Cybersecurity Innovation Prof. Pete Burnap
The cyber security landscape “Our vision for 2021 is that the UK is secure and resilient to cyber threats…” “commercialise our world leading science base” “build on our areas of competitive advantage, and help new sectors to flourish…” – Artificial Intelligence Core Theme à “Helping to make the UK the safest place to live and do business online” Active Cyber Defence (at Cardiff we use AI for Threat Intel & Situational Awareness)
Cyber Security Analytics Addressing emerging challenges to cyber security by combining: • computational and mathematical methods, drawing on our technical expertise in machine learning, artificial intelligence & big data analytics • criminological expertise in cyber crime • psychology expertise in susceptibility to cyber threat and decision making • international relations expertise in communication and governance
Computer Science Criminology Psychology Law & Politics 50 Researchers: 17 academic staff 9 Post Docs 24 PhDs >£14m external competitive grant income since 2012 > £7m for 2017-21 (plus £3.75m Data Innovation Accelerator) Airbus Centre of Excellence in Cyber Security Analytics Airbus Human Centric Cyber Security Accelerator Human Factors Excellence (HuFEx) Research Group Centre for Internet & Global Politics (CIGP) Privacy & Emerging Tech (e.g. IoT, Cloud, Automotive) Risk assessment & modelling Risk communication, governance and collective decision making Artificial Intelligence for Data-driven human & software behavioural analytics & threat intelligence Human Factors inc. susceptibility, motivations, dynamics and social factors of cyber
AI & Cybersecurity Case Study: Advanced Security Operations Centre (SOC) @ Airbus
The Problem Network Intrusion Detection Systems = fine-grained network data & protocol-level inspection Anti-virus tools = attempt to match code signatures to a list of known malicious code bases However…Attackers are developing increasingly sophisticated methods to avoid detection
APTs are becoming more sophisticated and able to obfuscate much of their identifiable features through encryption, custom code bases and in-memory execution… print(here is some fake code) for i in list <0,f,g,h,6,a> { element * next_element return another_element } if a + b != 7: MV AX+1_068373 wh4T El - se _0_IS There “to_ take on this machine” p_word = “PASSWORD” u_name = “ADMIN” .EXE
Security Operations Centres (SOC) are the front line detection and analysis environments for many corporate and safety-critical systems Commonly use off-the-shelf anti-virus or high-end behaviour analysis tools…most of which are vulnerable to obfuscation So how do we enabling the SOC to ‘learn’ what is malicious in this context? What does next-generation SOC look like?
System-level activity metrics - by executing samples of malicious and trusted executables in a Sandbox environment (Cuckoo) Train a machine classifier to distinguish malicious from trusted executables using `low severity events' - inevitably generated while the executable is running CPU User Use (percentage), CPU System Use (percentage), RAM use (count), SWAP use (count), received packets (count), received bytes (count), sent packets (count), sent bytes (count), number of processes running (count) - just 9 metrics in total. What can we learn that is difficult to hide? Create_admin Extract_da ta Access_data Target’s database Adversary’s database Target’s network .EXE
Attacks vary in their execution but theoretically exhibit similar behaviour overall Supposing we can capture a range of malicious behaviour, can we represent these in such a way that we can identify ‘similar’ activity? Think of DNA…parent/child similarity can be identified by putting a bunch of characteristic ‘features’ together and overlaying them… How does this help? Create_admin Extract_da ta Access_data Target’s database Adversary’s database Target’s network .EXE
APTs are becoming more sophisticated and able to obfuscate much of their identifiable features through encryption, custom code bases and in-memory execution… A DNA profile for software executables…reducing 9 dimensions to 2… “More similar models will be associated with nodes that are closer in the grid, whereas less similar models will be situated gradually farther away in the grid.” total # processes CPU user CPU system memory use swap use packets received packets sent bytes received bytes sent
APTs are becoming more sophisticated and able to obfuscate much of their identifiable features through encryption, custom code bases and in-memory execution…time (s) time total # processes max process ID CPU user CPU system memory use swap use packets received packets sent bytes received bytes sent Looking at the system interactions instead of the code we can detect malware even if code/API call/network traffic obfuscation is being used to evade detection Machine activity data for one piece of malware over 5 minutes Self organising feature maps tranform the training sample data (system interaction) into a 2D space and uses a competitive learning algorithm to re-organise this space so that similar behaviours are close to one another x ‘000s =
APTs are becoming more sophisticated and able to obfuscate much of their identifiable features through encryption, custom code bases and in-memory execution… Add a logistic Regression at the end… Classification 94% accuracy The SOM Reframes the behaviour to better suit classification methods… Provides “fuzzy neighbour -hoods” of behaviour
Lab2Soc: Data robustness for ML-based malware detection • API calls are the most commonly used dynamic data feature for ML malware detection
Lab2Soc: Data robsutness for ML-based malware detection • API calls are the most commonly used dynamic data feature for ML malware detection • Different ways they can be represented • Machine activity metrics show better consistency for detection accuracy acrosss datasets from different sources
APTs are becoming more sophisticated and able to obfuscate much of their identifiable features through encryption, custom code bass and in-memory execution… Early Stage malware detection
5 minutes: 98% accuracy 20 seconds: 98% accuracy 5 seconds: 94% accuracy 99% ransomware detected within 1 second of execution Q: So post attack classification is good, but can we do this is ‘real-time’ and ‘predict’ an attack? A: Yup, prediction accuracy 94% @ 4sec…using recurrent neural nets to learn sequences of activity
Detecting malicious processes and automatically killing them What does this mean for a user? Preliminary results: • 50% fewer files encrypted by fast-acting (starts encryption within first 5 seconds of launching) • 90% ransomware samples detected
Goal oriented models… • Identifying dependencies within complex systems is challenging • Quantifying the risks associated with system components, and determining all attack paths is prone to error (Unknown Unknowns). • Typical risk assessments are failure- oriented (fault tree, attack path etc.) • System owners (arguably) tend to know more about what they depend on for success within their own system • Can we capture that and use cyber analytics to support impact analysis?
Impact of attack Attack on IoT Device
Putting this to use… Within the SOC we can do both post-attack classification and predict at ~94% accuracy Being integrated into Airbus SOC – key feature is interpretability The SOM provides an intuitive and explanatory interface to mine the features leading to a malicious outcome Further reading: P Burnap, R French, F Turner, K Jones (2017) ‘Malware classification using self organising feature maps and machine activity data’. Computers & Security 73, 399-410 Rhode, M., Burnap, P. and Jones, K. (2018). Early-stage malware prediction using recurrent neural networks. Computers and Security 77, pp. 578-594. Rhode, M.et al. (2019). LAB to SOC: Robust Features for Dynamic Malware Detection. Presented at: 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2019) High memory use Low CPU use High bytes out
Thanks. burnapp@cardiff.ac.uk

More Related Content

PDF
IDS - Fact, Challenges and Future
byamiable_indian
 
PPT
Finding Diversity In Remote Code Injection Exploits
byamiable_indian
 
PDF
Intrusion Alert Correlation
byamiable_indian
 
PDF
Intercept product
byDavid Pereira
 
PDF
SentryHQ's Reactive Security
byAmr Ali
 
PPT
Paper1
bySpacSec
 
PDF
IRJET- Review on Intrusion Detection System using Recurrent Neural Network wi...
byIRJET Journal
 
PDF
Icacci presentation-cnn intrusion
byvinaykumar R
 
IDS - Fact, Challenges and Future
byamiable_indian
 
Finding Diversity In Remote Code Injection Exploits
byamiable_indian
 
Intrusion Alert Correlation
byamiable_indian
 
Intercept product
byDavid Pereira
 
SentryHQ's Reactive Security
byAmr Ali
 
Paper1
bySpacSec
 
IRJET- Review on Intrusion Detection System using Recurrent Neural Network wi...
byIRJET Journal
 
Icacci presentation-cnn intrusion
byvinaykumar R
 

What's hot

PDF
International Journal of Computer Science and Security Volume (1) Issue (3)
byCSCJournals
 
PDF
Tinysec
byDhara Ladumor
 
PDF
Automating Analysis and Exploitation of Embedded Device Firmware
byMalachi Jones
 
PDF
IRJET- Implementation of Artificial Intelligence Methods to Curb Cyber Assaul...
byIRJET Journal
 
PDF
Attack Simulation And Threat Modeling -Olu Akindeinde
byBipin Upadhyay
 
PDF
Alert Analysis using Fuzzy Clustering and Artificial Neural Network
byIJRES Journal
 
PDF
NICE: Network Intrusion Detection and Countermeasure Selection in Virtual Net...
byMigrant Systems
 
PDF
Secure data aggregation technique for wireless sensor networks in the presenc...
byLeMeniz Infotech
 
PDF
Beating ips 34137
bySpiros Fraganastasis
 
PDF
Ijetr012045
byER Publication.org
 
PDF
Computer security - A machine learning approach
bySandeep Sabnani
 
PPTX
Application of machine learning and cognitive computing in intrusion detectio...
byMahdi Hosseini Moghaddam
 
DOC
A wireless intrusion detection system and a new attack model (synopsis)
byMumbai Academisc
 
PDF
Online Intrusion Alert Aggregation with Generative Data Stream Modeling
byIJMER
 
PPTX
Comparative analysis of algorithms
byYisal Khan
 
PDF
Secure Data Aggregation Technique for Wireless Sensor Networks in the Presenc...
by1crore projects
 
PDF
REAL-TIME INTRUSION DETECTION SYSTEM FOR BIG DATA
byijp2p
 
PDF
A Security Overview of Wireless Sensor Network
byIJCSIS Research Publications
 
PDF
145 148
byEditor IJARCET
 
PDF
Multi-Tiered Communication Security Schemes in Wireless Ad-Hoc Sensor Networks
byIDES Editor
 
International Journal of Computer Science and Security Volume (1) Issue (3)
byCSCJournals
 
Tinysec
byDhara Ladumor
 
Automating Analysis and Exploitation of Embedded Device Firmware
byMalachi Jones
 
IRJET- Implementation of Artificial Intelligence Methods to Curb Cyber Assaul...
byIRJET Journal
 
Attack Simulation And Threat Modeling -Olu Akindeinde
byBipin Upadhyay
 
Alert Analysis using Fuzzy Clustering and Artificial Neural Network
byIJRES Journal
 
NICE: Network Intrusion Detection and Countermeasure Selection in Virtual Net...
byMigrant Systems
 
Secure data aggregation technique for wireless sensor networks in the presenc...
byLeMeniz Infotech
 
Beating ips 34137
bySpiros Fraganastasis
 
Ijetr012045
byER Publication.org
 
Computer security - A machine learning approach
bySandeep Sabnani
 
Application of machine learning and cognitive computing in intrusion detectio...
byMahdi Hosseini Moghaddam
 
A wireless intrusion detection system and a new attack model (synopsis)
byMumbai Academisc
 
Online Intrusion Alert Aggregation with Generative Data Stream Modeling
byIJMER
 
Comparative analysis of algorithms
byYisal Khan
 
Secure Data Aggregation Technique for Wireless Sensor Networks in the Presenc...
by1crore projects
 
REAL-TIME INTRUSION DETECTION SYSTEM FOR BIG DATA
byijp2p
 
A Security Overview of Wireless Sensor Network
byIJCSIS Research Publications
 
145 148
byEditor IJARCET
 
Multi-Tiered Communication Security Schemes in Wireless Ad-Hoc Sensor Networks
byIDES Editor
 

Similar to AI for Cybersecurity Innovation

PPTX
Cyber Security in AIIIIIII (3 JULY).pptx
byaneshraj905
 
PPTX
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
byDefCamp
 
PDF
Finding the needle in the haystack: how Nestle is leveraging big data to defe...
byBig Data Spain
 
PDF
Journey to the Center of Security Operations
by♟Sergej Epp
 
PPTX
BSides London 2018 - Solving Threat Detection
byAlex Davies
 
PPTX
Webinar: Will the Real AI Please Stand Up?
byInterset
 
PPTX
The artificial reality of cyber defense
byDATA SECURITY SOLUTIONS
 
PDF
Cyber Defense Automation
by♟Sergej Epp
 
PPTX
PowerPoint on advanced network threats.pptx
byAngieloBecenia1
 
PDF
How to Use Artificial Intelligence to Minimize your Cybersecurity Attack Surface
bySparkCognition
 
PDF
Data Science for Cyber Risk
byScott Allen Mongeau
 
PDF
Intelligent cyber security solutions
bySwapnil Deshmukh
 
PDF
Digital marketing revolution in 2025 for business people
byvcubedigitalmarketin1
 
PPTX
Malicious-Code-Self-Replication-Evasion-and-Exploitation.pptx
byAimsYendada
 
PDF
Security in the age of Artificial Intelligence
byFaction XYZ
 
PPTX
SOD-Presentation-Des-Moines-10.19.21-v2.pptx
byTamaOlan1
 
PPTX
AI_in_Cybersecurity_Detailed_A4_Presentation (1).pptx
bysinghnami694
 
PPTX
AI_in_Cybersecurity_Detailed_A4_Presentation (1).pptx
bysinghnami694
 
PPTX
Self-healing Security Systems - CloudIOTEnterpriseSystems-Group5.pptx
byBiplabRoy71
 
PPTX
Introduction to Artificial Intelligence in Cyber Security
bySoumyajitBag1
 
Cyber Security in AIIIIIII (3 JULY).pptx
byaneshraj905
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
byDefCamp
 
Finding the needle in the haystack: how Nestle is leveraging big data to defe...
byBig Data Spain
 
Journey to the Center of Security Operations
by♟Sergej Epp
 
BSides London 2018 - Solving Threat Detection
byAlex Davies
 
Webinar: Will the Real AI Please Stand Up?
byInterset
 
The artificial reality of cyber defense
byDATA SECURITY SOLUTIONS
 
Cyber Defense Automation
by♟Sergej Epp
 
PowerPoint on advanced network threats.pptx
byAngieloBecenia1
 
How to Use Artificial Intelligence to Minimize your Cybersecurity Attack Surface
bySparkCognition
 
Data Science for Cyber Risk
byScott Allen Mongeau
 
Intelligent cyber security solutions
bySwapnil Deshmukh
 
Digital marketing revolution in 2025 for business people
byvcubedigitalmarketin1
 
Malicious-Code-Self-Replication-Evasion-and-Exploitation.pptx
byAimsYendada
 
Security in the age of Artificial Intelligence
byFaction XYZ
 
SOD-Presentation-Des-Moines-10.19.21-v2.pptx
byTamaOlan1
 
AI_in_Cybersecurity_Detailed_A4_Presentation (1).pptx
bysinghnami694
 
AI_in_Cybersecurity_Detailed_A4_Presentation (1).pptx
bysinghnami694
 
Self-healing Security Systems - CloudIOTEnterpriseSystems-Group5.pptx
byBiplabRoy71
 
Introduction to Artificial Intelligence in Cyber Security
bySoumyajitBag1
 

Recently uploaded

PDF
BCS501 Module-05 Software Engineering and Project Management.pdf
byjaadu6918
 
PDF
10 PyData Piraeus Meetup: Retrieval and Matching at Scale: from embeddings to...
byPyData Piraeus
 
PPTX
Orientation-on-ARAL-Check-in-Assessment.pptx
byJenTeruel1
 
PDF
Natal SM 2025 - Latihan Liturgi Kelas 0 - 3 SD.pdf
byWenny63
 
PDF
OPPOTUS - Malaysians on Malaysia (MOM) Q3 2025
byOppotus
 
PDF
Kate Scrivens-OECD-Community well-being and climate risks.pdf
byStatsCommunications
 
PPTX
Two Factor Authentication for CSE Students.pptx
byfizarcse
 
PPTX
[DSC Europe 25] Jim Sterne - Adopting Generative AI Capabilities Into the Ent...
byDataScienceConferenc1
 
PPTX
Presentation 1-PUM Singapore 2015- 2D.pptx
byWilliamChong71
 
PPTX
Time serise forcasting of non-durble consumer goods industry
byvkumaranand89
 
PPTX
[DSC Europe 25] Boris Perkovic - Lost in performance.pptx
byDataScienceConferenc1
 
PPT
Chapter 3 Reusable Technoldsadadsdsdasdogy.ppt
bytuananle9897
 
PPTX
Python Functions and Modules Detailed Notes.pptx
byJayantAbhinav
 
PDF
[DSC Europe 25] Marija Vlajkovic & Andrea Radonjanin - Integration of AI tool...
byDataScienceConferenc1
 
PPTX
[DSC Europe 25] Max Talanov - Non digital NNs.pptx
byDataScienceConferenc1
 
PPT
How To Write A Scientific Paper- IMRAD pattern
bydrmeenajain
 
PPTX
Betsi- Zero-Trust Security Securing the Modern Enterprise.pptx
bymershaabdisa
 
PPTX
GRADE 8 MATH - Q3 - LESSON 1 -LINEAR EQUATION IN ONE VARIABLE.pptx
byEdlynMalangPanti
 
PPTX
Test Planner for allen 2025-26 samarth batch
byamaanahmed1312
 
PPTX
[DSC Europe 25] Vid Stimac - Policy Parsimony: Between Oversimplifying and Ov...
byDataScienceConferenc1
 
BCS501 Module-05 Software Engineering and Project Management.pdf
byjaadu6918
 
10 PyData Piraeus Meetup: Retrieval and Matching at Scale: from embeddings to...
byPyData Piraeus
 
Orientation-on-ARAL-Check-in-Assessment.pptx
byJenTeruel1
 
Natal SM 2025 - Latihan Liturgi Kelas 0 - 3 SD.pdf
byWenny63
 
OPPOTUS - Malaysians on Malaysia (MOM) Q3 2025
byOppotus
 
Kate Scrivens-OECD-Community well-being and climate risks.pdf
byStatsCommunications
 
Two Factor Authentication for CSE Students.pptx
byfizarcse
 
[DSC Europe 25] Jim Sterne - Adopting Generative AI Capabilities Into the Ent...
byDataScienceConferenc1
 
Presentation 1-PUM Singapore 2015- 2D.pptx
byWilliamChong71
 
Time serise forcasting of non-durble consumer goods industry
byvkumaranand89
 
[DSC Europe 25] Boris Perkovic - Lost in performance.pptx
byDataScienceConferenc1
 
Chapter 3 Reusable Technoldsadadsdsdasdogy.ppt
bytuananle9897
 
Python Functions and Modules Detailed Notes.pptx
byJayantAbhinav
 
[DSC Europe 25] Marija Vlajkovic & Andrea Radonjanin - Integration of AI tool...
byDataScienceConferenc1
 
[DSC Europe 25] Max Talanov - Non digital NNs.pptx
byDataScienceConferenc1
 
How To Write A Scientific Paper- IMRAD pattern
bydrmeenajain
 
Betsi- Zero-Trust Security Securing the Modern Enterprise.pptx
bymershaabdisa
 
GRADE 8 MATH - Q3 - LESSON 1 -LINEAR EQUATION IN ONE VARIABLE.pptx
byEdlynMalangPanti
 
Test Planner for allen 2025-26 samarth batch
byamaanahmed1312
 
[DSC Europe 25] Vid Stimac - Policy Parsimony: Between Oversimplifying and Ov...
byDataScienceConferenc1
 

AI for Cybersecurity Innovation

  • 1.
    Academic Centre ofExcellence in Cyber Security Research AI for Cybersecurity Innovation Prof. Pete Burnap
  • 2.
    The cyber securitylandscape “Our vision for 2021 is that the UK is secure and resilient to cyber threats…” “commercialise our world leading science base” “build on our areas of competitive advantage, and help new sectors to flourish…” – Artificial Intelligence Core Theme à “Helping to make the UK the safest place to live and do business online” Active Cyber Defence (at Cardiff we use AI for Threat Intel & Situational Awareness)
  • 3.
    Cyber Security Analytics Addressingemerging challenges to cyber security by combining: • computational and mathematical methods, drawing on our technical expertise in machine learning, artificial intelligence & big data analytics • criminological expertise in cyber crime • psychology expertise in susceptibility to cyber threat and decision making • international relations expertise in communication and governance
  • 4.
    Computer Science Criminology Psychology Law &Politics 50 Researchers: 17 academic staff 9 Post Docs 24 PhDs >£14m external competitive grant income since 2012 > £7m for 2017-21 (plus £3.75m Data Innovation Accelerator) Airbus Centre of Excellence in Cyber Security Analytics Airbus Human Centric Cyber Security Accelerator Human Factors Excellence (HuFEx) Research Group Centre for Internet & Global Politics (CIGP) Privacy & Emerging Tech (e.g. IoT, Cloud, Automotive) Risk assessment & modelling Risk communication, governance and collective decision making Artificial Intelligence for Data-driven human & software behavioural analytics & threat intelligence Human Factors inc. susceptibility, motivations, dynamics and social factors of cyber
  • 5.
    AI & Cybersecurity CaseStudy: Advanced Security Operations Centre (SOC) @ Airbus
  • 6.
    The Problem Network IntrusionDetection Systems = fine-grained network data & protocol-level inspection Anti-virus tools = attempt to match code signatures to a list of known malicious code bases However…Attackers are developing increasingly sophisticated methods to avoid detection
  • 7.
    APTs are becomingmore sophisticated and able to obfuscate much of their identifiable features through encryption, custom code bases and in-memory execution… print(here is some fake code) for i in list <0,f,g,h,6,a> { element * next_element return another_element } if a + b != 7: MV AX+1_068373 wh4T El - se _0_IS There “to_ take on this machine” p_word = “PASSWORD” u_name = “ADMIN” .EXE
  • 8.
    Security Operations Centres(SOC) are the front line detection and analysis environments for many corporate and safety-critical systems Commonly use off-the-shelf anti-virus or high-end behaviour analysis tools…most of which are vulnerable to obfuscation So how do we enabling the SOC to ‘learn’ what is malicious in this context? What does next-generation SOC look like?
  • 9.
    System-level activity metrics- by executing samples of malicious and trusted executables in a Sandbox environment (Cuckoo) Train a machine classifier to distinguish malicious from trusted executables using `low severity events' - inevitably generated while the executable is running CPU User Use (percentage), CPU System Use (percentage), RAM use (count), SWAP use (count), received packets (count), received bytes (count), sent packets (count), sent bytes (count), number of processes running (count) - just 9 metrics in total. What can we learn that is difficult to hide? Create_admin Extract_da ta Access_data Target’s database Adversary’s database Target’s network .EXE
  • 10.
    Attacks vary intheir execution but theoretically exhibit similar behaviour overall Supposing we can capture a range of malicious behaviour, can we represent these in such a way that we can identify ‘similar’ activity? Think of DNA…parent/child similarity can be identified by putting a bunch of characteristic ‘features’ together and overlaying them… How does this help? Create_admin Extract_da ta Access_data Target’s database Adversary’s database Target’s network .EXE
  • 11.
    APTs are becomingmore sophisticated and able to obfuscate much of their identifiable features through encryption, custom code bases and in-memory execution… A DNA profile for software executables…reducing 9 dimensions to 2… “More similar models will be associated with nodes that are closer in the grid, whereas less similar models will be situated gradually farther away in the grid.” total # processes CPU user CPU system memory use swap use packets received packets sent bytes received bytes sent
  • 12.
    APTs are becomingmore sophisticated and able to obfuscate much of their identifiable features through encryption, custom code bases and in-memory execution…time (s) time total # processes max process ID CPU user CPU system memory use swap use packets received packets sent bytes received bytes sent Looking at the system interactions instead of the code we can detect malware even if code/API call/network traffic obfuscation is being used to evade detection Machine activity data for one piece of malware over 5 minutes Self organising feature maps tranform the training sample data (system interaction) into a 2D space and uses a competitive learning algorithm to re-organise this space so that similar behaviours are close to one another x ‘000s =
  • 13.
    APTs are becomingmore sophisticated and able to obfuscate much of their identifiable features through encryption, custom code bases and in-memory execution… Add a logistic Regression at the end… Classification 94% accuracy The SOM Reframes the behaviour to better suit classification methods… Provides “fuzzy neighbour -hoods” of behaviour
  • 14.
    Lab2Soc: Data robustnessfor ML-based malware detection • API calls are the most commonly used dynamic data feature for ML malware detection
  • 15.
    Lab2Soc: Data robsutnessfor ML-based malware detection • API calls are the most commonly used dynamic data feature for ML malware detection • Different ways they can be represented • Machine activity metrics show better consistency for detection accuracy acrosss datasets from different sources
  • 16.
    APTs are becomingmore sophisticated and able to obfuscate much of their identifiable features through encryption, custom code bass and in-memory execution… Early Stage malware detection
  • 17.
    5 minutes: 98%accuracy 20 seconds: 98% accuracy 5 seconds: 94% accuracy 99% ransomware detected within 1 second of execution Q: So post attack classification is good, but can we do this is ‘real-time’ and ‘predict’ an attack? A: Yup, prediction accuracy 94% @ 4sec…using recurrent neural nets to learn sequences of activity
  • 18.
    Detecting malicious processes andautomatically killing them What does this mean for a user? Preliminary results: • 50% fewer files encrypted by fast-acting (starts encryption within first 5 seconds of launching) • 90% ransomware samples detected
  • 19.
    Goal oriented models… • Identifyingdependencies within complex systems is challenging • Quantifying the risks associated with system components, and determining all attack paths is prone to error (Unknown Unknowns). • Typical risk assessments are failure- oriented (fault tree, attack path etc.) • System owners (arguably) tend to know more about what they depend on for success within their own system • Can we capture that and use cyber analytics to support impact analysis?
  • 20.
  • 21.
    Putting this touse… Within the SOC we can do both post-attack classification and predict at ~94% accuracy Being integrated into Airbus SOC – key feature is interpretability The SOM provides an intuitive and explanatory interface to mine the features leading to a malicious outcome Further reading: P Burnap, R French, F Turner, K Jones (2017) ‘Malware classification using self organising feature maps and machine activity data’. Computers & Security 73, 399-410 Rhode, M., Burnap, P. and Jones, K. (2018). Early-stage malware prediction using recurrent neural networks. Computers and Security 77, pp. 578-594. Rhode, M.et al. (2019). LAB to SOC: Robust Features for Dynamic Malware Detection. Presented at: 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2019) High memory use Low CPU use High bytes out
  • 22.