How to use Big Data and Machine Learning for attacks - specifically to achieve large scale attack planning and automatic attack execution.
This talk was given at Infiltrate 2015.
Predictive Model and Record Description with Segmented Sensitivity Analysis (...Greg Makowski
Describing a predictive data mining model can provide a competitive advantage for solving business problems with a model. The SSA approach can also provide reasons for the forecast for each record. This can help drive investigations into fields and interactions during a data mining project, as well as identifying "data drift" between the original training data, and the current scoring data. I am working on open source version of SSA, first in R.
Tales from an ip worker in consulting and softwareGreg Makowski
Discussion around intellectual property, leverage over consulting projects to build vertical application software. In my use case, data mining, artificial intelligence and intelligence augmentation are part of the value add. Also, discuss software frameworks, open source software and clauses on prior inventions in hiring contracts
High time to add machine learning to your information security stackMinhaz A V
Machine learning might never be the silver bullet for cybersecurity compared to areas where it is thriving. There will always be a person who tries to find issues in our systems and bypass them. They may even use it to assist the attacks.
But adding it to our general information security stack can surely help us be more prepared while defending. Different categories like regression, classification, clustering, recommendations & reinforcement learning can be leveraged to build efficient & faster monitoring, threat response, network traffic analysis and more.
Along with introduction to different aspects and how it can be leveraged - I'd like to present a case study on how ML/AI can be used in distinguishing between benign and Malicious traffic data by means of anomaly detection techniques with 100% True Positive Rate with live demo.
Big Data Analytics (ML, DL, AI) hands-onDony Riyanto
Ini adalah slide tambahan dari materi pengenalan Big Data Analytics (di file berikutnya), yang mengajak kita mulai hands-on dengan beberapa hal terkait Machine/Deep Learning, Big Data (batch/streaming), dan AI menggunakan Tensor Flow
How to use Big Data and Machine Learning for attacks - specifically to achieve large scale attack planning and automatic attack execution.
This talk was given at Infiltrate 2015.
Predictive Model and Record Description with Segmented Sensitivity Analysis (...Greg Makowski
Describing a predictive data mining model can provide a competitive advantage for solving business problems with a model. The SSA approach can also provide reasons for the forecast for each record. This can help drive investigations into fields and interactions during a data mining project, as well as identifying "data drift" between the original training data, and the current scoring data. I am working on open source version of SSA, first in R.
Tales from an ip worker in consulting and softwareGreg Makowski
Discussion around intellectual property, leverage over consulting projects to build vertical application software. In my use case, data mining, artificial intelligence and intelligence augmentation are part of the value add. Also, discuss software frameworks, open source software and clauses on prior inventions in hiring contracts
High time to add machine learning to your information security stackMinhaz A V
Machine learning might never be the silver bullet for cybersecurity compared to areas where it is thriving. There will always be a person who tries to find issues in our systems and bypass them. They may even use it to assist the attacks.
But adding it to our general information security stack can surely help us be more prepared while defending. Different categories like regression, classification, clustering, recommendations & reinforcement learning can be leveraged to build efficient & faster monitoring, threat response, network traffic analysis and more.
Along with introduction to different aspects and how it can be leveraged - I'd like to present a case study on how ML/AI can be used in distinguishing between benign and Malicious traffic data by means of anomaly detection techniques with 100% True Positive Rate with live demo.
Big Data Analytics (ML, DL, AI) hands-onDony Riyanto
Ini adalah slide tambahan dari materi pengenalan Big Data Analytics (di file berikutnya), yang mengajak kita mulai hands-on dengan beberapa hal terkait Machine/Deep Learning, Big Data (batch/streaming), dan AI menggunakan Tensor Flow
Scaling AI in production using PyTorchgeetachauhan
Slides from my talk at MLOps World' 21
Deploying AI models in production and scaling the ML services is still a big challenge. In this talk we will cover details of how to deploy your AI models, best practices for the deployment scenarios, and techniques for performance optimization and scaling the ML services. Come join us to learn how you can jumpstart the journey of taking your PyTorch models from Research to production.
Mentoring Session with Innovesia: Advance RoboticsDony Riyanto
This is my mentoring session presentation for Innovesia. I'm covering several sub-topics such as:
- Mechatronics Programming (robotics)
- Autonomous Programming
- Hard-real-time systems
- Safety compliance and standard issues
Data Science in the Real World: Making a Difference Srinath Perera
We use the terms “Big Data” and “Data Science” for use of data processing to make sense of the world around us. Spanning many fields, Big Data brings together technologies like Distributed Systems, Machine Learning, Statistics, and Internet of Things together. It is a multi-billion-dollar industry including use cases like targeted advertising, fraud detection, product recommendations, and market surveys. With new technologies like Internet of Things (IoT), these use cases are expanding to scenarios like Smart Cities, Smart health, and Smart Agriculture.
These usecases use basic analytics, advanced statistical methods, and predictive technologies like Machine Learning. However, it is not just about crunching the data. Some usecases like Urban Planning can be slow, and there is enough time to process the data. However, with use cases like traffic, patient monitoring, surveillance the the value of results degrades much faster with time and needs results within milliseconds to seconds. Collecting data from many sources, cleaning them up, processing them using computation clusters, and doing all these fast is a major challenge.
This talk will discuss motivation behind big data and data science and how it can make a difference. Then it will discuss the challenges, systems, and methodologies for implementing and sustaining a data science pipeline.
Anomaly Detection using Deep Auto-Encoders | Gianmario SpacagnaData Science Milan
One of the determinants for a good anomaly detector is finding smart data representations that can easily evince deviations from the normal distribution. Traditional supervised approaches would require a strong assumption about what is normal and what not plus a non negligible effort in labeling the training dataset. Deep auto-encoders work very well in learning high-level abstractions and non-linear relationships of the data without requiring data labels. In this talk we will review a few popular techniques used in shallow machine learning and propose two semi-supervised approaches for novelty detection: one based on reconstruction error and another based on lower-dimensional feature compression.
Alert Analysis using Fuzzy Clustering and Artificial Neural NetworkIJRES Journal
Intrusion Detection System (IDS) is used to supervise all tricks which are running on particular machine or network. Also it will give you alert regarding to any attack. However now a day’s these alerts are very large in amount. It is very complicated to examine these attacks. We intend a time and space based alert analysis technique which can strap related alerts without surroundings knowledge and provide attack graph to help the administrator to understand the attack on host or network steps wise clearly and fittingly for analysis. A threat evaluation is given to discover out the most treacherous attack, which decrease administrator’s time and energy in calculating huge amount of alerts. We are analyzing the network traffic in form of attack using Entity Threat Evaluation (ETE) which find out which particular host is attacked, Gadget Threat Evaluation (GTE) which tells us within that host which device is attacked, Network Threat Evaluation (NTE) which tells us which network is attacked, Hit Threat Evaluation (HTE) by giving input as dataset of attack. Main idea is that the distribution of different types of attacks is not balanced. The attacks which are not repeatedly occurs, the learning sample size is too small as compared to high-frequent attacks. It makes Artificial Neural Network (ANN) not easy to become skilled at the characters of these attacks and therefore detection precision is much worse. To solve such troubles, we propose a new technique for ANN-based IDS, Fuzzy Clustering (FC-ANN), to enhance the detection precision for low-frequent attacks and detection stability.
Building Interpretable & Secure AI Systems using PyTorchgeetachauhan
Slides from my talk at Deep Learning World 2020. The talk covered use cases, special challenges and solutions for building Interpretable and Secure AI systems using Pytorch.
- Tools for building Interpretable models
- How to build secure, privacy preserving AI models with Pytorch
- Use cases and insights from the field
Vertex Perspectives | AI Optimized Chipsets | Part IIVertex Holdings
Deep learning is both computationally and memory intensive, necessitating enhancements in processor performance. In this issue, we explore how this has led to the rise of startups adopting alternative, innovative approaches and how it is expected to pave the way for different types of AI-optimized chipsets.
Rise of the machines -- Owasp israel -- June 2014 meetupShlomo Yona
Rise of the machines -- Owasp israel -- June 2014 meetup
Shlomo Yona presents why it is a good idea to use Machine Learning in Security and explains some Machine Learning jargon and demonstraits with two fingerprinting examples: a wifi device (PHY) and a browser (L7)
Webinar: Machine Learning para MicrocontroladoresEmbarcados
Neste webinar, serão apresentados conceitos sobre inteligência artificial, assim como ferramentas disponíveis para o desenvolvimento integradas ao MPLAB X e ao Harmony 3 e demonstração de um sistema de detecção de anomalia utilizando um microcontrolador da família ATSAMD21 (ARM Cortex M0+).
Scaling AI in production using PyTorchgeetachauhan
Slides from my talk at MLOps World' 21
Deploying AI models in production and scaling the ML services is still a big challenge. In this talk we will cover details of how to deploy your AI models, best practices for the deployment scenarios, and techniques for performance optimization and scaling the ML services. Come join us to learn how you can jumpstart the journey of taking your PyTorch models from Research to production.
Mentoring Session with Innovesia: Advance RoboticsDony Riyanto
This is my mentoring session presentation for Innovesia. I'm covering several sub-topics such as:
- Mechatronics Programming (robotics)
- Autonomous Programming
- Hard-real-time systems
- Safety compliance and standard issues
Data Science in the Real World: Making a Difference Srinath Perera
We use the terms “Big Data” and “Data Science” for use of data processing to make sense of the world around us. Spanning many fields, Big Data brings together technologies like Distributed Systems, Machine Learning, Statistics, and Internet of Things together. It is a multi-billion-dollar industry including use cases like targeted advertising, fraud detection, product recommendations, and market surveys. With new technologies like Internet of Things (IoT), these use cases are expanding to scenarios like Smart Cities, Smart health, and Smart Agriculture.
These usecases use basic analytics, advanced statistical methods, and predictive technologies like Machine Learning. However, it is not just about crunching the data. Some usecases like Urban Planning can be slow, and there is enough time to process the data. However, with use cases like traffic, patient monitoring, surveillance the the value of results degrades much faster with time and needs results within milliseconds to seconds. Collecting data from many sources, cleaning them up, processing them using computation clusters, and doing all these fast is a major challenge.
This talk will discuss motivation behind big data and data science and how it can make a difference. Then it will discuss the challenges, systems, and methodologies for implementing and sustaining a data science pipeline.
Anomaly Detection using Deep Auto-Encoders | Gianmario SpacagnaData Science Milan
One of the determinants for a good anomaly detector is finding smart data representations that can easily evince deviations from the normal distribution. Traditional supervised approaches would require a strong assumption about what is normal and what not plus a non negligible effort in labeling the training dataset. Deep auto-encoders work very well in learning high-level abstractions and non-linear relationships of the data without requiring data labels. In this talk we will review a few popular techniques used in shallow machine learning and propose two semi-supervised approaches for novelty detection: one based on reconstruction error and another based on lower-dimensional feature compression.
Alert Analysis using Fuzzy Clustering and Artificial Neural NetworkIJRES Journal
Intrusion Detection System (IDS) is used to supervise all tricks which are running on particular machine or network. Also it will give you alert regarding to any attack. However now a day’s these alerts are very large in amount. It is very complicated to examine these attacks. We intend a time and space based alert analysis technique which can strap related alerts without surroundings knowledge and provide attack graph to help the administrator to understand the attack on host or network steps wise clearly and fittingly for analysis. A threat evaluation is given to discover out the most treacherous attack, which decrease administrator’s time and energy in calculating huge amount of alerts. We are analyzing the network traffic in form of attack using Entity Threat Evaluation (ETE) which find out which particular host is attacked, Gadget Threat Evaluation (GTE) which tells us within that host which device is attacked, Network Threat Evaluation (NTE) which tells us which network is attacked, Hit Threat Evaluation (HTE) by giving input as dataset of attack. Main idea is that the distribution of different types of attacks is not balanced. The attacks which are not repeatedly occurs, the learning sample size is too small as compared to high-frequent attacks. It makes Artificial Neural Network (ANN) not easy to become skilled at the characters of these attacks and therefore detection precision is much worse. To solve such troubles, we propose a new technique for ANN-based IDS, Fuzzy Clustering (FC-ANN), to enhance the detection precision for low-frequent attacks and detection stability.
Building Interpretable & Secure AI Systems using PyTorchgeetachauhan
Slides from my talk at Deep Learning World 2020. The talk covered use cases, special challenges and solutions for building Interpretable and Secure AI systems using Pytorch.
- Tools for building Interpretable models
- How to build secure, privacy preserving AI models with Pytorch
- Use cases and insights from the field
Vertex Perspectives | AI Optimized Chipsets | Part IIVertex Holdings
Deep learning is both computationally and memory intensive, necessitating enhancements in processor performance. In this issue, we explore how this has led to the rise of startups adopting alternative, innovative approaches and how it is expected to pave the way for different types of AI-optimized chipsets.
Rise of the machines -- Owasp israel -- June 2014 meetupShlomo Yona
Rise of the machines -- Owasp israel -- June 2014 meetup
Shlomo Yona presents why it is a good idea to use Machine Learning in Security and explains some Machine Learning jargon and demonstraits with two fingerprinting examples: a wifi device (PHY) and a browser (L7)
Webinar: Machine Learning para MicrocontroladoresEmbarcados
Neste webinar, serão apresentados conceitos sobre inteligência artificial, assim como ferramentas disponíveis para o desenvolvimento integradas ao MPLAB X e ao Harmony 3 e demonstração de um sistema de detecção de anomalia utilizando um microcontrolador da família ATSAMD21 (ARM Cortex M0+).
Threat Modeling: Applied on a Publish-Subscribe Architectural StyleDharmalingam Ganesan
1. Introduction to threat modeling.
2. Applying threat modeling to identify security vulnerabilities and security threats on a simplified real-world system.
Makine Öğrenmesi, Yapay Zeka ve Veri Bilimi Süreçlerinin Otomatikleştirilmesi...Ali Alkan
Makine Öğrenmesi, Yapay Zeka ve Veri Bilimi Süreçlerinin Otomatikleştirilmesi | Automating Machine Learning, Artificial Intelligence, and Data Science | Guided Analytics
Delivering Security Insights with Data Analytics and VisualizationRaffael Marty
It's an interesting exercise to look back to the year 2000 to see how we approached cyber security. We just started to realize that data might be a useful currency, but for the most part, security pursued preventative avenues, such as firewalls, intrusion prevention systems, and anti-virus. With the advent of log management and security incident and event management (SIEM) solutions we started to gather gigabytes of sensor data and correlate data from different sensors to improve on their weaknesses and accelerate their strengths. But fundamentally, such solutions didn't scale that well and struggled to deliver real security insight.
Today, cybersecurity wouldn't work anymore without large scale data analytics and machine learning approaches, especially in the realm of malware classification and threat intelligence. Nonetheless, we are still just scratching the surface and learning where the real challenges are in data analytics for security.
This talk will go on a journey of big data in cybersecurity, exploring where big data has been and where it must go to make a true difference. We will look at the potential of data mining, machine learning, and artificial intelligence, as well as the boundaries of these approaches. We will also look at both the shortcomings and potential of data visualization and the human computer interface. It is critical that today's systems take into account the human expert and, most importantly, provide the right data.
The extent and impact of recent security breaches is showing that current security approaches are just not working. But what can we do to protect our business? We have been advocating monitoring for a long time as a way to detect subtle, advanced attacks that are still making it through our defenses. However, products have failed to deliver on this promise.
Current solutions don't scale in both data volume and analytical insights. In this presentation we will explore what security monitoring is. Specifically, we are going to explore the question of how to visualize a billion log records. A number of security visualization examples will illustrate some of the challenges with big data visualization. They will also help illustrate how data mining and user experience design help us get a handle on the security visualization challenges - enabling us to gain deep insight for a number of security use-cases.
AI & ML in Cyber Security - Why Algorithms Are DangerousRaffael Marty
Every single security company is talking in some way or another about how they are applying machine learning. Companies go out of their way to make sure they mention machine learning and not statistics when they explain how they work. Recently, that's not enough anymore either. As a security company you have to claim artificial intelligence to be even part of the conversation.
Guess what. It's all baloney. We have entered a state in cyber security that is, in fact, dangerous. We are blindly relying on algorithms to do the right thing. We are letting deep learning algorithms detect anomalies in our data without having a clue what that algorithm just did. In academia, they call this the lack of explainability and verifiability. But rather than building systems with actual security knowledge, companies are using algorithms that nobody understands and in turn discover wrong insights.
In this talk I will show the limitations of machine learning, outline the issues of explainability, and show where deep learning should never be applied. I will show examples of how the blind application of algorithms (including deep learning) actually leads to wrong results. Algorithms are dangerous. We need to revert back to experts and invest in systems that learn from, and absorb the knowledge, of experts.
Link to Youtube video: https://youtu.be/OJMqMWnxlT8
You can contact me at abhimanyu.bhogwan@gmail.com
My linkdin id : https://www.linkedin.com/in/abhimanyu-bhogwan-cissp-ctprp-98978437/
Threat Modeling(system+ enterprise)
What is Threat Modeling?
Why do we need Threat Modeling?
6 Most Common Threat Modeling Misconceptions
Threat Modelling Overview
6 important components of a DevSecOps approach
DevSecOps Security Best Practices
Threat Modeling Approaches
Threat Modeling Methodologies for IT Purposes
STRIDE
Threat Modelling Detailed Flow
System Characterization
Create an Architecture Overview
Decomposing your Application
Decomposing DFD’s and Threat-Element Relationship
Identify possible attack scenarios mapped to S.T.R.I.D.E. model
Identifying Security Controls
Identify possible threats
Report to Developers and Security team
DREAD Scoring
My Opinion on implementing Threat Modeling at enterprise level
Machine learning cybersecurity boon or boondogglePriyanka Aash
Machine learning (ML) and artificial intelligence (AI) are the latest “shiny new things” in cybersecurity technology but while ML and AI hold great promise for automating routine processes and tasks and accelerating threat detection, they are not a panacea. This session will demonstrate what they can and can’t do in a cybersecurity program through real world examples of possibilities and limits.
(Source: RSA Conference USA 2017)
Introduction of streaming data, difference between batch processing and stream processing, Research issues in streaming data processing, Performance evaluation metrics , tools for stream processing.
Machine learning, or predictive analytics have started entering into our daily life. Businesses and enterprises could use predictive analytics to improve efficiency, improve user experience, as well as to create new business opportunities. This talk will present WSO2 Machine Learner, our experiences of predicting Super Bowl winners, and few real life use cases. Furthermore, talk will discuss open challenges and problems people are working on.
Splunk is a powerful platform for understanding your data. The preview of the Machine Learning Toolkit and Showcase App extends Splunk with a rich suite of advanced analytics and machine learning algorithms. In this session, we'll present an overview of the app architecture and API and show you how to use Splunk to easily perform a variety of tasks, including outlier and anomaly detection, predictive analytics, and event clustering. We’ll use real data to explore these techniques and explain the intuition behind the analytics.
Every single security company is talking about how they are using machine learning—as a security company you have to claim artificial intelligence to be even part of the conversation. However, this approach can be dangerous when we blindly rely on algorithms to do the right thing. Rather than building systems with actual security knowledge, companies are using algorithms that nobody understands and, in turn, discovering wrong insights.
In this session, we will discuss:
• Limitations of machine learning and issues of explainability
• Where deep learning should never be applied
• Examples of how the blind application of algorithms can lead to wrong results
Lessons Learned Fighting Modern Cyberthreats in Critical ICS NetworksAngeloluca Barba
A presentation given in April 2019 in London during ICS Cyber Security Conference. I discuss an anonymized investigation conducted by our team to identify a real malware infection on a production network, the tools and techniques used to contain this threat and how to use threat intelligence and visibility to stay ahead of cyber adversaries.
Asset visibility and network baselining
Continuous network monitoring
Threat intelligence ingestion
Thorough incident response plans
AI & ML in Cyber Security - Why Algorithms are DangerousRaffael Marty
Link to the video of the presentation: https://www.youtube.com/watch?v=WG1k-Xh1TqM
Every single security company is talking in some way or another about how they are applying machine learning. Companies go out of their way to make sure they mention machine learning and not statistics when they explain how they work. Recently, that's not enough anymore either. As a security company you have to claim artificial intelligence to be even part of the conversation.
Guess what. It's all baloney. We have entered a state in cyber security that is, in fact, dangerous. We are blindly relying on algorithms to do the right thing. We are letting deep learning algorithms detect anomalies in our data without having a clue what that algorithm just did. In academia, they call this the lack of explainability and verifiability. But rather than building systems with actual security knowledge, companies are using algorithms that nobody understands and in turn discover wrong insights.
In this talk, I will show the limitations of machine learning, outline the issues of explainability, and show where deep learning should never be applied. I will show examples of how the blind application of algorithms (including deep learning) actually leads to wrong results. Algorithms are dangerous. We need to revert back to experts and invest in systems that learn from, and absorb the knowledge, of experts.
AI & ML in Cyber Security - Why Algorithms are DangerousPriyanka Aash
Every single security company is talking in some way or another about how they are applying machine learning. Companies go out of their way to make sure they mention machine learning and not statistics when they explain how they work. Recently, that's not enough anymore either. As a security company you have to claim artificial intelligence to be even part of the conversation.
Guess what. It's all baloney. We have entered a state in cyber security that is, in fact, dangerous. We are blindly relying on algorithms to do the right thing. We are letting deep learning algorithms detect anomalies in our data without having a clue what that algorithm just did. In academia, they call this the lack of explainability and verifiability. But rather than building systems with actual security knowledge, companies are using algorithms that nobody understands and in turn discover wrong insights.
In this talk, I will show the limitations of machine learning, outline the issues of explainability, and show where deep learning should never be applied. I will show examples of how the blind application of algorithms (including deep learning) actually leads to wrong results. Algorithms are dangerous. We need to revert back to experts and invest in systems that learn from, and absorb the knowledge, of experts.
SPEAKERS
Phil Royer, Research Engineer, Splunk
Rod Soto, Principal Security Research Engineer, Splunk
Obtaining data to develop defenses against threats is a constant challenge for security analysts. To that end, Splunk's Security Research team developed the Splunk SIEMulator, a framework modeled after Chris Long's DetectionLab that allows a...
1. No Silver Bullet
Multi contextual threat detection via
Machine Learning.
By @rodsoto @jozephzadeh
2. $:Whoami..
• Rod Soto
– Researcher at Splunk UBA, former AKAMAI,
Prolexic PLXSert. Like to break things, p0wn
botnets and play CTFs.
• Joseph Zadeh
– Data Scientist at Splunk UBA, building behavioral
intrusion detection technologies at scale. Enjoy
working on defense projects that combine
security, artificial intelligence and distributed
systems.
4. Agenda
• Introduction: Big Data and Machine Learning
• Machine Learning in security workflows and
how it can help and limitations
• Describe central nervous system approach to
behavioral security: Lambda Defense
6. Challenges in Current Threat Indicator
Technologies
• Many devices generating logs and alerts
• Data distributed in too many places slows analysis, preventing
analysts from effectively analyzing all alerts
• SIEM makes life somewhat easier, giving analysts one place to
collect data but still deal with needle in haystack issues
7. The Big Data Challenge
• " It costs organizations an average of $1.27
million annually in time wasted responding to
erroneous or inaccurate malware alerts.
According to respondents, an average of 395
hours is wasted each week detecting and
containing malware because of false positives
and/or false negatives. The extrapolated average
value of lost time is estimated at approximately
$25,000 per week or $1.27 million each year for
participating organizations.” Ponemon Institute
8. The Big Data Challenge
• SOCs are challenged and limited in the scope of
detection, analysis and action.
• Constant required training, updates and turnover
of SOCs present a challenge for organizations.
• As of now People vs People model has proven to
be more effective as current threat
detecting/prevention technologies do not seem
sufficient nor effective against malicious actors.
The numbers speak for themselves.
9. Big Data challenge, presents a new
opportunity as well. Enter Machine
Learning
• Machine learning is a subfield of computer science[1] that
evolved from the study of pattern recognition and
computational learning theory in artificial intelligence.[1]
Machine learning explores the study and construction of
algorithms that can learn from and make predictions on
data.[2] Such algorithms operate by building a model from
example inputs in order to make data-driven predictions or
decisions,[3]:2 rather than following strictly static program
instructions.
*Wikipedia
10. Machine Learning & Big Data
Technologies
• The ability to process very large sets of data
through distributed computing plus the ability
to apply algorithms that can learn based on
these large datasets, will provide analysts with
more meaningful detection and actionable
items.
11. Learning Algorithms
• “a process or set of rules to be followed in
calculations or other problem-solving operations,
especially by a computer.” *Wikipedia
• These learners can be designed and develop to
scale against all these sources of data and
produce meaningful detection of anomalies.
• By applying these learners we can build models
that can approach threats from a multi
contextual, dynamic perspective, thus going
beyond the concept of static signature based
security technologies.
12. Sequencing the Security DNA
• The next gen paradigm:
– 1:1 Correspondence between users data footprint
and Compute Resources
• Commoditization of compute means for
300,000 User Accounts means assign 300,000
individual threads + memory + disk to run
learning algorithms per individual log
footprint simultaneously
13. Adversarial Drift
• Current status quo, is driven by adversaries
developing and introducing changes in their
TTPs, bypassing all current detection
technologies.
17. Advantages of using ML
• Using ML allows us to put together very large
and distinct sources of data into a platform for
analysis, interpretation and prediction.
• ML allows us to go beyond of static signature
based technologies.
• ML creates an scenario where detection of
threats based on dynamic and multi
contextual indicators is possible.
18. 18
Automating the Forensic Workflow
• Incident Response Is Hard Work! What
can we automate?
A security analyst is an oracle whose
input is evidence and whose output is
True Positive, False Positive, True
Negative or False Negative
– The list of possible questions is large but
typically the flow is a type of decision tree
for example
19. 19
ML as a tool to make your job easier
Security Oracle Workflow
Example 1:
Evidence => Periodic Communication
=> LAN to WAN Data =>WAN URL has
Bad Reputation => Correlate with VT
=> True Positive
Example 2:
Evidence => Potential C2 Domain =>
LAN to WAN Data => WAN URL is new
Google IP => False Positive
20. Learning = Compression?
• There is a duality between learning and compression
Input Data Total
Size = 1 GB
Learned output is a
set of “coefficients”
Total Output Size =
1K
Primary Key
Tim
e
UserI
D
Count
Row 1 … … …
Row 2 … … …
Row 3 … … …
… … … …
Row N … … …
C
1
C
2
C
3
C4 C
5
22. Learning = Compression?
• Train a model to predict mpg as a function of car
weight, number of cylinders and displacement
23. Learning = Compression?
• Train a model to predict mpg as a function of car
weight, number of cylinders and displacement
24. Learning = Compression?
• The overall input data is reduced in a “compressed
form” to use in future predictions
25. Learning = Compression?
• This process is extremely brittle in terms of modeling a changing
signal or an adversary that changes patterns over time
26. Learning = Compression?
• The simple linear model gives us output that separates the Signal
from the Noise (this is not always possible with a model)
29. ML Challenges
• Over fitting/Under fitting
• Technology still in early stages
• “Operationalization”
• Advesarial drift and changing TTP’s means
models have to change over time (retraining)
33. Mapping Behaviors to Code
• Easy to Parallelize
– Count()
– Average()
– Time series()
– Local state
computations
• Per user/IP/account/…
• Hard to Parallelize (NC
Complete Complexity)
– Rank()
– Median
– …
– Anything that keeps
track of global state
34. Lambda Security
• Lambda architecture provides a design paradigm
for a “Scalable Central Nervous System” for the
SOC whose components include
– Machine learning based ETL(Extract/Transform/Load)
– Distributed crawlers
– Automated identity/session resolution and fingerprinting
– Formal evidence collection protocol for automated
labeling of incident response data
– Analytics Metrics and establishing benchmarks for
heterogeneous data
35. Batch Features + Real Time Features
• Keep in mind all work is done on a cluster
(distributed system)
– Concepts: groupBy (User,Domain, “arbitrary field”)
• Batch Example
– Data driven domain popularity
• Real time example
– Exploit chain content types
• Lambda => Immutable/Functional data structures
– Spark RDD’s (abstraction for a distributed
computation as opposed to result of a distrubted
computation)
36. Lambda + Central Nervous System
• Augment “in memory” lightweight signal from
the point with large scale processing platforms
that can “sequence the security DNA”
– Classical IDS/FW/Point solutions have significant
limitations in terms of sharing state and being able
to correlate across nodes
37. 37
Lambda Architecture
• Architecture is described by three simple equations:
batch view = function(all data)
realtime view = function(realtime view, new data)
query = function(batch view, realtime view)
43. Lambda Security
DHCP
IMS/IPAM
FW
Proxy
VPN
AD
Real Time Identity Resolution
Distributed
ETL
Username = select
coallesce(user_name,
hostname, IP) from
Active_ID_Table
where IP =
‘10.10.100.23)
IP DHCP.MAC DHCP_Lasteventtime AD_FQDN
10.100.1.23 58:5c:35:c3:6e:a4 2014-03-11T14:00:00 joe.eng.acme.com
10.13.11.221 12:3a:74:b2:6a:22 2014-03-12T14:30:00 ad.hr.acme.com
Sequential
Models and
IOC’s
Data
Ingest
Real Time Layer
44. Lambda Security
44
DHCP
IMS/IPAM
FW
Proxy
VPN
AD
Real Time Identity Resolution
Distributed
ETL
Username = select
coallesce(user_name,
hostname, IP) from
Active_ID_Table
where IP =
‘10.10.100.23)
IP DHCP.MAC DHCP_Lasteventtime AD_FQDN
10.100.1.23 58:5c:35:c3:6e:a4 2014-03-11T14:00:00 joe.eng.acme.com
10.13.11.221 12:3a:74:b2:6a:22 2014-03-12T14:30:00 ad.hr.acme.com
Sequential
Models and
IOC’s
Data
Ingest
Large Scale Models and
Non-Sequential IOC’s
Real Time Layer
Batch
Layer
45. Lambda Security
45
DHCP
IMS/IPAM
FW
Proxy
VPN
AD
Real Time Identity Resolution
Distributed
ETL
Username = select
coallesce(user_name,
hostname, IP) from
Active_ID_Table
where IP =
‘10.10.100.23)
IP DHCP.MAC DHCP_Lasteventtime AD_FQDN
10.100.1.23 58:5c:35:c3:6e:a4 2014-03-11T14:00:00 joe.eng.acme.com
10.13.11.221 12:3a:74:b2:6a:22 2014-03-12T14:30:00 ad.hr.acme.com
Sequential
Models and
IOC’s
Data
Ingest
Large Scale Models and
Non-Sequential IOC’s
Real Time Layer
Batch
Layer
Hybrid View
(Batch + Real
Time)
46. 46
DHCP
IMS/IPAM
FW
Proxy
VPN
AD
Real Time Identity Resolution
Distributed
ETL
Username = select
coallesce(user_name,
hostname, IP) from
Active_ID_Table
where IP =
‘10.10.100.23)
IP DHCP.MAC DHCP_Lasteventtime AD_FQDN
10.100.1.23 58:5c:35:c3:6e:a4 2014-03-11T14:00:00 joe.eng.acme.com
10.13.11.221 12:3a:74:b2:6a:22 2014-03-12T14:30:00 ad.hr.acme.com
Sequential
Models and
IOC’s
Data
Ingest
Large Scale Models and
Non-Sequential IOC’s
Hybrid View
(Batch + Real
Time)
47. 47
DHCP
IMS/IPAM
FW
Proxy
VPN
AD
Real Time Identity Resolution
Distributed
ETL
Username = select
coallesce(user_name,
hostname, IP) from
Active_ID_Table
where IP =
‘10.10.100.23)
IP DHCP.MAC DHCP_Lasteventtime AD_FQDN
10.100.1.23 58:5c:35:c3:6e:a4 2014-03-11T14:00:00 joe.eng.acme.com
10.13.11.221 12:3a:74:b2:6a:22 2014-03-12T14:30:00 ad.hr.acme.com
Sequential
Models and
IOC’s
Data
Ingest
Large Scale Models and
Non-Sequential IOC’s
Automated process to
accelerate workflows like
Splunk Query to retrieve PCAP
for further analysis combined
with automatic VT/heuristic
correlations
Hybrid View
(Batch + Real
Time)
48. ML + Sequencing the Security DNA
• We parallelize across many nodes (JVMs) and use
both real time and batch computations
JVM 1
JVM 2
JVM 3
1. GET http://forbes.com/gels-contrariness-domain-
punchable/"
2. GET http://portcullisesposturen.europartsplus.org/
3. POST http://dpckd2ftmf7lelsa.jjeyd2u37an30.com/
1. GET http://youtube.com/
2. GET http://avazudsp.net/
3. GET http://betradar.com/
4. GET http://displaymarketplace.com/
1. GET http:/clickable.net/
2. GET http://vuiviet.vn/
3. GET http://homedepotemail.com/
4. GET http://css-tricks.com/
49. ML applied to Malware Research
Dridex, Zeus
• Malware uses covert command and control
techniques to evade detection
• Malware communication leaves footprints of
anomalous behaviors
– Domain Generation Algorithms
– SSL command and control
– Twitter/Facebook/Gmail based steganography
– RFC Compliant DNS backdoor
50. Adaptive Filter
(Crowd sourced
Popularity
Metrics)
External Domain/IP Profile
Data In
Global
Evidence
Collection
C2 Model
Timing
Features
Lexical
Analysis
Communic
ation Stats
Example:
Variance of Inter-
arrival Times
Example:
N-Gram
Score
Ratio of Bytes
In/Bytes Out
Domain
Communication
Score
Timing Score Layer 7 Score NLP Score
Analyst
Recommendation
www.evil.com High Risk Moderate Risk Moderate Risk No Risk
Critical Prioirty:
Communication is
active and going
unlbocked
www.khhjdkshj33ejj.com 0 Moderate Risk 0 High Risk
Low Priority: Traffic
is blocked by
firewall
www.google.com No Risk No Risk No Risk No Risk No Action Needed
Classification Algorithm
Human Feedback Loop
52. Key to ML: Label Your Analysis
Domain Name TotalCnt RiskFactor
AGD
SessionTime RefEntropy NullUa Outcome
yyfaimjmocdu.com 144 6.05 1 1 0 0 Malicious
jjeyd2u37an30.com 6192 5.05 0 1 0 0 Malicious
cdn4s.steelhousemedia.com 107 3 0 0 0 0 Benign
log.tagcade.com 111 2 0 1 0 0 Benign
go.vidprocess.com 170 2 0 0 0 0 Benign
statse.webtrendslive.com 310 2 0 1 0 0 Benign
cdn4s.steelhousemedia.com 107 1 0 0 0 0 Benign
log.tagcade.com 111 1 0 1 0 0 Benign
• This is how the algorithms will “learn” from
human expertise and help support a common
security workflow
Human Expertise is manually encoded into a format
computers understand: Sometimes this process is
called Labeling or “Truth-ing” the data
53. Sequential Behaviors: Exploit Chain
1. Initial Redirect From Poisoned Domain: [29/Apr/2015:16:52:23 -0700] "Nico Rosberg" 192.168.122.177 69.162.78.253
1500 200 TCP_HIT "GET http://forbes.com/gels-contrariness-domain-punchable/1.html/548828415920276748 HTTP/1.1"
"Internet Services" "low risk" "text/html" 604 142 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64;
Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
"http://forbes.com/gels-contrariness-domain-punchable/1.html" "-" "0" "" "-”
Sequencing data by account name is a great way to
catch certain attacks over http data that are
otherwise very expensive to compute downstream
54. Sequential Behaviors: Exploit Chain
1. Initial Redirect From Poisoned Domain: [29/Apr/2015:16:52:23 -0700] "Nico Rosberg" 192.168.122.177 69.162.78.253
1500 200 TCP_HIT ”GET http://forbes.com/gels-contrariness-domain-punchable/1.html/548828415920276748 HTTP/1.1"
"Internet Services" "low risk" "text/html" 604 142 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64;
Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
"http://forbes.com/gels-contrariness-domain-punchable/1.html" "-" "0" "" "-”
2. Flash Exploit: [29/Apr/2015:16:52:26 -0700] "Nico Rosberg" 192.168.122.177 69.162.78.253 1500 200 TCP_HIT "GET
http://portcullisesposturen.europartsplus.org/IMvOBBZKDLqAJYIDe02t5hMMNyzBLN_q4kafJkVNqJVTnTmd HTTP/1.1"
"Internet Services" "low risk" "application/x-shockwave-flash" 518 821 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1;
WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
"http:///forbes.com/gels-contrariness-domain-punchable/1.html/548828415920276748" "-" "0" "" "-”
58. ML + Sequencing the Security DNA
• We parallelize across many nodes (JVMs) and use
both real time and batch computations
JVM 1
JVM 2
JVM 3
1. GET http://forbes.com/gels-contrariness-domain-
punchable/"
2. GET http://portcullisesposturen.europartsplus.org/
3. POST http://dpckd2ftmf7lelsa.jjeyd2u37an30.com/
1. GET http://youtube.com/
2. GET http://avazudsp.net/
3. GET http://betradar.com/
4. GET http://displaymarketplace.com/
1. GET http:/clickable.net/
2. GET http://vuiviet.vn/
3. GET http://homedepotemail.com/
4. GET http://css-tricks.com/
59. Conclusion
- ML can potentially become a milestone
technology in Cybersecurity
- Upcoming advances in hardware and
distributed computing will accelerate
development in ML: Lambda Security
- Need to industry standard to share behavioral
indicators and labels
- NO SKYNET in the foreseeable future
60. Thank you
- Rod Soto
rsoto@splunk.com @rodsoto
- Joseph Zadeh
jzadeh@splunk.com @josephzadeh
65. Lambda Firewalls?!
Manage the paths accordingly start building lambda
workflows into Everything!!!
• Lambda firewall
– Statistical whitelist computation aspect (fuzzy ACL’s)
– Path for signatures and sequential behaviors that is more expressive
than PCRE
• Central nervous system approach to blending signals
– Defense should scale up and down the size of organization: a properly
engineered central nervous system should be able to protect SMB
market as well as large scale deployments
• Difference between a classical firewall and a lambda firewall
Rod Slide:
Solely based on static signatures.
Passive and cumbersome to apply without special knowledge and training.
Analyst have to deal with multiple sources, producing large quantities of data. Usually relying in these static signatures, and trained eyes.
These technologies produce immense amounts of False Positives/Negatives, not including the overhead in administration and support of such technologies.
These high number of FP usually leads to dismissal and lack of confidence in current technologies. (Cry wolf syndrome)
The adoption of Big Data technologies has only made this worse.
Rod
Rod
Rod Last Slide
Rod
The Complexity Class P-Complete and NC
NC => parallelizable
Some problems don’t parallelize well!!
P-Complete => Inherently Sequential
Any problem where you have to maintain state across nodes: Circuit Value Problem, Linear programming
Streaming models are usually harder to maintain than batch models