This document discusses a proactive approach to cybersecurity called cyber-attack forecasting. It involves using machine learning and game theory to model a cyber system and analyze interactions between attackers and defenders to predict future attacks. The approach includes using hierarchical clustering to group similar systems, detecting anomalies, and formulating interactions as games to determine optimal defense strategies like probing frequencies. This proactive approach aims to address limitations of reactive security by enabling preemptive countermeasures against sophisticated threats.
Security from both sides of the fence – a discussion of techniques, such as fuzzing, to reduce the likelihood of an attacker discovering exploits on smartphones and PCs; plus a demonstration of approaches hackers may use to weaponize and exploit vulnerabilities.
Automating Analysis and Exploitation of Embedded Device Firmware - Malachi Jones
Dynamic binary analysis tools utilize a combination of techniques that include fuzzing, symbolic execution, and concolic execution to discover exploitable code in sophisticated binaries. Much work has been dedicated to developing automated analysis tools that target mainstream processor architectures (e.g. x86 and x86_64). An often overlooked and inadequately addressed area is the development of tools that target embedded systems processors, which include PowerPC, MIPS, and SuperH. Historically, a challenge with targeting multiple embedded architectures was that it was often necessary to write an analysis tool for each architecture.
In this talk, we'll discuss an approach for decoupling the architecture specifics from the analysis by utilizing intermediate representation (IR) languages. Intermediate representation languages provide a method to abstract out machine specifics in order to aid in the analysis of computer programs. In particular, the LLVM IR language provides an extensive set of analysis and optimization libraries, along with a JIT engine, that can be collectively utilized to develop architecture-independent automated analysis and exploitation tools.
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers - Ollie Whitehouse
This short 45-minute presentation is aimed at ICS/SCADA and general IT engineers who want to understand the basic concepts related to the much-discussed threat that is APT.
The audience is first introduced to the concepts and to who employs APTs, then to how they manifest, before the talk closes with mitigation and defense strategies.
Ethical Hacking Conference 2015 - Building Secure Products - a perspective - Dr. Anish Cheriyan (PhD)
This talk was given at the Unicom Ethical Hacking Conference 2015. It focuses on the importance of building security into the product development life cycle. The presentation covers architectural flaws and implementation bugs, principles of design, the software development life cycle, and the activities to be done from a security perspective.
The Finest Penetration Testing Framework for Software-Defined Networks - Priyanka Aash
Software-Defined Networking (SDN) is getting attention for the next-generation networking today. The key concept of SDN is to decouple the control logic from the traditional network devices so that network developers can design innovative network functions in a more flexible and programmable way. However, SDN is not always bringing advantages to us. Security experts have constantly raised security concerns about SDN, and some vulnerabilities have been uncovered in the real world. If SDN is not secure, how can we measure the security level of SDN environments?
In this talk, we introduce a powerful penetration testing tool for SDN called DELTA, which is officially supported by Open Networking Foundation (ONF). First, DELTA can automate diverse published attack scenarios against various SDN components from testing to evaluating. Also, to discover unknown vulnerabilities that may exist in SDN, DELTA leverages a blackbox fuzzing technique that randomizes different control flows in SDN. It enables us to systemically reveal unknown security issues rather than the empirical and ad-hoc methods that most previous studies use. By using DELTA, anyone can easily and thoroughly test not only popular open source SDN controllers (i.e., ONOS, OpenDaylight, Floodlight, and Ryu), but also SDN-enabled switches (i.e., OpenvSwitch, HP, and Pica8) in the real world.
We will show nine new attack cases that have been found by DELTA but never been announced before.
Also, we will discuss:
- What control flows are in SDN, and why those are important as a key feature compared to the traditional networks.
- What the key components and workflow of DELTA are for attacking real SDN components.
- Which nine new attack cases have been discovered by DELTA, which we will demonstrate. For example, one of the new attacks violates the table condition, leading to a black hole in the handling of packets in the switch.
TIG / Infocyte: Proactive Cybersecurity for State and Local Government - Infocyte
This webinar and presentation outlines the Infocyte HUNT threat detection and incident response platform, and how it enables state and local government organizations to:
- Reduce risk across local, off-network, and cloud IT assets
- Expose and eliminate hidden cyber threats and vulnerabilities
- Streamline your overall security operations
- Achieve and maintain compliance
Using Infocyte, TIG can provide their customers with cost-effective, easy-to-manage, and on-demand cybersecurity consulting services (e.g. compromise assessments, incident response) and managed security services (e.g. managed detection and response).
Visit https://www.infocyte.com/ to learn more and request a demo, or request a cybersecurity risk assessment (Compromise Assessment) using the link below:
https://www.infocyte.com/free-compromise-assessment/
Using examples of attacks on embedded systems as they are already practised today in networked systems, the talk shows how important security is in this area.
From these attacks and a forecast of how system functions will continue to develop, security requirements for the embedded systems of the future are derived. This in turn yields a security architecture for these systems with important standard components as trust anchors. These include so-called secure elements, secure identities and separating operating systems.
Current research on the use of secure elements in automobiles, the smart grid and mobile devices is presented. The talk shows how secure identities can be derived from material properties using Physical Unclonable Functions, and how operating systems that use secure elements and separation increase security.
Colloquium talk by Prof. Georg Sigl, Technische Universität München
Tuesday, 17.12.2013, 16:00, lecture hall 47.03 (Elektrotechnikgebäude, Pfaffenwaldring 47)
Informatik-Forum Stuttgart e.V.
AI & ML in Cyber Security - Why Algorithms are Dangerous - Raffael Marty
Link to the video of the presentation: https://www.youtube.com/watch?v=WG1k-Xh1TqM
Every single security company is talking in some way or another about how they are applying machine learning. Companies go out of their way to make sure they mention machine learning and not statistics when they explain how they work. Recently, that's not enough anymore either. As a security company you have to claim artificial intelligence to be even part of the conversation.
Guess what. It's all baloney. We have entered a state in cyber security that is, in fact, dangerous. We are blindly relying on algorithms to do the right thing. We are letting deep learning algorithms detect anomalies in our data without having a clue what that algorithm just did. In academia, they call this the lack of explainability and verifiability. But rather than building systems with actual security knowledge, companies are using algorithms that nobody understands and in turn discover wrong insights.
In this talk, I will show the limitations of machine learning, outline the issues of explainability, and show where deep learning should never be applied. I will show examples of how the blind application of algorithms (including deep learning) actually leads to wrong results. Algorithms are dangerous. We need to revert back to experts and invest in systems that learn from, and absorb the knowledge, of experts.
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8) - FFRI, Inc.
• About Black Hat USA
• Hot Research
• Vehicle
– CANSPY: A Platform For Auditing CAN Devices
– Advanced CAN Injection Techniques For Vehicle Networks
– Can You Trust Autonomous Vehicles: Contactless Attacks against Sensors of Self-driving Vehicle
• IoT
– Into The Core – In-Depth Exploration of Windows 10 IoT Core
– GATTacking Bluetooth Smart Devices – Introducing A New BLE Proxy Tool
– GreatFET: Making GoodFET Great Again
• Conclusions
• References
Peter Wood has worked as an ethical hacker for the past 20 years, with clients in sectors as diverse as banking, insurance, retail and manufacturing. He will describe how advanced persistent threats operate from a security intelligence perspective, based on published case studies and analysis. He will highlight APT entry points and exploitation techniques and suggest practical prevention and detection strategies.
This presentation talks about some of the challenges in detecting advanced malware which uses evasion techniques such as inline assembly or previously unknown approaches. The presentation also focuses on leveraging static code analysis as an opportunity to detect this evasive malware in the sandbox.
The New Pentest? Rise of the Compromise Assessment - Infocyte
If an attacker had a foothold in your network today, would you know it?
If they made it past your real-time defense measures (EDR, EPP, AV, UEBA, firewalls, etc.) or an analyst misinterpreted a critical alert, chances are they've entrenched themselves for the long haul. Skilled and organized attackers know long-term persistence in your network is the most critical component to meeting their goal of stealing information, causing damage, or pivoting attacks on other organizations.
Threat hunting is the proactive practice of finding attackers in your environment before they can cause damage (or at least stop the bleeding from continued exposure). Unfortunately, effective threat hunting practices remain out-of-reach for most organizations due to lack of security infrastructure and qualified people to manage advanced endpoint security solutions.
One solution to this problem is to hire a third party to conduct a periodic assessment geared toward discovery of unauthorized access and compromised systems. This is called a "compromise assessment" and just recently compromise assessments have become one of the most requested services from top security service providers.
Customers don’t want to just know if they can be hacked (a good penetration tester will generally conclude “yes”); they want to know if they ARE hacked—right now—and if so, what endpoints/hosts/servers on their network are compromised.
In this presentation, which was originally prepared for Black Hat 2018, Chris Gerritz outlines the growing practice of compromise assessments and the best practices being utilized by some of the largest and most sophisticated managed security service providers (MSSPs) with this offering.
What approaches are most effective?
What data is being utilized?
What are some of the top challenges?
To request a free 100-node compromise assessment or to learn more about Infocyte HUNT — our comprehensive threat hunting platform — and start a free trial, please visit https://try.infocyte.com.
As the number and severity of cyber-crimes continues to grow, it’s important to understand the steps cyber-criminals take to attack your network, the types of malware they use, and the tools you need to stop them. The basic steps of a cyber attack include reconnaissance (finding vulnerabilities); intrusion (actual penetration of the network); malware insertion (secretly leaving code behind); and clean-up (covering tracks).
Malware comes in various forms, some more nefarious than others, ranging from annoying sales pitches to potentially business-devastating assaults. Dell SonicWALL offers comprehensive solutions to counter every stage of cyber attacks and eliminate every type of malware from disrupting your business network.
In this presentation I have given an overview of different kinds of cyber attacks or crimes, email frauds, fake mails, how to create them and how to prevent them, and different types of software used for spying.
Looking to understand how hackers and other attackers use cyber technology to attack your network and your executives? This slide set provides an overview and details the anatomy of a cyber attack, and the strategies you can use to manage and mitigate risk.
Volatile Memory: Behavioral Game Theory in Defensive Security - Kelly Shortridge
This presentation will explore some of the teachings from the young field of behavioral game theory, which empirically measures how humans behave in games, as an improvement upon prior discussions involving traditional Game Theory models in which humans are considered perfectly rational. I will use behavioral game theory to examine how people’s natural cognitive biases lead to sub-optimal behavior in their decision-making processes in adversarial games – and specifically processes related to playing defense in the information security “game.”
I will detail various sorts of games in which this sub-optimal performance manifests, how humans cognitively approach these games and touch on some of the algorithms, such as self-tuning EWAs, that help predict how people will behave in certain defender-attacker-defender (DAD) games. Finally, I will explore what sort of strategies and counter-measures can be implemented to improve defense’s performance in DAD games, incorporating techniques such as belief prompting, improved incorporation of information and decision trees.
SPS'20 - Designing a Methodological Framework for the Empirical Evaluation of... - Andrea Montemaggio
Presented at the 2nd International Workshop on Self-Protecting Systems (SPS'20).
Abstract:
Increasingly, cyber attacks against enterprises and governments make use of automated tools. For this reason, and given the importance of a timely protection, in the last decade there has been a push in researching methodologies to automate the full defense life-cycle of computer systems. The two core phases of this life-cycle are Intrusion Detection and Intrusion Response. However, while some progress has been done on the former, the latter is still at an early stage. This is due to several factors, among which the lack of a standardized methodology for the validation and comparison of Intrusion Response methodologies.
In this paper, we attempt to fill this gap by introducing a methodological framework for the quantitative empirical evaluation of self-protecting systems, based on the metrics of response time and cost. An experimental design is also provided and its applicability is illustrated by the means of a template experiment.
I will talk about innovation in the area of cyber security analytics - developing machine learning methods to detect and block cyber attacks (e.g. detecting ransomware within 4 seconds of execution and killing the underlying processes). Rather than just focusing on this as a 'black box', I'll pull it apart and talk about how we can use these methods to enable security practitioners (SOC/CIRT etc) to ask and answer questions about 'what' and 'why' these methods are flagging attacks. I'll also talk about resilience of machine learning methods to manipulation and adversarial attacks - how stable these approaches are to diversity and evolution of malware for example.
"Cyberhunting" actively looks for signs of compromise within an organization and seeks to control and minimize the overall damage. This rare, but essential, breed of enterprise cyber defenders gives proactive security a whole new meaning.
Check out the accompanying webinar: http://www.hosting.com/resources/webinars/?commid=228353
Today's Breach Reality, The IR Imperative, And What You Can Do About It - Resilient Systems
Despite changing threats and the near certainty of compromise, most IT security programs are much the same as they were a decade ago. How have attacker motivations and tactics changed, and why? What does this mean for IT security departments, and how must they adapt?
This webinar will detail the security challenges organizations face today, the implications of changes in attacker tactics and motivations, and what firms can do to better align their security program with today's reality.
Our featured speakers for this webinar will be:
- Ted Julian, Chief Marketing Officer, Co3 Systems
- Colby Clark, Director of Incident Management, Fishnet Security
AI Cybersecurity: Pros & Cons. AI is reshaping cybersecurity - Tasnim Alasali
Discover how AI is reshaping cybersecurity. This presentation delves into AI's role in enhancing threat detection, the balance of innovation and risk, and the strategies shaping the future of digital defense.
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016 - Danny Akacki
We can all agree that threat detection is an essential component of a functioning security monitoring program. Let's start thinking about how to take our tradecraft to the next level and hunt for ways for evil to do evil things. This talk will run through some of the observations gathered during hunting expeditions inside the networks of multiple Fortune ranked organizations. We hope to challenge you to expand your security operations, moving beyond traditional signature based detection.
Improving cyber security using biosecurity experience - Norman Johnson
See the paper that goes with the PPT on my LinkedIn.
See detailed comments in PPT.
Abstract: How does the current planning and response to cyber threats compare to biological threats planning and response? How do the resources of each compare? Biothreats have been a concern for millennia, and human systems have had significant time and funding to develop a mature response. In this paper we observe that by comparison, cyber response is still in a relatively immature stage, possibly comparable to the state of public health protection prior to the implementation of safe water, sanitary conditions and vaccinations. Furthermore, we argue that because of the similarity between bio- and cyber systems, there are significant opportunities to advance the maturity of cyber research and response, either by using bio analogies for inspiration or by the direct transfer of resources. An analysis of existing cyber resources and gaps are compared to available bio resources. Specific examples are provided for the application of bio-resources to cyber systems.
Digital Forensics for Artificial Intelligence (AI) Systems.pdf - Mahdi_Fahmideh
Digital Forensics for Artificial Intelligence (AI) Systems:
AI systems make decisions impacting our daily life. Their actions might cause accidents, harm or, more generally, violate regulations either intentionally or not and consequently might be considered suspects for various events. In this lecture we explore how digital forensics can be performed for AI based systems.
This is a simple presentation on Game Theory in Network Security. I made it when I was searching for research points for my Master's degree. Still searching for other research points. Any suggestions on research points in network security or network architecture? :)
2. About Me(Cyber-security Background)
4
• Georgia Tech (2007-2013)
– Security research collaboration between Georgia Tech (GT) and University of
California Santa Barbara (UCSB)
– PhD thesis topic: “Cyber-Attack Forecasting” [1]
• Harris Corporation (2013 – Present)
– (2014) Crypto-system software development and security consultant
– (2015) Cyber Security Vulnerability Researcher
Giovanni Vigna, PhD
Security Researcher
Joao Hespanha, PhD
Game Theorist
Jeff Shamma, PhD
Game Theorist
Georgios Kotsalis, PhD
Game Theorist
Malachi Jones, PhD
Security Researcher
3. Outline
• Motivation: Reactive vs. Proactive
• Background
– Game Theory
– Machine Learning
• Cyber-Attack Forecasting
– Modeling a Cyber System
– Analyzing the Model
• Conclusion
• Questions
• Additional Resources
4. Motivation: Reactive vs Proactive
• Reactive Security
– Backward looking: Addressing
yesterday’s security threats today
– Status quo in Cyber-Security
Community
– Effective against novice hackers
– Inadequate for
• Advanced Persistent Threats (APTs)
• Sophisticated cyberweapons
Teen Hacker in Basement
State Sponsored Hacking
5. Motivation: Reactive vs Proactive
• Reactive Cyber-Security Process
– Hacker develops new technique
– Technique tested against security systems
– Technique adopted by other hackers
– Security community eventually responds
6. Motivation: Proactive Approach (Healthcare)
• Forecasting Infections/diseases
– Reliably Predict the next outbreak
of an infection or disease
– Learn/Estimate the capabilities of
the disease (i.e. Highly contagious)
– Proactive Countermeasures
• Provide vaccinations
• Quarantine infected individuals
• Set up medical facilities near
areas where outbreak likely to be
worst
7. Motivation: Proactive Approach (Cyber Security)
• Forecasting a cyber attack
– Reliably predict a cyber-attack
– Learn/estimate attacker and/or
malware capabilities
– Launch proactive countermeasures
• Take infected systems offline
• Scrub and reinstall system
• Repressive actions (i.e. sandbox
databases/datastores)
• Perform more invasive “checkups” on
systems likely to be infected
8. Motivation: Cyber Attack Forecasting
• Forecasting Challenges
– Modeling attacker and cyber system in
an analytical framework
– Computational complexity of analyzing
model to predict future attacks
9. Background: Game Theory
• Cyber Security
– At least two decision makers (i.e. Cyber
Defender and Attacker)
– Want to predict likely behavior of attacker
– Objective to make “good” decisions to
defend against cyber-attacks
• Game Theory
– Mathematical decision framework
– Provides methods to analyze interactions
among decision makers
– Can allow us to predict the likely actions
of an adversary and recommend
appropriate actions for the defender
10. Background: Game Theory
• Prisoner's Dilemma
– Police arrest two suspects
– Suspects interrogated in separate rooms
– Each suspect can choose an action:
• Cooperate: Stay silent (Not Guilty)
• Defect: Confess and “rat out” the other
suspect (Guilty)
• Analysis of likely behavior of decision maker
– Best outcome for the group is to Cooperate
– Best outcome for the individual is to Defect and rat
out the other person
– Outcome is defect for each decision maker
Payoff matrix (rows and columns labeled C and D):
2,2 5,1
1,5 3,3
11. Background: Machine Learning
• Machine Learning:
– Discovering/learning from patterns in
collected data
– Can be useful to group 'like' objects
• Hierarchical Clustering
– Clusters are a group of 'like' objects
– Builds a hierarchy of clusters
• Agglomerative Clustering
– Bottom up approach to building cluster
– Initially, each object is its own cluster
– Pairs of clusters are merged based on 'likeness'
– Performance: O(n^2)
Example of Agglomerative Clustering
12. Actionable Cyber-Attack Forecasting
• Two components of forecasting we will focus on:
– Analyzing the Model Using Game Theoretic Methods
– Modeling a Cyber System
14. Modeling a Cyber System: A Simple Model
• Decision makers: Defender and Attacker
• Actions
– Defender: Rate (xi) to check up on the cyber-health of Host hi
– Attacker: Rate (yi) to attack (e.g. exfiltrate info) from Host hi
• Utility function for Host hi:
where is the cyber-health of hi
• Global Utility:
• Defender objective: Maximize the global utility function
• Zero-sum assumption: Attacker objective inverse of defender
,
15. Modeling a Cyber System: A Simple Model
• A closer inspection of the local utility function of host hi:
• Feasible constraints on the parameters:
• How do we obtain the following information to input into utility function?
– Cyber health of a node
– Parameters: cinfo, rdetect, and cprobe
• cinfo: Information leakage cost
• rdetect: Reward for detecting malware and/or a cyber-attack
• cprobe: Cost for probing that includes bandwidth and processing
16. Estimating Cyber Health: High Level Overview
• Machine Learning:
– Use agglomerative clustering algorithm to cluster hosts based on the similarity of
the top 10 active processes with respect to CPU time
– Caution: We need to protect against malicious clusters from forming. We don't
want a subset of bad nodes to form their own cluster
– Example stopping criteria to help prevent malicious clusters:
– Since we are using hierarchical clustering, the algorithm will terminate once all
clusters are at least the minimum cluster size
17. Estimating Cyber Health: High Level Overview
• Anomaly Detection:
– Let the health of a node be a function of how far away it is from the center of
mass of its assigned cluster
– Example:
• Let Pi be the set of processes running on host hi
• We will measure the similarity of nodes i and j by using the Jaccard index as follows:
• Let be the set of processes that are at least on 75% of machines in the cluster
that host hi is in
• Then
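An added example, not from the original slides: agglomerative clustering of hosts by Jaccard similarity of their process sets, stopped by a minimum cluster size, followed by a per-host health score. The host names, process sets, average-linkage merge rule, minimum size of 3, and the health formula (Jaccard index between a host's processes and its cluster's 75% common set) are assumptions, since the deck's own formulas are not reproduced on this page.

```python
from itertools import combinations

def jaccard(a, b):
    """Jaccard index |a & b| / |a | b| of two process sets."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0

def linkage(c1, c2, procs):
    """Average pairwise Jaccard similarity between two clusters of hosts."""
    total = sum(jaccard(procs[i], procs[j]) for i in c1 for j in c2)
    return total / (len(c1) * len(c2))

def cluster_hosts(procs, min_size):
    """Merge the most similar pair until every cluster has >= min_size hosts."""
    clusters = [frozenset([h]) for h in sorted(procs)]
    while len(clusters) > 1 and any(len(c) < min_size for c in clusters):
        a, b = max(combinations(clusters, 2), key=lambda p: linkage(*p, procs))
        clusters = [c for c in clusters if c not in (a, b)] + [a | b]
    return clusters

def common_processes(cluster, procs, fraction=0.75):
    """Processes present on at least `fraction` of the cluster's hosts."""
    return {p for h in cluster for p in procs[h]
            if sum(p in procs[m] for m in cluster) >= fraction * len(cluster)}

def cyber_health(procs, min_size=3):
    """ASSUMED health score: Jaccard(P_i, common set of the host's cluster)."""
    health = {}
    for cluster in cluster_hosts(procs, min_size):
        common = common_processes(cluster, procs)
        for h in cluster:
            health[h] = jaccard(procs[h], common)
    return health

# Constructed sample: process sets per host (shortened from "top 10").
WEB = {"nginx", "php-fpm", "memcached", "sshd", "cron"}
DB = {"postgres", "pgbouncer", "rsyslogd", "sshd", "cron"}
HOSTS = {
    "web1": WEB, "web2": WEB, "web3": WEB,
    "web4": {"nginx", "php-fpm", "memcached", "sshd", "chronyd"},
    "db1": DB, "db2": DB, "db3": DB,
    "db4": {"postgres", "pgbouncer", "sshd", "proc_x", "proc_y"},  # odd one out
}

if __name__ == "__main__":
    for host, score in sorted(cyber_health(HOSTS).items()):
        print(f"{host}: {score:.2f}")
```

Because of the minimum cluster size, db4 cannot sit in a cluster of its own: it is merged into the database cluster and scored against what is common there.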
18. Estimating Utility Function Parameters
• Information leakage cost for host hi
– We can borrow an idea from sophisticated cyberweapons like Regin
– Assign higher costs to hosts that are accessed by people that have higher
privileges in an organization (IT admins, CEO, CTO, etc…)
• Probing cost for host hi
– Another idea borrowed from sophisticated malware
– Self monitor process cpu/memory/bandwidth usage at different probe rates to
derive costs for each host
• Reward for detecting malware
– Determine organization's attribution risk appetite for unknowingly hosting
botnets/zombies
– The reward can be proportionate to the resources available for use on a host by
a botmaster and/or hacker
20. Analysis with Game Theory
• Suppose the following:
– Defender: Actions are always probe and never probe (i.e. xi = 1 or xi = 0)
– Attacker: Actions are always attack and never attack (i.e. yi = 1 or yi = 0)
• The zero-sum 2X2 matrix game representation for host hi
[Figure: payoff matrices with axes labeled P, NP (defender) and A, NA (attacker); entries not preserved]
21. Analysis with Game Theory
• Formulation of game as a general optimization problem:
where s* is the optimal mixed strategy for the defender
• Note: s* is the probability that the defender should always probe
• Key Point: This problem can be formulated as a linear program, which
is computationally more efficient
• Linear Programming Formulation:
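An added example, not from the original slides: the defender's optimal probe probability s* for the 2x2 game, found by checking the vertices of the equivalent linear program instead of calling an LP solver. The payoff entries built from cinfo, rdetect and cprobe, the host names and the parameter values are assumptions made for illustration; the deck's own utility function is not reproduced on this page.

```python
from fractions import Fraction
from itertools import combinations

def payoff_matrix(c_info, r_detect, c_probe):
    """Defender payoffs, rows (probe, no probe), columns (attack, no attack).
    ASSUMED entries for illustration, not the deck's utility function."""
    return [[r_detect - c_probe, -c_probe],
            [-c_info, 0]]

def solve_defender(matrix):
    """Maximin mixed strategy for the row player of a 2xN zero-sum game.

    Equivalent LP: maximise v subject to v <= s*a[0][j] + (1-s)*a[1][j]
    for every attacker column j, with 0 <= s <= 1. The optimum sits at a
    vertex, so checking s=0, s=1 and every crossing of two column lines
    is enough. Returns (s_star, game_value) as exact fractions."""
    top = [Fraction(x) for x in matrix[0]]
    bot = [Fraction(x) for x in matrix[1]]
    candidates = {Fraction(0), Fraction(1)}
    for j, k in combinations(range(len(top)), 2):
        # line_j(s) = bot[j] + s*(top[j]-bot[j]); solve line_j(s) == line_k(s)
        slope_gap = (top[j] - bot[j]) - (top[k] - bot[k])
        if slope_gap != 0:
            s = (bot[k] - bot[j]) / slope_gap
            if 0 < s < 1:
                candidates.add(s)
    def worst_case(s):
        return min(s * t + (1 - s) * b for t, b in zip(top, bot))
    s_star = max(sorted(candidates), key=worst_case)
    return s_star, worst_case(s_star)

# Constructed parameters: (c_info, r_detect, c_probe) per host.
HOST_PARAMS = {
    "admin-workstation": (8, 2, 1),   # high information leakage cost
    "kiosk": (1, 2, 1),               # little to leak
    "idle-box": (0, 2, 1),            # nothing to leak
}

def probe_plan(hosts):
    """Optimal probe probability s* for each host."""
    return {name: solve_defender(payoff_matrix(*p))[0]
            for name, p in hosts.items()}

if __name__ == "__main__":
    for name, s in probe_plan(HOST_PARAMS).items():
        print(f"{name}: probe with probability {float(s):.2f}")
```

Under these assumed payoffs the host with the highest leakage cost gets the highest probe probability, and a host with nothing to leak is never probed.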
22. Conclusion: Q&A
• Can you really forecast a cyber attack in a real, non-trivial system?
– Yes…Forecasting isn't necessarily binary (i.e. either it will happen or not happen)
– The predictiveness can be about intensity/frequency/distribution of an attack in a
system (e.g. Will it get worse? How often will it occur? Where will it spread next? )
– Example: I have a cough. Will this turn into a flu? Can it spread to others?
– All models are wrong, but some models can be useful
• How far in advance could you predict an attack (Lead-time)?
– You don't have to predict an event days or weeks in advance for the prediction to
be useful
– Even a 20 minute warning could be the difference between 1,000 users' sensitive
information being exfiltrated and 1,000,0000
23. Conclusion: Q&A
• If you can forecast, what approaches/methodologies will you use to
predict cyber attacks in a real world system?
– Machine Learning: Hierarchical clustering of groups of hosts in a system based
on the similarity of processes/services running on each host
– Anomaly Detection: Amongst hosts in a cluster, determining which hosts
behaviors are significantly different and deriving cyber-health for each host
– Game Theory: Mathematical decision framework that can allow us to predict the
likely actions of an adversary and recommend appropriate action for the defender
• What are examples of 'actionable' decisions in the context of a
defender of a cyber system?
– Probing frequency/intensity: How often should we 'check up' on a host and how
invasive should the checkup be?
– Should a host stay online, be taken offline, or wiped and reinstalled?
24. Conclusion: Q&A
• Are there any connections with healthcare (i.e. modeling/forecasting
infectious diseases like malaria and ebola)?
– There may be a lot of ideas from the medical field that we can borrow that are
relevant and useful in predicting/detecting/treating cyber infections.
– Example: When you go to the doctor for a checkup, they compare your vitals (i.e.
blood pressure, pulse, and body temperature) to what is 'normal' for someone in
your respective demographic
– We explicitly borrow this concept of deriving cyber-health of a node based on what
is 'normal' for the cluster.
26. Additional Resources
1. M. Jones, G. Kotsalis, and J. Shamma, “Cyber-attack forecast modeling and
complexity reduction using a game-theoretic framework,” in Control of Cyber-
Physical Systems (D. C. Tarraf, ed.), vol. 449 of Lecture Notes in Control and
Information Sciences, pp. 65–84, Springer International Publishing, 2013.
2. Singer, P.W. & Friedman, A. (2014). Cybersecurity: What Everyone Needs to
Know. OUP USA.
3. Zetter, Kim (2014). Countdown to Zero Day: Stuxnet and the Launch of the
World's First Digital Weapon. Crown Publishing Group
4. Jacobs, Jay & Rudis, Bob (2014). Data-Driven Security: Analysis,
Visualization and Dashboards. Wiley Publishing
5. Kleidermacher, D. & Kleidermacher, M. (2012). Embedded Systems Security:
Practical Methods for Safe and Secure Software and Systems Development.
27. Additional Resources
6. Ferguson, Niels, Schneier, Bruce & Kohno, Tadayoshi (2010). Cryptography
Engineering: Design Principles and Practical Applications. Wiley Publishing
7. Gebotys, C.H. (2009). Security in Embedded Devices. Springer
8. Anderson, R., "Why information security is hard - an economic perspective,"
Proceedings 17th Annual Computer Security Applications Conference (ACSAC 2001),
pp. 358-365, 10-14 Dec. 2001.