This document discusses using deep learning for user and entity behavior analytics (UEBA) security. It provides an example of how deep learning can be used to detect anomalies in user and entity behaviors to identify security threats like data exfiltration and malware infections. The document outlines how behavioral data from different sources can be encoded and analyzed using techniques like convolutional neural networks (CNNs) and recurrent neural networks (RNNs) to learn normal behavior patterns and detect anomalies. It also discusses how a UEBA solution combines machine learning models with local context and continuous feedback to improve detection of new threats.
Deep Learning Powers Anomaly Detection in User Behavior Analytics
1. Deep Learning In Security
An Empirical Example in User & Entity Behavior Analytics (UEBA)
Jisheng Wang
June 7, 2017
2. 2
ME, NIARA, HPE
Ø Jisheng Wang, Senior Director of Data Science, CTO Office, Aruba / HPE
• Over 12 years of experience applying Machine Learning + Big Data to Security
• Chief Scientist at Niara, leading overall data analytics innovation and development
• Ph.D. from Penn State; formerly Technical Lead at Cisco
Ø Niara – a Hewlett Packard Enterprise company
• Recognized by Gartner as a leader in User and Entity Behavior Analytics (UEBA)
• Re-invents enterprise security using big data and data science
• Acquired by Aruba, a Hewlett Packard Enterprise company, in Feb 2017
3. 3
USER & ENTITY BEHAVIOR ANALYTICS
UEBA SECURITY: why this matters
UEBA SOLUTION: how to detect attacks before damage is done
BEYOND DEEP LEARNING: how to build a comprehensive solution
YOU ARE HERE: UEBA SECURITY
4. 4
PROBLEM THE SECURITY GAP
[Chart: security spend on prevention & detection (US $B) versus the number of data breaches]
5. 5
PROBLEM CAUSE OF THE GAP
ATTACKERS
ARE QUICKLY INNOVATING &
ADAPTING
BATTLEFIELD
WITH IOT AND CLOUD, SECURITY
IS BORDERLESS
6. 6
PROBLEM ADDRESSING THE CAUSE
ATTACKERS
ARE QUICKLY INNOVATING &
ADAPTING
DEEP LEARNING
SOLUTIONS MUST BE
RESPONSIVE TO CHANGES
7. 7
PROBLEM ADDRESSING THE CAUSE
BATTLEFIELD
WITH IOT AND CLOUD, SECURITY
IS BORDERLESS
INSIDER BEHAVIOR
LOOK AT BEHAVIOR CHANGE OF
INSIDE USERS AND MACHINES
8. 8
USER & ENTITY BEHAVIOR ANALYTICS (UEBA)
MACHINE LEARNING DRIVEN BEHAVIOR ANALYTICS IS A NEW WAY TO COMBAT ATTACKERS
1. Machine driven, not only human driven
2. Detect compromised users, not only attackers
3. Post-infection detection, not only prevention
9. 9
REAL WORLD NEWS WORTHY EXAMPLES
COMPROMISED (STOLEN CREDENTIALS): 40 million credit cards were stolen from Target's servers
NEGLIGENT (ALL USED THE SAME PASSWORD): DDoS attack from 10M+ hacked home devices took down major websites
MALICIOUS (INTENDED TO LEAK INFORMATION): Edward Snowden stole more than 1.7 million classified documents
10. 10
USER & ENTITY BEHAVIOR ANALYTICS
UEBA SECURITY: why this matters
UEBA SOLUTION: how to detect attacks before damage is done
BEYOND DEEP LEARNING: how to build a comprehensive solution
YOU ARE HERE: UEBA SOLUTION
11. 11
REAL WORLD ATTACKS CAUGHT BY NIARA
SCANNING ATTACK: scan servers in the data center to find vulnerable targets. DETECTED WITH AD LOGS
EXFILTRATION OF DATA: upload a large file to a cloud server hosted in a new country never accessed before. DETECTED WITH WEB PROXY LOGS
DATA DOWNLOAD: download data from an internal document repository, which is not typical for the host. DETECTED WITH NETWORK TRAFFIC
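The exfiltration case above, "large upload to a cloud server in a country never accessed before, detected with web proxy logs", as an added example that is not the deck's or Niara's code. It keeps a per-user profile of destination countries from proxy logs and scores each later upload against the profile as it stood before that event. The log layout (pipe-separated timestamp, user, host, country, bytes uploaded), the 100 MB threshold, the warm-up cutoff and the sample lines are all constructed assumptions for this example.

```python
# Added example (not from the Niara/HPE deck): the "exfiltration of data"
# detection on slide 11 done as a behavioral baseline over web proxy logs.
# Log layout, field names and thresholds are assumptions for this example.
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not real traffic), one event per line:
# timestamp|user|destination host|destination country|bytes uploaded
SAMPLE_PROXY_LOG = """\
2017-06-01T09:12:03|alice|mail.example.com|US|18240
2017-06-01T09:40:11|alice|crm.example.com|US|5120
2017-06-02T10:02:45|alice|cdn.example.net|DE|2048
2017-06-02T11:15:09|bob|share.example.org|US|402000
2017-06-03T08:55:30|alice|mail.example.com|US|15600
2017-06-05T23:41:12|alice|files.cloud-host.example|BR|734003200
2017-06-05T23:50:00|bob|share.example.org|US|385000
"""

# Assumed warm-up cutoff: events before it only build profiles, never alert.
BASELINE_END = datetime(2017, 6, 4)


def parse_proxy_log(text):
    """Parse the pipe-separated sample format into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, country, sent = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "user": user,
            "host": host,
            "country": country,
            "bytes_sent": int(sent),
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_exfiltration(events, baseline_end, upload_threshold=100 * 1024 * 1024):
    """Flag uploads that are both large and destined to a country the user
    has never contacted before.

    Events before `baseline_end` only build each user's country profile and
    are never scored; without that warm-up every first-seen country on day
    one would alert. After the baseline, each event is scored against the
    profile as it stood before that event, then added to it.
    """
    seen_countries = defaultdict(set)
    alerts = []
    for ev in events:
        in_baseline = ev["ts"] < baseline_end
        new_country = ev["country"] not in seen_countries[ev["user"]]
        if not in_baseline and new_country and ev["bytes_sent"] >= upload_threshold:
            alerts.append({
                "ts": ev["ts"],
                "user": ev["user"],
                "host": ev["host"],
                "country": ev["country"],
                "bytes_sent": ev["bytes_sent"],
                "reason": "large upload to a country never accessed by this user",
            })
        seen_countries[ev["user"]].add(ev["country"])
    return alerts


def run_sample():
    """Run the detector over the constructed log; returns the alert list."""
    return detect_exfiltration(parse_proxy_log(SAMPLE_PROXY_LOG), BASELINE_END)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['ts']} {a['user']} -> {a['host']} ({a['country']}) "
              f"{a['bytes_sent']} bytes: {a['reason']}")
```

On the sample log only alice's 734 MB upload to a host in BR fires. The two conditions are combined deliberately: alice's 2 KB CDN fetch from DE on day two is also a first-seen country, and bob's first US upload is also above-average for him, but neither is both new and large, which is the shape of the exfiltration the deck describes.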
20. 20
ENTITY SCORING RECURRENT NEURAL NETWORK (RNN)
Input Events (in time order) and the Risk Score emitted after each:
t1, PHISHING EMAIL INFECTION -> 25
t2, SUSPICIOUS C&C DNS TUNNEL -> 48
t3, ABNORMAL SERVER ACCESS -> 76
t4, LARGE DATA UPLOAD TO NEW COUNTRY -> 92
21. 21
ENTITY SCORING RECURRENT NEURAL NETWORK (RNN)
Input Layer (200 x 1): one-hot, time-decayed encoding of each Input Event. Each event becomes a 200-dimensional vector with a single non-zero entry at the index of its event type; that entry carries a time-decayed weight computed from the gap to the previous event, f(t1), f(t2-t1), f(t3-t2), f(t4-t3) for the four events, and every other entry is 0.
22. 22
ENTITY SCORING RECURRENT NEURAL NETWORK (RNN)
Example time-decayed weights for the four events: f(t1) = 0.6, f(t2-t1) = 0.8, f(t3-t2) = 0.9, f(t4-t3) = 0.5 (each in its own one-hot position, all other entries 0).
23. 23
ENTITY SCORING RECURRENT NEURAL NETWORK (RNN)
Full network: Input Layer (200 x 1, one-hot time-decayed encoding of the Input Events) -> Hidden Layer (64 x 1), Long-Short Term Memory (LSTM) -> Output Layer (64 x 1) -> Score Layer (100 x 1) -> Risk Scores 25, 48, 76, 92 after t1, t2, t3, t4.
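The encoding and scoring pipeline of slides 21-23, as an added example that is not the deck's own code: events are turned into 200-dimensional one-hot vectors whose single non-zero entry is a time-decayed weight, and the sequence is run through an LSTM with 64 hidden units and a 100-way score layer. Everything the deck leaves unspecified is an assumption here: the decay function f(dt) = exp(-dt / tau) with tau = 24 h, the four-entry event vocabulary, t0 = 0 for the first gap, and untrained, seeded random weights, so the scores it prints are illustrative and are not the 25/48/76/92 on the slides.

```python
# Added example (not the deck's own code): the one-hot, time-decayed event
# encoding and an LSTM entity scorer with the layer sizes shown on slides
# 21-23 (input 200 x 1, LSTM hidden 64 x 1, score layer 100 x 1), in pure
# Python. Assumptions: the decay f(dt) = exp(-dt / tau) (the deck does not
# define f), the event-type vocabulary, t0 = 0 for the first gap, and
# untrained, seeded random weights, so the scores are illustrative only.
import math
import random

INPUT_DIM, HIDDEN_DIM, SCORE_DIM = 200, 64, 100

# Assumed vocabulary: the four event types from slide 20 take the first
# four of the 200 one-hot slots; the rest are left for other event types.
EVENT_TYPES = [
    "PHISHING_EMAIL_INFECTION",
    "SUSPICIOUS_CC_DNS_TUNNEL",
    "ABNORMAL_SERVER_ACCESS",
    "LARGE_DATA_UPLOAD_TO_NEW_COUNTRY",
]

# Constructed sample timeline: (hours since window start, event type).
SAMPLE_EVENTS = [
    (2.0, "PHISHING_EMAIL_INFECTION"),
    (8.0, "SUSPICIOUS_CC_DNS_TUNNEL"),
    (30.0, "ABNORMAL_SERVER_ACCESS"),
    (31.0, "LARGE_DATA_UPLOAD_TO_NEW_COUNTRY"),
]


def decay(dt_hours, tau_hours=24.0):
    """Assumed time-decay f: 1.0 for back-to-back events, shrinking as the
    gap to the previous event grows, so a tight burst of events carries
    more weight into the recurrent state than widely spaced ones."""
    return math.exp(-dt_hours / tau_hours)


def encode_events(events, t0=0.0):
    """One-hot, time-decayed encoding: each event becomes a 200-vector whose
    only non-zero entry sits at its event type's index and holds
    f(t_k - t_{k-1}), matching f(t1), f(t2-t1), ... on slide 21."""
    vectors = []
    prev = t0
    for t, event_type in events:
        v = [0.0] * INPUT_DIM
        v[EVENT_TYPES.index(event_type)] = decay(t - prev)
        prev = t
        vectors.append(v)
    return vectors


def _sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


class LSTMScorer:
    """Single LSTM cell (64 hidden units) feeding a 100-way score layer; the
    expected value of the score distribution is the 0..99 risk score
    reported after every event, so the score is updated per event."""

    def __init__(self, seed=7, scale=0.05):
        rng = random.Random(seed)

        def mat(rows, cols):
            return [[rng.uniform(-scale, scale) for _ in range(cols)] for _ in range(rows)]

        # Each gate reads the concatenation [x_t ; h_{t-1}] (200 + 64 inputs).
        self.W = {g: mat(HIDDEN_DIM, INPUT_DIM + HIDDEN_DIM) for g in "ifgo"}
        self.b = {g: [0.0] * HIDDEN_DIM for g in "ifgo"}
        self.b["f"] = [1.0] * HIDDEN_DIM  # forget-gate bias of 1: remember by default
        self.W_score = mat(SCORE_DIM, HIDDEN_DIM)
        self.b_score = [0.0] * SCORE_DIM

    @staticmethod
    def _affine(W, b, v):
        return [sum(w * x for w, x in zip(row, v)) + bi for row, bi in zip(W, b)]

    def score_sequence(self, vectors):
        h = [0.0] * HIDDEN_DIM
        c = [0.0] * HIDDEN_DIM
        scores = []
        for x in vectors:
            xh = x + h
            i = [_sigmoid(a) for a in self._affine(self.W["i"], self.b["i"], xh)]
            f = [_sigmoid(a) for a in self._affine(self.W["f"], self.b["f"], xh)]
            g = [math.tanh(a) for a in self._affine(self.W["g"], self.b["g"], xh)]
            o = [_sigmoid(a) for a in self._affine(self.W["o"], self.b["o"], xh)]
            c = [fk * ck + ik * gk for fk, ck, ik, gk in zip(f, c, i, g)]
            h = [ok * math.tanh(ck) for ok, ck in zip(o, c)]  # the 64 x 1 output layer
            logits = self._affine(self.W_score, self.b_score, h)  # 100 x 1 score layer
            m = max(logits)
            exps = [math.exp(l - m) for l in logits]
            z = sum(exps)
            scores.append(sum(k * e / z for k, e in enumerate(exps)))
        return scores


def risk_scores(events):
    """Encode a timeline and return one risk score per event, in order."""
    return LSTMScorer().score_sequence(encode_events(events))


if __name__ == "__main__":
    for (t, name), s in zip(SAMPLE_EVENTS, risk_scores(SAMPLE_EVENTS)):
        print(f"t={t:5.1f}h {name:34s} risk={s:5.1f}")
```

With random weights the score layer is close to uniform, so the printed scores sit near the middle of the 0..99 range; what the block does show is the data path: the gap before each event (2 h, 6 h, 22 h, 1 h in the sample) sets the magnitude of the single non-zero input entry, and the LSTM state carries earlier events forward so that the score after t4 depends on t1..t3, which is the property the slides rely on to raise the score across the kill chain.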
24. 24
USER & ENTITY BEHAVIOR ANALYTICS
UEBA SECURITY: what is UEBA
UEBA SOLUTION: infrastructure needed for deep learning
BEYOND DEEP LEARNING: how to build a comprehensive solution
YOU ARE HERE: BEYOND DEEP LEARNING
25. 25
LOCAL CONTEXT MACHINE + HUMAN INTELLIGENCE
[Diagram: a feedback loop of Input Data -> Models -> Alerts -> User Feedback, with Reinforcement Learning and Continuous Learning feeding Local Context back into the Models]
26. 26
TRAINING DATA GLOBAL + LOCAL INTELLIGENCE
Global Security Intelligence: in the cloud
Local Security Intelligence: individual customer deployments
CLASSIFIER FEEDBACK flows between the two
27. 27
USER & ENTITY BEHAVIOR ANALYTICS
UEBA SECURITY: what is UEBA
UEBA SOLUTION: infrastructure needed for deep learning
BEYOND DEEP LEARNING: how to build a comprehensive solution