Paragon Science used a combination of network analysis, community detection, topic detection, sentiment analysis, and anomaly detection to find key influencers and viral topics in two recent Twitter data sets: one of 7.9 M tweets regarding ISIS and a second set consisting of 13 M tweets about the recent primary elections.
Using Chaos to Disentangle an ISIS-Related Twitter Network (Steve Kramer)
Paragon Science used a combination of network analysis, community detection, topic detection, sentiment analysis, and anomaly detection to find key influencers and emotionally charged websites in an ISIS-related Twitter network.
Unraveling Ebola One Tweet at a Time: Dynamic Network Analysis of an Ebola-Re... (Paragon_Science_Inc)
A sample of 2.5M tweets mentioning "Ebola" was collected during November 5-12, 2014. The titles of the 6227 web pages referenced by the tweets were used to cluster the web pages into roughly 100 topics. Paragon Science's patented dynamic anomaly detection software (http://www.paragonscience.com/intellectual_property.htm) then identified the top five most-anomalous topics. This research demonstrates how these techniques allow us to focus attention quickly on viral, emerging topics. A video showing an animation of those anomalous topics and the key related web pages for every hour of that week in November 2014 is available at https://www.youtube.com/watch?v=AEQ02hv4Xjw.
Talk on Kaspersky lab's CoLaboratory: Industrial Cybersecurity Meetup #5 with @HeirhabarovT about several ATT&CK practical use cases.
Video (in Russian): https://www.youtube.com/watch?v=ulUF9Sw2T7s&t=3078
Many thanks to Teymur for the great tech dive.
How to leverage the MITRE ATT&CK Framework to improve your organization's security posture and bring your SOC/Blue Team up to speed with the current Tactics, Techniques and Procedures (TTPs) that modern threat actors use.
In the modern age, all organizations face threats from various types of cyber attacks. Although great strides have been made to consider human factors in cybersecurity and to become more proactive in threat analysis, security is still generally a reactive, technical field. The research presented in this talk seeks to develop a framework which adapts the existing MITRE ATT&CK framework to look at attacks in a less linear, more human-centered framework that focuses on the capabilities and decisions of the threat actor.
The framework approaches threat analysis from a binary assessment of success vs. failure in order to see the entire attack and consider the potential for a number of methods and attempts made in a single attack. A detailed methodology and sample charts are included for a reference and a starting point in developing one’s own personalized charts, and recommendations are made for ways to integrate this methodology into the risk management process.
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe... (MITRE - ATT&CKcon)
With the development of the MITRE ATT&CK framework and its categorization of adversary activity during the attack cycle, understanding what to hunt for has become easier and more efficient than ever. However, organizations are still struggling to understand how they can prioritize the development of hunt hypotheses, assess their current security posture, and develop the right analytics with the help of ATT&CK. Even though there are several ways to utilize ATT&CK to accomplish those goals, only a few focus primarily on the data that is currently being collected to drive the success of a hunt program.
This presentation shows how organizations can benefit from mapping their current visibility from a data perspective to the ATT&CK framework. It focuses on how to identify, document, standardize and model current available data to enhance a hunt program. It presents an updated ThreatHunter-Playbook, a Kibana ATT&CK dashboard, a new project named Open Source Security Events Metadata known as OSSEM and expands on the “data sources” section already provided by ATT&CK on most of the documented adversarial techniques.
Video (at YouTube) - http://bit.ly/19TNSTF
Big Data Security Analytics, Data Science and Machine Learning are a few of the new buzzwords that have invaded our industry of late. Most of what we hear are promises of a unicorn-laden, silver-bullet panacea by heavy-handed marketing folks, evoking an expected pushback from the most enlightened members of our community.
This talk will help parse what we as a community need to know and understand about these concepts: the technical details and actual capabilities behind them, where they fail, and how they can be exploited and fooled by an attacker.
The talk will also share results of the author's current ongoing research (on MLSec Project) into applying machine learning techniques to information security monitoring.
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,... (MITRE - ATT&CKcon)
Unit 42 researches threat activity and publishes detailed reports on attack campaigns launched by these adversaries. One of these adversaries, known as Sofacy, has been carrying out attack campaigns on high profile targets for many years and has continued into 2018.
To understand how to defend against these threats, an analyst has to read our reports, process them and mentally map them to their defenses. In most cases we expect readers to just "block" all of the indicators we include in the report and assume they are covered. Last year we started using ATT&CK to codify the techniques we observed, linking those techniques to indicator patterns and encoding them into STIX 2 objects, with the goal of creating something that a defender can use to answer the question: "How am I defending against this adversary?" We call these documents "Adversary Playbooks", as they contain our best approximation of how the adversary launches their attacks.
This talk describes the concept of Adversary Playbooks, as well as provides an overview of the attack campaigns Unit 42 has attributed to the Sofacy group in 2018. It uses the discussed attacks to show how these playbooks are constructed and explain some of the challenges of incorporating ATT&CK and STIX 2 together for this purpose.
From Threat Intelligence to Defense Cleverness: A Data Science Approach (#tid... (Alex Pinto)
This session will center on a market-centric and technological exploration of commercial and open-source threat intelligence feeds, which are increasingly being offered as a way to improve the defense capabilities of organizations.
While not all Threat Intelligence can be represented as "indicator feeds", this space has enough market attention that it deserves a proper scientific, evidence-based investigation so that practitioners and decision makers can maximize the results they are able to get for the data they have available.
The presentation will consist of a data-driven analysis of a cross-section of threat intelligence feeds (both open-source and commercial) to measure their statistical bias, overlap, and representability of the unknown population of breaches worldwide. All the statistical code written and research data used (from the publicly available feeds) will be made available in the spirit of reproducible research. Attendees will be able to use the tool itself (called tiq-test) to perform the same type of tests on their own data.
Some of the important questions and answers that emerge in this presentation include:
"Are Threat Intelligence Feeds a statistically good measure of the population of 'bad stuff' happening out there? Is there even such a thing?"
"How tuned to YOUR specific threat surface are those feeds?"
"Can we actually make good use of them even if the threats they describe have no overlap with the actual incidents you have been seeing in your environment? (hint: probably not)"
We will provide an open-source tool (called combine) for attendees to extract, normalize and export data from threat intelligence feeds to use in their internal projects and systems. It will be pre-configured with current publicly available network feeds and easily extensible for private or commercial feeds.
Biting into the Jawbreaker: Pushing the Boundaries of Threat Hunting Automation (Alex Pinto)
Threat Hunting has commonly been defined as a series of investigative actions that should be performed by human teams in order to cover detection gaps where automated tools fail. However, as those techniques become more and more popular and standardized, wouldn't it be the case that we are able to automate a large part of those common threat hunting activities, creating what is basically a definitional oxymoron?
In this session, we will demonstrate how some IOC-based threat hunting techniques can be automated or constructed to augment human activity by encoding analyst intuition into repeatable data extraction and processing techniques. Those techniques can be used to simplify the triage stage and get actionable information from potential threats with minimal human interaction. The more math-oriented parts will cover descriptive statistics, graph theory, and non-linear scoring techniques on the relationships of known network-based IOCs to an organization's log data.
Our goal here is to demonstrate that by elevating the quality of data available to our automation processes we can effectively simulate "analyst intuition" on some of the more time-consuming aspects of network threat hunting. IR teams can then theoretically be more productive as early as the initial triage stages, with data products that provide a "sixth sense" on which events are worthy of additional analyst time.
Sharing is Caring: Understanding and Measuring Threat Intelligence Sharing Ef... (Alex Pinto)
For the last 18 months, MLSec Project and Niddel collaborated to collect threat intelligence indicator data from multiple sources in order to make sense of the ecosystem and try to find a measure of efficiency or quality in these feeds. This initiative culminated in the creation of Combine and TIQ-test, two of the open source projects from MLSec Project. These projects have been improved upon for the last year, and are able to gather and compare data from multiple Threat Intelligence sources on the Internet.
Alex Sieira and his team have gathered aggregated usage information from intelligence sharing communities in order to determine if the added interest and "push" towards sharing is really being followed by the companies and if its adoption is putting us on the right track to close these gaps. He proposes a new set of metrics in the same vein as TIQ-test to help you understand what a "healthy" threat intelligence sharing community looks like.
To better illustrate the points and metrics, Alex will be conducting part of this analysis using usage data from some high-profile threat intelligence platforms and sharing communities that have been kind enough to contribute with usage data for this research.
MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso... (MITRE - ATT&CKcon)
USAA has utilized the MITRE ATT&CK framework as a unique means to map their current detection infrastructure and assess their ability to defend against the most relevant threats to their network. In this presentation they share some lessons learned during their journey with ATT&CK leading to identified best practices for workflow integration through team composition and custom tool development.
Your adversaries continue to attack and get into companies. You can no longer rely on alerts from point solutions alone to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real-world attack scenario. The workshop will illustrate how advanced correlations from multiple data sources and machine learning can enhance security analysts' capability to detect and quickly mitigate advanced attacks.
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr... (MITRE - ATT&CKcon)
The Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner.
VERIS has been the base analysis framework supporting the Verizon Data Breach Investigations Report (DBIR) since its inception. However, as organizations work to interpret the richness of information present in the DBIR at a more tactical level, the Threat Action Varieties available in VERIS fail to capture the detail present in the incidents recorded.
This talk presents the Verizon Common Attack Framework (VCAF), an effort from the Security Data Science team and the DBIR team in Verizon to expand and map the ATT&CK framework in alignment with the DBIR Threat Action Varieties to provide this much-sought level of granularity in recording and analyzing recorded breaches.
Additionally, this talk describes possible outcomes when this data is available and organized as such. Examples include applying DBIR-inspired attack vector analytics upon ATT&CK layer information, effectively identifying optimal control choke points on the attack graphs according to specific industries covered by the DBIR.
Data-Driven Threat Intelligence: Metrics on Indicator Dissemination and Sharing (Alex Pinto)
For the past 18 months, Niddel has been collecting threat intelligence indicator data from multiple sources in order to make sense of the ecosystem and try to find a measure of efficiency or quality in these feeds. This initiative culminated in the creation of Combine and TIQ-test, two of the open source projects from MLSec Project. These projects have been improved upon for the last year and are able to gather and compare data from multiple Threat Intelligence sources on the Internet.
We take this analysis a step further and extract insights from more than 12 months of collected threat intel data to verify the overlap and uniqueness of those sources. If we were able to find enough overlap, a strategy could be put together to acquire an optimal number of feeds, but as Niddel demonstrated in the 2015 Verizon DBIR, that is not the case.
We also gathered aggregated usage information from intelligence sharing communities in order to determine if the added interest and "push" towards sharing is really being followed by the companies and if its adoption is putting us on the right track to close these gaps.
Join us in a data-driven analysis of over a year of collected Threat Intelligence indicators and their sharing communities!
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur... (Alex Pinto)
We could all have predicted this with our magical Big Data analytics platforms, but it seems that Machine Learning is the new hotness in Information Security. A great number of startups with 'cy' and 'threat' in their names claim that their product will defend or detect more effectively than their neighbour's product "because math". And it should be easy to fool people without a PhD or two into believing that math just works.
Indeed, math is powerful and large-scale machine learning is an important cornerstone of many of the systems that we use today. However, not all algorithms and techniques are born equal. Machine Learning is a most powerful tool box, but not every tool can be applied to every problem, and that's where the pitfalls lie.
This presentation will describe the different techniques available for data analysis and machine learning for information security, and discuss their strengths and caveats. The Ghost of Marketing Past will also show how similar the unfulfilled promises of deterministic and exploratory analysis were, and how to avoid making the same mistakes again.
Finally, the presentation will describe the techniques and feature sets that were developed by the presenter over the past year as part of his ongoing research project on the subject, in particular presenting some interesting results obtained since the last presentation at DefCon 21, and some ideas that could improve the application of machine learning in information security, especially its use as a helper for security analysts in incident detection and response.
Threat Intelligence is by far one of the most over-used buzz words in the security industry. Many professionals have very mixed feelings about Threat Intelligence feeds as well. This discussion is around how LogRhythm’s internal security team utilizes Threat Intelligence to operationalize efficiently and streamline Security Operations processes and help improve an organization’s defenses. We will show how you can generate your own Threat Intelligence and create information sharing loops within like industries to fully realize the team's defensive capabilities. On top of the technical aspects around building out a good Threat Intel program, we will discuss how to manage this from a leadership perspective and get buy-in from the top. Most importantly, once these systems are in place, how we can show value to leadership using key performance indicators and leverage this to improve the overall security program.
Special issue of the library's bibliographic bulletin devoted to an analytical review of articles from the journal "Підприємництво, Господарство. Право", nos. 11-12, 2016.
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE - ATT&CKcon
With the development of the MITRE ATT&CK framework and its categorization of adversary activity during the attack cycle, understanding what to hunt for has become easier and more efficient than ever. However, organizations are still struggling to understand how they can prioritize the development of hunt hypothesis, assess their current security posture, and develop the right analytics with the help of ATT&CK. Even though there are several ways to utilize ATT&CK to accomplish those goals, there are only a few that are focusing primarily on the data that is currently being collected to drive the success of a hunt program.
This presentation shows how organizations can benefit from mapping their current visibility from a data perspective to the ATT&CK framework. It focuses on how to identify, document, standardize and model current available data to enhance a hunt program. It presents an updated ThreatHunter-Playbook, a Kibana ATT&CK dashboard, a new project named Open Source Security Events Metadata known as OSSEM and expands on the “data sources” section already provided by ATT&CK on most of the documented adversarial techniques.
Video (at YouTube) - http://bit.ly/19TNSTF
Big Data Security Analytics, Data Science and Machine Learning are a few of the new buzzwords that have invaded out industry of late. Most of what we hear are promises of an unicorn-laden, silver-bullet panacea by heavy-handed marketing folks, evoking an expected pushback from the most enlightened members of our community.
This talk will help parse what we as a community need to know and understand about these concepts and help understand where the technical details and actual capabilities of those concepts and also where they fail and how they can be exploited and fooled by an attacker.
The talk will also share results of the author's current ongoing research (on MLSec Project) of applying machine learning techniques to information secuirty monitoring.
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...MITRE - ATT&CKcon
Unit 42 researches threat activity and publishes detailed reports on attack campaigns launched by these adversaries. One of these adversaries, known as Sofacy, has been carrying out attack campaigns on high profile targets for many years and has continued into 2018.
To understand how to defend against these threats, an analyst has to read our reports, process them and mentally map them to their defenses. In most cases we expect readers just "block" all of the indicators we include in the report and assume they are covered. Last year we started using ATT&CK to codify the techniques we observed, linking those techniques to indicator patterns and encoding them into STIX 2 objects, with the goal of creating something that a defender can use to answer the question: "How am I defending against this adversary?" We call these documents, "Adversary Playbooks" as they contain our best approximation of how the adversary launches their attacks.
This talk describes the concept of Adversary Playbooks, as well as provides an overview of the attack campaigns Unit 42 has attributed to the Sofacy group in 2018. It uses the discussed attacks to show how these playbooks are constructed and explain some of the challenges of incorporating ATT&CK and STIX 2 together for this purpose.
From Threat Intelligence to Defense Cleverness: A Data Science Approach (#tid...Alex Pinto
This session will center on a market-centric and technological exploration of commercial and open-source threat intelligence feeds that are becoming common to be offered as a way to improve the defense capabilities of organizations.
While not all Threat Intelligence can be represented as "indicator feeds", this space has enough market attention that it deserves a proper scientific, evidence-based investigation so that practitioners and decision makers can maximize the results they are able to get for the data they have available.
The presentation will consist of a data-driven analysis of a cross-section of threat intelligence feeds (both open-source and commercial) to measure their statistical bias, overlap, and representability of the unknown population of breaches worldwide. All the statistical code written and research data used (from the publicly available feeds) will be made available in the spirit of reproducible research. The tool itself will be able to be used by attendees to perform the same type of tests on their own data (called tiq-test).
Some of the important questions and answers that emerge in this presentation include:
"Are Threat Intelligence Feeds a statistical good measure of the population of 'bad stuff' happening out there? Is there even such a thing?"
"How tuned to YOUR specific threat surface are those feeds?"
"Can we actually make good use of them even if the threats they describe have no overlap with the actual incidents you have been seeing in your environment? (hint: probably not)"
We will provide an open-source tool for attendees to extract, normalize and export data from threat intelligence feeds to use in their internal projects and systems. It will be pre-configured with current publicly available network feeds and easily extensible for private or commercial feeds (called combine).
Biting into the Jawbreaker: Pushing the Boundaries of Threat Hunting AutomationAlex Pinto
Threat Hunting has been commonly definable as a series of investigative actions that should be performed by human teams in order to cover detection gaps where automated tools fail. However, as those techniques become more and more popular and standardized, wouldn't it be the case that we are able to automate a large part of those common threat hunting activities, creating what is basicaly a definition oxymoron?
In this session, we will demonstrate how some IOC-based threat hunting techniques can be automated or constructed to augment human activity by encoding analyst intuition into repeatable data extraction and processing techniques. Those techniques can be used to simplify the triage stage and get actionable information from potential threats with minimal human interaction. The more math-oriented parts will cover descriptive statistics, graph theory, and non-linear scoring techniques on the relationships of known network-based IOCs to an organization's log data.
Our goal here is to demonstrate that by elevating the quality of data available to our automation processes we can effectively simulate "analyst intuition" on some of the more time consuming aspects of network threat hunting. IR teams can then theoretically more productive as soon as the initial triage stages, with data products that provide a “sixth sense” on what events are the ones worth of additional analyst time.
Sharing is Caring: Understanding and Measuring Threat Intelligence Sharing Ef...Alex Pinto
For the last 18 months, MLSec Project and Niddel collaborated to collect threat intelligence indicator data from multiple sources in order to make sense of the ecosystem and try to find a measure of efficiency or quality in these feeds. This initiative culminated in the creation of Combine and TIQ-test, two of the open source projects from MLSec Project. These projects have been improved upon for the last year, and are able to gather and compare data from multiple Threat Intelligence sources on the Internet.
Alex Sieira and his team have gathered aggregated usage information from intelligence sharing communities in order to determine if the added interest and "push" towards sharing is really being followed by the companies and if its adoption is putting us on the right track to close these gaps. He proposes a new set of metrics on the same vein as TIQ-test to help you understand what a "healthy" threat intelligence sharing community looks like.
To better illustrate the points and metrics, Alex will be conducting part of this analysis using usage data from some high-profile threat intelligence platforms and sharing communities that have been kind enough to contribute with usage data for this research.
MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso...MITRE - ATT&CKcon
USAA has utilized the MITRE ATT&CK framework as a unique means to map their current detection infrastructure and assess their ability to defend against the most relevant threats to their network. In this presentation they share some lessons learned during their journey with ATT&CK leading to identified best practices for workflow integration through team composition and custom tool development.
Your adversaries continue to attack and get into companies. You can no longer rely on alerts from point solutions alone to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real world attack scenario. The workshop will illustrate how advanced correlations from multiple data sources and machine learning can enhance security analysts capability to detect and quickly mitigate advanced attacks.
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...MITRE - ATT&CKcon
The Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner.
VERIS has been the base analysis framework for supporting the Verizon Data Breach Investigations Report (DBIR) since its inception. However, as organizations work to interpret the richness of information present on the DBIR to a more tactical level, the Threat Action Varieties available on VERIS fail to capture the detail present on the incidents recorded.
This talk presents the Verizon Common Attack Framework (VCAF), an effort from the Security Data Science team and the DBIR team in Verizon to expand and map the ATT&CK framework in alignment with the DBIR Threat Action Varieties to provide this much-sought level of granularity in recording and analyzing recorded breaches.
Additionally, this talk describes possible outcomes when this data is available and organized as such. Examples include applying DBIR-inspired attack vector analytics upon ATT&CK layer information, effectively identifying optimal control choke points on the attack graphs according to specific industries covered by the DBIR.
Data-Driven Threat Intelligence: Metrics on Indicator Dissemination and SharingAlex Pinto
For the past 18 months, Niddel has been collecting threat intelligence indicator data from multiple sources in order to make sense of the ecosystem and try to find a measure of efficiency or quality in these feeds. This initiative culminated in the creation of Combine and TIQ-test, two of the open source projects from MLSec Project. These projects have been improved upon for the last year and are able to gather and compare data from multiple Threat Intelligence sources on the Internet.
We take this analysis a step further and extract insights form more than 12 months of collected threat intel data to verify the overlap and uniqueness of those sources. If we are able to find enough overlap, there could be a strategy that could put together to acquire an optimal number of feeds, but as Niddel demonstrated on the 2015 Verizon DBIR, that is not the case.
We also gathered aggregated usage information from intelligence sharing communities in order to determine if the added interest and "push" towards sharing is really being followed by the companies and if its adoption is putting us in the right track to close these gaps.
Join us in an data-driven analysis of over an year of collected Threat Intelligence indicators and their sharing communities!
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (Alex Pinto)
We could all have predicted this with our magical Big Data analytics platforms, but it seems that Machine Learning is the new hotness in Information Security. A great number of startups with ‘cy’ and ‘threat’ in their names claim that their product will defend or detect more effectively than their neighbour's product "because math". And it should be easy to convince people without a PhD or two that math just works.
Indeed, math is powerful, and large-scale machine learning is an important cornerstone of many of the systems that we use today. However, not all algorithms and techniques are born equal. Machine Learning is a very powerful toolbox, but not every tool can be applied to every problem, and that’s where the pitfalls lie.
This presentation will describe the different techniques available for data analysis and machine learning for information security, and discuss their strengths and caveats. The Ghost of Marketing Past will also show how similar the unfulfilled promises of deterministic and exploratory analysis were, and how to avoid making the same mistakes again.
Finally, the presentation will describe the techniques and feature sets that were developed by the presenter over the past year as part of his ongoing research project on the subject, in particular presenting some interesting results obtained since the last presentation at DefCon 21, and some ideas that could improve the application of machine learning in information security, especially in its use as a helper for security analysts in incident detection and response.
Threat Intelligence is by far one of the most over-used buzzwords in the security industry, and many professionals have very mixed feelings about Threat Intelligence feeds as well. This discussion covers how LogRhythm’s internal security team uses Threat Intelligence to operationalize efficiently, streamline Security Operations processes, and help improve an organization’s defenses. We will show how you can generate your own Threat Intelligence and create information-sharing loops within like industries to fully realize the team's defensive capabilities. On top of the technical aspects of building out a good Threat Intel program, we will discuss how to manage this from a leadership perspective and get buy-in from the top. Most importantly, we will show how, once these systems are in place, value can be demonstrated to leadership using key performance indicators and leveraged to improve the overall security program.
Special issue of the library's bibliographic bulletin devoted to an analytical review of articles from the journal "Підприємництво, Господарство. Право", Nos. 11-12, 2016.
This presentation from GlobalCAST Resources highlights some principles that can guide missions mobilization. We explore mobilization that does not resort to tactics like manipulation. Here we seek to apply community development principles to missions mobilization and ask the question what does mobilization out of the tree of life look like?
THOUSANDS OF PLACES ARE MISSING IN THE PUBLIC SCHOOLS OF THE CITY OF BUENOS AIRES (Laura Marrone)
More than 10,000 school places are still missing in the City of Buenos Aires: 1,755 for the 4-year-old classroom and at least 700 at the primary level. The 2017 budget does not provide for the construction of schools to resolve this either. The FIT presented bills for the construction of 33 schools in the southern zone and Retiro, and likewise for 40 early-childhood schools. They have not been taken up since 2014.
Enabling your Company to Embrace SEO by Nakul Goyal (Nakul Goyal)
Enterprise SEOs often find themselves in day-to-day SEO challenges: IT Resources, Budgets, Tools & Technology along with Core SEO Problems like Site Architecture, Technical SEO and Content. Is there something we can do differently to get past these problems so that we can focus and work on the right things?
Setting Up for Paid Social Success - Caitlin Jeansonne, SMX West 2017 (MMI Agency)
MMI's Caitlin Jeansonne presented Setting Up for Paid Social Success: Tracking, Attribution and Reporting at SMX West 2017.
As more social networks develop increasingly sophisticated targeting, tracking and attribution capabilities, paid social strategy and management has become a key focus for digital marketing agencies and in-house marketing departments. Social has also been at the leading edge of the advertising shift to mobile, making paid social a must-have discipline for both B2B and B2C companies.
Finding Key Influencers and Viral Topics in Twitter Networks Related to ISIS,... (Steve Kramer)
Paragon Science used a combination of network analysis, community detection, topic detection, sentiment analysis, and anomaly detection methods to find key influencers and viral topics in three recent Twitter data sets: one of 7.9 M tweets regarding ISIS, a second set consisting of more than 117 M tweets about the 2016 primary elections, and a third set of 7 M tweets related to Brexit.
Paragon Science's patented dynamic anomaly detection technology is based on methods drawn from dynamical systems and chaos theory. In particular, we can calculate finite-time Lyapunov exponents from any time-dependent data stream to find the clusters of entities that are behaving most chaotically compared to the rest of the data set. Because we do not have to specify normal vs. abnormal behavior in advance, no machine learning per se is required. In a robust fashion that is tolerant of missing or erroneous data, we can identify the "unknown unknowns" that can represent threats to be mitigated or opportunities to be seized. To date, our technique has been applied successfully to a broad range of industry verticals, including healthcare data (Advisory Board Company), web user behavior data (Vast), mobile phone data (Place IQ), vehicle pricing analytics (Digital Motorworks/CDK Global), online coupon data (RetailMeNot), email monitoring for patent law cases, and social media monitoring.
Finding Emerging Topics Using Chaos and Community Detection in Social Media G... (Paragon_Science_Inc)
In this talk, we describe our recent work in the analysis of Twitter-based network graphs, including the Ebola crisis in 2014 and the stock market in 2015.
This presentation was provided by Dr. Paul Burton of the University of Bristol during the NISO Symposium, Privacy Implications of Research Data, held on September 11, 2016, in conjunction with the International Data Week in Denver, Colorado.
Opening Keynote Lecture
15th Annual ON*VECTOR International Photonics Workshop
Calit2’s Qualcomm Institute
University of California, San Diego
February 29, 2016
BDVe Webinar Series - Ocean Protocol – Why you need to care about how you sha... (Big Data Value Association)
Come and learn about Ocean Protocol, a blockchain-powered infrastructure built specifically to enable data sharing. It addresses many of the challenging issues surrounding data privacy, trust, security, auditability, and control, which are key factors hindering data sharing in the private sector.
Dr Irene López de Vallejo, Tue, 11 Dec 2018
Over the last few years, cloud services have been steadily gaining traction in their use by commercial and non-commercial entities. As more and more sensitive or valuable processes, business functions and data move into the cloud, the need to improve threat identification and response, via auditing cloud transactions, increases. At the same time, the need for cloud users to protect the security and privacy of their resources has also intensified. In this talk, I cover how mechanisms can be used to ensure these constraints are met.
Domain Identification for Linked Open Data (Sarasi Sarangi)
Linked Open Data (LOD) has emerged as one of the largest collections of interlinked structured datasets on the Web. Although the adoption of such datasets for applications is increasing, identifying relevant datasets for a specific task or topic is still challenging. As an initial step to make such identification easier, we provide an approach to automatically identify the topic domains of given datasets. Our method utilizes existing knowledge sources, more specifically Freebase, and we present an evaluation which validates the topic domains we can identify with our system. Furthermore, we evaluate the effectiveness of identified topic domains for the purpose of finding relevant datasets, thus showing that our approach improves the reusability of LOD datasets.
NISTIR 8202
Blockchain Technology Overview
Dylan Yaga
Peter Mell
Computer Security Division
Information Technology Laboratory
Nik Roby
G2, Inc.
Annapolis Junction, MD
Karen Scarfone
Scarfone Cybersecurity
Clifton, VA
This publication is available free of charge from:
https://doi.org/10.6028/NIST.IR.8202
October 2018
U.S. Department of Commerce
Wilbur L. Ross, Jr., Secretary
National Institute of Standards and Technology
Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology
National Institute of Standards and Technology Internal Report 8202
66 pages (October 2018)
Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.
There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST.
Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at https://csrc.nist.gov/publications.
Comments on this publication may be submitted to:
National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930
Email: [email protected]
All comments are subject to release under the Freedom of Information Act (FOIA).
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and st ...
Chatty Kathy - UNC Bootcamp Final Project Presentation - Final Version - 5.23... (John Andrews)
Title: Chatty Kathy: Enhancing Physical Activity Among Older Adults
Discover how Chatty Kathy, an innovative project developed at the UNC Bootcamp, aims to tackle the challenge of low physical activity among older adults. Our AI-driven solution uses peer interaction to boost and sustain exercise levels, significantly improving health outcomes. This presentation covers our problem statement, the rationale behind Chatty Kathy, synthetic data and persona creation, model performance metrics, a visual demonstration of the project, and potential future developments. Join us for an insightful Q&A session to explore the potential of this groundbreaking project.
Project Team: Jay Requarth, Jana Avery, John Andrews, Dr. Dick Davis II, Nee Buntoum, Nam Yeongjin & Mat Nicholas
Adjusting primitives for graph : SHORT REPORT / NOTES (Subhajit Sahu)
Graph algorithms, like PageRank Compressed Sparse Row (CSR) is an adjacency-list based graph representation that is
Multiply with different modes (map)
1. Performance of sequential execution based vs OpenMP based vector multiply.
2. Comparing various launch configs for CUDA based vector multiply.
Sum with different storage types (reduce)
1. Performance of vector element sum using float vs bfloat16 as the storage type.
Sum with different modes (reduce)
1. Performance of sequential execution based vs OpenMP based vector element sum.
2. Performance of memcpy vs in-place based CUDA based vector element sum.
3. Comparing various launch configs for CUDA based vector element sum (memcpy).
4. Comparing various launch configs for CUDA based vector element sum (in-place).
Sum with in-place strategies of CUDA mode (reduce)
1. Comparing various launch configs for CUDA based vector element sum (in-place).
Techniques to optimize the pagerank algorithm usually fall in two categories. One is to try reducing the work per iteration, and the other is to try reducing the number of iterations. These goals are often at odds with one another. Skipping computation on vertices which have already converged has the potential to save iteration time. Skipping in-identical vertices, with the same in-links, helps reduce duplicate computations and thus could help reduce iteration time. Road networks often have chains which can be short-circuited before pagerank computation to improve performance. Final ranks of chain nodes can be easily calculated. This could reduce both the iteration time, and the number of iterations. If a graph has no dangling nodes, pagerank of each strongly connected component can be computed in topological order. This could help reduce the iteration time, no. of iterations, and also enable multi-iteration concurrency in pagerank computation. The combination of all of the above methods is the STICD algorithm. [sticd] For dynamic graphs, unchanged components whose ranks are unaffected can be skipped altogether.
Data Centers - Striving Within A Narrow Range - Research Report - MCG - May 2... (pchutichetpong)
M Capital Group (“MCG”) expects to see changing demand and an evolving supply, driven by institutional investment rotating out of offices and into work from home (“WFH”), alongside the ever-expanding need for data storage as global internet usage grows, with experts predicting 5.3 billion users by 2023. These market factors will be underpinned by technological changes, such as progressing cloud services and edge sites, allowing the industry to see strong expected annual growth of 13% over the next 4 years.
Whilst competitive headwinds remain, represented through the recent second bankruptcy filing of Sungard, which blames “COVID-19 and other macroeconomic trends including delayed customer spending decisions, insourcing and reductions in IT spending, energy inflation and reduction in demand for certain services”, the industry has seen key adjustments, where MCG believes that engineering cost management and technological innovation will be paramount to success.
MCG reports that the more favorable market conditions expected over the next few years, helped by the winding down of pandemic restrictions and a hybrid working environment will be driving market momentum forward. The continuous injection of capital by alternative investment firms, as well as the growing infrastructural investment from cloud service providers and social media companies, whose revenues are expected to grow over 3.6x larger by value in 2026, will likely help propel center provision and innovation. These factors paint a promising picture for the industry players that offset rising input costs and adapt to new technologies.
According to M Capital Group: “Specifically, the long-term cost-saving opportunities available from the rise of remote managing will likely aid value growth for the industry. Through margin optimization and further availability of capital for reinvestment, strong players will maintain their competitive foothold, while weaker players exit the market to balance supply and demand.”
2. Overview
Background Information about Paragon Science
Example 1: ISIS Twitter Network Analysis
Example 2: 2016 Election Twitter Network Analysis
Q & A
Paragon Science, Inc. 2
3. About Paragon Science
Advisory Board Company
• Analysis of Healthcare Data
Digital Motorworks/CDK Global
• Vehicle Pricing Analytics
Houston Law Firm
• Email Analysis for Patent Lawsuit
Place IQ
• Mobile Phone Data Analysis
RetailMeNot
• Web Analytics for Online Coupons
Vast.com
• Web User Click Patterns
Paragon Science, Inc. 3
Founder: Dr. Steve Kramer
• PhD in computational physics (nonlinear dynamics)
• Self-funded data science entrepreneur
• 22 years of research and high-tech experience
• Manager and consultant at software companies
• Reviewer for scientific journals and conferences
• Member of StartOut Austin steering committee
http://affinityincmagazine.com/paragon-science-puts-patented-technology/
4. Paragon Science, Inc. 4
Using our patented anomaly detection software to find the “unknown unknowns”: unusual changes that represent revenue opportunities to exploit or risks to mitigate
Many possible application areas:
• Social media alerting and sentiment change detection
• Pricing and market trend analysis and alerting
• Fraud prevention (banking, insurance, online auctions,…)
Key advantages
• No machine learning or training required
• Robust to missing or erroneous data
• Highly scalable and parallelizable
What Are We Doing?
5. Paragon Science, Inc. 5
How Is It Done Today?
Existing approaches
• Standard SNA metrics
• Rule-based systems (transaction profiling, etc.)
• Bayesian and other statistical/probabilistic models
• Machine learning tools (neural nets, HMMs, etc.)
Some limitations of existing methods
• Training requirements can be large for neural nets.
• For rule-based systems, it is difficult to effectively predict or define new “bad” anomalies or patterns in advance.
• Many current methods are not scalable to real-world operational requirements.
6. Paragon Science, Inc. 6
What Is New in Our Patented Approach?
A powerful anomaly detection approach that incorporates nonlinear time series analysis methods
• US Patent #8738652 (1.usa.gov/1kkyVD9)
“Systems and Methods for Dynamic Anomaly Detection”
Key questions answered:
• Which entities behave or evolve differently than others in the data set?
• Which entities have shifted their behavior unexpectedly?
7. Paragon Science, Inc. 7
What Is New in Our Approach? (Cont’d.)
Our framework inherently captures the dynamics of the entities under study, without having to specify in advance normal vs. abnormal behavior.
We can simultaneously analyze the time evolution of
• Network structures
• Any associated attributes (text terms, geospatial position, etc.)
Our technique is robust with respect to missing or erroneous data.
As a result, we can
• Find key players in rapidly changing networks
• Provide early warning of viral videos and online documents
• Focus attention on the most-anomalous events or transactions
8. Paragon Science, Inc. 8
Dynamic Anomaly Detection Overview
A general approach that incorporates nonlinear time series analysis methods
• Complexity measures
• Finite-time Lyapunov exponents (FTLEs)
Input data
• Communications or transactional data streams
• General time-dependent data sets
Key questions
• Which entities behave or evolve differently than others in the data set?
• Which entities have shifted their behavior unexpectedly?
9. Paragon Science, Inc. 9
Finite-Time Lyapunov Exponents (FTLEs)
General dynamical system
Flow map
• Advects points in the state space
• Describes the time evolution of the system
10. Paragon Science, Inc. 10
FTLEs characterize the amount of stretching or contraction about a point x0 during a time interval T
• Stability
• Predictability
Definition
Finite-Time Lyapunov Exponents (FTLEs)
11. Paragon Science, Inc. 11
Similarly, characteristic vectors derived from the flow map’s Jacobian can describe the generalized directions of the local stretching or contraction.
Possible derivation approaches:
• Weight-based column sampling
• Singular value decomposition (SVD)
• Principal component analysis (PCA)
Derived Jacobian Vectors
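Added example, not Paragon Science's patented method (whose specifics are not on these slides): the standard finite-time Lyapunov exponent from dynamical systems, computed for two constructed toy flow maps by estimating the flow-map Jacobian with finite differences and taking its largest singular value and right-singular vector (the SVD route to the stretching direction listed above). The flows, the initial point and the interval T are assumptions; the ranking step mirrors the talk's idea of ordering entities by how chaotically they behave.

```python
"""Added example (not Paragon Science's code): FTLE of a 2-D flow map.

sigma_T(x0) = (1/T) * ln( sigma_max( d(phi_T)/dx0 ) )

is the average exponential rate at which initial conditions near x0 separate
over the interval T. sigma_max is the largest singular value of the Jacobian
of the flow map phi_T with respect to the initial point.
"""
import math


def saddle_flow(x, y, t, a=0.5):
    """Constructed toy system dx/dt = a*x, dy/dt = -a*y, solved exactly.
    Its FTLE is a for every point and every T (stretching along x)."""
    return (x * math.exp(a * t), y * math.exp(-a * t))


def rotation_flow(x, y, t, w=1.0):
    """Constructed toy system: rigid rotation at angular rate w. No
    stretching, so its FTLE is 0."""
    c, s = math.cos(w * t), math.sin(w * t)
    return (c * x - s * y, s * x + c * y)


def jacobian(flow, x0, y0, t, h=1e-5):
    """2x2 Jacobian of phi_t with respect to (x0, y0) by central
    finite differences of the flow map."""
    xp, xm = flow(x0 + h, y0, t), flow(x0 - h, y0, t)
    yp, ym = flow(x0, y0 + h, t), flow(x0, y0 - h, t)
    return [[(xp[0] - xm[0]) / (2 * h), (yp[0] - ym[0]) / (2 * h)],
            [(xp[1] - xm[1]) / (2 * h), (yp[1] - ym[1]) / (2 * h)]]


def largest_singular(J):
    """Largest singular value of a 2x2 matrix J and the matching
    right-singular vector (the initial-condition direction stretched most),
    from the closed-form eigen-decomposition of the Cauchy-Green tensor
    C = J^T J. Returns (sigma_max, unit_vector)."""
    (a, b), (c, d) = J
    c11, c12, c22 = a * a + c * c, a * b + c * d, b * b + d * d
    tr, det = c11 + c22, c11 * c22 - c12 * c12
    lam = tr / 2 + math.sqrt(max(tr * tr / 4 - det, 0.0))  # largest eigenvalue
    if abs(c12) > 1e-12:
        v = (lam - c22, c12)          # eigenvector of C for lam
    else:                              # C already diagonal
        v = (1.0, 0.0) if c11 >= c22 else (0.0, 1.0)
    norm = math.hypot(v[0], v[1])
    return math.sqrt(lam), (v[0] / norm, v[1] / norm)


def ftle(flow, x0, y0, T):
    """FTLE at (x0, y0) over interval T plus the stretching direction."""
    smax, direction = largest_singular(jacobian(flow, x0, y0, T))
    return math.log(smax) / T, direction


def rank_by_ftle(flows, x0, y0, T):
    """Order named entities (here: flows) by FTLE, most chaotic first.
    The talk applies the same ordering to clusters of entities in a data
    stream; here the entities are the two toy systems."""
    scored = [(name, ftle(f, x0, y0, T)[0]) for name, f in flows.items()]
    return sorted(scored, key=lambda p: p[1], reverse=True)


if __name__ == "__main__":
    systems = {"saddle": saddle_flow, "rotation": rotation_flow}
    for name, value in rank_by_ftle(systems, 0.3, -0.7, 2.0):
        print(f"{name:9s} FTLE = {value:+.4f}")
```

The saddle's exponent comes out at its analytic value a = 0.5 with the stretching direction along x, while the rotation scores 0, so the ranking puts the saddle first.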
12. Paragon Science, Inc. 12
Paragon Dynamic Anomaly Detection
[Flowchart of the pipeline, recovered from the slide labels]
Clustering / Segmentation: Representation of Data at t=t_i → Cluster Resolution → Feature Vector Encoding
Outlier Detection: Outlier Detection at t=t_i
Decision: 3+ Time Intervals? (No: continue with the next interval; Yes: proceed)
Dynamic Anomaly Detection: Nonlinear Time Series Analysis (FTLEs, Dynamic Thresholds, etc.) → Pattern Classification
Domain-Specific Filtering: Threat Signatures, Risk Profiles, etc.
13. Overview
Background Information about Paragon Science
Example 1: ISIS Twitter Network Analysis
Example 2: 2016 Election Twitter Network Analysis
Q & A
Paragon Science, Inc. 13
14. Example 1: ISIS-Related Twitter Analysis
Initial data set from Twitter API collected using twittertap:
Date range: 11/30/2015 – 12/10/2015
2,541,812 tweets
7,802,210 generated links with hashtags, URLs, and user replies
Research plan
Perform k-core decomposition
Run anomaly detection software on sub-networks of nodes in the central core to find the most influential users and most viral URLs
Carry out community detection, topic detection, and sentiment analysis
Paragon Science, Inc. 14
15. Example 1: ISIS-Related Twitter Network
Paragon Science, Inc. 15
[Network schema diagram: users (User A, User B, User C) reply to and mention one another, reference URLs (URL 1, URL 2), and use hashtags (Hash Tag 1, Hash Tag 2)]
Link Type  # Links
User links to URL  2,014,572
User mentions user  2,867,633
User references hashtag  2,699,875
User references symbol  2,636
User replies to user  215,343
16. K-core Decomposition
The k-core of a graph is a maximal subgraph in which each vertex has at least degree k.
The coreness of a vertex is k if it belongs to the k-core but not to the (k+1)-core.
The k-core decomposition is performed by recursively removing all the vertices (along with their respective edges) that have degree less than k.
The k-core decomposition of a network can be very effective in identifying the individuals within a network who are best positioned to spread or share information.
M. Kitsak, et al., “Identifying influential spreaders in complex networks,” arXiv:1001.5285v1 [physics.soc-ph] (2010).
16
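Added example, not Paragon Science's or Lanet-vi's code: the recursive peeling described on the slide, implemented from scratch on a constructed Twitter-style link graph (users mention and reply to users, and reference URLs and hashtags), returning every node's coreness and the innermost shells, the selection step the election example later in the deck uses. The user names, URLs and hashtag are made up.

```python
"""Added example (not Paragon Science's code): k-core decomposition of a
small constructed Twitter-style link graph by iterative minimum-degree
peeling, giving each node's coreness and the innermost shells."""
from collections import defaultdict

# Constructed sample in the spirit of the talk's schema:
# (source user, link type, target).  Names, URLs and hashtag are made up.
SAMPLE_LINKS = [
    ("alice", "mentions", "bob"), ("alice", "mentions", "carol"),
    ("bob", "mentions", "carol"), ("carol", "replies_to", "alice"),
    ("alice", "links_to", "http://example.test/page1"),
    ("bob", "links_to", "http://example.test/page1"),
    ("carol", "links_to", "http://example.test/page1"),
    ("dave", "mentions", "alice"), ("dave", "uses", "#tag1"),
    ("erin", "mentions", "dave"),
    ("frank", "links_to", "http://example.test/page2"),
]


def build_graph(links):
    """Undirected simple graph as adjacency sets. Link types are collapsed
    and parallel links merged, because coreness depends only on which
    nodes are connected."""
    adj = defaultdict(set)
    for src, _kind, dst in links:
        if src == dst:
            continue  # a self-link adds nothing to connectivity
        adj[src].add(dst)
        adj[dst].add(src)
    return adj


def coreness(adj):
    """Return {node: k}, k being the largest value for which the node lies
    in the k-core.  Repeatedly peels a node of minimum remaining degree;
    k only ever increases, so nodes peeled while k stays flat belong to
    the same shell (this is the recursive removal on the slide)."""
    degree = {v: len(nbrs) for v, nbrs in adj.items()}
    remaining = set(adj)
    core, k = {}, 0
    while remaining:
        v = min(remaining, key=lambda u: degree[u])
        k = max(k, degree[v])
        core[v] = k
        remaining.remove(v)
        for u in adj[v]:
            if u in remaining:
                degree[u] -= 1
    return core


def k_core(adj, k):
    """Node set of the k-core: everything with coreness >= k."""
    return {v for v, c in coreness(adj).items() if c >= k}


def innermost_shells(core, shells=3):
    """Nodes grouped by the `shells` highest coreness values, highest
    first, i.e. the central part of the network the talk analyses."""
    levels = sorted(set(core.values()), reverse=True)[:shells]
    return {lv: sorted(v for v, c in core.items() if c == lv)
            for lv in levels}


if __name__ == "__main__":
    core = coreness(build_graph(SAMPLE_LINKS))
    for level, nodes in innermost_shells(core).items():
        print(f"coreness {level}: {', '.join(nodes)}")
```

On the sample the three users and the page they all share form a 4-clique and get coreness 3, while the peripheral accounts, hashtag and second page peel off at coreness 1.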
17. K-Core Decomposition of the ISIS Network
Paragon Science, Inc. 17
http://sourceforge.net/projects/lanet-vi/
18. Central Core of the ISIS Network
Paragon Science, Inc. 18
Users at the center of the k-core decomposition are positioned well to spread information and influence the network.
19. Top URLs in the Central Core
Paragon Science, Inc. 19
Coreness  # Links  URL  Web Page Title
89  398  http://www.mirror.co.uk/news/uk-news/isis-would-love-you-bomb-6941441#ICID=sharebar_twitter  ISIS would love you to bomb them to bring about apocalyptic final fight, says journalist who lived among terrorists - Jurgen Todenhofer - Mirror Online
89  384  https://www.youtube.com/watch?v=nVDiK3J9PKQ  How to Paralyse & Eliminate ISIS in Less Than 24 Hours - Younus AlGohar - YouTube
89  349  http://shr.gs/Um8lnCZ  Jihadi BILLIONAIRES: ISIS top terror rich list, but how are they blowing all the dough?
89  331  https://www.youtube.com/watch?v=FS9iPz-cPlY  Humanity Under Attack! What Must Be Done Now? - Younus AlGohar - YouTube
89  327  http://is.gd/txNkng  How to Paralyse & Eliminate ISIS in Less Than 24 Hours - Younus AlGohar
89  317  http://bbc.in/aggad  Paris attacks: Bataclan third attacker identified - BBC News
89  317  http://ti.me/1XPKXcx  London Subway Attacker Had ISIS Images on Phone: Officials
89  298  http://dailym.ai/1NFIp5L  ISIS releases its latest video as they execute two 'sorcerers' in Libya | Daily Mail Online
89  259  http://youtu.be/mXOSQj4xjPY  Fitna-e-Khwarij - YouTube
89  255  http://www.telegraph.co.uk/news/worldnews/northamerica/usa/12037849/Majority-of-Americans-support-sending-ground-troops-to-fight  Majority of Americans support sending ground troops to fight Isil
21. Top Users in the Central Core
Paragon Science, Inc. 21
User Coreness # Links
MailOnline 89 6255
David_Cameron 89 3330
Telegraph 89 2072
TarekFatah 89 1907
BBCWorld 89 992
younusalgohar 89 977
mehdifoundation 89 830
rafu007 89 791
TIMEWorld 89 700
niallboylan4fm 89 667
22. Topic Detection in the ISIS
Twitter Network
Paragon Science, Inc. 22
[Diagram: users (User A, User B, User C) reply to and mention one another and reference URLs (URL 1, URL 2); the text of the URLs yields terms (Term 1, Term 2, Term 3, ... Term N), which are grouped into topics (Topic 1, Topic 2, ... Topic M)]
146 Topics Detected
29. Incorporating Sentiment Analysis
• Incorporate sentiment analysis scores as an input to dynamic anomaly detection in order to track the propagation of references to websites with particular emotions.
• Use the LIWC (Linguistic Inquiry and Word Count) tool to calculate the sentiment scores of the web pages.
– Prof. James Pennebaker from UT Austin (http://liwc.wpengine.com/)
– Sample categories
• Positive emotion
• Negative emotion
• Anger
• Anxiety
Paragon Science, Inc.
30. Top Web Pages by Anxiety
Anxiety Score  Web Page Title  URL
11.11  Watch Daniel Scavino Jr.'s Vine "POTUS on terrorism."  https://vine.co/v/i71FvOKlYgv
6.51  *WARNING: New ISIS VIDEO: Muslim Children Execute Captives, Obama, we will behead you, as we will do to all the Jews | Pamela Geller  http://bit.ly/1TMcgif
5.56  The Mastermind Of The San Bernardino Massacre Has All The Hallmarks Of An ISIS Terrorist Attack... - Linkis.com  http://ln.is/shoebat.com/2015/12/PGcNB
4.85  The Far-Reaching Effects of Global Terrorism - YouTube  http://youtu.be/L_qr01yHoQs
4.03  Terrorism isn't scaring Americans; Obama is by Andrew Malcolm - Investors.com  http://news.investors.com/politics-andrew-malcolm/120715-784023-obama-isis-speech-no-new-strategy.htm
3.03  57 Paris airport workers on terror watch list, “Allahu akbar” scrawled on fuel tank  http://www.jihadwatch.org/2015/12/57-paris-airport-workers-on-terror-watch-list-allahu-akbar-scrawled-on-fuel-tank
2.94  DIA Emails: ISIS was deliberately armed and funded by Obama & Hillary Clinton  http://ian56.blogspot.com/2015/06/the-terrorist-threat-has-been.html?m=1
Paragon Science, Inc.
31. Top Web Pages by Negative Emotion Ratio
Negative/Positive Emotion Score  Web Page Title  URL
21.9  Russian airstrike 'kills family in their car' as bombs obliterate ISIS oil convoy | Daily Mail Online  http://dailym.ai/1IIU2Yz
13.3  Study: Unprecedented support for ISIS in the U.S. - CNNPolitics.com  http://cnn.it/1XF0p61
12.1  US-led coalition not striking ISIS oil trucks despite evidence – Russia’s General Staff - RT News  http://on.rt.com/6y9c
11.9  ISIS PARIS TERRORIST Recruited Fighters at Hungarian Refugee Camp - YouTube  https://www.youtube.com/watch?v=88TJBvH1zzg
11.8  U.S. rejects Russia’s claim of Turkey’s cooperation with ISIS  http://goo.gl/Q9MWGk
10.0  Islamic State's Sinai chief said in Gaza to coordinate with Hamas | The Times of Israel  http://bit.ly/1N6bqZa
9.8  Is ISIS Entering US Through Mexico? Amid Islamic State Fears, Border Patrol Captures Afghan, Pakistani Men Being Smuggled Into Country  http://bit.ly/1l9Mxo1
8.6  Why Can't White House Just Say ISIS Beheaded Christians? - Investors.com  http://ift.tt/1zMpWNz
8.4  For the Record: How Stubborn U.S. Leaders May Be Hurting the Fight Against ISIS on Vimeo  https://vimeo.com/147860012
8.1  Just 0.4 Percent of Syrian Refugees Admitted to U.S. Since Paris Attacks Are Christian - Breitbart  http://www.breitbart.com/big-government/2015/12/08/just-0-4-percent-syrian-refugees-admitted-u-s-since-paris-attacks-christian/
32. Paragon Science, Inc. 32
Mapping Anomalies to Source Data
[Diagram: Anomalies → Discrete/Continuous Attribute Distributions → Related Source Data]
Where and when are the hotspots of changes?
Which nodes and attributes were involved in each anomalous peak?
33. Anomaly Detection Results for Websites with
Negative Emotions
Paragon Science, Inc. 33
Surge of Twitter user links to web page with high negative emotion score: “The ISIS Trail of Death - NBC News”
34. Summary of Top 50 Negative Emotion Anomalies
34
Peak Start  Peak End  Max Change Metric  # Anomalies  Web Page Title
2015-12-08 03:36:39  2015-12-09 13:36:39  3.01  24  The ISIS Trail of Death - NBC News
2015-12-09 07:36:39  2015-12-09 16:36:39  2.33  8  Russia strikes ISIS targets in Syria from sub in Mediterranean for first time (VIDEO) RT News
2015-12-06 07:36:39  2015-12-06 21:36:39  2.10  2  US Air Force running out of bombs to fight ISIS | Fox News
2015-12-02 04:36:39  2015-12-07 09:36:39  2.01  11  If you keep saying Saudi Arabia is like ISIS, you might get sued - The Washington Post
2015-12-04 15:36:39  2015-12-04 16:36:39  1.96  2  Everyone knows what’s going on: Istanbul residents on Turkey-ISIS oil trade — RT News
2015-12-03 15:36:39  2015-12-03 15:36:39  1.91  1  Is ISIS Entering US Through Mexico? Amid Islamic State Fears, Border Patrol Captures Afghan, Pakistani Men Being Smuggled Into C
2015-12-01 17:36:39  2015-12-01 17:36:39  1.90  1  Iran news in brief, 30 November 2015 - YouTube
2015-12-01 19:36:39  2015-12-01 19:36:39  1.89  1  No Christians: All 132 Syrian Refugees Admitted to U.S. Since Paris Attacks Are Sunni Muslims
36. Animation of ISIS Twitter Network
Paragon Science, Inc. 36
Many thanks to Cambridge Intelligence for a trial license to their KeyLines software.
https://www.youtube.com/watch?v=j7Sof3BdDSY
37. Overview
Background Information about Paragon Science
Example 1: ISIS Twitter Network Analysis
Example 2: 2016 Election Twitter Network Analysis
Q & A
Paragon Science, Inc. 37
38. Example 2: Election 2016 Twitter Network
Paragon Science, Inc. 38
Data set from Twitter API collected using twittertap:
Date range: 2/24/2016-3/4/2016
13 M tweets sent by 2.8 M users
22.6 M generated links with hashtags, URLs, and user replies
K-core decomposition:
Performed once for each day
Maximum coreness of 88
Central part of the network created by selecting the three innermost shells for each day
39. K-Core Decomposition of the Innermost
Election 2016 Twitter Network
Paragon Science, Inc. 39
40. Detail View of the Central Core
Paragon Science, Inc. 40
41. Top 10 Users in the Central Core
Paragon Science, Inc. 41
42. Top 10 URLs in the Central Core
Paragon Science, Inc. 42
Degree  URL
2334  http://www.infowars.com/report-trump-supporters-in-texas-see-votes-switched-to-rubio/
1665  http://www.bostonherald.com/news/us_politics/2016/02/amid_trump_surge_nearly_20000_mass_voters_quit_democratic_party
1340  http://newsninja2012.com/gov-nikki-haley-just-became-a-liability-for-rubio-after-this-was-published-to-social-media/
1203  http://www.thepoliticalinsider.com/donald-trump-quietly-helped-marine-whom-obama-ignored/
1172  https://www.donaldjtrump.com/press-releases/donald-j.-trump-demands-retraction-of-misleading-ads-produced-by-marco-rubi
1136  http://m.washingtontimes.com/news/2016/feb/29/victims-illegal-immigrant-violence-gop-no-rubio/
978  http://goo.gl/cTEFYR
778  http://drudge.tw/1ngE3Mt
770  https://www.washingtonpost.com/news/post-politics/wp/2016/02/21/donald-trump-consults-with-rudy-giuliani-as-he-builds-political-kitchen-cabinet/
43. Top URL in the Central Core
Paragon Science, Inc. 43
51. Paragon Science, Inc. 51
What Are the Payoffs?
Find the “unknown unknowns” in dynamic data sets
Quickly identify key influencers and trends in online networks
Provide early warning of viral videos, anomalous web events, or unusual network traffic
Enable enhanced business intelligence without having to specify normal vs. abnormal behavior in advance
52. Third-Party Software Acknowledgements
Paragon Science gratefully acknowledges the following researchers and software providers:
• Cytoscape (http://www.cytoscape.org/)
• KeyLines (http://www.keylines.com)
• Lanet-vi (http://sourceforge.net/projects/lanet-vi/)
◦ J. Alvarez-Hamelin, et al., "Understanding Edge Connectivity in the Internet through Core Decomposition," Internet Mathematics 7 (1): 45–66, 2011.
• Louvain community detection software (http://perso.crans.org/aynaud/communities/)
◦ V. Blondel, et al., “Fast Unfolding of Communities in Large Networks,” Journal of Statistical Mechanics: Theory and Experiment, 10, P10008, 2008.
• Networkx (https://networkx.github.io/)
◦ A. Hagberg, D. Conway, "Hacking social networks using the Python programming language (Module II - Why do SNA in NetworkX)", Sunbelt 2010: International Network for Social Network Analysis.
Paragon Science, Inc. 52
53. Overview
Background Information about Paragon Science
Example 1: ISIS Twitter Network Analysis
Example 2: 2016 Election Twitter Network Analysis
Q & A
Thanks for your interest!
Steve Kramer
@ParagonSci_Inc
Paragon Science, Inc. 53