This document provides a high-level overview of an AI-based malware detection system. The system uses a multilayer perceptron neural network with over 5 billion nodes that analyzes files and extracts features to determine if files are malicious or clean. It continuously trains and improves itself by processing large volumes of known malware and benign files. The system also has a separate process for introducing new unknown malware samples in a controlled way to generate new features without disrupting the existing network.
Application of machine learning and cognitive computing in intrusion detectio...Mahdi Hosseini Moghaddam
This document describes a proposed hardware-based machine learning intrusion detection system using cognitive processors. It discusses the need for new intrusion detection approaches due to limitations of signature-based methods. The proposed system collects network packet data using a Raspberry Pi and classifies it using a Cognimem CM1K cognitive processor chip, which implements restricted coulomb energy and k-nearest neighbor algorithms. The document outlines the system architecture, data collection and normalization methodology, and analysis of results from testing the CM1K chip on both custom and NSL-KDD network datasets, finding accuracy levels around 70-80% but slower processing times than a software simulation of the chip's algorithms. Future work areas include adding more packet features, using
This document provides an overview of Mahdi Hosseini Moghaddam's background and work applying machine learning and cognitive computing for intrusion detection. It discusses his education in computer science and engineering and awards. It then outlines the goals of the presentation to discuss real-world applications of machine learning rather than scientific details. The document proceeds to discuss problems with current intrusion detection systems, introduce concepts in machine learning and cognitive computing, and describe Mahdi's methodology and architecture for a hardware-based machine learning system using a cognitive processor to enable fast intrusion detection.
Biometric Hashing technique for AuthenticationAnIsh Kumar
This document summarizes a student project on bio-hashing authentication techniques. It includes an outline of topics to be covered such as types of cryptography, image encryption methods, cellular automata techniques like Langton's ant, and algorithms like Blowfish. The project is mentored by Dr. Debasis Giri and includes four students - Ankit Agarwal, Tuhin Kundu, Bachu Paul, and Anish Kumar. It aims to introduce bio-hashing authentication, discuss related work, and propose improvements such as generating a visually meaningful encrypted image.
Principles of Hierarchical Temporal Memory - Foundations of Machine IntelligenceNumenta
This document provides an overview of a workshop on hierarchical temporal memory (HTM) held by Numenta on October 17, 2014. The key points discussed include:
1) Numenta's mission is to discover the operating principles of the neocortex and create machine intelligence technology based on these principles.
2) HTM is based on theories about how the neocortex works, and models the neocortex as a hierarchical system that learns sequences and makes predictions.
3) Numenta's research roadmap focuses on developing HTM applications for tasks like prediction, anomaly detection, and goal-oriented behavior.
The document provides an introduction to hierarchical temporal memory (HTM) theory and technology. It begins with a disclaimer noting that the speaker has limited knowledge and requests feedback to correct any mistakes. It then presents points related to cricket to introduce HTM concepts. The document discusses HTM algorithms, networks, properties of problems well-suited to HTM, and existing tools like NuPIC for applying HTM approaches.
The document discusses using machine learning algorithms like Random Forest and k-Nearest Neighbors for intrusion detection. It analyzes the KDD Cup 1999 intrusion detection dataset to classify network traffic as normal or different types of attacks. The proposed model uses Random Forest for feature selection and k-Nearest Neighbors for classification to more accurately detect known and unknown attacks. Experimental results show the combined approach achieves better detection rates than other algorithms alone, especially for novel attacks not present in training data. Further combining the algorithms into a two-stage process may yield even higher accuracy.
Why Neurons have thousands of synapses? A model of sequence memory in the brainNumenta
Presentation given by Yuwei Cui, Numenta Research Engineer at Beijing Normal University. December 2015.
Collaborators: Jeff Hawkins, Subutai Ahmad, Chetan Surpur
Application of machine learning and cognitive computing in intrusion detectio...Mahdi Hosseini Moghaddam
This document describes a proposed hardware-based machine learning intrusion detection system using cognitive processors. It discusses the need for new intrusion detection approaches due to limitations of signature-based methods. The proposed system collects network packet data using a Raspberry Pi and classifies it using a Cognimem CM1K cognitive processor chip, which implements restricted coulomb energy and k-nearest neighbor algorithms. The document outlines the system architecture, data collection and normalization methodology, and analysis of results from testing the CM1K chip on both custom and NSL-KDD network datasets, finding accuracy levels around 70-80% but slower processing times than a software simulation of the chip's algorithms. Future work areas include adding more packet features, using
This document provides an overview of Mahdi Hosseini Moghaddam's background and work applying machine learning and cognitive computing for intrusion detection. It discusses his education in computer science and engineering and awards. It then outlines the goals of the presentation to discuss real-world applications of machine learning rather than scientific details. The document proceeds to discuss problems with current intrusion detection systems, introduce concepts in machine learning and cognitive computing, and describe Mahdi's methodology and architecture for a hardware-based machine learning system using a cognitive processor to enable fast intrusion detection.
Biometric Hashing technique for AuthenticationAnIsh Kumar
This document summarizes a student project on bio-hashing authentication techniques. It includes an outline of topics to be covered such as types of cryptography, image encryption methods, cellular automata techniques like Langton's ant, and algorithms like Blowfish. The project is mentored by Dr. Debasis Giri and includes four students - Ankit Agarwal, Tuhin Kundu, Bachu Paul, and Anish Kumar. It aims to introduce bio-hashing authentication, discuss related work, and propose improvements such as generating a visually meaningful encrypted image.
Principles of Hierarchical Temporal Memory - Foundations of Machine IntelligenceNumenta
This document provides an overview of a workshop on hierarchical temporal memory (HTM) held by Numenta on October 17, 2014. The key points discussed include:
1) Numenta's mission is to discover the operating principles of the neocortex and create machine intelligence technology based on these principles.
2) HTM is based on theories about how the neocortex works, and models the neocortex as a hierarchical system that learns sequences and makes predictions.
3) Numenta's research roadmap focuses on developing HTM applications for tasks like prediction, anomaly detection, and goal-oriented behavior.
The document provides an introduction to hierarchical temporal memory (HTM) theory and technology. It begins with a disclaimer noting that the speaker has limited knowledge and requests feedback to correct any mistakes. It then presents points related to cricket to introduce HTM concepts. The document discusses HTM algorithms, networks, properties of problems well-suited to HTM, and existing tools like NuPIC for applying HTM approaches.
The document discusses using machine learning algorithms like Random Forest and k-Nearest Neighbors for intrusion detection. It analyzes the KDD Cup 1999 intrusion detection dataset to classify network traffic as normal or different types of attacks. The proposed model uses Random Forest for feature selection and k-Nearest Neighbors for classification to more accurately detect known and unknown attacks. Experimental results show the combined approach achieves better detection rates than other algorithms alone, especially for novel attacks not present in training data. Further combining the algorithms into a two-stage process may yield even higher accuracy.
Why Neurons have thousands of synapses? A model of sequence memory in the brainNumenta
Presentation given by Yuwei Cui, Numenta Research Engineer at Beijing Normal University. December 2015.
Collaborators: Jeff Hawkins, Subutai Ahmad, Chetan Surpur
I will talk about innovation in the area of cyber security analytics - developing machine learning methods to detect and block cyber attacks (e.g. detecting ransomware within 4 seconds of execution and killing the underlying processes). Rather than just focusing on this as a 'black box', I'll pull it apart and talk about how we can use these methods to enable security practitioners (SOC/CIRT etc) to ask and answer questions about 'what' and 'why' these methods are flagging attacks. I'll also talk about resilience of machine learning methods to manipulation and adversarial attacks - how stable these approaches are to diversity and evolution of malware for example.
This document discusses future computing technologies and challenges. It describes how current computing relies on silicon chips that will soon hit physical limits. Alternative technologies like quantum, photonic and neuromorphic computing are presented as possibilities to overcome these limits. A new university, SIT, is proposed to conduct research on these new computing paradigms through interdisciplinary partnerships. SIT aims to become a top research university and prepare students for leadership roles in technology companies through new advanced degree programs.
Understand How Machine Learning Defends Against Zero-Day ThreatsRahul Mohandas
Detection Challenges
Machine Learning Approaches
Modeling Machine Learning classifiers
Attacks on Machine Learning Defenses
Real Protect
Deep Learning in Sandbox
Understand How Machine Learning Defends Against Zero-Day ThreatsRahul Mohandas
This document discusses machine learning approaches for defending against zero-day threats. It begins with an overview of the challenges of signature-based detection as malware variants increase. It then covers extracting static and behavioral features from files to build feature vectors for machine learning models. Unsupervised and classification-based clustering are examined for grouping similar objects. The document outlines attacks against machine learning defenses, such as obfuscating files to evade detection or poisoning training data. Defenses include preventing access to training data and making models resilient to poisoning. The document introduces Real Protect, a product from Intel Security that uses machine learning including deep learning in sandboxes to detect malware.
This document discusses computer generations and their characteristics from the 1st to 5th generations. It describes the transition from vacuum tubes to transistors to integrated circuits. It also discusses the positive and negative impacts of information and communication technology on society, as well as the need for ethics and law in computing. Finally, it covers security threats and measures related to computers and networks.
4 technologies including AI, IoT, blockchain, and virtual reality will revolutionize the maritime sector. AI and blockchain will have many applications including supply chain visibility, data science, voyage optimization, and diagnosis systems. Training seafarers for an AI-based future will require changes to curriculum, including teaching mathematics, programming, cybersecurity, and manual operation skills. Ensuring safe return to port capabilities with redundancy will also be important as autonomy increases.
4 technologies including AI, IoT, blockchain, and virtual reality will revolutionize the maritime sector. AI and blockchain will have many applications including supply chain visibility, data science, voyage optimization, and diagnosis systems. Training seafarers for an AI-based future will require changes to curriculum, including teaching mathematics, programming, cybersecurity, and manual operation skills. Ensuring safe return to port capabilities with redundancy will also be important as autonomy increases.
4 key technologies - AI, IoT, blockchain, and virtual reality - will revolutionize the maritime sector. AI and blockchain will have many applications, including supply chain visibility, data-driven insights, voyage optimization, and diagnostic systems. Training seafarers for an AI-based future will require changes to curriculum, including teaching fundamentals of AI systems, cybersecurity awareness, and skills for manual operation and troubleshooting of automated systems. Ensuring safe operation will also require redundancy measures for full autonomous control.
- Currently they ingest over 2 billion events per day into Splunk and use it for security, performance, and infrastructure monitoring across many teams, but plan to expand analytics through machine learning, threat intelligence integration, and focus on more proactive security logs.
An introduction to AI,ML,DL
Working of AI System
Scope of AI ,Cyber Security and BCT in Marine
Marine Education Scope of AI and BCT
Changes Required in Curriculum
Cyber security in Marine field
Parametric Analysis
Skill Set Requirement
Democratizing Fuzzing at Scale by Abhishek Aryaabh.arya
Presented at NUS: Fuzzing and Software Security Summer School 2024
This keynote talks about the democratization of fuzzing at scale, highlighting the collaboration between open source communities, academia, and industry to advance the field of fuzzing. It delves into the history of fuzzing, the development of scalable fuzzing platforms, and the empowerment of community-driven research. The talk will further discuss recent advancements leveraging AI/ML and offer insights into the future evolution of the fuzzing landscape.
Security Analytics for Data Discovery - Closing the SIEM GapEric Johansen, CISSP
This document discusses security analytics and hunting maturity. It defines hunting as a proactive approach to identifying incidents by actively looking for patterns, intelligence or hunches, rather than waiting for notifications. It describes the "SIEM gap" where SIEM tools are designed for known threats and lack the tools and flexibility for human analysis and hunting of unknown threats. It outlines techniques used in security analytics like event clustering, association analysis, and visualization to help analyze large datasets and discover unknown threats. The document argues security analytics provides the data access, analysis techniques and workflows to help close the SIEM gap and improve an organization's hunting maturity over time.
This document discusses tools and services for data intensive research in the cloud. It describes several initiatives by the eXtreme Computing Group at Microsoft Research related to cloud computing, multicore computing, quantum computing, security and cryptography, and engaging with research partners. It notes that the nature of scientific computing is changing to be more data-driven and exploratory. Commercial clouds are important for research as they allow researchers to start work quickly without lengthy installation and setup times. The document discusses how economics has driven improvements in computing technologies and how this will continue to impact research computing infrastructure. It also summarizes several Microsoft technologies for data intensive computing including Dryad, LINQ, and Complex Event Processing.
Threat Intelligence Ops In-Depth at Massive EnterpriseJeremy Li
Topic: Threat Intelligence Ops In-Depth at Massive Enterprise
Source: Massive Data Analytic Session of ISC2019
Author: Jeremy Li of Meituan-Dianping Inc.
Ansaldo STS at CPExpo 2013: "Risks and Security Management in Logistics and ...Leonardo
Finmeccanica is Italy's largest manufacturer in the high technology sector and Ansaldo STS's largest shareholder. The document discusses cyber security strategies for railway signaling systems, distinguishing between vital systems that ensure safety and non-vital systems subject to cyber risks. It promotes a mature approach to cyber security including discovery and assessment, redesign to address gaps, and intelligence/analytics. Best practices include incident management, monitoring, and governance. Specific strategies proposed include enhancing monitoring through correlation, adding virtual patching and firewall logging, near real-time asset control, and lightweight security information and event management.
Machine learning and deep learning techniques can be used to analyze diverse types of data such as images, text, signals and more. Deep learning uses neural networks to learn directly from raw data, enabling applications like object recognition, speech recognition, and analyzing time series signals. Deep learning has become popular due to labeled public datasets, increased GPU acceleration, and pre-trained models that provide a starting point for new problems.
This document provides details of an industrial training presentation on artificial intelligence, machine learning, and deep learning that was delivered at the Centre for Advanced Studies in Lucknow, India from July 15th to August 14th, 2020. The presentation covered theoretical background on AI, machine learning, and deep learning. It was divided into 4 modules that discussed topics such as what machine learning is, supervised vs unsupervised learning, classification vs clustering, neural networks, activation functions, and applications of deep learning. The conclusion discussed how AI is impacting many industries and emerging technologies and will continue to be a driver of innovation.
CyberOm - Hacking the Wellness Code in a Chaotic Cyber WorldEC-Council
Learn how to find peace and happiness within you and around you amidst chaos and understanding how the mind-body-energy connection plays a crucial role in the world of Cyber. Mental health and wellness can be the difference between a Cyber professional and a criminal.
Cloud Security Architecture - a different approachEC-Council
Whether people admit or not, everyone is moving to the cloud and all future business will run somewhere on the internet. Moving to the cloud requires different set of architecture and mindset. Data is stored, accessed and processed on different platforms and devices. Employees are working anywhere from the world, corporate data is no more under company IT custody. CISOs and CIOs need to think differently and set new Cloud Security Architecture. This session will try to draw the main areas of concern from Security perspective while moving to the cloud.
More Related Content
Similar to Global CCISO Forum 2018 | AI vs Malware 2018
I will talk about innovation in the area of cyber security analytics - developing machine learning methods to detect and block cyber attacks (e.g. detecting ransomware within 4 seconds of execution and killing the underlying processes). Rather than just focusing on this as a 'black box', I'll pull it apart and talk about how we can use these methods to enable security practitioners (SOC/CIRT etc) to ask and answer questions about 'what' and 'why' these methods are flagging attacks. I'll also talk about resilience of machine learning methods to manipulation and adversarial attacks - how stable these approaches are to diversity and evolution of malware for example.
This document discusses future computing technologies and challenges. It describes how current computing relies on silicon chips that will soon hit physical limits. Alternative technologies like quantum, photonic and neuromorphic computing are presented as possibilities to overcome these limits. A new university, SIT, is proposed to conduct research on these new computing paradigms through interdisciplinary partnerships. SIT aims to become a top research university and prepare students for leadership roles in technology companies through new advanced degree programs.
Understand How Machine Learning Defends Against Zero-Day ThreatsRahul Mohandas
Detection Challenges
Machine Learning Approaches
Modeling Machine Learning classifiers
Attacks on Machine Learning Defenses
Real Protect
Deep Learning in Sandbox
Understand How Machine Learning Defends Against Zero-Day ThreatsRahul Mohandas
This document discusses machine learning approaches for defending against zero-day threats. It begins with an overview of the challenges of signature-based detection as malware variants increase. It then covers extracting static and behavioral features from files to build feature vectors for machine learning models. Unsupervised and classification-based clustering are examined for grouping similar objects. The document outlines attacks against machine learning defenses, such as obfuscating files to evade detection or poisoning training data. Defenses include preventing access to training data and making models resilient to poisoning. The document introduces Real Protect, a product from Intel Security that uses machine learning including deep learning in sandboxes to detect malware.
This document discusses computer generations and their characteristics from the 1st to 5th generations. It describes the transition from vacuum tubes to transistors to integrated circuits. It also discusses the positive and negative impacts of information and communication technology on society, as well as the need for ethics and law in computing. Finally, it covers security threats and measures related to computers and networks.
4 technologies including AI, IoT, blockchain, and virtual reality will revolutionize the maritime sector. AI and blockchain will have many applications including supply chain visibility, data science, voyage optimization, and diagnosis systems. Training seafarers for an AI-based future will require changes to curriculum, including teaching mathematics, programming, cybersecurity, and manual operation skills. Ensuring safe return to port capabilities with redundancy will also be important as autonomy increases.
4 technologies including AI, IoT, blockchain, and virtual reality will revolutionize the maritime sector. AI and blockchain will have many applications including supply chain visibility, data science, voyage optimization, and diagnosis systems. Training seafarers for an AI-based future will require changes to curriculum, including teaching mathematics, programming, cybersecurity, and manual operation skills. Ensuring safe return to port capabilities with redundancy will also be important as autonomy increases.
4 key technologies - AI, IoT, blockchain, and virtual reality - will revolutionize the maritime sector. AI and blockchain will have many applications, including supply chain visibility, data-driven insights, voyage optimization, and diagnostic systems. Training seafarers for an AI-based future will require changes to curriculum, including teaching fundamentals of AI systems, cybersecurity awareness, and skills for manual operation and troubleshooting of automated systems. Ensuring safe operation will also require redundancy measures for full autonomous control.
- Currently they ingest over 2 billion events per day into Splunk and use it for security, performance, and infrastructure monitoring across many teams, but plan to expand analytics through machine learning, threat intelligence integration, and focus on more proactive security logs.
An introduction to AI,ML,DL
Working of AI System
Scope of AI ,Cyber Security and BCT in Marine
Marine Education Scope of AI and BCT
Changes Required in Curriculum
Cyber security in Marine field
Parametric Analysis
Skill Set Requirement
Democratizing Fuzzing at Scale by Abhishek Aryaabh.arya
Presented at NUS: Fuzzing and Software Security Summer School 2024
This keynote talks about the democratization of fuzzing at scale, highlighting the collaboration between open source communities, academia, and industry to advance the field of fuzzing. It delves into the history of fuzzing, the development of scalable fuzzing platforms, and the empowerment of community-driven research. The talk will further discuss recent advancements leveraging AI/ML and offer insights into the future evolution of the fuzzing landscape.
Security Analytics for Data Discovery - Closing the SIEM GapEric Johansen, CISSP
This document discusses security analytics and hunting maturity. It defines hunting as a proactive approach to identifying incidents by actively looking for patterns, intelligence or hunches, rather than waiting for notifications. It describes the "SIEM gap" where SIEM tools are designed for known threats and lack the tools and flexibility for human analysis and hunting of unknown threats. It outlines techniques used in security analytics like event clustering, association analysis, and visualization to help analyze large datasets and discover unknown threats. The document argues security analytics provides the data access, analysis techniques and workflows to help close the SIEM gap and improve an organization's hunting maturity over time.
This document discusses tools and services for data intensive research in the cloud. It describes several initiatives by the eXtreme Computing Group at Microsoft Research related to cloud computing, multicore computing, quantum computing, security and cryptography, and engaging with research partners. It notes that the nature of scientific computing is changing to be more data-driven and exploratory. Commercial clouds are important for research as they allow researchers to start work quickly without lengthy installation and setup times. The document discusses how economics has driven improvements in computing technologies and how this will continue to impact research computing infrastructure. It also summarizes several Microsoft technologies for data intensive computing including Dryad, LINQ, and Complex Event Processing.
Threat Intelligence Ops In-Depth at Massive EnterpriseJeremy Li
Topic: Threat Intelligence Ops In-Depth at Massive Enterprise
Source: Massive Data Analytic Session of ISC2019
Author: Jeremy Li of Meituan-Dianping Inc.
Ansaldo STS at CPExpo 2013: "Risks and Security Management in Logistics and ...Leonardo
Finmeccanica is Italy's largest manufacturer in the high technology sector and Ansaldo STS's largest shareholder. The document discusses cyber security strategies for railway signaling systems, distinguishing between vital systems that ensure safety and non-vital systems subject to cyber risks. It promotes a mature approach to cyber security including discovery and assessment, redesign to address gaps, and intelligence/analytics. Best practices include incident management, monitoring, and governance. Specific strategies proposed include enhancing monitoring through correlation, adding virtual patching and firewall logging, near real-time asset control, and lightweight security information and event management.
Machine learning and deep learning techniques can be used to analyze diverse types of data such as images, text, signals and more. Deep learning uses neural networks to learn directly from raw data, enabling applications like object recognition, speech recognition, and analyzing time series signals. Deep learning has become popular due to labeled public datasets, increased GPU acceleration, and pre-trained models that provide a starting point for new problems.
This document provides details of an industrial training presentation on artificial intelligence, machine learning, and deep learning that was delivered at the Centre for Advanced Studies in Lucknow, India from July 15th to August 14th, 2020. The presentation covered theoretical background on AI, machine learning, and deep learning. It was divided into 4 modules that discussed topics such as what machine learning is, supervised vs unsupervised learning, classification vs clustering, neural networks, activation functions, and applications of deep learning. The conclusion discussed how AI is impacting many industries and emerging technologies and will continue to be a driver of innovation.
Similar to Global CCISO Forum 2018 | AI vs Malware 2018 (20)
CyberOm - Hacking the Wellness Code in a Chaotic Cyber WorldEC-Council
Learn how to find peace and happiness within you and around you amidst chaos and understanding how the mind-body-energy connection plays a crucial role in the world of Cyber. Mental health and wellness can be the difference between a Cyber professional and a criminal.
Cloud Security Architecture - a different approachEC-Council
Whether people admit or not, everyone is moving to the cloud and all future business will run somewhere on the internet. Moving to the cloud requires different set of architecture and mindset. Data is stored, accessed and processed on different platforms and devices. Employees are working anywhere from the world, corporate data is no more under company IT custody. CISOs and CIOs need to think differently and set new Cloud Security Architecture. This session will try to draw the main areas of concern from Security perspective while moving to the cloud.
This webinar is primarily intended for those that are in need of an informational overview on how to respond to information security incidents or have a responsibility for doing so. It will also assist with your preparation for a Computer Security Incident Handling certification.
Weaponizing OSINT – Hacker Halted 2019 – Michael James EC-Council
The document discusses weaponizing open-source intelligence (OSINT) and outlines potential passive attack paths an attacker could take using only publicly available information. It describes how attackers could profile targets using personal details from social media, pastebins, medical records, business cards, news articles, and other open sources. The document also provides recommendations for prevention, including assessing one's digital footprint and value to attackers, using privacy tools, updating social media settings, and spreading disinformation to obscure true personal details and locations that could be leveraged in attacks.
Hacking Your Career – Hacker Halted 2019 – Keith TurpinEC-Council
HACKING YOUR CAREER
Learn how to take charge of your future and ring success out of every opportunity. I had some hard lessons on my way to becoming the CISO of a billion dollar company and now you can benefit from those experiences. In this candid conversation, you will learn the secrets to kicking your career’s ass.
HACKING DIVERSITY
We talk a lot about why diversity is important and we are all familiar with the woeful inclusion stats. In this talk we will discuss why diversity is important from both the perspective of an organization’s bottom line and the individual contributor.
Cloud Proxy Technology – Hacker Halted 2019 – Jeff SilverEC-Council
The document provides an overview of cloud proxy technology and cyber security. It discusses how proxies work by terminating connections between users and servers and inspecting transmitted objects. The document then shares several "real world" examples of how proxies can detect and prevent phishing attempts, malware infections, and other cyber threats by analyzing URLs, file downloads, and network traffic patterns. It emphasizes the importance of threat intelligence and how proxies use global intelligence networks to identify and block malicious activity in real-time.
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...EC-Council
This document discusses strategies for reducing DNS data leakage and protecting online privacy. It begins with an introduction and overview of topics to be covered, including why DNS data is important from a privacy perspective, common DNS privacy exploits, insecure DNS resolution processes, and solutions for anonymizing DNS data like DNS over HTTPS and DNS over TLS. The document provides details on how DNS data can be tracked and leaked, as well as tools and techniques for analyzing DNS traffic and protecting privacy, including public secure resolvers, browser-based protections, VPNs, and running one's own recursive resolver. It concludes with taking privacy to varying degrees and balancing privacy with usability.
Data in cars can be creepy – Hacker Halted 2019 – Andrea AmicoEC-Council
THE $750 BILLION VEHICLE DATA GOLD RUSH – PIRATES AHOY!
Vehicle data may be worth $750b by 2030. Problem: vehicle security, privacy, and user awareness of risks are inadequate. Andrea Amico will share some exploits including his “CarsBlues” which exposes people’s personal data, affects 22 makes, and is still a 0-Day for tens of millions of vehicles.
BREAKING SMART [BANK] STATEMENTS
Explanation of how I find and exploit a security flaw (bad implementation of cryptography) in a bank statement, sent via email, of one of the biggest banks in Mexico.
Are your cloud servers under attack?– Hacker Halted 2019 – Brian HilemanEC-Council
ARE YOUR CLOUD SERVERS UNDER ATTACK
For this presentation, I built out a test lab in AWS and allowed someone to hack the servers. I will talk about what we saw when we opened RDP to the internet, what the hackers did once they got in, and someone trying to kick me off my own servers.
War Game: Ransomware – Global CISO Forum 2019EC-Council
This document describes a tabletop exercise to simulate responding to a ransomware attack. It provides examples of recent ransomware attacks against various organizations, including municipalities and healthcare and private companies. These resulted in ransoms demanded from $51,000 to $600,000 and costs of recovery and lost operations from $17 million to companies having to cease operations. The exercise involves forming an incident response team and working through simulated ransomware attacks, assessing damage, determining payment and recovery options, developing alternative communications, and deciding whether to pay a ransom demand.
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...EC-Council
Behold the powers of behavioral alchemy! Are you ready to unleash 4 "Trojan Horses for the Mind" that will change the way you communicate forever? How about a magic wand that will help manifest secure behaviors and shape culture? Attend this session and harness the power.
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...EC-Council
Present your risk assessments to your board of directors in the language they understand - financial loss. "FAIR" or "Factor Analysis of Information Risk" is the quantitative risk analysis methodology that works with common frameworks while adding context for truly effective risk management.
Alexa is a snitch! Hacker Halted 2019 - Wes WidnerEC-Council
ALEXA IS A SNITCH!
You’re not paranoid, your voice assistant is listening. And what’s worse, Alexa is stitching on you! What is she hearing? Where is she sending it? And is there anything we can do to stop her?!
Join me as we discuss the current state of security around voice assistants. And how to silence them.
Hacker Halted 2018: Don't Panic! Big Data Analytics vs. Law EnforcementEC-Council
A man was discovered murdered on a street late at night. Police were called to the scene and began their investigation. They found limited clues but saw footage of a potential suspect. Detectives then used big data analytics to identify individuals near the crime scene around the time of the murder. This led them to three male suspects. Further investigation of these suspects focused on building profiles of their patterns of life in hopes of identifying the killer.
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...EC-Council
This document provides guidance on effective communication when delivering bad news or security incidents to various stakeholders. It discusses targeting communications to different audience levels, including end users, middle management, and C-level executives. For each group, it suggests focusing on the relevant impact and providing information in a concise, judicious, and empathetic manner. The document also emphasizes the importance of non-verbal communication and body language awareness to ensure the intended message is properly conveyed.
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxSitimaJohn
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
Introduction of Cybersecurity with OSS at Code Europe 2024Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on automated letter generation for Bonterra Impact Management using Google Workspace or Microsoft 365.
Interested in deploying letter generation automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
A Comprehensive Guide to DeFi Development Services in 2024Intelisync
DeFi represents a paradigm shift in the financial industry. Instead of relying on traditional, centralized institutions like banks, DeFi leverages blockchain technology to create a decentralized network of financial services. This means that financial transactions can occur directly between parties, without intermediaries, using smart contracts on platforms like Ethereum.
In 2024, we are witnessing an explosion of new DeFi projects and protocols, each pushing the boundaries of what’s possible in finance.
In summary, DeFi in 2024 is not just a trend; it’s a revolution that democratizes finance, enhances security and transparency, and fosters continuous innovation. As we proceed through this presentation, we'll explore the various components and services of DeFi in detail, shedding light on how they are transforming the financial landscape.
At Intelisync, we specialize in providing comprehensive DeFi development services tailored to meet the unique needs of our clients. From smart contract development to dApp creation and security audits, we ensure that your DeFi project is built with innovation, security, and scalability in mind. Trust Intelisync to guide you through the intricate landscape of decentralized finance and unlock the full potential of blockchain technology.
Ready to take your DeFi project to the next level? Partner with Intelisync for expert DeFi development services today!
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
Monitoring and Managing Anomaly Detection on OpenShift.pdfTosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on integration of Salesforce with Bonterra Impact Management.
Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Best 20 SEO Techniques To Improve Website Visibility In SERPPixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
Fueling AI with Great Data with Airbyte WebinarZilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
2. 2Fortinet - Confidential
Introduction
21 years military
»USAF – nuclear weapons
»USA – FC/test pilot, threat officer, various leadership roles
20 years security management and consulting
»NASA JPL, World Bank, CME, Delta Air Lines, Humana, HECO, Honda
NA, USAA, Corning, many others
»Consulting, Practice Manager, Director of Security, CISO
Currently: Strategist at Fortinet
»Technology + resource management + business needs = CISO success
3. 3Fortinet - Confidential
Bingo Time!
Deep Analytics
Crowdculture
Virtual / Augmented Reality
Big / Real Big / Way Big Data
Holistic Eco_______
Artificial Intelligence
Machine Learning
Deep learning
4. 4Fortinet - Confidential
LEVEL II
» Content Pattern Recognition
» Looks at wrappers and payload for repeats
» Handles large volumes of permutations
» Proactive in nature, but manually created
Malicious File Packed/Encrypted Run time/memory
Pack Run
Headers
1111010101010
Code
0010101010101
1010101010101
10111101010111
Data
1010101010111
1010101010101
1010101010101
Headers
1111010101010
Code
0010101010101
1010101010101
10111101010111
Data
1010101010111
1010101010101
1010101010101
Headers
1111010101010
Code
0010101010101
1010101010101
10111101010111
Data
1010101010111
1010101010101
1010101010101
Antivirus Evolution
LEVEL I
» Simple MD5 / SHA 56 computations
» Resulted in large DBs for file comparisons
» One signature – one piece of malware
» Reactive and non-responsive to mutations
C:Md5sum malware.exe
5e3830ee3282a53920e00784fec44cfd (malware.exe)
Cfac6385a0cdd5f09b2e38c833c93c9d
5ae8c55fbc7b8f5bafa1af1675478cba
1af8e09e41fc850e15ffc4ea0be68c21
ce1ff097a3f0afec3bd5c5f0fb57cfda
80f27e4d562dc4f55e38f4088251e83c
bf6ba9baa2e0dcb8d175a4ff594dccd9
5e3830ee3282a53920e00784fec44cfd
Malware Found
5. 5Fortinet - Confidential
AI Visions
Facebook ‘emergency shutdown
Fear over planet being “Zuckerburged”’
Reality Was different
6. 6Fortinet - Confidential
Alan Turing called an infant’s mind an
‘unorganized machine’ in 1930s
Created early definitions of machine learning
» First type (A) consists of simple NAND
(negative – AND gates
» Second type (B) is combination of A types with modifiers
added – results in weighted input/variable output method
» Saw the need for:
Seeded solution set of accurate or known potential output
Population of variably weighted pieces or functions
A method for removing the worst solutions while retaining the best
Early AI Defined
Major inhibitor of his research – was far ahead of available capabilities in
terms of computing power.
7. 7Fortinet - Confidential
Artificial Intelligence – Nearing a Century
History of AI Outside Cyber Security Industry
1930s
Turing, Kleene and
Church propose
machine learning
solution
1943
McCullouch and
Pitts create formal
design of Turing’s
‘artificial neurons’
1956
AI research
formally founded as
a discipline at
Dartmouth
College
1960s
AI research
heavily funded
by the U. S.
military
1974
The First AI Winter
Difficulty resulted in
funding cuts in US
and Britain
1980s
Proliferation of
Expert Systems
Lisp vs. PC
1990s
AI applied to
data mining,
medical
diagnosis with
increased CPU
power
1997
IBM Deep Blue
beats Grand
Master Kasparov
in chess
2003
Deep learning is
achieved using
faster computing,
large data
structures
2011
IBM Watson
defeats Jeopardy
champions Brad
Rutter and Ken
Jennings
2013
IBM Watson
application for
management
decisions of lung
cancer treatment
2015
2,700+ AI projects
in place at
Google
2017
Elon Musk
calls for the
regulation of AI
before we hit
100 years
8. 8Fortinet - Confidential
Supervised Learning – Using known solution sets
to embed proper functions and create proper output.
» Reinforcement – action on an environment
triggers an observation resulting in a defined state.
Unsupervised Learning – unknown solution sets
» Clustering – group according to similarities.
» Dimensionality Reduction – deductive reasoning.
» Structured Prediction – random fields are analyzed to
predict according to defined output probabilities.
» Anomaly Detection – input does not match expectations.
Types of Problem Solving
Artificial Neural Networks (ANNs)
Large collections of simple interconnected nodes (neurons), each with a weighted input and output value.
?!
9. 9Fortinet - Confidential
Consists of three or more layers
» Input layer
» One or more hidden layers
» Output layer
Layers are made of up nodes
» Connected to every node in the previous
and subsequent layer
» Provide discrete processing of input information
(files and features)
» Produces an output value based on inputs, function,
and weighted valuation
Type of AI – Artificial Neural Network (Multilayer Perceptron)
The Multilayer Perceptron approach provides deep
machine learning capabilities.
MP behavior is similar to human neurons - if
input is strong enough, signal is passed
according to weighted value
Input layer
Hidden layer 1 Hidden layer 2
Output layer
Inputs Weights Sum Output
Input 1
Input 2
Input 3
YES/NO
decision
∑
10. 10Fortinet - Confidential
Point observable characteristics based on code blocks
» Files are parsed when entering the system
1 : 1 relationship with nodes
Features are maintained in a knowledgebase
repository (features, pattern recognition sigs, other
information)
Quality is critical
» Provides more accurate determination of file status
» We leveraged internal legacy samples (~.5PB) to create
features from samples
Each feature is weighted to assist in decisions
Feature weighting can change over time
Features
f - feature
w - weight
Func(f1*w1+f2*w2+...+fn*wn) -> {0,1}
Feature/Node Algorithm
11. 11Fortinet - Confidential
System is fed initial data sets for analysis
» Supervised machine learning approach
Files are broken into code blocks
Information (features) extracted during the
learning phase.
» Binary present within the blocks
» Represents behavioral activation
The system learns by weight features based on
» Surety of indicators (‘tells’)
» Frequency of observation
Layers + Nodes + Features = Learning
Source accuracy of the population input A computer program is said to learn from
experience E with respect to some class of tasks T and performance measure P if
its performance at tasks in T, as measured by P, improves with experience E.
12. 12Fortinet - Confidential
Features, Nodes & Weights – Single Instance
70
FEATURE
100 wt.
NODE
+90
FEATURE
100 wt.
NODE
-20File Result
INPUT LAYER HIDDEN LAYER HIDDEN LAYER OUTPUT LAYER
File
1. We start with an input file – malicious or clean
2. Feature presence is calculated, re-weighted and passed forward to the next node
3. The analysis is repeated using the next layer feature, then passed to the next node
4. Result – the overall probability based on a score of feature presence
13. 13Fortinet - Confidential
Features, Nodes & Weights – Multiple Instance
FEATURES FEATURES
Result
INPUT LAYER MALICIOUS LAYER CLEAN LAYER OUTPUT LAYER
File
14. 14Fortinet - Confidential
AI Operational Example - Machine vs. Malware
1 = process the input file
2 = 2.3 billion nodes analyzing potential malicious
features
3 = 3.2 Billion nodes analyzing files for clean features
4 = output or decision layer (1 = malicious , 0 = clean)
4 Layer Architecture
Consists of separate layers for either malicious or clean feature processing
Mathematical models compare samples and features to decide output
Input layer
Malicious Layer Clean Layer
Output layer
FortiGuard AI
Output is a result of 2.3B x 3.2B individual node computations.
Initial capability – 58 samples per second
15. 15Fortinet - Confidential
System Training
FEATURES
REPOSITORY
TRAINING
FILES
1. We start with AI and an
empty feature repository
2. A training set of files are
input, consisting of clean and
malicious files. Files are
labeled for initial training
3. Files are input and
broken into code blocks.
AI logic builds a set of
features.
4. Features are modified as the
system learns (weighting values,
next phase)
AI
16. 16Fortinet - Confidential
System Testing
MALICIOUS
CLEAN
FEATURES
REPOSITORY
TESTING
FILES
OUTPUT1. Test samples are selected
and input to the system
2. Using the feature repository,
samples are analyzed
3. As this occurs, existing
features may get modified
or others added
4. The system determines clean
or malicious output
5. Output is compared to expected
results. If not accurate, reset to
known point and retrain.
RESULTS
EXAMINED
AI
17. 17Fortinet - Confidential
AI in Operation
MALICIOUS
CLEAN
OUTPUT
INPUT
RAW SAMPLES
Feature Set Improvements
Quality
Stabilized Number
Weighting Confidence
Continued Accuracy
to a High Degree of
Confidence
FEATURESQuantity
Quality
18. 18Fortinet - Confidential
Has to integrate to support current systems
Must use features (code blocks), create signatures
Continuous, seamless operational support
Managing New Malware
?!
Problem - how to introduce new samples and create new features
New features are naturally regressed in weight – no history
Requires false weighting to have value in decisions
Cannot subvert existing weighted features
Cannot use single samples / false weight
Would cause heavy skewing of results
Introduces potentially large errors in main system
19. 19Fortinet - Confidential
New Malware Management System – Part I
AI
130+ Threat Feeds
Global Sensors
CTA
1
New Files
2 Sandbox
Non-matching Feature Sets
(all code blocks)
A ‘rolling’ input is used – last batch + new
AI is fast – millions per day
Sandbox is slower – 10s/K per day
Features created as in original training
Features are relative to AI – consist of code
blocks, which are also used by CPR
AI
3 4
20. 20Fortinet - Confidential
New Malware Management System – Part II (AI Side)
1
2
3
4
5
6
Knowledgebase Repository
Production
Feature Set
21. 21Fortinet - Confidential
New Malware Management System – Part III
2 4
5
Knowledgebase Repository
Production CPR
Signature Set
CB
CB
CB
CB
CB
CB
CB
CB
CB
CB
7Customer Enterprise
1 3
6
CPR
Engine
8
22. 22Fortinet - Confidential
Results
• Significantly Increases cybercriminal cost burden for limited return
• Obtain unsurpassed accuracy not possible through manual methods
• Eliminate manual labor/potential errors
• Create autonomous system – operational and continued learning
23. 23Fortinet - Confidential
Take-Aways
• AI as a business solution is not
trivial
• Large effort to implement
• Example ~ 8 years to date
• AI should ease technical resource
demands
• Reallocate to more critical tasks
• Hybrid approaches cause more labor
Anyone pitching AI without some level of
detail is probably BS Bingo selling
• Should not have to watch it
• Tell it right from wrong?
• Lack of trust = poor implementation
We present a hybrid data mining approach to detect
malicious executables. In this approach we identify important
features of the malicious and benign executables. These features
are used by a classifier to learn a classification model that can
distinguish between malicious and benign executables. We
construct a novel combination of three different kinds of
features: binary n-grams, assembly n-grams, and library function
calls. Binary features are extracted from the binary executables,
whereas assembly features are extracted from the disassembled
executables. The function call features are extracted from the
program headers. We also propose an efficient and scalable
feature extraction technique. We apply our model on a large
corpus of real benign and malicious executables. We extract the
abovementioned features from the data and train a classifier
using Support Vector Machine. This classifier achieves a very
high accuracy and low false positive rate in detecting malicious
executables. Our model is compared with other feature-based
approaches, and found to be more efficient in terms of detection
accuracy and false alarm rate.
Watson used 200 million pages of structured & unstructured content, 4 terabytes
Clustering - Task based, used to define probabilities. Walls + air + constant temperature = room. Air + flat surface does not equal room.
Dimensionality - determine solution by eliminating noise.
Structured prediction - Used for language modeling
Anomaly detection - Think bank fraud detection techniques.
Reinforcement learning - Used extensively in game theory. Good action = good result, bad action = bad result.
Different file types are sent to different nodes within each layer, for instance a pdf file will be sent to a different layer than a exe.
If we are dealing with EXE files, one of the features that we extract is the code block (assembly code snippets) which should then be normalised (eg extracting patterns that could change between malwares) before hashing them (reduced representation of features)
Different file types are sent to different nodes within each layer, for instance a pdf file will be sent to a different layer than a exe.
If we are dealing with EXE files, one of the features that we extract is the code block (assembly code snippets) which should then be normalised (eg extracting patterns that could change between malwares) before hashing them (reduced representation of features)
Different file types are sent to different nodes within each layer, for instance a pdf file will be sent to a different layer than a exe.
If we are dealing with EXE files, one of the features that we extract is the code block (assembly code snippets) which should then be normalised (eg extracting patterns that could change between malwares) before hashing them (reduced representation of features)
Training Phase – Malicious and Clean files , flagged as so, are passed through classifier in a feature extraction (collection and selection).
We have two sets of data, one that is used for training and one other for testing
Both should be the most accurate representation of malware families and behavior to start off with a good initial footprint.
We ingest new samples from a large array of sources, to include 120 threat feeds (such as STIX, FS-ISAC, VirusTotal, CTA, etc.) and our more than 3 million deployed global sensors.
We follow the same methodology as when we trained the larger system by breaking files into code blocks using technologies similar to IDA.
The difference is that now we will feed them into 2 smaller AI systems with much smaller nodes and feature set capacity. The first system is imply an AI and we get features created as we did when we trained the larger system. This particular instance is very fast – it can process millions of files per day.
The second system uses a sandbox to detonate the file and associated code blocks to analyze behavioral results. The features are built much as they are in the simpler AI system, with the exception that the malware was activated resulting in different features than the non-detonated sample.
Basically we do this for each new sample we want to analyze. The feature sets fill within both systems, but they are different.
We first look at the AI side.
The features we created are compared with the larger production feature set to determine if there are duplicates. If so, the production feature is weighted due to the hit, then removed from the smaller AI feature set.
Next, all feature weights are added together, and the sum is divided by the number of features. This provides an average. The features below the average are removed, those above the average are retained.
The AI features now only have the best of what was created during this filtering process.
Now we reintroduce the malware and test the features to determine performance.
We note which features produce the best results as far as speed, malware identification, and zero false positives. Only those features that contribute significantly are retained.
We then artificially pad the new features so they will be significant within the production feature set.
We did not lose significant features when we did this – after 5 years the system still has hundreds of thousands of features that are insignificant.
As the new features are integrated into the analysis process, they are treated the same as any other feature – their weight value may increase or decrease over time.
The features we previously extracted have a weighted value at this point. We then check the current production features located in the knowledgebase repository. If duplicates exist, we add some weighting to the production features and remove them from the smaller AI feature set.
We then add the AI feature weights in and divide that by the number of features. This gives us an average weight. We then cull out the lower ones and retain the higher weighted features.
The system is reset and the are new features are placed in it.
The malware is untagged (so the system does not know) and fed into the system.
The features that provided the most speed, accuracy of detection, and lowest false positives are retained.
The features are given additional weight value
The features are added to the knowledge base where the production AI uses them to continue analysis of incoming files
Next we look at the CPRL side, which is very similar to the smaller AI but with a couple of key differences.
As in the AI version, the features we previously extracted have a weighted value at this point. We then check the current production features located in the knowledgebase repository. If duplicates exist, we add some weighting to the production features and remove them from the smaller sandbox/AI feature set.
We add the sandbox/AI feature weights in and divide that by the number of features. This gives us an average weight. We then cull out the lower ones and retain the higher weighted features.
The system now has the best of the features loaded in the feature set.
The malware is untagged (so the system does not know) and fed into the system.
The features that provided the most speed, accuracy of detection are transformed back into the code block they originated from. The code blocks are clustered according to how well all possible combinations did during testing.
CPRL signatures are created and uploaded to the knowledgebase repository.
The signatures are distributed to Fortinet customer Secure Fabric implementations.
Next we look at the CPRL side, which is very similar to the smaller AI but with a couple of key differences.
As in the AI version, the features we previously extracted have a weighted value at this point. We then check the current production features located in the knowledgebase repository. If duplicates exist, we add some weighting to the production features and remove them from the smaller sandbox/AI feature set.
We add the sandbox/AI feature weights in and divide that by the number of features. This gives us an average weight. We then cull out the lower ones and retain the higher weighted features.
The system now has the best of the features loaded in the feature set.
The malware is untagged (so the system does not know) and fed into the system.
The features that provided the most speed, accuracy of detection are transformed back into the code block they originated from. The code blocks are clustered according to how well all possible combinations did during testing.
CPRL signatures are created and uploaded to the knowledgebase repository.
The signatures are distributed to Fortinet customer Secure Fabric implementations.
Next we look at the CPRL side, which is very similar to the smaller AI but with a couple of key differences.
As in the AI version, the features we previously extracted have a weighted value at this point. We then check the current production features located in the knowledgebase repository. If duplicates exist, we add some weighting to the production features and remove them from the smaller sandbox/AI feature set.
We add the sandbox/AI feature weights in and divide that by the number of features. This gives us an average weight. We then cull out the lower ones and retain the higher weighted features.
The system now has the best of the features loaded in the feature set.
The malware is untagged (so the system does not know) and fed into the system.
The features that provided the most speed, accuracy of detection are transformed back into the code block they originated from. The code blocks are clustered according to how well all possible combinations did during testing.
CPRL signatures are created and uploaded to the knowledgebase repository.
The signatures are distributed to Fortinet customer Secure Fabric implementations.