Deep Learning In Security:
An Empirical Example in User & Entity Behavior Analytics (UEBA)
Jisheng Wang, Min-Yi Shen
© 2016 Niara Inc. All Rights reserved. Proprietary and Confidential
ME
Jisheng Wang, Chief Scientist at Niara
• Over 12 years of experience applying machine learning and big data technology to security
• Ph.D. from Penn State – ML in security with 100GB of data
• Technical Leader at Cisco – Security Intelligence Operations (SIO), 10B/day
• Leads the overall big data analytics innovation and development at Niara
US
Niara
• Recognized leader by Gartner in user and entity behavior analytics (UEBA)
• Re-inventing enterprise security analytics for attack detection and incident response
USER & ENTITY BEHAVIOR ANALYTICS (agenda)
UEBA SECURITY – why this matters (you are here)
UEBA SOLUTION – how to detect attacks before damage is done
BEYOND DEEP LEARNING – how to build a comprehensive solution
PROBLEM: THE SECURITY GAP
[Chart: security spend on prevention & detection (US $B) vs. number of data breaches]
PROBLEM: CAUSE OF THE GAP
ATTACKERS – are quickly innovating & adapting
BATTLEFIELD – with IoT and cloud, security is borderless
PROBLEM: ADDRESSING THE CAUSE
Cause: attackers are quickly innovating & adapting
Response: DEEP LEARNING – solutions must be responsive to changes
PROBLEM: ADDRESSING THE CAUSE
Cause: battlefield – with IoT and cloud, security is borderless
Response: INSIDER BEHAVIOR – look at behavior change of inside users and machines
USER & ENTITY BEHAVIOR ANALYTICS (UEBA)
MACHINE LEARNING DRIVEN BEHAVIOR ANALYTICS IS A NEW WAY TO COMBAT ATTACKERS
1. Machine driven, not only human driven
2. Detect compromised users, not only attackers
3. Post-infection detection, not only prevention
REAL WORLD NEWS WORTHY EXAMPLES
COMPROMISED – 40 million credit cards were stolen from Target's servers (STOLEN CREDENTIALS)
NEGLIGENT – DDoS attack from 10M+ hacked home devices took down major websites (ALL USED THE SAME PASSWORD)
MALICIOUS – Edward Snowden stole more than 1.7 million classified documents (INTENDED TO LEAK INFORMATION)
USER & ENTITY BEHAVIOR ANALYTICS (agenda)
UEBA SECURITY – why this matters
UEBA SOLUTION – how to detect attacks before damage is done (you are here)
BEYOND DEEP LEARNING – how to build a comprehensive solution
REAL WORLD ATTACKS CAUGHT BY NIARA
SCANNING ATTACK – scanning servers in the data center to find vulnerable targets; DETECTED WITH AD LOGS
EXFILTRATION OF DATA – uploading a large file to a cloud server hosted in a country never accessed before; DETECTED WITH WEB PROXY LOGS
DATA DOWNLOAD – downloading data from an internal document repository, which is not typical for the host; DETECTED WITH NETWORK TRAFFIC
BEHAVIOR ENCODING – USER
[Figure: encoded behavior images, User 1 vs. User 2]
BEHAVIOR ENCODING – USER VS MACHINE
[Figure: encoded behavior image of a user vs. a machine]
BEHAVIOR ANOMALY USER | EXFILTRATION
[Figure: user behavior image before compromise vs. post compromise]
BEHAVIOR ANOMALY MACHINE | DATA DOWNLOAD
[Figure: Dropcam behavior image before compromise vs. post compromise]
BEHAVIOR DETECTION ARCHITECTURE
Input data (user activities) -> Stream data pre-processing -> Behavior encoding  [Apache Spark]
Behavior encoding -> Labeled user behavior repository -> CNN training -> Behavior classifier  [TensorFlow]
Behavior classifier -> Behavior anomaly detection
CNN – COMPUTATION GRAPH
Feature extraction:
Behavior image (24x60x9)
-> 8x20 convolution -> feature maps (24x60x40)
-> 2x2 pooling -> feature maps (12x30x40)
-> 4x10 convolution -> feature maps (12x30x80)
-> 2x2 pooling -> feature maps (6x15x80)
Classification:
-> fully connected -> 1024 nodes
-> fully connected with dropout -> output layer (user labels)
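The slides show the behavior image and the layer shapes but not how a day of activity becomes that 24x60x9 input, nor whether the stated shapes are consistent. The added example below (not Niara's code) encodes one entity-day of events into the tensor and traces it through the stated graph to check every feature-map shape and count parameters. Assumptions, since the slides do not define them: the three axes are hour x minute x activity channel, the nine channel names are hypothetical, convolutions use 'same' padding (the only padding that keeps 24x60 after an 8x20 kernel, as the slide shows), and the output layer has one node per user label.

```python
# Added example (not Niara's code): behavior-image encoding plus a shape and
# parameter trace of the CNN computation graph shown on the slide.
# Assumptions: axes are hour x minute x channel, the channel names are
# hypothetical, convolutions use 'same' padding, one output node per user.

HOURS, MINUTES = 24, 60
CHANNELS = [  # hypothetical per-minute activity channels (assumption)
    "ad_login", "vpn_login", "proxy_bytes_up", "proxy_bytes_down",
    "fileshare_read", "fileshare_write", "email_sent", "saas_access",
    "new_destination",
]


def encode_day(events):
    """Sum (hour, minute, channel, value) events into a 24x60x9 tensor.

    Returns nested lists img[hour][minute][channel]. Out-of-range times and
    unknown channels are rejected rather than silently dropped: a silently
    truncated profile would look like a quiet (benign) day to the classifier.
    """
    img = [[[0.0] * len(CHANNELS) for _ in range(MINUTES)] for _ in range(HOURS)]
    for hour, minute, channel, value in events:
        if not (0 <= hour < HOURS and 0 <= minute < MINUTES):
            raise ValueError(f"timestamp out of range: {hour:02d}:{minute:02d}")
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel: {channel}")
        img[hour][minute][CHANNELS.index(channel)] += float(value)
    return img


def channel_total(img, channel):
    """Total activity on one channel over the whole day."""
    c = CHANNELS.index(channel)
    return sum(img[h][m][c] for h in range(HOURS) for m in range(MINUTES))


# The computation graph from the slide, in order. Dropout adds no parameters.
ARCH = [
    ("conv1", "conv", (8, 20), 40),
    ("pool1", "pool", (2, 2), None),
    ("conv2", "conv", (4, 10), 80),
    ("pool2", "pool", (2, 2), None),
    ("fc1", "fc", None, 1024),
    ("fc2_dropout_out", "fc", None, "num_users"),
]


def trace_shapes(num_users, in_shape=(HOURS, MINUTES, len(CHANNELS))):
    """Walk the graph; return [(layer, output_shape, parameter_count), ...]."""
    h, w, c = in_shape
    rows = [("behavior_image", (h, w, c), 0)]
    flat = None
    for name, kind, kernel, out in ARCH:
        if kind == "conv":            # 'same' padding keeps h and w
            kh, kw = kernel
            params = kh * kw * c * out + out   # weights + one bias per map
            c = out
            rows.append((name, (h, w, c), params))
        elif kind == "pool":          # non-overlapping pooling halves h and w
            ph, pw = kernel
            h, w = h // ph, w // pw
            rows.append((name, (h, w, c), 0))
        else:                         # fully connected: flatten on first use
            fan_in = flat if flat is not None else h * w * c
            n = num_users if out == "num_users" else out
            rows.append((name, (n,), fan_in * n + n))
            flat = n
    return rows


def total_params(num_users):
    return sum(p for _, _, p in trace_shapes(num_users))


if __name__ == "__main__":
    # Constructed sample day: two AD logins at 09:05 and a 1.5 MB upload at 23:59.
    sample = [(9, 5, "ad_login", 1), (9, 5, "ad_login", 1),
              (23, 59, "proxy_bytes_up", 1_500_000)]
    img = encode_day(sample)
    print("ad_login total:", channel_total(img, "ad_login"))
    for name, shape, params in trace_shapes(num_users=500):
        print(f"{name:16s} {str(shape):14s} params={params:,}")
    print("total parameters:", f"{total_params(500):,}")
```

The trace reproduces the slide's shapes exactly (24x60x40, 12x30x40, 12x30x80, 6x15x80, 1024), and shows where the capacity sits: the 7200-to-1024 fully connected layer holds over 7 million of the roughly 8 million weights for a 500-user deployment, which is why that layer is the one the slide regularizes with dropout. The encoder's hard failure on bad timestamps is deliberate: in a detector, a dropped event is a missed signal, not a harmless default.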
CNN – PROGRESSION OF TRAINING ERROR
[Plot: training error vs. # of minibatches (100 profiles/batch)]
USER & ENTITY BEHAVIOR ANALYTICS (agenda)
UEBA SECURITY – what is UEBA
UEBA SOLUTION – infrastructure needed for deep learning
BEYOND DEEP LEARNING – how to build a comprehensive solution (you are here)
BEYOND DEEP LEARNING: ENSEMBLE LEARNING
Behavioral analytics over many behavior types of the same entity:
• Internal Resource Access – finance servers
• Authentication – AD logins
• Remote Access – VPN logins
• External Activity – C&C, personal email
• SaaS Activity – Office 365, Box
• Cloud IaaS – AWS, Azure
• Physical Access – badge logs
• Exfiltration – DLP, email
Ensemble approach using a mix of different models over various types of behaviors from the same entity.
BEYOND DEEP LEARNING: REINFORCEMENT LEARNING
Self learning: initial parameters + input data + local context -> models -> alerts
Interactive learning: user feedback on alerts -> models
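The two slides above say that per-behavior-type models are combined per entity and that analyst feedback on alerts flows back into the models, but not how. The added example below (not Niara's code) is the simplest working form of both loops: each source scores an entity against its own baseline, the per-source scores are fused with weights into one risk score, and confirming or rejecting an alert moves the weights of the sources that drove it. The robust z-score stands in for whatever per-source model a real deployment uses (an assumption), and every baseline and "today" number is constructed sample data.

```python
# Added example (not Niara's code): per-source anomaly scores fused into one
# entity risk score, with analyst feedback re-weighting the sources.
# The robust z-score per source is a stand-in model (assumption); all numbers
# below are constructed sample data for one user.
import statistics

SOURCES = ["internal_access", "ad_auth", "vpn", "external_mb",
           "saas", "iaas", "badge", "dlp"]

# Constructed 14-day baseline: daily event counts, megabytes for external_mb.
BASELINE = {
    "internal_access": [12, 10, 11, 13, 9, 12, 11, 10, 14, 12, 11, 13, 10, 12],
    "ad_auth":         [5, 6, 5, 4, 6, 5, 5, 7, 5, 6, 4, 5, 6, 5],
    "vpn":             [1, 1, 0, 1, 1, 2, 1, 1, 0, 1, 1, 1, 2, 1],
    "external_mb":     [30, 45, 25, 50, 40, 35, 28, 60, 33, 42, 38, 29, 47, 36],
    "saas":            [8, 9, 7, 10, 8, 9, 8, 7, 9, 8, 10, 9, 8, 7],
    "iaas":            [0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0],
    "badge":           [2] * 14,
    "dlp":             [0] * 14,
}
# Constructed "today": a 2.4 GB upload plus three DLP hits, everything else normal.
TODAY = {"internal_access": 11, "ad_auth": 5, "vpn": 1, "external_mb": 2400,
         "saas": 8, "iaas": 0, "badge": 2, "dlp": 3}


def robust_z(value, baseline):
    """Median/MAD z-score, robust to the few outlier days in any baseline.

    A flat baseline (MAD 0, e.g. a source that never fired) falls back to a
    unit scale so that the first deviation still scores instead of dividing
    by zero or being ignored.
    """
    med = statistics.median(baseline)
    mad = statistics.median(abs(x - med) for x in baseline)
    scale = 1.4826 * mad if mad else 1.0
    return (value - med) / scale


class EntityRisk:
    def __init__(self, weights=None):
        self.weights = dict(weights) if weights else {s: 1.0 for s in SOURCES}

    def score(self, today, baseline):
        """Weighted mean of per-source anomaly scores; quieter-than-usual counts as 0."""
        per_source = {s: max(0.0, robust_z(today[s], baseline[s]))
                      for s in SOURCES if s in today and s in baseline}
        weight_sum = sum(self.weights[s] for s in per_source)
        total = sum(self.weights[s] * z for s, z in per_source.items()) / weight_sum
        return total, per_source

    def feedback(self, per_source, true_positive, lr=0.2):
        """Interactive learning: sources that drove a confirmed alert gain weight,
        sources that drove a false positive lose it, in proportion to their share."""
        driver_sum = sum(per_source.values()) or 1.0
        for s, z in per_source.items():
            share = z / driver_sum
            factor = 1 + lr * share if true_positive else 1 - lr * share
            # clamp so one analyst click can neither silence nor dominate a source
            self.weights[s] = min(max(self.weights[s] * factor, 0.1), 5.0)
        return self.weights


def top_source(per_source):
    return max(per_source, key=per_source.get)


if __name__ == "__main__":
    model = EntityRisk()
    total, per_source = model.score(TODAY, BASELINE)
    print(f"risk={total:.1f} top={top_source(per_source)} dlp_z={per_source['dlp']:.1f}")
    # Analyst marks the alert as a sanctioned backup job: a false positive.
    model.feedback(per_source, true_positive=False)
    total_after, _ = model.score(TODAY, BASELINE)
    print(f"after feedback: risk={total_after:.1f} "
          f"w_external={model.weights['external_mb']:.2f}")
```

Two points a practitioner should take from this. The fusion is what makes the ensemble useful for triage: the web proxy source alone says "big upload", but the entity view shows the upload coincides with DLP hits while authentication, VPN and badge behavior are unchanged, which is the exfiltration pattern from the earlier slide rather than a new device or a shared account. And feedback is clamped and proportional on purpose: unbounded reinforcement would let a few analyst clicks silence a source entirely, which is exactly the blind spot an insider would wait for.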
USER & ENTITY BEHAVIOR ANALYTICS (agenda)
UEBA SECURITY – what is UEBA
UEBA SOLUTION – infrastructure needed for deep learning
BEYOND DEEP LEARNING – how to build a comprehensive solution
Thank You

Jisheng Wang at AI Frontiers: Deep Learning in Security
