This document summarizes a presentation on behavioral intrusion detection and machine learning. The presentation discusses how machine learning can help detect advanced and insider threats by analyzing behavioral patterns. It also talks about the failings of traditional cybersecurity defenses and how a philosophy of "fractal defense" can help scale detection, protection, and response across different levels of an IT ecosystem. Fractal defense is based on the concept that security principles apply across different scales, similar to how fractals exhibit repeating patterns at different magnitudes.
DeepLocker - Concealing Targeted Attacks with AI LocksmithingPriyanka Aash
In this talk, we describe DeepLocker, a novel class of highly targeted and evasive attacks powered by artificial intelligence (AI). As cybercriminals increasingly weaponize AI, cyber defenders must understand the mechanisms and implications of the malicious use of AI in order to stay ahead of these threats and deploy appropriate defenses.
DeepLocker was developed as a proof of concept by IBM Research in order to understand how several AI and malware techniques already being seen in the wild could be combined to create a highly evasive new breed of malware, which conceals its malicious intent until it reached a specific victim. It achieves this by using a Deep Neural Network (DNN) AI-model to hide its attack payload in benign carrier applications, while the payload will only be unlocked if—and only if —the intended target is reached. DeepLocker leverages several attributes for target identification, including visual, audio, geolocation, and system-level features. In contrast to existing evasive and targeted malware, this method would make it extremely challenging to reverse engineer the benign carrier software and recover the mission-critical secrets, including the attack payload and the specifics of the target.
We will perform a live demonstration of a proof-of-concept implementation of a DeepLocker malware, in which we camouflage well-known ransomware in a benign application such that it remains undetected by malware analysis tools, including anti-virus engines and malware sandboxes. We will discuss technical details, implications, and use cases of DeepLocker. More importantly, we will share countermeasures that could help defend against this type of attack in the wild.
I will talk about innovation in the area of cyber security analytics - developing machine learning methods to detect and block cyber attacks (e.g. detecting ransomware within 4 seconds of execution and killing the underlying processes). Rather than just focusing on this as a 'black box', I'll pull it apart and talk about how we can use these methods to enable security practitioners (SOC/CIRT etc) to ask and answer questions about 'what' and 'why' these methods are flagging attacks. I'll also talk about resilience of machine learning methods to manipulation and adversarial attacks - how stable these approaches are to diversity and evolution of malware for example.
Machine learning cybersecurity boon or boondogglePriyanka Aash
Machine learning (ML) and artificial intelligence (AI) are the latest “shiny new things” in cybersecurity technology but while ML and AI hold great promise for automating routine processes and tasks and accelerating threat detection, they are not a panacea. This session will demonstrate what they can and can’t do in a cybersecurity program through real world examples of possibilities and limits.
(Source: RSA Conference USA 2017)
This document discusses two new security paradigms: 1) Knowing your enemy by analyzing attackers and their methods through a game theoretic lens, and 2) Applied security by obscurity using logical complexity and one-way programming to obscure systems from attackers.
The document provides background on old security paradigms, including the view that security is an architectural problem solved by separating secure and insecure areas, and the assumption that attackers have unlimited logical and programming powers. It then introduces the new paradigm of knowing your enemy by modeling security as a game of incomplete information, where players try to learn about each other's capabilities and strategies. The document outlines a simple model of this security game.
The second new paradigm discussed is applied security
The document discusses several testbeds and frameworks for evaluating intrusion detection systems (IDS), including the Air Force Evaluation Environment, LARIAT, and TIDeS testbeds. The TIDeS framework allows for customized testing scenarios, automated evaluations, and uses fuzzy logic to evaluate IDS performance based on metrics like detection depth, breadth, and false alarms. It generates realistic network profiles and traffic and can test IDSs under different environments.
Advances in cloud scale machine learning for cyber-defensePriyanka Aash
Picking an attacker’s signals out of billions of log events in near real time from petabyte scale storage is a daunting task, but Microsoft has been using security data science at cloud scale to successfully disrupt attackers. This session will present the latest frameworks, techniques and the unconventional machine-learning algorithms that Microsoft uses to protect its infrastructure and customers.
(Source : RSA Conference USA 2017)
DeepLocker - Concealing Targeted Attacks with AI LocksmithingPriyanka Aash
In this talk, we describe DeepLocker, a novel class of highly targeted and evasive attacks powered by artificial intelligence (AI). As cybercriminals increasingly weaponize AI, cyber defenders must understand the mechanisms and implications of the malicious use of AI in order to stay ahead of these threats and deploy appropriate defenses.
DeepLocker was developed as a proof of concept by IBM Research in order to understand how several AI and malware techniques already being seen in the wild could be combined to create a highly evasive new breed of malware, which conceals its malicious intent until it reached a specific victim. It achieves this by using a Deep Neural Network (DNN) AI-model to hide its attack payload in benign carrier applications, while the payload will only be unlocked if—and only if —the intended target is reached. DeepLocker leverages several attributes for target identification, including visual, audio, geolocation, and system-level features. In contrast to existing evasive and targeted malware, this method would make it extremely challenging to reverse engineer the benign carrier software and recover the mission-critical secrets, including the attack payload and the specifics of the target.
We will perform a live demonstration of a proof-of-concept implementation of a DeepLocker malware, in which we camouflage well-known ransomware in a benign application such that it remains undetected by malware analysis tools, including anti-virus engines and malware sandboxes. We will discuss technical details, implications, and use cases of DeepLocker. More importantly, we will share countermeasures that could help defend against this type of attack in the wild.
I will talk about innovation in the area of cyber security analytics - developing machine learning methods to detect and block cyber attacks (e.g. detecting ransomware within 4 seconds of execution and killing the underlying processes). Rather than just focusing on this as a 'black box', I'll pull it apart and talk about how we can use these methods to enable security practitioners (SOC/CIRT etc) to ask and answer questions about 'what' and 'why' these methods are flagging attacks. I'll also talk about resilience of machine learning methods to manipulation and adversarial attacks - how stable these approaches are to diversity and evolution of malware for example.
Machine learning cybersecurity boon or boondogglePriyanka Aash
Machine learning (ML) and artificial intelligence (AI) are the latest “shiny new things” in cybersecurity technology but while ML and AI hold great promise for automating routine processes and tasks and accelerating threat detection, they are not a panacea. This session will demonstrate what they can and can’t do in a cybersecurity program through real world examples of possibilities and limits.
(Source: RSA Conference USA 2017)
This document discusses two new security paradigms: 1) Knowing your enemy by analyzing attackers and their methods through a game theoretic lens, and 2) Applied security by obscurity using logical complexity and one-way programming to obscure systems from attackers.
The document provides background on old security paradigms, including the view that security is an architectural problem solved by separating secure and insecure areas, and the assumption that attackers have unlimited logical and programming powers. It then introduces the new paradigm of knowing your enemy by modeling security as a game of incomplete information, where players try to learn about each other's capabilities and strategies. The document outlines a simple model of this security game.
The second new paradigm discussed is applied security
The document discusses several testbeds and frameworks for evaluating intrusion detection systems (IDS), including the Air Force Evaluation Environment, LARIAT, and TIDeS testbeds. The TIDeS framework allows for customized testing scenarios, automated evaluations, and uses fuzzy logic to evaluate IDS performance based on metrics like detection depth, breadth, and false alarms. It generates realistic network profiles and traffic and can test IDSs under different environments.
Advances in cloud scale machine learning for cyber-defensePriyanka Aash
Picking an attacker’s signals out of billions of log events in near real time from petabyte scale storage is a daunting task, but Microsoft has been using security data science at cloud scale to successfully disrupt attackers. This session will present the latest frameworks, techniques and the unconventional machine-learning algorithms that Microsoft uses to protect its infrastructure and customers.
(Source : RSA Conference USA 2017)
This document discusses challenges in detecting lateral movement attacks and proposes a solution using machine learning models. It summarizes:
1) Independent alert streams from security tools create a triage burden and do not capture complex attacks.
2) A combined model is built to detect compromised accounts/machines from Windows event logs, assessing login probability, credential elevation, and other signals.
3) The combined model ranks sessions using gradient descent learning to rank. Testing with penetration testers showed the top-ranked sessions had a 96% precision.
Indicators of Compromise were meant to solve the failures of signature-based detection tools. Yet today’s array of IOC standards, feeds and products haven’t impeded attackers, and most intel is shared in flat lists of hashes, IPs and strings. This session will explore why IOCs haven’t raised the bar, how to better utilize brittle IOCs and how to use intrinsic network data to craft better IOCs.
(Source: RSA USA 2016-San Francisco)
Reducing cyber risks in the era of digital transformationSergey Soldatov
The session record is available here: https://www.youtube.com/watch?v=5-CoJNjtAmY
Link to all sessions from Sberbank ICC: https://icc.moscow/translyatsii.html
This document provides an introduction to cryptography. It defines cryptography as the science of hiding information to provide confidentiality, integrity, authentication, and non-repudiation. The document then summarizes the history of cryptography, the main types of cryptography including encryption, decryption, hashing, and steganography. It also describes symmetric and asymmetric cryptographic algorithms like AES, RSA, and hash functions like MD5 and SHA-1/2. The document concludes by emphasizing the safe use of standard algorithms and protection of private keys.
The document discusses threat intelligence and how Lookingglass' ScoutPlatform helps organizations leverage threat intelligence from multiple sources. It collects data on internet infrastructure and indicators of compromise from over 40 sources to provide context and a comprehensive view of risks. This aggregated intelligence helps security operations transition to a more proactive posture by providing timely and actionable insights.
This document outlines an overview of intelligent threat hunting presented by Dhruv Majumdar. It discusses the basics of threat hunting, including that it is a proactive and iterative process to detect threats that evade existing security solutions. It provides a threat hunting recipe and describes important data sources and skills needed like host analysis, network analysis, and threat intelligence. It also walks through an attack scenario and things to look for at different stages of an attack lifecycle. Finally, it concludes with the growing demand for threat hunters and recommendations on how to get started with threat hunting.
Network security using data mining conceptsJaideep Ghosh
Network Security is a major part of a network that needs to be maintained because information is being passed between computers etc. and is very vulnerable to attack.
Data Mining is the process of extraction of required/specific information from data in database.
Data mining is integrated with network security and can be used with various security tools as well as hacking tool.
This document provides an overview of intrusion detection systems (IDS), including their challenges, potential solutions, and future developments. It discusses how IDS aim to detect attacks against computer systems and networks. The challenges of high false alarm rates and dependency on the environment are outlined. Potential solutions explored include data mining, machine learning, and co-simulation mechanisms. Alarm correlation techniques are examined as ways to combine fragmented alert information to better interpret attack flows. Artificial intelligence is seen as important for improving IDS flexibility, adaptability, and pattern recognition.
Red Canary's lessons learned from remapping their detection analytics to the MITRE ATT&CK framework include figuring out where analytics are currently mapped, letting code do the work of remapping, reviewing mappings for consistency, finding and fixing legacy mapping issues, and considering conditional mapping approaches. The speaker also emphasizes giving back to the ATT&CK community and having fun with the remapping process.
The Finest Penetration Testing Framework for Software-Defined NetworksPriyanka Aash
Software-Defined Networking (SDN) is getting attention for the next-generation networking today. The key concept of SDN is to decouple the control logic from the traditional network devices so that network developers can design innovative network functions in a more flexible and programmable way. However, SDN is not always bringing advantages to us. Security experts have constantly raised security concerns about SDN, and some vulnerabilities have been uncovered in the real world. If SDN is not secure, how can we measure the security level of SDN environments?
In this talk, we introduce a powerful penetration testing tool for SDN called DELTA, which is officially supported by Open Networking Foundation (ONF). First, DELTA can automate diverse published attack scenarios against various SDN components from testing to evaluating. Also, to discover unknown vulnerabilities that may exist in SDN, DELTA leverages a blackbox fuzzing technique that randomizes different control flows in SDN. It enables us to systemically reveal unknown security issues rather than the empirical and ad-hoc methods that most previous studies use. By using DELTA, anyone can easily and thoroughly test not only popular open source SDN controllers (i.e., ONOS, OpenDaylight, Floodlight, and Ryu), but also SDN-enabled switches (i.e., OpenvSwitch, HP, and Pica8) in the real world.
We will show nine new attack cases that have been found by DELTA but never been announced before.
Also, we will discuss:
- What control flows are in SDN, and why those are important as a key feature compared to the traditional networks.
- What key components and workflow of DELTA to attack the real SDN components.
- Which nine new attack cases have been discovered by DELTA, and we will demonstrate it. For example, one of the new attacks violates the table condition, leading to the black hole of handling packets in the switch.
This document discusses a proactive approach to cybersecurity called cyber-attack forecasting. It involves using machine learning and game theory to model a cyber system and analyze interactions between attackers and defenders to predict future attacks. The approach includes using hierarchical clustering to group similar systems, detecting anomalies, and formulating interactions as games to determine optimal defense strategies like probing frequencies. This proactive approach aims to address limitations of reactive security by enabling preemptive countermeasures against sophisticated threats.
Secure data aggregation technique for wireless sensor networks in the presenc...LeMeniz Infotech
Secure data aggregation technique for wireless sensor networks in the presence of collusion attacks
Do Your Projects With Technology Experts
To Get this projects Call : 9566355386 / 99625 88976
Visit : www.lemenizinfotech.com / www.ieeemaster.com
Mail : projects@lemenizinfotech.com
This is about what is threat hunting and how to perform it in cyberworld. Our traditional detection systems are being bypassed and we need modern approach to detect & respond to modern day threats.
Entire demo of the same is available on youtube - https://www.youtube.com/playlist?list=PL2iM-fIRjbTCQVI4tR7U2I5IdwLb2QSi_
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016grecsl
In the presentation that threat intel vendors do not want you to see, open source and internal data meets home grown resources to produce actionable threat intelligence that your organization can leverage to stop the bad guys. This presentation discusses and shows examples of using what your already have to bootstrap this capability using existing data management platforms with open and flexible schemas to ease identification of advanced threats. Specific topics covered include the advantages of using open and flexible platforms that can be molded into a data repository, a case tracking system, an indicator database, and more. By analyzing this data organizations can discovery trends across attacks that help them understand their adversaries. An example nosql schema will be release to help attendees create their own implementations.
Attack Simulation And Threat Modeling -Olu AkindeindeBipin Upadhyay
Released by Olu Akindeinde under GNU Free Documentation license: http://old.nabble.com/Attack-Simulation-and-Threat-Modeling-book-to27540377.html#a27540377
Intro:
Attack Simulation and Threat Modeling is a book that explores the abundant resources available in advanced security data collection, classification, processing and mining. It attempts to give insight into a number of alternative methods of security and attack analytics that leverage methodologies adopted from various other disciplines in extracting valuable data to support security research work and chart a course for enterprise security decision making.
Synopsis
Threat Vectors and Attack Signatures
Attack Virtualization and Behavioural analysis
Security Event Correlation and Pattern Recognition
Exploratory Security Analytics and Threat Hypothesis
Machine Learning Algorithms
It is released under the GNU FDL v1.3 License.
Understand How Machine Learning Defends Against Zero-Day ThreatsRahul Mohandas
Detection Challenges
Machine Learning Approaches
Modeling Machine Learning classifiers
Attacks on Machine Learning Defenses
Real Protect
Deep Learning in Sandbox
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pillFrode Hommedal
When you are responding to severe intrusions, it has been gospel for the past years to observe, learn and plan before your start cleaning up. This is very sound advice, and probably the only way you can successfully evict a determined and mission driven adversary from your networks. But when is the right time? When do you actually know enough to evict, and more importantly, resist immediate re-entry? Enter the Cyber Threat Intelligence Matrix.
The document discusses evasion techniques that can be used to bypass Intrusion Prevention Systems (IPS). It introduces techniques such as fragmentation, protocol violations, and obfuscation. It then demonstrates how these techniques can be applied to a known attack on the MS08-067 vulnerability in order to evade detection by major IPS vendors, including HP TippingPoint, Check Point, Palo Alto Networks, Cisco, and Fortinet. The goal is to trick the IPS into allowing the malicious traffic through to compromise the target system.
Finding Diversity In Remote Code Injection Exploitsamiable_indian
1. The document analyzes the diversity among remote code injection exploits by collecting exploit samples from network traces, extracting and emulating shellcodes, and clustering the shellcodes based on an exedit distance metric.
2. It finds that exploits can be grouped into families based on the vulnerability targeted. The LSASS and ISystemActivator exploit families show subtle variations among related exploits, while RemoteActivation exploits exhibit more diversity.
3. Analyzing exploit phylogenies reveals code sharing among families and subtle variations within families, providing insights into the emergence of polymorphism in malware payloads.
Us67903 using universo_online_marcioghiraldelli_paymentgatewaymonitoringwiths...Sid Ugrankar
This document discusses how Universo Online is using Splunk to monitor its PagSeguro payment gateway. Some key ways Splunk is being used include:
1) Monitoring PagSeguro transactions in real-time with dashboards to track metrics like transaction volume and response times.
2) Supporting PagSeguro's business decisions by providing visibility into operational metrics and anomalies.
3) Enabling R&D teams to debug issues across their distributed Java application architecture by correlating logs from different servers.
4) Providing operational intelligence on their datacenter environment by ingesting logs from existing monitoring tools into Splunk dashboards.
Taking Splunk to the Next Level – Management - AdvancedSplunk
Your team is up and running with Splunk. Now you want to maximize your investment and solve additional business problems. Attend this session led by a Splunk expert on how to expand beyond the initial use case. Learn how to how to capture, document and present Splunk's data and present impactful ways to calculate ROI using concrete metrics; cost savings, time savings, efficiency gains, and competitive advantage.
This document discusses challenges in detecting lateral movement attacks and proposes a solution using machine learning models. It summarizes:
1) Independent alert streams from security tools create a triage burden and do not capture complex attacks.
2) A combined model is built to detect compromised accounts/machines from Windows event logs, assessing login probability, credential elevation, and other signals.
3) The combined model ranks sessions using gradient descent learning to rank. Testing with penetration testers showed the top-ranked sessions had a 96% precision.
Indicators of Compromise were meant to solve the failures of signature-based detection tools. Yet today’s array of IOC standards, feeds and products haven’t impeded attackers, and most intel is shared in flat lists of hashes, IPs and strings. This session will explore why IOCs haven’t raised the bar, how to better utilize brittle IOCs and how to use intrinsic network data to craft better IOCs.
(Source: RSA USA 2016-San Francisco)
Reducing cyber risks in the era of digital transformationSergey Soldatov
The session record is available here: https://www.youtube.com/watch?v=5-CoJNjtAmY
Link to all sessions from Sberbank ICC: https://icc.moscow/translyatsii.html
This document provides an introduction to cryptography. It defines cryptography as the science of hiding information to provide confidentiality, integrity, authentication, and non-repudiation. The document then summarizes the history of cryptography, the main types of cryptography including encryption, decryption, hashing, and steganography. It also describes symmetric and asymmetric cryptographic algorithms like AES, RSA, and hash functions like MD5 and SHA-1/2. The document concludes by emphasizing the safe use of standard algorithms and protection of private keys.
The document discusses threat intelligence and how Lookingglass' ScoutPlatform helps organizations leverage threat intelligence from multiple sources. It collects data on internet infrastructure and indicators of compromise from over 40 sources to provide context and a comprehensive view of risks. This aggregated intelligence helps security operations transition to a more proactive posture by providing timely and actionable insights.
This document outlines an overview of intelligent threat hunting presented by Dhruv Majumdar. It discusses the basics of threat hunting, including that it is a proactive and iterative process to detect threats that evade existing security solutions. It provides a threat hunting recipe and describes important data sources and skills needed like host analysis, network analysis, and threat intelligence. It also walks through an attack scenario and things to look for at different stages of an attack lifecycle. Finally, it concludes with the growing demand for threat hunters and recommendations on how to get started with threat hunting.
Network security using data mining conceptsJaideep Ghosh
Network Security is a major part of a network that needs to be maintained because information is being passed between computers etc. and is very vulnerable to attack.
Data Mining is the process of extraction of required/specific information from data in database.
Data mining is integrated with network security and can be used with various security tools as well as hacking tool.
This document provides an overview of intrusion detection systems (IDS), including their challenges, potential solutions, and future developments. It discusses how IDS aim to detect attacks against computer systems and networks. The challenges of high false alarm rates and dependency on the environment are outlined. Potential solutions explored include data mining, machine learning, and co-simulation mechanisms. Alarm correlation techniques are examined as ways to combine fragmented alert information to better interpret attack flows. Artificial intelligence is seen as important for improving IDS flexibility, adaptability, and pattern recognition.
Red Canary's lessons learned from remapping their detection analytics to the MITRE ATT&CK framework include figuring out where analytics are currently mapped, letting code do the work of remapping, reviewing mappings for consistency, finding and fixing legacy mapping issues, and considering conditional mapping approaches. The speaker also emphasizes giving back to the ATT&CK community and having fun with the remapping process.
The Finest Penetration Testing Framework for Software-Defined NetworksPriyanka Aash
Software-Defined Networking (SDN) is getting attention for the next-generation networking today. The key concept of SDN is to decouple the control logic from the traditional network devices so that network developers can design innovative network functions in a more flexible and programmable way. However, SDN is not always bringing advantages to us. Security experts have constantly raised security concerns about SDN, and some vulnerabilities have been uncovered in the real world. If SDN is not secure, how can we measure the security level of SDN environments?
In this talk, we introduce a powerful penetration testing tool for SDN called DELTA, which is officially supported by Open Networking Foundation (ONF). First, DELTA can automate diverse published attack scenarios against various SDN components from testing to evaluating. Also, to discover unknown vulnerabilities that may exist in SDN, DELTA leverages a blackbox fuzzing technique that randomizes different control flows in SDN. It enables us to systemically reveal unknown security issues rather than the empirical and ad-hoc methods that most previous studies use. By using DELTA, anyone can easily and thoroughly test not only popular open source SDN controllers (i.e., ONOS, OpenDaylight, Floodlight, and Ryu), but also SDN-enabled switches (i.e., OpenvSwitch, HP, and Pica8) in the real world.
We will show nine new attack cases that have been found by DELTA but never been announced before.
Also, we will discuss:
- What control flows are in SDN, and why those are important as a key feature compared to the traditional networks.
- What key components and workflow of DELTA to attack the real SDN components.
- Which nine new attack cases have been discovered by DELTA, and we will demonstrate it. For example, one of the new attacks violates the table condition, leading to the black hole of handling packets in the switch.
This document discusses a proactive approach to cybersecurity called cyber-attack forecasting. It involves using machine learning and game theory to model a cyber system and analyze interactions between attackers and defenders to predict future attacks. The approach includes using hierarchical clustering to group similar systems, detecting anomalies, and formulating interactions as games to determine optimal defense strategies like probing frequencies. This proactive approach aims to address limitations of reactive security by enabling preemptive countermeasures against sophisticated threats.
Secure data aggregation technique for wireless sensor networks in the presenc...LeMeniz Infotech
Secure data aggregation technique for wireless sensor networks in the presence of collusion attacks
Do Your Projects With Technology Experts
To Get this projects Call : 9566355386 / 99625 88976
Visit : www.lemenizinfotech.com / www.ieeemaster.com
Mail : projects@lemenizinfotech.com
This is about what is threat hunting and how to perform it in cyberworld. Our traditional detection systems are being bypassed and we need modern approach to detect & respond to modern day threats.
Entire demo of the same is available on youtube - https://www.youtube.com/playlist?list=PL2iM-fIRjbTCQVI4tR7U2I5IdwLb2QSi_
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016grecsl
In the presentation that threat intel vendors do not want you to see, open source and internal data meets home grown resources to produce actionable threat intelligence that your organization can leverage to stop the bad guys. This presentation discusses and shows examples of using what your already have to bootstrap this capability using existing data management platforms with open and flexible schemas to ease identification of advanced threats. Specific topics covered include the advantages of using open and flexible platforms that can be molded into a data repository, a case tracking system, an indicator database, and more. By analyzing this data organizations can discovery trends across attacks that help them understand their adversaries. An example nosql schema will be release to help attendees create their own implementations.
Attack Simulation And Threat Modeling -Olu AkindeindeBipin Upadhyay
Released by Olu Akindeinde under GNU Free Documentation license: http://old.nabble.com/Attack-Simulation-and-Threat-Modeling-book-to27540377.html#a27540377
Intro:
Attack Simulation and Threat Modeling is a book that explores the abundant resources available in advanced security data collection, classification, processing and mining. It attempts to give insight into a number of alternative methods of security and attack analytics that leverage methodologies adopted from various other disciplines in extracting valuable data to support security research work and chart a course for enterprise security decision making.
Synopsis
Threat Vectors and Attack Signatures
Attack Virtualization and Behavioural analysis
Security Event Correlation and Pattern Recognition
Exploratory Security Analytics and Threat Hypothesis
Machine Learning Algorithms
It is released under the GNU FDL v1.3 License.
Understand How Machine Learning Defends Against Zero-Day ThreatsRahul Mohandas
Detection Challenges
Machine Learning Approaches
Modeling Machine Learning classifiers
Attacks on Machine Learning Defenses
Real Protect
Deep Learning in Sandbox
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pillFrode Hommedal
When you are responding to severe intrusions, it has been gospel for the past years to observe, learn and plan before your start cleaning up. This is very sound advice, and probably the only way you can successfully evict a determined and mission driven adversary from your networks. But when is the right time? When do you actually know enough to evict, and more importantly, resist immediate re-entry? Enter the Cyber Threat Intelligence Matrix.
The document discusses evasion techniques that can be used to bypass Intrusion Prevention Systems (IPS). It introduces techniques such as fragmentation, protocol violations, and obfuscation. It then demonstrates how these techniques can be applied to a known attack on the MS08-067 vulnerability in order to evade detection by major IPS vendors, including HP TippingPoint, Check Point, Palo Alto Networks, Cisco, and Fortinet. The goal is to trick the IPS into allowing the malicious traffic through to compromise the target system.
Finding Diversity In Remote Code Injection Exploitsamiable_indian
1. The document analyzes the diversity among remote code injection exploits by collecting exploit samples from network traces, extracting and emulating shellcodes, and clustering the shellcodes based on an exedit distance metric.
2. It finds that exploits can be grouped into families based on the vulnerability targeted. The LSASS and ISystemActivator exploit families show subtle variations among related exploits, while RemoteActivation exploits exhibit more diversity.
3. Analyzing exploit phylogenies reveals code sharing among families and subtle variations within families, providing insights into the emergence of polymorphism in malware payloads.
Us67903 using universo_online_marcioghiraldelli_paymentgatewaymonitoringwiths...Sid Ugrankar
This document discusses how Universo Online is using Splunk to monitor its PagSeguro payment gateway. Some key ways Splunk is being used include:
1) Monitoring PagSeguro transactions in real-time with dashboards to track metrics like transaction volume and response times.
2) Supporting PagSeguro's business decisions by providing visibility into operational metrics and anomalies.
3) Enabling R&D teams to debug issues across their distributed Java application architecture by correlating logs from different servers.
4) Providing operational intelligence on their datacenter environment by ingesting logs from existing monitoring tools into Splunk dashboards.
Taking Splunk to the Next Level – Management - AdvancedSplunk
Your team is up and running with Splunk. Now you want to maximize your investment and solve additional business problems. Attend this session led by a Splunk expert on how to expand beyond the initial use case. Learn how to how to capture, document and present Splunk's data and present impactful ways to calculate ROI using concrete metrics; cost savings, time savings, efficiency gains, and competitive advantage.
SplunkLive is a global series of events showcasing Splunk customer success. These events also feature an afternoon technical workshop.
The advanced session assumes:
• You have developed advanced searches with Splunk to manipulate and present data
• You have mastered sourcetyping and extracting fields
• You have built reports beyond | timechart count
• You have created dashboards of some kind
• You have bookmarked http://www.splunk.com/base/Documentation
• You have seen all of the Splunk Ninja videos
For more, see www.splunk.com
Data Science Transforming Security OperationsPriyanka Aash
Data science can transform security operations by being applied across the entire process, beyond just prevention and detection. It can enhance detection through advanced analytics, augment investigations by aggregating alerts and prioritizing threats, improve continuously through feedback loops, enable intelligence sharing, and inform automated responses. Organizations should assess their data science maturity and focus on integrating it throughout their security operations rather than treating it as an isolated feature. Building an in-house data science practice requires alignment, strategic staffing, and a long-term commitment to maximize the benefits.
Using Hadoop to Drive Down Fraud for TelcosCloudera, Inc.
Communication Service Providers (CSPs) lose around $38 Billion to fraud every year. Check out this webinar to learn more about the Cloudera - Argyle Data real-time fraud analytics platform and how Telcos can utilize Apache Hadoop to drive down fraud.
Transforming incident Response to Intelligent Response using GraphsRam Shankar Siva Kumar
The market is overflowing with vendors who are out to build—wherein, graphs are used in the Detection phase. This session showcases the collaborative efforts between Azure Security Data Science, Microsoft Research, Azure Security Assurance and Microsoft’s Threat Intelligence Center to explore the idea of using graphs during/after the Incident Response phase, wherein the IOCs have been (or in the process of being) collected. At the end of the session, audience will gain insights from their incident response process using open source tools and take steps towards automating them.
This document discusses various machine learning applications and companies. It provides examples of companies using machine learning for security/fraud detection (BrightPoint Sentinel), HR/recruiting analysis (Textio, hiQ People Analytics), sales recommendations (Sentient Aware), marketing personalization (LiftIgniter), customer support insights (Clarabridge, Quantifind), internal data knowledge management (Alation), and market intelligence (Mattermark). It also discusses machine learning techniques like classification, regression, clustering, and time series analysis. Frameworks mentioned include SAP HANA, SAP Automated Predictive Library, and SAP Lumira.
Jim Geovedi - Machine Learning for Cybersecurityidsecconf
This document discusses using machine learning for cybersecurity. It outlines some key challenges in cybersecurity like the increasing number of vulnerabilities and novel attacks. It then discusses how machine learning can help by allowing minimum human intervention in prevention, detection, and analysis of attacks. Some implementation challenges of machine learning for cybersecurity are also highlighted, like lack of data and evolving attacks. The document also describes components of a threat prediction platform using machine learning as well as characteristics of security-related data.
Data Science ATL Meetup - Risk I/O Security Data ScienceMichael Roytman
This is a talk about data science operations and the applications of Risk I/Os insights to the security industry - how we went about mining insights from our large dataset
This document discusses user behavioral analytics and machine learning for threat detection. It summarizes that legacy security information and event management (SIEM) technologies are not adequate for detecting insider threats and advanced adversaries. It then describes how user behavioral analytics uses machine learning to develop multi-entity behavioral models across users, applications, hosts, and networks to detect anomalous behavior indicative of insider threats or advanced cyberattacks. Contact information is provided for the security consultant presenting on this topic.
Video (at YouTube) - http://bit.ly/19TNSTF
Big Data Security Analytics, Data Science and Machine Learning are a few of the new buzzwords that have invaded out industry of late. Most of what we hear are promises of an unicorn-laden, silver-bullet panacea by heavy-handed marketing folks, evoking an expected pushback from the most enlightened members of our community.
This talk will help parse what we as a community need to know and understand about these concepts and help understand where the technical details and actual capabilities of those concepts and also where they fail and how they can be exploited and fooled by an attacker.
The talk will also share results of the author's current ongoing research (on MLSec Project) of applying machine learning techniques to information secuirty monitoring.
This document contains a disclaimer stating that any forward-looking statements made during the presentation are based on current expectations and estimates and could differ materially. It also states that the information provided about product roadmaps is for informational purposes only and may change. The document provides an overview of machine learning, including definitions of common machine learning techniques like supervised learning, unsupervised learning, and reinforcement learning. It also describes Splunk's machine learning capabilities, including search commands, the Machine Learning Toolkit, and packaged solutions like Splunk IT Service Intelligence that incorporate machine learning.
1. Intuit uses security science and big data analytics to improve their cloud security operations. They aggregate logs from AWS accounts and services into a single platform for detection and investigation.
2. Intuit profiles account usage and detects drift from standards to identify misuse early. They use threat intelligence and egress monitoring to detect external attacks and unauthorized access.
3. Intuit is developing tools and scoring to help product development teams understand how their decisions impact security and compliance. This aims to reduce security friction and guide more secure choices.
Computer security - A machine learning approachSandeep Sabnani
This document discusses applying machine learning algorithms to the task of computer intrusion detection. Specifically, it analyzes two machine learning algorithms, NBTree and VFI, and compares their performance on detecting intrusions. The author finds that the NBTree algorithm achieves high accuracy and recall for intrusion detection, making it well-suited for this task compared to the VFI algorithm. In conclusion, the author states that machine learning is useful for computer security problems like intrusion detection that require analyzing large amounts of data.
This document provides an overview of data enrichment techniques in Splunk including tags, field aliases, calculated fields, event types, and lookups. It describes how tags can add context and categorize data, field aliases can simplify searches by normalizing field labels, and lookups can augment data with additional external fields. The document also discusses various data sources that Splunk can index such as network data, HTTP events, alerts, scripts, databases, and modular inputs for custom data collection.
When Cyber Security Meets Machine LearningLior Rokach
This document discusses machine learning approaches for cyber security, specifically malware detection. It begins with an introduction to cyber security and machine learning. It then discusses using machine learning for malware detection, including analyzing files through static and dynamic analysis. The document outlines extracting features from files and using text categorization approaches. It evaluates various machine learning classifiers and features for malware detection. Finally, it discusses applying these techniques on Android devices for abnormal state detection.
The document discusses a presentation on threat hunting with Splunk. It provides an agenda that includes topics like threat hunting basics, data sources for threat hunting, using Sysmon endpoint data, the cyber kill chain framework, and doing an advanced threat hunting walkthrough using Splunk. It also discusses applying machine learning and data science techniques to security. The presentation aims to help attendees build their threat hunting methodology and drive maturity in their threat hunting practices.
Security Analytics: The Promise of Artificial Intelligence, Machine Learning,...Cybereason
Security analytics, what is real and examined the promise, the hype and the real state of artificial intelligence, machine learning and data science in solving fundamental security problems.
The Future of Security: How Artificial Intelligence Will Impact UsPECB
For decades, the security profession has relied on the best technology we had at the time to deflect the onslaught of what we faced daily in the way of virus and malware attacks. Now, as predicted by Thomas Kuhn in his book “The Structure of Scientific Revolutions, we’re seeing the dawn of a new day where AI’s machine learning and advanced mathematical algorithms now offer validated deflection rates, pre-execution, in the realm of 99%. This session will explore this new paradigm and how it will impact our future.
Main points covered:
• How did our profession change in the world of reactive detection?
• How to escape the inertia that held us, prisoners?
• What is the power of AI and machine learning?
• What are the risks of this new technology?
Presenter:
Our presenter for this webinar, John McClurg serves as Vice President and Ambassador-At-Large of Cylance, where he is responsible for building Security and Trust programs & operational excellence efforts. Prior to Cylance, he served as the CSO of Dell, Honeywell, and Lucent and in the U.S. Intelligence Community, as a twice-decorated member of the Federal Bureau of Investigation (FBI). He also served as a Deputy Branch Chief of CIA where he helped to establish the new Counterespionage Group and was responsible for the management of complex counterespionage investigations. McClurg was voted one of America’s 25 most influential security professionals.
Organizer: Ardian Berisha
Date: October 25th, 2018
Recorded webinar link:
Jason Christopher, Dragos Principal Cyber Risk Advisor, joins CyberWire for this podcast that discusses the evolution of ICS/OT ransomware, its impacts on the community, and cybersecurity best practices ICS/OT practitioners can implement to combat it. Listen to the full podcast here: https://dragos.com/resource/ransomware-in-an-industrial-world/
Delivering Security Insights with Data Analytics and VisualizationRaffael Marty
It's an interesting exercise to look back to the year 2000 to see how we approached cyber security. We just started to realize that data might be a useful currency, but for the most part, security pursued preventative avenues, such as firewalls, intrusion prevention systems, and anti-virus. With the advent of log management and security incident and event management (SIEM) solutions we started to gather gigabytes of sensor data and correlate data from different sensors to improve on their weaknesses and accelerate their strengths. But fundamentally, such solutions didn't scale that well and struggled to deliver real security insight.
Today, cybersecurity wouldn't work anymore without large scale data analytics and machine learning approaches, especially in the realm of malware classification and threat intelligence. Nonetheless, we are still just scratching the surface and learning where the real challenges are in data analytics for security.
This talk will go on a journey of big data in cybersecurity, exploring where big data has been and where it must go to make a true difference. We will look at the potential of data mining, machine learning, and artificial intelligence, as well as the boundaries of these approaches. We will also look at both the shortcomings and potential of data visualization and the human computer interface. It is critical that today's systems take into account the human expert and, most importantly, provide the right data.
Cyber Space Operation- Offensive Cyber Space OperationRubal Sagwal
Offensive cyber operations (OCO) involve proactively searching for vulnerabilities in an enemy's networks and systems in order to exploit them. This involves identifying vulnerabilities, gaining access, deploying payloads to achieve desired effects like data destruction or network degradation. The goal is to stop an attacker's offense rather than just playing defense. Honeypots, web bugs, and intrusion response systems are some proposed proactive techniques. Components of an OCO capability include research, operations support, intelligence analysis, and cyber weapons. Stuxnet is an example of an advanced cyber weapon allegedly used by the US to set back Iran's nuclear program.
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Harry McLaren
We’ll be exploring some of the more advanced capabilities of Phantom and also discussing the security framework from MITRE “ATT&CK” and it’s valued use when integrating it with Splunk Enterprise! We’ll also have two SplunkTrust members available for some general Q&A in our own ‘Meet the Experts’.
- Splunk Phantom Workbook Automation - SOAR (Security Orchestration, Automation & Response)
-- Tom Wise (Phantom Security Solutions Engineer & Trainer)
- Threat Hunting, Or: How I Learned to Stop Worrying & Love ATT&CK
-- Cian Heasley / Fraser Dumayne (Security Engineers)
- Meet the Experts with SplunkTrust
-- Harry McLaren (Senior Splunk Consultant)
-- Tom Wise (Splunk Consultant, Phantom Security Solutions Engineer & Trainer)
This document summarizes an presentation on e-extortion trends and defense. It discusses the evolution of extortion from early distributed denial of service attacks and ransomware to more sophisticated techniques that combine encryption, data exfiltration, and extortion demands. The presentation outlines strategies for defending against these threats, including backups, system hardening, endpoint security solutions, threat intelligence sharing, and following financial trails.
This document discusses using machine learning and big data technologies to improve security workflows. It describes the challenges of analyzing large amounts of security data from many sources to detect threats. Machine learning can help by analyzing patterns in the data at scale. The document introduces the Lambda Defense approach, which applies a lambda architecture to build a "central nervous system" for security. This combines batch and real-time machine learning models to detect threats based on both sequential and unordered behaviors.
This document discusses Edwin Hubble and his discoveries at the Mt. Wilson Observatory in the early 20th century. It then summarizes some of the major scientific discoveries of the Hubble Space Telescope since its launch in 1990, including determining the age of the universe and existence of dark energy and exoplanets. The document also outlines Sophos' strategy around next-generation cybersecurity technologies like machine learning and deep learning to more quickly identify unknown threats.
Sie haben viel Geld für Ihre Security Infrastruktur ausgegeben. Wie führen Sie nun all die verschiedenen Systeme zusammen, damit Sie Ihre Ziele erreichen: Bedrohungen schnelle entdecken, darauf reagieren und sie zukünftig zu verhindern. Gleichzeitg soll es Ihrem Security Team natürlich möglich sein, im Sinne Ihre Geschäftstätigkeit und Strategie zu handeln. Erfahren Sie hier, wie Sie Ihre Security Ressources am effektivsten einsetzen. Wir zeigen Ihnen das Ganze in einer Live Demo.
The document discusses incident response in cyber-relevant time and the need for automation and standardization to enable faster response times. It introduces OpenC2 as an emerging open standard for command and control that aims to provide unambiguous machine-to-machine communication through a common language and protocols. OpenC2 focuses on the "acting" portion of cyber defense by coordinating defensive actions across different security systems through open specifications.
The document discusses software and hardware security. It describes the Digital Security group at Radboud University which uses rigorous and formal methods to design and analyze secure ICT systems, considering their societal impact especially on privacy. The group also looks at concrete applications of their research in areas like software security, hardware security, online privacy, and cybercrime.
This chapter provides a high-level overview of threat hunting. It defines hunting as finding ways for threats to perform malicious actions. It emphasizes that hunting goes beyond just waiting for alerts, and that organizations may define hunting in different ways based on their goals and environments. The chapter discusses that the most important assets for hunting are people, not technology. It stresses the importance of hiring the right people with varied skills and experience to build an effective hunting team. Each analyst will develop their own individual hunting style and processes over time.
The SOC analyst training program is meticulously designed by the subject matter experts at Infosec Train. The training program offers a deep insight into the SOC operations and workflows. It is an excellent opportunity for aspiring and current SOC analysts (L1/L2/L3) to level up their skills to mitigate business risks by effectively handling and responding to security threats.
https://www.infosectrain.com/courses/soc-analyst-expert-training/
The SOC analyst training program is meticulously designed by the subject matter experts at Infosec Train. The training program offers a deep insight into the SOC operations and workflows. It is an excellent opportunity for aspiring and current SOC analysts (L1/L2/L3) to level up their skills to mitigate business risks by effectively handling and responding to security threats.
https://www.infosectrain.com/courses/soc-analyst-expert-training/
CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...TI Safe
Cognitive security solutions using artificial intelligence can help address cybersecurity threats by assisting overworked human analysts. Watson provides a cognitive security platform that analyzes both structured security data and vast amounts of unstructured online data to gain insights. It helps speed up investigation of incidents by quickly providing relevant indicators, related threats, and recommended courses of action based on its security knowledge graph. This frees up analysts to focus on higher-level tasks. Customers have seen Watson reduce investigation time from 50 minutes to just 10 minutes on average.
Creating Your Own Threat Intel Through Hunting & VisualizationRaffael Marty
The security industry is talking a lot about threat intelligence; external information that a company can leverage to understand where potential threats are knocking on the door and might have already perpetrated the network boundaries. Conversations with many CERTs have shown that we have to stop relying on knowledge about how attacks have been conducted in the past and start 'hunting' for signs of compromises and anomalies in our own environments.
In this presentation we explore how the decade old field of security visualization has emerged. We show how we have applied advanced analytics and visualization to create our own threat intelligence and investigated lateral movement in a Fortune 50 company.
Visualization. Data science. No machine learning. But pretty pictures.
Here is a blog post I wrote a bit ago about the general theme of internal threat intelligence:
http://www.darkreading.com/analytics/creating-your-own-threat-intel-through-hunting-and-visualization/a/d-id/1321225?
Similar to us-15-Zadeh-From-False-Positives-To-Actionable-Analysis-Behavioral-Intrusion-Detection-Machine-Learning-And-The-SOC (20)
4. Extends
Security
Analy2cs
Leadership
by
Adding
Behavioral
Analy2cs
to
Be;er
Detect
Advanced
and
Insider
Threats
Come
see
us
at
the
Black
Hat
Booth
#347
Splunk
Acquires
Splunk
App
for
Enterprise
Security
Machine
Learning
+
+
ADVANCED
THREATS
INSIDER
THREATS
5. 5
Research
Background
• Security
Research
– First
security
talk
ever
a^ended
@
Decfon
8:
Jon
Erickson
“Number
Theory,
Complexity
Theory,
Cryptography,
and
Quantum
CompuRng”
ê I
am
sRll
trying
to
understand
that
talk…
– Late
90’s:
Traffic
baselines
and
Layer
2
behavioral
profiling
using
MRTG
and
first
generaRon
NMS
– Recently:
Consultant
on
cybersecurity
analyRcs
projects
the
last
few
years
standing
up
custom
soluRons
• Related
Research:
– Fractal
random
walks:
predicRng
Rme
series
ê Human
Behavior
(stocks),
Physical
Processes
(heat,
magneRsm)
ê Molecular
kineRcs
(Brownian
moRon,
quantum
mechanics)
ê StochasRc
Fast
Dynamo,
StochasRc
Anderson
EquaRon
ê Time
as
a
random
process
7. 7
A.I.
and
the
“Big”
Picture
Can
Strong
AI
help
predict..
– The
dynamo
effect?
– Pole
shins?
– ExRncRon
events?
– Military
escalaRons?
– Cybersecurity
catastrophes?
8. 8
Cybersecurity
Defense:
Failings
and
MoRvaRons
Mudge,
“How
a
Hacker
Has
Helped
Influence
the
Government
-‐
and
Vice
Versa”
Blackhat
2011
9,000
Malware
Samples
Analyzed
– 125
LOC
for
Average
Malware
Sample
– Stuxnet
=
15,000
LOC
(120x
average
malware
sample
LOC)
– 10,000,000
=
Average
LOC
for
modern
firewall/security
stack
Key
Takeaway:
For
one
single
offensive
LOC
defenders
write
100,000
LOC
– 120:1
Stuxnet
to
average
malware
– 500:1
Simple
text
editor
to
average
malware
– 2,000:1
Malware
suite
to
average
malware
– 100,000:1
Defensive
tool
to
average
malware
– 1,000,000:1
Target
operaRng
system
to
average
malware
Bruce
Schneier,
“The
State
of
Incident
Response
by
Bruce
Schneier”
Blackhat
2014
– G.
Akerlof,
“The
Market
for
Lemons:
Quality
Uncertainty
and
the
Market
Mechanism”
Key
Takeaway:
Security
is
a
lemons
market!
– Prospect
theory
“As
a
species
we
are
risk
adverse
when
it
comes
to
gains
and
risk
taking
when
it
comes
to
losses”
Key
Takeaway:
We
don’t
buy
security
products
un2l
it
is
too
late!
9. 9
A
Philosophy
of
Defense
"Once
you
understand
The
Way
broadly,
you
can
see
it
in
all
things."
―
Miyamoto
Musashi,
Book
of
Five
Ring
1643
10. 10
A
Philosophy
of
Defense
"Once
you
understand
The
Way
broadly,
you
can
see
it
in
all
things."
―
Miyamoto
Musashi,
Book
of
Five
Ring
1643
• Musashi
was
undefeated
samurai
(60
duels)
• Throughout
the
book,
Musashi
implies
that
the
way
of
the
Warrior,
as
well
as
the
meaning
of
a
"True
strategist"
is
that
of
somebody
who
has
made
mastery
of
many
art
forms
away
from
that
of
the
sword…
• Such
a
philosophy
is
fractal
–
it
has
similar
properRes
on
many
scales
11. 11
Fractal
Defense
"Once
you
understand
The
Way
broadly,
you
can
see
it
in
all
things."
―
Miyamoto
Musashi,
Book
of
Five
Ring
1643
• A
fractal
is
a
natural
phenomenon
or
a
mathemaRcal
set
that
exhibits
a
repeaRng
pa^ern
that
displays
at
every
scale.
• Security
is
a
combinaRon
of
detecRon,
protecRon
and
response
• Fractal
defense:
a
philosophy
for
scaling
detecRon,
protecRon
and
response
up
and
down
the
IT
ecosystem
12. 12
Fractal
Defense:
Example
From
our
white
paper
“Defense
at
scale:
Building
a
Central
Nervous
System
for
the
SOC”
– Leverage
expressive
ways
to
target
TTP’s
(tacRcs,
techniques
and
procedures)
that
are
reusable
and
scalable
across
many
use
cases/
behaviors
– Can
incorporate
classical
signatures
into
a
probabilisRc
scoring
mechanism
13. 13
Fractal
Defense:
Example
From
our
white
paper
“Defense
at
scale:
Building
a
Central
Nervous
System
for
the
SOC”
14. 14
Fractal
Defense:
Example
From
our
white
paper
“Defense
at
scale:
Building
a
Central
Nervous
System
for
the
SOC”
15. F1
=
Snort
IOC
"MALWARE-‐CNC
Win.Trojan.Zeus
encrypted
POST
Data
exfiltra2on”
F5
=
Behavioral
IOC:
Large
number
of
POST’s
and
Null
web
referrals
F3
=
Behavioral
IOC:
Periodic
traffic
over
SSL
without
valid
cer2ficate
F4
=
Behavioral
IOC:
New
domain
registered
with
correlated
whois
data
Overall
Social
Cluster
Score
=
g(F1,
F2,
F3,
F4,
F5)
Central
Nervous
System
Approach
16. 16
Sound
Bytes
– Fractal
Defense:
Reuse
logic
(and
code)
across
different
security
use
cases.
Make
behavior
based
IOC’s
map
to
adversary
tacRcs,
techniques
and
procedures
for
be^er
scalability.
– Cybersecurity
Analy2cs
ROI:
Make
security
requirements
funcRonal
by
sexng
realisRc
benchmarks
based
on
your
own
data
– Lambda
Architecture:
a
generic
problem
solving
system
built
on
immutability
and
hybrid
batch/real-‐Rme
workflows
18. 18
Cybersecurity
AnalyRcs
• MoRvaRon
– Number
one
mistake
I
see
researchers
making
is
modeling
the
“ConRnuum
of
behaviors”
vs.
modeling
a
discrete
security
use
case
– Help
rank
order
use
cases
for
management/researchers
without
security
background
(ranking
should
coincide
with
security
expert
intuiRon)
• Possible
a^ack
behaviors
are
infinite!
– Intractable
dimensionality
– “Project
the
problem
down
to
finitely
many
sub
problems”
• Anomaly
DetecRon
!=
AcRonable
Intelligence
19. 19
Cybersecurity
AnalyRcs
Roadmap
• Step
1:
Make
a
grab
bag
of
your
favorite
use
cases/gaps
of
the
threat
surface
– Model
primiRves:
acRonable
units
or
single
behaviors
• Step
2:
Determine
exisRng
coverage
and
cost
of
impact
per
use
case
(APPROXIMATE!
Unless
you
are
have
been
logging
costs
of
security
events
internally
similar
to
MS…)
• Step
3:
Build
ROI
Graph
– What
is
your
formula
for
ROI?
• Step
4:
Rank
Order
– Rank
by
determining
which
ordering
provides
addiRonal
value
to
minimizing
risk
– Our
example
uses
the
added
structure
of
LAN
and
WAN
but
you
can
complicate
things
further
by
trying
to
incorporate
adversary
capabiliRes,
point
soluRon
metrics,
etc…
20. 20
Enumerate
Threat
Surface
§ PtH/PtT
§ Time
of
Day
Model
§ Lateral
Reconnaissance
§ Pop
@
Risk
§ Passive
DNS
§ Data
Store
Exfiltra2on
§ Two
Factor
A;ack
§ Exploit
Kits
§ Crowd
sourced
Executable
Classifica2on
§ MITM
§ Telecommuter
Ground
Speed/
Triangula2on
§ Data
mart
reconnaissance/mapping
§ VIP
Asset
Profiling
§ User
to
Group
Behavior
Metrics
§ User
Access
Pa;ern
Models
§ Shadow
IT
misconfigura2on
and
gap
profiling
§ Beachhead/DMZ
a;ack
graph
modeling
Use
Cases:
Insider/LAN
Threats
21. 21
Enumerate
Threat
Surface
§ Web
Referral
Graph
§ Time
of
Day
Model
§ Heartbeat
Beacon
Detec2on
§ SSL
Side
Channel
Analysis
§ Watering
Hole
Analy2c
§ Passive
DNS
AI
§ Predic2ve
Blacklis2ng
§ URL
Rela2ve
Path
Tokens
§ Edit
Distance
Classifica2on
§ Exploit
Kits
Analy2cs
§ Pseudo
Random
Domain
Detec2on
§ Executable
Graph
Classifier
§ DNS
Tunneling
Use
Cases:
External/WAN
Threats
22. 22
Enumerate
Threat
Surface
§ Embedded
Systems
Behavioral
Profiles
§ BYOD
Popula2on
Analysis
§ Passive
mobile
applica2on
classifier
§ Mobile
app
store
profiling
§ Common
environment
baselines
for
mobile
users
§ Mobile
Beacon
Detec2on
§ SSL
Side
Channel
Analysis
§ Creden2al
compromise
§ Rogue
Device
Detec2on
§ HVAC
Controller
A;acks
(BacNet)
Use
Cases:
IoT
and
Shadow
IT
23. 23
Security
AnalyRcs
ROI
• What
is
the
intrinsic
value
of
each
model
we
build?
– False
PosiRve/True
PosiRve
raRos,
AUC,
etc.
– Cost
of
ValidaRng
the
Model
– What
is
the
risk
to
the
organizaRon
for
missing
the
threat?
– Find
Net
New
Threats!
• How
to
prioriRze
what
analyRc
models
to
invest
in
– Dimensions:
Impact
Risk,
Cost
of
ValidaRon,
Cost
of
Investment,
Cost
of
Maintenance,
Adversary
Model
27. 27
Adversary
CapabiliRes
and
the
Threat
Surface
• A^acker
capability
vs.
Security
Capability
is
an
important
dimension
to
consider
when
prioriRzing
new
soluRons/
analyRcs
• Try
to
handle
the
low
hanging
fruit
to
more
complex
adversary
behavior
by
road
mapping
custom
analyRcs
based
on
gaps
in
exisRng
and
future
technology
soluRons
• It
is
a
mistake
to
model
the
most
complex
adversaries
first
28. 28
Nextgen
Benchmarks
• DARPA,
Predict.org
spearheading
the
collecRon
and
annotaRon
of
complex
data
sets
for
security
research
– Skaion
2006
DARPA
Dataset
– Contagio
Malware
Dump
– CTU
University:
CTU-‐13
Dataset.
A
Labeled
Dataset
with
Botnet,
Normal
and
Background
traffic
• Evidence
CollecRon
and
the
SOC
– Most
important
workflow
that
is
missing
from
large
scale
Intel/telemetry
sharing
across
organizaRons.,
• Public
Repos
/
OSINT
29. 29
FuncRonal
Requirements!
• Real
problem
in
security
is
requirements
are
non-‐funcRonal
• Benchmark
next
gen
product
by
isolaRng
the
sub
problems
and
holding
specific
metrics
accountable
to
real
world
data
• How
do
you
rank
order
the
value
of
a
cybersecurity
analyRc?
31. 31
Why
Build
A
Defensive
Tool?
• Incident
Response
Is
Hard
Work!
What
can
we
automate?
A
security
analyst
is
an
oracle
whose
input
is
evidence
and
whose
output
is
True
Posi2ve,
False
Posi2ve,
True
Nega2ve
or
False
Nega2ve
– The
list
of
possible
quesRons
is
large
but
typically
the
flow
is
a
type
of
decision
tree
for
example
32. 32
Why
Build
A
Defensive
Tool?
Security
Oracle
Workflow
Example
1:
Evidence
=>
Periodic
CommunicaRon
=>
LAN
to
WAN
Data
=>WAN
URL
has
Bad
ReputaRon
=>
Correlate
with
VT
=>
True
PosiRve
Example
2:
Evidence
=>
PotenRal
C2
Domain
=>
LAN
to
WAN
Data
=>
WAN
URL
is
new
Google
IP
=>
False
PosiRve
33. 33
Lambda
Security
• Lambda
Architecture:
batch
+
real
Rme
compuRng
paradigm
• Minimizes
the
complexity
in
historical
computaRons
overcoming
bo^lenecks
SOC
has
experienced
operaRng
first
gen
SIEMs
• Data
model
that
is
append-‐only,
distributed
and
immutable
is
opRmized
for
security
centric
workflows
and
analyst
queries
34. 34
Lambda
Security
• Architecture
is
described
by
three
simple
equaRons:
batch
view
=
func2on(all
data)
real2me
view
=
func2on(real2me
view,
new
data)
query
=
func2on(batch
view,
real2me
view)
35. 35
Lambda
Security
• Lambda
architecture
provides
a
design
paradigm
for
a
scalable
central
nervous
system
for
the
SOC
whose
components
include
– Machine
learning
based
ETL(Extract/Transform/Load)
– Distributed
crawlers
– Automated
idenRty/session
resoluRon
and
fingerprinRng
– Formal
evidence
collecRon
protocol
for
automated
labeling
of
incident
response
data
– AnalyRcs
Metrics
and
establishing
benchmarks
for
heterogeneous
data
37. 37
Lambda
Firewalls?!
Manage
the
paths
accordingly
start
building
lambda
workflows
into
Everything!!!
• Lambda
firewall
– StaRsRcal
whitelist
computaRon
aspect
(fuzzy
ACL’s)
– Path
for
signatures
and
sequenRal
behaviors
that
is
more
expressive
than
PCRE
• Central
nervous
system
approach
to
blending
signals
– Defense
should
scale
up
and
down
the
size
of
organizaRon:
a
properly
engineered
central
nervous
system
should
be
able
to
protect
SMB
market
as
well
as
large
scale
deployments
38. • The
Complexity
Class
P-‐Complete
and
NC
– NC
=>
parallelizable
• Some
problems
don’t
parallelize
well!!
– P-‐Complete
=>
Inherently
SequenRal
– Any
problem
where
you
have
to
maintain
state
across
nodes:
Circuit
Value
Problem,
Linear
programming
– Streaming
models
are
usually
harder
to
maintain
than
batch
models
38
Complexity
Class
P-‐Complete
and
NC
40. 40
Cybersecurity
and
Graph
Mining
• Dynamic
Temporal
Graphs
– Social
Network
of
CommunicaRons
forms
a
dynamic
graph
that
evolves
over
Rme
– Given
a
graph
structure
we
can
leverage
state
of
the
art
graph
mining
techniques
to
detect
anomalous
graph
pa^erns
ê Anomalous
Clicks
ê Rare
Sub-‐Structures
ê Rare
Paths
• Anomalies
in
graphs
can
be
easy
to
idenRfy
algorithmically
– PageRank
– Graph
Cut/ParRRoning
– Random
Walk
Driven
Label
PropagaRon
41. Command
and
Control
(C2)
traffic
has
been
established
between
compromised
hosts
inside
the
corporate
network
and
C2
servers
Behavioral
IOC:
Mobile
C2
42. C2
Infrastructure
changes
locaRons
of
command
and
control
server
new
communicaRon
path
is
established
Behavioral
IOC:
Mobile
C2
43.
Behavioral
IOC:
Mobile
C2
C2
Infrastructure
changes
locaRons
of
command
and
control
server
new
communicaRon
path
is
established
45. At
each
Rme
step
(typically
a
day
or
two)
the
C2
Infrastructure
changes
locaRons
of
command
and
control
via
this
“Fluxing”
behavior.
A
subset
of
these
type
of
graph
pa^erns
is
known
as
“Fast
Fluxing”
Behavioral
IOC:
Mobile
C2
46.
Behavioral
IOC:
Mobile
C2
The
constant
mobility
of
command
and
control
infrastructure
will
conRnue
this
IP/Domain
fluxing
movement
unRl
detected
47. Command
and
Control
(C2)
traffic
has
been
established
between
“Beachhead”
and
command
and
control
operator
Behavioral
IOC:
Perimeter
Pivot
48. Heartbeat
traffic
signals
C2
operator
that
infected
asset
is
up
and
ready
for
instrucRons
Behavioral
IOC:
Perimeter
Pivot
49. Obfuscated
instrucRons
get
returned
through
an
Upstream
conversaRon
embedded
in
PHP,
.js,
Flash,
etc..
Commands
obfuscated
in
this
way
can
be
through
of
as
a
hidden
“Downstream
Beacon”
Behavioral
IOC:
Perimeter
Pivot
50. Embedded
commands
can
signal
infected
asset
to
enumerate
local
informaRon
on
the
machine,
a^ach
to
open
network
shares
and
perform
lateral
reconnaissance
and
privilege
escalaRon
throughout
the
compromised
network
Behavioral
IOC:
Perimeter
Pivot
51. Aner
targeted
lateral
movement
and
privilege
enumeraRon
all
cases
of
targeted
a^acks
eventually
involve
the
compromise
of
the
directory
services
roots
servers
(Usually
AD
Forest
Roots)
and
exfiltraRon
of
key
personnel
informaRon
along
with
any
Behavioral
IOC:
Perimeter
Pivot
52. ExfiltraRon
and
other
pa^erns
have
different
network
components
but
are
usually
constrained
by
the
pictures
they
make
as
paths
in
a
graph…
Behavioral
IOC:
Perimeter
Pivot
53. BFS/DFS
+
Other
classic
graph
search
algorithms
are
a
great
examples
of
algorithms
useful
in
detecRng
this
graph
signature
Edge
weights
can
be
encoded
with
key
security
features
to
increase
overall
model
accuracy
regardless
of
the
underlying
algorithms
Behavioral
IOC:
Perimeter
Pivot
57. F1
=
Snort
IOC
"MALWARE-‐CNC
Win.Trojan.Zeus
encrypted
POST
Data
exfiltra2on”
F5
=
Behavioral
IOC:
Large
number
of
POST’s
and
Null
web
referrals
F3
=
Behavioral
IOC:
Periodic
traffic
over
SSL
without
valid
cer2ficate
F4
=
Behavioral
IOC:
New
domain
registered
with
correlated
whois
data
Overall
Social
Cluster
Score
=
g(F1,
F2,
F3,
F4,
F5)
Central
Nervous
System
Approach
59. 59
Machine
Learning
and
Cybersecurity
• Specific
Challenges
– No
Ground
Truth:
Machine
Learning
works
best
in
the
case
of
large
amount
of
labeled
examples
– Concept/Adversarial
Drin:
Labels
change
over
Rme
• Lack
of
Labeled
Data
=>
“No
Free
Lunch”
– Wolpert,
D.H.,
Macready,
W.G.
(1997),
"No
Free
Lunch
Theorems
for
OpRmizaRon",
IEEE
Transac*ons
on
Evolu*onary
Computa*on
1,
67.
–
Wolpert,
David
(1996),
"
The
Lack
of
A
Priori
DisRncRons
between
Learning
Algorithms",
Neural
Computa*on,
pp.
1341-‐1390.
60. 60
Limits
of
Automated
Intrusion
DetecRon
• Travis
Goodspeed:
“Packets
in
Packets”
– Paper
showing
any
communicaRon
medium
we
can
embed
a
covert
language
to
avoid
eavesdropping
in
open
channels
• Can
we
programmaRcally
answer
the
quesRons:
“Does
a
communicaRon
contain
steganography?”
– Equivalent
to
checking
if
a
computer
program
will
halt?
• Polymorphic
Malware
=>
NFL
61. 61
A.I.
and
Meta-‐Theorems
• Is
intelligence
achievable
in
sonware
(Strong
AI)?
– Sco^
Aronson:
Unlikely
sonware/hardware
combinaRons
are
compeRng
against
3
Billion
years
of
evoluRon
• Keep
a
catalogue
of
deep
results
and
curiosiRes
– Gödel's
Incompleteness
– Church-‐Turning
– Blum's
Speedup
Theorem
– No
free
Lunch
– One
Learning
Algorithm
Hypothesis
– Grover's/Shor’s
Algorithms
• Track
Cuxng
Edge
ML
–
Paper:
“Building
high-‐level
features
using
large
scale
unsupervised
learning”
ê Andrew
Ng
and
Jeff
Dean
et
al.
(2012)
ICML
62. 62
HalRng
Problem
• The
problem
is
to
determine,
given
a
program
and
an
input
to
the
program,
whether
the
program
will
eventually
halt
when
run
with
that
input
• The
halRng
problem
is
famous
because
it
was
one
of
the
first
problems
proven
algorithmically
undecidable.
This
means
there
is
no
algorithm
which
can
be
applied
to
any
arbitrary
program
and
input
to
decide
whether
the
program
stops
when
run
with
that
input.
63. 63
TheoreRcal
Backbone
– Classical
ComputaRon
ê Logical
Consistency
of
Computer
Languages
(Church-‐Turing)
ê Physical
RealizaRon
of
Turning
Machine
(Church
turning
+
Von
Neumann)
ê FloaRng
point
representaRon
with
controllable
error
propagaRon
– Weak/Strong
AI
ê HalRng
problem
and
No
Free
Lunch
theorems
=>
building
intelligent
sonware
is
“hard”
ê Current
machine
learning
methods
are
a
type
of
weak
AI
– Distributed
ComputaRon
ê Complexity
classes
P-‐Complete,
NC
ê CAP
Theorem
ê Actor
Models
ê Batch
+
Real-‐Time
:=
Lambda
Architecture
64. 64
Data
Science
in
Cybersecurity
• What
is
a
behavior
mathemaRcally?
– Fraud
in
Cybersecurity
manifests
itself
in
infinitely
many
possibiliRes
• Automated
idenRficaRon
of
fraud
in
IT
is
in
some
sense
equivalent
to
trying
solve
the
halRng
problem
on
a
Turning
Machine
– ComputaRonally
it
is
impossible
to
“enumerate”
all
possible
behaviors
65. 65
Blackhat
Sound
Bytes
– Fractal
Defense:
Reuse
logic
(and
code)
across
different
security
use
cases.
Make
behavior
based
IOC’s
map
to
adversary
TacRcs,
Techniques
and
Procedures
for
be^er
scalability.
– Cybersecurity
Analy2cs
ROI:
Make
requirements
funcRonal
by
sexng
realisRc
benchmarks
based
on
your
own
data
and
metrics
– Lambda
Architecture:
a
generic
problem
solving
system
built
on
immutability
and
hybrid
batch/real-‐Rme
workflows
72. 72
TheoreRcal
Background
• Doctoral
Research
– Iterated
Processes:
What
happens
when
we
replace
Rme
with
a
random
process?
ê Set
t
“=“
B(t)
where
B
is
a
Brownian
moRon
– Can
Feynman
Path
Integral
be
defined
MathemaRcally?
ê Feynman-‐Kac’s
Formula:
Duality
between
PDE’s
and
SDE’s
ê Measures
on
the
space
of
conRnuous
funcRons
– FracRonal
Brownian
moRon
and
processes
with
long
memory
ê Random
walks
that
are
not
Markov
ê Malliavin
Calculus:
(Used
to
prove
Hörmander’s
Theorem)
– Malliavin
built
a
calculus
out
of
Random
processes
replacing
Rme
by
h
in
a
Hilbert
space
73. 73
StochasRc
Processes
with
Long
Memory
• Since
ancient
Rmes
the
Nile
River
has
been
known
for
its
long
periods
of
dryness
followed
by
long
periods
of
floods
• The
hydrologist
Hurst
was
the
first
one
to
describe
these
characterisRcs
when
he
was
trying
to
solve
the
problem
of
flow
regularizaRon
of
the
Nile
River.
80. IT
OperaRons
ApplicaRon
Delivery
Business
AnalyRcs
Industrial
Data
and
Internet
of
Things
80
Splunk
Is
Used
Across
IT
and
the
Business
Business
AnalyRcs
Industrial
Data
and
Internet
of
Things
Security,
Compliance
and
Fraud
Strong
ROI
&
facilitates
cross-‐department
collaboraEon