AI & ML in Cyber Security - Why Algorithms Are Dangerous

Raffael Marty
Raffael MartyGeneralManager Cybersecurity at ConnectWise
Raffael Marty AI & ML in Cyber Security Why Algorithms Are Dangerous Cancun, Mexico March, 2018
A Brief Summary 2 • We don’t have artificial intelligence (yet) • Algorithms are getting ‘smarter’, but experts are more important • Stop throwing algorithms on the wall - they are not spaghetti • Understand your data and your algorithms • Invest in people who know security (and have experience) • Build “export knowledge” absorbing systems • Focus on advancing insights
3 The master of Kennin temple was Mokurai. He had a little protégé named Toyo who was only twelve years old. Toyo saw how students entered the masters room each day and received instructions and guidance in Zen. The young boy wished to do zazen (meditation) as well. Upon convincing Mokuri, he went in front of the master who gave him the following koan to ponder: "You can hear the sound of two hands when they clap together," said Mokurai. "Now show me the sound of one hand."
Outline 4 An Example Let’s Get Practical Statistics, Machine Learning & AI Defining the Concepts 1 2 The Algorithmic Problem Understanding the Data and the Algorithms 3
5http://theconversation.com/your-questions-answered-on-artificial-intelligence-49645 Statistics
 Machine Learning &
 Artificial Intelligence
6 “Everyone calls their stuff ‘machine learning’ or even better ‘artificial intelligence’ - It’s not cool to use statistics!” 
 “Companies are throwing algorithms on the wall to see what sticks - see security analytics market”
ML and AI – What Is It? 7 • Machine Learning – Algorithmic ways to “describe” data o Supervised - learning from training data o Unsupervised - optimization problem to solve (clustering, dim reduction) • Deep Learning – a ‘newer’ machine learning algorithm o Eliminates the feature engineering step o Verifiability / explainability issues • Data Mining – Methods to explore data – automatically and interactively • Artificial Intelligence – “Just calling something AI doesn’t make it AI.” ”A program that doesn't simply classify or compute model parameters, but comes up with novel knowledge that a security analyst finds insightful.”
What “AI” Does Today 8 •Kick a human's ass at Go •Design more effective drugs •Make Siri smarter
Machine Learning Uses in Security 9 • Supervised o Malware classification (deep learning poster child) o Spam identification o MLSec project on firewall data • Unsupervised o DNS analytics (domain name classification, lookup frequencies, etc.) o Threat Intelligence feed curation (IOC prioritization, deduplication, …) o Tier 1 analyst automation (reducing 600M events to 100 incidents)* o User and Entity Behavior Analytics (UEBA) * See Respond Software Inc.
The Algorithmic Problem Understanding the Data and the Algorithms 10
Algorithms Are Dangerous 11
Famous AI (Algorithm) Failures 12 neil.fraser.name/writing/tank/ US government in October 2016 published a comprehensive report titled 
 “Preparing for the future of artificial intelligence”
What Makes Algorithms Dangerous? 13 • Algorithms make assumptions about the data • Assume ‘clean’ data (src/dst confusion, user feedback, etc.) • Often assume a certain type of data and their distribution • Don’t deal with outliers • Machine learning assumes enough, representative data • Needs contextual features (e.g., not just IP addresses) • Assume all input features are ‘normalized’ the same way • Algorithms are too easy to use these days (tensorflow, torch, ML on AWS, etc.) • The process is more important than the algorithm (e.g., feature engineering, supervision, drop outs, parameter choices, etc.) • Algorithms do not take domain knowledge into account • Defining meaningful and representative distance functions, for example • e.g., each L4 protocol exhibits different behavior. Train it separately. • e.g., interpretation is often unvalidated - beware of overfitting and biased models. • Ports look like numerical features, they are not, same is true for IPs, processIDs, HTTP return codes, etc.
Models Are Just Approximations 14 High Bias -  increasing the number of input features. How do you know in what case you operate? • ML explainability problem • Compute error margins model
 classifies future instances high 
 error failure
 to generalize High Variance reduce the number of input features, increasing the number of training examples
Cognitive Biases 15 • How biased is your data set? How do you know? • Only a single customer’s data • Learning from an ‘infected’ data set • Collection errors • Missing data (e.g., due to misconfiguration) • What’s the context the data operates in? • FTP although generally considered old and insecure, isn’t always problematic • Don’t trust your IDS (e.g. “UDP bomb”)
Don’t Use Machine Learning If … 16 • Not enough or no quality labeled data • Don’t use for network traffic analysis - you don’t have labeled data - really, you don’t! • No well trained domain experts and data scientists to oversee the implementation • Not enough domain expertise to engineer good features • Need to understand what ML actually learned (explainability) Also remember • Data cleanliness issues (timestamps, normalization across fields, etc.) • Operational challenges (scalability and adaptability) of implementing machine learning models in practice
Adversarial Machine Learning 17 • An example of an attack on deep learning
Example Let’s Get Practical 18
Network Traffic - Finding Anomalies / Attacks 19 • Given: Netflow • Task: Find anomalies / attacks 2 2005-10-22 23:09:45.903 -1.000 UDP 192.168.0.2 62569 -> 192.168.0.255 8612 0 0 1 0 .A.... 0 0 0 3 2005-10-22 23:09:53.003 -1.000 UDP 192.168.0.2 52457 -> 192.168.0.255 8612 0 0 1 0 .A.... 0 0 0 4 2005-10-22 23:09:58.435 -1.000 ICMP 192.168.2.2 0 -> 192.168.2.1 3.3 0 0 2 0 .A.... 192 0 0 5 2005-10-22 23:10:00.103 -1.000 UDP 192.168.0.2 59028 -> 192.168.0.255 8612 0 0 1 0 .A.... 0 0 0 6 2005-10-22 23:10:03.839 -1.000 UDP 192.168.2.2 138 -> 192.168.2.255 138 0 0 2 0 .A.... 0 0 0 7 2005-10-22 23:10:04.971 -1.000 UDP 192.168.0.2 17500 -> 255.255.255.255 17500 0 0 1 0 .A.... 0 0 0 8 2005-10-22 23:10:04.971 -1.000 UDP 192.168.0.2 17500 -> 192.168.0.255 17500 0 0 1 0 .A.... 0 0 0 9 2005-10-22 23:10:07.207 -1.000 UDP 192.168.0.2 62319 -> 192.168.0.255 8612 0 0 1 0 .A.... 0 0 0 10 2005-10-22 23:10:14.311 -1.000 UDP 192.168.0.2 50273 -> 192.168.0.255 8612 0 0 1 0 .A.... 0 0 0 11 2005-10-22 23:10:21.403 -1.000 UDP 192.168.0.2 56243 -> 192.168.0.255 8612 0 0 1 0 .A.... 0 0 0 12 2005-10-22 23:10:25.267 -1.000 ICMP 192.168.0.2 0 -> 192.168.2.1 8.0 0 0 1 0 .A.... 0 0 0 13 2005-10-22 23:10:28.043 0.004 ICMP 192.168.0.2 0 -> 192.168.2.2 8.0 0 0 1 2 .A.... 0 1338 1 14 2005-10-22 23:10:28.499 -1.000 UDP 192.168.0.2 62390 -> 192.168.0.255 8612 0 0 1 0 .A.... 0 0 0 15 2005-10-22 23:10:35.019 -1.000 UDP 192.168.0.2 17500 -> 255.255.255.255 17500 0 0 1 0 .A.... 0 0 0 16 2005-10-22 23:10:35.019 -1.000 UDP 192.168.0.2 17500 -> 192.168.0.255 17500 0 0 1 0 .A.... 0 0 0 ?
Network Traffic - Deep Learning 20 • Solution: Deep Learning • No feature engineering - really? • Lots of data available • What are the labels? Most security problems can’t be solved with Deep Learning
Analytics Challenges 21 • Data cleansing • Wrong features -> wrong results • Distance functions (for unsupervised approaches) • Selecting the right algorithm (there is more than k-means!) • Algorithmic stability across iterations (iterative)? • Parameter choices for algorithm
VAST Challenge 2013 Submission – Spot the Problems? 22 dest port! Port 70000? src ports! http://vis.pku.edu.cn/people/simingchen/docs/vastchallenge13-mc3.pdf
Distance Functions 23 • Need a domain-centric similarity function • URLs (simple levenshtein distance versus domain based?) • Ports (and IPs, ASNs) are NOT numerical features • Treat user names as categories, not strings outlier?!
Distance Functions 24
Illustration of Parameter Choices and Their Failures • t-SNE clustering of network traffic from two types of machines perplexity = 3 epsilon = 3 No clear separation perplexity = 3 epsilon = 19 3 clusters instead of 2 perplexity = 93 epsilon = 19 What a mess
Illustration of Parameter Choices and Their Failures • Dangerous clusters
Network Traffic - Unsupervised Attempt 27 The graph shows an abstract space with colors being machine identified clusters. Preparation: • Feature engineering • Distance functions (what’s similar?) • Algorithm parameters Hard Questions: • What are these clusters? • What are good clusters? • What’s anomalous? What are the attacks?
The Real Problems 28 • Missing context • Asset inventory • User information • Missing expert knowledge • Domain expertise Possible Solutions • Enable data exploration • Improved Human Computer Interfaces & visualization • (Bayesian) Belief Networks
In Summary 29
Summary • Build solutions for actual problems with real data that produce actionable insight • Encode expert knowledge - leverage experienced experts • Use simple systems - how about letting users give input? Push problem to the edge • Don’t start with the algorithms - EVER • Start with the problem at hand and choose the right approach (hardly ever ML) • From the problem gather the right data and context • Use ML for problems where you have a large corpus of well labeled data • Chose meaningful distance functions • Verify your models - use visualization to help with that • Measure through user feedback, what you have implemented makes sense and pleases users • Allow for expert supervision - feedback loops • Share your insights with your peers – security is not your competitive advantage
BlackHat Workshop 31 Applied Machine Learning 
 for 
 Identity and Access Management August 4,5 & August 6,7 - Las Vegas, USA ML | AI | IAM http://secviz.org
Questions? 32 http://slideshare.net/zrlram @raffaelmarty "You can hear the sound of two hands when they clap together," said Mokurai. "Now show me the sound of one hand."
1 of 32

AI & ML in Cyber Security - Why Algorithms Are Dangerous

Download to read offline
Internet

Every single security company is talking in some way or another about how they are applying machine learning. Companies go out of their way to make sure they mention machine learning and not statistics when they explain how they work. Recently, that's not enough anymore either. As a security company you have to claim artificial intelligence to be even part of the conversation. Guess what. It's all baloney. We have entered a state in cyber security that is, in fact, dangerous. We are blindly relying on algorithms to do the right thing. We are letting deep learning algorithms detect anomalies in our data without having a clue what that algorithm just did. In academia, they call this the lack of explainability and verifiability. But rather than building systems with actual security knowledge, companies are using algorithms that nobody understands and in turn discover wrong insights. In this talk I will show the limitations of machine learning, outline the issues of explainability, and show where deep learning should never be applied. I will show examples of how the blind application of algorithms (including deep learning) actually leads to wrong results. Algorithms are dangerous. We need to revert back to experts and invest in systems that learn from, and absorb the knowledge, of experts.

Raffael Marty
Raffael MartyGeneralManager Cybersecurity at ConnectWise

Recommended

AI and ML in Cybersecurity by
AI and ML in CybersecurityAI and ML in Cybersecurity
AI and ML in CybersecurityForcepoint LLC
2.7K views40 slides
Ethical hacking by
Ethical hackingEthical hacking
Ethical hackingNaveen Sihag
28.7K views19 slides
Artificial Intelligence and Cybersecurity by
Artificial Intelligence and CybersecurityArtificial Intelligence and Cybersecurity
Artificial Intelligence and CybersecurityOlivier Busolini
17.2K views25 slides
Cyber security with ai by
Cyber security with aiCyber security with ai
Cyber security with aiBurhan Ahmed
14.4K views19 slides
The Ethics of Artificial Intelligence by
The Ethics of Artificial IntelligenceThe Ethics of Artificial Intelligence
The Ethics of Artificial IntelligenceKarl Seiler
9.1K views43 slides
The Secret Of Hacking Trial Pages by
The Secret Of Hacking Trial PagesThe Secret Of Hacking Trial Pages
The Secret Of Hacking Trial Pagesleoimpact
19.3K views29 slides

More Related Content

What's hot

Cyber security and AI by
Cyber security and AICyber security and AI
Cyber security and AIDexterJanPineda
466 views15 slides
HOW AI CAN HELP IN CYBERSECURITY by
HOW AI CAN HELP IN CYBERSECURITYHOW AI CAN HELP IN CYBERSECURITY
HOW AI CAN HELP IN CYBERSECURITYPriyanshu Ratnakar
905 views13 slides
Phishing Detection using Machine Learning by
Phishing Detection using Machine LearningPhishing Detection using Machine Learning
Phishing Detection using Machine LearningArjun BM
6.2K views8 slides
Artificial Intelligence in cybersecurity by
Artificial Intelligence in cybersecurityArtificial Intelligence in cybersecurity
Artificial Intelligence in cybersecuritySmartlearningUK
399 views22 slides
Cyber crime by
Cyber crimeCyber crime
Cyber crimeDebayon Saha
3.9K views19 slides
What is Artificial Intelligence | Artificial Intelligence Tutorial For Beginn... by
What is Artificial Intelligence | Artificial Intelligence Tutorial For Beginn...What is Artificial Intelligence | Artificial Intelligence Tutorial For Beginn...
What is Artificial Intelligence | Artificial Intelligence Tutorial For Beginn...Edureka!
1.9M views42 slides

What's hot(20)

Cyber security and AI by DexterJanPineda
Cyber security and AICyber security and AI
Cyber security and AI
DexterJanPineda466 views
HOW AI CAN HELP IN CYBERSECURITY by Priyanshu Ratnakar
HOW AI CAN HELP IN CYBERSECURITYHOW AI CAN HELP IN CYBERSECURITY
HOW AI CAN HELP IN CYBERSECURITY
Priyanshu Ratnakar905 views
Phishing Detection using Machine Learning by Arjun BM
Phishing Detection using Machine LearningPhishing Detection using Machine Learning
Phishing Detection using Machine Learning
Arjun BM6.2K views
Artificial Intelligence in cybersecurity by SmartlearningUK
Artificial Intelligence in cybersecurityArtificial Intelligence in cybersecurity
Artificial Intelligence in cybersecurity
SmartlearningUK399 views
Cyber crime by Debayon Saha
Cyber crimeCyber crime
Cyber crime
Debayon Saha3.9K views
What is Artificial Intelligence | Artificial Intelligence Tutorial For Beginn... by Edureka!
What is Artificial Intelligence | Artificial Intelligence Tutorial For Beginn...What is Artificial Intelligence | Artificial Intelligence Tutorial For Beginn...
What is Artificial Intelligence | Artificial Intelligence Tutorial For Beginn...
Edureka!1.9M views
A report on cyber Crime by Nikhil Chaudhary
A report on cyber CrimeA report on cyber Crime
A report on cyber Crime
Nikhil Chaudhary27.1K views
AI in security by Subrat Panda, PhD
AI in securityAI in security
AI in security
Subrat Panda, PhD965 views
Ai Ethics by sparks & honey
Ai EthicsAi Ethics
Ai Ethics
sparks & honey9.9K views
Machine Learning and its Applications by Dr Ganesh Iyer
Machine Learning and its ApplicationsMachine Learning and its Applications
Machine Learning and its Applications
Dr Ganesh Iyer16.1K views
Fraud detection ML by MaatougSelim
Fraud detection MLFraud detection ML
Fraud detection ML
MaatougSelim746 views
Overview of Artificial Intelligence in Cybersecurity by Olivier Busolini
Overview of Artificial Intelligence in CybersecurityOverview of Artificial Intelligence in Cybersecurity
Overview of Artificial Intelligence in Cybersecurity
Olivier Busolini10.6K views
ARTIFICIAL INTELLIGENCE by Omkar Shinde
ARTIFICIAL INTELLIGENCEARTIFICIAL INTELLIGENCE
ARTIFICIAL INTELLIGENCE
Omkar Shinde10.4K views
AI and the Impact on Cybersecurity by Graham Mann
AI and the Impact on CybersecurityAI and the Impact on Cybersecurity
AI and the Impact on Cybersecurity
Graham Mann1.1K views
Explaining Black-Box Machine Learning Predictions - Sameer Singh, Assistant P... by Sri Ambati
Explaining Black-Box Machine Learning Predictions - Sameer Singh, Assistant P...Explaining Black-Box Machine Learning Predictions - Sameer Singh, Assistant P...
Explaining Black-Box Machine Learning Predictions - Sameer Singh, Assistant P...
Sri Ambati4.2K views
How is ai important to the future of cyber security by Robert Smith
How is ai important to the future of cyber security How is ai important to the future of cyber security
How is ai important to the future of cyber security
Robert Smith489 views
The Rise of AI in Cybersecurity by EarlyRetirementBluep
The Rise of AI in Cybersecurity The Rise of AI in Cybersecurity
The Rise of AI in Cybersecurity
EarlyRetirementBluep95 views
Artificial intelligence by Institute of Technology Telkom
Artificial intelligenceArtificial intelligence
Artificial intelligence
Institute of Technology Telkom11.5K views
Machine Learning in Cyber Security by Rishi Kant
Machine Learning in Cyber SecurityMachine Learning in Cyber Security
Machine Learning in Cyber Security
Rishi Kant4.8K views
Artificial intelligence by gayathrysatheesan1
Artificial intelligenceArtificial intelligence
Artificial intelligence
gayathrysatheesan16.3K views

Similar to AI & ML in Cyber Security - Why Algorithms Are Dangerous

Rise of the machines -- Owasp israel -- June 2014 meetup by
Rise of the machines -- Owasp israel -- June 2014 meetupRise of the machines -- Owasp israel -- June 2014 meetup
Rise of the machines -- Owasp israel -- June 2014 meetupShlomo Yona
825 views44 slides
influence of AI in IS by
influence of AI in ISinfluence of AI in IS
influence of AI in ISISACA Riyadh
504 views65 slides
Webinar: Machine Learning para Microcontroladores by
Webinar: Machine Learning para MicrocontroladoresWebinar: Machine Learning para Microcontroladores
Webinar: Machine Learning para MicrocontroladoresEmbarcados
207 views82 slides
BsidesLVPresso2016_JZeditsv6 by
BsidesLVPresso2016_JZeditsv6BsidesLVPresso2016_JZeditsv6
BsidesLVPresso2016_JZeditsv6Rod Soto
261 views66 slides
Algorithm Marketplace and the new "Algorithm Economy" by
Algorithm Marketplace and the new "Algorithm Economy"Algorithm Marketplace and the new "Algorithm Economy"
Algorithm Marketplace and the new "Algorithm Economy"Diego Oppenheimer
2.3K views47 slides
are algorithms really a black box by
are algorithms really a black boxare algorithms really a black box
are algorithms really a black boxAnsgar Koene
842 views14 slides

Similar to AI & ML in Cyber Security - Why Algorithms Are Dangerous(20)

Rise of the machines -- Owasp israel -- June 2014 meetup by Shlomo Yona
Rise of the machines -- Owasp israel -- June 2014 meetupRise of the machines -- Owasp israel -- June 2014 meetup
Rise of the machines -- Owasp israel -- June 2014 meetup
Shlomo Yona825 views
influence of AI in IS by ISACA Riyadh
influence of AI in ISinfluence of AI in IS
influence of AI in IS
ISACA Riyadh504 views
Webinar: Machine Learning para Microcontroladores by Embarcados
Webinar: Machine Learning para MicrocontroladoresWebinar: Machine Learning para Microcontroladores
Webinar: Machine Learning para Microcontroladores
Embarcados207 views
BsidesLVPresso2016_JZeditsv6 by Rod Soto
BsidesLVPresso2016_JZeditsv6BsidesLVPresso2016_JZeditsv6
BsidesLVPresso2016_JZeditsv6
Rod Soto261 views
Algorithm Marketplace and the new "Algorithm Economy" by Diego Oppenheimer
Algorithm Marketplace and the new "Algorithm Economy"Algorithm Marketplace and the new "Algorithm Economy"
Algorithm Marketplace and the new "Algorithm Economy"
Diego Oppenheimer2.3K views
are algorithms really a black box by Ansgar Koene
are algorithms really a black boxare algorithms really a black box
are algorithms really a black box
Ansgar Koene842 views
INCOSE IS 2019: AI and Systems Engineering by CARLOS III UNIVERSITY OF MADRID
INCOSE IS 2019: AI and Systems EngineeringINCOSE IS 2019: AI and Systems Engineering
INCOSE IS 2019: AI and Systems Engineering
CARLOS III UNIVERSITY OF MADRID388 views
2020 09-16-ai-engineering challanges by Ivica Crnkovic
2020 09-16-ai-engineering challanges2020 09-16-ai-engineering challanges
2020 09-16-ai-engineering challanges
Ivica Crnkovic154 views
AI4SE: Challenges and opportunities in the integration of Systems Engineering... by CARLOS III UNIVERSITY OF MADRID
AI4SE: Challenges and opportunities in the integration of Systems Engineering...AI4SE: Challenges and opportunities in the integration of Systems Engineering...
AI4SE: Challenges and opportunities in the integration of Systems Engineering...
CARLOS III UNIVERSITY OF MADRID671 views
Machine Learning Deep Learning AI and Data Science by Venkata Reddy Konasani
Machine Learning Deep Learning AI and Data Science Machine Learning Deep Learning AI and Data Science
Machine Learning Deep Learning AI and Data Science
Venkata Reddy Konasani7.9K views
Visualization in the Age of Big Data by Raffael Marty
Visualization in the Age of Big DataVisualization in the Age of Big Data
Visualization in the Age of Big Data
Raffael Marty6.9K views
Delivering Security Insights with Data Analytics and Visualization by Raffael Marty
Delivering Security Insights with Data Analytics and VisualizationDelivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and Visualization
Raffael Marty3.7K views
Machine Learning for Your Enterprise: Operations and Security for Mainframe E... by Precisely
Machine Learning for Your Enterprise: Operations and Security for Mainframe E...Machine Learning for Your Enterprise: Operations and Security for Mainframe E...
Machine Learning for Your Enterprise: Operations and Security for Mainframe E...
Precisely406 views
Applications of Machine Learning and Metaheuristic Search to Security Testing by Lionel Briand
Applications of Machine Learning and Metaheuristic Search to Security TestingApplications of Machine Learning and Metaheuristic Search to Security Testing
Applications of Machine Learning and Metaheuristic Search to Security Testing
Lionel Briand697 views
The Scope for Robotic Process Automation & Machine Learning in Telecom Operat... by James Crawshaw
The Scope for Robotic Process Automation & Machine Learning in Telecom Operat...The Scope for Robotic Process Automation & Machine Learning in Telecom Operat...
The Scope for Robotic Process Automation & Machine Learning in Telecom Operat...
James Crawshaw83 views
H2O for IoT - Jo-Fai (Joe) Chow, H2O by Data Science Milan
H2O for IoT - Jo-Fai (Joe) Chow, H2OH2O for IoT - Jo-Fai (Joe) Chow, H2O
H2O for IoT - Jo-Fai (Joe) Chow, H2O
Data Science Milan428 views
AI in the Enterprise: Past, Present & Future - StampedeCon AI Summit 2017 by StampedeCon
AI in the Enterprise: Past, Present & Future - StampedeCon AI Summit 2017AI in the Enterprise: Past, Present & Future - StampedeCon AI Summit 2017
AI in the Enterprise: Past, Present & Future - StampedeCon AI Summit 2017
StampedeCon563 views
Machine Learning for (DF)IR with Velociraptor: From Setting Expectations to a... by Chris Hammerschmidt
Machine Learning for (DF)IR with Velociraptor: From Setting Expectations to a...Machine Learning for (DF)IR with Velociraptor: From Setting Expectations to a...
Machine Learning for (DF)IR with Velociraptor: From Setting Expectations to a...
Chris Hammerschmidt52 views
On the Application of AI for Failure Management: Problems, Solutions and Algo... by Jorge Cardoso
On the Application of AI for Failure Management: Problems, Solutions and Algo...On the Application of AI for Failure Management: Problems, Solutions and Algo...
On the Application of AI for Failure Management: Problems, Solutions and Algo...
Jorge Cardoso173 views
Network Automation Journey, A systems engineer NetOps perspective by Walid Shaari
Network Automation Journey, A systems engineer NetOps perspectiveNetwork Automation Journey, A systems engineer NetOps perspective
Network Automation Journey, A systems engineer NetOps perspective
Walid Shaari1.5K views

More from Raffael Marty

Exploring the Defender's Advantage by
Exploring the Defender's AdvantageExploring the Defender's Advantage
Exploring the Defender's AdvantageRaffael Marty
137 views36 slides
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti... by
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Raffael Marty
973 views19 slides
How To Drive Value with Security Data by
How To Drive Value with Security DataHow To Drive Value with Security Data
How To Drive Value with Security DataRaffael Marty
3.4K views7 slides
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes? by
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Raffael Marty
6.4K views30 slides
Artificial Intelligence – Time Bomb or The Promised Land? by
Artificial Intelligence – Time Bomb or The Promised Land?Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?Raffael Marty
1K views20 slides
Understanding the "Intelligence" in AI by
Understanding the "Intelligence" in AIUnderstanding the "Intelligence" in AI
Understanding the "Intelligence" in AIRaffael Marty
942 views12 slides

More from Raffael Marty(20)

Exploring the Defender's Advantage by Raffael Marty
Exploring the Defender's AdvantageExploring the Defender's Advantage
Exploring the Defender's Advantage
Raffael Marty137 views
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti... by Raffael Marty
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Raffael Marty973 views
How To Drive Value with Security Data by Raffael Marty
How To Drive Value with Security DataHow To Drive Value with Security Data
How To Drive Value with Security Data
Raffael Marty3.4K views
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes? by Raffael Marty
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Raffael Marty6.4K views
Artificial Intelligence – Time Bomb or The Promised Land? by Raffael Marty
Artificial Intelligence – Time Bomb or The Promised Land?Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?
Raffael Marty1K views
Understanding the "Intelligence" in AI by Raffael Marty
Understanding the "Intelligence" in AIUnderstanding the "Intelligence" in AI
Understanding the "Intelligence" in AI
Raffael Marty942 views
Security Chat 5.0 by Raffael Marty
Security Chat 5.0Security Chat 5.0
Security Chat 5.0
Raffael Marty449 views
AI & ML in Cyber Security - Why Algorithms are Dangerous by Raffael Marty
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are Dangerous
Raffael Marty7.2K views
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed by Raffael Marty
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't ChangedAI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
Raffael Marty4.5K views
Security Insights at Scale by Raffael Marty
Security Insights at ScaleSecurity Insights at Scale
Security Insights at Scale
Raffael Marty2.5K views
Creating Your Own Threat Intel Through Hunting & Visualization by Raffael Marty
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
Raffael Marty2.7K views
Creating Your Own Threat Intel Through Hunting & Visualization by Raffael Marty
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
Raffael Marty25.2K views
Big Data Visualization by Raffael Marty
Big Data VisualizationBig Data Visualization
Big Data Visualization
Raffael Marty41.5K views
The Heatmap
 - Why is Security Visualization so Hard? by Raffael Marty
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?
Raffael Marty2.5K views
Workshop: Big Data Visualization for Security by Raffael Marty
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for Security
Raffael Marty22.1K views
Visualization for Security by Raffael Marty
Visualization for SecurityVisualization for Security
Visualization for Security
Raffael Marty7.7K views
The Heatmap
 - Why is Security Visualization so Hard? by Raffael Marty
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?
Raffael Marty8K views
DAVIX - Data Analysis and Visualization Linux by Raffael Marty
DAVIX - Data Analysis and Visualization LinuxDAVIX - Data Analysis and Visualization Linux
DAVIX - Data Analysis and Visualization Linux
Raffael Marty4.2K views
Cloud - Security - Big Data by Raffael Marty
Cloud - Security - Big DataCloud - Security - Big Data
Cloud - Security - Big Data
Raffael Marty2.1K views
Cyber Security – How Visual Analytics Unlock Insight by Raffael Marty
Cyber Security – How Visual Analytics Unlock InsightCyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock Insight
Raffael Marty33K views

Recently uploaded

information by
informationinformation
informationkhelgishekhar
10 views4 slides
Affiliate Marketing by
Affiliate MarketingAffiliate Marketing
Affiliate MarketingNavin Dhanuka
17 views30 slides
IETF 118: Starlink Protocol Performance by
IETF 118: Starlink Protocol PerformanceIETF 118: Starlink Protocol Performance
IETF 118: Starlink Protocol PerformanceAPNIC
394 views22 slides
How to think like a threat actor for Kubernetes.pptx by
How to think like a threat actor for Kubernetes.pptxHow to think like a threat actor for Kubernetes.pptx
How to think like a threat actor for Kubernetes.pptxLibbySchulze1
5 views33 slides
PORTFOLIO 1 (Bret Michael Pepito).pdf by
PORTFOLIO 1 (Bret Michael Pepito).pdfPORTFOLIO 1 (Bret Michael Pepito).pdf
PORTFOLIO 1 (Bret Michael Pepito).pdfbrejess0410
9 views6 slides
WEB 2.O TOOLS: Empowering education.pptx by
WEB 2.O TOOLS: Empowering education.pptxWEB 2.O TOOLS: Empowering education.pptx
WEB 2.O TOOLS: Empowering education.pptxnarmadhamanohar21
16 views16 slides

Recently uploaded(10)

information by khelgishekhar
informationinformation
information
khelgishekhar10 views
Affiliate Marketing by Navin Dhanuka
Affiliate MarketingAffiliate Marketing
Affiliate Marketing
Navin Dhanuka17 views
IETF 118: Starlink Protocol Performance by APNIC
IETF 118: Starlink Protocol PerformanceIETF 118: Starlink Protocol Performance
IETF 118: Starlink Protocol Performance
APNIC394 views
How to think like a threat actor for Kubernetes.pptx by LibbySchulze1
How to think like a threat actor for Kubernetes.pptxHow to think like a threat actor for Kubernetes.pptx
How to think like a threat actor for Kubernetes.pptx
LibbySchulze15 views
PORTFOLIO 1 (Bret Michael Pepito).pdf by brejess0410
PORTFOLIO 1 (Bret Michael Pepito).pdfPORTFOLIO 1 (Bret Michael Pepito).pdf
PORTFOLIO 1 (Bret Michael Pepito).pdf
brejess04109 views
WEB 2.O TOOLS: Empowering education.pptx by narmadhamanohar21
WEB 2.O TOOLS: Empowering education.pptxWEB 2.O TOOLS: Empowering education.pptx
WEB 2.O TOOLS: Empowering education.pptx
narmadhamanohar2116 views
Building trust in our information ecosystem: who do we trust in an emergency by Tina Purnat
Building trust in our information ecosystem: who do we trust in an emergencyBuilding trust in our information ecosystem: who do we trust in an emergency
Building trust in our information ecosystem: who do we trust in an emergency
Tina Purnat109 views
The Dark Web : Hidden Services by Anshu Singh
The Dark Web : Hidden ServicesThe Dark Web : Hidden Services
The Dark Web : Hidden Services
Anshu Singh5 views
Marketing and Community Building in Web3 by Federico Ast
Marketing and Community Building in Web3Marketing and Community Building in Web3
Marketing and Community Building in Web3
Federico Ast14 views
hamro digital logics.pptx by tupeshghimire
hamro digital logics.pptxhamro digital logics.pptx
hamro digital logics.pptx
tupeshghimire9 views

AI & ML in Cyber Security - Why Algorithms Are Dangerous

  • 1. Raffael Marty AI & ML in Cyber Security Why Algorithms Are Dangerous Cancun, Mexico March, 2018
  • 2. A Brief Summary 2 • We don’t have artificial intelligence (yet) • Algorithms are getting ‘smarter’, but experts are more important • Stop throwing algorithms on the wall - they are not spaghetti • Understand your data and your algorithms • Invest in people who know security (and have experience) • Build “export knowledge” absorbing systems • Focus on advancing insights
  • 3. 3 The master of Kennin temple was Mokurai. He had a little protégé named Toyo who was only twelve years old. Toyo saw how students entered the masters room each day and received instructions and guidance in Zen. The young boy wished to do zazen (meditation) as well. Upon convincing Mokuri, he went in front of the master who gave him the following koan to ponder: "You can hear the sound of two hands when they clap together," said Mokurai. "Now show me the sound of one hand."
  • 4. Outline 4 An Example Let’s Get Practical Statistics, Machine Learning & AI Defining the Concepts 1 2 The Algorithmic Problem Understanding the Data and the Algorithms 3
  • 6. 6 “Everyone calls their stuff ‘machine learning’ or even better ‘artificial intelligence’ - It’s not cool to use statistics!” 
 “Companies are throwing algorithms on the wall to see what sticks - see security analytics market”
  • 7. ML and AI – What Is It? 7 • Machine Learning – Algorithmic ways to “describe” data o Supervised - learning from training data o Unsupervised - optimization problem to solve (clustering, dim reduction) • Deep Learning – a ‘newer’ machine learning algorithm o Eliminates the feature engineering step o Verifiability / explainability issues • Data Mining – Methods to explore data – automatically and interactively • Artificial Intelligence – “Just calling something AI doesn’t make it AI.” ”A program that doesn't simply classify or compute model parameters, but comes up with novel knowledge that a security analyst finds insightful.”
  • 8. What “AI” Does Today 8 •Kick a human's ass at Go •Design more effective drugs •Make Siri smarter
  • 9. Machine Learning Uses in Security 9 • Supervised o Malware classification (deep learning poster child) o Spam identification o MLSec project on firewall data • Unsupervised o DNS analytics (domain name classification, lookup frequencies, etc.) o Threat Intelligence feed curation (IOC prioritization, deduplication, …) o Tier 1 analyst automation (reducing 600M events to 100 incidents)* o User and Entity Behavior Analytics (UEBA) * See Respond Software Inc.
  • 10. The Algorithmic Problem Understanding the Data and the Algorithms 10
  • 12. Famous AI (Algorithm) Failures 12 neil.fraser.name/writing/tank/ US government in October 2016 published a comprehensive report titled 
 “Preparing for the future of artificial intelligence”
  • 13. What Makes Algorithms Dangerous? 13 • Algorithms make assumptions about the data • Assume ‘clean’ data (src/dst confusion, user feedback, etc.) • Often assume a certain type of data and their distribution • Don’t deal with outliers • Machine learning assumes enough, representative data • Needs contextual features (e.g., not just IP addresses) • Assume all input features are ‘normalized’ the same way • Algorithms are too easy to use these days (tensorflow, torch, ML on AWS, etc.) • The process is more important than the algorithm (e.g., feature engineering, supervision, drop outs, parameter choices, etc.) • Algorithms do not take domain knowledge into account • Defining meaningful and representative distance functions, for example • e.g., each L4 protocol exhibits different behavior. Train it separately. • e.g., interpretation is often unvalidated - beware of overfitting and biased models. • Ports look like numerical features, they are not, same is true for IPs, processIDs, HTTP return codes, etc.
  • 14. Models Are Just Approximations 14 High Bias -  increasing the number of input features. How do you know in what case you operate? • ML explainability problem • Compute error margins model
 classifies future instances high 
 error failure
 to generalize High Variance reduce the number of input features, increasing the number of training examples
  • 15. Cognitive Biases 15 • How biased is your data set? How do you know? • Only a single customer’s data • Learning from an ‘infected’ data set • Collection errors • Missing data (e.g., due to misconfiguration) • What’s the context the data operates in? • FTP although generally considered old and insecure, isn’t always problematic • Don’t trust your IDS (e.g. “UDP bomb”)
  • 16. Don’t Use Machine Learning If … 16 • Not enough or no quality labeled data • Don’t use for network traffic analysis - you don’t have labeled data - really, you don’t! • No well trained domain experts and data scientists to oversee the implementation • Not enough domain expertise to engineer good features • Need to understand what ML actually learned (explainability) Also remember • Data cleanliness issues (timestamps, normalization across fields, etc.) • Operational challenges (scalability and adaptability) of implementing machine learning models in practice
  • 17. Adversarial Machine Learning 17 • An example of an attack on deep learning
  • 19. Network Traffic - Finding Anomalies / Attacks 19 • Given: Netflow • Task: Find anomalies / attacks 2 2005-10-22 23:09:45.903 -1.000 UDP 192.168.0.2 62569 -> 192.168.0.255 8612 0 0 1 0 .A.... 0 0 0 3 2005-10-22 23:09:53.003 -1.000 UDP 192.168.0.2 52457 -> 192.168.0.255 8612 0 0 1 0 .A.... 0 0 0 4 2005-10-22 23:09:58.435 -1.000 ICMP 192.168.2.2 0 -> 192.168.2.1 3.3 0 0 2 0 .A.... 192 0 0 5 2005-10-22 23:10:00.103 -1.000 UDP 192.168.0.2 59028 -> 192.168.0.255 8612 0 0 1 0 .A.... 0 0 0 6 2005-10-22 23:10:03.839 -1.000 UDP 192.168.2.2 138 -> 192.168.2.255 138 0 0 2 0 .A.... 0 0 0 7 2005-10-22 23:10:04.971 -1.000 UDP 192.168.0.2 17500 -> 255.255.255.255 17500 0 0 1 0 .A.... 0 0 0 8 2005-10-22 23:10:04.971 -1.000 UDP 192.168.0.2 17500 -> 192.168.0.255 17500 0 0 1 0 .A.... 0 0 0 9 2005-10-22 23:10:07.207 -1.000 UDP 192.168.0.2 62319 -> 192.168.0.255 8612 0 0 1 0 .A.... 0 0 0 10 2005-10-22 23:10:14.311 -1.000 UDP 192.168.0.2 50273 -> 192.168.0.255 8612 0 0 1 0 .A.... 0 0 0 11 2005-10-22 23:10:21.403 -1.000 UDP 192.168.0.2 56243 -> 192.168.0.255 8612 0 0 1 0 .A.... 0 0 0 12 2005-10-22 23:10:25.267 -1.000 ICMP 192.168.0.2 0 -> 192.168.2.1 8.0 0 0 1 0 .A.... 0 0 0 13 2005-10-22 23:10:28.043 0.004 ICMP 192.168.0.2 0 -> 192.168.2.2 8.0 0 0 1 2 .A.... 0 1338 1 14 2005-10-22 23:10:28.499 -1.000 UDP 192.168.0.2 62390 -> 192.168.0.255 8612 0 0 1 0 .A.... 0 0 0 15 2005-10-22 23:10:35.019 -1.000 UDP 192.168.0.2 17500 -> 255.255.255.255 17500 0 0 1 0 .A.... 0 0 0 16 2005-10-22 23:10:35.019 -1.000 UDP 192.168.0.2 17500 -> 192.168.0.255 17500 0 0 1 0 .A.... 0 0 0 ?
  • 20. Network Traffic - Deep Learning 20 • Solution: Deep Learning • No feature engineering - really? • Lots of data available • What are the labels? Most security problems can’t be solved with Deep Learning
  • 21. Analytics Challenges 21 • Data cleansing • Wrong features -> wrong results • Distance functions (for unsupervised approaches) • Selecting the right algorithm (there is more than k-means!) • Algorithmic stability across iterations (iterative)? • Parameter choices for algorithm
  • 22. VAST Challenge 2013 Submission – Spot the Problems? 22 dest port! Port 70000? src ports! http://vis.pku.edu.cn/people/simingchen/docs/vastchallenge13-mc3.pdf
  • 23. Distance Functions 23 • Need a domain-centric similarity function • URLs (simple levenshtein distance versus domain based?) • Ports (and IPs, ASNs) are NOT numerical features • Treat user names as categories, not strings outlier?!
  • 25. Illustration of Parameter Choices and Their Failures • t-SNE clustering of network traffic from two types of machines perplexity = 3 epsilon = 3 No clear separation perplexity = 3 epsilon = 19 3 clusters instead of 2 perplexity = 93 epsilon = 19 What a mess
  • 26. Illustration of Parameter Choices and Their Failures • Dangerous clusters
  • 27. Network Traffic - Unsupervised Attempt 27 The graph shows an abstract space with colors being machine identified clusters. Preparation: • Feature engineering • Distance functions (what’s similar?) • Algorithm parameters Hard Questions: • What are these clusters? • What are good clusters? • What’s anomalous? What are the attacks?
  • 28. The Real Problems 28 • Missing context • Asset inventory • User information • Missing expert knowledge • Domain expertise Possible Solutions • Enable data exploration • Improved Human Computer Interfaces & visualization • (Bayesian) Belief Networks
  • 30. Summary • Build solutions for actual problems with real data that produce actionable insight • Encode expert knowledge - leverage experienced experts • Use simple systems - how about letting users give input? Push problem to the edge • Don’t start with the algorithms - EVER • Start with the problem at hand and choose the right approach (hardly ever ML) • From the problem gather the right data and context • Use ML for problems where you have a large corpus of well labeled data • Chose meaningful distance functions • Verify your models - use visualization to help with that • Measure through user feedback, what you have implemented makes sense and pleases users • Allow for expert supervision - feedback loops • Share your insights with your peers – security is not your competitive advantage
  • 31. BlackHat Workshop 31 Applied Machine Learning 
 for 
 Identity and Access Management August 4,5 & August 6,7 - Las Vegas, USA ML | AI | IAM http://secviz.org
  • 32. Questions? 32 http://slideshare.net/zrlram @raffaelmarty "You can hear the sound of two hands when they clap together," said Mokurai. "Now show me the sound of one hand."