This talk focuses on how AI can be leveraged to solve some of the subproblems in cybersecurity. The talk will start with a discussion on why there is a surge in data breaches, and cybersecurity attacks? Then I will discuss some of the use cases, data pipeline, and architectural details of AI solutions for the cybersecurity. Here is a detailed plan for the talk: (1) The current state of Information security and tools (5 mins). (2) A brief history and current status of using AI for the InfoSec (5 mins). Currently, security data science tools primarily process raw data from multiple data sources such as network flows, authentication logs, firewall logs, endpoints, and detect anomalous events. These tools generate a large number of false positives, and they need to be further investigated by security analysts. Specifically, I will address the following questions: - What is the foundation of current security data science tools? - What are the pros and cons of existing tools? (3) AI use cases, data pipeline, architecture, and data experiments (15 mins): Following questions will be addressed: - What are the different use cases that can be enabled by AI? - How would it transform the incident response? What's a typical data pipeline and architecture of cybersecurity AI solution? Demo 1: PowerShell Obfuscation Detection using Deep Learning Neural Networks Demo 2: Malicious URL Detection using Recurrent Neural Networks (4) Challenges and limitations of using AI alone for cybersecurity (5 mins) - AI generates too many false positives - Enterprises can investigate only 2-5% of alerts due to the limited number of security analysts Need for an automated response, not just detection (5) Our approach: fuse deception with AI (10 mins): A key objective of the deception is to deceive the inside-network attacks and threats to detect, engage, trap, and remediate them. Deception provides high fidelity alerts, and AI delivers an ability to construct context about the alert. By fusing deception and data science, security analysts can do proactive defense. We shall demonstrate our approach with specific case studies: - Demo 3- Detecting and Inferring threats in a high interaction decoy using AI engine (6) Q&A (5 mins)

1. AI for CyberSecurity
Satnam Singh, PhD
Chief Data Scientist
Acalvio Technologies
ODSC India
2019

2. Outline
• Information Security problem
• Deep learning for InfoSec
• Tor Traffic Detection
• CnC Detection
• Can we do something different?

3. Time to Act
Source: Verizon DBR, 2018

4. Data Breaches and Attacks
Source: M-Trends, 2019

5. Enterprise Network
SOC segment
Engineering
Internet
SOC
Ops Segment
Sales
Operations
Cloud
Information Security Problem
1. Network Security
2. Endpoint Security
3. Application Security
4. Data Security
5. Cloud Security
6. Web Security
7. Mobile Security
8. IoT Security
9. Transaction Security
10.Messaging Security

6. Ref: Momentum Cyber

7. Ref: Momentum Cyber

8. Basic Security Controls
• Boundary firewalls and internet gateways
• Malware protection
• Patch management
• Whitelisting and execution control
• Secure configuration
• Password policy
• User access control
• Incident management

9. Security Data Science

10. Security Data Sources
Network Logs
•Firewall
•IDS/IPS
•Network flow
•DNS
•Wi-fi
Easily into a few TBs of data per day
Endpoint Logs
•File System Changes
•Applications, Process,
OS logs
•Antivirus Alerts
Authentication Logs
• Windows Events
• Active Directory User Logs
• Privilege User

11. Evolution of Security Data Science
Time

12. Example 1: Cisco Encrypted Traffic Analysis
TK Keanini, “Machine Learning: The What and Why of AI,” RSA Conf’19

13. Example 2: Malware Detection
Joshua Saxe, Sophos, “Deep Neural Networks for Hackers: Methods, Applications,
and Open Source Tools,” BlackHat Conf’18

14. Example 3: MLsploit- Adversarial ML
GeorgiaTech & Intel https://mlsploit.github.io/

15. Deep Learning Use Cases
Network Security
1. Network intrusion detection (scanning, spoofing, etc.)
2. Application attack detection (OWASP-Top 10 attacks)
3. Phishing attack malicious URL detection
Endpoint Security
1. Malware detection and
classification
2. Spyware, Ransomware
detection
User Security
1. User behaviour Analytics
2. Detection of suspicious sign-in activities,
brute force attacks and infected devices

16. Case Study 1:
Tor Traffic Detection

17. Tor Network
Source: Distill networks
Adversaries use tor traffic for port scans, dark web
purchases, extortion and data exfiltration

18. Tor-nonTor Traffic - Dataset

19. Tor-nonTor Traffic - Dataset
Activity Details
Browsing HTTP, HTTPS traffic using Chrome and Firefox
Email Mails delivered via SMTP/S and received via POP3/SSL
and IMAP/SSL, Thunderbird client
Chat Facebook, Hangout, ICQ and IAM chat activities
Audio-streaming Spotify audio streaming
Video-streaming Youtube and Vimeo services over Chrome and Firefox
File transfer Skype file transfers, FTP over SSH, FTP over SSL traffic
sessions
VoIP Facebook, Hangout and Skype

20. Demo Using Tensorflow and Keras
Tor
Traffic
Classification
Unknown
scripts
Feature
f1
Feature f2
Non-Tor
Traffic

21. Case Study 2:
C&C Detection

22. Command and Control Detection
C&C domain examples:
• DGA based: gvludcvhcrjwmgq.in, uqvwxfrhhwreddf.yt
• non DGA based: thisisyourchangeqq.com, homejobsinstitute.biz
Ransomware
Malware
Enterprise Network
Main DB
Webserver
C&C server
Data
Command
Attacker

23. Update Models
DNS
data
Ranking of
Malicious
C&C
domains
C&C
domains
Classify benign vs
C&C domains using
LSTM
C&C Detection: Pipeline

24. Can we do something DIFFERENT?

25. 2. Speed up the Defender1. Slowdown the Attacker

26. Deception

28. Deception+DL

29. Deep Learning Engine

30. PowerShell Log Analyzer

31. • Pros of DL in InfoSec:
• Find hidden patterns in big data - “Needle in the haystack”
• Able to correlate across events
• Cons of DL in InfoSec:
• Too many False Positives !!
• No labels —> Using ML, DL becomes difficult
• DL+ Deception - A unique Solution to find hidden threats
Summary