SlideShare uma empresa Scribd logo

AI & ML in Cyber Security - Why Algorithms Are Dangerous

Raffael Marty
Raffael Marty

Every single security company is talking in some way or another about how they are applying machine learning. Companies go out of their way to make sure they mention machine learning and not statistics when they explain how they work. Recently, that's not enough anymore either. As a security company you have to claim artificial intelligence to be even part of the conversation. Guess what. It's all baloney. We have entered a state in cyber security that is, in fact, dangerous. We are blindly relying on algorithms to do the right thing. We are letting deep learning algorithms detect anomalies in our data without having a clue what that algorithm just did. In academia, they call this the lack of explainability and verifiability. But rather than building systems with actual security knowledge, companies are using algorithms that nobody understands and in turn discover wrong insights. In this talk I will show the limitations of machine learning, outline the issues of explainability, and show where deep learning should never be applied. I will show examples of how the blind application of algorithms (including deep learning) actually leads to wrong results. Algorithms are dangerous. We need to revert back to experts and invest in systems that learn from, and absorb the knowledge, of experts.

Internet
1 de 32
Baixar para ler offline
Raffael Marty AI & ML in Cyber Security Why Algorithms Are Dangerous Cancun, Mexico March, 2018
A Brief Summary 2 • We don’t have artificial intelligence (yet) • Algorithms are getting ‘smarter’, but experts are more important • Stop throwing algorithms on the wall - they are not spaghetti • Understand your data and your algorithms • Invest in people who know security (and have experience) • Build “export knowledge” absorbing systems • Focus on advancing insights
3 The master of Kennin temple was Mokurai. He had a little protégé named Toyo who was only twelve years old. Toyo saw how students entered the masters room each day and received instructions and guidance in Zen. The young boy wished to do zazen (meditation) as well. Upon convincing Mokuri, he went in front of the master who gave him the following koan to ponder: "You can hear the sound of two hands when they clap together," said Mokurai. "Now show me the sound of one hand."
Outline 4 An Example Let’s Get Practical Statistics, Machine Learning & AI Defining the Concepts 1 2 The Algorithmic Problem Understanding the Data and the Algorithms 3
5http://theconversation.com/your-questions-answered-on-artificial-intelligence-49645 Statistics
 Machine Learning &
 Artificial Intelligence
6 “Everyone calls their stuff ‘machine learning’ or even better ‘artificial intelligence’ - It’s not cool to use statistics!” 
 “Companies are throwing algorithms on the wall to see what sticks - see security analytics market”
ML and AI – What Is It? 7 • Machine Learning – Algorithmic ways to “describe” data o Supervised - learning from training data o Unsupervised - optimization problem to solve (clustering, dim reduction) • Deep Learning – a ‘newer’ machine learning algorithm o Eliminates the feature engineering step o Verifiability / explainability issues • Data Mining – Methods to explore data – automatically and interactively • Artificial Intelligence – “Just calling something AI doesn’t make it AI.” ”A program that doesn't simply classify or compute model parameters, but comes up with novel knowledge that a security analyst finds insightful.”
What “AI” Does Today 8 •Kick a human's ass at Go •Design more effective drugs •Make Siri smarter
Machine Learning Uses in Security 9 • Supervised o Malware classification (deep learning poster child) o Spam identification o MLSec project on firewall data • Unsupervised o DNS analytics (domain name classification, lookup frequencies, etc.) o Threat Intelligence feed curation (IOC prioritization, deduplication, …) o Tier 1 analyst automation (reducing 600M events to 100 incidents)* o User and Entity Behavior Analytics (UEBA) * See Respond Software Inc.
The Algorithmic Problem Understanding the Data and the Algorithms 10
Algorithms Are Dangerous 11
Famous AI (Algorithm) Failures 12 neil.fraser.name/writing/tank/ US government in October 2016 published a comprehensive report titled 
 “Preparing for the future of artificial intelligence”
What Makes Algorithms Dangerous? 13 • Algorithms make assumptions about the data • Assume ‘clean’ data (src/dst confusion, user feedback, etc.) • Often assume a certain type of data and their distribution • Don’t deal with outliers • Machine learning assumes enough, representative data • Needs contextual features (e.g., not just IP addresses) • Assume all input features are ‘normalized’ the same way • Algorithms are too easy to use these days (tensorflow, torch, ML on AWS, etc.) • The process is more important than the algorithm (e.g., feature engineering, supervision, drop outs, parameter choices, etc.) • Algorithms do not take domain knowledge into account • Defining meaningful and representative distance functions, for example • e.g., each L4 protocol exhibits different behavior. Train it separately. • e.g., interpretation is often unvalidated - beware of overfitting and biased models. • Ports look like numerical features, they are not, same is true for IPs, processIDs, HTTP return codes, etc.
Models Are Just Approximations 14 High Bias -  increasing the number of input features. How do you know in what case you operate? • ML explainability problem • Compute error margins model
 classifies future instances high 
 error failure
 to generalize High Variance reduce the number of input features, increasing the number of training examples
Cognitive Biases 15 • How biased is your data set? How do you know? • Only a single customer’s data • Learning from an ‘infected’ data set • Collection errors • Missing data (e.g., due to misconfiguration) • What’s the context the data operates in? • FTP although generally considered old and insecure, isn’t always problematic • Don’t trust your IDS (e.g. “UDP bomb”)
Don’t Use Machine Learning If … 16 • Not enough or no quality labeled data • Don’t use for network traffic analysis - you don’t have labeled data - really, you don’t! • No well trained domain experts and data scientists to oversee the implementation • Not enough domain expertise to engineer good features • Need to understand what ML actually learned (explainability) Also remember • Data cleanliness issues (timestamps, normalization across fields, etc.) • Operational challenges (scalability and adaptability) of implementing machine learning models in practice
Adversarial Machine Learning 17 • An example of an attack on deep learning
Example Let’s Get Practical 18
Network Traffic - Finding Anomalies / Attacks 19 • Given: Netflow • Task: Find anomalies / attacks 2 2005-10-22 23:09:45.903 -1.000 UDP 192.168.0.2 62569 -> 192.168.0.255 8612 0 0 1 0 .A.... 0 0 0 3 2005-10-22 23:09:53.003 -1.000 UDP 192.168.0.2 52457 -> 192.168.0.255 8612 0 0 1 0 .A.... 0 0 0 4 2005-10-22 23:09:58.435 -1.000 ICMP 192.168.2.2 0 -> 192.168.2.1 3.3 0 0 2 0 .A.... 192 0 0 5 2005-10-22 23:10:00.103 -1.000 UDP 192.168.0.2 59028 -> 192.168.0.255 8612 0 0 1 0 .A.... 0 0 0 6 2005-10-22 23:10:03.839 -1.000 UDP 192.168.2.2 138 -> 192.168.2.255 138 0 0 2 0 .A.... 0 0 0 7 2005-10-22 23:10:04.971 -1.000 UDP 192.168.0.2 17500 -> 255.255.255.255 17500 0 0 1 0 .A.... 0 0 0 8 2005-10-22 23:10:04.971 -1.000 UDP 192.168.0.2 17500 -> 192.168.0.255 17500 0 0 1 0 .A.... 0 0 0 9 2005-10-22 23:10:07.207 -1.000 UDP 192.168.0.2 62319 -> 192.168.0.255 8612 0 0 1 0 .A.... 0 0 0 10 2005-10-22 23:10:14.311 -1.000 UDP 192.168.0.2 50273 -> 192.168.0.255 8612 0 0 1 0 .A.... 0 0 0 11 2005-10-22 23:10:21.403 -1.000 UDP 192.168.0.2 56243 -> 192.168.0.255 8612 0 0 1 0 .A.... 0 0 0 12 2005-10-22 23:10:25.267 -1.000 ICMP 192.168.0.2 0 -> 192.168.2.1 8.0 0 0 1 0 .A.... 0 0 0 13 2005-10-22 23:10:28.043 0.004 ICMP 192.168.0.2 0 -> 192.168.2.2 8.0 0 0 1 2 .A.... 0 1338 1 14 2005-10-22 23:10:28.499 -1.000 UDP 192.168.0.2 62390 -> 192.168.0.255 8612 0 0 1 0 .A.... 0 0 0 15 2005-10-22 23:10:35.019 -1.000 UDP 192.168.0.2 17500 -> 255.255.255.255 17500 0 0 1 0 .A.... 0 0 0 16 2005-10-22 23:10:35.019 -1.000 UDP 192.168.0.2 17500 -> 192.168.0.255 17500 0 0 1 0 .A.... 0 0 0 ?
Network Traffic - Deep Learning 20 • Solution: Deep Learning • No feature engineering - really? • Lots of data available • What are the labels? Most security problems can’t be solved with Deep Learning
Analytics Challenges 21 • Data cleansing • Wrong features -> wrong results • Distance functions (for unsupervised approaches) • Selecting the right algorithm (there is more than k-means!) • Algorithmic stability across iterations (iterative)? • Parameter choices for algorithm
VAST Challenge 2013 Submission – Spot the Problems? 22 dest port! Port 70000? src ports! http://vis.pku.edu.cn/people/simingchen/docs/vastchallenge13-mc3.pdf
Distance Functions 23 • Need a domain-centric similarity function • URLs (simple levenshtein distance versus domain based?) • Ports (and IPs, ASNs) are NOT numerical features • Treat user names as categories, not strings outlier?!
Distance Functions 24
Illustration of Parameter Choices and Their Failures • t-SNE clustering of network traffic from two types of machines perplexity = 3 epsilon = 3 No clear separation perplexity = 3 epsilon = 19 3 clusters instead of 2 perplexity = 93 epsilon = 19 What a mess
Illustration of Parameter Choices and Their Failures • Dangerous clusters
Network Traffic - Unsupervised Attempt 27 The graph shows an abstract space with colors being machine identified clusters. Preparation: • Feature engineering • Distance functions (what’s similar?) • Algorithm parameters Hard Questions: • What are these clusters? • What are good clusters? • What’s anomalous? What are the attacks?
The Real Problems 28 • Missing context • Asset inventory • User information • Missing expert knowledge • Domain expertise Possible Solutions • Enable data exploration • Improved Human Computer Interfaces & visualization • (Bayesian) Belief Networks
In Summary 29
Summary • Build solutions for actual problems with real data that produce actionable insight • Encode expert knowledge - leverage experienced experts • Use simple systems - how about letting users give input? Push problem to the edge • Don’t start with the algorithms - EVER • Start with the problem at hand and choose the right approach (hardly ever ML) • From the problem gather the right data and context • Use ML for problems where you have a large corpus of well labeled data • Chose meaningful distance functions • Verify your models - use visualization to help with that • Measure through user feedback, what you have implemented makes sense and pleases users • Allow for expert supervision - feedback loops • Share your insights with your peers – security is not your competitive advantage
BlackHat Workshop 31 Applied Machine Learning 
 for 
 Identity and Access Management August 4,5 & August 6,7 - Las Vegas, USA ML | AI | IAM http://secviz.org
Questions? 32 http://slideshare.net/zrlram @raffaelmarty "You can hear the sound of two hands when they clap together," said Mokurai. "Now show me the sound of one hand."

Recomendados

“AI techniques in cyber-security applications”. Flammini lnu susec19
“AI techniques in cyber-security applications”. Flammini lnu susec19“AI techniques in cyber-security applications”. Flammini lnu susec19
“AI techniques in cyber-security applications”. Flammini lnu susec19
Francesco Flammini
 
ethical hacking
ethical hackingethical hacking
ethical hacking
Sathish Bommisetti
 
Stanford AI Report 2023
Stanford AI Report 2023Stanford AI Report 2023
Stanford AI Report 2023
Kapil Khandelwal (KK)
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
Vivek Mohbe
 
Final thesis presentation
Final thesis presentationFinal thesis presentation
Final thesis presentation
Pawan Singh
 
AI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are Dangerous
Raffael Marty
 
Gan seminar
Gan seminarGan seminar
Gan seminar
San Kim
 
Cyber security with ai
Cyber security with aiCyber security with ai
Cyber security with ai
Burhan Ahmed
 

Recomendados

“AI techniques in cyber-security applications”. Flammini lnu susec19
“AI techniques in cyber-security applications”. Flammini lnu susec19“AI techniques in cyber-security applications”. Flammini lnu susec19
“AI techniques in cyber-security applications”. Flammini lnu susec19
Francesco Flammini
 
ethical hacking
ethical hackingethical hacking
ethical hacking
Sathish Bommisetti
 
Stanford AI Report 2023
Stanford AI Report 2023Stanford AI Report 2023
Stanford AI Report 2023
Kapil Khandelwal (KK)
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
Vivek Mohbe
 
Final thesis presentation
Final thesis presentationFinal thesis presentation
Final thesis presentation
Pawan Singh
 
AI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are Dangerous
Raffael Marty
 
Gan seminar
Gan seminarGan seminar
Gan seminar
San Kim
 
Cyber security with ai
Cyber security with aiCyber security with ai
Cyber security with ai
Burhan Ahmed
 
Artificial Intelligence for Cyber Security
Artificial Intelligence for Cyber SecurityArtificial Intelligence for Cyber Security
Artificial Intelligence for Cyber Security
Priyanshu Ratnakar
 
Cyber security and AI
Cyber security and AICyber security and AI
Cyber security and AI
DexterJanPineda
 
Adversarial Attacks on A.I. Systems — NextCon, Jan 2019
Adversarial Attacks on A.I. Systems — NextCon, Jan 2019Adversarial Attacks on A.I. Systems — NextCon, Jan 2019
Adversarial Attacks on A.I. Systems — NextCon, Jan 2019
anant90
 
2020 12 nyu-workshop_cog_sec
2020 12 nyu-workshop_cog_sec2020 12 nyu-workshop_cog_sec
2020 12 nyu-workshop_cog_sec
Sara-Jayne Terp
 
Password Cracking with Rainbow Tables
Password Cracking with Rainbow TablesPassword Cracking with Rainbow Tables
Password Cracking with Rainbow Tables
Korhan Bircan
 
A Short Introduction to Generative Adversarial Networks
A Short Introduction to Generative Adversarial NetworksA Short Introduction to Generative Adversarial Networks
A Short Introduction to Generative Adversarial Networks
Jong Wook Kim
 
Machine Learning for Non-technical People
Machine Learning for Non-technical PeopleMachine Learning for Non-technical People
Machine Learning for Non-technical People
indico data
 
Adversarial Attacks and Defense
Adversarial Attacks and DefenseAdversarial Attacks and Defense
Adversarial Attacks and Defense
Kishor Datta Gupta
 
Data reduction techniques to analyze nsl kdd dataset
Data reduction techniques to analyze nsl kdd datasetData reduction techniques to analyze nsl kdd dataset
Data reduction techniques to analyze nsl kdd dataset
IAEME Publication
 
Applied Cryptography
Applied CryptographyApplied Cryptography
Applied Cryptography
Marcelo Martins
 
Transformers, LLMs, and the Possibility of AGI
Transformers, LLMs, and the Possibility of AGITransformers, LLMs, and the Possibility of AGI
Transformers, LLMs, and the Possibility of AGI
SynaptonIncorporated
 
Overview of Artificial Intelligence in Cybersecurity
Overview of Artificial Intelligence in CybersecurityOverview of Artificial Intelligence in Cybersecurity
Overview of Artificial Intelligence in Cybersecurity
Olivier Busolini
 
Artificial Intelligence
Artificial IntelligenceArtificial Intelligence
Artificial Intelligence
khanalbeeky2
 
Steganography
SteganographySteganography
Steganography
Girish Chandra
 
Introduction to AI
Introduction to AIIntroduction to AI
Introduction to AI
Sathittham Sangthong
 
AI
AIAI
AI
Robin Rohit
 
Honey encryption
Honey encryption Honey encryption
Honey encryption
SahadebBarman
 
Rootkit
RootkitRootkit
Rootkit
tech2click
 
AI and the Impact on Cybersecurity
AI and the Impact on CybersecurityAI and the Impact on Cybersecurity
AI and the Impact on Cybersecurity
Graham Mann
 
Artificial Intelligence in cybersecurity
Artificial Intelligence in cybersecurityArtificial Intelligence in cybersecurity
Artificial Intelligence in cybersecurity
SmartlearningUK
 
Rise of the machines -- Owasp israel -- June 2014 meetup
Rise of the machines -- Owasp israel -- June 2014 meetupRise of the machines -- Owasp israel -- June 2014 meetup
Rise of the machines -- Owasp israel -- June 2014 meetup
Shlomo Yona
 
influence of AI in IS
influence of AI in ISinfluence of AI in IS
influence of AI in IS
ISACA Riyadh
 

Mais conteúdo relacionado

Mais procurados

Artificial Intelligence for Cyber Security
Artificial Intelligence for Cyber SecurityArtificial Intelligence for Cyber Security
Artificial Intelligence for Cyber Security
Priyanshu Ratnakar
 

Mais procurados (20)

Artificial Intelligence for Cyber Security
Artificial Intelligence for Cyber SecurityArtificial Intelligence for Cyber Security
Artificial Intelligence for Cyber Security
 
Cyber security and AI
Cyber security and AICyber security and AI
Cyber security and AI
 
Adversarial Attacks on A.I. Systems — NextCon, Jan 2019
Adversarial Attacks on A.I. Systems — NextCon, Jan 2019Adversarial Attacks on A.I. Systems — NextCon, Jan 2019
Adversarial Attacks on A.I. Systems — NextCon, Jan 2019
 
2020 12 nyu-workshop_cog_sec
2020 12 nyu-workshop_cog_sec2020 12 nyu-workshop_cog_sec
2020 12 nyu-workshop_cog_sec
 
Password Cracking with Rainbow Tables
Password Cracking with Rainbow TablesPassword Cracking with Rainbow Tables
Password Cracking with Rainbow Tables
 
A Short Introduction to Generative Adversarial Networks
A Short Introduction to Generative Adversarial NetworksA Short Introduction to Generative Adversarial Networks
A Short Introduction to Generative Adversarial Networks
 
Machine Learning for Non-technical People
Machine Learning for Non-technical PeopleMachine Learning for Non-technical People
Machine Learning for Non-technical People
 
Adversarial Attacks and Defense
Adversarial Attacks and DefenseAdversarial Attacks and Defense
Adversarial Attacks and Defense
 
Data reduction techniques to analyze nsl kdd dataset
Data reduction techniques to analyze nsl kdd datasetData reduction techniques to analyze nsl kdd dataset
Data reduction techniques to analyze nsl kdd dataset
 
Applied Cryptography
Applied CryptographyApplied Cryptography
Applied Cryptography
 
Transformers, LLMs, and the Possibility of AGI
Transformers, LLMs, and the Possibility of AGITransformers, LLMs, and the Possibility of AGI
Transformers, LLMs, and the Possibility of AGI
 
Overview of Artificial Intelligence in Cybersecurity
Overview of Artificial Intelligence in CybersecurityOverview of Artificial Intelligence in Cybersecurity
Overview of Artificial Intelligence in Cybersecurity
 
Artificial Intelligence
Artificial IntelligenceArtificial Intelligence
Artificial Intelligence
 
Steganography
SteganographySteganography
Steganography
 
Introduction to AI
Introduction to AIIntroduction to AI
Introduction to AI
 
AI
AIAI
AI
 
Honey encryption
Honey encryption Honey encryption
Honey encryption
 
Rootkit
RootkitRootkit
Rootkit
 
AI and the Impact on Cybersecurity
AI and the Impact on CybersecurityAI and the Impact on Cybersecurity
AI and the Impact on Cybersecurity
 
Artificial Intelligence in cybersecurity
Artificial Intelligence in cybersecurityArtificial Intelligence in cybersecurity
Artificial Intelligence in cybersecurity
 

Semelhante a AI & ML in Cyber Security - Why Algorithms Are Dangerous

BsidesLVPresso2016_JZeditsv6
BsidesLVPresso2016_JZeditsv6BsidesLVPresso2016_JZeditsv6
BsidesLVPresso2016_JZeditsv6
Rod Soto
 
Algorithm Marketplace and the new "Algorithm Economy"
Algorithm Marketplace and the new "Algorithm Economy"Algorithm Marketplace and the new "Algorithm Economy"
Algorithm Marketplace and the new "Algorithm Economy"
Diego Oppenheimer
 
Visualization in the Age of Big Data
Visualization in the Age of Big DataVisualization in the Age of Big Data
Visualization in the Age of Big Data
Raffael Marty
 
Delivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and VisualizationDelivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and Visualization
Raffael Marty
 
Machine Learning for Your Enterprise: Operations and Security for Mainframe E...
Machine Learning for Your Enterprise: Operations and Security for Mainframe E...Machine Learning for Your Enterprise: Operations and Security for Mainframe E...
Machine Learning for Your Enterprise: Operations and Security for Mainframe E...
Precisely
 
AI in the Enterprise: Past, Present & Future - StampedeCon AI Summit 2017
AI in the Enterprise: Past, Present & Future - StampedeCon AI Summit 2017AI in the Enterprise: Past, Present & Future - StampedeCon AI Summit 2017
AI in the Enterprise: Past, Present & Future - StampedeCon AI Summit 2017
StampedeCon
 
Machine Learning for (DF)IR with Velociraptor: From Setting Expectations to a...
Machine Learning for (DF)IR with Velociraptor: From Setting Expectations to a...Machine Learning for (DF)IR with Velociraptor: From Setting Expectations to a...
Machine Learning for (DF)IR with Velociraptor: From Setting Expectations to a...
Chris Hammerschmidt
 
On the Application of AI for Failure Management: Problems, Solutions and Algo...
On the Application of AI for Failure Management: Problems, Solutions and Algo...On the Application of AI for Failure Management: Problems, Solutions and Algo...
On the Application of AI for Failure Management: Problems, Solutions and Algo...
Jorge Cardoso
 
Network Automation Journey, A systems engineer NetOps perspective
Network Automation Journey, A systems engineer NetOps perspectiveNetwork Automation Journey, A systems engineer NetOps perspective
Network Automation Journey, A systems engineer NetOps perspective
Walid Shaari
 

Semelhante a AI & ML in Cyber Security - Why Algorithms Are Dangerous (20)

Rise of the machines -- Owasp israel -- June 2014 meetup
Rise of the machines -- Owasp israel -- June 2014 meetupRise of the machines -- Owasp israel -- June 2014 meetup
Rise of the machines -- Owasp israel -- June 2014 meetup
 
influence of AI in IS
influence of AI in ISinfluence of AI in IS
influence of AI in IS
 
Webinar: Machine Learning para Microcontroladores
Webinar: Machine Learning para MicrocontroladoresWebinar: Machine Learning para Microcontroladores
Webinar: Machine Learning para Microcontroladores
 
BsidesLVPresso2016_JZeditsv6
BsidesLVPresso2016_JZeditsv6BsidesLVPresso2016_JZeditsv6
BsidesLVPresso2016_JZeditsv6
 
Algorithm Marketplace and the new "Algorithm Economy"
Algorithm Marketplace and the new "Algorithm Economy"Algorithm Marketplace and the new "Algorithm Economy"
Algorithm Marketplace and the new "Algorithm Economy"
 
are algorithms really a black box
are algorithms really a black boxare algorithms really a black box
are algorithms really a black box
 
INCOSE IS 2019: AI and Systems Engineering
INCOSE IS 2019: AI and Systems EngineeringINCOSE IS 2019: AI and Systems Engineering
INCOSE IS 2019: AI and Systems Engineering
 
2020 09-16-ai-engineering challanges
2020 09-16-ai-engineering challanges2020 09-16-ai-engineering challanges
2020 09-16-ai-engineering challanges
 
AI4SE: Challenges and opportunities in the integration of Systems Engineering...
AI4SE: Challenges and opportunities in the integration of Systems Engineering...AI4SE: Challenges and opportunities in the integration of Systems Engineering...
AI4SE: Challenges and opportunities in the integration of Systems Engineering...
 
Machine Learning Deep Learning AI and Data Science
Machine Learning Deep Learning AI and Data Science Machine Learning Deep Learning AI and Data Science
Machine Learning Deep Learning AI and Data Science
 
Visualization in the Age of Big Data
Visualization in the Age of Big DataVisualization in the Age of Big Data
Visualization in the Age of Big Data
 
Delivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and VisualizationDelivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and Visualization
 
Machine Learning for Your Enterprise: Operations and Security for Mainframe E...
Machine Learning for Your Enterprise: Operations and Security for Mainframe E...Machine Learning for Your Enterprise: Operations and Security for Mainframe E...
Machine Learning for Your Enterprise: Operations and Security for Mainframe E...
 
Applications of Machine Learning and Metaheuristic Search to Security Testing
Applications of Machine Learning and Metaheuristic Search to Security TestingApplications of Machine Learning and Metaheuristic Search to Security Testing
Applications of Machine Learning and Metaheuristic Search to Security Testing
 
The Scope for Robotic Process Automation & Machine Learning in Telecom Operat...
The Scope for Robotic Process Automation & Machine Learning in Telecom Operat...The Scope for Robotic Process Automation & Machine Learning in Telecom Operat...
The Scope for Robotic Process Automation & Machine Learning in Telecom Operat...
 
H2O for IoT - Jo-Fai (Joe) Chow, H2O
H2O for IoT - Jo-Fai (Joe) Chow, H2OH2O for IoT - Jo-Fai (Joe) Chow, H2O
H2O for IoT - Jo-Fai (Joe) Chow, H2O
 
AI in the Enterprise: Past, Present & Future - StampedeCon AI Summit 2017
AI in the Enterprise: Past, Present & Future - StampedeCon AI Summit 2017AI in the Enterprise: Past, Present & Future - StampedeCon AI Summit 2017
AI in the Enterprise: Past, Present & Future - StampedeCon AI Summit 2017
 
Machine Learning for (DF)IR with Velociraptor: From Setting Expectations to a...
Machine Learning for (DF)IR with Velociraptor: From Setting Expectations to a...Machine Learning for (DF)IR with Velociraptor: From Setting Expectations to a...
Machine Learning for (DF)IR with Velociraptor: From Setting Expectations to a...
 
On the Application of AI for Failure Management: Problems, Solutions and Algo...
On the Application of AI for Failure Management: Problems, Solutions and Algo...On the Application of AI for Failure Management: Problems, Solutions and Algo...
On the Application of AI for Failure Management: Problems, Solutions and Algo...
 
Network Automation Journey, A systems engineer NetOps perspective
Network Automation Journey, A systems engineer NetOps perspectiveNetwork Automation Journey, A systems engineer NetOps perspective
Network Automation Journey, A systems engineer NetOps perspective
 

Mais de Raffael Marty

Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Raffael Marty
 
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Raffael Marty
 
Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?
Raffael Marty
 
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't ChangedAI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
Raffael Marty
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
Raffael Marty
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
Raffael Marty
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?
Raffael Marty
 
Visualization for Security
Visualization for SecurityVisualization for Security
Visualization for Security
Raffael Marty
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?
Raffael Marty
 
Cyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock InsightCyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock Insight
Raffael Marty
 

Mais de Raffael Marty (20)

Exploring the Defender's Advantage
Exploring the Defender's AdvantageExploring the Defender's Advantage
Exploring the Defender's Advantage
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
 
How To Drive Value with Security Data
How To Drive Value with Security DataHow To Drive Value with Security Data
How To Drive Value with Security Data
 
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
 
Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?
 
Understanding the "Intelligence" in AI
Understanding the "Intelligence" in AIUnderstanding the "Intelligence" in AI
Understanding the "Intelligence" in AI
 
Security Chat 5.0
Security Chat 5.0Security Chat 5.0
Security Chat 5.0
 
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't ChangedAI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
 
Security Insights at Scale
Security Insights at ScaleSecurity Insights at Scale
Security Insights at Scale
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
 
Big Data Visualization
Big Data VisualizationBig Data Visualization
Big Data Visualization
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for Security
 
Visualization for Security
Visualization for SecurityVisualization for Security
Visualization for Security
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?
 
DAVIX - Data Analysis and Visualization Linux
DAVIX - Data Analysis and Visualization LinuxDAVIX - Data Analysis and Visualization Linux
DAVIX - Data Analysis and Visualization Linux
 
Cloud - Security - Big Data
Cloud - Security - Big DataCloud - Security - Big Data
Cloud - Security - Big Data
 
Cyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock InsightCyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock Insight
 
AfterGlow
AfterGlowAfterGlow
AfterGlow
 

Último

Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Priya Reddy
 
一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理
F
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Monica Sydney
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
Monica Sydney
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Monica Sydney
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
gajnagarg
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Monica Sydney
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
ayvbos
 
一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书
F
 

Último (20)

Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
 
一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
 
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptxResearch Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 

AI & ML in Cyber Security - Why Algorithms Are Dangerous

  • 1. Raffael Marty AI & ML in Cyber Security Why Algorithms Are Dangerous Cancun, Mexico March, 2018
  • 2. A Brief Summary 2 • We don’t have artificial intelligence (yet) • Algorithms are getting ‘smarter’, but experts are more important • Stop throwing algorithms on the wall - they are not spaghetti • Understand your data and your algorithms • Invest in people who know security (and have experience) • Build “export knowledge” absorbing systems • Focus on advancing insights
  • 3. 3 The master of Kennin temple was Mokurai. He had a little protégé named Toyo who was only twelve years old. Toyo saw how students entered the masters room each day and received instructions and guidance in Zen. The young boy wished to do zazen (meditation) as well. Upon convincing Mokuri, he went in front of the master who gave him the following koan to ponder: "You can hear the sound of two hands when they clap together," said Mokurai. "Now show me the sound of one hand."
  • 4. Outline 4 An Example Let’s Get Practical Statistics, Machine Learning & AI Defining the Concepts 1 2 The Algorithmic Problem Understanding the Data and the Algorithms 3
  • 6. 6 “Everyone calls their stuff ‘machine learning’ or even better ‘artificial intelligence’ - It’s not cool to use statistics!” 
 “Companies are throwing algorithms on the wall to see what sticks - see security analytics market”
  • 7. ML and AI – What Is It? 7 • Machine Learning – Algorithmic ways to “describe” data o Supervised - learning from training data o Unsupervised - optimization problem to solve (clustering, dim reduction) • Deep Learning – a ‘newer’ machine learning algorithm o Eliminates the feature engineering step o Verifiability / explainability issues • Data Mining – Methods to explore data – automatically and interactively • Artificial Intelligence – “Just calling something AI doesn’t make it AI.” ”A program that doesn't simply classify or compute model parameters, but comes up with novel knowledge that a security analyst finds insightful.”
  • 8. What “AI” Does Today 8 •Kick a human's ass at Go •Design more effective drugs •Make Siri smarter
  • 9. Machine Learning Uses in Security 9 • Supervised o Malware classification (deep learning poster child) o Spam identification o MLSec project on firewall data • Unsupervised o DNS analytics (domain name classification, lookup frequencies, etc.) o Threat Intelligence feed curation (IOC prioritization, deduplication, …) o Tier 1 analyst automation (reducing 600M events to 100 incidents)* o User and Entity Behavior Analytics (UEBA) * See Respond Software Inc.
  • 10. The Algorithmic Problem Understanding the Data and the Algorithms 10
  • 12. Famous AI (Algorithm) Failures 12 neil.fraser.name/writing/tank/ US government in October 2016 published a comprehensive report titled 
 “Preparing for the future of artificial intelligence”
  • 13. What Makes Algorithms Dangerous? 13 • Algorithms make assumptions about the data • Assume ‘clean’ data (src/dst confusion, user feedback, etc.) • Often assume a certain type of data and their distribution • Don’t deal with outliers • Machine learning assumes enough, representative data • Needs contextual features (e.g., not just IP addresses) • Assume all input features are ‘normalized’ the same way • Algorithms are too easy to use these days (tensorflow, torch, ML on AWS, etc.) • The process is more important than the algorithm (e.g., feature engineering, supervision, drop outs, parameter choices, etc.) • Algorithms do not take domain knowledge into account • Defining meaningful and representative distance functions, for example • e.g., each L4 protocol exhibits different behavior. Train it separately. • e.g., interpretation is often unvalidated - beware of overfitting and biased models. • Ports look like numerical features, they are not, same is true for IPs, processIDs, HTTP return codes, etc.
  • 14. Models Are Just Approximations 14 High Bias -  increasing the number of input features. How do you know in what case you operate? • ML explainability problem • Compute error margins model
 classifies future instances high 
 error failure
 to generalize High Variance reduce the number of input features, increasing the number of training examples
  • 15. Cognitive Biases 15 • How biased is your data set? How do you know? • Only a single customer’s data • Learning from an ‘infected’ data set • Collection errors • Missing data (e.g., due to misconfiguration) • What’s the context the data operates in? • FTP although generally considered old and insecure, isn’t always problematic • Don’t trust your IDS (e.g. “UDP bomb”)
  • 16. Don’t Use Machine Learning If … 16 • Not enough or no quality labeled data • Don’t use for network traffic analysis - you don’t have labeled data - really, you don’t! • No well trained domain experts and data scientists to oversee the implementation • Not enough domain expertise to engineer good features • Need to understand what ML actually learned (explainability) Also remember • Data cleanliness issues (timestamps, normalization across fields, etc.) • Operational challenges (scalability and adaptability) of implementing machine learning models in practice
  • 17. Adversarial Machine Learning 17 • An example of an attack on deep learning
  • 19. Network Traffic - Finding Anomalies / Attacks 19 • Given: Netflow • Task: Find anomalies / attacks 2 2005-10-22 23:09:45.903 -1.000 UDP 192.168.0.2 62569 -> 192.168.0.255 8612 0 0 1 0 .A.... 0 0 0 3 2005-10-22 23:09:53.003 -1.000 UDP 192.168.0.2 52457 -> 192.168.0.255 8612 0 0 1 0 .A.... 0 0 0 4 2005-10-22 23:09:58.435 -1.000 ICMP 192.168.2.2 0 -> 192.168.2.1 3.3 0 0 2 0 .A.... 192 0 0 5 2005-10-22 23:10:00.103 -1.000 UDP 192.168.0.2 59028 -> 192.168.0.255 8612 0 0 1 0 .A.... 0 0 0 6 2005-10-22 23:10:03.839 -1.000 UDP 192.168.2.2 138 -> 192.168.2.255 138 0 0 2 0 .A.... 0 0 0 7 2005-10-22 23:10:04.971 -1.000 UDP 192.168.0.2 17500 -> 255.255.255.255 17500 0 0 1 0 .A.... 0 0 0 8 2005-10-22 23:10:04.971 -1.000 UDP 192.168.0.2 17500 -> 192.168.0.255 17500 0 0 1 0 .A.... 0 0 0 9 2005-10-22 23:10:07.207 -1.000 UDP 192.168.0.2 62319 -> 192.168.0.255 8612 0 0 1 0 .A.... 0 0 0 10 2005-10-22 23:10:14.311 -1.000 UDP 192.168.0.2 50273 -> 192.168.0.255 8612 0 0 1 0 .A.... 0 0 0 11 2005-10-22 23:10:21.403 -1.000 UDP 192.168.0.2 56243 -> 192.168.0.255 8612 0 0 1 0 .A.... 0 0 0 12 2005-10-22 23:10:25.267 -1.000 ICMP 192.168.0.2 0 -> 192.168.2.1 8.0 0 0 1 0 .A.... 0 0 0 13 2005-10-22 23:10:28.043 0.004 ICMP 192.168.0.2 0 -> 192.168.2.2 8.0 0 0 1 2 .A.... 0 1338 1 14 2005-10-22 23:10:28.499 -1.000 UDP 192.168.0.2 62390 -> 192.168.0.255 8612 0 0 1 0 .A.... 0 0 0 15 2005-10-22 23:10:35.019 -1.000 UDP 192.168.0.2 17500 -> 255.255.255.255 17500 0 0 1 0 .A.... 0 0 0 16 2005-10-22 23:10:35.019 -1.000 UDP 192.168.0.2 17500 -> 192.168.0.255 17500 0 0 1 0 .A.... 0 0 0 ?
  • 20. Network Traffic - Deep Learning 20 • Solution: Deep Learning • No feature engineering - really? • Lots of data available • What are the labels? Most security problems can’t be solved with Deep Learning
  • 21. Analytics Challenges 21 • Data cleansing • Wrong features -> wrong results • Distance functions (for unsupervised approaches) • Selecting the right algorithm (there is more than k-means!) • Algorithmic stability across iterations (iterative)? • Parameter choices for algorithm
  • 22. VAST Challenge 2013 Submission – Spot the Problems? 22 dest port! Port 70000? src ports! http://vis.pku.edu.cn/people/simingchen/docs/vastchallenge13-mc3.pdf
  • 23. Distance Functions 23 • Need a domain-centric similarity function • URLs (simple levenshtein distance versus domain based?) • Ports (and IPs, ASNs) are NOT numerical features • Treat user names as categories, not strings outlier?!
  • 25. Illustration of Parameter Choices and Their Failures • t-SNE clustering of network traffic from two types of machines perplexity = 3 epsilon = 3 No clear separation perplexity = 3 epsilon = 19 3 clusters instead of 2 perplexity = 93 epsilon = 19 What a mess
  • 26. Illustration of Parameter Choices and Their Failures • Dangerous clusters
  • 27. Network Traffic - Unsupervised Attempt 27 The graph shows an abstract space with colors being machine identified clusters. Preparation: • Feature engineering • Distance functions (what’s similar?) • Algorithm parameters Hard Questions: • What are these clusters? • What are good clusters? • What’s anomalous? What are the attacks?
  • 28. The Real Problems 28 • Missing context • Asset inventory • User information • Missing expert knowledge • Domain expertise Possible Solutions • Enable data exploration • Improved Human Computer Interfaces & visualization • (Bayesian) Belief Networks
  • 30. Summary • Build solutions for actual problems with real data that produce actionable insight • Encode expert knowledge - leverage experienced experts • Use simple systems - how about letting users give input? Push problem to the edge • Don’t start with the algorithms - EVER • Start with the problem at hand and choose the right approach (hardly ever ML) • From the problem gather the right data and context • Use ML for problems where you have a large corpus of well labeled data • Chose meaningful distance functions • Verify your models - use visualization to help with that • Measure through user feedback, what you have implemented makes sense and pleases users • Allow for expert supervision - feedback loops • Share your insights with your peers – security is not your competitive advantage
  • 31. BlackHat Workshop 31 Applied Machine Learning 
 for 
 Identity and Access Management August 4,5 & August 6,7 - Las Vegas, USA ML | AI | IAM http://secviz.org
  • 32. Questions? 32 http://slideshare.net/zrlram @raffaelmarty "You can hear the sound of two hands when they clap together," said Mokurai. "Now show me the sound of one hand."