Security Analytics Thrust Anthony D. Joseph (UCB) Rachel Greenstadt (Drexel), Ling Huang (Intel), Dawn Song (UCB), Doug Tygar (UCB)

Presentation transcript:

Outline
- Our view of Security Analytics
- Adversaries, Humans, and Machine Learning
- Joint research with McAfee
- Our proposed malware analysis pipeline
- Today’s Security Analytics talks

Our View of Security Analytics
- Using robust ML for adversary-resistant security metrics and analytics
   Pattern mining and prediction at scale on big data
   Detecting malware, spam, and malicious sites/URLs
   Identifying authors of User Generated Content (UGC) and malware; also, Sybil detection in crowds and obfuscating authors of UGC
   Detecting human biosignals – EEG, vision tracking, SAFE continuous authentication
- Helping the humans-in-the-loop (situational awareness)
   End-users of systems
   Crowds and human reviewers
   Domain experts

Adversarial Exploitation of ML
- Traditional approach – Evading Adversary
   Attacker determines the decision boundary
   Crafts (positive instance) content that is classified as negative
- Newer approach – Influencing Adversary
   Patient attacker operates during the periodic retraining stage by injecting “tricky” positive instances
   Shifts the decision boundary over time during retraining such that (positive instance) content is eventually classified as negative
- Need novel adaptive, robust ML techniques to defend against Influencing Adversaries
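The contrast between a detector that is periodically retrained on whatever it accepted and one retrained with bounded-influence statistics, as an added toy simulation that is not from the slides or any McAfee/Berkeley system; the benign scores, the radius multiplier and the one-dimensional centre/radius detector are constructed assumptions.

```python
"""Toy simulation, added as an illustration (not from the slides): an
'influencing adversary' against a detector that is periodically retrained
on whatever it accepted as normal, beside a retraining rule built on
bounded-influence statistics. All scores are constructed sample data."""
from statistics import mean, median, pstdev

K = 3.0  # radius multiplier (assumed), shared by both fitting rules

def fit_naive(scores):
    """Centre = mean, radius = K * std: every training point moves the model."""
    return mean(scores), K * pstdev(scores)

def fit_robust(scores):
    """Centre = median, radius = K * 1.4826 * MAD: a minority of injected
    points can neither drag the centre nor inflate the radius."""
    c = median(scores)
    mad = median(abs(x - c) for x in scores)
    return c, K * 1.4826 * mad

def is_normal(model, score):
    """Accept a score that lies within the model's radius of its centre."""
    centre, radius = model
    return abs(score - centre) <= radius

# Constructed benign scores (think of a normalised per-host event rate).
NORMAL = [1.0, 1.2, 0.8, 1.1, 0.9, 1.3, 0.7, 1.0, 1.1, 0.9]

def simulate(fit, rounds=10, inject=4):
    """Each round the adversary submits `inject` instances sitting just inside
    the current boundary on the side of its goal; the detector accepts them,
    then retrains on the benign data plus everything it accepted."""
    model = fit(NORMAL)
    for _ in range(rounds):
        centre, radius = model
        crafted = [centre + 0.95 * radius] * inject
        accepted = [x for x in crafted if is_normal(model, x)]
        model = fit(NORMAL + accepted)
    return model

if __name__ == "__main__":
    target = 6.0  # a clearly abnormal score the adversary wants accepted
    for name, fit in (("naive", fit_naive), ("robust", fit_robust)):
        m = simulate(fit)
        print(f"{name:6s} centre={m[0]:.2f} radius={m[1]:.2f} "
              f"target accepted: {is_normal(m, target)}")
```

With the mean/std rule the injected points inflate the radius every round, so the abnormal target is accepted within a handful of retrainings; with the median/MAD rule the model stays put because the injected points are a minority of each batch.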

Synergy between Humans and ML
- Users – providing clear answers and usable security
   Is this content spam or malicious?
   What is the reasoning behind a security decision?
   Can my UGC be identified as being mine?
   Also, understanding how users reason about security
- Crowds – augmenting ML with human capabilities
   Leveraging humans to disambiguate borderline instances (e.g., is this a malicious or benign application or website?)
- Domain Experts – prioritizing a limited resource
   Identifying when to rely on experts to evaluate model changes
   Helping determine authorship identification for malware

Collaboration with McAfee
- Special academic-industry collaboration
   Unique opportunity for academic access to massive-scale real-world adversarial data
   Pathway for research to yield real-world impact
- Two Robust ML research efforts
   Current: Active protection
   Future: Malicious URL/site detection (Site Advisor)
- Update:
   Signed University-level NDAs with UC Berkeley and Drexel
   Had meetings at Intel and UC Berkeley
   Delivered prototype ML-based malware classification system that supports large-scale classification of polymorphic threats
   Ongoing: Refining research focus and exploring Artemis sample dataset

Artemis and GTI
- Artemis and GTI collect voluminous “suspicious events and metadata” from millions of end hosts
- McAfee needs to:
   Classify events into clean/dirty labels
   Cluster events into groups
   Rank groups according to their suspiciousness level
   Help identify malware families (authorship classification)
- Our planned efforts
   Build a large-scale, online, adaptive ML system for automated malware classification with humans in the loop
   Apply stylometry for forensic analysis and malware classification

Proposed Malware Analysis Pipeline (diagram)
- Inputs: Program code (Mobile Apps, Executables)
- Program Analysis (Static / Dynamic / Human Analysis) → Program Features
- Machine Learning Feature Encoding → Machine Learning Malware Classification Models
- Feedback and further analysis from Human: Domain Experts
- Data from McAfee’s GTI and Google’s VirusTotal
- Categorization and Prioritization are critical!

Security Analytics Talks (Session 1)
- Big data for security analytics
   Using adaptive, large-scale ML to identify and classify malware families using code features
- Learning as an “attack”: De-anonymization
   Automated analysis of encrypted traffic – identifying the URLs/topics of SSL-encrypted web pages
- Learning for web-based malware detection
   Not code features, but rather: where scripts and objects come from, who makes the requests, and how the user gets to the site

Security Analytics Talks (Session 2)
- Using Network Science to detect Sybils in social networks
   Leveraging social structure to detect fake accounts and improve user authentication
- Learning as an “attack”: De-anonymization
   Automated analysis and identification of underground forum users
- Understanding how End Users reason about Risk
   Security, privacy, and a 9-dimensional model for users

Security Analytics Goals
- Developing tools combining machine learning and analysis to automatically extract features and build models
- Improving users’ experiences by translating the reasoning behind security decisions into human-understandable concepts
- Designing robust algorithms for large-scale machine learning in the presence of adversarial manipulation