Presentation is loading. Please wait.

Presentation is loading. Please wait.

Transfer Learning: Analyst-Sourcing Behavioral Classification

Published byMiguel Minho Custódio Modified over 6 years ago

Similar presentations

Presentation on theme: "Transfer Learning: Analyst-Sourcing Behavioral Classification"— Presentation transcript:

1 Transfer Learning: Analyst-Sourcing Behavioral Classification
Tim Mather, security guy Ignacio Arnaldo, data science guy

2 Problem: advanced attacks
Recon Weaponize Deliver Exploit Control Execute Maintain Neither SIEMs nor MSSPs can deliver high-fidelity alerts for targeted, well thought out attacks that effectively utilize the threat ecosystem. SIEMs and MSSPs rely on signatures, rules, and people. Results - False positives False Negatives High Demand for Investigation/Incident talent

3 Massive data to explore
Billions or trillions of combinations Very, very few of those are bad Analysts spend 99% of the time chasing false positives Miss > 80% of attacks

4 Trained AI pinpoints attacks
Use trained AI models to parse data and point out threats Analyst gets high fidelity alerts

5 Label acquisition is the key
Analyze behavior of all entities (users, IPs, etc.) Engage the human expert (active learning) Continuously absorb feedback from analyst and from external sources Continuous model updates: To identify new attacks To identify variations of existing attacks To improve detection of existing attacks

6 Custom models to detect attacks
Threat Intel Recommenders Top k events Trained attacks Novelty Similarity Uncertainty Graph analysis Classifiers Security Analyst Matrix decomposition Deep auto-encoders Copula analysis

7 Active Contextual Modeling
Analyst Contextual Modeler Rare Event Model Behaviors Action Raw Data Predictions Labels Outliers ACM Humans give examples and machines create predictive models Alerts are generated by models; humans give feedback and machines update models Real time detection of ATA’s Key IP – train AI (supervised learning) in real time, in thin training space Behaviors

8 ACM enables transfer learning
Local model training is accelerated using global training data Enable global set of analysts to collaborate No private data is ever exchanged

9 Transfer learning: make every label count
Share models across organizations Share labeled data across organizations

10 Shared label repository
Entity Customer feature 1 ... feature p label User 1 0.1 True Attack 1 Source IP 4 0.4 False Normal 2.1 Attack 3 Shared “global” repository of labeled data Systematic download of labeled data from global to local repository Systematic upload of labeled data from local to global repository Label Server

11 Detecting various stages
Domain Attack Stage microsoft[.]com-1au-ill1[.]claim-your-daily-reward[.]beautifuldoor[.]xyz Delivery apple[.]com-internet-websecurity[.]download CnC (DGA) Box.com Exfiltration Trained models to detect: Delivery, C&C, Lateral movement and Exfiltration Entities modeled: Src_IP, Dest_IP, User, Domain, Connection (SIP / DIP), Src_IP to Domain, User access, etc. Models trained / updated locally using analyst’s feedback Facilitates automated response (e.g., OpenC2)

12 Results Automatic detection - 10x better attack detection
Efficient investigation - 80% faster investigation Facilitated response – Reduce dwell time to hours

13 Next steps Enlarge the shared label repository with data from all our deployments (POCs + customers). The goal is to have 5 to 10 deployments labeling data on a regular basis. Use external labels to improve selection of examples shown to the analyst for labeling. This will result in better label acquisition at each customer. Study and compare domain adaptation techniques to maximize benefits of external labels. Strategies to dedup / correct attack categories (although we provide a predefined set of categories, analysts create new classes and will make mistakes).

14 Your questions please!

15 Thank You

16 [In progress] click2freeupdatesthebest.download
click2freeupdatesthebest.info click2freeupdatesthebest.pw click2freeupdatethebest.download click2freeupdatethebest.info click2freeupdatethebest.pw click2freeupdatingthebest.info click2freeupdatingthebest.pw clickforbest2upgrading4u.info clickforbestandfree2update.info clickforbestandfree2updates.pw clickforbestandfree2upgrade.pw clickforbestandfree2upgrading.pro clickforbestandmost2freeupdate.info clickforbestandmost2freeupdate.pro clickforbestandmost2freeupdate.win clickforbestandmost2freeupdates.bid clickforbestandmost2freeupdates.pro clickforbestandmost2freeupdates.top clickforbestandmost2freeupdating.download clickforbestandmost2freeupdating.pro clickforbestandmostfreeupdate.pw clickforbestandprepared4upgrade.pw clickforbestandsafe2upgrades.pro clickforbestandsafe2upgrades.pw clickforbestandsafe4upgrade.pw clickforbestandsafeupdates.pw clickforfreeandbest2updateever.pw clickforfreeandbest2updatingever.info clickforfreeandbestupdate.info clickforfreeandbestupdate.pw clickforfreeandbestupdates.pw clickforfreeandreadyforupgrades.pw clickforfreeandsafe4update.info clickforfreeandsafe4upgrading.pro clickforfreeandsafeallupdating.pro clickforfreeandsafeupgrading.pro clickforfreeservice4upgradesmacandpc.pw clickforfreesystemsupdating.info clickforfreeupdatesthebest.info clickforfreeupdatethebest.pw clickforsafeandbest2updating.info clickforsafeandbest2upgrade4now.pw clickforsafeandbest2upgrade4now.top clickforsafeandbest2upgrades4now.pro clickforsafeandbest2upgrades4now.win clickforsafeandbest2upgrading4now.top clickforsafeandbest4updating.info clickforsafeandbestforupgrade4free.info clickforsafeandbestforupgrading4free.info clickforsafeandbestupgrade4now.bid clickforsafeandbestupgrade4now.pw clickforsafeandbestupgrades4now.bid clickforsafeandbestupgrades4now.info clickforsafeandbestupgrades4now.top clickforsafeandbestupgrading4now.pro clickforsafeandbestupgrading4now.win clickforsafeandsetforupgrade.info clickforsafeandsetof4upgrading.top clickforsafereadyforupgradepcandmac.pw clickforsafesystem4upgrades.info clickforsafesystem4upgrades.pro clickforsafesystem4upgrading.pro clickforthebestandbiggestpcandmacupdates.pw clickforthebestandbiggestpcandmacupdating.club clickforultimateandsafeforupgrades.info clicksafe2upgrade.download clicksafeforyour2updatingpcandmacs.pw clicksafeforyourforupdating.pro clicksafeforyourupdatespcandmacs.pw clicksafeupgrade.pro clickthebesttoupdates4now.download clickthebesttoupdates4now.pro clickthebesttoupdating4now.pro clickthebestupdate4now.download clickthebestupdate4now.pro

Download ppt "Transfer Learning: Analyst-Sourcing Behavioral Classification"

Similar presentations

Security Life Cycle for Advanced Threats

Security Life Cycle for Advanced Threats
©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.

©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.
Data Mining and Intrusion Detection

Data Mining and Intrusion Detection
Microsoft Ignite /16/2017 4:54 PM

Microsoft Ignite /16/2017 4:54 PM
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Neural Technology and Fuzzy Systems in Network Security Project Progress 2 Group 2: Omar Ehtisham Anwar 2005-02-0129 Aneela Laeeq 2005-02-0023.

Neural Technology and Fuzzy Systems in Network Security Project Progress 2 Group 2: Omar Ehtisham Anwar Aneela Laeeq
Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.

Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 11 Managing and Monitoring a Windows Server 2008 Network.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 11 Managing and Monitoring a Windows Server 2008 Network.
Department Of Computer Engineering

Department Of Computer Engineering
URLDoc: Learning to Detect Malicious URLs using Online Logistic Regression Presented by : Mohammed Nazim Feroz 11/26/2013.

URLDoc: Learning to Detect Malicious URLs using Online Logistic Regression Presented by : Mohammed Nazim Feroz 11/26/2013.
Jay Stokes, Microsoft Research John Platt, Microsoft Research Joseph Kravis, Microsoft Network Security Michael Shilman, ChatterPop, Inc. ALADIN: Active.

Jay Stokes, Microsoft Research John Platt, Microsoft Research Joseph Kravis, Microsoft Network Security Michael Shilman, ChatterPop, Inc. ALADIN: Active.
©2014 Bit9. All Rights Reserved Endpoint Threat Prevention Charles Roussey | Sr. Sales Engineer Detection and Response in Seconds.

©2014 Bit9. All Rights Reserved Endpoint Threat Prevention Charles Roussey | Sr. Sales Engineer Detection and Response in Seconds.
Thesis Proposal PrActive Learning: Practical Active Learning, Generalizing Active Learning for Real-World Deployments.

Thesis Proposal PrActive Learning: Practical Active Learning, Generalizing Active Learning for Real-World Deployments.
Using Identity Credential Usage Logs to Detect Anomalous Service Accesses Daisuke Mashima Dr. Mustaque Ahamad College of Computing Georgia Institute of.

Using Identity Credential Usage Logs to Detect Anomalous Service Accesses Daisuke Mashima Dr. Mustaque Ahamad College of Computing Georgia Institute of.
Time lag between discovering issue and resolving Difficult to find solutions and patches that can help resolve issue Service outages expensive and.

Time lag between discovering issue and resolving Difficult to find solutions and patches that can help resolve issue Service outages expensive and.
INTERACTIVE ANALYSIS OF COMPUTER CRIMES PRESENTED FOR CS-689 ON 10/12/2000 BY NAGAKALYANA ESKALA.

INTERACTIVE ANALYSIS OF COMPUTER CRIMES PRESENTED FOR CS-689 ON 10/12/2000 BY NAGAKALYANA ESKALA.
Exploiting Context Analysis for Combining Multiple Entity Resolution Systems -Ramu Bandaru Zhaoqi Chen Dmitri V.kalashnikov Sharad Mehrotra.

Exploiting Context Analysis for Combining Multiple Entity Resolution Systems -Ramu Bandaru Zhaoqi Chen Dmitri V.kalashnikov Sharad Mehrotra.
Alert Logic Provides a Fully Managed Security and Compliance Solution Based in the Cloud, Powered by the Robust Microsoft Azure Platform MICROSOFT AZURE.

Alert Logic Provides a Fully Managed Security and Compliance Solution Based in the Cloud, Powered by the Robust Microsoft Azure Platform MICROSOFT AZURE.
Understanding the Human Network Martin Kruger LCDR Jodie Gooby November 2008.

Understanding the Human Network Martin Kruger LCDR Jodie Gooby November 2008.
Leveraging Asset Reputation Systems to Detect and Prevent Fraud and Abuse at LinkedIn Jenelle Bray Staff Data Scientist Strata + Hadoop World New York,

Leveraging Asset Reputation Systems to Detect and Prevent Fraud and Abuse at LinkedIn Jenelle Bray Staff Data Scientist Strata + Hadoop World New York,

Similar presentations

Ads by Google