Presentation is loading. Please wait.

Presentation is loading. Please wait.

Practical Machine Learning for Cloud Intrusion Detection

Published byMicheline Carbonneau Modified over 6 years ago

Similar presentations

Presentation on theme: "Practical Machine Learning for Cloud Intrusion Detection"— Presentation transcript:

1 Practical Machine Learning for Cloud Intrusion Detection
Challenges and the Way Forward Ram Shankar Siva Kumar Andrew Wicker Matt Swann Hello – My name is Ram, and I am a Senior ML Engineer in Azure Security Data Science. This work was done in collaboration with Andrew Wicker and Matt Swann. This paper draws on our collective knowledge to secure Microsoft’s cloud solution, Azure, focusing more on qualitative experience as opposed to specific algorithms and results. Machine Learning and Computer Security – NIPS 2017

2 Plug: We are hiring!! Contact:

3 Cloud IDS: Why should you care?
$5.9B 85% of Enterprise IT organizations will commit to multicloud architecture by 2018 [IDCFutureScape 2017] Security is an important competitive Cloud Differentiator [csoonline2016] Intrusion detection systems are expected to grow to USD 5.93 billion by 2021 at a compound annual growth rate of 12% [Gartner2016] Net-Net: Important Problem for the Industry Source

4 Anomalous Login Detection System
Motivating Example “Detect anomalous security logons from developers to the infrastructure system” Anomalous Login Detection System

5 Anomalous Login Detection System
Motivating Example “Detect anomalous security logons from developers to the infrastructure system” Anomalous Login Detection System

6 Cloud Setting Cloud Azure Developers Security Analysts
Internal Platform

7 Anomalous Login Detection System
Cloud Setting Cloud Azure Developers Security Analysts Internal Platform Anomalous Login Detection System

8 Anomalous Login Detection System
Cloud Setting Cloud Azure Developers Security Analysts Internal Platform Anomalous Login Detection System

9 Challenge: The Cloud Infrastructure hosts both platform and customers
The first challenge when building cloud IDS systems, is that the infrastructure that keeps the Cloud up and running is massive Azure is supported by 300+ services – ranging from Resource manager that enables deploying and managing VMs to Storage to Compute. Azure is architected in a way, such that the same backend services support different flavors of the cloud -> Whether public or private or hybrid, it is the same code So, net-net: The telemetry generated by these logs are in the order for pBs To add to the challenge, the cloud is also dynamic – the cloud as it is now, is very different from -> VMs are constantly deployed -> Developers constantly push out new features

10 Customer administrator
Customer Storage Account Anomalous Login Detection System Customer logs External Customers Central Repository Anomalous Login Detection System Azure Developers Cloud Service logs The data center that supports Azure infrastructure, has two personnas interacting with it: The External customers who pay Azure, to host services or rent infrastructure. The Azure Developers who maintain and develop Azure’s infrastructure The logs from the data center, is collected by Azure Monintoring system, and depending on the situation it is piped in one of two ways: -> Customer’s activity logs goes to their storage account, where detection systems monitor for compromise. The end consumer of this alert, are admin’s of the -> The internal developer’s activity are collected to a central repository where detection systems monitor for malicious activity. The end consumer of this alert are Microsoft’s Security Analyst Remove any Customer Identifiable Information Internal Security Analyst + Appropriate Service team Attacker Data Center generate logs

11 Challenge: The Cloud Backend is built on different, composite services
Microsoft Azure Microsoft Azure 300+ Services The first challenge when building cloud IDS systems, is that the infrastructure that keeps the Cloud up and running is massive Azure is supported by 300+ services – ranging from Resource manager that enables deploying and managing VMs to Storage to Compute. Azure is architected in a way, such that the same backend services support different flavors of the cloud -> Whether public or private or hybrid, it is the same code So, net-net: The telemetry generated by these logs are in the order for pBs 300+ different backend infrastructure services to ensure correct functionality Same backend service, supports many “flavors” of cloud Infrastructure as a Service vs. Platform as a Service Private Cloud vs. Public Cloud vs. Hybrid Cloud Each service architected differently Backend Service for Storage different from Backend service for Compute Logging for each service is different To add to the challenge, the cloud is also dynamic – the cloud as it is now, is very different from -> VMs are constantly deployed -> Developers constantly push out new features Encryption Encryption Storage Storage Identity Identity Compute Compute ….and many many more! ….and many many more!

12 Storage Service Anomalous Login Detection System
Data Center 1 Storage Dev Storage Service Logs Storage Service Anomalous Login Detection System Central Repository Internal Security Analyst + Appropriate Service team Compute Service Logs Compute Service Anomalous Login Detection System Compute Dev Identity Service Logs Identity Service Anomalous Login Detection System Data Center 2 Encryption Service Logs Identity Dev Encyption Service Anomalous Login Detection System Data Center 3 Encryption Dev Attacker

13 Challenge: The Cloud Backend is Geo-distributed

14 Geo-distributed = Compliance and Localization
Building Privacy compliant Models has three challenges Privacy Laws vary across regions IP address is treated as EII in some regions vs. not EII in other region Privacy Laws now ask for “retroactive modification” Privacy laws are not static Model Localization is important Weekend in Middle East != Weekend in Americas Product adoption happens at different rate across different regions Data distribution is different!

15 Storage Service Anomalous Login Detection System - AMERICAS
Central Repository Scrubbed per US Policy Internal Security Analyst + Storage Service Team Storage Service Anomalous Login - AUSTRALIA Scrubbed per EU Policy Storage Dev Storage Service Anomalous Login - EUROPE World Map source:

16 Other Challenges… Vertically and Horizontally Siloed Model Compliance
Dynamic Environment Model Compliance Vertically and Horizontally Siloed Tribal/Domain Knowledge Driven Model Evaluation Explainability

17 The Way Forward

18 Future is Attack Disruption
“Compromises are measured in minutes 98% of time…median time for detection is in the order of months” [Verizon2017] Call to focus from Attack Detection to Attack Disruption Open Question: Is there a place for intelligence across the blue team kill chain? Can Machine Learning help towards automatic remediation? Can Natural Language processing help analysts triage alerts better? Can recommender engines guide the next steps in investigations?

Download ppt "Practical Machine Learning for Cloud Intrusion Detection"

Similar presentations

The Microsoft Cloud Azure Platform This presentation incorporates some content from Microsoft.

The Microsoft Cloud Azure Platform This presentation incorporates some content from Microsoft.
Cloud Attributes Business Challenges Influence Your IT Solutions Business to IT Conversation Microsoft is Changing too Supporting System Center In House.

Cloud Attributes Business Challenges Influence Your IT Solutions Business to IT Conversation Microsoft is Changing too Supporting System Center In House.
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
Mark Estberg, John Howie Senior Directors Microsoft Corporation SESSION CODE: SIA317.

Mark Estberg, John Howie Senior Directors Microsoft Corporation SESSION CODE: SIA317.
Cloud Computing Security Keep Your Head and Other Data Secure in the Cloud Lynne Pizzini, CISSP, CISM, CIPP Information Systems Security Officer Information.

Cloud Computing Security Keep Your Head and Other Data Secure in the Cloud Lynne Pizzini, CISSP, CISM, CIPP Information Systems Security Officer Information.
Alert Logic Provides a Fully Managed Security and Compliance Solution Based in the Cloud, Powered by the Robust Microsoft Azure Platform MICROSOFT AZURE.

Alert Logic Provides a Fully Managed Security and Compliance Solution Based in the Cloud, Powered by the Robust Microsoft Azure Platform MICROSOFT AZURE.
Datalayer Notebook Allows Data Scientists to Play with Big Data, Build Innovative Models, and Share Results Easily on Microsoft Azure MICROSOFT AZURE ISV.

Datalayer Notebook Allows Data Scientists to Play with Big Data, Build Innovative Models, and Share Results Easily on Microsoft Azure MICROSOFT AZURE ISV.
1© Copyright 2014 EMC Corporation. All rights reserved. Applying the Power of Data Analytics to Cyber Security Dr. Robert W. Griffin Chief Security Architect.

1© Copyright 2014 EMC Corporation. All rights reserved. Applying the Power of Data Analytics to Cyber Security Dr. Robert W. Griffin Chief Security Architect.
You will provide oversight, leadership and direction to a group of IT professionals responsible for architecting, implementing and supporting a broad range.

You will provide oversight, leadership and direction to a group of IT professionals responsible for architecting, implementing and supporting a broad range.
Microsoft Azure and ServiceNow: Extending IT Best Practices to the Microsoft Cloud to Give Enterprises Total Control of Their Infrastructure MICROSOFT.

Microsoft Azure and ServiceNow: Extending IT Best Practices to the Microsoft Cloud to Give Enterprises Total Control of Their Infrastructure MICROSOFT.
READ ME FIRST Use this template to create your Partner datasheet for Azure Stack Foundation. The intent is that this document can be saved to PDF and provided.

READ ME FIRST Use this template to create your Partner datasheet for Azure Stack Foundation. The intent is that this document can be saved to PDF and provided.
AuraPortal Cloud Helps Empower Organizations to Organize and Control Their Business Processes via Applications on the Microsoft Azure Cloud Platform MICROSOFT.

AuraPortal Cloud Helps Empower Organizations to Organize and Control Their Business Processes via Applications on the Microsoft Azure Cloud Platform MICROSOFT.
Stop Cyber Threats With Adaptive Micro-Segmentation

Stop Cyber Threats With Adaptive Micro-Segmentation
DocFusion 365 Intelligent Template Designer and Document Generation Engine on Azure Enables Your Team to Increase Productivity MICROSOFT AZURE APP BUILDER.

DocFusion 365 Intelligent Template Designer and Document Generation Engine on Azure Enables Your Team to Increase Productivity MICROSOFT AZURE APP BUILDER.
Barracuda Networks Creates Next-Generation Security Solutions That Enable Customers to Accelerate Their Adoption of Microsoft Azure MICROSOFT AZURE APP.

Barracuda Networks Creates Next-Generation Security Solutions That Enable Customers to Accelerate Their Adoption of Microsoft Azure MICROSOFT AZURE APP.
Journey to Microsoft Secure Cloud

Journey to Microsoft Secure Cloud
Simplifying Hybrid Cloud Protection with Azure Security Center

Simplifying Hybrid Cloud Protection with Azure Security Center
Ralleo Enterprise-Grade Solution for Managing Change and Business Transformation Provides Opportunities to Better Analyze Real-Time Data MICROSOFT AZURE.

Ralleo Enterprise-Grade Solution for Managing Change and Business Transformation Provides Opportunities to Better Analyze Real-Time Data MICROSOFT AZURE.
Partner Logo Veropath Offers a Next-Gen Expense Management SaaS Technology Solution, Built Specifically to Harness Big Data Analytics Capabilities in Azure.

Partner Logo Veropath Offers a Next-Gen Expense Management SaaS Technology Solution, Built Specifically to Harness Big Data Analytics Capabilities in Azure.
New Heights by Guiding Them into the Cloud

New Heights by Guiding Them into the Cloud

Similar presentations

Ads by Google