Presentation is loading. Please wait.

Presentation is loading. Please wait.

Defense Against the Dark Arts Defense Against The Dark Arts Eric Peterson Research Manager McAfee 24 – 26 February, 2015.

Published byJob Carr Modified over 9 years ago

Similar presentations

Presentation on theme: "Defense Against the Dark Arts Defense Against The Dark Arts Eric Peterson Research Manager McAfee 24 – 26 February, 2015."— Presentation transcript:

1 Defense Against the Dark Arts Defense Against The Dark Arts Eric Peterson Research Manager McAfee 24 – 26 February, 2015

2 Defense Against the Dark Arts Lecture Wrap-up, Classification Lab

3 Defense Against the Dark Arts Lecture wrap-up SMTP conversation Email Header Reading Data Model – Spam/Ham The “Data Scientific Method” Classification Lab Break out into groups Pass classifications to team delegates Delegates present results How many ham? How many spam? What were the 3 most effective classifications? Discuss the process – what worked and what didn’t? Identify areas of subjectivity/ambiguity

4 Defense Against the Dark Arts

5

6

7

8

9 1. Start with data. 2. Develop intuitions about the data and the questions it can answer. 3. Formulate your question. 4.Leverage your current data to better understand if it is the right question to ask. If not, iterate until you have a testable hypothesis. 5. Create a framework where you can run tests/experiments. 6. Analyze the results to draw insights about the question. Credit: “Data Driven” – DJ Patil & Hilary Mason

10 Defense Against the Dark Arts Classify the data

11 Defense Against the Dark Arts The provded message_data table has 100k rows of real-world message meta data Use the tools and techniques covered to make spam/ham decisions for all records Open-book (team, google, peers, instructor) At the end of the lab session, we will: Discuss the process – what worked and what didn’t? Identify areas of subjectivity/ambiguity Present the data for comparison to real-world results

12 Defense Against the Dark Arts Useful operators: COUNT() DISTINCT() SPLIT_PART() GROUP BY $col ORDER BY $col Classify by subject: update message_data set is_spam = 'x' where subject ~ E'regex' Classify by source_ip: update message_data set is_spam = 'x' where source_ip in ('1.2.3.4', '5.6.7.8'... ) Bonus Questions: How many distinct rules fired on messages in the sample set? What was the most prevalent TLD in from addresses? What were the top 25 rules, by hit count?

13 Defense Against the Dark Arts Present your results!

14 Defense Against the Dark Arts Day 1 History Botnets 419, Canadian Pharm, P&D Terminology/Technology Spam/Ham RBL Heuristics Bayesian/Probability Tools SQL Regular Expression DIG/WHOIS Day 2 Research Techniques Parsing/Aggregation Intro to SQL for Research SELECTs Intro to Regular Expression The Regex Coach

15 Defense Against the Dark Arts Spam is pervasive - Digital & Printed media, Audio/Visual Many aspects of Security can be reduced to finding the least common denominator among large data sets Automate “Finding the needle” Classification accuracy is directly tied to the depth in which we are able to describe samples Education is key – share your knowledge!

16 Defense Against the Dark Arts Eric_Peterson@mcafee.com

17 Defense Against the Dark Arts Eric_Peterson@mcafee.com

18 Defense Against the Dark Arts Spamhaus RBL McAfee RBL The Regex Coach Trustedsource.org Domaintools.net Reputationauthority.org Yougetsignal.com/tools/web-sites-on-web-server/ Spamassassin.apache.org PostgreSQL

19 Defense Against the Dark Arts SQL CTE – Common Table Expression WITH a as ( SELECT b from table WHERE b ~ E’[regex]’) LIMIT 10) SELECT a.b, count(*) FROM a GROUP BY 1 ORDER BY 2 DESC LIMIT 10

20 Defense Against the Dark Arts Top100 Rules WITH rules as ( SELECT heur_symbols as rule_id FROM message_data WHERE heur_symbols is not null limit 100000) SELECT regexp_split_to_table(rules.rule_id, ','), count(*) FROM rules GROUP BY 1 ORDER BY 2 DESC LIMIT 100

Download ppt "Defense Against the Dark Arts Defense Against The Dark Arts Eric Peterson Research Manager McAfee 24 – 26 February, 2015."

Similar presentations

Ability-Based Education at Alverno College. Proposed Outcomes for Session 1. To introduce you to Alvernos approach to designing integrative general education.

Ability-Based Education at Alverno College. Proposed Outcomes for Session 1. To introduce you to Alvernos approach to designing integrative general education.
Designing Experiments Using the Scientific Method

Designing Experiments Using the Scientific Method
Working with Tables 1 of 5. Working with Tables 2 of 5.

Working with Tables 1 of 5. Working with Tables 2 of 5.
The Nature of Science.

The Nature of Science.
Responding driven sampling Introduction to the course.

Responding driven sampling Introduction to the course.
Using Assessment to Inform Instruction: Small Group Time

Using Assessment to Inform Instruction: Small Group Time
IS5152 Decision Making Technologies

IS5152 Decision Making Technologies
Welcome to SCIE 0900 Instructor: Bernadine Cutsor

Welcome to SCIE 0900 Instructor: Bernadine Cutsor
The research process Psych 231: Research Methods in Psychology.

The research process Psych 231: Research Methods in Psychology.
1 Review SQL Exercise: UPDATE StudentTable SET LetterScore = ’A’ WHERE Score >= ‘90’. Original Table: StudentTable StudentNumberStudentNameScoreLetterScore.

1 Review SQL Exercise: UPDATE StudentTable SET LetterScore = ’A’ WHERE Score >= ‘90’. Original Table: StudentTable StudentNumberStudentNameScoreLetterScore.
Lecture # 24 SCIENCE 1 ASSOCIATE DEGREE IN EDUCATION Process Skills in Science.

Lecture # 24 SCIENCE 1 ASSOCIATE DEGREE IN EDUCATION Process Skills in Science.
Spam Filtering Techniques Arnold Perez Joseph Tilley.

Spam Filtering Techniques Arnold Perez Joseph Tilley.
Involving students in classroom discussions Christina Belanger South Dakota School of Mines & Technology.

Involving students in classroom discussions Christina Belanger South Dakota School of Mines & Technology.
Theatre Design and Technology II/III/IV Course Expectations.

Theatre Design and Technology II/III/IV Course Expectations.
S PAMMING B OTNETS : S IGNATURES AND C HARACTERISTICS Introduction of AutoRE Framework.

S PAMMING B OTNETS : S IGNATURES AND C HARACTERISTICS Introduction of AutoRE Framework.
Creating Databases SELECT. UPDATE. Demonstrate projects. Classwork / Homework: Prepare to choose teams & projects.

Creating Databases SELECT. UPDATE. Demonstrate projects. Classwork / Homework: Prepare to choose teams & projects.
Most scientific advances result from carefully planned investigation. Scientific Method a logical approach to solving problems. Observing collecting data.

Most scientific advances result from carefully planned investigation. Scientific Method a logical approach to solving problems. Observing collecting data.
About Stratascope 2009 REVENUE ACCELERATORS. Copyright 2009 Stratascope Inc. All Rights Reserved Services Client Research Portal –Industries, Markets,

About Stratascope 2009 REVENUE ACCELERATORS. Copyright 2009 Stratascope Inc. All Rights Reserved Services Client Research Portal –Industries, Markets,
TCOM 515 Lecture 6.

TCOM 515 Lecture 6.
1 Pedagogical implications of mobile technologies Diana Laurillard WLE Symposium on M-Learning 9 February 2007.

1 Pedagogical implications of mobile technologies Diana Laurillard WLE Symposium on M-Learning 9 February 2007.

Similar presentations

Ads by Google