Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Analytics Thrust Anthony D. Joseph (UCB) Rachel Greenstadt (Drexel), Ling Huang (Intel), Dawn Song (UCB), Doug Tygar (UCB)

Published byBenjamin Alvin Walters Modified over 9 years ago

Similar presentations

Presentation on theme: "Security Analytics Thrust Anthony D. Joseph (UCB) Rachel Greenstadt (Drexel), Ling Huang (Intel), Dawn Song (UCB), Doug Tygar (UCB)"— Presentation transcript:

1 Security Analytics Thrust Anthony D. Joseph (UCB) Rachel Greenstadt (Drexel), Ling Huang (Intel), Dawn Song (UCB), Doug Tygar (UCB)

2 Outline Our view of Security Analytics Adversaries, Humans, and Machine Learning Joint research with McAfee Our proposed malware analysis pipeline Today’s Security Analytics talks

3 Our View of Security Analytics Using robust ML for adversary resistant security metrics and analytics  Pattern mining and prediction at scale on big data  Detecting malware, spam, and malicious sites/URLs  Identifying authors of User Generated Content and malware Also, Sybil detection in crowds and obfuscating authors of UGC  Detecting human biosignals – EEG, vision tracking, SAFE continuous authentication Helping the humans-in-the-loop (situational awareness)  End-users of systems  Crowds and human reviewers  Domain experts

4 Adversarial Exploitation of ML Traditional approach – Evading Adversary  Attacker determines decision boundary  Crafts (positive instance) content that is classified as negative Newer approach – Influencing Adversary  Patient attacker operates during periodic retraining stage by injecting “tricky” positive instances  Shifts decision boundary over time during retraining such that (positive instance) content is eventually classified as negative Need novel adaptive, robust ML techniques to defend against Influencing Adversaries

5 Synergy between Humans and ML Users – providing clear answers and usable security  Is this content spam or malicious?  What is the reasoning behind a security decision?  Can my UGC be identified as being mine?  Also, understanding how users reason about security Crowds – augmenting ML with human capabilities  Leveraging humans to disambiguate borderline instances (e.g., is this a malicious or benign application or website) Domain Experts – prioritizing a limited resource  Identifying when to rely on experts to evaluate model changes  Helping determine authorship identification for malware

6 Collaboration with McAfee Special academic-industry collaboration  Unique opportunity for academic access to massive scale real-world adversarial data  Pathway for research to yield real-world impact Two Robust ML research efforts  Current: Active protection  Future: Malicious URL/site detection (Site Advisor) Update:  Signed University-level NDAs with UC Berkeley and Drexel  Had meetings at Intel and UC Berkeley  Delivered prototype ML-based malware classification system that supports large-scale classification of polymorphic threats  Ongoing: Refining research focus and exploring Artemis sample dataset

7 Artemis and GTI collect voluminous “suspicious events and metadata” from millions of end host McAfee needs to:  Classify events into clean/dirty label  Cluster events into groups  Rank groups according to their suspiciousness level  Help identify malware families (authorship classification) Our planned efforts  Build a large-scale, online, adaptive ML system for automated malware classification with humans in the loop  Apply stylometry for forensic analysis and malware classification Artemis and GTI

8 Proposed Malware Analysis Pipeline Program code Mobile Apps Executables Machine Learning Malware Classification Models Machine Learning Feature Encoding Program Analysis Static/ Dynamic/ Human Analysis Program Features Feedback Further analysis Program Features Human: Domain Experts Data from McAfee’s GTI and Google’s VirusTotal Categorization and Prioritization are critical!

9 Security Analytics Talks (Session 1) Big data for security analytics  Using adaptive, large-scale ML to identify and classify malware families using code features Learning as an “attack”: De-anonymization  Automated analysis of encrypted traffic – Identifying the URLs/topics of SSL-encrypted web pages Learning for web-based malware detection  Not code features, rather: Where scripts and objects comes from, Who makes the requests, How user gets to the site

10 Security Analytics Talks (Session 2) Using Network Science to detect Sybils in social networks  Leveraging social structure to detect fake accounts and improve user authentication Learning as an “attack”: De-anonymization  Automated analysis and identification of underground forums users Understanding how End Users reason about Risk  Security, privacy, and a 9-dimensional model for users

11 Security Analytics Goals Developing tools combining machine learning and analysis to automatically extract features and build models Improving users’ experiences by translating the reasoning behind security decisions into human understandable concepts Designing robust algorithms for large-scale machine-learning in the presence of adversarial manipulation

Download ppt "Security Analytics Thrust Anthony D. Joseph (UCB) Rachel Greenstadt (Drexel), Ling Huang (Intel), Dawn Song (UCB), Doug Tygar (UCB)"

Similar presentations

1© Copyright 2011 EMC Corporation. All rights reserved. The Future of the Advance Soc 3rd Annual Privacy, Access and Security Congress, Ottawa, 2012 Mike.

1© Copyright 2011 EMC Corporation. All rights reserved. The Future of the Advance Soc 3rd Annual Privacy, Access and Security Congress, Ottawa, 2012 Mike.
Update on OCIs Cybersecurity Activities for CASC September 2011 Kevin Thompson.

Update on OCIs Cybersecurity Activities for CASC September 2011 Kevin Thompson.
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang,

Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang,
1 CANTINA : A Content-Based Approach to Detecting Phishing Web Sites WWW 2007 2008.09.09 Yue Zhang, Jason Hong, and Lorrie Cranor.

1 CANTINA : A Content-Based Approach to Detecting Phishing Web Sites WWW Yue Zhang, Jason Hong, and Lorrie Cranor.
Design and Evaluation of a Real- Time URL Spam Filtering Service Kurt Thomas, Chris Grier, Justin Ma, Vern Paxson, Dawn Song University of California,

Design and Evaluation of a Real- Time URL Spam Filtering Service Kurt Thomas, Chris Grier, Justin Ma, Vern Paxson, Dawn Song University of California,
Anthony D. Joseph UC Berkeley SCRUB ISTC: Secure Computing Research for Users’ Benefit TRUST Autumn 2011 Conference.

Anthony D. Joseph UC Berkeley SCRUB ISTC: Secure Computing Research for Users’ Benefit TRUST Autumn 2011 Conference.
Secure and Trustworthy Cyberspace (SaTC) Program Sam Weber Program Director March 2012.

Secure and Trustworthy Cyberspace (SaTC) Program Sam Weber Program Director March 2012.
 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.

 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.
Semantic Web and Web Mining: Networking with Industry and Academia İsmail Hakkı Toroslu IST EVENT 2006.

Semantic Web and Web Mining: Networking with Industry and Academia İsmail Hakkı Toroslu IST EVENT 2006.
Adaptive Book: A Platform for teaching, learning and student modeling Ananda Gunawardena School of Computer Science Carnegie Mellon University.

Adaptive Book: A Platform for teaching, learning and student modeling Ananda Gunawardena School of Computer Science Carnegie Mellon University.
Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.

Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.
Prophiler: A fast filter for the large-scale detection of malicious web pages Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2011/03/31 1.

Prophiler: A fast filter for the large-scale detection of malicious web pages Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2011/03/31 1.
Norman SecureTide Powerful cloud solution to stop spam and threats before it reaches your network.

Norman SecureTide Powerful cloud solution to stop spam and threats before it reaches your network.
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
Présentation EPFL-Public | 2014 1 Ecole Polytechnique Fédérale de Lausanne EPFL.

Présentation EPFL-Public | Ecole Polytechnique Fédérale de Lausanne EPFL.
Automated malware classification based on network behavior

Automated malware classification based on network behavior
11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang 2010/3/29.

11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang /3/29.
Advisor: Hsin-Hsi Chen Reporter: Chi-Hsin Yu Date: 2010.08.05.

Advisor: Hsin-Hsi Chen Reporter: Chi-Hsin Yu Date:
SECURITY IN CLOUD COMPUTING By Bina Bhaskar Anand Mukundan.

SECURITY IN CLOUD COMPUTING By Bina Bhaskar Anand Mukundan.

Similar presentations

Ads by Google