Date posted: 24-Jan-2017
Category: Technology
Deep Learning in Security: An Empirical Example in User & Entity Behavior Analytics (UEBA)
Jisheng Wang, Min-Yi Shen
© 2016 Niara Inc. All Rights reserved. Proprietary and Confidential
Jisheng Wang, Chief Scientist at Niara
• Over 12 years of experience applying machine learning and big data technology to security
• Ph.D. from Penn State – ML in security with 100GB of data
• Technical Leader at Cisco – Security Intelligence Operations (SIO) with 10B/day
• Leads the overall big data analytics innovation and development at Niara
Niara
• Recognized as a leader by Gartner in user and entity behavior analytics (UEBA)
• Re-inventing enterprise security analytics for attack detection and incident response
USER & ENTITY BEHAVIOR ANALYTICS
UEBA SECURITY: why this matters
UEBA SOLUTION: how to detect attacks before damage is done
BEYOND DEEP LEARNING: how to build a comprehensive solution
PROBLEM: THE SECURITY GAP
(Chart: security spend on prevention & detection, in US $B, against the number of data breaches)
PROBLEM: CAUSE OF THE GAP
ATTACKERS: are quickly innovating & adapting
BATTLEFIELD: with IoT and cloud, security is borderless
PROBLEM: ADDRESSING THE CAUSE
ATTACKERS: are quickly innovating & adapting
DEEP LEARNING: solutions must be responsive to changes
PROBLEM: ADDRESSING THE CAUSE
BATTLEFIELD: with IoT and cloud, security is borderless
INSIDER BEHAVIOR: look at behavior change of inside users and machines
USER & ENTITY BEHAVIOR ANALYTICS (UEBA)
MACHINE LEARNING DRIVEN BEHAVIOR ANALYTICS IS A NEW WAY TO COMBAT ATTACKERS
1. Machine driven, not only human driven
2. Detect compromised users, not only attackers
3. Post-infection detection, not only prevention
REAL WORLD NEWS WORTHY EXAMPLES
COMPROMISED: 40 million credit cards were stolen from Target’s servers (STOLEN CREDENTIALS)
NEGLIGENT: DDoS attack from 10M+ hacked home devices took down major websites (ALL USED THE SAME PASSWORD)
MALICIOUS: Edward Snowden stole more than 1.7 million classified documents (INTENDED TO LEAK INFORMATION)
REAL WORLD ATTACKS CAUGHT BY NIARA
SCANNING ATTACK: scan servers in the data center to find vulnerable targets (DETECTED WITH AD LOGS)
EXFILTRATION OF DATA: upload a large file to a cloud server hosted in a new country never accessed before (DETECTED WITH WEB PROXY LOGS)
DATA DOWNLOAD: download data from an internal document repository, which is not typical for the host (DETECTED WITH NETWORK TRAFFIC)
BEHAVIOR ENCODING – USER (figure: User 1 vs. User 2)
BEHAVIOR ENCODING – USER VS MACHINE (figure: User vs. Machine)
BEHAVIOR ANOMALY – USER | EXFILTRATION (figure: User – Before Compromise vs. User – Post Compromise)
BEHAVIOR ANOMALY – MACHINE | DATA DOWNLOAD (figure: Dropcam – Before Compromise vs. Dropcam – Post Compromise)
BEHAVIOR DETECTION ARCHITECTURE (diagram)
Components: Input Data; Stream Data Pre-processing; Behavior Encoding; User Activities; Labeled User Behavior Repository; Behavior Anomaly Detection; CNN Training; Behavior Classifier
Frameworks shown: Apache Spark, TensorFlow
CNN – COMPUTATION GRAPH
Feature Extraction: Behavior Image (24x60x9) → 8x20 Convolution → Feature Maps (24x60x40) → 2x2 Pooling → Feature Maps (12x30x40) → 4x10 Convolution → Feature Maps (12x30x80) → 2x2 Pooling → Feature Maps (6x15x80)
Classification: Fully Connected layers (1024 Nodes, with Dropout) → Output Layer (User Labels)
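The slide's input is a 24x60x9 behavior image and its feature maps shrink 24x60 → 12x30 → 6x15. The example below (added here, not Niara's code) encodes constructed activity events into such a grid and propagates the shape through the graph's layers; it assumes rows are hours of the day, columns minutes of the hour and channels activity types (the deck gives only the dimensions), and it assumes 'same' padding for the convolutions, since that is the only way the 8x20 and 4x10 kernels leave the spatial size unchanged as the slide shows.

```python
HOURS, MINUTES = 24, 60
# Assumed channel set (constructed): the deck gives only the channel count, 9.
CHANNELS = ["ad_login", "vpn_login", "web_proxy", "cloud_upload", "saas",
            "iaas", "badge", "email", "internal_repo"]
# Constructed sample activity for one user on one day: (hh:mm, channel).
# The last event is malformed on purpose to show it is skipped, not fatal.
SAMPLE_EVENTS = [("08:02", "badge"), ("08:05", "ad_login"), ("08:05", "ad_login"),
                 ("09:30", "web_proxy"), ("23:15", "cloud_upload"), ("25:00", "saas")]

def encode_behavior(events, channels=CHANNELS):
    """Count events into an HOURS x MINUTES x len(channels) grid (nested lists).
    Assumption: rows = hour of day, columns = minute of hour, depth = activity type.
    """
    idx = {name: i for i, name in enumerate(channels)}
    img = [[[0] * len(channels) for _ in range(MINUTES)] for _ in range(HOURS)]
    for hhmm, ch in events:
        try:
            h, m = (int(x) for x in hhmm.split(":"))
        except ValueError:
            continue  # unparsable timestamp
        if not (0 <= h < HOURS and 0 <= m < MINUTES) or ch not in idx:
            continue  # out-of-range time or unknown activity type
        img[h][m][idx[ch]] += 1
    return img

def conv_same(shape, filters):
    """'same'-padded convolution: spatial size kept, channel count = filters."""
    h, w, _ = shape
    return (h, w, filters)

def pool(shape, k):
    """Non-overlapping k x k pooling: spatial size divided by k."""
    h, w, c = shape
    return (h // k, w // k, c)

def cnn_shapes(input_shape=(HOURS, MINUTES, len(CHANNELS))):
    """Output shape after each layer of the slide's graph, in order."""
    layers = [("conv 8x20", conv_same, 40), ("pool 2x2", pool, 2),
              ("conv 4x10", conv_same, 80), ("pool 2x2", pool, 2)]
    shapes, s = [("behavior image", input_shape)], input_shape
    for name, fn, arg in layers:
        s = fn(s, arg)
        shapes.append((name, s))
    shapes.append(("flatten", (s[0] * s[1] * s[2],)))  # feeds the FC layers
    shapes.append(("fully connected", (1024,)))
    return shapes
```

The flatten step makes explicit that the 6x15x80 map becomes a 7200-wide vector before the 1024-node fully connected layer, which is where most of this graph's parameters live.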
CNN – PROGRESSION OF TRAINING ERROR (plot: y-axis Training Error, x-axis # of minibatches, 100 profiles/batch)
USER & ENTITY BEHAVIOR ANALYTICS
UEBA SECURITY: what is UEBA
UEBA SOLUTION: infrastructure needed for deep learning
BEYOND DEEP LEARNING: how to build a comprehensive solution
BEYOND DEEP LEARNING: ENSEMBLE LEARNING
Behavioral Analytics inputs:
• Internal Resource Access – Finance servers
• Authentication – AD logins
• Remote Access – VPN logins
• External Activity – C&C, personal email
• SaaS Activity – Office 365, Box
• Cloud IaaS – AWS, Azure
• Physical Access – badge logs
• Exfiltration – DLP, Email
Ensemble approach using a mix of different models over various types of behaviors from the same entity.
BEYOND DEEP LEARNING: REINFORCEMENT LEARNING (diagram)
Components: Input Data; Models; Alerts; User Feedback (Interactive Learning); Local Context; Self Learning; Initial Parameters
USER & ENTITY BEHAVIOR ANALYTICS
UEBA SECURITY: what is UEBA
UEBA SOLUTION: infrastructure needed for deep learning
BEYOND DEEP LEARNING: how to build a comprehensive solution
Thank You