
Machine Learning and the Peak of Inflated Expectations

TK Keanini, Distinguished Engineer
June 2018

[Figure: Gartner Hype Cycle for Emerging Technologies, 2017. Axes: Expectations (vertical) against Time (horizontal). Phases along the curve: Innovation Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment, Plateau of Productivity. Machine Learning is marked at the Peak of Inflated Expectations. Source: Gartner (July 2017)]

Vendors Got Us Here

“Our machines detect threats others cannot”

“100% predictive”

“Advanced Threats are no match for A.I.”

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

How We Disservice Machine Learning

Silver Bullet Marketing

No Explanation or Discussion

Limited Guidance


MACHINE LEARNING

What it is

“Field of study that gives computers the ability to learn without being explicitly programmed.”

Arthur Samuel’s definition of machine learning, 1959

NERD ALERT

Let’s define the helpful data science terms

bayesian, regression, machine learning algorithms, regularization, clustering, neural network, deep learning, ensemble, rule system, decision tree, instance based, dimensionality reduction, classifier, ground truth


The Big Picture

Artificial Intelligence
    Machine Learning
        Supervised Learning
        Unsupervised Learning
        Reinforcement Learning


Machine Learning

Common Techniques

Supervised Learning: when you know the question you are trying to ask and have examples of it being asked and answered correctly.

Unsupervised Learning: you don't have answers and may not fully know the questions.

Reinforcement Learning: “the other” category; trial-and-error behavior, effective in game scenarios.


Supervised Learning: 75% | Unsupervised Learning: 15% | Other (Reinforcement Learning, etc.): 10%


What did we do before Machine Learning?

Simple Pattern Matching

Statistical Methods

Rules and First Order Logic (FoL)

Use in combination with Machine Learning


MACHINE LEARNING

Techniques

“Field of study that gives computers the ability to learn without being explicitly programmed.”

Translation: “Field of study that gives computers the ability to be implicitly programmed.”

Training Classifiers

Training Data -> Machine Learning Algorithm -> Classifier

New Data -> Classifier -> Prediction

Ground Truth Used in Supervised Learning

The ‘Ground Truth’ is the pairing of example questions and answers.

If you can phrase a problem as ‘we know this is right, learn a way to answer more questions of this type’, it is a candidate for supervised learning.

Success depends greatly on the dataset expressing the Question -> Answer mapping.


MACHINE LEARNING

Pitfalls

One Size Does Not Fit All

Other ML Application | Security

NERD ALERT

Warning: Success in one domain does not guarantee success in another

What Is At Stake Matters

Because you watched Deadpool, you might like… Deadpool, X-Men: First Class, The Flash, Captain America: The First Avenger


How did you come to that conclusion?

“The Explainability Problem”

Normal Workflow: CFO daily calendar

Irregular Activity: ML detects “suspicious” activity and suggests remediation

Quarantined: however, ML cannot articulate *why* it wants to remediate

Loss of time and resources
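The training pipeline from the earlier slide (ground truth in, classifier out, prediction on new data) and the explainability gap on this one, as a single added example that is not from the talk or from any Cisco product: a small Bernoulli naive Bayes classifier trained on constructed, hypothetical connection features, whose verdict comes with the per-feature log-odds contributions, which is the kind of entailment an analyst would want before quarantining the CFO's laptop.

```python
import math
from collections import Counter
# Constructed ground truth (question -> answer pairs): hypothetical connection
# attributes labelled by an analyst. Not real telemetry from any product.
GROUND_TRUTH = [
    ({"port:443", "dst:known-cdn", "bytes:small"}, "benign"),
    ({"port:443", "dst:known-cdn", "bytes:large"}, "benign"),
    ({"port:80", "dst:known-cdn", "bytes:small"}, "benign"),
    ({"port:443", "dst:new-domain", "bytes:small"}, "benign"),
    ({"port:443", "dst:new-domain", "bytes:small", "beacon:periodic"}, "malicious"),
    ({"port:8080", "dst:new-domain", "bytes:small", "beacon:periodic"}, "malicious"),
    ({"port:8080", "dst:new-domain", "bytes:large", "beacon:periodic"}, "malicious"),
]

class ExplainableNB:
    """Bernoulli naive Bayes over feature sets that also reports *why* it decided."""
    def __init__(self, examples, positive="malicious"):
        self.pos = positive
        self.neg = next(y for _, y in examples if y != positive)
        self.n_pos = sum(1 for _, y in examples if y == positive)
        self.n_neg = len(examples) - self.n_pos
        self.features = set().union(*(f for f, _ in examples))
        self.count = {True: Counter(), False: Counter()}  # is_positive -> feature counts
        for feats, y in examples:
            self.count[y == positive].update(feats)

    def _p(self, feat, positive):
        # P(feature present | class), Laplace smoothed so it is never exactly 0 or 1.
        n = self.n_pos if positive else self.n_neg
        return (self.count[positive][feat] + 1) / (n + 2)

    def contributions(self, feats):
        """Log-odds toward the positive class from the prior and each known feature."""
        out = {"prior": math.log(self.n_pos / self.n_neg)}
        for f in self.features:
            p1, p0 = self._p(f, True), self._p(f, False)
            if f in feats:
                out[f] = math.log(p1 / p0)
            else:  # a feature being absent is evidence as well
                out["absent:" + f] = math.log((1 - p1) / (1 - p0))
        return out

    def predict(self, feats, top=3):
        """Return (label, evidence): the strongest contributions in the direction of
        the decision, i.e. the entailments an analyst can check."""
        c = self.contributions(feats)
        sign = 1 if sum(c.values()) > 0 else -1
        evidence = sorted(((k, round(v, 2)) for k, v in c.items() if v * sign > 0),
                          key=lambda kv: -abs(kv[1]))[:top]
        return (self.pos if sign > 0 else self.neg), evidence
```

Calling `ExplainableNB(GROUND_TRUTH).predict({"port:443", "dst:new-domain", "bytes:large", "beacon:periodic"})` yields a malicious verdict led by the periodic beacon, and a plain CDN connection comes back benign with the absence of beaconing as its top reason.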


MACHINE LEARNING

For Security

How We Know Machine Learning is Working

Precision: When my classifier predicts an instance in a certain class, how often does the instance belong to that class?

Accuracy: How often does my classifier give me the correct answer?

NERD ALERT

Root mean square error & Logistic Regression. Translation: On average, how far away are my predictions from what we later know to be true values?


Why is Machine Learning so useful in Security?

Evolving (Security): the security domain is always evolving, has a large amount of variability, and is not well-understood

Static: limited variability, or well-understood


Insider Threats and Behavioral Security Analytics

Detecting: through novelty and outliers

Attackers: they’re not breaking in, they are logging in

Events: turn weak signals into a strong one


Classify the Observable World and Infer the Rest

Normal Activity | Weird Stuff (but not threat related) | Threat Actor Activity


Multi-layer Analytical Pipeline

Billions of connections flow through a cascade of specialized layers of Machine Learning algorithms:

Anomaly Detection and Trust Modeling

Event Classification and Entity Modeling

Relationship Modeling

Techniques used across the layers:

• Statistical Methods
• Information-Theoretical Methods
• 70+ Unsupervised Anomaly Detectors
• Dynamic Adaptive Ensemble Creation
• Multiple-Instance Learning
• Neural Networks
• Rule Mining
• Random Forests
• Boosting
• ML: Supervised Learning
• Probabilistic Threat Propagation
• Graph-Statistical Methods
• Random Graphs
• Graph Methods
• Supervised Classifier Training
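The first layer of such a pipeline in miniature, as an added example that is not the talk's or Cisco's code: several weak unsupervised detectors (per-host z-scores against each host's own baseline, on constructed, hypothetical daily telemetry) whose outputs an ensemble combines into one strong score, reporting which detectors fired so the next layer and the analyst see the supporting signals rather than a bare number.

```python
from statistics import mean, pstdev

# Constructed per-host daily telemetry (hypothetical, not from any product):
# host -> list of (megabytes uploaded, distinct destinations, never-seen destinations)
HISTORY = {
    "host-a": [(12, 30, 1), (15, 28, 0), (11, 33, 2), (14, 31, 1), (13, 29, 0)],
    "host-b": [(5, 12, 0), (6, 11, 0), (4, 13, 1), (5, 12, 0), (6, 10, 0)],
}
TODAY = {
    "host-a": (14, 30, 1),   # within its own baseline
    "host-b": (90, 14, 9),   # heavy uploader plus many never-seen destinations
}
FEATURES = ("upload_mb", "distinct_dst", "new_dst")

def zscore(value, series):
    """One weak detector: distance from this host's own baseline in standard deviations."""
    sd = pstdev(series) or 1.0          # flat baseline: avoid division by zero
    return (value - mean(series)) / sd

def weak_signals(host):
    """Run an independent z-score detector per feature against the host's history."""
    hist = HISTORY[host]
    return {name: zscore(TODAY[host][i], [day[i] for day in hist])
            for i, name in enumerate(FEATURES)}

def ensemble(signals, cap=6.0):
    """Combine weak signals into one strong score in [0, 1]: each detector adds its
    clipped positive z-score, normalised by the maximum the ensemble could reach."""
    total = sum(min(max(z, 0.0), cap) for z in signals.values())
    return total / (cap * len(signals))

def triage(threshold=0.5, fire_at=3.0):
    """Rank hosts by ensemble score, keep those above the threshold, and report
    which detectors fired so the analyst sees the evidence, not just a score."""
    out = []
    for host in TODAY:
        sig = weak_signals(host)
        score = ensemble(sig)
        if score >= threshold:
            fired = sorted(k for k, z in sig.items() if z >= fire_at)
            out.append((host, round(score, 2), fired))
    return sorted(out, key=lambda r: -r[1])
```

On this data `triage()` surfaces only host-b, with the upload and never-seen-destination detectors fired; the destination-count detector moved but stayed below its own threshold, which is exactly the weak signal that the ensemble still credits.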


Security that Shows its Work

[Figure: incident timeline from a detection console, presenting the evidence behind a verdict rather than a bare score. Entries: Oct. 3, Spam tracking (#CSPM02, new); Oct. 4, C&C URL; Information Stealer (#CDCH01); Oct. 15, Anomalous HTTP; Oct. 16, Heavy uploader (Dropbox.com); Oct. 25 and Oct. 28, Malicious HTTP (recurring); Malware: Sality, Dec. 9, 28 days]


Measure the Right Things

Efficacy of the Assertions

True/False Positive

True/False Negative

Root Mean Squared Error

Overfitting/Underfitting
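The four counts on this slide together with the precision, accuracy and RMSE definitions from the “How We Know Machine Learning is Working” slide, as an added example not drawn from the talk: computed over a constructed, hypothetical evaluation set in which a detector that never alerts scores 99% accuracy, which is why precision, recall and false-positive rate, not accuracy alone, tell you whether the assertions are actually helpful.

```python
import math

# Constructed evaluation set (hypothetical): 1000 connections, 10 truly malicious.
# Labels are 1 = malicious, 0 = benign; truth and predictions are aligned by index.
TRUTH = [1] * 10 + [0] * 990
DETECTORS = {
    "always_benign": [0] * 1000,                                 # never alerts
    "real_detector": [1] * 8 + [0] * 2 + [1] * 12 + [0] * 978,   # finds 8 of 10, 12 false alarms
}

def confusion(truth, pred):
    """True/false positives and negatives: the four counts everything else derives from."""
    tp = sum(1 for t, p in zip(truth, pred) if t == 1 and p == 1)
    fp = sum(1 for t, p in zip(truth, pred) if t == 0 and p == 1)
    fn = sum(1 for t, p in zip(truth, pred) if t == 1 and p == 0)
    tn = sum(1 for t, p in zip(truth, pred) if t == 0 and p == 0)
    return tp, fp, fn, tn

def metrics(truth, pred):
    """Accuracy, precision, recall and false-positive rate from the confusion counts."""
    tp, fp, fn, tn = confusion(truth, pred)
    return {
        "accuracy": (tp + tn) / (tp + fp + fn + tn),       # how often is the answer right?
        "precision": tp / (tp + fp) if tp + fp else 0.0,   # when it alerts, how often correctly?
        "recall": tp / (tp + fn) if tp + fn else 0.0,      # of the real threats, how many found?
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
    }

def rmse(predicted, actual):
    """Root mean squared error for numeric outputs such as a predicted risk score."""
    return math.sqrt(sum((p - a) ** 2 for p, a in zip(predicted, actual)) / len(actual))

def compare(truth=TRUTH, detectors=DETECTORS):
    """Score every detector on the same ground truth; rounding keeps the table readable."""
    return {name: {k: round(v, 3) for k, v in metrics(truth, pred).items()}
            for name, pred in detectors.items()}
```

`compare()` reports 0.99 accuracy but zero precision and recall for the detector that never alerts, versus 0.986 accuracy, 0.4 precision and 0.8 recall for the one that does real work.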


Conclusion

What to Ask Your Vendor

How are you applying Machine Learning in your product and why?

How do you measure its effectiveness?

Regarding supervised learning, what are you using for ‘ground truth’?

What non-machine learning are you using and why?

What papers or open-source have you published regarding your analytics?

For the ML based assertions, what entailments are provided?


A Good Machine Learning Approach

Be Pragmatic

Entailments

Success is Domain Specific

Analytical pipeline, over single technique

Measure helpfulness, not mathematical accuracy


NERD ALERT

Thank you!