PARADIGM SHIFT IN INFORMATION SECURITY AND PRIVACY WITH ARTIFICIAL INTELLIGENCE AND MACHINE LEARNING

Predict – Prepare – Prevent – Detect

Dragan Pleskonjic

Copyright © 2015 - 2017 Dragan Pleskonjic, INPRESEC. All rights reserved. Confidential.

Page 1

Page 2: INPRESEC INITIATOR / FOUNDER

• Rich experience in creating and managing start-ups, new businesses development
• Leading management positions in international corporations
• Expertise in information security, computer software and networks industry
• Prolific academic career: Adjunct Professorship, authorship of books, scientific papers and journals' articles
• Scientific and security leader, researcher, advisor, architect
• Inventor with a set of U.S. patents granted and several patent applications pending (USPTO, CIPO, EPO, WIPO)
• Entrepreneur, leader, motivator, visionary

Dragan Pleskonjic

Page 3

• Information security is complicated, and hard to get right. I'm an expert in the field, and it's hard for me. It's hard for the director of the CIA. And it's hard for you.
  — Bruce Schneier, called a "security guru" by The Economist

• Machine learning plays a part in every stage of your life.
  — Pedro Domingos, Professor and author of the book "The Master Algorithm: How the Quest for the Ultimate Learning Machine Will Remake Our World"

• Confidentiality, Integrity, Availability (CIA) + authenticity, accountability, non-repudiation, reliability
• DAD - Disclosure, Alteration, Destruction

Figure: Information Security triad - Confidentiality, Integrity, Availability

Page 4: SQL Injection on car license plates (image slide)

Page 5: The Cyber Threat Landscape

Threats - types of threats
• Confidentiality, Integrity, Availability
• Via technology / via human
• Rootkit, Trojan horse, botnets, zombies, worms, viruses, backdoors, spam, physical threat
• Web attacks, SQL attack, cross-site scripting, buffer overflow, database attacks, distributed denial of service
• Phishing, spear phishing, pharming, social networks, wireless, mobile

Attack methodology - methodologies used to attack a target and potential tools/techniques that can be used to conduct the attack
• Recon, Attack, Exploit, Social Engineering
• Tools and techniques: scanners, sniffers, packet crafters; exploit vulnerabilities, compromise applications, crack passwords; Nessus, Metasploit, Cain and Abel, Wireshark

Attackers
• Advanced Persistent Threat (APT): cyber warfare, digital spying, espionage (China, Russia)
• Organized crime: Nigerian scams, Russian Business Network, custom bank attacks, phishing
• Insiders: disgruntled, financially motivated, unintentional
• Hacktivism: political, cultural, religious, national pride, terrorist
• Script kiddies: social hacking, group membership, challenge / status, curiosity, entertainment

Defensive mountain range - different ways to protect our systems
• Defense-in-depth tools: encryption, intrusion prevention system, firewalls, anti-virus, metrics
• Security operations center, incident response team, vulnerability assessments, penetration tests, log correlation, forensics
• Configuration management, patching, policies, access control
• Identity management: authenticate, authorize, audit / compliance
• Risk management, situational awareness, disaster recovery, continuity of operations, due care / diligence
• Key education techniques: training, applied guidance, campaigns

Targeted capabilities - systems and information to protect
• Critical infrastructure: production sites, headquarters, DCA development hubs, e-mail organization, manufacturing
• Corporate: trade secret, proprietary, finance, proposals, policies
• Personal: credit card, bank, credit, health, PII, social networks, spending habits
• Information technology: Windows, VoIP, cloud, applications, configuration, web pages, architecture

Page 6: The Problem

• Number of security breaches is rapidly increasing
• Organizations are not able to cope with all of the threats, attacks and risks anymore:
  – significant amount of manual work
  – lack of focus and concentration leading to errors
  – lack of skilled professionals and tools
  – increasing cost
• There is no true predictive approach on the market!
• Late detection - costs of breach are skyrocketing!

Page 7: Shift the Paradigm and Defense in Depth (image slide)

Page 8: Our Approach

• INPRESEC's INTELLIGENT PREDICTIVE SECURITY
• CHALLENGES WE ARE ADDRESSING: Classification, Prediction

Figure: Artificial Intelligence + Machine Learning + Predictive Analytics + Big Data + Threat Intelligence (Σ) = BETTER INFORMATION SECURITY

Page 9: Machine Learning

• Supervised
• Unsupervised
• Reinforcement Learning
• Principal Component Analysis (PCA)

Source: http://drewconway.com/zia/2013/3/26/the-data-science-venn-diagram

Page 10 (image slide)

Page 11: Machine Learning Tools

• Keras: The Python Deep Learning library
  – TensorFlow - An open-source software library for Machine Intelligence
  – Theano - Python library that allows you to define, optimize, and evaluate mathematical expressions involving multi-dimensional arrays efficiently.
• scikit-learn - Machine Learning in Python
• Matlab - Statistics and Machine Learning Toolbox
• Weka - Collection of machine learning algorithms for data mining tasks.
• NeuroSolutions - Neural Network Software
• Apache Mahout™ - Scalable machine learning and data mining
• Apache Spark™ Machine Learning Library (MLlib) - scalable machine learning library consisting of common learning algorithms and utilities, including classification, regression, clustering, collaborative filtering, dimensionality reduction, as well as underlying optimization primitives
• …

Page 12: Our Solution

• Classification of events ALLOWED / NOT ALLOWED
  – Action based on the result
• Common platform & modules for:
  – Intrusion
  – Data Leak
  – Fraud
  – Malware
  – Malfunction
  – …
• Prediction
• Solution components: SENSOR, AGENT, SERVER, ADMIN, TRAINER, PREDICTION MODULE
• Deployment:
  – Service model: Security as an INPRESEC hosted and managed service
  – Product model: hosted by client, serviced by us

Page 13: Key INPRESEC Solution Elements

INPRESEC SENSOR
• Software, can be appliance; analyses network traffic & possible security violations, classification based on Machine Learning (ML) - network-based system

INPRESEC AGENT
• Software installed on a computer (server, desktop, laptop), mobile device (smartphone, tablet etc.) or network devices (routers, firewalls, etc.), classification based on ML - host-based system

INPRESEC SERVER
• Software - integrates functions of sensors & agents
• Collects data from Sensors & Agents, analysis, classifying, learning & correlation and actions, based on ML
• Can be linked to SOC/CERT centers or to other security elements (AV, DLP, SIEM, ...)

INPRESEC ADMIN
• Dashboard, Configuration Console, Management, Monitoring & Reporting Tools.
• Sends alerts or other info through various communication means

INPRESEC TRAINER
• Software - training system based on ML

INPRESEC PREDICTION MODULE
• Software - data feed with probabilities of security events in future
• Prediction based on various data sources, Threat Intelligence (TI), predictive analytics and ML

Page 14: Solution Components - Sensor

SENSOR, AGENT, SERVER, ADMIN, TRAINER, PREDICTION MODULE

• Software, can be appliance; analyses network traffic & possible security violations, classification based on Machine Learning (ML) - network-based system

Page 15: Solution Components - Agent

SENSOR, AGENT, SERVER, ADMIN, TRAINER, PREDICTION MODULE

• Software installed on a computer (server, desktop, laptop), mobile device (smartphone, tablet etc.) or network devices (routers, firewalls, etc.), classification based on ML - host-based system

Page 16: Solution Components - Server and Admin

SENSOR, AGENT, SERVER, ADMIN, TRAINER, PREDICTION MODULE

INPRESEC SERVER
• Software - integrates functions of sensors & agents
  – Collects data from Sensors & Agents, analysis, classifying, learning & correlation and actions, based on ML
  – Can be linked to SOC/CERT centers or to other security elements (AV, DLP, SIEM, ...)

INPRESEC ADMIN
• Software - Dashboard, Configuration Console, Management, Monitoring & Reporting Tools.
  – Sends alerts or other info through various communication means

Page 17: Solution Components - Trainer and Prediction Module

SENSOR, AGENT, SERVER, ADMIN, TRAINER, PREDICTION MODULE

INPRESEC TRAINER
• Software - training system based on ML
  – Uses "security analyst in the loop" annotations as additional input to datasets
  – Creates new models based on inputs from live system and annotated vectors
  – When a new model with better accuracy is created, posts it to server for download by sensors and agents
  – By machine learning, system provides continual improvement, adapting to variety of threats, attacks, as well as specific requirements that customers may have.

INPRESEC PREDICTION MODULE
• Software - data feed with probabilities of security events in future
  – Prediction based on various data sources, Threat Intelligence (TI), predictive analytics and ML
  – Using various parameters and input data from set of internal and external sources, it analyses them and, through set of our proprietary algorithms, gives probabilities of possible threats and attacks.
  – These data will be later distributed as input to our system and help to set alert levels, thresholds, prevention measures etc.
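The trainer cycle on this slide (merge "security analyst in the loop" annotations into the dataset, retrain, and push the new model to sensors and agents only when it is more accurate) and the ALLOWED / NOT ALLOWED classification with an action on the result from page 12, written out as an added example. This is not INPRESEC code: a toy nearest-centroid classifier stands in for the proprietary ML model, the feature vectors, labels, validation rows and analyst annotations are all constructed, and the feature meaning and the "pass" / "block and alert" policy are assumptions for the example.

```python
"""Added example (not INPRESEC code): a toy "security analyst in the loop"
training cycle. Events are feature vectors, a nearest-centroid classifier
labels them ALLOWED / NOT ALLOWED, analyst annotations are merged into the
training set, and a retrained model is promoted only when it beats the
current one on a held-out validation set. All data below is constructed."""
import math
from typing import Dict, List, Tuple

ALLOWED, NOT_ALLOWED = 0, 1
Row = Tuple[List[float], int]           # (feature vector, label)

# Assumed feature layout for the example: [failed_logins_per_hour, bytes_out_mb]
TRAINING: List[Row] = [
    ([1, 10], ALLOWED), ([2, 12], ALLOWED), ([0, 8], ALLOWED), ([1, 11], ALLOWED),
    ([20, 300], NOT_ALLOWED), ([25, 280], NOT_ALLOWED),   # loud brute force + bulk exfil
]
# Held-out validation set; the last two rows are "low and slow" data leaks
# that the initial model cannot separate from regular traffic.
VALIDATION: List[Row] = [
    ([1, 9], ALLOWED), ([2, 11], ALLOWED), ([30, 310], NOT_ALLOWED),
    ([2, 150], NOT_ALLOWED), ([3, 140], NOT_ALLOWED),
]
# Annotations an analyst made on live events the current model got wrong.
ANALYST_ANNOTATIONS: List[Row] = [
    ([2, 160], NOT_ALLOWED), ([4, 130], NOT_ALLOWED),
    ([1, 150], NOT_ALLOWED), ([3, 170], NOT_ALLOWED),
]


def train(rows: List[Row]) -> Dict[int, List[float]]:
    """Nearest-centroid model: one mean vector per class."""
    sums: Dict[int, List[float]] = {}
    counts: Dict[int, int] = {}
    for x, y in rows:
        vec = sums.setdefault(y, [0.0] * len(x))
        for i, v in enumerate(x):
            vec[i] += v
        counts[y] = counts.get(y, 0) + 1
    return {y: [s / counts[y] for s in vec] for y, vec in sums.items()}


def classify(model: Dict[int, List[float]], x: List[float]) -> int:
    """Label = class whose centroid is closest (Euclidean distance)."""
    return min(model, key=lambda y: math.dist(model[y], x))


def action_for(label: int) -> str:
    """Action taken on the classification result (assumed policy)."""
    return "pass" if label == ALLOWED else "block and alert"


def accuracy(model: Dict[int, List[float]], rows: List[Row]) -> float:
    return sum(classify(model, x) == y for x, y in rows) / len(rows)


def retrain_and_maybe_promote(current, training, annotations, validation):
    """Trainer step: merge analyst annotations, retrain, and promote only if
    the new model is strictly more accurate on the held-out validation set.
    Returns (model now in force, promoted?, old accuracy, new accuracy)."""
    candidate = train(training + annotations)
    old_acc = accuracy(current, validation)
    new_acc = accuracy(candidate, validation)
    promoted = new_acc > old_acc
    return (candidate if promoted else current), promoted, old_acc, new_acc


if __name__ == "__main__":
    baseline = train(TRAINING)
    model, promoted, old_acc, new_acc = retrain_and_maybe_promote(
        baseline, TRAINING, ANALYST_ANNOTATIONS, VALIDATION)
    print(f"validation accuracy {old_acc:.2f} -> {new_acc:.2f}, promoted={promoted}")
    for x, _ in VALIDATION:
        print(x, action_for(classify(model, x)))
```

The baseline model only knows loud attacks, so it lets the two low-volume leaks through (validation accuracy 0.6); after the analyst's four annotations are folded in, the retrained model catches them (accuracy 1.0) and is promoted. Annotations that merely restate obvious normal traffic leave the accuracy at 0.6 and the old model stays in force, which is the guard that keeps a worse or unchanged model from being pushed to sensors and agents.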

Page 18: Possible Network Layout (image slide)

Page 19: Machine Learning -> Increased Efficiency

• "Security analyst in the loop" concept
  – Supervised learning - solution becomes more and more clever over time and requires less human intervention
• Decrease grey area over time, eventually to reach A = B
• Team focuses on more innovative and interesting work

Page 20: Datasets - how to obtain/create

• Various IDS/IPS datasets and test vectors available on Internet
• Created by us from:
  – Testing environments
  – Real environments
• Created by us - dataset generation scripts:
  – "clean" ones, i.e. regular, no intrusions or other issues
  – With anomalies, attacks, intrusions, data leaks, malware and similar malfunctions

Page 21: Labeled dataset example (redacted)

Page 22: Sensitivity and Specificity

Page 23: Receiver Operating Characteristic (ROC) curve
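Pages 22 and 23 carry only their titles, so here is an added example, not taken from the deck, of the two measures and the curve applied to an intrusion classifier: sensitivity, specificity and the ROC points with their area are computed over a constructed set of classifier scores, and the alert threshold is then chosen for a required sensitivity, which is the decision the prediction module's "alert levels, thresholds" on page 17 feed into. The scores and labels are constructed, and `threshold_for_min_sensitivity` is a helper name assumed for the example.

```python
"""Added example (not from the deck): sensitivity, specificity and an ROC
curve computed over constructed classifier output, the way an IDS model
would be evaluated on a labeled dataset before its alert threshold is set."""
from typing import Dict, List, Tuple

# Constructed evaluation set: (classifier score = P(NOT ALLOWED), true label)
# Label 1 = intrusion / data leak, 0 = regular traffic.
SCORED_EVENTS: List[Tuple[float, int]] = [
    (0.95, 1), (0.85, 1), (0.70, 1), (0.55, 1), (0.40, 1),   # true attacks
    (0.60, 0), (0.30, 0), (0.20, 0), (0.10, 0), (0.05, 0),   # regular traffic
]


def confusion(events, threshold: float) -> Dict[str, int]:
    """Alert when score >= threshold; count the four outcome types."""
    c = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for score, label in events:
        alert = score >= threshold
        if label == 1:
            c["TP" if alert else "FN"] += 1
        else:
            c["FP" if alert else "TN"] += 1
    return c


def sensitivity(c: Dict[str, int]) -> float:
    """True positive rate: share of real attacks that raised an alert."""
    return c["TP"] / (c["TP"] + c["FN"])


def specificity(c: Dict[str, int]) -> float:
    """True negative rate: share of regular traffic left alone."""
    return c["TN"] / (c["TN"] + c["FP"])


def roc_curve(events) -> List[Tuple[float, float]]:
    """(FPR, TPR) points, one per distinct score, from (0,0) to (1,1)."""
    points = [(0.0, 0.0)]
    for t in sorted({s for s, _ in events}, reverse=True):
        c = confusion(events, t)
        points.append((1.0 - specificity(c), sensitivity(c)))
    return points


def auc(points) -> float:
    """Area under the ROC curve by the trapezoid rule."""
    area = 0.0
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        area += (x1 - x0) * (y0 + y1) / 2.0
    return area


def threshold_for_min_sensitivity(events, min_tpr: float) -> Tuple[float, float]:
    """Highest alert threshold that still catches at least min_tpr of the
    attacks, together with the specificity that threshold leaves."""
    for t in sorted({s for s, _ in events}, reverse=True):
        c = confusion(events, t)
        if sensitivity(c) >= min_tpr:
            return t, specificity(c)
    raise ValueError("no threshold reaches the requested sensitivity")


if __name__ == "__main__":
    c = confusion(SCORED_EVENTS, 0.5)
    print(c, "sensitivity", sensitivity(c), "specificity", specificity(c))
    pts = roc_curve(SCORED_EVENTS)
    print("ROC points", pts, "AUC", round(auc(pts), 3))
    print("threshold for 100% sensitivity:", threshold_for_min_sensitivity(SCORED_EVENTS, 1.0))
```

Sensitivity is the fraction of real intrusions that raise an alert and specificity the fraction of regular events left alone; lowering the threshold buys the first at the cost of the second, and the ROC curve is that trade-off drawn out over every threshold. On this data the threshold 0.5 gives 0.8 for both, the area under the curve is 0.92 (equal to the probability that a random attack outscores a random regular event), and demanding that every attack be caught forces the threshold down to 0.40, where one in five regular events is still flagged.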

Page 24: Comparison with traditional systems

• Paradigm shift: predict, prevent, prepare - goes ahead of hackers.
• Better accuracy, better performance.
• Automatic learning, continual improvement process.
• Lightweight maintenance. Removes repetitive work.
• Significantly better in handling new threats (zero day).
• Multilayer / multilevel, assures holistic approach.
• Detects: wide spectrum of threats and attacks: intrusions, data leak, malware, fraud and other malfunctions.

Figure: cycle of Predict, Prevent, Prepare, Detect, React

Page 25: One more thing:

• While the role of ML and AI in cybersecurity is certainly in the early stages and still needs to evolve, hackers will quickly learn to turn machine learning into a distinct advantage
  => AI & ML can be misused as new threat attack vector

Page 26: DEMO

Page 27: THANK YOU, QUESTIONS

Contact:

Dragan Pleskonjic, INPRESEC Initiator and Founder

§ E-mail: [email protected] [email protected]
§ Twitter: @DPleskonjic
§ Personal website: www.dragan-pleskonjic.com
§ LinkedIn profile: https://www.linkedin.com/in/draganpleskonjic/