Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
Copyright©2015- 2017DraganPleskonjic,INPRESEC.Allrightsreserved.Confidential.
PARADIGMSHIFTININFORMATIONSECURITYANDPRIVACYWITHARTIFICIALINTELLIGENCEANDMACHINELEARNING
P r e d i c t – P r e p a r e – P r e v e n t – D e t e c t
DraganPleskonjic
1
Copyright©2015- 2017DraganPleskonjic,INPRESEC.Allrightsreserved.Confidential.
INPRESECINITIATOR /FOUNDER• Richexperienceincreatingandmanagingstart-ups,new
businessesdevelopment
• Leadingmanagementpositionsininternationalcorporations
• Expertiseininformationsecurity,computersoftwareandnetworksindustry
• Prolificacademiccareer: AdjunctProfessorship,authorshipofbooks,scientificpapersandjournals’articles
• Scientificandsecurityleader,researcher,advisor,architect
• InventorwithasetofU.S.patentsgrantedandseveralpatentapplicationspending (USPTO,CIPO,EPO,WIPO)
• Entrepreneur,leader,motivator,visionary
DraganPleskonjic
2
Copyright©2015- 2017DraganPleskonjic,INPRESEC.Allrightsreserved.Confidential.
• Informationsecurityiscomplicated,andhardtogetright.I'manexpertinthefield,andit'shardforme.It'shardforthedirectoroftheCIA.Andit'shardforyou.
— BruceSchneier,calleda"securityguru"byTheEconomist
• Machinelearningplaysapartineverystageofyourlife.
PedroDomingos,Professorandauthorofbook:— „TheMasterAlgorithm:HowtheQuestfortheUltimateLearning
MachineWillRemakeOurWorld“
• Confidentiality,Integrity,Availability(CIA)+authenticity,accountability,non-repudiation,reliability
• DAD - Disclosure,AlterationDestruction
3
InformationSecurity
Confidiality
Integrity Availability
Copyright©2015- 2017DraganPleskonjic,INPRESEC.Allrightsreserved.Confidential.
SQLInjectiononcarlicenseplates
4
Copyright©2015- 2017DraganPleskonjic,INPRESEC.Allrightsreserved.Confidential.5
The Cyber Threat Landscape
Threats
AttackMethodology
Attackers
Methodologies used to attack a target and potential tools/techniques that can
be used to conduct the attack
Types of threats
Recon
Attack
Exploit
Social Engineering
Tools and techniques
ScannersSniffersPacket Crafters
Exploit VulnerabilitiesCompromise ApplicationsCrack Passwords
ConfidentialityIntegrityAvailability
Via TechnologyVia Human
Rootkit
NessusWeb Attacks
Trojan Horse
Botnets
Physical Threat Worms
Zombies
Metasploit
Viruses
Social Networks
SQL Attack
Phishing
Backdoors
PharmingSpear Phishing
Wireless
Mobile
Cross-Site Scripting
Distributed Denial of Service
Cain and Abel
Wireshark
Spam
Buffer Overflow
Database Attacks
Defensive Mountain Range
Different ways to protect our systems
Targeted Capabilities
Systems and Information to protect
Advanced Persistent Threat (APT)
Cyber Warfare
Digital Spying
ChinaRussia
Espionage
Phishing
Organized CrimeNigerian
Scams
Russian Business Network
Custom Bank Attacks
Disgruntled
InsidersFinancially Motivated Unintentional
Hacktivism
Script Kiddies
Political Cultural
Religious
National PrideTerrorist
Social Hacking
Group Membership
Challenge Status
Curiosity
Entertainment
Defense-In-Depth ToolsEncryptionIntrusion Prevention SystemFirewallsAnti-VirusMetrics
Security Operations CenterIncident Response TeamVulnerability AssessmentsPenetration TestsLog CorrelationForensics
Configuration ManagementPatchingPoliciesAccess Control
Identity ManagementAuthenticateAuthorizeAudit / Compliance
Risk ManagementSituational AwarenessDisaster RecoveryContinuity of OperationsDue Care / Diligence
Key Education TechniquesTrainingApplied GuidanceCampaigns
Critical Infrastructure
Production Sites
Headquarters
DCA Development Hubs
E-Mail Organization
Manufacturing
Corporate
Trade Secret Proprietary
Finance
Proposals
Policies
Personal
Credit Card
Bank
Credit Health
PII
Social Networks
Spending Habits
Information Technology
Windows
VoIP
Cloud
Applications
Configuration
Web PagesArchitecture
Copyright©2015- 2017DraganPleskonjic,INPRESEC.Allrightsreserved.Confidential.
• Numberofsecuritybreachesisrapidlyincreasing• Organizationsarenotabletocopewithallofthreats,
attacksandrisksanymore:– significantamountofmanualwork– lackoffocusandconcentrationleadingtoerrors– lackofskilledprofessionalsandtools– increasingcost
• Thereisnotruepredictiveapproachonthemarket!• Latedetection- costsofbreachareskyrocketing!
TheProblem
6
Copyright©2015- 2017DraganPleskonjic,INPRESEC.Allrightsreserved.Confidential.7
ShifttheParadigmandDefenseinDepth
Copyright©2015- 2017DraganPleskonjic,INPRESEC.Allrightsreserved.Confidential.
OurApproach• INPRESEC’s
INTELLIGENT PREDICTIVE SECURITY
• CHALLENGES WE ARE ADDRESSING
ClassificationPrediction
8
Σ
ArtificialIntelligenceMachineLearning
PredictiveAnalyticsBigData
ThreatIntelligenceBETTER INFORMATION SECURITY
Copyright©2015- 2017DraganPleskonjic,INPRESEC.Allrightsreserved.Confidential.
• Supervised• Unsupervised• ReinforcementLearning
• PrincipalComponentAnalysis(PCA)
9
MachineLearning
Source:http://drewconway.com/zia/2013/3/26/the-data-science-venn-diagram
Copyright©2015- 2017DraganPleskonjic,INPRESEC.Allrightsreserved.Confidential.10
Copyright©2015- 2017DraganPleskonjic,INPRESEC.Allrightsreserved.Confidential.
• Keras:ThePythonDeepLearninglibrary– TensorFlow - Anopen-sourcesoftwarelibraryforMachineIntelligence– Theano - Pythonlibrarythatallowsyoutodefine,optimize,andevaluatemathematical
expressionsinvolvingmulti-dimensionalarraysefficiently.• scikit-learn - MachineLearninginPython• Matlab - StatisticsandMachineLearningToolbox• Weka- Collectionofmachinelearningalgorithmsfordataminingtasks.• NeuroSolutions - NeuralNetworkSoftware• ApacheMahout™- Scalablemachinelearninganddatamining• Appache Spark™MachineLearningLibrary(MLlib) - scalablemachinelearninglibrary
consistingofcommonlearningalgorithmsandutilities,includingclassification,regression,clustering,collaborativefiltering,dimensionalityreduction,aswellasunderlyingoptimizationprimitives
• …
MachineLearningTools
11
Copyright©2015- 2017DraganPleskonjic,INPRESEC.Allrightsreserved.Confidential.
• ClassificationofeventsALLOWED/NOT ALLOWED
Actionbasedontheresult
• CommonPlatform&modulesfor:– Intrusion– DataLeak– Fraud– Malware– Malfunction– …
• Prediction
• Solutioncomponents:SENSOR,AGENT,SERVER,ADMIN,TRAINER,PREDICTION MODULE
• Deployment:– Servicemodel:Securityas
anINPRESEChostedandmanagedservice
– Productmodel:hostedbyclient,servicedbyus
12
OurSolution
Copyright©2015- 2017DraganPleskonjic,INPRESEC.Allrightsreserved.Confidential.
KeyINPRESECSolutionElements
13
INPRESECAGENT• Software installedonacomputer(server,desktop,laptop),
mobiledevice(smartphone,tabletetc.)ornetworkdevices(routers,firewalls,etc.),classificationbasedonML– hostbasedsystem
INPRESECSERVER• Software- integratesfunctionsofsensors&agents• CollectsdatafromSensors&Agents,analysis,
classifying,learning&correlationandactions,basedonML
• CanbelinkedtoSOC/CERTcentersortoothersecurityelements(AV,DLP,SIEM,...)
INPRESECADMIN
• Dashboard,ConfigurationConsole,Management,Monitoring&ReportingTools.
• Sendsalertsorotherinfothroughvariouscommunicationmeans
INPRESECTRAINER• Software – trainingsystembasedonML
INPRESECPREDICTION MODULE
• Software – datafeedwithprobabilitiesofsecurityeventsinfuture,
• Predictionbasedonvariousdatasources,ThreatIntelligence(TI),predictiveanalyticsandML
INPRESECSENSOR• Software,canbeapplianceanalysesnetworktraffic&
possiblesecurityviolations,classificationbasedonMachineLearning(ML)- network-basedsystem
Copyright©2015- 2017DraganPleskonjic,INPRESEC.Allrightsreserved.Confidential.
SENSOR,AGENT,SERVER,ADMIN,TRAINER,PREDICTION MODULE
• Software,canbeapplianceanalysesnetworktraffic&possiblesecurityviolations,classificationbasedonMachineLearning(ML)-network-basedsystem
14
SolutionComponents- Sensor
Copyright©2015- 2017DraganPleskonjic,INPRESEC.Allrightsreserved.Confidential.
SENSOR,AGENT,TRAINERSERVER,ADMIN,TRAINER,PREDICTION MODULE
• Software installedonacomputer(server,desktop,laptop),mobiledevice(smartphone,tabletetc.)ornetworkdevices(routers,firewalls,etc.),classificationbasedonML–hostbasedsystem
15
SolutionComponents- Agent
Copyright©2015- 2017DraganPleskonjic,INPRESEC.Allrightsreserved.Confidential.
SENSOR,AGENT,TRAINER
SERVER,ADMIN,TRAINER,PREDICTION MODULE
• Software- integratesfunctionsofsensors&agents– CollectsdatafromSensors&Agents,analysis,
classifying,learning&correlationandactions,basedonML
– CanbelinkedtoSOC/CERTcentersortoothersecurityelements(AV,DLP,SIEM,...)
16
SolutionComponents– ServerandAdmin
SENSOR,AGENT,
SERVER,ADMIN,TRAINER,PREDICTION MODULE
• Software- Dashboard,ConfigurationConsole,Management,Monitoring&ReportingTools.– Sendsalertsorotherinfothroughvarious
communicationmeans
Copyright©2015- 2017DraganPleskonjic,INPRESEC.Allrightsreserved.Confidential.
SENSOR,AGENT,SERVER,ADMIN,TRAINER,PREDICTION MODULE
• Software – trainingsystembasedonML– Uses“securityanalystintheloop”annotationsas
additionalinputtodatasets– Createsnewmodelsbasedoninputsfromlivesystem
andannotatedvectors– Whennewmodelwithbetteraccuracyiscreated,
postsittoserverfordownloadbysensorsandagents– Bymachinelearning,systemprovidescontinual
improvementadaptingtovarietyofthreats,attacks,aswellasspecificrequirementsthatcustomersmayhave.
17
SolutionComponents– TrainerandPredictionModule
SENSOR,AGENT,SERVER,ADMIN,TRAINER,PREDICTION MODULE
• Software – datafeedwithprobabilitiesofsecurityeventsinfuture,– Predictionbasedonvariousdatasources,Threat
Intelligence(TI),predictiveanalyticsandML– Usingvariousparametersand inputdatafromsetof
internalandexternal sources,itanalysesthemand,throughsetof ourproprietaryalgorithms,givesprobabilities ofpossiblethreatsandattacks.
– Thesedatawill belaterdistributedasinputtooursystemand helptosetalertlevels,thresholds,prevention measuresetc.
Copyright©2015- 2017DraganPleskonjic,INPRESEC.Allrightsreserved.Confidential.
PossibleNetworkLayout
18
Copyright©2015- 2017DraganPleskonjic,INPRESEC.Allrightsreserved.Confidential.
• „Securityanalystintheloop“concept– Supervisedlearning– solution becomesmoreandmorecleverduringtimeandrequiresless
humanintervention
• Decreasegreyareaduringtime,eventuallytoreachA = B• Teamfocusesandmoreinnovativeandinterestingwork
MachineLearning->IncreasedEfficiency
19
Copyright©2015- 2017DraganPleskonjic,INPRESEC.Allrightsreserved.Confidential.
• VariousIDS/IPSdatasetsandtestvectorsavailableonInternet
• Createdbyusfrom:– Testingenvironments– Realenvironments
• Createdbyus– datasetgenerationscripts:– “clean”onesi.e.regular,nointrusionsorotherissues– Withanomalies,attack,intrusions,dataleaks,malwareandsimilarmalfunctions
Datasets– howtoobtain/create
20
Copyright©2015- 2017DraganPleskonjic,INPRESEC.Allrightsreserved.Confidential.
Labeleddatasetexample(redacted)
21
Copyright©2015- 2017DraganPleskonjic,INPRESEC.Allrightsreserved.Confidential.
SensitivityandSpecificity
22
Copyright©2015- 2017DraganPleskonjic,INPRESEC.Allrightsreserved.Confidential.
ReceiverOperatingCharacteristic(ROC)curve
23
Copyright©2015- 2017DraganPleskonjic,INPRESEC.Allrightsreserved.Confidential.24
Comparisonwithtraditionalsystems• Paradigmshift: predicts,prevent,prepare- goesaheadofhackers.
• Betteraccuracy,betterperformances.
• Automaticlearning, continualimprovementprocess.
• Lightweightmaintenance.Removesrepetitivework.
• Significantlybetterinhandlingnewthreats(zeroday).
• Multilayer/ multilevel,assuresholisticapproach.• Detects:widespectraofthreatsandattacksintrusions,dataleak,malware,fraudand
othermalfunctions.
Predict
PreventPrepare
Detect
React
Copyright©2015- 2017DraganPleskonjic,INPRESEC.Allrightsreserved.Confidential.
Onemorething:
• WhiletheroleofMLandAIincybersecurityiscertainlyintheearlystagesandstillneedstoevolve,hackerswillquicklylearntoturnmachinelearningintoadistinctadvantage
=>AI&MLcanbemisusedasnewthreatattackvector
25
Copyright©2015- 2017DraganPleskonjic,INPRESEC.Allrightsreserved.Confidential.
DEMO
26
Copyright©2015- 2017DraganPleskonjic,INPRESEC.Allrightsreserved.Confidential.
THANKYOU,QUESTIONS
Contact:
DraganPleskonjic,INPRESECInitiatorandFounder
§ E-mail:[email protected] [email protected]§ Twitter:@DPleskonjic§ Personalwebsite:www.dragan-pleskonjic.com§ LinkedInprofile:https://www.linkedin.com/in/draganpleskonjic/
27