INTELLIGENT USE OF INTELLIGENCE
DESIGN TO DISCOVER
CanSecWest 2014
Ping Yan : @pingpingya
Thibault Reuille : @ThibaultReuille
Monday, March 17, 14
PING @pingpingya
Data Mining, Machine Learning
InfoSec
THIBAULT
Parisian, moved to Cali in 2010
Security and Visualization?
Demoscene rocks!
AGENDA
01100100011000010111010001100001 (ASCII for "data")
Big Data
Intelligence
Use cases - Cryptolocker
Conclusion
THE HAYSTACK PROBLEM
Continuous monitoring of everything? Yeah, sure …
data != intelligence
EXPLORATION PROCESS
seed -> Raw -> Refined -> Intelligence
4-D APPROACH TO DATA
TIME: spiked in the past hour?
SPACE: clustered by geo?
TRANSACTIONS/NETWORK: Alice talked to Bob?
Hunches
OPENDNS’S HAYSTACK
22+
3D view!
Security Graph 3D
FRAMEWORK
Data Extraction
Visualization Engine
PARTICLE PHYSICS
Force Directed Layout
PARTICLES
WHY?
Shape
- Algorithms populate our knowledge graph
- Creation is understood, output is complex
- Layout defined by model structure
- Closer to the “natural shape” of data
- Take advantage of the GPU to untangle information
Evolution
- Security Graph is dynamic, constantly changing
- Monitoring evolution over time
Investigation
- Humans are better at processing shapes than numbers
- Solid tool to build hypotheses / heuristics
NATURAL CLUSTERING
Graph of malicious domains hosting Nuclear exploit kits (pink) and their hosting IPs (yellow)
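The "natural clustering" the slides show comes from the layout itself: edges pull a domain toward the IPs it is hosted on, every node repels every other node, and unrelated hosting groups drift apart on their own. The following Python is an added example, not OpenDNS code and not the GPU particle engine from the talk: it builds a small, constructed domain-to-IP graph (all names and addresses are made up, on documentation ranges) and runs a plain CPU Fruchterman-Reingold loop, then measures that nodes sharing hosting end up much closer than nodes that do not.

```python
"""Force-directed layout of a domain -> hosting-IP graph (added example).

Constructed data: two groups of domains and the IPs they resolve to.
The layout is a minimal Fruchterman-Reingold loop; nothing here is
OpenDNS code or the Security Graph engine from the talk.
"""
import math
import random
from collections import defaultdict

# Constructed sample: (domain, hosting IP) resolution pairs. Group A shares
# two IPs between three domains; group B is an unrelated pair on its own IP.
EDGES = [
    ("bad-a.example", "198.51.100.10"),
    ("bad-a.example", "198.51.100.11"),
    ("bad-b.example", "198.51.100.10"),
    ("bad-b.example", "198.51.100.11"),
    ("bad-c.example", "198.51.100.11"),
    ("shop.example", "203.0.113.5"),
    ("news.example", "203.0.113.5"),
]


def connected_components(edges):
    """Return a list of node sets, one per connected component of the graph."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    seen, comps = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n in comp:
                continue
            comp.add(n)
            stack.extend(adj[n] - comp)
        seen |= comp
        comps.append(comp)
    return comps


def _push(disp, n, dx, dy, d, f):
    """Add a force of magnitude f along the unit vector (dx, dy) / d."""
    disp[n][0] += dx / d * f
    disp[n][1] += dy / d * f


def force_directed_layout(edges, iterations=200, seed=1):
    """Fruchterman-Reingold: edges attract (d^2/k), every pair repels (k^2/d).

    Positions start at seeded random points in the unit square, so the
    result is deterministic for a given seed.
    """
    nodes = sorted({n for e in edges for n in e})
    rng = random.Random(seed)
    pos = {n: [rng.random(), rng.random()] for n in nodes}
    k = math.sqrt(1.0 / len(nodes))   # ideal edge length for unit area
    temp = 0.1                        # max displacement per iteration
    cooling = temp / iterations
    for _ in range(iterations):
        disp = {n: [0.0, 0.0] for n in nodes}
        # Repulsion between all pairs: this pushes unrelated clusters apart.
        for i, a in enumerate(nodes):
            for b in nodes[i + 1:]:
                dx, dy = pos[a][0] - pos[b][0], pos[a][1] - pos[b][1]
                d = max(math.hypot(dx, dy), 1e-9)
                f = k * k / d
                _push(disp, a, dx, dy, d, f)
                _push(disp, b, -dx, -dy, d, f)
        # Attraction along edges: this keeps a hosting cluster together.
        for a, b in edges:
            dx, dy = pos[a][0] - pos[b][0], pos[a][1] - pos[b][1]
            d = max(math.hypot(dx, dy), 1e-9)
            f = d * d / k
            _push(disp, a, -dx, -dy, d, f)
            _push(disp, b, dx, dy, d, f)
        # Move each node, capping the step at the current temperature.
        for n in nodes:
            dx, dy = disp[n]
            d = max(math.hypot(dx, dy), 1e-9)
            step = min(d, temp)
            pos[n][0] += dx / d * step
            pos[n][1] += dy / d * step
        temp = max(temp - cooling, 1e-3)
    return pos


def cluster_separation(pos, comps):
    """Mean distance between nodes of the same component vs. different ones."""
    label = {n: i for i, c in enumerate(comps) for n in c}
    nodes = list(pos)
    intra, inter = [], []
    for i, a in enumerate(nodes):
        for b in nodes[i + 1:]:
            d = math.dist(pos[a], pos[b])
            (intra if label[a] == label[b] else inter).append(d)
    return sum(intra) / len(intra), sum(inter) / len(inter)


if __name__ == "__main__":
    comps = connected_components(EDGES)
    layout = force_directed_layout(EDGES)
    print("components:", [sorted(c) for c in comps])
    print("mean intra / inter distance:", cluster_separation(layout, comps))
```

The interesting point for an analyst is that no clustering algorithm runs here: the two hosting groups separate purely because attraction only exists along resolution edges while repulsion is universal, which is why a shared hosting IP shows up as a visible knot in the rendered graph.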
USE CASE #2 : CRYPTOLOCKER
1. Infection
2. Retrieve encryption key from CnC
3. Encrypt data files
4. Collect money
IP CnC fails quickly
DGA!
CO-OCCURRENCES
ALGORITHM
Ripple Effect on Co-occurrences
USE CASE #3
Random Walk Live Demo
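The slides name co-occurrences, a ripple effect over them, and a seed -> Raw -> Refined -> Intelligence exploration loop, but do not spell out the computation. The following Python is an added example of one way to implement that loop and is not the algorithm from the talk: co-occurrence is taken here to mean two domains queried by the same client within a short window, refinement drops domains seen from many clients (a stand-in for a whitelist, so that background traffic cannot bridge unrelated activity), and the ripple scores domains by hop distance from a seed with a decay per hop. The window, the popularity cut-off, the decay rule and all log lines are constructed assumptions.

```python
"""Co-occurrence graph from DNS query logs plus a seed-driven ripple
expansion (added example).

Co-occurrence is taken here as "two domains queried by the same client
within WINDOW seconds". That definition, the popularity cut-off and the
decay rule are assumptions for this example, not the slides' algorithm.
"""
from collections import defaultdict
from itertools import combinations

WINDOW = 60      # seconds; assumed co-occurrence window
POPULAR = 5      # domains seen from this many clients count as background
DECAY = 0.5      # score multiplier per extra hop away from the seed

# Constructed log lines: "<epoch seconds> <client> <queried domain>"
LOG = """\
1394000000 10.0.0.1 seed.example
1394000010 10.0.0.1 a.example
1394000020 10.0.0.1 popular-cdn.example
1394000005 10.0.0.2 seed.example
1394000030 10.0.0.2 a.example
1394000040 10.0.0.2 b.example
1394000050 10.0.0.2 popular-cdn.example
1394000100 10.0.0.3 popular-cdn.example
1394000110 10.0.0.3 news.example
1394000500 10.0.0.4 b.example
1394000520 10.0.0.4 c.example
1394001000 10.0.0.5 seed.example
1394003000 10.0.0.5 news.example
1394004000 10.0.0.6 popular-cdn.example
1394005000 10.0.0.7 popular-cdn.example
"""


def parse_log(text):
    """Group (timestamp, domain) queries by client, sorted by time."""
    per_client = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, domain = line.split()
        per_client[client].append((int(ts), domain))
    for queries in per_client.values():
        queries.sort()
    return per_client


def cooccurrence_graph(per_client, window=WINDOW):
    """Raw graph: edge weight = number of distinct clients that queried
    both domains within `window` seconds of each other."""
    pair_clients = defaultdict(set)
    for client, queries in per_client.items():
        for (t1, d1), (t2, d2) in combinations(queries, 2):
            if d1 != d2 and abs(t2 - t1) <= window:
                pair_clients[frozenset((d1, d2))].add(client)
    graph = defaultdict(dict)
    for pair, clients in pair_clients.items():
        a, b = sorted(pair)
        graph[a][b] = graph[b][a] = len(clients)
    return graph


def refine(graph, per_client, popular=POPULAR):
    """Refined graph: remove background domains queried by many clients."""
    seen_by = defaultdict(set)
    for client, queries in per_client.items():
        for _, domain in queries:
            seen_by[domain].add(client)
    noisy = {d for d, clients in seen_by.items() if len(clients) >= popular}
    return {a: {b: w for b, w in nbrs.items() if b not in noisy}
            for a, nbrs in graph.items() if a not in noisy}


def ripple(graph, seed, hops=2, decay=DECAY):
    """Score domains by proximity to the seed. Direct co-occurrences keep
    their edge weight; each further hop multiplies by `decay` and keeps the
    strongest path found. The seed itself is not returned."""
    scores = {seed: 1.0}
    frontier = {seed}
    for hop in range(hops):
        nxt = {}
        for node in frontier:
            for nbr, w in graph.get(node, {}).items():
                if nbr in scores:
                    continue
                s = (decay ** hop) * scores[node] * w
                nxt[nbr] = max(nxt.get(nbr, 0.0), s)
        scores.update(nxt)
        frontier = set(nxt)
    scores.pop(seed)
    return scores


def investigate(text, seed):
    """seed -> raw -> refined -> ranked related domains, highest score first."""
    per_client = parse_log(text)
    refined = refine(cooccurrence_graph(per_client), per_client)
    return sorted(ripple(refined, seed).items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    for domain, score in investigate(LOG, "seed.example"):
        print(f"{score:4.1f}  {domain}")
```

Without the refinement step, popular-cdn.example would connect seed.example to news.example and pull unrelated traffic into the result; with it, the ripple from the seed reaches a.example and b.example directly and c.example one hop further at half weight, which is the shape of "refined" output an analyst can then judge.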
FUTURE WORK
Over-Time: Visualizing data evolution over time (currently in development)
Scaling: Port Force-Directed algorithm to OpenCL
Detection: Threat pattern detection (find sub-graph inside Security Graph). Example: DGA “nests”
Modern Human-Computer interaction: Leap Motion, Oculus, 3D glasses ...
@pingpingya
@ThibaultReuille
thibaultreuille.tumblr.com
Blog: http://labs.umbrella.com