Page 1
InfoSec Deep Learning in Action
Satnam Singh, PhD, Chief Data Scientist, Acalvio Technologies
Nullcon 2020
Page 2
It is all about Money !!
Verizon Data Breach Report - 2019
CrowdStrike Global Threat Report 2020
Page 3
ATT&CK Heatmap by OverWatch- CrowdStrike
attack.mitre.org
Page 4
TTPs Used by Adversaries in 2019- CrowdStrike
Page 5
atomicredteam.io
Page 6
car.mitre.org
Page 7
Enterprise Network (diagram labels: SOC segment, Engineering, Internet, SOC, Ops Segment, Sales, Operations, Cloud)
Information Security Problem
1. Network Security
2. Endpoint Security
3. Application Security
4. Data Security
5. Cloud Security
6. Web Security
7. Mobile Security
8. IoT Security
9. Transaction Security
10. Messaging Security
Page 8
Basic Security Controls
• Boundary firewalls and internet gateways
• Malware protection
• Patch management
• Whitelisting and execution control
• Secure configuration
• Password policy
• User access control
• Incident management
Page 9
Security Data Science
Page 10
Security Data Sources: Network Logs
Network Logs
• Firewall
• IDS/IPS
• Network flow
• DNS
• Wi-Fi
Use Cases
1. Unusual Volume of Network Activity
2. Substantial Increase in an Event/Port Activity
Easily into a few TBs of data per day
Data Sources: http://www.netresec.com/?page=PcapFiles http://www.unb.ca/cic/datasets/ids.html
Page 11
Endpoint Logs and Use Cases
Endpoint Logs
• File System Changes
• Applications
• Process
• OS
• Antivirus Alerts
Use Cases
1. Anomalous New Listening Ports/Services/Processes
2. Host with Excessive No. of Listening Ports/Services/Processes
Page 12
Authentication Logs and Use Cases
Authentication Logs: Windows Events, Active Directory, User Logs, Privilege User
Use Cases
1. Excessive Failed Logins - Brute Force Attack
2. Default Account Usage
Page 13
400+ Use Cases: Splunk Security Essentials App
Page 14
Data Processing Pipeline
Page 15
Simplified Pipeline- Step 1: Log Processing
Ref: Splunk
Page 16
Step 2: Compute Statistics
Ref: Splunk
Page 17
Step 3: Anomaly Detection
Figure: anomaly detection against baselines (diagram labels: a1, a2, Baseline1, Baseline2, Anomaly1, Anomaly2, Anomaly3, Anomaly)
Ref: Splunk
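The three pipeline steps above (log processing, compute statistics, anomaly detection) applied to the "Excessive Failed Logins - Brute Force Attack" use case from the authentication-logs slide, as an added example that is not part of the deck or of Splunk's material. The log lines are constructed in a simplified sshd-style format (the regex would need adjusting for a real source), windows are 10 minutes, and the baseline is a median/MAD robust z-score; the 3.5 threshold and the MAD-is-zero fallback are assumptions of this example.

```python
import re
import statistics
from collections import Counter
from datetime import datetime, timedelta

# Step 1: log processing. Simplified sshd-style line format constructed for
# this example; a real deployment would carry one regex per log source.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>[\d.]+)$"
)


def parse_line(line):
    """Return a dict with ts/host/outcome/user/src, or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


# Step 2: compute statistics. Failed logins per (source IP, 10-minute window).
def failed_counts(events, window_minutes=10):
    counts = Counter()
    for e in events:
        if e["outcome"] != "Failed":
            continue
        ts = e["ts"]
        window = ts.replace(minute=ts.minute - ts.minute % window_minutes,
                            second=0, microsecond=0)
        counts[(e["src"], window)] += 1
    return counts


# Step 3: anomaly detection. Baseline = median of all window counts, spread = MAD.
def robust_zscores(counts):
    values = list(counts.values())
    median = statistics.median(values)
    mad = statistics.median(abs(v - median) for v in values)
    # 1.4826 * MAD estimates the standard deviation of normally distributed data.
    # Assumption: if every window has the same count (MAD == 0), use raw deviation.
    scale = 1.4826 * mad if mad > 0 else 1.0
    return {key: (v - median) / scale for key, v in counts.items()}


def detect_brute_force(lines, threshold=3.5):
    """Run all three steps over raw log lines; return flagged windows, highest score first."""
    events = [e for e in map(parse_line, lines) if e is not None]
    counts = failed_counts(events)
    scores = robust_zscores(counts)
    flagged = [
        {"src": src, "window": window, "failed": counts[(src, window)], "z": round(z, 2)}
        for (src, window), z in scores.items() if z > threshold
    ]
    return sorted(flagged, key=lambda f: f["z"], reverse=True)


def make_sample_log():
    """Constructed log: 12 windows of normal activity from two internal hosts
    (one to three failures each, then a success), plus one burst of 60 failures
    against 'root' from a single external address in the last window."""
    base = datetime(2020, 3, 5, 9, 0, 0)
    lines, pid = [], 1000
    for w in range(12):
        start = base + timedelta(minutes=10 * w)
        for src, n_fail in (("10.0.0.5", w % 3 + 1), ("10.0.0.7", w % 2 + 1)):
            for i in range(n_fail):
                pid += 1
                ts = (start + timedelta(seconds=i)).isoformat()
                lines.append(f"{ts} bastion sshd[{pid}]: Failed password for alice from {src}")
            pid += 1
            ts = (start + timedelta(seconds=30)).isoformat()
            lines.append(f"{ts} bastion sshd[{pid}]: Accepted password for alice from {src}")
    burst = base + timedelta(minutes=110)
    for i in range(60):
        pid += 1
        ts = (burst + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} bastion sshd[{pid}]: Failed password for root from 203.0.113.9")
    return lines


if __name__ == "__main__":
    for hit in detect_brute_force(make_sample_log()):
        print(hit)
```

Only the external address in the 10:50 window is flagged: its 60 failures sit about 39 robust standard deviations above the median of 2, while the noisiest normal window (3 failures) scores below 1. Using median and MAD rather than mean and standard deviation matters here, because the burst itself would otherwise inflate the baseline it is being compared against.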
Page 18
Deep Learning
Page 19
playground.tensorflow.org
InfoSec DL Use Cases
Page 23
Use Cases
Network Security
1. Network intrusion detection (scanning, spoofing, etc.)
2. Application attack detection (OWASP-Top 10 attacks)
3. Phishing attack malicious URL detection
Endpoint Security
1. Malware detection and classification
2. Spyware, Ransomware detection
User Security
1. User behaviour analytics
2. Detection of suspicious sign-in activities, brute force attacks and infected devices
Page 24
Example 1: Cisco Encrypted Traffic Analysis
TK Keanini, “Machine Learning: The What and Why of AI,” RSA Conf’19
Page 25
Example 2: Malware Detection
Joshua Saxe, Sophos, “Deep Neural Networks for Hackers: Methods, Applications, and Open Source Tools,” BlackHat Conf’18
Page 26
Case Study 1: Tor Traffic Detection
Page 27
Tor Network
Source: Distil Networks
Adversaries use Tor traffic for port scans, dark web purchases, extortion and data exfiltration
Page 28
Tor-nonTor Traffic - Dataset
Page 29
Tor-nonTor Traffic - Dataset

| Activity | Details |
|---|---|
| Browsing | HTTP, HTTPS traffic using Chrome and Firefox |
| Email | Mails delivered via SMTP/S and received via POP3/SSL and IMAP/SSL, Thunderbird client |
| Chat | Facebook, Hangout, ICQ and AIM chat activities |
| Audio-streaming | Spotify audio streaming |
| Video-streaming | YouTube and Vimeo services over Chrome and Firefox |
| File transfer | Skype file transfers, FTP over SSH, FTP over SSL traffic sessions |
| VoIP | Facebook, Hangout and Skype |
Page 30
Demo Using Tensorflow and Keras
Figure: Tor vs non-Tor classification (diagram labels: Tor Traffic, Classification, Unknown scripts, Feature f1, Feature f2, Non-Tor Traffic)
Page 31
Feed Forward Neural Network
Input and output are independent
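The feed-forward classifier sketched on the demo slide, written out in plain Python so the forward pass and the backpropagation step are visible rather than hidden behind Keras. This is an added example, not the deck's demo code: the flows are constructed (f1 and f2 stand in for two normalised flow-timing features, they are not drawn from the Tor-nonTor dataset), and the network size, learning rate and epoch count are assumptions. It illustrates the slide's point that each output depends only on the current input, with no state carried between samples.

```python
import math
import random


def make_flows(n_per_class=40, seed=1):
    """Constructed training data: (f1, f2, label) with label 1 = Tor, 0 = non-Tor.
    The two classes are drawn around different centres so the toy problem is learnable."""
    rng = random.Random(seed)
    flows = []
    for _ in range(n_per_class):
        flows.append((rng.gauss(0.25, 0.08), rng.gauss(0.30, 0.08), 0))
        flows.append((rng.gauss(0.70, 0.08), rng.gauss(0.75, 0.08), 1))
    rng.shuffle(flows)
    return flows


def sigmoid(z):
    z = max(-500.0, min(500.0, z))  # guard against math.exp overflow
    return 1.0 / (1.0 + math.exp(-z))


class FeedForwardNet:
    """2 inputs -> `hidden` tanh units -> 1 sigmoid output (P(Tor))."""

    def __init__(self, hidden=4, seed=0):
        rng = random.Random(seed)
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(2)] for _ in range(hidden)]
        self.b1 = [0.0] * hidden
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(hidden)]
        self.b2 = 0.0

    def forward(self, x):
        # Forward pass depends on the current input only: no recurrence, no memory.
        h = [math.tanh(w[0] * x[0] + w[1] * x[1] + b) for w, b in zip(self.w1, self.b1)]
        p = sigmoid(sum(wj * hj for wj, hj in zip(self.w2, h)) + self.b2)
        return h, p

    def predict(self, x):
        return 1 if self.forward(x)[1] >= 0.5 else 0

    def train(self, flows, epochs=300, lr=0.5):
        """Per-sample SGD on binary cross-entropy. With a sigmoid output the
        gradient at the output pre-activation is simply (p - y)."""
        for _ in range(epochs):
            for f1, f2, y in flows:
                x = (f1, f2)
                h, p = self.forward(x)
                d_out = p - y
                for j, hj in enumerate(h):
                    # back through the output weight, then through tanh' = 1 - h^2
                    d_hidden = d_out * self.w2[j] * (1.0 - hj * hj)
                    self.w2[j] -= lr * d_out * hj
                    self.w1[j][0] -= lr * d_hidden * x[0]
                    self.w1[j][1] -= lr * d_hidden * x[1]
                    self.b1[j] -= lr * d_hidden
                self.b2 -= lr * d_out


def accuracy(model, flows):
    return sum(model.predict((f1, f2)) == y for f1, f2, y in flows) / len(flows)


def train_tor_classifier():
    """Train on the constructed flows and return (model, training accuracy)."""
    flows = make_flows()
    model = FeedForwardNet()
    model.train(flows)
    return model, accuracy(model, flows)


if __name__ == "__main__":
    model, acc = train_tor_classifier()
    print(f"training accuracy: {acc:.2f}")
    print("P(Tor) for a Tor-like flow:", round(model.forward((0.70, 0.75))[1], 3))
```

The same structure in Keras is `Dense(4, activation="tanh")` followed by `Dense(1, activation="sigmoid")` with `binary_crossentropy`; the hand-written loop exists only to show what the framework computes. On real flow features the two classes overlap far more than these constructed clusters, so training accuracy is not the number to report: hold out flows from sessions the model never saw.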
Page 32
Case Study 2: C&C Detection
Page 33
Command and Control Detection
C&C domain examples:
• DGA based: gvludcvhcrjwmgq.in, uqvwxfrhhwreddf.yt
• non DGA based: thisisyourchangeqq.com, homejobsinstitute.biz
Figure (diagram labels): Ransomware/Malware, Enterprise Network, Main DB, Webserver, C&C server, Data, Command, Attacker
Page 34
C&C Detection: Pipeline
Figure (pipeline labels): DNS data; Classify benign vs C&C domains using LSTM; Ranking of Malicious C&C domains; Update Models
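The front of the pipeline above, the step that turns a domain name into model input, as an added example that is not the deck's code. It shows the character-sequence encoding an Embedding + LSTM layer consumes, alongside two hand-crafted features (character entropy, vowel ratio) computed on the four C&C domains named on the previous slide. The character vocabulary, the padding length and the single-label public-suffix assumption in `second_level` are assumptions of this example.

```python
import math
from collections import Counter

# Character vocabulary for the sequence encoding; index 0 is reserved for padding.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-."
CHAR_INDEX = {c: i + 1 for i, c in enumerate(ALPHABET)}
UNKNOWN = len(ALPHABET) + 1


def encode_domain(domain, maxlen=40):
    """Fixed-length sequence of character ids, left-padded with 0: the tensor
    shape a Keras Embedding + LSTM stack takes as input, one row per domain."""
    ids = [CHAR_INDEX.get(c, UNKNOWN) for c in domain.lower()[-maxlen:]]
    return [0] * (maxlen - len(ids)) + ids


def second_level(domain):
    """Registrable label of the domain ('gvludcvhcrjwmgq' of 'gvludcvhcrjwmgq.in').
    Assumption: single-label public suffix; '.co.uk'-style suffixes need a suffix list."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def char_entropy(s):
    """Shannon entropy of the character distribution, in bits."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def vowel_ratio(s):
    letters = [c for c in s if c.isalpha()]
    return sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0


def features(domain):
    label = second_level(domain)
    return {"length": len(label),
            "entropy": char_entropy(label),
            "vowel_ratio": vowel_ratio(label)}


def rank_domains(domains, feature, descending=True):
    """Order domains from most to least DGA-like according to one hand-crafted feature."""
    return sorted(domains, key=lambda d: features(d)[feature], reverse=descending)


# The four C&C domains named on the Command and Control Detection slide.
SLIDE_DOMAINS = ["gvludcvhcrjwmgq.in", "uqvwxfrhhwreddf.yt",
                 "thisisyourchangeqq.com", "homejobsinstitute.biz"]
DGA = {"gvludcvhcrjwmgq.in", "uqvwxfrhhwreddf.yt"}


if __name__ == "__main__":
    for d in SLIDE_DOMAINS:
        f = features(d)
        print(f"{d:26s} len={f['length']:2d} entropy={f['entropy']:.2f} vowels={f['vowel_ratio']:.2f}")
    print("by entropy:    ", rank_domains(SLIDE_DOMAINS, "entropy"))
    print("by vowel ratio:", rank_domains(SLIDE_DOMAINS, "vowel_ratio", descending=False))
    print(encode_domain("gvludcvhcrjwmgq.in", maxlen=20))
```

Two things worth noticing on these four names. Entropy, the feature most people reach for first, ranks thisisyourchangeqq.com as the most random-looking because it is long and uses many distinct letters, so it does not separate the DGA pair from the non-DGA pair here; vowel ratio does. And no character feature at all will separate the non-DGA C&C domains from benign ones, since they are built from dictionary words, which is one reason the pipeline ranks domains on DNS data rather than on the name alone.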
Page 35
Recurrent Neural Network
Output is dependent on previous output
Page 36
RNN - Memory
Source: Colah’s blog
Page 37
RNN - Missing Long Term Memory
RNN has Vanishing Gradient Problem
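The vanishing-gradient claim worked through numerically on a one-unit RNN, as an added example that is not from the deck. With h_t = tanh(w*h_{t-1} + u*x_t), the chain rule gives dh_T/dh_0 as the product over t of w*(1 - h_t^2); every factor is at most |w| and usually well below it, so the product shrinks geometrically with sequence length. The weights, input and sequence length are assumptions chosen for illustration, and a finite-difference check confirms the analytic product.

```python
import math


def rnn_forward(w, u, xs, h0=0.0):
    """Scalar RNN h_t = tanh(w*h_{t-1} + u*x_t); returns [h_0, h_1, ..., h_T]."""
    hs = [h0]
    for x in xs:
        hs.append(math.tanh(w * hs[-1] + u * x))
    return hs


def gradient_trace(w, u, xs, h0=0.0):
    """Chain rule through the recurrence: dh_T/dh_0 = prod_{t=1..T} w*(1 - h_t^2).
    Returns the running product, i.e. dh_t/dh_0 for t = 1..T."""
    hs = rnn_forward(w, u, xs, h0)
    grad, trace = 1.0, []
    for h in hs[1:]:
        grad *= w * (1.0 - h * h)  # tanh'(z) = 1 - tanh(z)^2, evaluated at h_t
        trace.append(grad)
    return trace


def numeric_gradient(w, u, xs, h0=0.0, eps=1e-6):
    """Central finite difference of h_T with respect to h_0, to cross-check the product."""
    plus = rnn_forward(w, u, xs, h0 + eps)[-1]
    minus = rnn_forward(w, u, xs, h0 - eps)[-1]
    return (plus - minus) / (2 * eps)


def vanishing_demo(w=0.9, u=0.5, steps=50):
    """How much of a change at step 0 is still visible at step t, for a few t.
    Constant input 0.5 keeps the hidden state near 0.7, where tanh' is about 0.5."""
    trace = gradient_trace(w, u, [0.5] * steps)
    return {t: trace[t - 1] for t in (1, 5, 10, 20, steps)}


if __name__ == "__main__":
    for t, g in vanishing_demo().items():
        print(f"dh_{t}/dh_0 = {g:.3e}")
```

For a domain-name model this is the practical meaning of the slide: with a plain RNN, the characters at the start of a long name contribute almost nothing to the gradient that reaches the output, so the network cannot learn patterns that span the whole string. LSTM gates were introduced to keep that product from collapsing, which is why the pipeline on the earlier slide uses an LSTM rather than a vanilla RNN.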
Page 38
How are Adversaries using ML/DL?
Page 39
Adversarial ML Use-cases
• Discovery/Information gathering
  • By mining social data -> determine a group of people for phishing attack
  • Identify security controls, network flow rules
• Automated phishing
  • SNAP_R tool by John Seymour and Philip Tully
• Password Guessing
  • PassGAN by Briland Hitaj et al.
Page 40
MLsploit- Adversarial ML
GeorgiaTech & Intel https://mlsploit.github.io/
Page 41
Case study: Password Generation
Page 43
Prototype to Product
• How will the data be collected?
  • Data processing pipeline, data security in-transit
  • Access to a security data lake?
• Combining security knowledge with the deep learning model
  • What to combine? How to combine?
• DL Model Training, Storage and Orchestration
  • Logging and RESTful APIs
Page 44
Team !!