© 2011 Cisco Systems, Inc. All rights reserved.

Slide 1: Applications of Machine Learning in Cisco Web Security
Richard Wheeldon PhD BSc
Slide 2: Cisco Web Security (agenda)
- Cisco, Ironport and ScanSafe
- Request time filtering: categorization and classification; reputation
- Response time filtering: malware types and attack vectors; malware detection; dynamic classification
- Other challenges
Slide 3: The Ubiquitous Speaker Slide
- Richard Wheeldon: UCL graduate in 1999; PhD from Birkbeck in 2003; joined Cisco December
- Acknowledgements: Steve Poulson, Bryan Feeney
Slide 4: Cisco, Ironport and ScanSafe
- Cisco: world's leading network company
- Ironport: leader in anti-spam; provides Web Security Appliances
- ScanSafe: world leader in Security as a Service; scans 1.8 billion web requests a day and blocks 32 million of them
Slide 5: We're local
Slide 6: Previous MSc projects
- Tree Kernels for CFG similarity (Guangyan Song, 2010)
- Fast computation of the Kernel of a Tree and applications to Semi-Supervised Learning (Malcolm Reynolds, 2009)
- Comparing N-gram features for web page classification (Noureen Tejani, 2007)
Slide 7: We're hiring
- Positions: software developers; QA, operations, research; graduate recruitment
- Locations: ScanSafe UK (Bedfont Lakes, Reading, Staines, Edinburgh); Galway; EMEA, US, worldwide
Slide 8: ScanSafe's SaaS (the four measures the service is judged on)
1. Availability: time our service is available to scan traffic; % guaranteed availability
2. Latency: additional load time attributable to the service; evaluated by 3rd party analysis
3. False positives: pages that were blocked but should not have been
4. False negatives: pages that were not blocked but should have been
Slide 9: Risks of Unfiltered Content
- Software threats: malware, phishing, botnets
- Business threats: productivity loss, bandwidth congestion, legal liability, data leaks
Slide 10: The Web vs. Email

  Web                                  | Email
  -------------------------------------|-----------------------------------------
  Most web traffic is good             | Most is bad
  Easy to find safe sites              | Easy to get spam
  Harder to get dangerous URLs         | Harder to get examples of good mail
  Blocking web sites is visible        | Blocking is invisible
  Performance gain from white-listing  | Performance gain from blocking
  Very real-time (<2s)                 | Not real-time (
Slide 11: Request time filtering
- Motivation: quicker blocks save bandwidth and processing time; once the request is made, the damage may already be done
- Techniques: databases, reputation, rules, trained systems
Slide 12: Category-based filtering
- Responsible for most blocks
- High-risk and high-traffic sites are categorized by manual categorizers
- 10 million URLs cover 97% of traffic
- 2 million porn sites
Slide 13: Web Reputation
- Feeds: phishing sites; malware sites
- Heuristics: in spam but not in ham; age of domain registration; high traffic (e.g. Alexa 1000); scanned but never blocked
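To make the reputation idea concrete, here is an added example (not ScanSafe's or the WSA's code) that combines the feed hits and heuristics listed on this slide into a single score with a reason trail. The weights, the block/scan/allow thresholds, the `DomainEvidence` record and the sample domains are all constructed assumptions for illustration; the reference date is fixed so the run is reproducible offline.

```python
"""Toy web-reputation scorer: feeds plus heuristics -> score and verdict.
Added example with constructed weights and data; not a vendor's model."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

TODAY = date(2011, 6, 1)  # fixed reference date (assumption, keeps the run reproducible)


@dataclass
class DomainEvidence:
    """Everything the scorer knows about one domain (hypothetical record layout)."""
    domain: str
    in_phishing_feed: bool = False
    in_malware_feed: bool = False
    spam_hits: int = 0              # times seen in known spam
    ham_hits: int = 0               # times seen in known legitimate mail
    registered: Optional[date] = None
    traffic_rank: Optional[int] = None  # Alexa-style rank, 1 = most visited
    scans: int = 0                  # content scans performed at response time
    blocks: int = 0                 # how many of those scans found something


def reputation(ev: DomainEvidence, today: date = TODAY) -> Tuple[float, List[str]]:
    """Return a score in [-10, 10] (negative = bad) and the reasons behind it."""
    score, reasons = 0.0, []
    # Feeds are strong, curated evidence of badness.
    if ev.in_phishing_feed:
        score -= 6; reasons.append("listed in phishing feed")
    if ev.in_malware_feed:
        score -= 6; reasons.append("listed in malware feed")
    # Heuristic: in spam but never in ham.
    if ev.spam_hits and ev.ham_hits == 0:
        score -= 3; reasons.append(f"seen in {ev.spam_hits} spam messages, never in ham")
    elif ev.ham_hits > ev.spam_hits:
        score += 1; reasons.append("seen more in ham than in spam")
    # Heuristic: age of domain registration (very new domains are suspicious).
    if ev.registered is not None:
        age = (today - ev.registered).days
        if age < 30:
            score -= 3; reasons.append(f"registered only {age} days ago")
        elif age < 365:
            score -= 1; reasons.append(f"registered {age} days ago (under a year)")
        else:
            score += 1; reasons.append(f"registered {age} days ago")
    # Heuristic: high traffic, e.g. in the top 1000.
    if ev.traffic_rank is not None and ev.traffic_rank <= 1000:
        score += 3; reasons.append(f"traffic rank {ev.traffic_rank} (top 1000)")
    # Heuristic: scanned many times but never blocked; prior blocks count against it.
    if ev.scans >= 100 and ev.blocks == 0:
        score += 2; reasons.append(f"scanned {ev.scans} times, never blocked")
    elif ev.blocks > 0:
        score -= 4; reasons.append(f"content blocked {ev.blocks} times before")
    return max(-10.0, min(10.0, score)), reasons


def verdict(score: float) -> str:
    """Assumed policy thresholds: block outright, allow, or scan the response."""
    if score <= -5:
        return "block"
    if score >= 3:
        return "allow"
    return "scan"


# Constructed sample domains (reserved .example names, not real sites).
SAMPLES = [
    DomainEvidence("alpha.example", ham_hits=40, spam_hits=2,
                   registered=date(2004, 3, 1), traffic_rank=500, scans=5000),
    DomainEvidence("promo-lottery.example", spam_hits=25,
                   registered=date(2011, 5, 22)),
    DomainEvidence("cheap-meds.example", in_malware_feed=True,
                   registered=date(2011, 2, 1), scans=30, blocks=3),
    DomainEvidence("newshop.example", registered=date(2011, 3, 15), scans=50),
]


def evaluate_all() -> Dict[str, Tuple[float, str]]:
    """Score every sample domain; returns {domain: (score, verdict)}."""
    return {ev.domain: (reputation(ev)[0], verdict(reputation(ev)[0])) for ev in SAMPLES}


if __name__ == "__main__":
    for ev in SAMPLES:
        score, reasons = reputation(ev)
        print(f"{ev.domain:24} {score:+5.1f} {verdict(score):6} {'; '.join(reasons)}")
```

The point of the reason list is operational: when a customer disputes a block, an analyst can see which feed or heuristic drove the score, and a single noisy heuristic (a new but legitimate domain) only pushes a site into "scan", not "block".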
Slide 14: Web Reputation in the WSA (screenshot slide)
Slide 16: Keyword-based URL filtering
- Keyword rules: Fitness -> Health; Basketball -> Sport; Pizzeria -> Food; Restaurant -> Food; Whore -> Porn
- Strange URLs (keyword rules misfire on them): whorepresents.com, therapistfinder.com, speedofart.com, expertsexchange.com, penisland.com, powergenitalia.it
Slide 17: Recognizing Porn URLs
- An example of a segmentation problem: compare
  P('peni') × P('sland')
  P('penis') × P('land')
  P('pen') × P('island')
- This extends to classification: compare
  P('penis') × P('land') × P(porn|'penis') × P(porn|'land')
  P('pen') × P('island') × P(not_porn|'pen') × P(not_porn|'island')
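The two slides above (keyword rules that misfire on URLs like penisland.com, and the segmentation-plus-classification formula) can be implemented as one dynamic-programming search over split points. The following is an added example, not the deck's or Cisco's code: the unigram probabilities P(w) and the per-word class probabilities P(porn|w) are constructed toy values, unknown substrings get a tiny constant probability, and the host labels fed in are the slide's examples plus one constructed adult-content label so both outcomes are exercised.

```python
"""Viterbi word segmentation of a URL host label, extended to class scoring.
Added example; all probabilities are constructed toy values."""
import math
from typing import List, Optional, Tuple

# Constructed unigram probabilities P(w) for a tiny vocabulary.
UNIGRAM = {
    "pen": 0.020, "island": 0.030, "penis": 0.004, "land": 0.040,
    "expert": 0.015, "experts": 0.010, "exchange": 0.020, "sex": 0.012,
    "change": 0.030, "who": 0.050, "represents": 0.010, "whore": 0.002,
    "presents": 0.015, "free": 0.050, "porn": 0.003,
}
# Constructed P(porn | w); P(not_porn | w) = 1 - P(porn | w).
P_PORN = {
    "penis": 0.9, "sex": 0.8, "whore": 0.9, "porn": 0.95, "free": 0.1,
    "pen": 0.05, "island": 0.05, "land": 0.05, "expert": 0.05, "experts": 0.05,
    "exchange": 0.05, "change": 0.05, "who": 0.05, "represents": 0.05, "presents": 0.05,
}
UNKNOWN_LOGP = math.log(1e-8)   # any substring not in the vocabulary
UNKNOWN_PORN = 0.5              # unknown word carries no class evidence
MAX_WORD = 12                   # longest segment considered


def logp_word(w: str) -> float:
    return math.log(UNIGRAM[w]) if w in UNIGRAM else UNKNOWN_LOGP


def logp_class(w: str, porn: bool) -> float:
    p = P_PORN.get(w, UNKNOWN_PORN)
    return math.log(p if porn else 1.0 - p)


def best_segmentation(s: str, porn: Optional[bool] = None) -> Tuple[float, List[str]]:
    """Viterbi over split points.  With porn=None the score is log prod P(w)
    (pure segmentation); otherwise it is log prod P(w) * P(class|w), i.e. the
    best segmentation *for that class*, exactly the products on the slide."""
    n = len(s)
    best: List[Tuple[float, int]] = [(-math.inf, -1)] * (n + 1)
    best[0] = (0.0, -1)
    for i in range(1, n + 1):
        for j in range(max(0, i - MAX_WORD), i):
            w = s[j:i]
            score = best[j][0] + logp_word(w)
            if porn is not None:
                score += logp_class(w, porn)
            if score > best[i][0]:
                best[i] = (score, j)
    # Backtrack the split points into words.
    words, i = [], n
    while i > 0:
        j = best[i][1]
        words.append(s[j:i])
        i = j
    return best[n][0], words[::-1]


def classify(label: str) -> Tuple[str, List[str]]:
    """Pick the class whose best segmentation has the higher joint score."""
    s_porn, seg_porn = best_segmentation(label, porn=True)
    s_not, seg_not = best_segmentation(label, porn=False)
    if s_porn > s_not:
        return "porn", seg_porn
    return "not_porn", seg_not


if __name__ == "__main__":
    # The slide's odd-looking hosts plus one constructed adult-content label.
    for host in ["penisland", "expertsexchange", "whorepresents", "freeporn"]:
        print(host, best_segmentation(host)[1], classify(host))
```

Each class keeps its own best segmentation: "penisland" scores highest for porn as penis+land, but the not_porn reading pen+island has a far larger joint probability, so the label is cleared. A naive keyword rule matching "penis" or "whore" as a substring would have blocked all three of the slide's examples.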
Slide 18: Phishing and Malware Examples
- Phishing examples
- Malicious examples: www1.scan-projectrf.cz.cc, www1.scan-projectsi.cz.cc, www1.scan-projectst.cz.cc, www1.scan-projectte.cz.cc, www1.scan-projectti.cz.cc
Slide 19: Searchahead
- If we can identify bad URLs we can warn before the user clicks
- Over 90% of new sites are visited as the result of an Internet search
- Result markings: Acceptable, Uncategorized, Prohibited, Malicious
Slide 20: Response Time Scanning
- Trusted sites are targets
- Strength in depth: a combination of commercial scanners and in-house technology
- Where malicious content arrives: graphics, webmail, new web pages, blogs, ad links, links, comments, banner ads
- What it delivers: backdoors, rootkits, trojan horses, keyloggers, worms
Slide 21: Exploited sites in recent years
- Facebook, Times of India, Miami Dolphins, Samsung
Slide 22: Nothing is safe – not even Twitter!
Slide 23: Signature Databases
- From 2006 to 2008, the F-Secure signature database grew from entries to 1.5 million
- The rate at which variants of viruses come out is growing rapidly
- No vendor can rely exclusively on signatures
Slide 24: Zero-hour protection
- Vendors take time to release signature updates (example: the Win32.IstBar.jl trojan)
- Outbreak Intelligence (OI) provides proactive threat detection
- A huge data set of traffic to be leveraged
Slide 25: How does OI use Machine Learning?
- Approaches: malware detection; anomaly detection; dynamic categorization
- Techniques employed: supervised learning; unsupervised learning; sandboxing
Slide 26: Dynamic Classification
- Document classification across 80 categories
- Increases coverage
- Language identification
- Identifies inappropriate content: porn is relatively easy; phishing is harder – but not impossible?; hate speech is harder still
Slide 27: DC for identifying malicious sites
- Automated tools generate malicious sites: fake escrow, fake pharmacy, mule recruitment
- Examples from Richard Clayton's 2010 FOSDEM talk (the same boilerplate text recurs across generated sites, so a phrase search finds them):
  http://www.google.com/search?q=%22before+that+was+a+commercial+manager+of+a+large+corporation+engaged+in+electronics+production%22
  http://www.google.com/search?q=%22as+the+most+trusted+escrow+service+on+the+internet%22
Slide 28: Malicious Executable Files
- The final stage of an attack is frequently downloading an executable
- Traditionally blocked using signatures
- We use a combination of signature-based scanners and machine learning
Slide 30: Flash
"Symantec recently highlighted Flash for having one of the worst security records in
We also know first hand that Flash is the number one reason Macs crash. We have been working with Adobe to fix these problems, but they have persisted for several years now. We don't want to reduce the reliability and security of our iPhones, iPods and iPads by adding Flash."
– Steve Jobs, April 2010
Slide 31: The growing threat of Java
- Almost as common as Flash: 90% of PCs have Java; JDK downloads per month; 3.48 million JRE downloads per month
- Growth in known vulnerabilities: 29 patched in a single update (Oct 2010)
- Growth in exploits reported by Sophos, Symantec, Microsoft and Cisco
- Defence: signatures + trained scanlet
Slide 34: Obfuscation
- Attackers use obfuscation, but so do legitimate vendors (e.g. Google) and large Web 2.0 libraries
- Techniques include: name changes; string concatenation (eval); dynamically loaded/generated/decrypted code (eval); splitting functionality across files
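The slide's caveat, that minified legitimate libraries share surface features with malicious obfuscation, is the reason a scanner extracts several indicators rather than keying on one. The following is an added example (not Cisco's scanlet): a small feature extractor that counts the dynamic-code indicators named on the slide in a piece of JavaScript and reports, but does not score, the short-identifier ratio that "name changes" and ordinary minification both produce. The regexes, weights and the three constructed input snippets are assumptions for illustration; the "obfuscated" sample only writes a harmless string.

```python
"""Surface-feature extractor for JavaScript obfuscation indicators.
Added example with constructed weights and samples; not a vendor's scanner."""
import re
from typing import Dict

# Indicators of dynamically generated/decoded code, as listed on the slide.
PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "function_ctor": re.compile(r"\bFunction\s*\("),           # Function("...") also executes text
    "fromcharcode": re.compile(r"String\.fromCharCode\s*\("),
    "unescape": re.compile(r"\bunescape\s*\(|\bdecodeURIComponent\s*\("),
    # eval( ... + ... ): the executed string is assembled by concatenation
    "eval_concat": re.compile(r"\beval\s*\([^)]*\+"),
    "document_write": re.compile(r"document\.write\s*\("),
}
IDENT = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
STRING_LITERAL = re.compile(r'"[^"\n]*"|\'[^\'\n]*\'')
JS_KEYWORDS = {
    "var", "let", "const", "function", "return", "if", "else", "for", "while",
    "new", "this", "true", "false", "null", "typeof", "in", "of", "break",
}


def extract_features(src: str) -> Dict[str, float]:
    """Count each indicator and add two context features.
    short_ident_ratio is reported only: Google's minified code scores 1.0 here too."""
    feats: Dict[str, float] = {name: len(p.findall(src)) for name, p in PATTERNS.items()}
    idents = [i for i in IDENT.findall(src) if i not in JS_KEYWORDS]
    short = sum(1 for i in idents if len(i) <= 2)
    feats["short_ident_ratio"] = round(short / len(idents), 2) if idents else 0.0
    feats["longest_string"] = max((len(m) for m in STRING_LITERAL.findall(src)), default=0)
    return feats


def obfuscation_score(feats: Dict[str, float]) -> int:
    """Constructed weights: only the code-execution indicators contribute, so
    a minified library with no eval scores 0 while split-string eval scores high."""
    score = (3 * feats["eval"] + 4 * feats["eval_concat"] + 3 * feats["function_ctor"]
             + 2 * feats["fromcharcode"] + 2 * feats["unescape"])
    if feats["longest_string"] > 200:   # a very long literal often carries an encoded payload
        score += 2
    return int(score)


# Constructed samples: hand-written code, a split-string eval, and minified-looking code.
PLAIN = 'function greet(name) { return "Hello, " + name; }'
OBFUSCATED = ('var p="do"+"cument.wr"+"ite";var q=String.fromCharCode(104,105);'
              'eval(p+"(\'"+q+"\')");')
MINIFIED = 'function a(b,c){return b+c}var d=a(1,2),e=function(f){return f*2};'


if __name__ == "__main__":
    for name, src in [("plain", PLAIN), ("obfuscated", OBFUSCATED), ("minified", MINIFIED)]:
        f = extract_features(src)
        print(f"{name:11} score={obfuscation_score(f):2}  {f}")
```

Note what the split string hides: `document_write` is 0 for the obfuscated sample because the literal `document.write(` never appears in the source, which is precisely why a scanner cannot rely on keyword matching alone and why the deck pairs such features with trained models and sandboxing.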
Slide 35: Malicious Non-Executable Files
- There are a lot of file formats out there – documents, pictures, videos
- For zero-day attacks we have no data to compare against; basically this is anomaly detection
Slide 36: Development Constraints
- Low false positive rate
- Robust: tolerant against malformed data
- Language-agnostic
- Scalable: 1.8 billion requests per day on 1000 servers
- Low latency
Slide 37: Back-end processing
- If a technique is too slow for real-time scanning, that doesn't make it useless
- Back-end processing can generate lists of good and bad files and help evaluate new techniques
Slide 38: Want to know more?
- Cisco 2Q10 Global Threat Report (sco_threat_072610_959.pdf)
- Richard Clayton: Evil on the Internet (FOSDEM talk video; Internet)-FOSDEM-Talk-video.aspx)
- Kaspersky Lab Security News Service
- A plan for Spam
Slide 39: Still want to know more?
- Identifying Suspicious URLs: An Application of Large-Scale Online Learning
- Peter Norvig, Google: Statistical Learning as the Ultimate Agile Development Tool
- Writing ClamAV Signatures, Alain Zidouemba
Slide 40: Take Home Messages
- Web security: a challenging and interesting domain with many applications for machine learning
- ScanSafe and Cisco: many opportunities for collaboration; several opportunities for student projects
Slide 41: Any Questions?