Presentation is loading. Please wait.

Presentation is loading. Please wait.

Machine Learning for Enterprise Security

Published byBennett Walton Modified over 6 years ago

Similar presentations

Presentation on theme: "Machine Learning for Enterprise Security"— Presentation transcript:

1 Machine Learning for Enterprise Security
Pratyusa K. Manadhata Hewlett Packard Labs

2 Outline Focus on problems, not on ML techniques
Evolution of enterprise security Uses of machine learning Strengths and weaknesses Trends and research opportunities Focus on problems, not on ML techniques

3 Enterprise security Users Information Interactions Infrastructure

4 A Security framework Prevent Detect Recover

5 1st Generation: Point products

6 IDS AntiVirus Proxy Firewall Unified UI False positive reduction
2nd Generation: Security information and event management systems (SIEM) IDS AntiVirus Proxy Firewall Unified UI False positive reduction

7 3rd Generation: Security Operations Centers

8 1st Generation Point Products

9 Do one thing and do it “well”
Anti-malware products Data leakage prevention products Firewalls Application firewalls Intrusion detection systems (IDS/IPS) Domain/IP Blacklists Sandboxes Web proxies …. Some examples of point products

10 + Product structure Platform Intelligence AV Firewall IDS …
AV Signatures Firewall Rules IDS Signatures ..

11 Anti-Malware products
Benign Samples Label Malware Signature Generation Signature Matching Back End Front End

12 Machine Learning: Detect similarity at scale
Sample labelling Similarity Machine Learning: Detect similarity at scale

13 Similarity is key in other detection mechanisms too
No “true” indicators of good/bad exist

14 Static analysis: looks similarity
Features: PE Headers, instruction sequences,.. Classification/Clustering False positives False negatives – easy to evade

15 Dynamic analysis: behavior similarity
Features: system call sequences, API sequences, .. Classification/clustering Computational challenges Hard to run samples

16 Reputation analysis: behavior similarity
Program behavior data from end points, no need for samples Features: popularity, source, destinations,… Lightweight data collection Lagging detection

17 Front end detection: False positive-false negative trade-off
File hash Strings Behavior signatures Almost no machine learning on end devices

18 Complex and Fragile

19 Malicious domain detection
Many Methods/Papers Features Classification/clustering/regression Graph analysis Pattern mining and matching Statistical analysis Syntactic properties of a domain name string HTTP/DNS protocol properties Access patterns Registration information Association with malware

20 opmsecurity.org A command & control domain used in the OPM breach
source:

21 Observations and opportunities
ML helps with scalability, but not much with accuracy Complex and fragile systems ML on end devices instead of signature matching

22 2nd Generation Security Information and Event Management

23 Correlation Reduce alerts by grouping Reduce false alarms IPS
Firewall Anti-Malware Reduce alerts by grouping Reduce false alarms

24 Security Information and Event Management
firewalls IDS/IPS Web servers Active directory Anti-virus VPN DHCP Billions of events / day Filtering & Correlation A few hundred events / day

25 How to generate correlation rules?

26 Market-basket Analysis

27 Rules are heuristics driven/manually generated
Observations Rules are heuristics driven/manually generated Correlation window order of minutes

28 3rd Generation Security Operations Centers

29 A large enterprise network
enterprise HPN Routers 1,500+ 41K+ servers owned by HP IT 2.5B security events logged per day with 11.5M+ Internet mails per day sent/received HP IT supports 6 NGDC and 86 MCS 450,000 end points protected with anti-virus Manage 150K+ mobile devices 140+ Windows Domain Controllers 597 IPS sensors deployed 1.2 million connected devices 15K+ HPN switches 2,000+ HP IT managed firewalls 450,000 mailboxes managed 300K+ employees + contractors 39,000,000 IP Addresses including 2 contiguous Class A’s 970K+ scanned devices for vulnerabilities 440K+ PCs deployed

30 Reducing false negatives
AV DLP Firewall IDS LDAP DHCP DNS HTTP

31 Advanced persistent threat (APT) detection
Infiltration Discovery Exfiltration Remote Control

32 Suspicious DNS traffic
Periodic DNS activity Bursty DNS activity Suspicious DNS traffic Infiltration Discovery Exfiltration Remote Control Internal DNS/LDAP traffic DNS Exfiltration HTTP/HTTPS File formats

33 The data analysis approach holds promise
Compromised account detection Lateral movement detection Anomalous user behavior Insider threat Preemptive detection – detecting early stages of an attack

34 Security Analytics

35 Magic Data Lake DNS HTTP IDS .. .. AV

36 Scalable, Reliable, and Timely Detection

37 Challenges Infer human intent Adapt Reduce false alarms
Preserve privacy

38 4th Generation Remediation & Recovery

39 Analyst sees an alert

40 Analyst builds a context

41 Analyst follows a remediation plan
Quarantine the infected machine Schedule/ run clean up tools Schedule/ run reimaging

42 A few minutes per alert

43 http://www. darkreading

44 Repetitive, Manual, and Error Prone
SOCs don’t scale Repetitive, Manual, and Error Prone

45 Machine learning to the rescue???
Again, ML could help us in recovery and remediation We may be able to automate some of the tasks that analysts do For example, based on alerts, a ML algorithm might be able to build the context and prescribe a remediation plan This is an area that needs lot of investigation

46 Context building as a learning problem
Predict the information needed for each alert alert characteristics source/destination protocol vulnerability

47 Remediation plan as another learning problem
Predict remediation action for each alert context information device characteristics user characteristics location connectivity business needs

48 Incorporate analyst feedback

49 Summary

50 Current state ML has played a key role since early days of enterprise security ML helps achieve scale, but FPs/FNs remain One of the better tools at our disposal for enterprise security

51 Future: ML targeted toward enterprise security
Detection Recovery/Remediation ML/AI/SA DNS HTTP IDS .. .. AV

52 Point products: Old problems require new solutions
Targeted new techniques False positives/False negatives Resource aware – power Advances in hardware and systems software

53 Security analytics and remediation: New problems
Targeted ML techniques for scalable and reliable detection Holistic approach to detection and remediation Incorporate user feedback

54 And finally, be judicious in using ML

55 Thank You Pratyusa K. Manadhata

Download ppt "Machine Learning for Enterprise Security"

Similar presentations

1© Copyright 2011 EMC Corporation. All rights reserved. The Future of the Advance Soc 3rd Annual Privacy, Access and Security Congress, Ottawa, 2012 Mike.

1© Copyright 2011 EMC Corporation. All rights reserved. The Future of the Advance Soc 3rd Annual Privacy, Access and Security Congress, Ottawa, 2012 Mike.
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
Security that is... Ergonomic, Economical and Efficient! In every way! Stonesoft SSL VPN SSL VPN.

Security that is... Ergonomic, Economical and Efficient! In every way! Stonesoft SSL VPN SSL VPN.
The Most Analytical and Comprehensive Defense Network in a Box.

The Most Analytical and Comprehensive Defense Network in a Box.
©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.

©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.
Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.

Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.
IBM Security Network Protection (XGS)

IBM Security Network Protection (XGS)
© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.

© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.
Kaspersky Lab: The Best of Both Worlds Alexey Denisyuk, pre-sales engineer Kaspersky Lab Eastern Europe 5 th April 2012 / 2 nd InfoCom Security Conference.

Kaspersky Lab: The Best of Both Worlds Alexey Denisyuk, pre-sales engineer Kaspersky Lab Eastern Europe 5 th April 2012 / 2 nd InfoCom Security Conference.
CISCO CONFIDENTIAL – DO NOT DUPLICATE OR COPY Protecting the Business Network and Resources with CiscoWorks VMS Security Management Software Girish Patel,

CISCO CONFIDENTIAL – DO NOT DUPLICATE OR COPY Protecting the Business Network and Resources with CiscoWorks VMS Security Management Software Girish Patel,
AIS, 20141 Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)

AIS, Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)
The Most Analytical and Comprehensive Defense Network in a Box.

The Most Analytical and Comprehensive Defense Network in a Box.
CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and.

CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and.
1 © 2001, Cisco Systems, Inc. All rights reserved. Cisco Info Center for Security Monitoring.

1 © 2001, Cisco Systems, Inc. All rights reserved. Cisco Info Center for Security Monitoring.
Security Innovation & Startup. OPEN THREAT EXCHANGE (OTX): THE HISTORY AND FUTURE OF OPEN THREAT INTELLIGENCE COMMUNITY ALIENVAULT OTX.

Security Innovation & Startup. OPEN THREAT EXCHANGE (OTX): THE HISTORY AND FUTURE OF OPEN THREAT INTELLIGENCE COMMUNITY ALIENVAULT OTX.
Chapter 5: Implementing Intrusion Prevention

Chapter 5: Implementing Intrusion Prevention
Network Security Technologies CS490 - Security in Computing Copyright © 2005 by Scott Orr and the Trustees of Indiana University.

Network Security Technologies CS490 - Security in Computing Copyright © 2005 by Scott Orr and the Trustees of Indiana University.
Intrusion Detection Systems. 1980-Paper written detailing importance of audit data in detecting misuse + user behavior 1984-SRI int’l develop method of.

Intrusion Detection Systems Paper written detailing importance of audit data in detecting misuse + user behavior 1984-SRI int’l develop method of.
Connected Security Your best defense against advanced threats Anne Aarness – Intel Security.

Connected Security Your best defense against advanced threats Anne Aarness – Intel Security.
Network Security Terms. Perimeter is the fortified boundary of the network that might include the following aspects: 1.Border routers 2.Firewalls 3.IDSs.

Network Security Terms. Perimeter is the fortified boundary of the network that might include the following aspects: 1.Border routers 2.Firewalls 3.IDSs.

Similar presentations

Ads by Google