exploiting sequence of events for potential attack
play

Exploiting Sequence of Events for Potential Attack Detection in - PowerPoint PPT Presentation

Dec 21, 2022 •273 likes •636 views

Exploiting Sequence of Events for Potential Attack Detection in Network Security using Machine Learning Ashrith Barthur, PhD Security Research @cyberbaggage H 2 O .ai Machine Intelligence Sequence of Events (SoE) What is a Sequence of

  1. Exploiting Sequence of Events for Potential Attack Detection in Network Security using Machine Learning Ashrith Barthur, PhD Security Research @cyberbaggage H 2 O .ai Machine Intelligence

  2. Sequence of Events (SoE) • What is a Sequence of Events? o A set of events, that usually includes sub-events that help you achieve a goal. H 2 O .ai Machine Intelligence

  3. SoE - In Depth o An individual event is usually a set of sub-events that we/machines do to achieve a state. • E.g. Entering username and password and hit enter - login event. o An event by itself does not say much. • E.g. Did you login to Google? Facebook? o So an event needs a context. • E.g. Enter www.google.com - page load event. • Enter username and password - login event. H 2 O .ai Machine Intelligence

  4. SoE - Importance o If you are predicting loan default / fraud then a sequence of events are not that important. o But when you are classifying a potential attack /malicious behaviour, sequence of events is important. H 2 O .ai Machine Intelligence

  5. SoE - Importance o Is this not just about building related features? o Not so. o This is actually chaining data from different sources and making them a sequence, by actual data joins, or algorithmically. H 2 O .ai Machine Intelligence

  6. Why Do We Need a Sequence of Events While Identifying Potential Attack? - Answer lies in how attacks occur, Anatomy . H 2 O .ai Machine Intelligence

  7. Classification of Attacks • Short Term Goals o DDoS - for different layers o Physical Attacks • Long Term Goals o Network/Service Reconnaissance o Enterprise Service attacks - attack on infrastructure o Phishing, Spear Phishing (more focussed) o Social Engineering - Out-of-loop • H 2 O .ai Machine Intelligence

  8. Anatomy of An Attack - Short Term • Identify Target • Identify Service of Attack • Overwhelm the service • Post-Attack Analysis o Attack mechanism is simple. o Variations occur in source of attack, protocols levels. o Relatively short lived. o Damage quantifiable. H 2 O .ai Machine Intelligence

  9. Anatomy of An Attack - Long Term • Identify Target • Reconnaissance • Identify Infrastructure Vulnerability / Or means of phishing • Network Foothold • Lateral movement and service compromises • Data Exfiltration/ Network Squatting, or passive sniffing. H 2 O .ai Machine Intelligence

  10. Anatomy of An Attack - Long Term (cont) • Post-Attack Analysis ( Usually an Illusion ) o Attack might still continue o Variations can occur based on services, new vulnerabilities, new softwares, unused access, network segments without VLANs, un-closed, outdated wall sockets, etc. o Usually very long term o Damage assessment is not usually accurate. • H 2 O .ai Machine Intelligence

  11. How are these two attack variants used? H 2 O .ai Machine Intelligence

  12. Usage • Used Together, if needed. • Short Term Attacks are used as: o A means of Reconnaissance o A method of shielding another attack, or breaking down some basic protection before an attack is launched. o It is also used to shield any detection of data exfiltration H 2 O .ai Machine Intelligence

  13. Usage • As you can clearly see a potential attack is set of connected events. • Identifying only one event might not yield much information. o E.g. An access to the database in itself is hardly a potential attack identifier. o Accessing the database outside work-hours too is hardly an identifier as people all around the world might be working on the same database. H 2 O .ai Machine Intelligence

  14. Current Day Solutions. 1. Solutions do exist that correlate events 2. But are limited 3. They are purely rule-based, and mostly stateless. 4. Hardly capable of smartly identifying events related across time. - A must for identifying long term attacks. H 2 O .ai Machine Intelligence

  15. CSec Solution Evolution Rule-based Feature-based Pure Data Driven Model Model Model H 2 O .ai Machine Intelligence

  16. CSec Solution Evolution Feature-based Model H 2 O .ai Machine Intelligence

  17. CSec Solution Evolution Feature-based Model ● Using a feature based model we look for anomalies / potential attacks by: ○ First marking the kind of traffic it is. ○ And the likelihood of it being malicious ● These anomalies are further verified by having a human analyse the outcome of the model. H 2 O .ai Machine Intelligence

  18. Features - ( Used in Feature-based Model ) 1. Features are meta data (Extracted from the data) 2. They help algorithms capture information from the data. 3. Feature engineering is a form of language translation: Between raw data and the algorithm. 4. Build much better features for your supervised models. H 2 O .ai Machine Intelligence

  19. Source of Data 1. Past Attack 2. Past Traffic 3. Current Traffic 4. Application Logs 5. System logs 6. PCAP files - raw network capture files. 7. ASA, IDS, etc. H 2 O .ai Machine Intelligence

  20. Features - Example 1. Average length of connection (too small, too large) 2. Average number of DNS requests (within network/outside network) 3. Average number of new domains 4. Change in MTU ratio vs. Windows/Mac/*Nix machine churn. 5. Packet Utilization - segmentation 6. Window Size 7. Arrival Jitter Variance H 2 O .ai Machine Intelligence

  21. Features - Example average tcp connect length by protocol 7 Days H 2 O .ai Machine Intelligence

  22. Features: Advantages 1. Designed Features Highlight Transactional Behaviour 2. Features Continuously Track Network’s Transactional Behaviour 3. Rules Variables can only Identify Threshold Changes H 2 O .ai Machine Intelligence

  23. Feature-based Model: Advantages 1. Uses AI - artificial intelligence 2. AI with features uses a consistent and objective approach 3. Quick classification 4. Multiclass - quickly identifies types of traffic - event. 5. Low false positive rate - tweaked based on risk appetite. H 2 O .ai Machine Intelligence

  24. Limitation of the Model 1. A single traffic classification 2. A single likelihood for the specific type of traffic. 3. It still needs to be verified by a security analyst a. An analyst needs to go through large amounts of data for identification H 2 O .ai Machine Intelligence

  25. Identification and Labeling Two different methods 1. Completely Manual 2. Assisted by Clustering H 2 O .ai Machine Intelligence

  26. Manual Labeling Logs Information Analytical Inputs: 1. Behavioural Input 2. Univariate Alert score 3. Threat score Suspicious Not Suspicious H 2 O .ai Machine Intelligence

  27. Assisted Labeling ● The approach of Manually Labeling is slow. ● Therefore, we involve an assisted Labeling approach. H 2 O .ai Machine Intelligence

  28. Assisted Labeling Clustering Output Sampling Clustering output labeling Clustering Classification H2O Unsupervised Output Algorithm 1. Algo tuning 1. Features SoC Analyst Logs/Pcap H 2 O .ai Machine Intelligence

  29. Model Deployment Suspicious Data with Features H2O Machine Learning Algorithm Not Suspicious 1. Traffic logs 2. Pcap Info 3. Alert systems H 2 O .ai Machine Intelligence

  30. Limitation of This Approach 1. Slow 2. Loss of Classification information H 2 O .ai Machine Intelligence

  31. Loss of Classification of Information Output Class 1 Class 2 Class 3 Class 4 Class 5 Class 6 Class Class 1 0.7 0.2 0.05 0.04 0.0 0.0 Class 1 0.7 0.2 0.05 0.04 0.0 0.0 ... ... ... ... ... ... ... Class 1 0.55 0.0 0.0 0.0 0.0 0.45 ... ... ... ... ... ... ... H 2 O .ai Machine Intelligence

  32. Loss of Classification of Information ● In a multiclass ML problem we get probability scores for all possible candidates ● But we disregard all scores except the highest score. ● Benign events and potential attacks get class-probabilities in a multi-classification. ● Events that are benign, in a given class e.g. Class 1, tend to have similar scores. ● Events that are potential attacks in a certain class e.g. Class 1 , tend to have different scores when compared to benign events. H 2 O .ai Machine Intelligence

  33. Model Improvement ● We exploited this information from the multi-classification. ● The classes in multi-classification are the sequence of events . ● We passed the probability scores thru an autoencoder. ● By exploiting the multi-classification probability values we calculated reconstruction errors. ● Using reconstruction errors we were able to classify traffic that seemed anomalous - potential attack, and benign. H 2 O .ai Machine Intelligence

  34. Model Improvement - Advantages ● FAST! ● Results reinforced with bit more information. ● Reinforced events are the sequence of events. ● Analyst looks at a smaller set of data and can quickly identify potential attacks. H 2 O .ai Machine Intelligence

  35. Thank You Questions? H 2 O .ai Machine Intelligence

Recommend

Motivation and Overview Towards Defining and Exploiting 12.3.40.65 GET index.jsp Behaviorally

Motivation and Overview Towards Defining and Exploiting 12.3.40.65 GET index.jsp Behaviorally

Motivation and Overview Towards Defining and Exploiting 12.3.40.65 GET index.jsp Behaviorally related Similarities in Web Application Use 12.3.40.65 GET login.jsp View user sessions as use cases sequence of events 12.3.40.65 GET reg.jsp?

224 views • 3 slides
The eI4Africa EU/FP7 Project Exploiting e-Infrastructures potential to boost RTDI in Africa

The eI4Africa EU/FP7 Project Exploiting e-Infrastructures potential to boost RTDI in Africa

The eI4Africa EU/FP7 Project Exploiting e-Infrastructures potential to boost RTDI in Africa info@ei4africa.eu www.ei4africa.eu African Pharmacological Science Gateway Jaran Eriksen| Karolinska 13/11/2013- 2 Institutet|eI4Africa

620 views • 23 slides
8.3 Mining Sequence Patterns in Transactional Databases 499 the items in s 2 , and so on. An item

8.3 Mining Sequence Patterns in Transactional Databases 499 the items in s 2 , and so on. An item

Chapter 8 Mining Stream, Time-Series, and Sequence Data 498 8.3 Mining Sequence Patterns in Transactional Databases A sequence database consists of sequences of ordered elements or events, recorded with or without a concrete notion of time. There

555 views • 31 slides
Plot the definition The organized sequence of events that make up a story Every plot is

Plot the definition The organized sequence of events that make up a story Every plot is

Plot the definition The organized sequence of events that make up a story Every plot is made up of a series of events that are related to one another. Plot the diagram 3 4 2 1 5 1. Exposition Usually occurs at the beginning

570 views • 12 slides
Potential Toolkit to Attack Nonperturbative Aspects of QFT -Resurgence and related topics- Sep

Potential Toolkit to Attack Nonperturbative Aspects of QFT -Resurgence and related topics- Sep

YITP-iTHEMS molecule-type international workshop Potential Toolkit to Attack Nonperturbative Aspects of QFT -Resurgence and related topics- Sep 7-25, 2020 Opening remarks & Brief introduction to Resurgence Tatsuhiro MISUMI Masaru Hongo,

504 views • 47 slides
Computatio ion Reuse in in DNNs by Exploiting Input Sim imilarity Marc Riera , Jose Maria

Computatio ion Reuse in in DNNs by Exploiting Input Sim imilarity Marc Riera , Jose Maria

Computatio ion Reuse in in DNNs by Exploiting Input Sim imilarity Marc Riera , Jose Maria Arnau, Antonio Gonzlez Sequence Processing Applications Speech Audio Signal 4/06/2018 ISCA 2018 2 Sequence Processing Applications 4/06/2018 ISCA

473 views • 22 slides
Sequence to Sequence models: Connectionist Temporal Classification 1 Sequence-to-sequence

Sequence to Sequence models: Connectionist Temporal Classification 1 Sequence-to-sequence

Deep Learning Sequence to Sequence models: Connectionist Temporal Classification 1 Sequence-to-sequence modelling Problem: A sequence goes in A different sequence comes out E.g. Speech recognition:

1.86k views • 172 slides
COVID-19 Compliance 2 July 2020 COVID-19 Our Journey Sequence of Events From little to no

COVID-19 Compliance 2 July 2020 COVID-19 Our Journey Sequence of Events From little to no

COVID-19 Compliance 2 July 2020 COVID-19 Our Journey Sequence of Events From little to no knowledge of what COVID-19 is: 13 December 2019, Chinese authorities alerted the World Health Organization of pneumonia cases in Wuhan City,

400 views • 28 slides
Optical Backside Attack with Nanoscale Potential C. Boit TUB Technische Universitt Berlin From

Optical Backside Attack with Nanoscale Potential C. Boit TUB Technische Universitt Berlin From

Optical Backside Attack with Nanoscale Potential C. Boit TUB Technische Universitt Berlin From backside, all nodes act alike Optical interaction through frontside: each node has individual signature due to interconnect intransparency Access

443 views • 20 slides
IC CE E I Cx Project Sequence of Events INTERNATIONAL COMMISSIONING ENGINEERS ICE Activities

IC CE E I Cx Project Sequence of Events INTERNATIONAL COMMISSIONING ENGINEERS ICE Activities

IC CE E I Cx Project Sequence of Events INTERNATIONAL COMMISSIONING ENGINEERS ICE Activities OAC Activities RFP to ICE ICE response to RFP Owner issues Cx contract Initialization Letter to Architect "SD" documents Review

211 views • 3 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day >> exploitation of the device >> the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
Storm of 10 November, 1998: The sequence of events in greater detail. 500-hPa height (contours)

Storm of 10 November, 1998: The sequence of events in greater detail. 500-hPa height (contours)

Storm of 10 November, 1998: The sequence of events in greater detail. 500-hPa height (contours) and absolute vorticity (coloured shading), 12 UTC Nov. 9, 1998. The pronounced long-wave trough over western North Amer- ica has several smaller

756 views • 47 slides
NTRU Prime A field-based system that reduces (potential) attack surface, while still being fast

NTRU Prime A field-based system that reduces (potential) attack surface, while still being fast

NTRU Prime A field-based system that reduces (potential) attack surface, while still being fast and compact Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Lange, and Christine van Vredendaal 29 June 2018 Bernstein, Chuengsatiansup,

1.18k views • 36 slides
DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDS Guoming Zhang, Chen Yan, Xiaoyu Ji, Tianchen Zhang,

DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDS Guoming Zhang, Chen Yan, Xiaoyu Ji, Tianchen Zhang,

DOLPHIN ATTACK: INAUDIBLE VOICE COMMANDS Guoming Zhang, Chen Yan, Xiaoyu Ji, Tianchen Zhang, Taimin Zhang, and Wenyuan Xu Zhejiang University BACKGROUND- DOLPHIN ATTACK An approach to inject inaudible voice commands at VCS by exploiting the

481 views • 28 slides
Defeating Android security solutions by exploiting fuzzy hashing (updated) Arash Vahidi RISE

Defeating Android security solutions by exploiting fuzzy hashing (updated) Arash Vahidi RISE

Defeating Android security solutions by exploiting fuzzy hashing (updated) Arash Vahidi RISE resund Security Day, 2019 The early morning opening slide... There are two types of crypto talks... 1. We present a third preimage attack on

435 views • 21 slides
CyTime TM Event Manager Event Management for Critical Power Applications Why Sequence of Events

CyTime TM Event Manager Event Management for Critical Power Applications Why Sequence of Events

CyTime TM Event Manager Event Management for Critical Power Applications Why Sequence of Events Recording? For meaningful data analysis, devices must share a common (precise) time reference More data points captured during an electrical

358 views • 25 slides
National Seminar The Gambias tourism sector: Measuring its value chain and exploiting its

National Seminar The Gambias tourism sector: Measuring its value chain and exploiting its

National Seminar The Gambias tourism sector: Measuring its value chain and exploiting its potential Coco Ocean Resort 23 rd May, 2019 Presenter: Ya Awa Nyassi Senior Planner Ministry of Tourism & Culture of The Gambia

758 views • 9 slides
Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data Gerome Miklau University of Massachusetts, Amherst DIMACS Workshop on Recent Work on Di ff erential Privacy across Computer Science October 2012

1.39k views • 136 slides
Early DoS and Worms Examples of recent worms and DoS attacks Slammer Worm Shaft DoS attack

Early DoS and Worms Examples of recent worms and DoS attacks Slammer Worm Shaft DoS attack

Outline Introduction to worms Potential damage that *could* be caused (theoretical) Early DoS and Worms Examples of recent worms and DoS attacks Slammer Worm Shaft DoS attack Ben Wilde Mstream DoS attack 7 February, 2005

718 views • 14 slides
SEQ 3 : Differentiable Sequence-to-Sequence-to-Sequence Autoencoder for Unsupervised Abstractive

SEQ 3 : Differentiable Sequence-to-Sequence-to-Sequence Autoencoder for Unsupervised Abstractive

SEQ 3 : Differentiable Sequence-to-Sequence-to-Sequence Autoencoder for Unsupervised Abstractive Sentence Compression Christos Baziotis, Ion Androutsopoulos, Ioannis Konstas, Alexandros Potamianos Ed nburgh NLP University of Edinburgh Natural

772 views • 51 slides
CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security

CPU Side-Channel Attacks the Meltdown Attack Heechul Yun 1 This Week: Hardware Security Introduction Meltdown Papers Spectre Attacks: Exploiting Speculative Execution, IEEE Security and Privacy (S&P), 2019 (Dustin)

726 views • 44 slides
Asynchronous sequence circuits An asynchronous sequence machine is a sequence circuit without

Asynchronous sequence circuits An asynchronous sequence machine is a sequence circuit without

Asynchronous sequence circuits An asynchronous sequence machine is a sequence circuit without flip-flops Asynchronous sequence machines are based on combinational gates with feedback Upon analysis it is assumed : Only one signal at a

1.34k views • 66 slides
Dr. Charlie Bavington GlycoMar Limited www.glycomar.com Exploiting marine glycobiology to

Dr. Charlie Bavington GlycoMar Limited www.glycomar.com Exploiting marine glycobiology to

Dr. Charlie Bavington GlycoMar Limited www.glycomar.com Exploiting marine glycobiology to advance human health Company Profile Opportunities for utilisation of shellfish by- products Current products Potential / future products Some global

343 views • 20 slides
Sequence to Sequence models: Attention Models 1 Sequence-to-sequence modelling Problem:

Sequence to Sequence models: Attention Models 1 Sequence-to-sequence modelling Problem:

Deep Learning Sequence to Sequence models: Attention Models 1 Sequence-to-sequence modelling Problem: A sequence goes in A different sequence comes out E.g. Speech recognition: Speech goes in, a word

2.23k views • 167 slides

More recommend