Vulnerabilities such as Spectre and Meltdown continue to plague many production servers, based on Intel CPUs. Our solution involves software-based monitoring of hardware counters and sending that data to Apache Spark clusters for threat detection. We leverage Spark's support for support vector machine (SVM) inference. Our machine learning models are trained off-line by a data scientist within a Jupyter notebook environment. As new models are validated, they can be easily deployed to the Spark cluster from the notebook. We have standardized model export and import using the ONNX machine learning open file format. In our presentation, we will demo the full pipeline, from model training to deployment. We will discuss the various challenges when deploying ML-based cyber-threat detection at scale using Apache Spark. For example, we found that gaps in detection can occur when Spark models are updated. We will describe a novel data ingestion architecture, based on Apache Kafka, that we developed to deal with this issue.

1. WIFI SSID:SparkAISummit | Password: UnifiedAnalytics

2. George Williams, GSI Technology
Scaling ML-based
CyberThreat Detection
For Production Systems
#UnifiedAnalytics #SparkAISummit

3. Agenda
● Cybersecurity Trends
● ML + Cybersecurity + Production Systems
● GSI Technology
● Architecture
● Code
3#UnifiedAnalytics #SparkAISummit
Director of Data Science,
GSI Technology

4. 4#UnifiedAnalytics #SparkAISummit

5. 5#UnifiedAnalytics #SparkAISummit

6. Scary Trends
6#UnifiedAnalytics #SparkAISummit
There is a hacker attack now every 39 seconds
Denial-of-service attacks up 140%
Cost of breach at $150 million

7. Opportunities
7#UnifiedAnalytics #SparkAISummit
Cybersecurity spending tops $100 billion
Funding of cybersecurity startups up 25%
Shortfall of 3 million cybersecurity workers

8. Opportunities
8#UnifiedAnalytics #SparkAISummit
Cybersecurity spending tops $100 billion
Funding of cybersecurity startups up 25%
Shortfall of 3 million cybersecurity workers
Hottest tech jobs: Security DevOps Eng & Data Eng/Sci

9. 9#UnifiedAnalytics #SparkAISummit
ML + Cybersecurity + Production

10. 10#UnifiedAnalytics #SparkAISummit
ML + Cybersecurity

11. 11#UnifiedAnalytics #SparkAISummit
ML + Cybersecurity

12. 12#UnifiedAnalytics #SparkAISummit
ML + Cybersecurity
X

13. 13#UnifiedAnalytics #SparkAISummit
ML + Cybersecurity
X
When ML and Data Science are the death of a
good company: A cautionary tale.X

14. 14#UnifiedAnalytics #SparkAISummit
ML + Cybersecurity
● AI “Washing”
● Model Transparency
● Model Bias
● Adversarial Attacks

15. 15#UnifiedAnalytics #SparkAISummit
Adversarial Attack
Image From OpenAI

16. 16#UnifiedAnalytics #SparkAISummit
ML + Cybersecurity
ML is just another tool
and not a silver bullet
for cybersecurity!

17. 17#UnifiedAnalytics #SparkAISummit
Cybersecurity + Production

18. 18#UnifiedAnalytics #SparkAISummit
Cybersecurity + Production

19. 19#UnifiedAnalytics #SparkAISummit
ML + Production Systems

20. 20#UnifiedAnalytics #SparkAISummit
ML + Production Systems
Image from
Brendan Greg

21. 21#UnifiedAnalytics #SparkAISummit
ML + Production Systems
Image from
Brendan Greg

22. 22#UnifiedAnalytics #SparkAISummit
Putting It All Together...

23. 23#UnifiedAnalytics #SparkAISummit
Putting It All Together...

24. 24#UnifiedAnalytics #SparkAISummit
Why?
Custom Chip PCIe Boards Super Cluster

25. 25#UnifiedAnalytics #SparkAISummit
Chip SuperCluster Cloud
● Lots and lots of custom chips
● Linux OS
● Managed Hosting
○ Drug Discovery
○ Government
○ Aerospace

26. 26#UnifiedAnalytics #SparkAISummit
Defense In Depth
NETWORK
FILE SYSTEM
HOST

27. 27#UnifiedAnalytics #SparkAISummit
Defense In Depth
Perimeter Protection
Malware/AV Detection
Host Is Still Vulnerable
○ Credential Theft, Session Hijacking
○ Insider Threats
○ Active Monitoring !

28. 28#UnifiedAnalytics #SparkAISummit
Anomaly Detection
● Cache Side Channel
○ Spectre/Meltdown
● Control Flow Attacks
○ ROP
● Anomalous User Behavior
○ Exfiltration

29. 29#UnifiedAnalytics #SparkAISummit
Anomaly Detection
● Cache Side Channel
○ Spectre/Meltdown ← CPU Performance Counters
● Control Flow Attacks
○ ROP ← Call Stack Sampling
● Anomalous User Behavior
○ Exfiltration ← File System Monitoring

30. 30#UnifiedAnalytics #SparkAISummit
Supervised and Unsupervised
X
2
X
2
X
1
X
1
Boundary
Clusters

31. Data Pipeline
31#UnifiedAnalytics #SparkAISummit
Spark ClusterData Source

32. Raw Data Source
32#UnifiedAnalytics #SparkAISummit
perf
○ Hardware stats
eBPF
○ Latest linux kernels
Python interface
○ BCC library

33. Perf, eBPF Kafka
33#UnifiedAnalytics #SparkAISummit

34. Kafka Ingestion
34#UnifiedAnalytics #SparkAISummit
Real-Time Data
○ For ML Inference
Historical Data
○ For ML Training
○ For Baselining (AD)

35. Training and Inference
35#UnifiedAnalytics #SparkAISummit
Baseline
○ For AD
ML Training
○ SVM
○ Regression
○ Auto-Encoder

36. Cache Side Channel Model
36#UnifiedAnalytics #SparkAISummit

37. Scenario: Cache Side Channel
Attack Detector
37#UnifiedAnalytics #SparkAISummit

38. Scenario: Cache Side Channel
Attack Detector
38#UnifiedAnalytics #SparkAISummit
normal
POC
production

39. Scenario: Cache Side Channel
Attack Detector
39#UnifiedAnalytics #SparkAISummit
normal
POC
production
TRAINING DATA
INFERENCE DATA

40. Code: Baseline Data
40#UnifiedAnalytics #SparkAISummit

41. Code: Training
41#UnifiedAnalytics #SparkAISummit

42. Code: Inference
42#UnifiedAnalytics #SparkAISummit

43. 43#UnifiedAnalytics #SparkAISummit
More...
● Model Validation (FP,FN), Hyperparameters ??
● Automated and Continuous Learning
● Adversarial Attacks
● Persistence: Models (ONNX), Forensics (Cass)
● Structured Streaming, Pipelines
● Networking/Local Inference

44. Schedule / Contact
Chip Cluster: Q4 2019
Github: HoneycombSecurity Project
Medium: GSI Technology Blog
Twitter: @cgeorgewilliams
44#UnifiedAnalytics #SparkAISummit

45. DON’T FORGET TO RATE
AND REVIEW THE SESSIONS
SEARCH SPARK + AI SUMMIT
The picture can't be displayed.