SlideShare ist ein Scribd-Unternehmen logo

A Game between Adversary and AI Scientist

Satnam Singh
Satnam Singh

Designing a game between an adversary and defender has been a challenge because the adversary's tactics and strategies are unobservable. However, if the defender is powered by AI-based tools to get observations about adversary actions and tactics, then a real game can be played. This talk shares a research on game theory and AI for information security.

Daten & Analysen
1 von 31
Downloaden Sie, um offline zu lesen
Satnam, Arunabha, Deepak, Waseem, Nirmesh, Santosh, Balamurali, Narayana Acalvio Technologies NULLCON March 3, 2018 A Game between Adversary and AI Scientist
Who am I • At Acalvio from Day 1 • 15+ Years in DS, ML, AI • General Motors, Samsung Research, CA Technologies • Author- Patents, Tech Pubs and Tech Talks • Rock Climber
Outline • Define the Problem • A possible solution - research work • Demos • Under the hood
Problem
Can we play a game with adversary? Can we engage with adversary?
Is adversary visible to defender? - Extensive reconnaissance of target and defender - Using the same tools and techniques as defender
Is he a “Returning” Adversary? —> Compare Tools, Tactics and Procedures (TTPs)
InfoSec Game: Assumptions • Unlike Chess, cyber game has infinite state space —> Use Mitre ATT@CK model to define the state space
Adversary Tactics
Mitre ATT@CK Model
Defender’s Tools are at Perimeter Need new tools to detect adversary INSIDE the NETWORK
Deceptions in Enterprise • Deceptions (D) • Emulations of Hosts, Applications, Database Servers, etc. • Real VM Hosts, Applications, etc. • Browser Cookies, Registry entries, etc. • Vulnerability in OS/ Application, Shares, etc. MUM-EPS-4343 Enterprise Network SOC segment Engineering Fiber Deceptions SOC Ops Segment Sales Operations MUM-EPS-4322 MUM-EPS-4453 SFO-GAMMA-2318 SFO-GAMMA-3123 BENG-ALPHA-4323 BENG-ALPHA-5662
AI Engine Process Registry Bro … HIDS Log AI Engine
Game: Demos
1: Recon - nmap • Defender detects it and provides a few RDP credentials on the endpoints Adversary Defender • Adversary performs recon and nmap to find out to the neighbourhood Demo>>
2: Obfuscated PowerShell Script • Adversary obfuscates PowerShell attack and executes in another host Adversary Defender • Defender detects obfuscated PowerShell commands Demo>>
3: Credentials Dump using PowerSploit and Mimikatz Adversary • Attacker dumps credentials using PowerSpoit and Mimikartz Defender • Defender detects PowerSploit and Mimikartz activities Demo>>
4: Data Exfilteration via DNS Tunnel • Adversary uses DNS Tunnel using DNSCat2 to exfiltrate the credentials Adversary Defender • Defender detects the DNS tunnel using AI Demo>>
Under the Hood
High Interaction AI Engine Adversary D Process Registry Winevent … HIDS Log HISH AI Engines Summarisation DNS Tunnel Detector Powershell Log Analyser
HISH AI: HIDS Log Summarisation Summarised Notables Event Summarisation • Summarise attacker’s activities - New services, processes, tasks and changes etc. - File system changes, registry entries, etc. - Shell commands, Windows event and authentication logs etc.File Event Logs . . . Process Logs Registry Logs Win Events Logs
HISH-AI: Summarisation Engine Raw Log Preprocessing Registry Logs File Logs . . . Process Logs Services Logs Bro Logs Rule & Baseline Based Filtering Domain Knowledge Rules Learned Baseline Baseline Summarised Notables Attack Scenarios Input Logs Output Notables Incident 1 60K 16 Incident 2 6K 5 Incident 3 70K 6 Process-based Summarisation
HISH-AI: PowerShell Log Engine PreProcessing Command N-GRAM Character N-GRAM Obfuscation Detection Model Tactic Detection Model Obfuscation Prediction Tactic Prediction (Privilege Escalation, Lateral Movement, Exfiltration) PowerShell Logs Tensorflow ANN Classifier
HISH-AI:Data exfiltration using DNS Tunnel dns tunnel server (dnstunnel.com) dns traffic local dns server dns tunnel client web traffic data.dnstunnel.com dns query: data.dnstunnel.com DNS Tunnelling Tools Iodine, dnscat2, Ozyman Enterprise Network
HISH-AI: DNS Tunnel Detection DNS logs Flow-based features Deep learning based ModelPacket metadata- based features DNS Tunnel prediction Model update TensorFlow DNS tunnel detection output: • IP and domain of tunnelling server: dnstunnel.com • tunnel start time: 26-02-2018 19:43:37 • tunnel end time: 26-02-2018 19:53:37
Game Theory
Formally Defining A Game Defining Game - The Normal Form Finite 2-person normal form game: <N,A,u>: - Players: N={Adversary, Defender} is a finite set of 2 players, indexed by i - Action set for player i — Ai a={a1,...,an} - Utility function or Payoff function for player i: ui u=(u1,...,un) is a profile of utility functions
InfoSec Game Carry out attack Quit Allow the attack 1,2 2,1 Block the adversary 2,2 2,0 Adversary Defender • Too simplistic • How to scale it for the real world? • How do we learn in real time? • "Row" player is Defender, "column" player is Adversary
Model as Reinforcement Learning Problem • Break the problem into Subproblems and learn in real-time • Model it as Reinforcement Learning Problem
Summary • Playing a game needs “Visibility” of the adversary • Need to surface signal in low SNR • Fusion of Deception+AI gives a way to engage with the adversary
Questions? @satnam74s

Empfohlen

Fluturas presentation @ Big Data Conclave
Fluturas presentation @ Big Data ConclaveFluturas presentation @ Big Data Conclave
Fluturas presentation @ Big Data Conclavefluturads
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?Raffael Marty
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationRaffael Marty
 
Big data on_aws in korea by abhishek sinha (lunch and learn)
Big data on_aws in korea by abhishek sinha (lunch and learn)Big data on_aws in korea by abhishek sinha (lunch and learn)
Big data on_aws in korea by abhishek sinha (lunch and learn)Amazon Web Services Korea
 
Intelligent Monitoring
Intelligent MonitoringIntelligent Monitoring
Intelligent MonitoringIntelie
 
Emerging Prevalence of Data Streaming in Analytics and it's Business Signific...
Emerging Prevalence of Data Streaming in Analytics and it's Business Signific...Emerging Prevalence of Data Streaming in Analytics and it's Business Signific...
Emerging Prevalence of Data Streaming in Analytics and it's Business Signific...Amazon Web Services
 
The hidden engineering behind machine learning products at Helixa
The hidden engineering behind machine learning products at HelixaThe hidden engineering behind machine learning products at Helixa
The hidden engineering behind machine learning products at HelixaAlluxio, Inc.
 
Analytics in Your Enterprise
Analytics in Your EnterpriseAnalytics in Your Enterprise
Analytics in Your EnterpriseWSO2
 

Empfohlen

Fluturas presentation @ Big Data Conclave
Fluturas presentation @ Big Data ConclaveFluturas presentation @ Big Data Conclave
Fluturas presentation @ Big Data Conclavefluturads
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?Raffael Marty
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationRaffael Marty
 
Big data on_aws in korea by abhishek sinha (lunch and learn)
Big data on_aws in korea by abhishek sinha (lunch and learn)Big data on_aws in korea by abhishek sinha (lunch and learn)
Big data on_aws in korea by abhishek sinha (lunch and learn)Amazon Web Services Korea
 
Intelligent Monitoring
Intelligent MonitoringIntelligent Monitoring
Intelligent MonitoringIntelie
 
Emerging Prevalence of Data Streaming in Analytics and it's Business Signific...
Emerging Prevalence of Data Streaming in Analytics and it's Business Signific...Emerging Prevalence of Data Streaming in Analytics and it's Business Signific...
Emerging Prevalence of Data Streaming in Analytics and it's Business Signific...Amazon Web Services
 
The hidden engineering behind machine learning products at Helixa
The hidden engineering behind machine learning products at HelixaThe hidden engineering behind machine learning products at Helixa
The hidden engineering behind machine learning products at HelixaAlluxio, Inc.
 
Analytics in Your Enterprise
Analytics in Your EnterpriseAnalytics in Your Enterprise
Analytics in Your EnterpriseWSO2
 
Strata Presentation: One Billion Objects in 2GB: Big Data Analytics on Small ...
Strata Presentation: One Billion Objects in 2GB: Big Data Analytics on Small ...Strata Presentation: One Billion Objects in 2GB: Big Data Analytics on Small ...
Strata Presentation: One Billion Objects in 2GB: Big Data Analytics on Small ...randyguck
 
Monitoring Big Data Systems - "The Simple Way"
Monitoring Big Data Systems - "The Simple Way"Monitoring Big Data Systems - "The Simple Way"
Monitoring Big Data Systems - "The Simple Way"Demi Ben-Ari
 
Elasticsearch Performance Testing and Scaling @ Signal
Elasticsearch Performance Testing and Scaling @ SignalElasticsearch Performance Testing and Scaling @ Signal
Elasticsearch Performance Testing and Scaling @ SignalJoachim Draeger
 
Lecture 02: Layered Architecture of Game Engine | GAMES104 - Modern Game Engi...
Lecture 02: Layered Architecture of Game Engine | GAMES104 - Modern Game Engi...Lecture 02: Layered Architecture of Game Engine | GAMES104 - Modern Game Engi...
Lecture 02: Layered Architecture of Game Engine | GAMES104 - Modern Game Engi...Piccolo Engine
 
게임을 위한 아마존웹서비스(AWS) (김일호 솔루션즈 아키텍트, AWS) :: Gaming on AWS 2018
게임을 위한 아마존웹서비스(AWS) (김일호 솔루션즈 아키텍트, AWS) :: Gaming on AWS 2018게임을 위한 아마존웹서비스(AWS) (김일호 솔루션즈 아키텍트, AWS) :: Gaming on AWS 2018
게임을 위한 아마존웹서비스(AWS) (김일호 솔루션즈 아키텍트, AWS) :: Gaming on AWS 2018Amazon Web Services Korea
 
SplunkLive! Salt Lake City June 2013 - Ancestry.com
SplunkLive! Salt Lake City June 2013 - Ancestry.comSplunkLive! Salt Lake City June 2013 - Ancestry.com
SplunkLive! Salt Lake City June 2013 - Ancestry.comSplunk
 
Snowplow: open source game analytics powered by AWS
Snowplow: open source game analytics powered by AWSSnowplow: open source game analytics powered by AWS
Snowplow: open source game analytics powered by AWSGiuseppe Gaviani
 
WSO2 Analytics Platform: The one stop shop for all your data needs
WSO2 Analytics Platform: The one stop shop for all your data needsWSO2 Analytics Platform: The one stop shop for all your data needs
WSO2 Analytics Platform: The one stop shop for all your data needsSriskandarajah Suhothayan
 
WSO2Con USA 2015: WSO2 Analytics Platform - The One Stop Shop for All Your Da...
WSO2Con USA 2015: WSO2 Analytics Platform - The One Stop Shop for All Your Da...WSO2Con USA 2015: WSO2 Analytics Platform - The One Stop Shop for All Your Da...
WSO2Con USA 2015: WSO2 Analytics Platform - The One Stop Shop for All Your Da...WSO2
 
Neo4j: What's Under the Hood & How Knowing This Can Help You
Neo4j: What's Under the Hood & How Knowing This Can Help You Neo4j: What's Under the Hood & How Knowing This Can Help You
Neo4j: What's Under the Hood & How Knowing This Can Help You Neo4j
 
Which library should you choose for data-science? That's the question!
Which library should you choose for data-science? That's the question!Which library should you choose for data-science? That's the question!
Which library should you choose for data-science? That's the question!Anastasia Bobyreva
 
Towards a Practice of Token Engineering
Towards a Practice of Token EngineeringTowards a Practice of Token Engineering
Towards a Practice of Token EngineeringTrent McConaghy
 
Azure Stream Analytics : Analyse Data in Motion
Azure Stream Analytics : Analyse Data in MotionAzure Stream Analytics : Analyse Data in Motion
Azure Stream Analytics : Analyse Data in MotionRuhani Arora
 
Discover advanced threats with threat intelligence - Jeremy Li
Discover advanced threats with threat intelligence - Jeremy LiDiscover advanced threats with threat intelligence - Jeremy Li
Discover advanced threats with threat intelligence - Jeremy LiJeremy Li
 
Building search and discovery services for Schibsted (LSRS '17)
Building search and discovery services for Schibsted (LSRS '17)Building search and discovery services for Schibsted (LSRS '17)
Building search and discovery services for Schibsted (LSRS '17)Sandra Garcia
 
MLOps journey at Swisscom: AI Use Cases, Architecture and Future Vision
MLOps journey at Swisscom: AI Use Cases, Architecture and Future VisionMLOps journey at Swisscom: AI Use Cases, Architecture and Future Vision
MLOps journey at Swisscom: AI Use Cases, Architecture and Future VisionBATbern
 
Artificial Intelligence - AI For Everyone
Artificial Intelligence - AI For EveryoneArtificial Intelligence - AI For Everyone
Artificial Intelligence - AI For EveryoneSridhar Seshadri
 
STIX Patterning: Viva la revolución!
STIX Patterning: Viva la revolución!STIX Patterning: Viva la revolución!
STIX Patterning: Viva la revolución!treyka
 
Advanced Open IoT Platform for Prevention and Early Detection of Forest Fires
Advanced Open IoT Platform for Prevention and Early Detection of Forest FiresAdvanced Open IoT Platform for Prevention and Early Detection of Forest Fires
Advanced Open IoT Platform for Prevention and Early Detection of Forest FiresIvo Andreev
 
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...Priyanka Aash
 
InfoSec Deep Learning in Action
InfoSec Deep Learning in ActionInfoSec Deep Learning in Action
InfoSec Deep Learning in ActionSatnam Singh
 
Probabilistic signals and systems satnam singh
Probabilistic signals and systems satnam singhProbabilistic signals and systems satnam singh
Probabilistic signals and systems satnam singhSatnam Singh
 

Weitere ähnliche Inhalte

Ähnlich wie A Game between Adversary and AI Scientist

Strata Presentation: One Billion Objects in 2GB: Big Data Analytics on Small ...
Strata Presentation: One Billion Objects in 2GB: Big Data Analytics on Small ...Strata Presentation: One Billion Objects in 2GB: Big Data Analytics on Small ...
Strata Presentation: One Billion Objects in 2GB: Big Data Analytics on Small ...randyguck
 
Monitoring Big Data Systems - "The Simple Way"
Monitoring Big Data Systems - "The Simple Way"Monitoring Big Data Systems - "The Simple Way"
Monitoring Big Data Systems - "The Simple Way"Demi Ben-Ari
 
Elasticsearch Performance Testing and Scaling @ Signal
Elasticsearch Performance Testing and Scaling @ SignalElasticsearch Performance Testing and Scaling @ Signal
Elasticsearch Performance Testing and Scaling @ SignalJoachim Draeger
 
Lecture 02: Layered Architecture of Game Engine | GAMES104 - Modern Game Engi...
Lecture 02: Layered Architecture of Game Engine | GAMES104 - Modern Game Engi...Lecture 02: Layered Architecture of Game Engine | GAMES104 - Modern Game Engi...
Lecture 02: Layered Architecture of Game Engine | GAMES104 - Modern Game Engi...Piccolo Engine
 
게임을 위한 아마존웹서비스(AWS) (김일호 솔루션즈 아키텍트, AWS) :: Gaming on AWS 2018
게임을 위한 아마존웹서비스(AWS) (김일호 솔루션즈 아키텍트, AWS) :: Gaming on AWS 2018게임을 위한 아마존웹서비스(AWS) (김일호 솔루션즈 아키텍트, AWS) :: Gaming on AWS 2018
게임을 위한 아마존웹서비스(AWS) (김일호 솔루션즈 아키텍트, AWS) :: Gaming on AWS 2018Amazon Web Services Korea
 
SplunkLive! Salt Lake City June 2013 - Ancestry.com
SplunkLive! Salt Lake City June 2013 - Ancestry.comSplunkLive! Salt Lake City June 2013 - Ancestry.com
SplunkLive! Salt Lake City June 2013 - Ancestry.comSplunk
 
Snowplow: open source game analytics powered by AWS
Snowplow: open source game analytics powered by AWSSnowplow: open source game analytics powered by AWS
Snowplow: open source game analytics powered by AWSGiuseppe Gaviani
 
WSO2 Analytics Platform: The one stop shop for all your data needs
WSO2 Analytics Platform: The one stop shop for all your data needsWSO2 Analytics Platform: The one stop shop for all your data needs
WSO2 Analytics Platform: The one stop shop for all your data needsSriskandarajah Suhothayan
 
WSO2Con USA 2015: WSO2 Analytics Platform - The One Stop Shop for All Your Da...
WSO2Con USA 2015: WSO2 Analytics Platform - The One Stop Shop for All Your Da...WSO2Con USA 2015: WSO2 Analytics Platform - The One Stop Shop for All Your Da...
WSO2Con USA 2015: WSO2 Analytics Platform - The One Stop Shop for All Your Da...WSO2
 
Neo4j: What's Under the Hood & How Knowing This Can Help You
Neo4j: What's Under the Hood & How Knowing This Can Help You Neo4j: What's Under the Hood & How Knowing This Can Help You
Neo4j: What's Under the Hood & How Knowing This Can Help You Neo4j
 
Which library should you choose for data-science? That's the question!
Which library should you choose for data-science? That's the question!Which library should you choose for data-science? That's the question!
Which library should you choose for data-science? That's the question!Anastasia Bobyreva
 
Towards a Practice of Token Engineering
Towards a Practice of Token EngineeringTowards a Practice of Token Engineering
Towards a Practice of Token EngineeringTrent McConaghy
 
Azure Stream Analytics : Analyse Data in Motion
Azure Stream Analytics : Analyse Data in MotionAzure Stream Analytics : Analyse Data in Motion
Azure Stream Analytics : Analyse Data in MotionRuhani Arora
 
Discover advanced threats with threat intelligence - Jeremy Li
Discover advanced threats with threat intelligence - Jeremy LiDiscover advanced threats with threat intelligence - Jeremy Li
Discover advanced threats with threat intelligence - Jeremy LiJeremy Li
 
Building search and discovery services for Schibsted (LSRS '17)
Building search and discovery services for Schibsted (LSRS '17)Building search and discovery services for Schibsted (LSRS '17)
Building search and discovery services for Schibsted (LSRS '17)Sandra Garcia
 
MLOps journey at Swisscom: AI Use Cases, Architecture and Future Vision
MLOps journey at Swisscom: AI Use Cases, Architecture and Future VisionMLOps journey at Swisscom: AI Use Cases, Architecture and Future Vision
MLOps journey at Swisscom: AI Use Cases, Architecture and Future VisionBATbern
 
Artificial Intelligence - AI For Everyone
Artificial Intelligence - AI For EveryoneArtificial Intelligence - AI For Everyone
Artificial Intelligence - AI For EveryoneSridhar Seshadri
 
STIX Patterning: Viva la revolución!
STIX Patterning: Viva la revolución!STIX Patterning: Viva la revolución!
STIX Patterning: Viva la revolución!treyka
 
Advanced Open IoT Platform for Prevention and Early Detection of Forest Fires
Advanced Open IoT Platform for Prevention and Early Detection of Forest FiresAdvanced Open IoT Platform for Prevention and Early Detection of Forest Fires
Advanced Open IoT Platform for Prevention and Early Detection of Forest FiresIvo Andreev
 
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...Priyanka Aash
 

Ähnlich wie A Game between Adversary and AI Scientist (20)

Strata Presentation: One Billion Objects in 2GB: Big Data Analytics on Small ...
Strata Presentation: One Billion Objects in 2GB: Big Data Analytics on Small ...Strata Presentation: One Billion Objects in 2GB: Big Data Analytics on Small ...
Strata Presentation: One Billion Objects in 2GB: Big Data Analytics on Small ...
 
Monitoring Big Data Systems - "The Simple Way"
Monitoring Big Data Systems - "The Simple Way"Monitoring Big Data Systems - "The Simple Way"
Monitoring Big Data Systems - "The Simple Way"
 
Elasticsearch Performance Testing and Scaling @ Signal
Elasticsearch Performance Testing and Scaling @ SignalElasticsearch Performance Testing and Scaling @ Signal
Elasticsearch Performance Testing and Scaling @ Signal
 
Lecture 02: Layered Architecture of Game Engine | GAMES104 - Modern Game Engi...
Lecture 02: Layered Architecture of Game Engine | GAMES104 - Modern Game Engi...Lecture 02: Layered Architecture of Game Engine | GAMES104 - Modern Game Engi...
Lecture 02: Layered Architecture of Game Engine | GAMES104 - Modern Game Engi...
 
게임을 위한 아마존웹서비스(AWS) (김일호 솔루션즈 아키텍트, AWS) :: Gaming on AWS 2018
게임을 위한 아마존웹서비스(AWS) (김일호 솔루션즈 아키텍트, AWS) :: Gaming on AWS 2018게임을 위한 아마존웹서비스(AWS) (김일호 솔루션즈 아키텍트, AWS) :: Gaming on AWS 2018
게임을 위한 아마존웹서비스(AWS) (김일호 솔루션즈 아키텍트, AWS) :: Gaming on AWS 2018
 
SplunkLive! Salt Lake City June 2013 - Ancestry.com
SplunkLive! Salt Lake City June 2013 - Ancestry.comSplunkLive! Salt Lake City June 2013 - Ancestry.com
SplunkLive! Salt Lake City June 2013 - Ancestry.com
 
Snowplow: open source game analytics powered by AWS
Snowplow: open source game analytics powered by AWSSnowplow: open source game analytics powered by AWS
Snowplow: open source game analytics powered by AWS
 
WSO2 Analytics Platform: The one stop shop for all your data needs
WSO2 Analytics Platform: The one stop shop for all your data needsWSO2 Analytics Platform: The one stop shop for all your data needs
WSO2 Analytics Platform: The one stop shop for all your data needs
 
WSO2Con USA 2015: WSO2 Analytics Platform - The One Stop Shop for All Your Da...
WSO2Con USA 2015: WSO2 Analytics Platform - The One Stop Shop for All Your Da...WSO2Con USA 2015: WSO2 Analytics Platform - The One Stop Shop for All Your Da...
WSO2Con USA 2015: WSO2 Analytics Platform - The One Stop Shop for All Your Da...
 
Neo4j: What's Under the Hood & How Knowing This Can Help You
Neo4j: What's Under the Hood & How Knowing This Can Help You Neo4j: What's Under the Hood & How Knowing This Can Help You
Neo4j: What's Under the Hood & How Knowing This Can Help You
 
Which library should you choose for data-science? That's the question!
Which library should you choose for data-science? That's the question!Which library should you choose for data-science? That's the question!
Which library should you choose for data-science? That's the question!
 
Towards a Practice of Token Engineering
Towards a Practice of Token EngineeringTowards a Practice of Token Engineering
Towards a Practice of Token Engineering
 
Azure Stream Analytics : Analyse Data in Motion
Azure Stream Analytics : Analyse Data in MotionAzure Stream Analytics : Analyse Data in Motion
Azure Stream Analytics : Analyse Data in Motion
 
Discover advanced threats with threat intelligence - Jeremy Li
Discover advanced threats with threat intelligence - Jeremy LiDiscover advanced threats with threat intelligence - Jeremy Li
Discover advanced threats with threat intelligence - Jeremy Li
 
Building search and discovery services for Schibsted (LSRS '17)
Building search and discovery services for Schibsted (LSRS '17)Building search and discovery services for Schibsted (LSRS '17)
Building search and discovery services for Schibsted (LSRS '17)
 
MLOps journey at Swisscom: AI Use Cases, Architecture and Future Vision
MLOps journey at Swisscom: AI Use Cases, Architecture and Future VisionMLOps journey at Swisscom: AI Use Cases, Architecture and Future Vision
MLOps journey at Swisscom: AI Use Cases, Architecture and Future Vision
 
Artificial Intelligence - AI For Everyone
Artificial Intelligence - AI For EveryoneArtificial Intelligence - AI For Everyone
Artificial Intelligence - AI For Everyone
 
STIX Patterning: Viva la revolución!
STIX Patterning: Viva la revolución!STIX Patterning: Viva la revolución!
STIX Patterning: Viva la revolución!
 
Advanced Open IoT Platform for Prevention and Early Detection of Forest Fires
Advanced Open IoT Platform for Prevention and Early Detection of Forest FiresAdvanced Open IoT Platform for Prevention and Early Detection of Forest Fires
Advanced Open IoT Platform for Prevention and Early Detection of Forest Fires
 
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
 

Mehr von Satnam Singh

InfoSec Deep Learning in Action
InfoSec Deep Learning in ActionInfoSec Deep Learning in Action
InfoSec Deep Learning in ActionSatnam Singh
 
Probabilistic signals and systems satnam singh
Probabilistic signals and systems satnam singhProbabilistic signals and systems satnam singh
Probabilistic signals and systems satnam singhSatnam Singh
 
Threat Hunting with Deceptive Defense and Splunk Enterprise Security
Threat Hunting with Deceptive Defense and Splunk Enterprise SecurityThreat Hunting with Deceptive Defense and Splunk Enterprise Security
Threat Hunting with Deceptive Defense and Splunk Enterprise SecuritySatnam Singh
 
Deep learning fundamentals workshop
Deep learning fundamentals workshopDeep learning fundamentals workshop
Deep learning fundamentals workshopSatnam Singh
 
Deception-Triggered Security Data Science to Detect Adversary Movements
Deception-Triggered Security Data Science to Detect Adversary MovementsDeception-Triggered Security Data Science to Detect Adversary Movements
Deception-Triggered Security Data Science to Detect Adversary MovementsSatnam Singh
 
AI for CyberSecurity
AI for CyberSecurityAI for CyberSecurity
AI for CyberSecuritySatnam Singh
 
Using Deception to Detect and Profile Hidden Threats
Using Deception to Detect and Profile Hidden ThreatsUsing Deception to Detect and Profile Hidden Threats
Using Deception to Detect and Profile Hidden ThreatsSatnam Singh
 
HawkEye : A Real-time Anomaly Detection System
HawkEye : A Real-time Anomaly Detection SystemHawkEye : A Real-time Anomaly Detection System
HawkEye : A Real-time Anomaly Detection SystemSatnam Singh
 
India software developers conference 2013 Bangalore
India software developers conference 2013 BangaloreIndia software developers conference 2013 Bangalore
India software developers conference 2013 BangaloreSatnam Singh
 
The Fifth Elephant - 2013 Talk - "Smart Analytics in Smartphones"
The Fifth Elephant - 2013 Talk - "Smart Analytics in Smartphones"The Fifth Elephant - 2013 Talk - "Smart Analytics in Smartphones"
The Fifth Elephant - 2013 Talk - "Smart Analytics in Smartphones"Satnam Singh
 
Big Data Analytics Insights Conference- Satnam
Big Data Analytics Insights Conference- SatnamBig Data Analytics Insights Conference- Satnam
Big Data Analytics Insights Conference- SatnamSatnam Singh
 

Mehr von Satnam Singh (11)

InfoSec Deep Learning in Action
InfoSec Deep Learning in ActionInfoSec Deep Learning in Action
InfoSec Deep Learning in Action
 
Probabilistic signals and systems satnam singh
Probabilistic signals and systems satnam singhProbabilistic signals and systems satnam singh
Probabilistic signals and systems satnam singh
 
Threat Hunting with Deceptive Defense and Splunk Enterprise Security
Threat Hunting with Deceptive Defense and Splunk Enterprise SecurityThreat Hunting with Deceptive Defense and Splunk Enterprise Security
Threat Hunting with Deceptive Defense and Splunk Enterprise Security
 
Deep learning fundamentals workshop
Deep learning fundamentals workshopDeep learning fundamentals workshop
Deep learning fundamentals workshop
 
Deception-Triggered Security Data Science to Detect Adversary Movements
Deception-Triggered Security Data Science to Detect Adversary MovementsDeception-Triggered Security Data Science to Detect Adversary Movements
Deception-Triggered Security Data Science to Detect Adversary Movements
 
AI for CyberSecurity
AI for CyberSecurityAI for CyberSecurity
AI for CyberSecurity
 
Using Deception to Detect and Profile Hidden Threats
Using Deception to Detect and Profile Hidden ThreatsUsing Deception to Detect and Profile Hidden Threats
Using Deception to Detect and Profile Hidden Threats
 
HawkEye : A Real-time Anomaly Detection System
HawkEye : A Real-time Anomaly Detection SystemHawkEye : A Real-time Anomaly Detection System
HawkEye : A Real-time Anomaly Detection System
 
India software developers conference 2013 Bangalore
India software developers conference 2013 BangaloreIndia software developers conference 2013 Bangalore
India software developers conference 2013 Bangalore
 
The Fifth Elephant - 2013 Talk - "Smart Analytics in Smartphones"
The Fifth Elephant - 2013 Talk - "Smart Analytics in Smartphones"The Fifth Elephant - 2013 Talk - "Smart Analytics in Smartphones"
The Fifth Elephant - 2013 Talk - "Smart Analytics in Smartphones"
 
Big Data Analytics Insights Conference- Satnam
Big Data Analytics Insights Conference- SatnamBig Data Analytics Insights Conference- Satnam
Big Data Analytics Insights Conference- Satnam
 

Kürzlich hochgeladen

Data-Analysis for Chicago Crime Data 2023
Data-Analysis for Chicago Crime Data 2023Data-Analysis for Chicago Crime Data 2023
Data-Analysis for Chicago Crime Data 2023ymrp368
 
Brighton SEO | April 2024 | Data Storytelling
Brighton SEO | April 2024 | Data StorytellingBrighton SEO | April 2024 | Data Storytelling
Brighton SEO | April 2024 | Data StorytellingNeil Barnes
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Mature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptxMature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptxolyaivanovalion
 
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service Amravati
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service AmravatiVIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service Amravati
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service AmravatiSuhani Kapoor
 
Carero dropshipping via API with DroFx.pptx
Carero dropshipping via API with DroFx.pptxCarero dropshipping via API with DroFx.pptx
Carero dropshipping via API with DroFx.pptxolyaivanovalion
 
100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptxAnupama Kate
 
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...Delhi Call girls
 
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service BhilaiLow Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service BhilaiSuhani Kapoor
 
Week-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interactionWeek-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interactionfulawalesam
 
VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...
VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...
VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...Suhani Kapoor
 
B2 Creative Industry Response Evaluation.docx
B2 Creative Industry Response Evaluation.docxB2 Creative Industry Response Evaluation.docx
B2 Creative Industry Response Evaluation.docxStephen266013
 
Introduction-to-Machine-Learning (1).pptx
Introduction-to-Machine-Learning (1).pptxIntroduction-to-Machine-Learning (1).pptx
Introduction-to-Machine-Learning (1).pptxfirstjob4
 
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...Suhani Kapoor
 
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al BarshaAl Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al BarshaAroojKhan71
 
Ravak dropshipping via API with DroFx.pptx
Ravak dropshipping via API with DroFx.pptxRavak dropshipping via API with DroFx.pptx
Ravak dropshipping via API with DroFx.pptxolyaivanovalion
 
Midocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFxMidocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFxolyaivanovalion
 
Log Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxLog Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxJohnnyPlasten
 

Kürzlich hochgeladen (20)

꧁❤ Aerocity Call Girls Service Aerocity Delhi ❤꧂ 9999965857 ☎️ Hard And Sexy ...
꧁❤ Aerocity Call Girls Service Aerocity Delhi ❤꧂ 9999965857 ☎️ Hard And Sexy ...꧁❤ Aerocity Call Girls Service Aerocity Delhi ❤꧂ 9999965857 ☎️ Hard And Sexy ...
꧁❤ Aerocity Call Girls Service Aerocity Delhi ❤꧂ 9999965857 ☎️ Hard And Sexy ...
 
Data-Analysis for Chicago Crime Data 2023
Data-Analysis for Chicago Crime Data 2023Data-Analysis for Chicago Crime Data 2023
Data-Analysis for Chicago Crime Data 2023
 
Brighton SEO | April 2024 | Data Storytelling
Brighton SEO | April 2024 | Data StorytellingBrighton SEO | April 2024 | Data Storytelling
Brighton SEO | April 2024 | Data Storytelling
 
VIP Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Boo...
VIP Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Boo...VIP Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Boo...
VIP Call Girls Service Charbagh { Lucknow Call Girls Service 9548273370 } Boo...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Mature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptxMature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptx
 
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service Amravati
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service AmravatiVIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service Amravati
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service Amravati
 
Carero dropshipping via API with DroFx.pptx
Carero dropshipping via API with DroFx.pptxCarero dropshipping via API with DroFx.pptx
Carero dropshipping via API with DroFx.pptx
 
100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx
 
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...
 
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service BhilaiLow Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
 
Week-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interactionWeek-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interaction
 
VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...
VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...
VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...
 
B2 Creative Industry Response Evaluation.docx
B2 Creative Industry Response Evaluation.docxB2 Creative Industry Response Evaluation.docx
B2 Creative Industry Response Evaluation.docx
 
Introduction-to-Machine-Learning (1).pptx
Introduction-to-Machine-Learning (1).pptxIntroduction-to-Machine-Learning (1).pptx
Introduction-to-Machine-Learning (1).pptx
 
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
 
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al BarshaAl Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
 
Ravak dropshipping via API with DroFx.pptx
Ravak dropshipping via API with DroFx.pptxRavak dropshipping via API with DroFx.pptx
Ravak dropshipping via API with DroFx.pptx
 
Midocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFxMidocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFx
 
Log Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxLog Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptx
 

A Game between Adversary and AI Scientist

  • 1. Satnam, Arunabha, Deepak, Waseem, Nirmesh, Santosh, Balamurali, Narayana Acalvio Technologies NULLCON March 3, 2018 A Game between Adversary and AI Scientist
  • 2. Who am I • At Acalvio from Day 1 • 15+ Years in DS, ML, AI • General Motors, Samsung Research, CA Technologies • Author- Patents, Tech Pubs and Tech Talks • Rock Climber
  • 3. Outline • Define the Problem • A possible solution - research work • Demos • Under the hood
  • 5. Can we play a game with adversary? Can we engage with adversary?
  • 6. Is adversary visible to defender? - Extensive reconnaissance of target and defender - Using the same tools and techniques as defender
  • 7. Is he a “Returning” Adversary? —> Compare Tools, Tactics and Procedures (TTPs)
  • 8. InfoSec Game: Assumptions • Unlike Chess, cyber game has infinite state space —> Use Mitre ATT@CK model to define the state space
  • 11. Defender’s Tools are at Perimeter Need new tools to detect adversary INSIDE the NETWORK
  • 12. Deceptions in Enterprise • Deceptions (D) • Emulations of Hosts, Applications, Database Servers, etc. • Real VM Hosts, Applications, etc. • Browser Cookies, Registry entries, etc. • Vulnerability in OS/ Application, Shares, etc. MUM-EPS-4343 Enterprise Network SOC segment Engineering Fiber Deceptions SOC Ops Segment Sales Operations MUM-EPS-4322 MUM-EPS-4453 SFO-GAMMA-2318 SFO-GAMMA-3123 BENG-ALPHA-4323 BENG-ALPHA-5662
  • 13. AI Engine Process Registry Bro … HIDS Log AI Engine
  • 15. 1: Recon - nmap • Defender detects it and provides a few RDP credentials on the endpoints Adversary Defender • Adversary performs recon and nmap to find out to the neighbourhood Demo>>
  • 16. 2: Obfuscated PowerShell Script • Adversary obfuscates PowerShell attack and executes in another host Adversary Defender • Defender detects obfuscated PowerShell commands Demo>>
  • 17. 3: Credentials Dump using PowerSploit and Mimikatz Adversary • Attacker dumps credentials using PowerSpoit and Mimikartz Defender • Defender detects PowerSploit and Mimikartz activities Demo>>
  • 18. 4: Data Exfilteration via DNS Tunnel • Adversary uses DNS Tunnel using DNSCat2 to exfiltrate the credentials Adversary Defender • Defender detects the DNS tunnel using AI Demo>>
  • 20. High Interaction AI Engine Adversary D Process Registry Winevent … HIDS Log HISH AI Engines Summarisation DNS Tunnel Detector Powershell Log Analyser
  • 21. HISH AI: HIDS Log Summarisation Summarised Notables Event Summarisation • Summarise attacker’s activities - New services, processes, tasks and changes etc. - File system changes, registry entries, etc. - Shell commands, Windows event and authentication logs etc.File Event Logs . . . Process Logs Registry Logs Win Events Logs
  • 22. HISH-AI: Summarisation Engine Raw Log Preprocessing Registry Logs File Logs . . . Process Logs Services Logs Bro Logs Rule & Baseline Based Filtering Domain Knowledge Rules Learned Baseline Baseline Summarised Notables Attack Scenarios Input Logs Output Notables Incident 1 60K 16 Incident 2 6K 5 Incident 3 70K 6 Process-based Summarisation
  • 23. HISH-AI: PowerShell Log Engine PreProcessing Command N-GRAM Character N-GRAM Obfuscation Detection Model Tactic Detection Model Obfuscation Prediction Tactic Prediction (Privilege Escalation, Lateral Movement, Exfiltration) PowerShell Logs Tensorflow ANN Classifier
  • 24. HISH-AI:Data exfiltration using DNS Tunnel dns tunnel server (dnstunnel.com) dns traffic local dns server dns tunnel client web traffic data.dnstunnel.com dns query: data.dnstunnel.com DNS Tunnelling Tools Iodine, dnscat2, Ozyman Enterprise Network
  • 25. HISH-AI: DNS Tunnel Detection DNS logs Flow-based features Deep learning based ModelPacket metadata- based features DNS Tunnel prediction Model update TensorFlow DNS tunnel detection output: • IP and domain of tunnelling server: dnstunnel.com • tunnel start time: 26-02-2018 19:43:37 • tunnel end time: 26-02-2018 19:53:37
  • 27. Formally Defining A Game Defining Game - The Normal Form Finite 2-person normal form game: <N,A,u>: - Players: N={Adversary, Defender} is a finite set of 2 players, indexed by i - Action set for player i — Ai a={a1,...,an} - Utility function or Payoff function for player i: ui u=(u1,...,un) is a profile of utility functions
  • 28. InfoSec Game Carry out attack Quit Allow the attack 1,2 2,1 Block the adversary 2,2 2,0 Adversary Defender • Too simplistic • How to scale it for the real world? • How do we learn in real time? • "Row" player is Defender, "column" player is Adversary
  • 29. Model as Reinforcement Learning Problem • Break the problem into Subproblems and learn in real-time • Model it as Reinforcement Learning Problem
  • 30. Summary • Playing a game needs “Visibility” of the adversary • Need to surface signal in low SNR • Fusion of Deception+AI gives a way to engage with the adversary