ML for Security Monitoring
Santisook Limpeeticharoenchot
Managing Director
Agenda
• Why ML for Security Monitoring ?
• Overview of Machine Learning
• Apply Theory to Practice
• ML for Security Example.
• DataScience Process for Security
• Q&A
Fraud
Bad Actors Ransomware
IP Theft
Application Performance
Identity Theft
Key Performance Indicators
Network Intrusion
Malware
Exfiltration
Cyber-attacks
Zero-day
Compromised Credentials
SCADA Security
Hardware Deterioration
Known & Unknown Threat
The Current IT Situation
[figure: a grid of VMs]
• Fluid infrastructure
• Distributed applications
• Continuous deployment
Data Breaches:
Detected Late.
Undetected.
Moving from Protective
to Defensive
Current State Of Security Monitoring: #monitoringsucks
Measure Everything
➢ Collect thousands of metrics and logs, most of them never used
➢ Analytics methods are too simple and uncorrelated; they do not help resolve outages
Threshold = alert overload
➢ Too many false positives
➢ Hundreds of alerts a day, most of them ignored
IT and security operations have become a big data challenge
“The [traditional] tools present us with the raw data, and lots of it, but sufficient insight into the actual meaning buried in all that data is still remarkably scarce”
- Turn Big Data Inward With IT Analytics, Forrester Research
Difficult to Tell Normal from Abnormal
Watching screens cannot scale, and it is not useful anyway
Wall of Charts
Human brains are good at detecting patterns; on the other hand, humans get lost in volume and detail
Need the cognitive equivalent of THIS! [figure]
Why Machine Learning, not just Big Data?
Terms and definitions
[figure: nested sets, Artificial Intelligence ⊃ Machine learning ⊃ Deep learning; algorithms are either supervised or unsupervised]
source:www.ibm.com
Traditional Computers vs. Artificial Intelligence
Traditional Programs
• Pre-programmed: produce the same result every time for the same input
• Deterministic: an answer is either right or wrong
• One-dimensional: built for one or a limited purpose
Artificial Intelligence
• Machine learning: adjusts its model parameters (not its code) from data to improve results
• Stochastic: outputs are probabilities
• Multi-dimensional: potential for more general purposes
source:www.ibm.com
Traditional Programs vs. Machine Learning
[figure: two flows]
Traditional programs: data + static code → real-world result
Machine learning: data + algorithm → hypothesis (model) → real-world result, with feedback from the result used to refine the hypothesis
source:www.ibm.com
Enter Machine Learning!
What: “Field of study that gives computers the ability to learn
without being explicitly programmed” – Arthur Samuel, 1959
How: Generalizing (learning) from examples (data)
Training & Prediction Process
source:conf2016,splunk
Type of Machine Learning
[figure: supervised learning vs. unsupervised learning]
Supervised Learning
Classification: Applying labels
[figure: labeled triangles and squares are used to learn a classifier, which is then applied to label a new shape]
Predict/Forecast
[figure: a trend is learned from past values and applied to forecast future ones]
ALERT: Will reach capacity in 2 hours. Provision more servers.
Unsupervised Learning
Clustering: Grouping similar things
Anomaly Detection: Find unusual stuff
Time Series Anomaly Detection
source:conf2016,splunk
Anomaly Detection
EXAMPLES (Prelert detector syntax: “by” splits the analysis per entity, “over” compares an entity against the whole population)
• Deviations in counts or values = “responsetime by host”, “count by error_type”
• Rare events = “rare by EventID”, “rare by process”
• Unusual vs. peers = “sum(bytes) over client_ip”
source:prelert.com
Evolution of Malware Detection
• Signature-based: potential malware is matched against known “bad”
• Behavior-based: potential malware is matched against known bad behavior
• Heuristics/sandboxing: potential malware is executed and its indicators are tested
• Statistical inference: potential malware is scored with probabilities
source:www.ibm.com
Real world applications for Machine Learning
• Fraud: credit card fraud, spam, DLP
• Automated recognition: face, handwriting
• Capacity planning: product stocking, server provisioning
• Anomaly detection for security and IT operations
• Product recommendations
• Customer segmentation
• Medical diagnoses
…
Customer Use Case: Detect Network Outliers
Reduced downtime + increased service availability = better customer satisfaction
ML Use Case
Monitor noise rise for 20,000+ cell towers to increase service and device availability and reduce MTTR
Technical overview
• A customized solution deployed in production based on outlier detection.
• Leverages the previous month's data and voting algorithms
“The ability to model complex systems and alert on deviations is where IT and security operations are headed … Splunk Machine Learning has given us a head start...”
source:www.splunk.com
Reliable website updates
Proactive website monitoring leads to reduced downtime
ML Use Case
• Very frequent code and config updates (1000+ daily) can cause site issues
• Find errors in server pools, then prioritize actions and predict root cause
Technical overview
• Custom outlier detection built using the ML Toolkit Outlier assistant
• Built by a Splunk Architect with no data science background
“Splunk ML helps us rapidly improve end-user experience by ranking issue severity, which helps us determine root causes faster, thus reducing MTTR and improving SLA”
source:www.splunk.com
Theory of Distribution Functions for Anomaly Detection
Bell-shaped distribution: Gaussian or Normal distribution
Normal distributions are really useful
• Powerful predictions follow from the statistical properties of the data, and many naturally occurring processes are approximately normal
• Different metrics can be compared easily because they share the same statistical properties
• Examples: population height, IQ distributions, widget sizes and weights in manufacturing
• There is a HUGE body of statistical work on parametric techniques for normally distributed data
source:conf2016,splunk
Can you tell?
[figures: three histograms; the first is normal, the other two are not]
source:conf2016,splunk
Example: Three-Sigma Rule
For normally distributed data:
– ~68% of the values lie within 1 standard deviation of the mean
– ~95% of the values lie within 2 standard deviations
– ~99.7% of the values lie within 3 standard deviations; anything further out is treated as an outlier
The rule only holds if the data is close to normal; on skewed or heavy-tailed data it flags far more (or far fewer) points than the expected 0.3%
source:conf2016,splunk
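The three-sigma rule as working code, added here as an illustration (it is not from the slides or from Splunk): a Gaussian baseline is fitted on a clean training window and new daily counts are flagged when they fall more than three standard deviations from the mean. The daily email totals are constructed for the example; masking_demo also shows why the baseline must be fitted on data that does not already contain the spike you want to catch.

```python
"""Three-sigma anomaly detection on a univariate daily count.

Added example (not from the slides or from Splunk): a Gaussian baseline is
fitted on a clean training window, then new observations are scored as
z = (x - mean) / std and flagged when |z| > 3.  All data below is constructed.
"""
from statistics import mean, pstdev

# Constructed: 30 days of "emails sent per day" for one sender, no incidents.
TRAINING_DAYS = [38, 42, 40, 41, 39, 40, 43, 37, 40, 41] * 3

# Constructed: five new days to score; 46, 120 and 33 lie outside 3 sigma.
NEW_DAYS = [40, 44, 46, 120, 33]


def fit_gaussian(values):
    """Return (mean, population std) of the training window."""
    if len(values) < 2:
        raise ValueError("need at least two observations to fit a baseline")
    return mean(values), pstdev(values)


def three_sigma_bounds(mu, sigma, k=3.0):
    """Lower and upper limits mean -/+ k*std."""
    return mu - k * sigma, mu + k * sigma


def score(values, mu, sigma, k=3.0):
    """Return [(index, value, z)] for observations beyond k standard deviations."""
    if sigma == 0:
        # Constant training data: any change at all is unusual; flag it
        # instead of dividing by zero.
        return [(i, v, float("inf")) for i, v in enumerate(values) if v != mu]
    low, high = three_sigma_bounds(mu, sigma, k)
    out = []
    for i, v in enumerate(values):
        if v < low or v > high:
            out.append((i, v, (v - mu) / sigma))
    return out


def masking_demo():
    """Why the baseline must be fitted on clean data: one 1500-recipient day
    inside the training window inflates sigma so much that a 120-recipient
    day no longer looks anomalous (the big outlier 'masks' the smaller one)."""
    mu_clean, sd_clean = fit_gaussian(TRAINING_DAYS)
    mu_dirty, sd_dirty = fit_gaussian(TRAINING_DAYS + [1500])
    flagged_clean = [v for _, v, _ in score([120], mu_clean, sd_clean)]
    flagged_dirty = [v for _, v, _ in score([120], mu_dirty, sd_dirty)]
    return sd_clean, sd_dirty, flagged_clean, flagged_dirty


if __name__ == "__main__":
    mu, sd = fit_gaussian(TRAINING_DAYS)
    print(f"baseline mean={mu:.1f} std={sd:.2f} bounds={three_sigma_bounds(mu, sd)}")
    for i, v, z in score(NEW_DAYS, mu, sd):
        print(f"day {i}: {v} (z={z:+.1f}) ANOMALY")
    print("masking demo (std clean, std dirty, flagged clean, flagged dirty):", masking_demo())
```

On the constructed window the baseline is mean 40.1 and std 1.7, so the limits are roughly 35 to 45 and days with 46, 120 and 33 recipients are flagged while 44 is not. With the 1500-recipient day included in the training data the std jumps to several hundred and the 120 day passes unnoticed, which is the practical reason the slides later move to a median/percentile baseline and to splitting training from test data.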
Probabilistic Modeling and Analysis
[figure: a Gaussian ML model fitted to the observed values X; likelihood on the vertical axis, outliers in the low-likelihood tails]
source:prelert.com
Apply Theory to Practice: Network Security Monitoring
Security Applications of ML
• Fraud detection systems:
– Is what this user just did consistent with their past behavior?
• Network anomaly detection:
– In practice often little more than bad statistical analysis
• Predicting the likelihood of attack actors:
– Create different predictive models and chain them to gain more confidence at each step
Source:mlsecproject.org
Kinds of Network Security Monitoring
• Alert-based:
– “Traditional” log management
– SIEM
– Using “Threat Intelligence” (i.e. blacklists) for about a year or so
– Lack of context
– Low effectiveness
– You get the results handed over to you
• Exploration-based:
– Network forensics tools
– High effectiveness
– Lots of people necessary
– Lots of HIGHLY trained people
• Big Data Security Analytics (BDSA):
– Run exploration-based monitoring on Hadoop
– More like Big Data Security Monitoring (BDSM)
Source:mlsecproject.org
Correlation Rules: A Primer
• Rules in a SIEM solution invariably are:
– “Something” has happened “x” times;
– “Something” has happened and another “something2” has happened, with some relationship (time, same fields, etc.) between them.
• Configuring a SIEM = iterate on combinations until:
– Customer or management is satisfied;
– Consulting money runs out
• Behavioral rules (anomaly detection) help a bit with the “x”s, but are still very laborious and time consuming.
Source:mlsecproject.org
Why is this so challenging using traditional methods?
[diagram: historical data (DB, Hadoop/S3/NoSQL, Splunk) from T minus a few days, real-time data, and statistical models (anomaly detection or machine learning) projecting to T plus a few days, feeding the SIEM, Security Operations Center, Network Operations Center and Business Operations Center]
• DATA IS STILL IN MOTION, still in a BUSINESS PROCESS
• Enrich real-time MACHINE DATA with structured HISTORICAL DATA
• Make decisions IN REAL TIME using ALL THE DATA
• Combine LEADING and LAGGING INDICATORS (KPIs)
source:conf2016,splunk
Anomaly Detection & Machine Learning
What is AD?
Types of security anomalies: spikes in activity, rare events, first-observed, outliers, state change, simple existence
What do these have in common? They are all time-based.
The basic comparison parameter is self-comparison over time; advanced parameters add peer-based comparison.
What is ML?
Supervised ML
–Classification/Regression
Unsupervised ML
–Clustering
Semi-Supervised
–Rule-based AD
For AD and security, ML can
establish a baseline of normal
(negative) values
source:conf2016,splunk
Unsupervised Learning
Unsupervised Machine Learning
– You have unlabeled data and want to group the data by feature(s)
– The algorithm makes its own structure out of the data
– You do not know what outliers look like
– Good for the data exploration phases of security anomaly detection
– Examples used in security applications include:
Clustering: k-means, k-medians, Expectation Maximization
Association: less relevant because in highly structured searches we are less concerned with
associations between fields for security anomaly detection
source:conf2016,splunk
Supervised Learning
Supervised Machine Learning
– You have labeled data and the algorithm predicts the output
– Classification vs. Regression
– Example ML algorithms include:
Linear and Logistic Regression
Random Forest
Support Vector Machine
(DBSCAN, sometimes listed here, is a density-based clustering algorithm and belongs with the unsupervised methods)
Semi-Supervised Machine Learning
– You have “some” labeled data, but not all
– Most security ML applications fall in this category
– Label Propagation
– Rule-based anomaly detection
For SECURITY-PURPOSED
applications of ML, a combination
of unsupervised, supervised, and
Semi-Supervised learning
algorithms is a best practice
In realistic applications, security-purposed
AD requires highly structured data and
human training of the algorithm
source:conf2016,splunk
ML 101 for Security Monitoring
• Machine Learning (ML) is a process for generalizing from examples
– Examples = example or “training” data
– Generalizing = build “statistical models” to capture correlations
– Process = ML is never done, you must keep validating & refitting models
• Simple ML workflow:
– Explore data
– FIT models based on data
– APPLY models in production
– Keep validating models
source:conf2016,splunk
The ML Process
Problem: <Stuff in the world> causes big time & money expense
Solution: Build predictive model to forecast <possible incidents>, act pre-emptively & learn
1.Get all relevant data to problem
2.Explore data & build KPIs
3.Fit, apply & validate models on past / real-time data
4.Predict and act. Identify notable events, create alerts
5.Surface incidents to X Ops, who INVESTIGATES & ACTS
Operationalize
source:conf2016,splunk
Security: Find Insider Threats
Problem: Security breaches cause big time & money expense
Solution: Build predictive model to forecast threat scenarios, act pre-emptively & learn
1. Get security data (data transfers, authentication, incidents)
2. Explore data & build KPIs
3. Fit, apply & validate models on past / real-time data
4. Predict and act. Identify anomalous behaviors, create alerts
5. Surface incidents to Security Ops, who INVESTIGATES & ACTS
Operationalize
source:conf2016,splunk
Machine Learning in IT Operation.
Adaptive Thresholding:
• Learn baselines & dynamic thresholds
• Alert & act on deviations
• Manage for 1000s of KPIs & entities
• Stdev/Avg, Quartile/Median, Range
Anomaly Detection:
• Employ machine learning to baseline normal
operations and alert on anomalous conditions
• Identify abnormal trends and patterns in KPI data
source:conf2016,splunk
Finds the Deviation perfectly
[chart: a periodic series with the single deviation marked]
• No extraneous false alarms
• Automatic periodicity
source:prelert.com
Find Important IDS/IPS Events
Challenge: How do you find the signs of advanced threats amid thousands of daily high-severity alerts?
▪ Difficulty of creating effective rules results in a high false positive rate
▪ Advanced Evasion Techniques (AETs) are well known to attackers
Solution: Let machine learning filter out normal ‘noise’ and identify unusual counts, signatures, protocols and destinations by source
• Anomaly Detective generates a dozen or so alerts per week
• Accuracy and alert detail enable faster determination of threat level
source:prelert.com
Rare Items as Anomalies
Use Case: Learn typical processes on each host
Find rare processes that “start up and communicate”
source:prelert.com
Finds the RARE anomaly perfectly
• finds an FTP process running for 3 hours on a system that does not normally run it
source:prelert.com
Population / Peer Outliers
Use Case: Find users behaving much differently than the others
source:prelert.com
Find the Unusual USER Perfectly
• Host sending 20,000 requests/hr
• Attempt to hack an IIS webserver
source:prelert.com
Low and Slow – Automated Logins
A user failing logins all day, a few at a time, never tripping a simple count threshold
= “dc(date_hour) over user” (distinct hours with failed logins per user, compared across the user population)
source:prelert.com
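The dc(date_hour) over user detector as an added Python example (not from the slides or from Prelert), run over constructed authentication log lines in an invented key=value format: failed logins are grouped per user, the distinct hours are counted, and a user is flagged when that count is both large in absolute terms and far above the peer median. The thresholds min_hours and peer_factor are assumptions for the example.

```python
"""Low-and-slow login failures: dc(date_hour) over user.

Added example, not from the slides or Prelert: parses constructed auth log
lines, counts the distinct hours in which each user failed to log in, and
flags users whose hour count is far above their peers.  The log format,
user names and thresholds are invented for the example.
"""
from collections import defaultdict
from statistics import median

# Constructed log lines: "<ISO timestamp> user=<name> result=<OK|FAIL> src=<ip>"
LOG_LINES = (
    # alice: three failures, all in the same hour (fat-fingered password)
    [f"2016-08-01T09:{m:02d}:00 user=alice result=FAIL src=10.0.0.11" for m in (2, 5, 9)]
    # bob: two failures in two different hours; carol: a successful login
    + ["2016-08-01T09:30:00 user=bob result=FAIL src=10.0.0.12",
       "2016-08-01T14:10:00 user=bob result=FAIL src=10.0.0.12",
       "2016-08-01T08:00:00 user=carol result=OK src=10.0.0.13"]
    # svc_backup: one failure in every hour of the day, slow automated guessing
    + [f"2016-08-01T{h:02d}:17:00 user=svc_backup result=FAIL src=10.0.0.99" for h in range(24)]
)


def parse(line):
    """Split one log line into a dict of fields plus the integer hour."""
    ts, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    fields["hour"] = int(ts[11:13])
    return fields


def distinct_fail_hours(lines):
    """dc(date_hour) by user, restricted to failed logins."""
    hours = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev.get("result") == "FAIL":
            hours[ev["user"]].add(ev["hour"])
    return {user: len(h) for user, h in hours.items()}


def low_and_slow_users(lines, min_hours=6, peer_factor=3.0):
    """Population comparison ('over user'): flag users that fail in at least
    min_hours distinct hours and more than peer_factor times the peer median."""
    dc = distinct_fail_hours(lines)
    if not dc:
        return []
    peer_median = median(dc.values())
    return sorted(u for u, n in dc.items()
                  if n >= min_hours and n > peer_factor * peer_median)


if __name__ == "__main__":
    print(distinct_fail_hours(LOG_LINES))
    print("low-and-slow:", low_and_slow_users(LOG_LINES))
```

A per-user failure count would not separate svc_backup (24 failures spread over 24 hours) from a clumsy user who types a wrong password 24 times in one minute; the distinct-hour feature does, and comparing against the population median rather than a fixed number keeps the detector meaningful on a weekday when every user has a couple of failed attempts.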
Machine Learning in Event Correlation
• Reduce event clutter, false positives and extensive rules
maintenance
• Events are auto-grouped together (suppressed, de-duplicated)
• Easily provide feedback on auto-grouping of events &
alerts
source:conf2016,splunk
Cluster IPs based on Security Alerts
source:conf2016,splunk
(Security) Data Scientist
Data Science Venn Diagram by Drew Conway
• “Data Scientist (n.): Person who is better at statistics than any software engineer and better at software engineering than any statistician.”
-- Josh Wills, Cloudera
Data Science Cycle For Security
[cycle diagram]
• Determine use-case
• Computational scaling/storage
• Data mining & exploration
• Data validating & cleaning
• Machine learning & anomaly detection model
• Model testing
• Alerts & visualization
• Refinement
source:conf2016,splunk
Example : Email Use-Case
Your company has been hit with a large
number of phishing emails that were not
detected by traditional signature-based tools
Several employees have clicked on the
phishing link and entered their credentials
The adversary has taken over several
accounts and sent thousands of additional
emails, internal and external
Use-Case
Deep Dive
source:conf2016,splunk
Where Are We In The Platform?
Use-Case Deep Dive
[diagram of the SIEM platform: log sources → short-term storage → API → 3rd-party computations (machine learning, anomaly detection) → model testing & validation → alerts & visualizations, with exploration/mining and cleaning/validation stages alongside]
source:conf2016,splunk
3rd party ML Calculations: all are open source products
source:conf2016,splunk
Data Mining & Exploration
What looks interesting in this sourcetype? What could be used to detect an anomaly? What is important to note about the events?
ML & AD for Security Best Practice: validate data by viewing your own actions on the network. Send an email to yourself, then to a co-worker, then to several people, etc. as a validation test; trace the actions through Splunk
sourcetype="MSExchange:2010:MessageTracking"
source:conf2016,splunk
Data Cleaning
sourcetype="MSExchange:2010:MessageTracking" sender="toby.ryan@emerson.com" recipient_count!=NONE | dedup message_id sortby _time | table _time directionality sender recipient message_subject message_id recipient_count total_bytes | sort -_time
What fields are best poised for measuring? What fields provide enough context for analysis?
source:conf2016,splunk
ML & AD Model
What features do we choose? Supervised?
Unsupervised? Classification? What statistical model do
we choose?
Start by clustering all data
• Splunk “cluster” command for text and “kmeans” for numerical fields
| stats count by {field being measured}
ML & AD for Security Best Practice:
From an incident response perspective,
highly structured and single feature
data is required to minimize time
considering false positives
source:conf2016,splunk
K-Means Clustering
Use-Case Deep Dive
sourcetype="MSExchange:2010:MessageTracking" sender="*@emerson.com" recipient_count!=NONE | dedup message_id … | kmeans k=5 daily_total | stats count by CLUSTERNUM centroid_daily_total
source:conf2016,splunk
Training Data And The ML Process
Collect a set of training data (univariate/single feature/single field)
• In our case, it is 60-120 days worth of daily email totals
• Next, split the data by time into 3 groups: training set, cross-validation set,
test set
Determine if your dataset is Gaussian (Normal Distribution)
ML & AD for Security Best Practices:
-Split historical data 60-20-20 into training, cross-validation, and test sets
source:conf2016,splunk
Algorithm Selection
Inter-Quartile Range (IQR) limits are a good place to start; for a normal distribution IQR ≈ 1.35σ, so the median ± 2×IQR limits used below correspond to roughly ±2.7σ
We can test back in Splunk for specific cluster users
Other options available include:
– Scikit-learn.org has the Python modules
– MATLAB, GNU Octave, and R all have extensive ML and AD packages
– Python has easy Gaussian (normality) tests, used in this example:
• scipy.stats.mstats.normaltest
• scipy.stats.shapiro
Scikit-Learn has in-depth explanations of each algorithm and command descriptions such as “fit(x)” and “predict(x)”, etc.
source:conf2016,splunk
Model Testing: 1
sourcetype="MSExchange:2010:MessageTracking" sender="xxxx@xxxx.com" recipient_count!=NONE | dedup message_id sortby _time | table _time directionality sender recipient message_subject message_id recipient_count total_bytes | timechart sum(recipient_count) as daily_total span=1d | eventstats median(daily_total) as median, p25(daily_total) as p25, p75(daily_total) as p75, mean(daily_total) as mean | eval iqr = p75 - p25 | eval xplier = 2 | eval low_lim = median - (iqr * xplier) | eval high_lim = median + (iqr * xplier) | eval anomaly = if(daily_total < low_lim OR daily_total > high_lim, daily_total, 0) | table _time daily_total anomaly
[chart: the first model marks one true positive and several false positives]
source:conf2016,splunk
Model Testing: 2
sourcetype="MSExchange:2010:MessageTracking" sender="toby.ryan@emerson.com" recipient_count!=NONE | dedup message_id sortby _time | table _time directionality sender recipient message_subject message_id recipient_count total_bytes | timechart sum(recipient_count) as daily_total span=1d | eventstats median(daily_total) as median, p10(daily_total) as p10, p90(daily_total) as p90, mean(daily_total) as mean | eval iqr = p90 - p10 | eval xplier = 2 | eval low_lim = median - (iqr * xplier) | eval high_lim = median + (iqr * xplier) | eval anomaly = if(daily_total < low_lim OR daily_total > high_lim, daily_total, 0) | table _time daily_total anomaly
source:conf2016,splunk
Validating Models
• How can we validate models?
Precision = (# of correct positive values) / (# of all positive results)
Recall = (# of correct positive values) / (# that should have been positive)
F1 Score = 2 × (precision × recall) / (precision + recall)
The F1 Score is the harmonic mean of precision and recall; F1 is best at a value of 1 and worst at a value of 0.
First model: F1 = 0.4
Second model: F1 = 1.0
Beware of creating false negatives by tuning too much too quickly; tuning is an iterative process over time
source:conf2016,splunk
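The two searches above and the precision/recall/F1 check, as an added Python example that is not from the slides or from Splunk: the same median ± xplier × (p_hi − p_lo) arithmetic is applied to a constructed 20-day series with analyst-labelled anomalies, once with p25/p75 and once with p10/p90, and each model is scored against the labels. The percentile function uses linear interpolation, which can differ slightly from Splunk's perc functions; the day values and labels are constructed.

```python
"""Median/IQR anomaly limits plus precision, recall and F1.

Added example, not from the slides: re-implements the logic of the two
Splunk searches (median +/- xplier * (p_hi - p_lo)) in plain Python and scores
each model against labelled days.  Data below is constructed; the percentile
uses linear interpolation, which can differ slightly from Splunk's perc<N>().
"""

# Constructed: 20 days of daily recipient totals for one sender.
DAILY_TOTAL = [30, 45, 25, 60, 40, 35, 120, 50, 28, 33,
               1500, 42, 38, 130, 31, 47, 36, 900, 29, 44]
# Analyst labels (ground truth): the 1500- and 900-recipient days are the
# phishing blasts; the 120/130 days are legitimate all-hands mails.
TRUE_ANOMALY_DAYS = {10, 17}


def percentile(values, p):
    """p-th percentile (0-100) with linear interpolation between ranks."""
    if not values:
        raise ValueError("empty series")
    s = sorted(values)
    rank = (p / 100.0) * (len(s) - 1)
    lo = int(rank)
    hi = min(lo + 1, len(s) - 1)
    return s[lo] + (s[hi] - s[lo]) * (rank - lo)


def iqr_limits(values, p_lo=25, p_hi=75, xplier=2.0):
    """Same arithmetic as the search: limits = median +/- xplier * (p_hi - p_lo)."""
    median = percentile(values, 50)
    spread = percentile(values, p_hi) - percentile(values, p_lo)
    return median - xplier * spread, median + xplier * spread


def detect(values, **kw):
    """Indices whose value falls outside the limits (the 'anomaly' column)."""
    low, high = iqr_limits(values, **kw)
    return {i for i, v in enumerate(values) if v < low or v > high}


def precision_recall_f1(flagged, truth):
    """Precision, recall and F1 of a flagged set against the labelled set."""
    tp = len(flagged & truth)
    precision = tp / len(flagged) if flagged else 0.0
    recall = tp / len(truth) if truth else 0.0
    f1 = (2 * precision * recall / (precision + recall)
          if precision + recall else 0.0)
    return precision, recall, f1


def evaluate_models(values=DAILY_TOTAL, truth=TRUE_ANOMALY_DAYS):
    """Model 1: p25/p75 (as in 'Model Testing: 1'); model 2: p10/p90."""
    results = {}
    for name, lo, hi in (("p25_p75", 25, 75), ("p10_p90", 10, 90)):
        flagged = detect(values, p_lo=lo, p_hi=hi)
        results[name] = (sorted(flagged), precision_recall_f1(flagged, truth))
    return results


if __name__ == "__main__":
    for name, (flagged, (p, r, f1)) in evaluate_models().items():
        print(f"{name}: flagged days {flagged}  precision={p:.2f} recall={r:.2f} F1={f1:.2f}")
```

On the constructed series the p25/p75 model flags four days (two phishing blasts plus the two all-hands mails) for precision 0.5, recall 1.0 and F1 0.67, and the p10/p90 model flags exactly the two labelled days for F1 1.0. One caveat the numbers hide: because eventstats computes the limits over the same window that is being scored, the anomalies themselves push p90 upwards (here it lands between the 130 and the 900 day), which is part of why the wider model looks perfect. In production, fit the limits on the training split and apply them to the cross-validation and test splits, as the 60-20-20 rule above recommends.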
Alerts & Visualizations
• The output of the off-Splunk calculations can be picked
up by the Splunk UF or written to a flat file
• Allows the user to capitalize on the Splunk interface
• Advantages/Disadvantages of Indexing and
Sourcetyping:
• Treat like any other data source for calculations
• Technically “re-indexing” data, however anomaly data sets
will be small
source:conf2016,splunk
Refinement
• Treat different clusters with different models
• Continually validate data and results
• Understand why false positives come up
• Add length to training data time if possible
• If a cluster is not Gaussian, try other models, or try to fit the data to
a Normal Distribution
• Compare simple rule-based models such as 3 x mean = anomaly
source:conf2016,splunk
Domain Expert on Insider Email Analytics
Consider not only a large number of recipients outside a user's normal behavior, but also the number of new recipients
What is the average number of new recipients an employee emails each day? One? Five? Establish a set of training data and record the unique recipients over 60 days
Create an anomaly detection that fires when the number of new recipients exceeds the baseline variance
Add this to the “# of recipients per day” feature for a higher-fidelity alert.
source:conf2016,splunk
Key Takeaways
• Machine Learning is an evolution in the tools available to us
• ML is not one thing; it is many different types of things that can be applied to different types of problems
• ML applications and techniques vary, so like any other tool it helps to use the right tool for the right problem space
• SIEMs are adding capabilities to support ML algorithms and make our life easier.
Machine Learning in Splunk ITSI
Adaptive Thresholding:
• Learn baselines & dynamic thresholds
• Alert & act on deviations
• Manage for 1000s of KPIs & entities
• Stdev/Avg, Quartile/Median, Range
Anomaly Detection:
• Find “hiccups” in expected patterns
• Catches deviations beyond thresholds
• Uses advanced proprietary algorithm
User Behavior Analytics (UBA) in Splunk
• Understand normal & anomalous behaviors for ALL users
• UBA detects Advanced Cyberattacks and Malicious Insider Threats
• Lots of ML under the hood:
– Behavior Baselining & Modeling
– Anomaly Detection (30+ models)
– Advanced Threat Detection
• E.g., Data Exfil Threat:
– “Saw this strange login & data transfer for user mpittman at 3am in China…”
– Surface threat to SOC Analysts
Splunk Machine Learning Toolkit
Assistants: Guide model building, testing & deployment for common objectives
Showcases: Interactive examples for typical IT, security, business, IoT use cases
SPL ML Commands: New commands to fit, test and operationalize models
Python for Scientific Computing Library:
300+ open source algorithms available for use
Build custom analytics for any use case
Reference
• https://conf.splunk.com/sessions/2016-sessions.html
• https://conf.splunk.com/files/2016/slides/demystifying-machine-learning-and-anomaly-detection-practical-applications-in-splunk-for-insider-threat-detection-and-security-analytics.pdf
• https://conf.splunk.com/files/2016/slides/solve-big-problems-with-machine-learning.pdf
• https://conf.splunk.com/files/2016/slides/a-very-brief-introduction-to-machine-learning-for-itoa.pdf
• https://www.slideshare.net/eburon/machine-learning-security-ibm-seoul-compressed-version?qid=9256cc75-07e5-46fc-9539-27a496c877ba&v=&b=&from_search=1
• www.prelert.com
• www.MLsecproject.org
Q&A
Thank you

 

Similar to Navy security contest-bigdataforsecurity (20)

Splunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior AnalyticsSplunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior Analytics
 
BsidesLVPresso2016_JZeditsv6
BsidesLVPresso2016_JZeditsv6BsidesLVPresso2016_JZeditsv6
BsidesLVPresso2016_JZeditsv6
 
Machine Learning + Analytics in Splunk
Machine Learning + Analytics in Splunk Machine Learning + Analytics in Splunk
Machine Learning + Analytics in Splunk
 
Security Breakout Session
Security Breakout Session Security Breakout Session
Security Breakout Session
 
FINAL_SCFm50000_JonPapp_CAA_The_Practical_Benefits_of_a_Behavioral_Solution_f...
FINAL_SCFm50000_JonPapp_CAA_The_Practical_Benefits_of_a_Behavioral_Solution_f...FINAL_SCFm50000_JonPapp_CAA_The_Practical_Benefits_of_a_Behavioral_Solution_f...
FINAL_SCFm50000_JonPapp_CAA_The_Practical_Benefits_of_a_Behavioral_Solution_f...
 
Splunk for Enterprise Security Featuring UBA
Splunk for Enterprise Security Featuring UBASplunk for Enterprise Security Featuring UBA
Splunk for Enterprise Security Featuring UBA
 
Building a Security Information and Event Management platform at Travis Per...
 	Building a Security Information and Event Management platform at Travis Per... 	Building a Security Information and Event Management platform at Travis Per...
Building a Security Information and Event Management platform at Travis Per...
 
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout Session
 
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout Session
 
Splunk for Enterprise Security and User Behavior Analytics
 Splunk for Enterprise Security and User Behavior Analytics Splunk for Enterprise Security and User Behavior Analytics
Splunk for Enterprise Security and User Behavior Analytics
 
Splunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior Analytics Splunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior Analytics
 
Machine Learning & IT Service Intelligence for the Enterprise: The Future is ...
Machine Learning & IT Service Intelligence for the Enterprise: The Future is ...Machine Learning & IT Service Intelligence for the Enterprise: The Future is ...
Machine Learning & IT Service Intelligence for the Enterprise: The Future is ...
 
Splunk for Enterprise Security Featuring User Behavior Analytics
Splunk for Enterprise Security Featuring User Behavior Analytics Splunk for Enterprise Security Featuring User Behavior Analytics
Splunk for Enterprise Security Featuring User Behavior Analytics
 
Splunk Discovery Day Dubai 2017 - Security Keynote
Splunk Discovery Day Dubai 2017 - Security KeynoteSplunk Discovery Day Dubai 2017 - Security Keynote
Splunk Discovery Day Dubai 2017 - Security Keynote
 
Endpoint Modeling 101 - A New Approach to Endpoint Security
Endpoint Modeling 101 - A New Approach to Endpoint SecurityEndpoint Modeling 101 - A New Approach to Endpoint Security
Endpoint Modeling 101 - A New Approach to Endpoint Security
 
Machine Learning and Analytics Breakout Session
Machine Learning and Analytics Breakout SessionMachine Learning and Analytics Breakout Session
Machine Learning and Analytics Breakout Session
 
Analytics Driven SIEM Workshop
Analytics Driven SIEM WorkshopAnalytics Driven SIEM Workshop
Analytics Driven SIEM Workshop
 
SplunkLive! Munich 2018: Intro to Security Analytics Methods
SplunkLive! Munich 2018: Intro to Security Analytics MethodsSplunkLive! Munich 2018: Intro to Security Analytics Methods
SplunkLive! Munich 2018: Intro to Security Analytics Methods
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetup
 
SplunkLive! Paris 2018: Use Splunk for Incident Response, Orchestration and A...
SplunkLive! Paris 2018: Use Splunk for Incident Response, Orchestration and A...SplunkLive! Paris 2018: Use Splunk for Incident Response, Orchestration and A...
SplunkLive! Paris 2018: Use Splunk for Incident Response, Orchestration and A...
 

More from stelligence

BigData Visualization and Usecase@TDGA-Stelligence-11july2019-share
BigData Visualization and Usecase@TDGA-Stelligence-11july2019-shareBigData Visualization and Usecase@TDGA-Stelligence-11july2019-share
BigData Visualization and Usecase@TDGA-Stelligence-11july2019-sharestelligence
 
Santisook s telligence ai-innovation-digital big bang-thailand2018-share
Santisook s telligence ai-innovation-digital big bang-thailand2018-shareSantisook s telligence ai-innovation-digital big bang-thailand2018-share
Santisook s telligence ai-innovation-digital big bang-thailand2018-sharestelligence
 
Recommend 10 splunk apps-Bangkok Splunk Meetup#1
Recommend 10 splunk apps-Bangkok Splunk Meetup#1Recommend 10 splunk apps-Bangkok Splunk Meetup#1
Recommend 10 splunk apps-Bangkok Splunk Meetup#1stelligence
 
MBA-TU-Thailand:BigData for business startup.
MBA-TU-Thailand:BigData for business startup.MBA-TU-Thailand:BigData for business startup.
MBA-TU-Thailand:BigData for business startup.stelligence
 
SuanIct-Bigdata desktop-final
SuanIct-Bigdata desktop-finalSuanIct-Bigdata desktop-final
SuanIct-Bigdata desktop-finalstelligence
 
Self-service Analytic for Business Users-19july2017-final
Self-service Analytic for Business Users-19july2017-finalSelf-service Analytic for Business Users-19july2017-final
Self-service Analytic for Business Users-19july2017-finalstelligence
 
Bigdata for sme-industrial intelligence information-24july2017-final
Bigdata for sme-industrial intelligence information-24july2017-finalBigdata for sme-industrial intelligence information-24july2017-final
Bigdata for sme-industrial intelligence information-24july2017-finalstelligence
 
IT Operation Analytic for security- MiSSconf(sp1)
IT Operation Analytic for security- MiSSconf(sp1)IT Operation Analytic for security- MiSSconf(sp1)
IT Operation Analytic for security- MiSSconf(sp1)stelligence
 
Splunk for DataScience (.conf2014)
Splunk for DataScience (.conf2014)Splunk for DataScience (.conf2014)
Splunk for DataScience (.conf2014)stelligence
 

More from stelligence (9)

BigData Visualization and Usecase@TDGA-Stelligence-11july2019-share
BigData Visualization and Usecase@TDGA-Stelligence-11july2019-shareBigData Visualization and Usecase@TDGA-Stelligence-11july2019-share
BigData Visualization and Usecase@TDGA-Stelligence-11july2019-share
 
Santisook s telligence ai-innovation-digital big bang-thailand2018-share
Santisook s telligence ai-innovation-digital big bang-thailand2018-shareSantisook s telligence ai-innovation-digital big bang-thailand2018-share
Santisook s telligence ai-innovation-digital big bang-thailand2018-share
 
Recommend 10 splunk apps-Bangkok Splunk Meetup#1
Recommend 10 splunk apps-Bangkok Splunk Meetup#1Recommend 10 splunk apps-Bangkok Splunk Meetup#1
Recommend 10 splunk apps-Bangkok Splunk Meetup#1
 
MBA-TU-Thailand:BigData for business startup.
MBA-TU-Thailand:BigData for business startup.MBA-TU-Thailand:BigData for business startup.
MBA-TU-Thailand:BigData for business startup.
 
SuanIct-Bigdata desktop-final
SuanIct-Bigdata desktop-finalSuanIct-Bigdata desktop-final
SuanIct-Bigdata desktop-final
 
Self-service Analytic for Business Users-19july2017-final
Self-service Analytic for Business Users-19july2017-finalSelf-service Analytic for Business Users-19july2017-final
Self-service Analytic for Business Users-19july2017-final
 
Bigdata for sme-industrial intelligence information-24july2017-final
Bigdata for sme-industrial intelligence information-24july2017-finalBigdata for sme-industrial intelligence information-24july2017-final
Bigdata for sme-industrial intelligence information-24july2017-final
 
IT Operation Analytic for security- MiSSconf(sp1)
IT Operation Analytic for security- MiSSconf(sp1)IT Operation Analytic for security- MiSSconf(sp1)
IT Operation Analytic for security- MiSSconf(sp1)
 
Splunk for DataScience (.conf2014)
Splunk for DataScience (.conf2014)Splunk for DataScience (.conf2014)
Splunk for DataScience (.conf2014)
 

Recently uploaded

Top profile Call Girls In dimapur [ 7014168258 ] Call Me For Genuine Models W...
Top profile Call Girls In dimapur [ 7014168258 ] Call Me For Genuine Models W...Top profile Call Girls In dimapur [ 7014168258 ] Call Me For Genuine Models W...
Top profile Call Girls In dimapur [ 7014168258 ] Call Me For Genuine Models W...gajnagarg
 
Top profile Call Girls In Begusarai [ 7014168258 ] Call Me For Genuine Models...
Top profile Call Girls In Begusarai [ 7014168258 ] Call Me For Genuine Models...Top profile Call Girls In Begusarai [ 7014168258 ] Call Me For Genuine Models...
Top profile Call Girls In Begusarai [ 7014168258 ] Call Me For Genuine Models...nirzagarg
 
Top profile Call Girls In Hapur [ 7014168258 ] Call Me For Genuine Models We ...
Top profile Call Girls In Hapur [ 7014168258 ] Call Me For Genuine Models We ...Top profile Call Girls In Hapur [ 7014168258 ] Call Me For Genuine Models We ...
Top profile Call Girls In Hapur [ 7014168258 ] Call Me For Genuine Models We ...nirzagarg
 
Gomti Nagar & best call girls in Lucknow | 9548273370 Independent Escorts & D...
Gomti Nagar & best call girls in Lucknow | 9548273370 Independent Escorts & D...Gomti Nagar & best call girls in Lucknow | 9548273370 Independent Escorts & D...
Gomti Nagar & best call girls in Lucknow | 9548273370 Independent Escorts & D...HyderabadDolls
 
Jodhpur Park | Call Girls in Kolkata Phone No 8005736733 Elite Escort Service...
Jodhpur Park | Call Girls in Kolkata Phone No 8005736733 Elite Escort Service...Jodhpur Park | Call Girls in Kolkata Phone No 8005736733 Elite Escort Service...
Jodhpur Park | Call Girls in Kolkata Phone No 8005736733 Elite Escort Service...HyderabadDolls
 
Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...ZurliaSoop
 
Gartner's Data Analytics Maturity Model.pptx
Gartner's Data Analytics Maturity Model.pptxGartner's Data Analytics Maturity Model.pptx
Gartner's Data Analytics Maturity Model.pptxchadhar227
 
Sealdah % High Class Call Girls Kolkata - 450+ Call Girl Cash Payment 8005736...
Sealdah % High Class Call Girls Kolkata - 450+ Call Girl Cash Payment 8005736...Sealdah % High Class Call Girls Kolkata - 450+ Call Girl Cash Payment 8005736...
Sealdah % High Class Call Girls Kolkata - 450+ Call Girl Cash Payment 8005736...HyderabadDolls
 
Top profile Call Girls In Chandrapur [ 7014168258 ] Call Me For Genuine Model...
Top profile Call Girls In Chandrapur [ 7014168258 ] Call Me For Genuine Model...Top profile Call Girls In Chandrapur [ 7014168258 ] Call Me For Genuine Model...
Top profile Call Girls In Chandrapur [ 7014168258 ] Call Me For Genuine Model...gajnagarg
 
Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...
Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...
Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...Valters Lauzums
 
Top Call Girls in Balaghat 9332606886Call Girls Advance Cash On Delivery Ser...
Top Call Girls in Balaghat  9332606886Call Girls Advance Cash On Delivery Ser...Top Call Girls in Balaghat  9332606886Call Girls Advance Cash On Delivery Ser...
Top Call Girls in Balaghat 9332606886Call Girls Advance Cash On Delivery Ser...kumargunjan9515
 
Dubai Call Girls Peeing O525547819 Call Girls Dubai
Dubai Call Girls Peeing O525547819 Call Girls DubaiDubai Call Girls Peeing O525547819 Call Girls Dubai
Dubai Call Girls Peeing O525547819 Call Girls Dubaikojalkojal131
 
7. Epi of Chronic respiratory diseases.ppt
7. Epi of Chronic respiratory diseases.ppt7. Epi of Chronic respiratory diseases.ppt
7. Epi of Chronic respiratory diseases.pptibrahimabdi22
 
5CL-ADBA,5cladba, Chinese supplier, safety is guaranteed
5CL-ADBA,5cladba, Chinese supplier, safety is guaranteed5CL-ADBA,5cladba, Chinese supplier, safety is guaranteed
5CL-ADBA,5cladba, Chinese supplier, safety is guaranteedamy56318795
 
Fun all Day Call Girls in Jaipur 9332606886 High Profile Call Girls You Ca...
Fun all Day Call Girls in Jaipur   9332606886  High Profile Call Girls You Ca...Fun all Day Call Girls in Jaipur   9332606886  High Profile Call Girls You Ca...
Fun all Day Call Girls in Jaipur 9332606886 High Profile Call Girls You Ca...kumargunjan9515
 
20240412-SmartCityIndex-2024-Full-Report.pdf
20240412-SmartCityIndex-2024-Full-Report.pdf20240412-SmartCityIndex-2024-Full-Report.pdf
20240412-SmartCityIndex-2024-Full-Report.pdfkhraisr
 
如何办理英国诺森比亚大学毕业证(NU毕业证书)成绩单原件一模一样
如何办理英国诺森比亚大学毕业证(NU毕业证书)成绩单原件一模一样如何办理英国诺森比亚大学毕业证(NU毕业证书)成绩单原件一模一样
如何办理英国诺森比亚大学毕业证(NU毕业证书)成绩单原件一模一样wsppdmt
 
Statistics notes ,it includes mean to index numbers
Statistics notes ,it includes mean to index numbersStatistics notes ,it includes mean to index numbers
Statistics notes ,it includes mean to index numberssuginr1
 
怎样办理圣地亚哥州立大学毕业证(SDSU毕业证书)成绩单学校原版复制
怎样办理圣地亚哥州立大学毕业证(SDSU毕业证书)成绩单学校原版复制怎样办理圣地亚哥州立大学毕业证(SDSU毕业证书)成绩单学校原版复制
怎样办理圣地亚哥州立大学毕业证(SDSU毕业证书)成绩单学校原版复制vexqp
 

Recently uploaded (20)

Top profile Call Girls In dimapur [ 7014168258 ] Call Me For Genuine Models W...
Top profile Call Girls In dimapur [ 7014168258 ] Call Me For Genuine Models W...Top profile Call Girls In dimapur [ 7014168258 ] Call Me For Genuine Models W...
Top profile Call Girls In dimapur [ 7014168258 ] Call Me For Genuine Models W...
 
Top profile Call Girls In Begusarai [ 7014168258 ] Call Me For Genuine Models...
Top profile Call Girls In Begusarai [ 7014168258 ] Call Me For Genuine Models...Top profile Call Girls In Begusarai [ 7014168258 ] Call Me For Genuine Models...
Top profile Call Girls In Begusarai [ 7014168258 ] Call Me For Genuine Models...
 
Top profile Call Girls In Hapur [ 7014168258 ] Call Me For Genuine Models We ...
Top profile Call Girls In Hapur [ 7014168258 ] Call Me For Genuine Models We ...Top profile Call Girls In Hapur [ 7014168258 ] Call Me For Genuine Models We ...
Top profile Call Girls In Hapur [ 7014168258 ] Call Me For Genuine Models We ...
 
Gomti Nagar & best call girls in Lucknow | 9548273370 Independent Escorts & D...
Gomti Nagar & best call girls in Lucknow | 9548273370 Independent Escorts & D...Gomti Nagar & best call girls in Lucknow | 9548273370 Independent Escorts & D...
Gomti Nagar & best call girls in Lucknow | 9548273370 Independent Escorts & D...
 
Jodhpur Park | Call Girls in Kolkata Phone No 8005736733 Elite Escort Service...
Jodhpur Park | Call Girls in Kolkata Phone No 8005736733 Elite Escort Service...Jodhpur Park | Call Girls in Kolkata Phone No 8005736733 Elite Escort Service...
Jodhpur Park | Call Girls in Kolkata Phone No 8005736733 Elite Escort Service...
 
Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
Gartner's Data Analytics Maturity Model.pptx
Gartner's Data Analytics Maturity Model.pptxGartner's Data Analytics Maturity Model.pptx
Gartner's Data Analytics Maturity Model.pptx
 
Sealdah % High Class Call Girls Kolkata - 450+ Call Girl Cash Payment 8005736...
Sealdah % High Class Call Girls Kolkata - 450+ Call Girl Cash Payment 8005736...Sealdah % High Class Call Girls Kolkata - 450+ Call Girl Cash Payment 8005736...
Sealdah % High Class Call Girls Kolkata - 450+ Call Girl Cash Payment 8005736...
 
Top profile Call Girls In Chandrapur [ 7014168258 ] Call Me For Genuine Model...
Top profile Call Girls In Chandrapur [ 7014168258 ] Call Me For Genuine Model...Top profile Call Girls In Chandrapur [ 7014168258 ] Call Me For Genuine Model...
Top profile Call Girls In Chandrapur [ 7014168258 ] Call Me For Genuine Model...
 
Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...
Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...
Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...
 
Top Call Girls in Balaghat 9332606886Call Girls Advance Cash On Delivery Ser...
Top Call Girls in Balaghat  9332606886Call Girls Advance Cash On Delivery Ser...Top Call Girls in Balaghat  9332606886Call Girls Advance Cash On Delivery Ser...
Top Call Girls in Balaghat 9332606886Call Girls Advance Cash On Delivery Ser...
 
Dubai Call Girls Peeing O525547819 Call Girls Dubai
Dubai Call Girls Peeing O525547819 Call Girls DubaiDubai Call Girls Peeing O525547819 Call Girls Dubai
Dubai Call Girls Peeing O525547819 Call Girls Dubai
 
Abortion pills in Jeddah | +966572737505 | Get Cytotec
Abortion pills in Jeddah | +966572737505 | Get CytotecAbortion pills in Jeddah | +966572737505 | Get Cytotec
Abortion pills in Jeddah | +966572737505 | Get Cytotec
 
7. Epi of Chronic respiratory diseases.ppt
7. Epi of Chronic respiratory diseases.ppt7. Epi of Chronic respiratory diseases.ppt
7. Epi of Chronic respiratory diseases.ppt
 
5CL-ADBA,5cladba, Chinese supplier, safety is guaranteed
5CL-ADBA,5cladba, Chinese supplier, safety is guaranteed5CL-ADBA,5cladba, Chinese supplier, safety is guaranteed
5CL-ADBA,5cladba, Chinese supplier, safety is guaranteed
 
Fun all Day Call Girls in Jaipur 9332606886 High Profile Call Girls You Ca...
Fun all Day Call Girls in Jaipur   9332606886  High Profile Call Girls You Ca...Fun all Day Call Girls in Jaipur   9332606886  High Profile Call Girls You Ca...
Fun all Day Call Girls in Jaipur 9332606886 High Profile Call Girls You Ca...
 
20240412-SmartCityIndex-2024-Full-Report.pdf
20240412-SmartCityIndex-2024-Full-Report.pdf20240412-SmartCityIndex-2024-Full-Report.pdf
20240412-SmartCityIndex-2024-Full-Report.pdf
 
如何办理英国诺森比亚大学毕业证(NU毕业证书)成绩单原件一模一样
如何办理英国诺森比亚大学毕业证(NU毕业证书)成绩单原件一模一样如何办理英国诺森比亚大学毕业证(NU毕业证书)成绩单原件一模一样
如何办理英国诺森比亚大学毕业证(NU毕业证书)成绩单原件一模一样
 
Statistics notes ,it includes mean to index numbers
Statistics notes ,it includes mean to index numbersStatistics notes ,it includes mean to index numbers
Statistics notes ,it includes mean to index numbers
 
怎样办理圣地亚哥州立大学毕业证(SDSU毕业证书)成绩单学校原版复制
怎样办理圣地亚哥州立大学毕业证(SDSU毕业证书)成绩单学校原版复制怎样办理圣地亚哥州立大学毕业证(SDSU毕业证书)成绩单学校原版复制
怎样办理圣地亚哥州立大学毕业证(SDSU毕业证书)成绩单学校原版复制
 

Navy security contest-bigdataforsecurity

  • 1. ML for Security Monitoring Santisook Limpeeticharoenchot Managing Director
  • 2. Agenda • Why ML for Security Monitoring? • Overview of Machine Learning • Apply Theory to Practice • ML for Security Example • DataScience Process for Security • Q&A
  • 3. Fraud Bad Actors Ransomware IP Theft Application Performance Identity Theft Key Performance Indicators Network Intrusion Malware Exfiltration Cyber-attacks Zero-day Compromised Credentials SCADA Security Hardware Deterioration Known & Unknown Threat
  • 4. The Current IT Situation VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM Fluid Infrastructure Distributed Applications Continuous Deployment
  • 7. Current State Of Security Monitoring: #monitoringsucks Measure Everything ➢Collect 1000’s of metrics and logs, most unused ➢Analytics methods too simple, not correlated, don’t help solve outages Threshold = alert overload ➢Too many false positives ➢Hundreds of alerts a day, most ignored IT & Security operations have become a big data challenge “The [traditional] tools present us with the raw data, and lots of it, but sufficient insight into the actual meaning buried in all that data is still remarkably scarce” - Turn Big Data Inward With IT Analytics, Forrester Research
  • 9. Watching screens cannot scale + it’s useless
  • 11. Human brains are good at detecting patterns
  • 12. OTOH, humans get lost in volume and details
  • 13. Need the cognitive equivalent of THIS!
  • 14. Why Machine Learning, not Big Data!
  • 15. Terms and definitions Artificial Intelligence Machine learning Deep learning Algorithms Supervised Unsupervised source:www.ibm.com
  • 16. Traditional Computers vs. Artificial Intelligence Traditional Programs •Pre-programmed: producing same results every time •Deterministic: good or false •One-dimensional: for one/limited purpose Artificial Intelligence •Machine learning: changing its code to improve results •Stochastic: based on probability •Multi-dimensional: potential for more general purposes source:www.ibm.com
  • 17. Traditional Programs vs. Machine Learning Traditional Programs: Data, Static code, Real world result. Machine Learning: Data, Algorithm, Real world result, Hypothesis, Feedback. source:www.ibm.com
  • 18. Enter Machine Learning! What: “Field of study that gives computers the ability to learn without being explicitly programmed” – Arthur Samuel, 1959 How: Generalizing (learning) from examples (data)
  • 21. Type of Machine Learning Supervised Learning Unsupervised Learning source:conf2016,splunk
  • 22. Classification: Applying labels Triangle Triangle Triangle Triangle Square Square Square Learn Apply Triangle Square source:conf2016,splunk
  • 25. Predict/Forecast ALERT Will reach capacity in 2 hours. Provision more servers. source:conf2016,splunk
  • 26. Clustering: Grouping similar things source:conf2016,splunk
  • 27. Clustering: Grouping similar things source:conf2016,splunk
  • 28. Anomaly Detection: Find unusual stuff source:conf2016,splunk
  • 29. Time Series –Anomaly Detection source:conf2016,splunk
  • 30. Anomaly Detection EXAMPLES Deviations in Counts or Values = “responsetime by host”, “count by error_type” Rare Events = “rare by EventID”, “rare by process” Unusual vs. peers = “sum(bytes) over client_ip” source:prelert.com
  • 31. Evolution of Malware Detection Signature-based: potential malware identified by known “bad” Behavior-based: potential malware identified by bad behavior Heuristics/sandboxing: potential malware identified by testing indicators Statistical inference: potential malware identified by probabilities source:www.ibm.com
  • 32. Real world applications for Machine Learning • Fraud: credit card fraud, spam, DLP • Automated recognition: face, handwriting • Capacity planning: product stocking, server provisioning • Anomaly detection for security and IT Operations • Product recommendations • Customer segmentation • Medical diagnoses …
  • 33. Customer Use Case: Detect Network Outliers Reduced downtime + increased service availability = better customer satisfaction ML Use Case Monitor noise rise for 20,000+ cell towers to increase service and device availability, reduce MTTR Technical overview •A customized solution deployed in production based on outlier detection. •Leverage previous month data and voting algorithms “The ability to model complex systems and alert on deviations is where IT and security operations are headed … Splunk Machine Learning has given us a head start...” source:www.splunk.com
  • 34. Reliable website updates Proactive website monitoring leads to reduced downtime “Splunk ML helps us rapidly improve end-user experience by ranking issue severity which helps us determine root causes faster thus reducing MTTR and improving SLA” ML Use Case • Very frequent code and config updates (1000+ daily) can cause site issues • Find errors in server pools, then prioritize actions and predict root cause Technical overview •Custom outlier detection built using ML Toolkit Outlier assistant •Built by Splunk Architect with no Data Science background source:www.splunk.com
  • 35. Theory of Distribution Function for Anomaly Detection
  • 37. Normal distributions are really useful • I can make powerful predictions because of the statistical properties of the data, most naturally occurring processes • I can easily compare different metrics since they have similar statistical properties • Population height, IQ distributions, widget sizes, weights in manufacturing • There is a HUGE body of statistical work on parametric techniques for normally distributed data source:conf2016,splunk
  • 42. Example: Three-Sigma Rule Three-sigma rule – ~68% of the values lie within 1 std deviation of the mean – ~95% of the values lie within 2 std deviations – 99.73% of the values lie within 3 std deviations: anything else is considered an outlier source:conf2016,splunk
  • 43. Probabilistic Modeling and Analysis (diagram labels: Outliers, likelihood, observed values X, ML model, Gaussian) source:prelert.com
  • 44. Apply Theory to Practice
  • 46. Security Applications of ML • Fraud detection systems: – Is what he just did consistent with past behavior? • Network anomaly detection: – More like bad statistical analysis • Predicting likelihood of attack actors – Create different predictive models and chain them to gain more confidence in each step. Source:mlsecproject.org
  • 47. Kinds of Network Security Monitoring • Alert-based: – “Traditional” log management – SIEM – Using “Threat Intelligence” (i.e. blacklists) for about a year or so – Lack of context – Low effectiveness – You get the results handed over to you • Exploration-based: – Network Forensics tools – High effectiveness – Lots of people necessary – Lots of HIGHLY trained people • Big Data Security Analytics (BDSA): – Run exploration-based monitoring on Hadoop – More like Big Data Security Monitoring (BDSM) Source:mlsecproject.org
  • 48. Correlation Rules: A Primer • Rules in a SIEM solution invariably are: – “Something” has happened “x” times; – “Something” has happened and other “something2” has happened, with some relationship (time, same fields, etc.) between them. • Configuring SIEM = iterate on combinations until: – Customer or management is satisfied; – Consulting money runs out • Behavioral rules (anomaly detection) help a bit with the “x”s, but are still very laborious and time consuming. Source:mlsecproject.org
  • 49. Why is this so challenging using traditional methods? • DATA IS STILL IN MOTION, still in a BUSINESS PROCESS. • Enrich real-time MACHINE DATA with structured HISTORICAL DATA • Make decisions IN REAL TIME using ALL THE DATA • Combine LEADING and LAGGING INDICATORS (KPIs) (diagram labels: Historical Data, Real-time Data, Statistical Models, DB, Hadoop/S3/NoSQL, Splunk, Anomaly Detection or Machine Learning, T – a few days, T + a few days, SIEM, Security Operations Center, Network Operations Center, Business Operations Center) source:conf2016,splunk
  • 50. Anomaly Detection & Machine Learning What is AD? Types of security anomalies: spikes in activity, rare events, first-observed, outliers, state change, simple existence. What do these have in common? They are time-based: the basic comparison parameter is self-comparison over time; advanced parameters include peer-based comparison. What is ML? Supervised ML – Classification/Regression Unsupervised ML – Clustering Semi-Supervised – Rule-based AD For AD and security, ML can establish a baseline of normal (negative) values source:conf2016,splunk
  • 51. Unsupervised Learning Unsupervised Machine Learning – You have unlabeled data and want to group the data by feature(s) – The algorithm makes its own structure out of the data – You do not know what outliers look like – Good for the data exploration phases of security anomaly detection – Examples used in security applications include: Clustering: k-means, k-medians, Expectation Maximization Association: less relevant because in highly structured searches we are less concerned with associations between fields for security anomaly detection source:conf2016,splunk
  • 52. Supervised Learning Supervised Machine Learning – You have labeled data and the algorithm predicts the output – Classification vs. Regression – Example ML algorithms include: Linear and Logistic Regression Random Forest Support Vector Machine DBSCAN Semi-Supervised Machine Learning – You have “some” labeled data, but not all – Most security ML applications fall in this category – LabelPropagation – Rule-based anomaly detection For SECURITY-PURPOSED applications of ML, a combination of unsupervised, supervised, and Semi-Supervised learning algorithms is a best practice In realistic applications, security-purposed AD requires highly structured data and human training of the algorithm source:conf2016,splunk
  • 53. ML 101 for Security Monitoring • Machine Learning (ML) is a process for generalizing from examples – Examples = example or “training” data – Generalizing = build “statistical models” to capture correlations – Process = ML is never done, you must keep validating & refitting models • Simple ML workflow: – Explore data – FIT models based on data – APPLY models in production – Keep validating models source:conf2016,splunk
  • 54. The ML Process Problem: <Stuff in the world> causes big time & money expense Solution: Build predictive model to forecast <possible incidents>, act pre-emptively & learn 1.Get all relevant data to problem 2.Explore data & build KPIs 3.Fit, apply & validate models on past / real-time data 4.Predict and act. Identify notable events, create alerts 5.Surface incidents to X Ops, who INVESTIGATES & ACTS Operationalize source:conf2016,splunk
  • 55. Security: Find Insider Threats Problem: Security breaches cause big time & money expense Solution: Build predictive model to forecast threat scenarios, act pre-emptively & learn 1. Get security data (data transfers, authentication, incidents) 2. Explore data & build KPIs 3. Fit, apply & validate models on past / real-time data 4. Predict and act. Identify anomalous behaviors, create alerts 5. Surface incidents to Security Ops, who INVESTIGATES & ACTS Operationalize source:conf2016,splunk
• 56. Machine Learning in IT Operation
Adaptive Thresholding:
• Learn baselines & dynamic thresholds
• Alert & act on deviations
• Manage for 1000s of KPIs & entities
• Stdev/Avg, Quartile/Median, Range
Anomaly Detection:
• Employ machine learning to baseline normal operations and alert on anomalous conditions
• Identify abnormal trends and patterns in KPI data
source:conf2016,splunk
• 57. Finds the Deviation Perfectly
• No extraneous false alarms
• Automatic periodicity
source:prelert.com
• 58. Find Important IDS/IPS Events
Challenge: How do you find the signs of advanced threats amid thousands of daily high-severity alerts?
▪ Difficulty of creating effective rules results in a high false positive rate
▪ Advanced Evasion Techniques (AETs) well-known to attackers
source:prelert.com
• 59. Find Important IDS/IPS Events
Solution: Let machine learning filter out normal ‘noise’ and identify unusual counts, signatures, protocols and destinations by source
• Anomaly Detective generates a dozen or so alerts per week
• Accuracy & alert detail enable faster determination of threat level
source:prelert.com
• 60. Rare Items as Anomalies
Use Case: Learn the typical processes on each host; find rare processes that “start up and communicate”
source:prelert.com
• 61. Finds the RARE Anomaly Perfectly
• Finds an FTP process running for 3 hours on a system that doesn’t normally run it
source:prelert.com
  • 62. Population / Peer Outliers Use Case: Find users behaving much differently than the others source:prelert.com
  • 63. Find the Unusual USER Perfectly • Host sending 20,000 requests/hr • Attempt to hack an IIS webserver source:prelert.com
• 64. Low and Slow – Automated Logins
A user failing logins in hour after hour, all day long, is the signature of automated guessing that stays under any per-hour rate threshold; detector: “dc(date_hour) over user” (distinct count of hours with failures, compared across the population of users)
source:prelert.com
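The detector named on the slide, worked through on constructed data as an added example (this is not Prelert's or the deck's code): it parses sshd failure lines, computes dc(date_hour) per user, and compares each user against the rest of the population with a robust z-score, beside a naive per-hour count rule for contrast. User names, timestamps and addresses are made up; the MAD floor and k=3 are my choices.

```python
"""Added example: dc(date_hour) over user for low-and-slow login failures.
Constructed log lines; not the vendor's implementation."""
import re
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T(\d{2}):\d{2}:\d{2}Z \S+ Failed password for (\S+) from")


def build_log() -> List[str]:
    """Constructed auth log for one day (assumed format; only the timestamp and user matter)."""
    lines = []
    ordinary = {"bob": [9], "carol": [9, 14], "dave": [10], "erin": [16, 17], "frank": [8]}
    for user, hours in ordinary.items():          # ordinary users: one failure in one or two hours
        for h in hours:
            lines.append(f"2016-05-12T{h:02d}:15:00Z sshd: Failed password for {user} from 10.1.2.3")
    for m in range(12):                           # grace: a burst of typos, 12 failures inside one hour
        lines.append(f"2016-05-12T11:{m:02d}:00Z sshd: Failed password for grace from 10.1.2.9")
    for h in range(20):                           # svc_backup: automated guessing, 2 failures/hour for 20 hours
        for m in (5, 35):
            lines.append(f"2016-05-12T{h:02d}:{m:02d}:00Z sshd: Failed password for svc_backup from 203.0.113.7")
    return lines


def failures_by_user_hour(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """user -> 'date hour' -> number of failed logins."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            date, hour, user = m.groups()
            counts[user][f"{date} {hour}"] += 1
    return counts


def naive_rule(counts: Dict[str, Dict[str, int]], per_hour_max: int = 10) -> List[str]:
    """Threshold on failures within a single hour: catches bursts, misses low-and-slow."""
    return sorted(u for u, hours in counts.items() if max(hours.values()) > per_hour_max)


def population_outliers(counts: Dict[str, Dict[str, int]], k: float = 3.0) -> List[str]:
    """dc(date_hour) per user, compared to the population with a robust z-score
    (median absolute deviation). When most users share the same value the MAD is 0,
    so it is floored at 1 to avoid flagging everyone who differs at all."""
    dc = {u: len(hours) for u, hours in counts.items()}
    med = median(dc.values())
    mad = max(median(abs(v - med) for v in dc.values()), 1.0)
    return sorted(u for u, v in dc.items() if (v - med) / mad > k)


def detect(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Returns (users flagged by dc(date_hour) population analysis, users flagged by the naive rule)."""
    counts = failures_by_user_hour(lines)
    return population_outliers(counts), naive_rule(counts)


if __name__ == "__main__":
    slow, bursty = detect(build_log())
    print("low-and-slow (dc(date_hour) over user):", slow)
    print("burst (per-hour count rule):", bursty)
```

The two rules flag disjoint users on this data: the per-hour count catches the typo burst and nothing else, while the distinct-hour count is the only one that surfaces the account failing twice an hour for twenty hours.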
• 65. Machine Learning in Event Correlation
• Reduce event clutter, false positives and extensive rules maintenance
• Events are auto-grouped together (suppressed, de-duped)
• Easily provide feedback on auto-grouping of events & alerts
source:conf2016,splunk
  • 66. Cluster IPs based on Security Alerts source:conf2016,splunk
• 67. (Security) Data Scientist
Data Science Venn Diagram by Drew Conway
• “Data Scientist (n.): Person who is better at statistics than any software engineer and better at software engineering than any statistician.” -- Josh Wills, Cloudera
• 68. Data Science Cycle For Security
Stages of the cycle (in the order the following slides walk through them):
1. Determine Use-Case
2. Data Mining & Exploration
3. Data Validating & Cleaning
4. Computational Scaling/Storage
5. Machine Learning & Anomaly Detection Model
6. Model Testing
7. Refinement
8. Alerts & Visualization
source:conf2016,splunk
• 69. Example: Email Use-Case (Use-Case Deep Dive)
Your company has been hit with a large number of phishing emails that were not detected by traditional signature-based tools.
Several employees have clicked on the phishing link and entered their credentials.
The adversary has taken over several accounts and sent thousands of additional emails, internal and external.
source:conf2016,splunk
• 70. Where Are We In The Platform? (Use-Case Deep Dive)
Platform diagram components: Log Sources; SIEM Platform; Exploration, Mining, Cleaning, Validation; API; Short Term Storage; 3rd Party Computations; Machine Learning; Anomaly Detection; Model Testing & Validation; Alerts & Visualizations
source:conf2016,splunk
  • 71. 3rd party ML Calculations All are open source products source:conf2016,splunk
• 72. Data Mining & Exploration
What looks interesting in this sourcetype? What could be used to detect an anomaly? What is important to note about the events?
sourcetype="MSExchange:2010:MessageTracking"
ML & AD for Security Best Practice: Validate data by viewing your own actions on the network. Send an email to yourself, then to a co-worker, then to several people, etc. as a validation test; trace the actions through Splunk.
source:conf2016,splunk
• 73. Data Cleaning
sourcetype="MSExchange:2010:MessageTracking" sender="toby.ryan@emerson.com" recipient_count!=NONE
| dedup message_id sortby _time
| table _time directionality sender recipient message_subject message_id recipient_count total_bytes
| sort -_time
What fields are best poised for measuring? What fields provide enough context for analysis?
source:conf2016,splunk
• 74. ML & AD Model
What features do we choose? Supervised? Unsupervised? Classification? What statistical model do we choose?
Start by clustering all data
• Splunk “cluster” command for text and “kmeans” for numerical fields
| stats count by {field being measured}
ML & AD for Security Best Practice: From an incident response perspective, highly structured and single-feature data is required to minimize time spent considering false positives
source:conf2016,splunk
• 75. K-Means Clustering (Use-Case Deep Dive)
sourcetype="MSExchange:2010:MessageTracking" sender="*@emerson.com" recipient_count!=NONE
| dedup me […] r
| kmeans k=5 daily_total
| stats count by CLUSTERNUM centroid_daily_total
(the middle of the search, between the dedup command and the kmeans command, is cut off on the slide; the daily_total field must be produced there before kmeans can cluster on it)
source:conf2016,splunk
• 76. Training Data And The ML Process
Collect a set of training data (univariate / single feature / single field)
• In our case, it is 60-120 days worth of daily email totals
• Next, split the data by time into 3 groups: training set, cross-validation set, test set
Determine if your dataset is Gaussian (Normal Distribution)
ML & AD for Security Best Practices:
– Split historical data 60-20-20 into training, cross-validation, and test sets
source:conf2016,splunk
• 77. Algorithm Selection
For normal distributions, Inter-Quartile Range (IQR) limits are a good place to start (they are built from percentiles, so they also tolerate skewed data; the Gaussian check mainly tells you whether mean/stdev-based thresholds would be valid as well)
We can test back in Splunk for specific cluster users
Other options available include:
– Scikit-learn.org has the Python modules
– MATLAB, GNU Octave, and R all have extensive ML and AD packages
– Python has easy Gaussian test algorithms (used in this example)
• scipy.stats.mstats.normaltest
• scipy.stats.shapiro
Scikit-learn has in-depth explanations of each algorithm and command descriptions such as “fit(x)” and “predict(x)”, etc.
source:conf2016,splunk
• 78. Model Testing: 1
sourcetype="MSExchange:2010:MessageTracking" sender="xxxx@xxxx.com" recipient_count!=NONE
| dedup message_id sortby _time
| table _time directionality sender recipient message_subject message_id recipient_count total_bytes
| timechart sum(recipient_count) as daily_total span=1d
| eventstats median(daily_total) as median, p25(daily_total) as p25, p75(daily_total) as p75, mean(daily_total) as mean
| eval iqr = p75 - p25
| eval xplier = 2
| eval low_lim = median - (iqr * xplier)
| eval high_lim = median + (iqr * xplier)
| eval anomaly = if(daily_total < low_lim OR daily_total > high_lim, daily_total, 0)
| table _time daily_total anomaly
(Chart annotations on the slide: False Positive, False Positives, True Positive; the p25/p75 limits fire on busy-but-legitimate days as well as on the real incident.)
source:conf2016,splunk
• 79. Model Testing: 2
sourcetype="MSExchange:2010:MessageTracking" sender="toby.ryan@emerson.com" recipient_count!=NONE
| dedup message_id sortby _time
| table _time directionality sender recipient message_subject message_id recipient_count total_bytes
| timechart sum(recipient_count) as daily_total span=1d
| eventstats median(daily_total) as median, p10(daily_total) as p10, p90(daily_total) as p90, mean(daily_total) as mean
| eval iqr = p90 - p10
| eval xplier = 2
| eval low_lim = median - (iqr * xplier)
| eval high_lim = median + (iqr * xplier)
| eval anomaly = if(daily_total < low_lim OR daily_total > high_lim, daily_total, 0)
| table _time daily_total anomaly
(Note: the field is still named iqr, but p90 - p10 is the inter-decile range, which is wider than the true IQR, so these limits are looser and fewer ordinary days are flagged.)
source:conf2016,splunk
• 80. Validating Models
• How can we validate models?
Precision = (# of correct positive values) / (# of all positive results) = TP / (TP + FP)
Recall = (# of correct positive values) / (# that should have been positive) = TP / (TP + FN)
F1 Score = 2 x (precision x recall) / (precision + recall)
F1 is the harmonic mean of precision and recall; it is best at a value of 1 and worst at a value of 0.
First model (p25/p75 limits): F1 = 0.4
Second model (p10/p90 limits): F1 = 1.0
Beware of missing false negatives by tuning too much too quickly; tuning is an iterative process over time. An F1 of 1.0 on one historical window shows the model fits that window, not that it will keep holding, so re-validate as new data arrives.
source:conf2016,splunk
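Slides 76 through 80 describe one procedure: split the daily totals by time, check the shape of the training window, fit median +/- 2 x (percentile spread) limits, and score the result with precision, recall and F1. The block below carries that procedure through in plain Python as an added example; it is not the deck's SPL or any Splunk code. The daily totals, the two legitimate busy days and the two incident days are constructed, the 10-day pattern and the labelled incidents are assumptions, and the F1 values it produces are for this constructed data, not the 0.4 and 1.0 reported on the slide.

```python
"""Added example (not from the conf2016 deck): the deck's univariate IQR model
re-implemented in plain Python with a 60-20-20 time split and precision/recall/F1.
All daily totals below are constructed."""
from statistics import mean, pstdev
from typing import Dict, List, Sequence, Set, Tuple

# Constructed daily recipient totals: a 10-day repeating pattern, two legitimate
# busy days (60) and two mass-mailing incidents (420, 380) from a compromised account.
BASE_PATTERN = [30, 34, 38, 41, 45, 36, 33, 48, 29, 40]
OVERRIDES = {65: 60, 92: 60, 75: 420, 95: 380}   # day -> daily_total
LABELED_INCIDENTS: Set[int] = {75, 95}            # assumed ground truth from incident tickets


def build_series(days: int = 100) -> List[int]:
    series = [BASE_PATTERN[d % len(BASE_PATTERN)] for d in range(days)]
    for day, total in OVERRIDES.items():
        series[day] = total
    return series


def split_60_20_20(series: Sequence[int]) -> Tuple[range, range, range]:
    """Split by time, never randomly: the model must be fit on the past only."""
    n = len(series)
    a, b = int(n * 0.6), int(n * 0.8)
    return range(0, a), range(a, b), range(b, n)


def percentile(values: Sequence[float], p: float) -> float:
    """Linear-interpolation percentile (same convention as numpy's default)."""
    s = sorted(values)
    rank = (len(s) - 1) * p / 100.0
    lo = int(rank)
    hi = min(lo + 1, len(s) - 1)
    return s[lo] + (s[hi] - s[lo]) * (rank - lo)


def shape(values: Sequence[float]) -> Tuple[float, float]:
    """Moment-based skewness and excess kurtosis of the training window (0, 0 for a
    Gaussian). scipy.stats.normaltest turns these same moments into a hypothesis
    test; this is only the descriptive part, kept dependency-free."""
    m, sd = mean(values), pstdev(values)
    z = [(v - m) / sd for v in values]
    n = len(z)
    return sum(t ** 3 for t in z) / n, sum(t ** 4 for t in z) / n - 3.0


def fit_limits(train: Sequence[float], low_p: float, high_p: float, xplier: float = 2.0) -> Dict[str, float]:
    """median +/- xplier * (high percentile - low percentile), as in the deck's SPL.
    25/75 is the true IQR (model 1); 10/90 is the wider inter-decile range (model 2)."""
    med = percentile(train, 50)
    spread = percentile(train, high_p) - percentile(train, low_p)
    return {"median": med, "low_lim": med - xplier * spread, "high_lim": med + xplier * spread}


def flagged_days(series: Sequence[int], days: range, limits: Dict[str, float]) -> Set[int]:
    return {d for d in days if series[d] < limits["low_lim"] or series[d] > limits["high_lim"]}


def precision_recall_f1(predicted: Set[int], truth: Set[int]) -> Tuple[float, float, float]:
    tp = len(predicted & truth)
    fp = len(predicted - truth)
    fn = len(truth - predicted)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1


def run_example() -> Dict[str, Dict[str, float]]:
    """Fit both limit models on the training window, score them on cv and test."""
    series = build_series()
    train, cv, test = split_60_20_20(series)
    train_values = [series[d] for d in train]
    results: Dict[str, Dict[str, float]] = {}
    for name, (lo, hi) in {"model1_p25_p75": (25, 75), "model2_p10_p90": (10, 90)}.items():
        limits = fit_limits(train_values, lo, hi)
        results[name] = dict(limits)
        for label, days in (("cv", cv), ("test", test)):
            truth = LABELED_INCIDENTS & set(days)
            _, _, f1 = precision_recall_f1(flagged_days(series, days, limits), truth)
            results[name][f"f1_{label}"] = f1
    return results


if __name__ == "__main__":
    print("train skew/kurtosis:", shape(build_series()[:60]))
    for model, r in run_example().items():
        print(model, {k: round(v, 2) for k, v in r.items()})
```

On this data model 1 flags the two legitimate 60-recipient days as well as the two incidents (precision 0.5, recall 1, F1 0.67 on both the cross-validation and test windows), while model 2's wider limits flag only the incidents (F1 1.0). The point the slide makes still applies: the wider limits were chosen because they fit these windows, and a quieter or noisier next month can change either score.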
• 81. Alerts & Visualizations
• The output of the off-Splunk calculations can be picked up by the Splunk Universal Forwarder (UF) or written to a flat file
• Allows the user to capitalize on the Splunk interface
• Advantages/Disadvantages of Indexing and Sourcetyping:
• Treat like any other data source for calculations
• Technically “re-indexing” data; however, anomaly data sets will be small
source:conf2016,splunk
• 82. Refinement
• Treat different clusters with different models
• Continually validate data and results
• Understand why false positives come up
• Add length to training data time if possible
• If a cluster is not Gaussian, try other models, or try to fit the data to a Normal Distribution
• Compare against simple rule-based models such as “3 x mean = anomaly”
source:conf2016,splunk
• 83. Domain Expert on Insider Email Analytics
Consider not only a large number of recipients outside a user’s normal behavior, but also the number of new recipients.
What is the average number of new recipients an employee emails each day? One? Five?
• Establish a set of training data and record the unique recipients over 60 days
• Create an anomaly detection that fires when the number of new recipients exceeds the baseline variance
• Add to the “# of recipients per day” data for a higher-fidelity alert
source:conf2016,splunk
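The new-recipient baseline described above, built and scored on constructed message data as an added example (not code from the deck): 60 training days of (sender, day, recipients) tuples, a per-sender set of recipients already seen, a daily count of recipients never seen before from that sender, a mean + k x stdev limit on that count, and the total-recipients-per-day limit layered on top for a higher-confidence alert. The sender, contacts, the 10-day warm-up and k=3 are assumptions.

```python
"""Added example: new-recipient baseline for insider email analytics.
Constructed message data; not the Splunk searches from the deck."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

SENDER = "alice@example.com"                                   # constructed sender
KNOWN = [f"colleague{i}@example.com" for i in range(8)]        # constructed routine contacts
TRAIN_DAYS, WARMUP_DAYS, K = 60, 10, 3.0   # 60-day baseline; first 10 days discarded (everyone is "new" then)

Message = Tuple[str, int, List[str]]       # (sender, day index, recipients)


def build_messages() -> List[Message]:
    """60 training days plus 3 scoring days. Every 5th training day alice mails one
    genuinely new contact; on day 62 her compromised account mass-mails 40 strangers."""
    msgs: List[Message] = []
    for day in range(TRAIN_DAYS):
        rcpts = [KNOWN[day % 8], KNOWN[(day + 3) % 8]]
        if day % 5 == 0:
            rcpts.append(f"contact{day}@partner.example")
        msgs.append((SENDER, day, rcpts))
    msgs.append((SENDER, 60, [KNOWN[0], KNOWN[1]]))                                  # routine
    msgs.append((SENDER, 61, [KNOWN[2], "vendor@partner.example"]))                  # one new contact, normal
    msgs.append((SENDER, 62, [f"victim{i}@external.example" for i in range(40)]))     # phishing blast
    return msgs


def daily_counts(msgs: List[Message]) -> Dict[str, Dict[int, List[int]]]:
    """sender -> day -> [new_recipients, total_recipients], walking forward in time so
    'new' means never seen from this sender on any earlier message."""
    seen: Dict[str, set] = defaultdict(set)
    per_day: Dict[str, Dict[int, List[int]]] = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for sender, day, rcpts in sorted(msgs, key=lambda m: m[1]):
        new = [r for r in rcpts if r not in seen[sender]]
        per_day[sender][day][0] += len(new)
        per_day[sender][day][1] += len(rcpts)
        seen[sender].update(rcpts)
    return per_day


def fit_baseline(per_day: Dict[str, Dict[int, List[int]]], sender: str, k: float = K) -> Dict[str, float]:
    """Upper limits = mean + k * stdev over the training window (days with no mail count as 0)."""
    days = range(WARMUP_DAYS, TRAIN_DAYS)
    new_series = [per_day[sender].get(d, [0, 0])[0] for d in days]
    total_series = [per_day[sender].get(d, [0, 0])[1] for d in days]
    return {
        "new_limit": mean(new_series) + k * pstdev(new_series),
        "total_limit": mean(total_series) + k * pstdev(total_series),
    }


def score(per_day: Dict[str, Dict[int, List[int]]], baseline: Dict[str, float], sender: str) -> List[dict]:
    """Alert on post-training days; both limits exceeded => high confidence."""
    alerts = []
    for day in sorted(d for d in per_day[sender] if d >= TRAIN_DAYS):
        new, total = per_day[sender][day]
        new_hit = new > baseline["new_limit"]
        total_hit = total > baseline["total_limit"]
        if new_hit or total_hit:
            alerts.append({"sender": sender, "day": day, "new": new, "total": total,
                           "confidence": "high" if new_hit and total_hit else "medium"})
    return alerts


def run_example() -> Tuple[Dict[str, float], List[dict]]:
    per_day = daily_counts(build_messages())
    baseline = fit_baseline(per_day, SENDER)
    return baseline, score(per_day, baseline, SENDER)


if __name__ == "__main__":
    baseline, alerts = run_example()
    print("baseline limits:", baseline)
    for a in alerts:
        print("ALERT", a)
```

Day 61 (two recipients, one of them new) stays under both limits; day 62 exceeds both and produces a single high-confidence alert. Because the seen set keeps growing during scoring, a new contact is counted once and is not "new" again the next day.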
• 84. Key Takeaways
• Machine Learning is an evolution in the tools available to us
• ML is not one thing; it is many different types of things that can be applied to different types of problems
• ML applications and techniques vary, so like any other tool, it helps to use the right tool for the right problem space
• SIEM platforms are adding capabilities that support ML algorithms and make our life easier
• 85. Machine Learning in Splunk ITSI
Adaptive Thresholding:
• Learn baselines & dynamic thresholds
• Alert & act on deviations
• Manage for 1000s of KPIs & entities
• Stdev/Avg, Quartile/Median, Range
Anomaly Detection:
• Find “hiccups” in expected patterns
• Catches deviations beyond thresholds
• Uses advanced proprietary algorithm
• 86. User Behavior Analytics (UBA) in Splunk
• Understand normal & anomalous behaviors for ALL users
• UBA detects advanced cyberattacks and malicious insider threats
• Lots of ML under the hood:
– Behavior Baselining & Modeling
– Anomaly Detection (30+ models)
– Advanced Threat Detection
• E.g., Data Exfil Threat:
– “Saw this strange login & data transfer for user mpittman at 3am in China…”
– Surface threat to SOC Analysts
• 87. Splunk Machine Learning Toolkit
Assistants: Guide model building, testing & deployment for common objectives
Showcases: Interactive examples for typical IT, security, business, IoT use cases
SPL ML Commands: New commands to fit, test and operationalize models
Python for Scientific Computing Library: 300+ open source algorithms available for use
Build custom analytics for any use case
• 89. Reference
• https://conf.splunk.com/sessions/2016-sessions.html
• https://conf.splunk.com/files/2016/slides/demystifying-machine-learning-and-anomaly-detection-practical-applications-in-splunk-for-insider-threat-detection-and-security-analytics.pdf
• https://conf.splunk.com/files/2016/slides/solve-big-problems-with-machine-learning.pdf
• https://conf.splunk.com/files/2016/slides/a-very-brief-introduction-to-machine-learning-for-itoa.pdf
• https://www.slideshare.net/eburon/machine-learning-security-ibm-seoul-compressed-version
• www.prelert.com
• www.MLsecproject.org