Jisheng Wang at AI Frontiers: Deep Learning in Security
TRANSCRIPT
Deep Learning In Security: An Empirical Example in User & Entity Behavior Analytics (UEBA)
Jisheng Wang, Min-Yi Shen
© 2016 Niara Inc. All Rights reserved. Proprietary and Confidential
Jisheng Wang, Chief Scientist at Niara
• Over 12 years of experience applying machine learning and big data technology to security
• Ph.D. from Penn State – ML in security with 100GB data
• Technical Leader at Cisco – Security Intelligence Operations (SIO) with 10B/day
• Leads the overall big data analytics innovation and development at Niara
Niara
• Recognized leader by Gartner in user and entity behavior analytics (UEBA)
• Re-invents enterprise security analytics for attack detection and incident response
ME, US
USER & ENTITY BEHAVIOR ANALYTICS
• UEBA SECURITY: why this matters
• UEBA SOLUTION: how to detect attacks before damage is done
• BEYOND DEEP LEARNING: how to build a comprehensive solution
YOU ARE HERE
PROBLEM: THE SECURITY GAP
[Chart: SECURITY SPEND, prevention & detection (US $B), alongside DATA BREACHES, # breaches]
PROBLEM: CAUSE OF THE GAP
• ATTACKERS: ARE QUICKLY INNOVATING & ADAPTING
• BATTLEFIELD: WITH IOT AND CLOUD, SECURITY IS BORDERLESS
PROBLEM: ADDRESSING THE CAUSE
• ATTACKERS: ARE QUICKLY INNOVATING & ADAPTING
• DEEP LEARNING: SOLUTIONS MUST BE RESPONSIVE TO CHANGES
PROBLEM: ADDRESSING THE CAUSE
• BATTLEFIELD: WITH IOT AND CLOUD, SECURITY IS BORDERLESS
• INSIDER BEHAVIOR: LOOK AT BEHAVIOR CHANGE OF INSIDE USERS AND MACHINES
USER & ENTITY BEHAVIOR ANALYTICS (UEBA)
MACHINE LEARNING DRIVEN BEHAVIOR ANALYTICS IS A NEW WAY TO COMBAT ATTACKERS
1. Machine driven, not only human driven
2. Detect compromised users, not only attackers
3. Post-infection detection, not only prevention
REAL WORLD NEWSWORTHY EXAMPLES
• COMPROMISED: 40 million credit cards were stolen from Target's servers. STOLEN CREDENTIALS
• NEGLIGENT: DDoS attack from 10M+ hacked home devices took down major websites. ALL USED THE SAME PASSWORD
• MALICIOUS: Edward Snowden stole more than 1.7 million classified documents. INTENDED TO LEAK INFORMATION
USER & ENTITY BEHAVIOR ANALYTICS
• UEBA SECURITY: why this matters
• UEBA SOLUTION: how to detect attacks before damage is done
• BEYOND DEEP LEARNING: how to build a comprehensive solution
YOU ARE HERE
REAL WORLD ATTACKS CAUGHT BY NIARA
• SCANNING ATTACK: scan servers in the data center to find out vulnerable targets. DETECTED WITH AD LOGS
• EXFILTRATION OF DATA: upload a large file to cloud server hosted in new country never accessed before. DETECTED WITH WEB PROXY LOGS
• DATA DOWNLOAD: download data from internal document repository which is not typical for the host. DETECTED WITH NETWORK TRAFFIC
BEHAVIOR ENCODING – USER
[Figure panels: User 1, User 2]
BEHAVIOR ENCODING – USER VS MACHINE
[Figure panels: User, Machine]
BEHAVIOR ANOMALY: USER | EXFILTRATION
[Figure panels: User – Before Compromise, User – Post Compromise]
BEHAVIOR ANOMALY: MACHINE | DATA DOWNLOAD
[Figure panels: Dropcam – Before Compromise, Dropcam – Post Compromise]
BEHAVIOR DETECTION ARCHITECTURE
[Diagram labels: Stream Data Pre-processing; Behavior Encoding; Input Data; User Activities; Labeled User Behavior Repository; Apache Spark; Behavior Anomaly Detection; CNN Training; Behavior Classifier; Tensorflow]
CNN – COMPUTATION GRAPH
Feature Extraction:
• Behavior Image (24x60x9)
• 8x20 Convolution → Feature Maps (24x60x40)
• 2x2 Pooling → Feature Maps (12x30x40)
• 4x10 Convolution → Feature Maps (12x30x80)
• 2x2 Pooling → Feature Maps (6x15x80)
Classification:
• Fully Connected, 1024 Nodes, Fully Connected with Dropout, Output Layer, User Labels
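The feature-map sizes on the computation-graph slide can be checked mechanically. The following added example (not code from the talk or from Niara) propagates the 24x60x9 behavior image through the listed layers and counts trainable weights; stride-1 convolutions, a single 1024-node hidden layer and the label count `n_labels` are assumptions.

```python
# Added example (not from the talk): shape and weight bookkeeping for the
# CNN on the slide. Assumptions: stride-1 convolutions, non-overlapping
# pooling, a single 1024-node hidden layer, and a hypothetical label count.

SLIDE_SHAPES = [(24, 60, 40), (12, 30, 40), (12, 30, 80), (6, 15, 80)]

def conv(shape, kh, kw, out_ch, padding):
    """Return (output shape, trainable parameters) of a stride-1 convolution."""
    h, w, in_ch = shape
    if padding == "valid":          # no zero padding: the map shrinks
        h, w = h - kh + 1, w - kw + 1
    elif padding != "same":
        raise ValueError("padding must be 'same' or 'valid'")
    if h <= 0 or w <= 0:
        raise ValueError("kernel larger than input")
    return (h, w, out_ch), kh * kw * in_ch * out_ch + out_ch

def pool(shape, k=2):
    """k x k pooling with stride k; it has no trainable parameters."""
    h, w, ch = shape
    if h % k or w % k:
        raise ValueError("map size is not divisible by the pooling window")
    return (h // k, w // k, ch), 0

def dense(n_in, n_out):
    """Fully connected layer: weights plus one bias per output node."""
    return n_out, n_in * n_out + n_out

def trace(padding="same", n_labels=100):   # n_labels is a constructed value
    """Walk the slide's layers; return (feature-map shapes, params per layer)."""
    shapes, params = [], {}
    x = (24, 60, 9)                          # behavior image from the slide
    for name, step in [("conv 8x20", lambda s: conv(s, 8, 20, 40, padding)),
                       ("pool 1", pool),
                       ("conv 4x10", lambda s: conv(s, 4, 10, 80, padding)),
                       ("pool 2", pool)]:
        x, params[name] = step(x)
        shapes.append(x)
    flat = x[0] * x[1] * x[2]                # flattened feature maps
    hidden, params["fc 1024"] = dense(flat, 1024)
    _, params["output"] = dense(hidden, n_labels)
    return shapes, params

if __name__ == "__main__":
    shapes, params = trace("same")
    print("matches slide:", shapes == SLIDE_SHAPES)
    for name, n in params.items():
        print(f"{name:10s} {n:>9,d}")
```

Only zero-padded ("same") convolutions reproduce the 24x60x40 and 12x30x80 maps on the slide; unpadded convolutions fail at the first pooling step. Under these assumptions the first fully connected layer holds most of the weights.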
CNN – PROGRESSION OF TRAINING ERROR
[Plot: Training Error vs. # of minibatches (100 profiles/batch)]
USER & ENTITY BEHAVIOR ANALYTICS
• UEBA SECURITY: what is UEBA
• UEBA SOLUTION: infrastructure needed for deep learning
• BEYOND DEEP LEARNING: how to build a comprehensive solution
YOU ARE HERE
BEYOND DEEP LEARNING: ENSEMBLE LEARNING
Behavioral Analytics:
• Internal Resource Access: Finance servers
• Authentication: AD logins
• Remote Access: VPN logins
• External Activity: C&C, personal email
• SaaS Activity: Office 365, Box
• Cloud IaaS: AWS, Azure
• Physical Access: badge logs
• Exfiltration: DLP, Email
Ensemble approach using a mix of different models over various types of behaviors from the same entity
BEYOND DEEP LEARNING: REINFORCEMENT LEARNING
[Diagram labels: Models; Alerts; User Feedback; Interactive Learning; Local Context; Input Data; Self Learning; Initial Parameters]
USER & ENTITY BEHAVIOR ANALYTICS
• UEBA SECURITY: what is UEBA
• UEBA SOLUTION: infrastructure needed for deep learning
• BEYOND DEEP LEARNING: how to build a comprehensive solution
Thank You