Machine Learning & Security. Detect atypical behaviour in logs
The more experiments you make, the better
All these busters!
The data is correct, sir...
It must be here somewhere… I’ve seen it!
We have a great solution for you!
How it works? Magic?
1. Clean out log file
2. Prepare data for clusterization
3. Clusterize data
4. “Picture of Normality”
5. Doing some Machine Learning magic ;)
Now it’s clean and nice like baby’s ass!
You see words. I see numbers.
AppInfo connection accepted DeviceName TCPPid IPAddr Port Device Controller
Stopping SdlTCPConnection:
AppInfo RISCMAccess DeviceTransientConnection
AppInfo Closing Station connection Error Description transition defined input
AppInfo StationInit EnblocCall calledParty
0.4567 0.4756 0.4070 0.4023 0.2546 0.5879 0.3546 0.5467 0.4568 0.6543 0.3684 0.2365 0.3456 0.3654 0.2468 0.6734 0.3756 0.5867 0.1465 0.7845 0.3765 0.2365 0.7986 0.3463 0.4768 0.3758 0.4976 0.3756
I don’t need that piece of junk!
score() = effectiveness / % of features
junk
Total annihi… Clusterization!
KNN algorithm(K Nearest Neighbors)
No train no gain.
picture of normality
Freeze! You’re busted, buddy. I’m a cop.
Detected anomalies
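The five steps above and the "words to numbers", feature-scoring, KNN and "picture of normality" slides describe a pipeline without showing any code. The block below is an added example, not the speaker's code, that implements one reading of that pipeline in plain Python (standard library only): clean each line into tokens, score features and drop junk, vectorize, build a picture of normality from a trusted baseline, then flag new lines whose mean cosine distance to their k nearest normal lines exceeds anything seen in the baseline. The log lines, the hostname cucm01, the feature-scoring rule (tokens present in every baseline line are junk) and the threshold rule are all assumptions constructed for this example.

```python
import math
import re
from collections import Counter

# Constructed baseline log lines, loosely modelled on the call-manager style messages
# quoted on the slides. Not from any real system; they are the trusted "normal" sample.
BASELINE_LOG = [
    "2024-01-10 08:00:01 cucm01 AppInfo connection accepted DeviceName SEP0001 TCPPid 10.0.0.11 Port 2000 Device Controller",
    "2024-01-10 08:00:02 cucm01 AppInfo connection accepted DeviceName SEP0002 TCPPid 10.0.0.12 Port 2000 Device Controller",
    "2024-01-10 08:00:05 cucm01 Stopping SdlTCPConnection: DeviceName SEP0001",
    "2024-01-10 08:00:07 cucm01 AppInfo RISCMAccess DeviceTransientConnection DeviceName SEP0003",
    "2024-01-10 08:00:09 cucm01 AppInfo Closing Station connection Error Description transition defined input",
    "2024-01-10 08:00:11 cucm01 AppInfo StationInit EnblocCall calledParty 1001",
    "2024-01-10 08:00:12 cucm01 AppInfo StationInit EnblocCall calledParty 1002",
    "2024-01-10 08:00:15 cucm01 AppInfo connection accepted DeviceName SEP0004 TCPPid 10.0.0.13 Port 2000 Device Controller",
    "2024-01-10 08:00:17 cucm01 Stopping SdlTCPConnection: DeviceName SEP0002",
    "2024-01-10 08:00:20 cucm01 AppInfo RISCMAccess DeviceTransientConnection DeviceName SEP0001",
]

# Constructed lines to score: two ordinary ones and one that does not fit the picture.
NEW_LOG = [
    "2024-01-11 09:00:01 cucm01 AppInfo connection accepted DeviceName SEP0009 TCPPid 10.0.0.21 Port 2000 Device Controller",
    "2024-01-11 09:00:03 cucm01 AppInfo StationInit EnblocCall calledParty 1009",
    "2024-01-11 09:00:04 cucm01 Authentication failed for user admin from 203.0.113.9 attempt 37",
]

TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
NUMBER = re.compile(r"\b\d+\b")


def clean(line):
    """Step 1: drop the timestamp and fold variable fields (addresses, bare numbers) into
    placeholder tokens, so lines that differ only in those fields look identical."""
    line = TIMESTAMP.sub("", line.strip())
    line = IPV4.sub(" <ip> ", line)       # run before NUMBER so octets are not split
    line = NUMBER.sub(" <num> ", line)
    return re.findall(r"<ip>|<num>|[a-z]+", line.lower())


def select_features(docs):
    """Step 2: score every token by the share of baseline lines containing it. A token
    present in every line separates nothing and is junk (assumed reading of the slide's
    score() = effectiveness / % of features); the rest become the vocabulary."""
    n = len(docs)
    df = Counter(tok for doc in docs for tok in set(doc))
    junk = {tok for tok, c in df.items() if c / n == 1.0}
    vocab = sorted(tok for tok in df if tok not in junk)
    return vocab, junk


def vectorize(doc, vocab, junk):
    """Words to numbers: a unit-length token-frequency vector over the vocabulary. Tokens
    never seen in the baseline are pooled into one out-of-vocabulary slot, so a line made
    of new words ends up far from every normal line."""
    index = {tok: i for i, tok in enumerate(vocab)}
    vec = [0.0] * (len(vocab) + 1)          # last slot = out-of-vocabulary count
    for tok in doc:
        if tok not in junk:
            vec[index.get(tok, len(vocab))] += 1.0
    norm = math.sqrt(sum(v * v for v in vec)) or 1.0
    return [v / norm for v in vec]


def cosine_distance(a, b):
    return max(0.0, 1.0 - sum(x * y for x, y in zip(a, b)))


def knn_score(vec, normal_vecs, k):
    """Step 3: mean distance to the k nearest normal vectors (distance-based k-NN outlier
    score: close to the crowd is normal, far from everyone is atypical)."""
    dists = sorted(cosine_distance(vec, n) for n in normal_vecs)
    return sum(dists[:k]) / k


def picture_of_normality(baseline_lines, k=3):
    """Step 4: the model of normal behaviour: vocabulary, normal vectors and a threshold
    equal to the largest leave-one-out score any baseline line gets."""
    docs = [clean(line) for line in baseline_lines]
    vocab, junk = select_features(docs)
    vecs = [vectorize(d, vocab, junk) for d in docs]
    loo = [knn_score(v, vecs[:i] + vecs[i + 1:], k) for i, v in enumerate(vecs)]
    return {"vocab": vocab, "junk": junk, "vectors": vecs, "k": k, "threshold": max(loo)}


def detect_anomalies(model, lines):
    """Step 5: score new lines against the picture and return (line, score) above threshold."""
    found = []
    for line in lines:
        vec = vectorize(clean(line), model["vocab"], model["junk"])
        score = knn_score(vec, model["vectors"], model["k"])
        if score > model["threshold"]:
            found.append((line, round(score, 3)))
    return found


if __name__ == "__main__":
    model = picture_of_normality(BASELINE_LOG)
    print(f"junk features: {sorted(model['junk'])}, threshold: {model['threshold']:.3f}")
    for line, score in detect_anomalies(model, NEW_LOG):
        print(f"ANOMALY {score}: {line}")
```

The threshold is only as good as the baseline: one odd-but-legitimate line in the training sample raises the bar for everything, and an attacker's activity left in the baseline would be learned as normal. That is why the "clean out log file" step comes first and why the baseline should be a reviewed, trusted window rather than whatever the log happened to contain.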
I’m watching you, losers
Let me look at you closer, boy
$ nc 202.41.76.251 80
nmap -A -T4 74.207.244.221
nikto -verbose -host google.com
When in doubt, use brute force
BruteForcing
It’s not a DDoS, it’s an “Aggressive Scan”!
DDoS attacks
Smart? Dumb? What do you prefer?
import socket

# IP and PORT: the slide leaves the target values unspecified
for fuzz in range(255):
    # one byte of the packet is varied on each iteration (bytes, not str, for Python 3)
    packet = b'\x80\x00\x00' + bytes([fuzz]) + b'\x01\x00\x00\x00'
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # 1 == SOCK_STREAM
    sock.connect((IP, PORT))
    sock.send(packet)
    sock.close()
FUZZING
Money talks. But all mine ever says is “Bye!”
Suspicious financial transactions
What do you mean I owe you 10.000 $ ???
Toll fraud
C’mon, kid, I’ll show you smth bad