FIGHTING DOMAIN GENERATION ALGORITHMS (DGAS) WITH MACHINE LEARNING GPU Technical Conference: Spring 2018 – San Jose, CA Speakers: Greg McCullough and Aaron Sant-Miller MARCH 28, 2018 Collaboration space, Alexandria, VA
CYBER ATTACKS ARE HARD TO DETECT AND REQUIRE MULTIPLE MODELS, INFORMED BY CYBER EXPERTISE Today, the average cyber breach is detected more 250 days after the intrusion . That leaves adversaries 250 days to steal data, compromise the network, and create more open attack vectors to disrupt the mission. The Challenges 1. Increasing reliance on IT systems, and the development of new systems, expands the attack surface every day. 2. The cyber domain and our adversaries are rapidly evolving, where the defenses of yesterday are quickly outdated. 3. The technical depth of the domain is significant, demanding high end technical talent to just understand the problem. We can effectively fight cyber adversaries with intelligent automation and machine learning, decreasing the time to intrusion detection. Effective cyber defense with machine learning and automation is not built on data science skill alone. Cyber expertise must be fused with data science and software development tradecraft. Booz Allen’s Cyber Precog: Network speed alerting through cyber-informed ML model ensembling Our DGA use case: 1. Optimized DL Edge Models – live at the edge, examine all DNS traffic, and flag logs that may have a malicious domain 2. Bayesian Behavioral Models – develop behavioral baselines for endpoints, and alert analysts when an endpoint navigates to a dangerous domain and deviates from its established behavioral baseline Proven, deployed, and operational capability and service offering. We’ll walk through an adware campaign we caught last week for one of our partners. 2 Booz Allen Hamilton
AGENDA WHO WE ARE: BOOZ ALLEN CYBER AND DATA SCIENCE THE CHALLENGES OF CYBER DEFENSE DGAS AND AI-ENABLED DEFENSIVE TACTICS DEEP LEARNING ON MALICIOUS DOMAINS ADAPTIVE BAYESIAN LEARNING FOR BETTER ALERTING CYBER PRECOG : VIDEO DEMONSTRATION BOOZ ALLEN CYBER: OUR AI-ENABLED FUTURE STATE 3 Booz Allen Hamilton Internal
BOOZ ALLEN HAMILTON: WHO WE ARE Greg McCullough: Director of Cyber Machine Intelligence Greg McCullough is the Director of Cyber Machine Intelligence Capability Development at Booz Allen Hamilton. He has over ten years of experience developing cyber capabilities across the Defense market, while building, deploying, and scaling government custom products and solutions focused on securing networks and IT systems. Most recently, he has driven compliance automation and key cyber integrations across the entire Federal market. He holds a BS in Computer Science from Butler University, a BS in Electrical Engineering from Purdue University, and an MS in Computer Science from George Washington University. Aaron Sant-Miller: Lead Data Scientist Aaron Sant-Miller is a Lead Data Scientist at Booz Allen Hamilton with a specialization in applied mathematics, machine learning, and statistical modeling. He has architected, developed, and deployed data science solutions and machine learning suites across a wide-range of domains, including tax fraud detection, climate science trend forecasting, cybersecurity risk scoring, and professional athlete performance prediction. Aaron’s current areas of research are focused on Bayesian modeling design, synthetic data generation, and neural network-based time series modeling. He holds a BS and an MS in Applied and Computational Mathematics and Statistics from the University of Notre Dame. About Booz Allen Hamilton Cyber For more than 100 years, business, government, and military leaders have turned to Booz Allen Hamilton to solve their most complex problems. We are at the forefront of the cyber frontier, relentlessly pursuing innovative solutions that make the world a safer place to live, serve, and do business. With decades of mission intelligence combined with the most advanced tools available, we prote ct industry and government against the attacks of today, and prepare them for the threats of tomorrow. To learn more, visit BoozAllen.com. 4 Booz Allen Hamilton
BOOZ ALLEN DELIVERS SOLUTIONS WITH A FUSION OF CYBER EXPERTISE AND DATA SCIENCE TRADECRAFT Booz Allen works to fuse capability offerings across domains to maximize solution impact Cybersecurity Data science Cyber defense Analytics driven by Booz Allen Cyber ML operations statistical rigor Capability Offerings Cyber engineering Computational and integration optimization Cybersecurity Machine learning compliance model engineering 5 Booz Allen Hamilton
EVOLVING CHALLENGES IN CYBERSECURITY DEMAND CREATIVE AND INTELLIGENT DEFENSIVE POSTURE Cyber attacks can cause significant damage Cyber compromises are having real financial and physical impacts at an organizational and individual level. Creative adversaries have the ability to compromise an endpoint, access a network, steal and ransom data or accounts, and dangerously expose personal information to the open market. Many recent high profile attacks demonstrate this impact. An Evolving Landscape of Challenges Attack surfaces are rapidly expanding – growing dependence on IT systems and rapidly evolving novel technologies expose our networks in new ways while increasing our dependence on vulnerable systems The work force is saturated – adding more bodies to defensive efforts no longer improves defense due to a lack of cyber talent and diminished returns from increased human labor and manual defensive tactics Organizations are inundated with cyber tools – well-funded organizations have the money to buy new cyber tools and do so, but they are unable to effectively manage or integrate the capabilities of these tools Attackers are talented and increasingly more sophisticated – adversaries are getting more creative, developing dynamic attacks that can circumvent existing rules-driven and structurally-defined cyber defenses An evolving landscape demands innovation and creative, new defensive tactics to advance defensive posture in a challenging and impactful cyber warzone. --- This is the Booz Allen Cyber Mission --- 6 Booz Allen Hamilton
DGAS EXEMPLIFY TRANSFORMATIVE ADVERSARIAL TACTICS THAT DEMAND INNOVATIVE AND ADAPTIVE CYBER DEFENSE New tactics demand new defenses Adversaries have developed creative tactics that easily circumvent rules-based defenses. To counter more adaptive attack methods, we must develop our own adaptive and innovative techniques to prevent attacks that transform every minute. Machine learning and AI enable our defenses to evolve and react to new tactics in real time, hardening our defenses. X AI Defense Security Compromise Adversaries Adversaries Rules Adaptable defense counters adaptive offense Domain Generation Algorithms (DGAs) are algorithms that can rapidly create a large number of domain names that act as a midpoint between a user and malware. ➢ Ever-changing and adaptive: Algorithms can rapidly generate new domains of new structures with regularity ➢ Inconspicuous at the surface-level: Algorithms can concatenate dictionary words or normative character patterns ➢ Large in number and historically tagged: Large pools of known DGAs are available and have been reverse engineered To defend against DGAs: • Defenses must understand underlying domain This is an ideal use case for characteristics, but also evolve and adapt rapidly We have at our disposal: AI-powered cyber defense • Large amounts of tagged data from uncovered and reverse engineered DGAs 7 Booz Allen Hamilton
CNNS AND LSTMS ARE PROVEN SOLUTIONS, WHERE GPUS ENABLE INLINE MODEL INFERENCE AT NETWORK SPEED Proven DL capabilities are the building blocks Academic research and our Booz Allen deployments have proven the efficacy of these models in implementation and test. When trained at scale, deep neural networks can learn the underlying framework used by a DGA to build out a breadth of malicious domains, moving beyond memorization of “known bads ” toward an understanding of adversarial toolkits Proven Model Architectures 1 Training Approach Optimized Hardware Deployment Both the LSTM and the CNN use Fuses multiple approaches into • Lives on one NVIDIA DGX-1, across 8 GPUs simple, lightweight architectures a complete learning scheme • Deployed and scaled using MXNet framework (see Yu et al 2007) 1. Offline training: Bambenek • Proven to handle 3.5 GB/s throughput • Capable of powerful DGA Dataset (4M) Performance performance in holdout test 2. Automated Update: Open- • Simplicity allows for rapid web intel collection • 97 percent holdout balanced accuracy inference at network speed 3. Network Tailoring • Proven detection in network deployments 1. Yu et al. (2017). “Inline DGA Detection with Deep Networks.” IEEE International Conference on Data Mining. http://doi.org/10.1109/ICDMW.2017.96 8 Booz Allen Hamilton
Recommend
More recommend
