Jisheng Wang at AI Frontiers: Deep Learning in Security


Transcript of Jisheng Wang at AI Frontiers: Deep Learning in Security

Page 1

Deep Learning In Security: An Empirical Example in User & Entity Behavior Analytics (UEBA)

Jisheng Wang, Min-Yi Shen

Page 2

© 2016 Niara Inc. All Rights reserved. Proprietary and Confidential

Jisheng Wang, Chief Scientist at Niara

• Over 12 years of experience applying machine learning and big data technology to security

• Ph.D. from Penn State – ML in security with 100GB of data

• Technical Leader at Cisco – Security Intelligence Operations (SIO) with 10B/day

• Leads the overall big data analytics innovation and development at Niara

Niara

• Recognized by Gartner as a leader in user and entity behavior analytics (UEBA)

• Re-inventing enterprise security analytics for attack detection and incident response

Page 3

USER & ENTITY BEHAVIOR ANALYTICS

UEBA SECURITY: why this matters

UEBA SOLUTION: how to detect attacks before damage is done

BEYOND DEEP LEARNING: how to build a comprehensive solution

Page 4

PROBLEM: THE SECURITY GAP

[Chart: security spend on prevention & detection (US $B) plotted against the number of data breaches]

Page 5

PROBLEM: CAUSE OF THE GAP

ATTACKERS: ARE QUICKLY INNOVATING & ADAPTING

BATTLEFIELD: WITH IOT AND CLOUD, SECURITY IS BORDERLESS

Page 6

PROBLEM: ADDRESSING THE CAUSE

ATTACKERS: ARE QUICKLY INNOVATING & ADAPTING

DEEP LEARNING: SOLUTIONS MUST BE RESPONSIVE TO CHANGES

Page 7

PROBLEM: ADDRESSING THE CAUSE

BATTLEFIELD: WITH IOT AND CLOUD, SECURITY IS BORDERLESS

INSIDER BEHAVIOR: LOOK AT BEHAVIOR CHANGE OF INSIDE USERS AND MACHINES

Page 8

USER & ENTITY BEHAVIOR ANALYTICS (UEBA)

MACHINE LEARNING DRIVEN BEHAVIOR ANALYTICS IS A NEW WAY TO COMBAT ATTACKERS

1. Machine driven, not only human driven

2. Detect compromised users, not only attackers

3. Post-infection detection, not only prevention

Page 9

REAL WORLD NEWS WORTHY EXAMPLES

• COMPROMISED: 40 million credit cards were stolen from Target's servers (STOLEN CREDENTIALS)

• NEGLIGENT: DDoS attack from 10M+ hacked home devices took down major websites (ALL USED THE SAME PASSWORD)

• MALICIOUS: Edward Snowden stole more than 1.7 million classified documents (INTENDED TO LEAK INFORMATION)

Page 10

USER & ENTITY BEHAVIOR ANALYTICS

UEBA SECURITY: why this matters

UEBA SOLUTION: how to detect attacks before damage is done

BEYOND DEEP LEARNING: how to build a comprehensive solution

Page 11

REAL WORLD ATTACKS CAUGHT BY NIARA

• SCANNING ATTACK: scanning servers in the data center to find vulnerable targets (DETECTED WITH AD LOGS)

• EXFILTRATION OF DATA: upload of a large file to a cloud server hosted in a new country never accessed before (DETECTED WITH WEB PROXY LOGS)

• DATA DOWNLOAD: download of data from an internal document repository, which is not typical for the host (DETECTED WITH NETWORK TRAFFIC)

Page 12

BEHAVIOR ENCODING – USER

[Behavior images: User 1 vs. User 2]

Page 13

BEHAVIOR ENCODING – USER VS MACHINE

[Behavior images: User vs. Machine]

Page 14

BEHAVIOR ANOMALY: USER | EXFILTRATION

[Behavior images: User – Before Compromise vs. User – Post Compromise]

Page 15

BEHAVIOR ANOMALY: MACHINE | DATA DOWNLOAD

[Behavior images: Dropcam – Before Compromise vs. Dropcam – Post Compromise]

Page 16

BEHAVIOR DETECTION ARCHITECTURE

[Diagram, components as labeled:]

• Stream Data Pre-processing and Behavior Encoding (Apache Spark): Input Data → User Activities → Labeled User Behavior Repository

• Behavior Anomaly Detection (Tensorflow): CNN Training → Behavior Classifier

Page 17

CNN – COMPUTATION GRAPH

Feature Extraction:

• Behavior Image (24x60x9)

• 8x20 Convolution → Feature Maps (24x60x40)

• 2x2 Pooling → Feature Maps (12x30x40)

• 4x10 Convolution → Feature Maps (12x30x80)

• 2x2 Pooling → Feature Maps (6x15x80)

Classification:

• Fully Connected (1024 Nodes)

• Fully Connected with Dropout

• Output Layer → User Labels
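The behavior-encoding step (pages 12 and 13) and the feature-extraction shapes of the computation graph above, as an added example that is not Niara's code: the nine channel names and the two sample days are constructed, 'same' padding is inferred from the slide's 24x60x9 → 24x60x40 step, and the cosine comparison is only a simplified stand-in for the CNN classifier the deck trains, not its method.

```python
import math

# ASSUMPTION: the slide gives only the behavior-image size 24x60x9 (hour x
# minute x channel); these nine channel names are constructed, not Niara's.
CHANNELS = ["ad_login", "vpn_login", "file_share", "finance_srv", "web_proxy",
            "saas", "cloud_iaas", "badge", "email"]

# Constructed sample days as (hour, minute, channel) events.
BASELINE_DAY = [(8, 5, "badge"), (8, 7, "ad_login"), (9, 30, "file_share"),
                (13, 12, "saas"), (17, 45, "email")]
ANOMALOUS_DAY = [(2, 10, "vpn_login"), (2, 15, "finance_srv"), (2, 20, "web_proxy"),
                 (2, 25, "web_proxy"), (2, 30, "web_proxy")]

def encode_day(events, channels=CHANNELS):
    """Encode one day of activity into a 24x60xC count grid (the 'behavior image')."""
    idx = {c: i for i, c in enumerate(channels)}
    img = [[[0] * len(channels) for _ in range(60)] for _ in range(24)]
    for hour, minute, chan in events:
        img[hour][minute][idx[chan]] += 1
    return img

def image_shape(img):
    return (len(img), len(img[0]), len(img[0][0]))

# Feature-extraction layers as listed on the slide. The 24x60x9 -> 24x60x40
# step shows the convolutions keep spatial size ('same' padding).
LAYERS = [("conv", (8, 20), 40), ("pool", (2, 2), None),
          ("conv", (4, 10), 80), ("pool", (2, 2), None)]

def propagate(hwc, layers=LAYERS):
    """Feature-map shape after each layer; the last is flattened for the 1024-node FC layer."""
    h, w, c = hwc
    shapes = []
    for kind, size, filters in layers:
        if kind == "conv":
            c = filters                        # 'same' padding: H and W unchanged
        else:
            h, w = h // size[0], w // size[1]  # non-overlapping pooling halves H and W
        shapes.append((h, w, c))
    return shapes

def cosine_distance(img_a, img_b):
    """Simplified stand-in for the trained classifier: 1 - cosine similarity of flattened images."""
    a = [v for row in img_a for cell in row for v in cell]
    b = [v for row in img_b for cell in row for v in cell]
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(y * y for y in b))
    return 1.0 - dot / (na * nb) if na and nb else 1.0
```

The flattened 6x15x80 map (7200 values) is what feeds the 1024-node fully connected layer on the slide.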

Page 18

CNN – PROGRESSION OF TRAINING ERROR

[Plot: Training Error (y-axis) vs. # of minibatches (100 profiles/batch) (x-axis)]

Page 19

USER & ENTITY BEHAVIOR ANALYTICS

UEBA SECURITY: what is UEBA

UEBA SOLUTION: infrastructure needed for deep learning

BEYOND DEEP LEARNING: how to build a comprehensive solution

Page 20

BEYOND DEEP LEARNING: ENSEMBLE LEARNING

Behavioral Analytics inputs (behavior type: example sources):

• Internal Resource Access: finance servers

• Authentication: AD logins

• Remote Access: VPN logins

• External Activity: C&C, personal email

• SaaS Activity: Office 365, Box

• Cloud IaaS: AWS, Azure

• Physical Access: badge logs

• Exfiltration: DLP, Email

Ensemble approach using a mix of different models over various types of behaviors from the same entity.

Page 21

BEYOND DEEP LEARNING: REINFORCEMENT LEARNING

[Diagram, components as labeled: Input Data and Initial Parameters feed the Models, which produce Alerts; two feedback loops are labeled Self Learning (from Local Context) and Interactive Learning (from User Feedback on alerts)]

Page 22

USER & ENTITY BEHAVIOR ANALYTICS

UEBA SECURITY: what is UEBA

UEBA SOLUTION: infrastructure needed for deep learning

BEYOND DEEP LEARNING: how to build a comprehensive solution

Page 23

Thank You