Transcript of: UBA with ML - Final NO Comments
Machine Learning for User Behavior Anomaly Detection
EUGENE NEYOLOV, HEAD OF R&D
AUTHOR
Eugene Neyolov, HEAD OF R&D
Security engineer and analyst leading applied research projects in security monitoring, threat detection and user behavior analytics.
Current Interests
• Building products for
• Cyber security with
• Data science and
• Hype
OUTLINE
• Why
  o ERP Security
  o User Behavior Analytics
  o Machine Learning
• What
  o Static Anomalies
  o Temporal Anomalies
• How
  o Data Preparation
  o Security Analytics
  o Security Data Science
  o Machine Learning
  o Anomaly Detection
ERP Security
ERP SECURITY: Blind Spot
• Endpoint security
• Network security
• Application security
• Intrusion detection
• Identity and access governance
• Business applications security
(Slide annotations: the first five items are grouped as "Infrastructure focused prevention/detection"; "Business applications security" is marked "Where a real ERP attack happens".)
ERP SECURITY: Sweet Target
(Diagram: Enterprises, running HR Management, Financial Accounting, Sales and Distribution, Materials Management, Quality Management, Production Planning, Plant Maintenance, Supply Chains, ..., and Attackers.)
User Behavior Analytics
USER BEHAVIOR ANALYTICS: Why?
• Legacy threat models
  o Users are the easiest attack vector
• Legacy incident monitoring
  o Infrastructure security focused analysis
• Legacy security alerts analysis
  o No business context enrichment
USER BEHAVIOR ANALYTICS: What?
• User security monitoring
• User-focused alert prioritization
• Advanced context enrichment
• User behavior vs. fraud analysis
  o UBA is about facts in the technical context
    - Developer must work with development server A but has accessed server B owned by the finance department
  o Fraud is about intentions in a business context
    - Salesman signs a contract with company A and not company B, because A is managed by a friend
USER BEHAVIOR ANALYTICS: How?
• Create a user-centered threat model
• Identify user-related data sources
• Build a user behavior baseline
• ???
• PROFIT!!!
Machine Learning
MACHINE LEARNING: Why?
• Escape postmortem rules and signatures
• Self-adjusted dynamic behavior patterns
• Find hidden patterns in user behavior
MACHINE LEARNING: What?
• ML tasks
  o Clustering
  o Regression
  o Classification
  o Anomaly detection
  o ...
• Learning patterns from data
  o Supervised learning with labeled data
  o Unsupervised learning without labeled data
  o Semi-supervised learning with tips from data or humans
  o Reinforcement learning with a performance feedback loop
  o ...
MACHINE LEARNING: What?
• ML model
  o Codebase
  o Features structure
  o Model parameters (learned)
  o Model hyperparameters (architecture)
• ML features
  o Categorical (classes)
  o Statistical (counts)
  o Empirical (facts)
  o Continuous
  o Binary
  o ...
MACHINE LEARNING: How?
(Pipeline diagram)
• Data Preparation: collect event data, normalize events, enrich events
• Security Analytics: categorize events, build threat models, map events to threats
• Security Data Science: map threats to algorithms, select and encode features, define quality requirements
• Machine Learning: build a model, train a model, optimize model parameters
• Anomaly Detection: feed real data, detect anomalies, prioritize anomalies
• Incident Analysis: user behavior analysis, peer group analysis, threat classification
Data Preparation
DATA SOURCES
• APIs
• Log files
• Databases
• Log archives
• Log management tools
• Security monitoring tools
• ...
DATA FORMATS
• Syslog
• Custom mess
• Random key-value
• Proprietary key-value (CEF, LEEF, ...)
• Other terrible options (JSON, CSV, ...)
DATA NORMALIZATION
• Understand that mess
  o When, Who, did What, Where from, Where to, on What
• Bring all formats to the same convention
  o Implement a built-in convertor for each format as a part of the solution (inside)
  o Create a separate convertor tool and treat it as the data source for the model (outside)
  o Build event storage that allows event fields mapping, like Splunk or ELK (infrastructure)
• Find duplicates and missing fields
  o One action generates several entries
  o System doesn't identify itself in its own logs
  o User's name is recorded, but not its IP (or vice versa)
DATA NORMALIZATION: BEFORE (SAP Security Audit Log ABAP)

```
2AU520180313113209000030400001D1nsalab SAP* SAPMSSY1 0001F&0 nsalab
2AUK20180313113209000030400001D1nsalab SAP* SAPMSSY1 0001SLO6&SAPLSLO6&RSAU_READ_FILE nsalab
2AU220180313114609002315800004D4MacBook-SAP* SESSION_MANAGER SAPMSYST 0001A&1 MacBook-Pro-Nursulta
2AU120180313114703002315800004D4MacBook-SAP* SESSION_MANAGER SAPMSYST 0011A&0&P MacBook-Pro-Nursulta
2AUW20180313114703002315800004D4MacBook-SAP* SESSION_MANAGER RSRZLLG0 0011RSRZLLG0& MacBook-Pro-Nursulta
2AUW20180313114703002315800004D4MacBook-SAP* SESSION_MANAGER RSRZLLG0_ACTUAL 0011RSRZLLG0_ACTUAL& MacBook-Pro-Nursulta
2AU320180313115152002316200008D8MacBook-SAP* SE16 SAPLSMTR_NAVIGATION 0011SE16 MacBook-Pro-Nursulta
2DU920180313115155002316200008D8MacBook-SAP* SE16 SAPLSETB 0011USR02&02&passed MacBook-Pro-Nursulta
```
DATA NORMALIZATION: AFTER (SAP Security Audit Log ABAP)

| Time | Title | User | Device | Action | Context 1 | Context 2 | Context 3 |
|---|---|---|---|---|---|---|---|
| 3/13/18 11:32 | RFC/CPIC Logon Successful | SAP* | nsalab | AU5 | F | 0 | |
| 3/13/18 11:32 | Successful RFC Call | SAP* | nsalab | AUK | SLO6 | SAPLSLO6 | RSAU_READ_FILE |
| 3/13/18 11:46 | Logon Failed | SAP* | MacBook-Pro-Nursulta | AU2 | A | 1 | |
| 3/13/18 11:47 | Logon Successful | SAP* | MacBook-Pro-Nursulta | AU1 | A | 0 | P |
| 3/13/18 11:51 | Transaction Started | SAP* | MacBook-Pro-Nursulta | AU3 | SE16 | | |
| 3/13/18 11:51 | Read Table | SAP* | MacBook-Pro-Nursulta | DU9 | USR02 | 2 | passed |
Security Analytics
ERP SECURITY LOGGING
• Common business application logging
  o Event time
  o Event type
  o Server info
  o User info
  o ...
ERP SECURITY LOGGING
• SAP tracks 50+ fields across 30+ log formats
  o SAP system ID (business entity)
  o client number (company sandbox inside a system)
  o names of processes, transactions, programs or functions (runtime data)
  o affected user, file, document, table, program or system (context data)
  o amount of inbound and outbound traffic (network data)
  o severity, outcome and error messages (status data)
  o device that forwarded the event (infrastructure data)
  o ...
ERP SECURITY LOGGING: SAP Security Audit Log ABAP
• Short list of important fields
  o Time
  o Event type, class
  o System type (log source)
  o System ID, server hostname and IP
  o User name, device hostname and IP
  o Executed program name (transaction, report, remote call)
THREAT MODEL: Use Cases
• 10+ Categories (why)
  o Data Exfiltration, Account Compromise, Regular Access Abuse, Privileged Access Abuse, ...
• 30+ Classes (what)
  o Data Transfer, Account Sharing, Password Attack, Privilege Escalation, Lateral Movement, ...
• 100+ Scenarios (how)
  o Login from multiple hosts, User upgrades its own privileges, Cover tracks via user deletion, ...
Security Data Science
ANOMALY TYPES
• Static anomalies
  o Unusual action (new or rare event)
  o Unusual context (server, device, ...)
  o ...
• Temporal anomalies
  o Unusual time
  o Unexpected event
  o Huge events volume
  o ...
ANOMALIES VS. THREATS
• Many anomalies are not malicious
• Anomalies are statistical deviations
• Big infrastructures always have anomalies
ANOMALIES VS. THREATS: Matrix Example

The first two columns are the threat model (category, class); the next three are temporal anomalies; the last three are static anomalies.

| Category | Class | Unusual action | Unusual time | Unusual volume | New action | New server | New device |
|---|---|---|---|---|---|---|---|
| Regular Access Abuse | Unauthorized Access | high | medium | low | high | medium | low |
| Regular Access Abuse | Account Sharing | low | medium | high | low | medium | high |
| Account Compromise | Password Attack | medium | low | high | low | high | high |
| Account Compromise | Privilege Escalation | high | medium | low | high | medium | low |
| Account Compromise | Access Enumeration | high | low | medium | high | medium | low |
| Data Exfiltration | Data Transfer | low | medium | high | low | high | medium |
Static Anomalies
STATIC ANOMALY DETECTION: Plan
• Context building
• Context matching
• Anomaly analysis
(Pipeline diagram with the components Events Storage, Context Building, Context Storage, Scoring Engine, Context Matching and Anomalies Storage; it is repeated on the following slides with the current step highlighted.)
CONTEXT BUILDING
• Whitelist known values for all users
• Define anomaly scores for all fields
CONTEXT THRESHOLD
• Problem
  o Log poisoning attacks
  o Anomalies in user context
• Solution
  o Importance amplification
  o Mean of squared values

| IP | Mean |
|---|---|
| 172.16.100.11 | 320 |
| 172.16.100.118 | 308 |
| 172.16.100.137 | 30 |
| Threshold | 219 |

| IP | Mean | Squared |
|---|---|---|
| 172.16.100.11 | 320 | 102400 |
| 172.16.100.118 | 308 | 94864 |
| 172.16.100.137 | 30 | 900 |
| 172.16.100.200 | 1 | 1 |
| 172.16.100.201 | 1 | 1 |
| 172.16.100.202 | 1 | 1 |
| 172.16.100.203 | 1 | 1 |
| 172.16.100.204 | 1 | 1 |
| 172.16.100.217 | 1 | 1 |
| 172.16.100.218 | 1 | 1 |
| 172.16.100.219 | 1 | 1 |
| 172.16.100.220 | 1 | 1 |
| Threshold | 28 | 8,258 |
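As an added example (not from the presentation), the following Python reproduces the two context tables above and compares which source IPs enter the user's context under the plain mean and under the mean of squared counts. It assumes that a value is whitelisted when its count (or squared count) reaches the threshold, and that the slide's second table holds 21 single-event decoy IPs, which is the number that reproduces the slide's thresholds of 28 and 8,258.

```python
"""Context threshold under log poisoning: plain mean vs. mean of squared counts.

Added example, not the presentation's code. It reconstructs the two tables on
the CONTEXT THRESHOLD slide: a user's source-IP context with three active IPs
(320, 308 and 30 events), then the same context after 21 more IPs with a
single event each were injected. The 21 is an assumption that reproduces the
slide's thresholds (28 and 8,258).
"""
from typing import Dict, List


def mean_threshold(counts: Dict[str, int]) -> float:
    """Whitelist threshold as the plain mean of per-value event counts."""
    return sum(counts.values()) / len(counts)


def squared_mean_threshold(counts: Dict[str, int]) -> float:
    """Threshold as the mean of squared counts ("importance amplification").

    Large counts dominate the sum, so many low-count decoys barely move it.
    """
    return sum(c * c for c in counts.values()) / len(counts)


def whitelist(counts: Dict[str, int], amplify: bool) -> List[str]:
    """Values that enter the user's context under the chosen threshold rule
    (assumption: a value is known once its count reaches the threshold)."""
    if amplify:
        threshold = squared_mean_threshold(counts)
        return sorted(v for v, c in counts.items() if c * c >= threshold)
    threshold = mean_threshold(counts)
    return sorted(v for v, c in counts.items() if c >= threshold)


# Constructed baseline: the three IPs from the slide's first table.
BASELINE = {"172.16.100.11": 320, "172.16.100.118": 308, "172.16.100.137": 30}

# Constructed poisoned context: 21 decoy IPs with one event each (assumption,
# see module docstring). 172.16.100.200 to .220 covers exactly 21 addresses.
POISONED = dict(BASELINE)
POISONED.update({f"172.16.100.{last}": 1 for last in range(200, 221)})


def compare() -> dict:
    """Thresholds and resulting whitelists for both contexts."""
    return {
        "baseline_mean": round(mean_threshold(BASELINE)),            # 219
        "poisoned_mean": round(mean_threshold(POISONED)),            # 28
        "poisoned_squared": round(squared_mean_threshold(POISONED)),  # 8258
        "baseline_plain": whitelist(BASELINE, amplify=False),
        "poisoned_plain": whitelist(POISONED, amplify=False),
        "poisoned_amplified": whitelist(POISONED, amplify=True),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>20}: {value}")
```

Under the plain mean the decoys pull the threshold from 219 down to 28, so the rare IP 172.16.100.137 (30 events) slips into the whitelist; under the mean of squared counts its 900 stays far below 8,258 and it remains an anomaly.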
CONTEXT MATCHING
• Compare new events with the user context field by field
• Assign individual anomaly scores for unknown fields
ANOMALY ANALYSIS
• Get a total event anomaly score from all its fields
• Get a total user anomaly score from all its events
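The three static-anomaly steps (context building, context matching, anomaly analysis) as an added Python example, not the presentation's code. The events are the rows of the normalized SAP Security Audit Log table shown earlier; the choice of baseline window (the two nsalab events) and the per-field anomaly scores are assumptions made for illustration.

```python
"""Static anomaly detection: context building, context matching, anomaly analysis.

Added example, not the presentation's code. Events are constructed from the
normalized SAP Security Audit Log table on the slides; which events form the
baseline and the per-field scores are assumptions for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Set

Event = Dict[str, str]
Context = Dict[str, Dict[str, Set[str]]]   # user -> field -> known values

# Per-field anomaly score for an unknown value (assumption; the slides only
# say scores are defined per field). An unknown device weighs more than an
# unknown program argument.
FIELD_SCORES = {"device": 40, "action": 30, "context1": 20, "context2": 5, "context3": 5}

# Constructed baseline: SAP* working from host nsalab (rows 1-2 of the table).
BASELINE_EVENTS: List[Event] = [
    {"time": "3/13/18 11:32", "title": "RFC/CPIC Logon Successful", "user": "SAP*",
     "device": "nsalab", "action": "AU5", "context1": "F", "context2": "0", "context3": ""},
    {"time": "3/13/18 11:32", "title": "Successful RFC Call", "user": "SAP*",
     "device": "nsalab", "action": "AUK", "context1": "SLO6",
     "context2": "SAPLSLO6", "context3": "RSAU_READ_FILE"},
]

# Constructed new events: the same user from another device (rows 3-6).
NEW_EVENTS: List[Event] = [
    {"time": "3/13/18 11:46", "title": "Logon Failed", "user": "SAP*",
     "device": "MacBook-Pro-Nursulta", "action": "AU2", "context1": "A", "context2": "1", "context3": ""},
    {"time": "3/13/18 11:47", "title": "Logon Successful", "user": "SAP*",
     "device": "MacBook-Pro-Nursulta", "action": "AU1", "context1": "A", "context2": "0", "context3": "P"},
    {"time": "3/13/18 11:51", "title": "Transaction Started", "user": "SAP*",
     "device": "MacBook-Pro-Nursulta", "action": "AU3", "context1": "SE16", "context2": "", "context3": ""},
    {"time": "3/13/18 11:51", "title": "Read Table", "user": "SAP*",
     "device": "MacBook-Pro-Nursulta", "action": "DU9", "context1": "USR02", "context2": "2", "context3": "passed"},
]


def build_context(events: List[Event]) -> Context:
    """Context building: whitelist every value seen per user and scored field."""
    context: Context = defaultdict(lambda: defaultdict(set))
    for event in events:
        for field in FIELD_SCORES:
            if event.get(field):                 # empty fields carry no information
                context[event["user"]][field].add(event[field])
    return context


def match_event(event: Event, context: Context) -> Dict[str, int]:
    """Context matching: a per-field score for each value unknown for this user."""
    known = context.get(event["user"], {})
    return {
        field: score
        for field, score in FIELD_SCORES.items()
        if event.get(field) and event[field] not in known.get(field, set())
    }


def event_score(event: Event, context: Context) -> int:
    """Anomaly analysis, step 1: total event score from all its fields."""
    return sum(match_event(event, context).values())


def user_scores(events: List[Event], context: Context) -> Dict[str, int]:
    """Anomaly analysis, step 2: total user score from all the user's events."""
    totals: Dict[str, int] = defaultdict(int)
    for event in events:
        totals[event["user"]] += event_score(event, context)
    return dict(totals)


if __name__ == "__main__":
    ctx = build_context(BASELINE_EVENTS)
    for ev in NEW_EVENTS:
        print(ev["time"], ev["title"], event_score(ev, ctx), match_event(ev, ctx))
    print(user_scores(NEW_EVENTS, ctx))
```

Every new event is scored on the unknown device and the unknown action, and the analyst sees which fields contributed; the baseline events score 0 against their own context.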
Temporal Anomalies
TEMPORAL ANOMALY DETECTION
• Establish a normal behavior baseline
• Train to predict normal user actions
• Analyze incorrectly predicted actions
(Pipeline diagram with the components Events Storage, Features Encoding, RNN Engine, Model Training, Weights Storage, Anomaly Detection and Anomalies Storage; it is repeated on the following slides with the current step highlighted.)
FEATURE ENGINEERING
• Feature selection
• Feature encoding
FEATURE SELECTION: Data
(The normalized SAP Security Audit Log table from the DATA NORMALIZATION: AFTER slide is shown again here, as the data to select features from.)
FEATURE ENCODING: Vector

| Time | Title | User | Device | Action | Context 1 | Context 2 | Context 3 |
|---|---|---|---|---|---|---|---|
| 3/13/18 11:32 | RFC/CPIC Logon Successful | SAP* | nsalab | AU5 | F | 0 | |
| 3/13/18 11:32 | Successful RFC Call | SAP* | nsalab | AUK | SLO6 | SAPLSLO6 | RSAU_READ_FILE |

Encoded feature vector: [ 0.19248842592592594 0.7110773240660063 0.8366013071895425 ]
FEATURE ENCODING: Knowledge Base
• On-the-fly KB
• Security-focused KB
• Application-focused KB
  o Static (1/100000 scale)
  o Mapping (1/100 scale)
Machine Learning
MODEL IMPLEMENTATION
• Find the right algorithm for a task
• Implement a model and its environment
• Optimize the model for the best accuracy
MODEL MEMORY
• Recurrent neural networks
  o Simple RNN
    - Forgets longer dependencies
  o Long Short-Term Memory
    - Proven track record
  o Gated Recurrent Unit
    - LSTM simplified
  o Neural Turing Machine
    - RNN on steroids
  o ...
MODEL DESIGN: Architecture
(Diagram: Input features (Program, Time, Action) -> LSTM -> Output (Predict).)
MODEL PARAMETERS
• Architecture
  o Layers number, Neurons number, Activation function, Loss function, Optimizer, ...
• Data
  o Features, Knowledge base, Sequence length, Normalization, ...
• Training
  o Epochs, Batch size, Threshold, Distance, Smoothing, ...
SEQUENCE LENGTH
• A B C D E F G H A C K E D
(The slide repeats this sequence four times with sequence windows highlighted; the highlighting is lost in the transcript.)
KNOWLEDGE BASE SORTING
• Alphabet
• Criticality
• Frequency
(Charts: Sorted by Alphabet, Sorted by Frequency.)
ADAPTIVE THRESHOLD
• Error score
  o Distance-based
    - Predicted value (blue) vs. actual value (green) in the chart
• Threshold
  o Max training error score
• Sensitivity
  o As is
  o Coefficient
ANOMALY DETECTION
• Predict a potential user activity
• Report incorrectly predicted events above threshold
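An added Python example, not the presentation's code, that ties together the SEQUENCE LENGTH, ADAPTIVE THRESHOLD and ANOMALY DETECTION slides: events are encoded against an alphabet-sorted knowledge base, cut into sequence windows, the error score is the distance between the predicted and the actual vector, and the threshold is the maximum training error scaled by a sensitivity coefficient. A window-frequency table stands in for the LSTM so the block runs without a deep-learning framework; the training sequence is constructed, the test sequence is the slide's A B C D E F G H A C K E D, and one-hot encoding, Euclidean distance and the coefficient values are assumptions.

```python
"""Temporal anomaly detection: sequence windows, distance-based error score,
adaptive threshold from the training error.

Added example, not the presentation's code. A window-frequency predictor
(assumption) stands in for the RNN; the rest follows the slides.
"""
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed normal baseline: the routine A..H repeated, with one run in which
# step E was skipped, so that the training error is not exactly zero.
TRAINING = "ABCDEFGH" * 3 + "ABCDFGH" + "ABCDEFGH"
TEST = "ABCDEFGHACKED"       # the sequence from the SEQUENCE LENGTH slide
SEQUENCE_LENGTH = 1          # number of preceding events used for prediction


def vocabulary(*sequences: str) -> List[str]:
    """Knowledge base for encoding: every event code seen, sorted by alphabet."""
    return sorted(set("".join(sequences)))


def one_hot(symbol: str, vocab: List[str]) -> List[float]:
    return [1.0 if v == symbol else 0.0 for v in vocab]


def windows(sequence: str, length: int) -> List[Tuple[str, str]]:
    """Cut a sequence into (preceding window, next event) pairs."""
    return [(sequence[i:i + length], sequence[i + length])
            for i in range(len(sequence) - length)]


class WindowPredictor:
    """Stand-in for the RNN: predicts the next event's probability vector from
    the frequencies observed after each window in the training data."""

    def __init__(self, vocab: List[str]) -> None:
        self.vocab = vocab
        self.counts: Dict[str, Counter] = defaultdict(Counter)

    def train(self, sequence: str, length: int) -> None:
        for window, nxt in windows(sequence, length):
            self.counts[window][nxt] += 1

    def predict(self, window: str) -> List[float]:
        seen = self.counts.get(window)
        if not seen:                        # never seen this window: no opinion
            return [1.0 / len(self.vocab)] * len(self.vocab)
        total = sum(seen.values())
        return [seen[v] / total for v in self.vocab]


def error_score(predicted: List[float], actual: List[float]) -> float:
    """Distance-based error between the predicted and the actual vector."""
    return math.sqrt(sum((p - a) ** 2 for p, a in zip(predicted, actual)))


def errors(model: WindowPredictor, sequence: str, length: int) -> List[Tuple[int, str, float]]:
    """(position, event, error score) for every event that has a preceding window."""
    return [(i + length, nxt, error_score(model.predict(w), one_hot(nxt, model.vocab)))
            for i, (w, nxt) in enumerate(windows(sequence, length))]


def detect(training: str = TRAINING, test: str = TEST, length: int = SEQUENCE_LENGTH,
           sensitivity: float = 1.0) -> Tuple[float, List[Tuple[int, str, float]]]:
    """Adaptive threshold = max training error * sensitivity coefficient;
    returns the threshold and the test events whose error exceeds it."""
    model = WindowPredictor(vocabulary(training, test))
    model.train(training, length)
    threshold = max(e for _, _, e in errors(model, training, length)) * sensitivity
    flagged = [(i, s, round(e, 3)) for i, s, e in errors(model, test, length) if e > threshold]
    return round(threshold, 3), flagged


if __name__ == "__main__":
    print(detect())                   # threshold 1.131: C, K and D reported
    print(detect(sensitivity=0.8))    # threshold 0.905: E after the unseen K too
```

With the coefficient at 1.0 the never-seen window K yields a uniform prediction whose error (0.943) stays under the threshold, so only the three contradicted predictions are reported; lowering the coefficient to 0.8 reports that event as well, which is the sensitivity trade-off the slide describes.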
ANOMALY DETECTION: Prediction
(Chart)
ANOMALY DETECTION: Metrics
• Accuracy 95%
  o True Positives 71%
  o True Negatives 97%
• Errors 5%
  o False Positives 3%
  o False Negatives 29%
CONCLUSIONS
• Security analytics is more important than machine learning
• ML-driven solutions must help analysts and not replace them
• Adjust accuracy and tolerance to false positives for your situation
• Build an ecosystem of ML models and advanced analytics on top of it
AI BLESS YOU
USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301, Phone 650.798.5255
EU: Luna ArenA 238 Herikerbergweg, 1101 CM Amsterdam, Phone +31 20 8932892
EU: Štětkova 1638/18, Prague 4 - Nusle, 140 00, Czech Republic
Read our blog: erpscan.com/category/press-center/blog/
Join our webinars: erpscan.com/category/press-center/events/
Subscribe to our newsletters: eepurl.com/bef7h1
Eugene Neyolov, Head of R&D, [email protected]