Download - Applied Machine learning for data exfiltration and other fun topics

AppliedMachineLearning�Wolff�Wallace�Zhao

APPLIED MACHINE LEARNING FOR DATA

EXFIL AND OTHER FUN TOPICS

Matt Wolff, Chief Data Scientist Brian Wallace, Security Researcher Xuan Zhao, Data Scientist


GOALS OF THIS TALK: APPLIEDMACHINELEARNING•  Iden5fysuitableproblemsforMLapproaches• DemonstratebyexamplehowtoapplyML• Helpjumpstartaddi5onalresearchintheSecurity+MLspace


WHOWEARE/CYLANCE•  Endpointsecuritycompanybuiltaroundthecapabili5esofar5ficialintelligence•  Protec5ngmillionsofenterpriseendpoints•  Foundedin2012,$177mmraised•  Booth#1124

Ma3WolffChiefDataScien5st

BrianWallaceSeniorSecurityResearcher

XuanZhaoDataScien5st


TALKOVERVIEW

• MachineLearningIntroduc5on• NMAPClustering•  FeatureSpaces• Distances• Clustering

• BotnetPanelIden5fica5on• Classifica5on•  FeatureReduc5on

• Obfusca5ngDatawithMarkovChains


MACHINELEARNINGOVERVIEW

• Machinelearningtechniquesaredatadriven• Availabledatashouldbeabletosolvetheprobleminameaningfulway• Approachesexistfordealingwithrawdata,aswellaslabeledorannotateddata



• Givensomedata,differenttypesofmachinelearningcanbeapplied• Clusteringisusefulforfindingsimilarityacrossdatasettouncovertrendsorotherinsight• Withlabeleddata,classifica5oncanbeusefultobuildpredic5vemodels



• OYen,rawdatahastobetransformedinsomewaytobeusedbymachinelearningalgorithms•  Typicalprocessistoextractfeaturesfromdata,andturnthosefeaturesintovectors• VectorsarethenfedintoMLalgorithmsfortrainingorotherpurposes


MACHINELEARNINGOVERVIEW• Recommendedresources•  Scikit-learn.org•  Python

•  SourcecodeforalltoolsinthistalkavailableontheCylancepublicgitrepo•  h^ps://github.com/CylanceSPEAR

•  Shouldbeabletopulltalksourceandstartmodifyingasneededtosuitdatadrivenproblemsinyourownorganiza5onorresearchgroup.


• NMAPisapopularportscanningtool• ProduceslargeamountofdataperIPaddress•  ScansoverlargenumberofIPscanbedifficulttomakesenseof• NMAPClusteringisatoolwhichclusters(groups)IPsbasedontheiropenports,services,etc

TOOL–NMAPCLUSTERING


FEATURES•  Featuresareinforma5ve,discrimina5veinforma5onthatcandescribeasample/observa5on/phenomenon/etc.•  Featureextrac5onispivotaltothemachinelearningpipeline• OurfeaturesarebasedonNMAPoutput•  Eachportisafeature,eachserviceoneachportisafeature,eachversionofeachserviceoneachportisafeature,etc•  Scriptoutputincludedinfeatures(includingwebsite5tles,publickeys,etc)


VECTORS• Numericalrepresenta5onofasample(IPinNMAPcase)• Arrayofvalueswhichrepresentallfeaturesfromonesample• Vectorscanbethoughtofaspointsinhighdimensionalspace•  Eachfeatureisadimension,thevalueofthefeatureinthevectoristheposi5oninthatdimension•  Ifwehaveonlytwofeatures,itisreallyeasytovisualize


VECTORS–2D


VECTORS–3D

File FilenameLength

Filesize(kB) Sizeofheaders(kB)

calc.exe 8 918.528 63notepad.exe 11 193.024 45malware.exe 11 193.024 10


𝑎

𝑏𝑐

•  Distance:Describethediscrepancybetweentwopoints•  Physicaldistancebetweentwopoints:

Pythagorean’s theorem:

DISTANCES

a2+b2=c2


File FilenameLength Filesize(kB) Sizeofheaders(kb)

calc.exe 8 918.528 63

notepad.exe 11 193.024 45

malware.exe 11 193.024 10

2D 3D


DISTANCESMul5pleDistanceMetrics–As long as an operation satisfy certain mathematical criteria, it can be used as a distance metric

Manhattan

Euclidean

Point 1

Point 2


CLUSTERING• Withawaytomeasuredistance,wecangroupitemsbyhowclosetheyare,akaclustering• Clustersaredis5nctgroupsofsamples(IP)whichhavebeengroupedtogether• Clusteringisgenerallyunsupervisedlearning• Differentalgorithmswithdifferentconfigura5onsgroupthesesamplesindifferentways


k-Means• Clusteringalgorithm• Usersuppliesk(des5natednumberofclusters)• Allsamplesareassignedtorandomclusters• Centerofeachclusteriscomputedbytakingmean(average)ofallsamplesincluster•  Samplesarethenassignedtotheclusterwhosecentertheyareclosestto• Centersarerecomputed,algorithmloopsun5lnosampleschangeclusters


k-Means


NMAPCLUSTERING–MANUAL/AUTOMATIC• Manualallowsyoutosupplyyourownclusteringparameters• Automa5ctriesmanydifferentmethodswiththeore5cally-foundop5malparametersandpickswhatitdeterminestobethebest• Demowithmanualstrategy• Demowithautoma5cstrategy


NMAPCLUSTERING-INTERACTIVE•  IncorporatetheUser’sdecisionintotheclusteringprocess.•  TheClusteringresultwillbecustomizedaccordingtocustomer’spreferenceinthisway•  Process(willshowwithademo):

1.  Userdecidewhethertheclusterneedstobesplitornot:

2.  Ifyes,thensplitusingdivisiveclustering3.  Ifno,finalizethiscluster4.  Recursivelysplitun5lusersare

sa5sfiedwithalltheclusters

Y

Y N

Finalized

N

Finalized

N

Finalized

Y–SplitN–No-Split


TOOL–IDPANEL• Botnetpanels(commandandcontrolwebsites)canbedifficulttoiden5fy•  Needpreviousknowledgeofthebotnetpanels•  OYenmodifiedtoavoiddetec5onorvanity•  Manyarebasedoffothers,sodis5nguishingcanbedifficult

• Wecantrainamodeltoiden5fyifwearelookingatabotpanelandwhichoneitis,withasmallnumberofrequests• Minimizingthenumberofrequeststoclassifyimprovesstealthandrateofclassifica5on


CLASSIFICATION•  Thisisaclassifica5onproblem• Classifica5onanswers“Isitwhatwearelookingfor?”• Classifica5onisgenerallysupervisedlearning•  Supervisedlearningrequirestrainingsamplestohavelabels• Classifica5onmethodsrangefromsimpletohighlycomplex


IDPANELFEATURES• Botnetpanelsaresimilartonormalwebsites• Containvariousfiletypes,oYenedited• HTTPresponsecodes+contentcomparison•  Encodingcontentasfeaturesdifficult•  ssDeepprovidesacon5nuousvaluebycomparingcontent


COLLECTINGDATA• Collec5onofknownbotnetpanels• Requestallknownpathsforallknownbotnetpaneltypes•  StoreHTTPstatuscodeandssDeepofcontent• Collec5onofsitesthatarenotbotnetpanelsneededaswell


DECISIONTREES•  Decisiontreesaresimpleclassifiers•  Splitsthedatasetonefeatureata5meun5ldecisionisconfident•  Resultsinatreeofquerieswheretheresultsproduceadecision•  Simpletotrain


ENSEMBLEOFDECISIONTREES•  Asingledecisiontreemaybeoverfocusedontrainingdata•  Canalleviatethisproblembybuildingmul5pleDecisionTreesforeachlabel•  CombiningtheresultsallowseachDecisionTreetovote•  Par5alanswersmays5llbeofinteresttotheuser•  Ensemblescanobtainbe^erpredic5veperformance

PonyDT1 PonyDT2 PonyDT3 DexterDT1 DexterDT2 DexterDT3 ZeusDT1 ZeusDT2 ZeusDT3

It’sPony


IDPANELDEMO–COMMANDLINE• Quickwaytocheckifawebsitedirectorycontainsabotnetpanel•  Easytobatchsearchingofmul5plewebsites/directories•  Easytogrepresults


IDPANELDEMO–CHROMEEXTENSION•  Everywebsitedirectoryvisitedistested• Resultsarestoredinbrowser•  ssDeepportedfromCtoJavascript• h^ps://github.com/kripken/emscripten•  ExtensionavailableinChromeextensionstore(free,ofcourse)


TOOL–MARKOVOBFUSCATE•  Dataexfiltra5onfromanetworkoYenrequiresavoidinganoutboundfirewall•  Deeppacketinspec5onlookstoblockanythingundesirable•  Easytoencryptdata,butitsalsoeasytodropinforma5onthatcan’tberead• Wecanmakeourdatalooklikesomethingelseen5rely


•  Simplemachinelearningmethodforcharacterizingsequencedata•  Learnsthetransi5onpa^ernfromastatetoanotherbasedonhowlikelyastatecomesaYeranotherstateinthetrainingdata• Wecancreatesequenceswithtransi5onpa^ernsthatarelearnedfromthedataitwastrainedon

MARKOVCHAIN

AABBABABA

A B

A 1(25%) 3(75%)

B 2(100%) 0(0%)

Tran

siXo

nMatrix

TrainingData

A

B

AA

BA

B P(ABB)=0

P(ABA)=0.75P(AAB)=0.1875

P(AAA)=0.0625


POPULARUSECASESOFMARKOVCHAINSWeatherPredic,on

Sunny Rainy

Sunny 0.9999 0.0001

Rainy 0.9 0.1

Recommenda,on

0.9 0.95

0.1

0.05

0.030.13


ENCODINGDATAWITHAMARKOVCHAIN• Givenatransi5onmatrix,wecansortitemsbyhowlikelytheyaretofollowourcurrentitem•  Ifwechoosethe5thmostlikelyitem,wecaniden5fyit’sthe5thmostlikelywithamodeltrainedonthesamedata•  Thisencodesthenumber5inthetransi5onfromourfirstitemtoourseconditem


MARKOVOBFUSCATE-ENCODING•  Trainourmodelwithabook• Observingtransi5onsfromwordtoword• Generatedatabasedontransi5onprobabili5es• Demo


MARKOVOBFUSCATE-WRAPPING•  SimpletotransferourdatathroughapipelinethatlookslikenormalHTTPtraffic•  Lookslikeauserpos5ngtotheirblog• Demo


MARKOVOBFUSCATE–HAVINGFUN•  TrainourmodelsonTaylorSwiYlyrics•  TrainaMarkovModelbasedonTaylorSwiYsongs• Playthegeneratelyricsthroughfes5valwithtones/beatslearnedfromsongs•  Firstlive“TylanceSwiY”concert,demo


WRAPPINGUP• Anyproblemwherethereisasignificantamountofdatageneratedcouldbenefitfromamachinelearningapproach•  Lotsofgreatonlineresourcetohelpanyonegetstarted• HavinglabeledorannotateddatamakesmoreMLapproachedviablecomparedtounlabeleddata


QUESTIONS?•  Email:[email protected]•  Stopbybooth#1124• Careeropportuni5es:h^ps://www.cylance.com/cylance-careers