Optimal Machine Learning Algorithms Networks – JNCIE Security and JNCIP-Service Provider Routing A...

Optimal Machine Learning Algorithms for Cyber Threat Detection
A Presentation by Hafiz Farooq, Saudi Aramco

Hafiz Farooq, Senior Cyber Security Consultant, Saudi Aramco
ECC (EXPEC Computer Center) SOC
MS Data Communication Networks, Aston University, United Kingdom
BE Computer Engineering, NUST, Pakistan
DELL Secureworks – Worked as Senior SOC Architect
SANS Forensic Examiner, SANS Exploit Researcher
Splunk Big Data Architect, Qradar Deployment Professional
Juniper Networks – JNCIE Security and JNCIP-Service Provider Routing

Why we moved to Machine Learning
- Big Data Analytics & Machine Learning
- Machine Learning vs Orthodox Cyber Security
- Post-Shamoon Scenario

Optimal Machine Learning Algorithms for Cyber Security
MACHINE LEARNING: STATISTICAL APPROACH

BIG DATA STATISTICAL ANALYSIS: ANOMALY DETECTION – PRIVILEGED ACCOUNTS
SANKEY VISUALIZATION http://www.sankey-diagrams.com/
Query:

```spl
source=windows AND (usertype=Administrator* OR usertype=root*)
| stats count by host user
| sort count desc
| head 20
```

Feature Space: MachineID, UserID, EventCount, Severity, Multihoming
Optimal Machine Learning Algorithms for Cyber Security by Hafiz Farooq

BIG DATA STATISTICAL ANALYSIS: ANOMALY DETECTION – TOP TALKERS
PARALLEL COORDINATES https://datavizcatalogue.com/methods/parallel_coordinates.html
Query:

```spl
index=firewall dest="Authentication Server" | stats count by src
| appendcols [search index=juniper dest="Mail Server" | stats count by src]
| appendcols [search index=juniper dest="NAS/SAN" | stats count by src]
| appendcols [search index=juniper dest="ERP" | stats count by src]
| appendcols [search index=juniper dest="Web" | stats count by src]
```

Note that appendcols merges rows by position rather than by src, and every subsearch emits the same field names (src, count), so rename count per destination and join on src for the parallel axes to line up per source host.
Parallel axes: Authentication Server | Mail Server | NAS / SAN | ERP Application | Web Proxy
n-dimensional feature space & n-parallels

BIG DATA STATISTICAL ANALYSIS: ANOMALY DETECTION – CRITICAL PROCESSES
PUNCHCARD VISUALIZATION http://bl.ocks.org/kaezarrex/10122633
Query:

```spl
index=wineventlog AND (New_Process_Name IN (*\\powershell*, *\\wscript*, *\\wmic*, *\\svchost*, *\\regedit*, *\\cmd.*))
| eval WorkTime=strftime(_time,"%H")
| rex field=New_Process_Name ".*\\\(?<executable>.*)$"
| stats count by WorkTime executable
```

Punchcard axes: executable (WMIC.EXE, CMD.EXE, POWERSHELL.EXE, SCHTASKS.EXE, SVCHOST.EXE, WSCRIPT.EXE, REGEDIT.EXE) against hours in a day
Discrete / Continuous Time Series Analytics

Optimal Machine Learning Algorithms for Cyber Security
MACHINE LEARNING: OPTIMAL ML ALGORITHMS

CYBER THREAT STANDARDIZATION: Standards Used for ML based Threat Detection
MITRE ATT&CK categories: Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, Command & Control
Cyber Kill Chain: Recon, Weaponize, Deliver, Exploit, Install, C2, Exfiltrate
- MITRE Standards for Post-Compromise Detection
  - ATT&CK | Adversarial Tactics, Techniques, and Common Knowledge
  - CAPEC | Common Attack Pattern Enumeration and Classification
  - MAEC | Malware Attribute Enumeration and Characterization
- Lockheed Martin's Cyber Kill Chain

IMPORTANT USE CASES BASED ON MITRE ATT&CK MATRIX
https://attack.mitre.org/wiki

| Threat Use Case | Pre-Processing | ML based Detector Algorithms | ATT&CK Category |
|---|---|---|---|
| Exfiltration over C2 Channels | StandardScaler / PCA | KMeans / X-Means | Exfiltration |
| Service Scanning Analysis | PCA, KMeans | Linear, RF, DT Regressors | Discovery |
| PowerShell Anomaly Detection | PCA | One-Class SVM with Linear Kernel | Execution |
| DLL Injection Anomaly Detection | PCA / Kernel-PCA | One-Class SVM with Linear Kernel | Privilege Escalation |
| Process Hollowing via System Calls | TF-IDF (Logarithmic) | LR with SGD Detector | Defense Evasion |
| Web URLs Analysis | Levenshtein Distance | Shannon Entropy | Command & Control |
| Email Spam Classification | TF-IDF | RF Classifier | Execution |
| Analyzing Web Proxy Logs | BM25 | SGD with Naïve Bayesian | Command & Control |
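The Web URLs Analysis row pairs Levenshtein distance with Shannon entropy. As an added example (not code from the presentation), here is a dependency-free Python scorer that applies both to proxy-log hostnames: edit distance to an allow-list flags lookalike registrations, entropy of the registered label flags DGA-style names. The allow-list, hostnames and thresholds are constructed for this example.

```python
import math

# Constructed allow-list and proxy-log hostnames for this example (not from the
# presentation): two benign names, one lookalike and one DGA-style name.
KNOWN_DOMAINS = ["example.com", "corp-portal.example", "microsoft.com"]
OBSERVED = ["www.example.com", "micros0ft.com", "x7k2qv9pw3tz.com",
            "corp-portal.example"]

def shannon_entropy(s):
    """Bits per character of s; random-looking DGA labels score high. The
    value grows with length, so compare labels of similar length."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def levenshtein(a, b):
    """Edit distance with unit cost for insert, delete and substitute,
    computed row by row (O(len(a) * len(b)) time, O(len(b)) memory)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host):
    """Last two labels; a real pipeline would consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def score_host(host, known=KNOWN_DOMAINS, entropy_threshold=3.5, max_edits=2):
    """Verdict for one hostname: 'known' (allow-listed), 'lookalike' (within
    max_edits of a known domain), 'high-entropy' (DGA-style registered
    label) or 'unknown' (needs other signals). Thresholds are illustrative."""
    dom = registered_domain(host)
    if dom in known:
        return {"host": host, "verdict": "known"}
    nearest = min(known, key=lambda k: levenshtein(dom, k))
    dist = levenshtein(dom, nearest)
    ent = shannon_entropy(dom.split(".")[0])
    if dist <= max_edits:
        verdict = "lookalike"
    elif ent >= entropy_threshold:
        verdict = "high-entropy"
    else:
        verdict = "unknown"
    return {"host": host, "verdict": verdict, "nearest": nearest,
            "distance": dist, "entropy": round(ent, 3)}

def scan(hosts=OBSERVED):
    return [r for r in map(score_host, hosts) if r["verdict"] != "known"]
```

On the constructed sample scan() reports micros0ft.com as a lookalike (one edit from microsoft.com) and x7k2qv9pw3tz.com as high-entropy; entropy alone misfires on short or CDN-style hostnames, so treat it as a triage signal rather than a verdict.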

CYBER THREAT DETECTION & MACHINE LEARNING: Machine Learning Workflow
SUPERVISED & UNSUPERVISED WORKFLOWS
Workflow diagram components: SOC/Forensics; UBA Scoring Engine; Machine Learning Engine (Feature Extractor, Pre-Processor, ML Data Model, ML Algorithms); Offline Training Data (STIX, TAXII, CybOX); Real Time Data; Scheduled Refresh; False-Positives

FEATURE ENGINEERING & BAGGING: Curses of Dimensionality in Cyber Security ML
- Feature Engineering is Critical in Cyber Security
- More Categorical Data than Numerical
- Important Algorithms
  - Feature Extraction | PCA/Kernel-PCA, TF-IDF/BM25
  - Normalization | StandardScaler (Z-Score), Normalizer (Min-Max)
  - Feature Selection | Sampling, SubSampling, OverSampling, KMeans

MACHINE LEARNING – USE CASE NO 1: Upload/Download Analytic using Numerical Clustering
K-Means Clusters. MacQueen, 1976: Some Methods for Classification and Analysis of Multivariate Observations.
Complexity: O(n . k . Iterations . Attributes)
Scatter plot axes: Data Upload Rate against Data Download Rate
Pipeline: Firewall Netflow / RT Stats -> Feature PreProcess -> StandardScaler / PCA -> KMeans Clustering (k=3)
Features: Source IP, BytesIN, BytesOUT

MACHINE LEARNING – USE CASE NO 1: Upload/Download Analytic using Numerical Clustering (continued)
Clustering Algorithms. Chakraborty, Sanjay, "Performance Comparison of Incremental k-Means and DBScan."
- K-Means creates clusters of homogeneous shapes and is much faster than hierarchical clustering techniques
- DBSCAN is less accurate here due to the dynamically varying traffic densities and highly scattered data values
- BIRCH clustering is very slow for larger datasets and hence is limited to micro-level clustering, in conjunction with a macro-level algorithm
Comparison chart: BIRCH, DBSCAN, KMeans
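The use case 1 pipeline (StandardScaler, then KMeans with k=3 over per-host BytesIN and BytesOUT) as an added example, not code from the presentation: a dependency-free Python implementation of the z-score step and Lloyd's k-means, run on constructed NetFlow totals, that returns the hosts in the highest-upload cluster. The farthest-first seeding is a deterministic substitute for random initialisation, and the PCA step is omitted because there are only two attributes.

```python
import math

# Constructed per-host NetFlow totals (Source IP, BytesIN, BytesOUT), not data
# from the presentation: eight ordinary downloaders and one upload-heavy host.
FLOWS = [
    ("10.0.0.11", 820_000, 40_000), ("10.0.0.12", 910_000, 52_000),
    ("10.0.0.13", 760_000, 35_000), ("10.0.0.14", 1_050_000, 61_000),
    ("10.0.0.21", 120_000, 8_000), ("10.0.0.22", 95_000, 6_500),
    ("10.0.0.23", 140_000, 9_000), ("10.0.0.24", 110_000, 7_200),
    ("10.0.0.99", 60_000, 2_400_000),
]

def zscore(rows):
    """StandardScaler: centre each attribute and divide by its std-dev."""
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]
    return [[(v - m) / s for v, m, s in zip(r, means, stds)] for r in rows]

def sqdist(p, q):
    return sum((a - b) ** 2 for a, b in zip(p, q))

def init_centroids(points, k):
    """Deterministic farthest-first seeding (stands in for random init)."""
    centroids = [list(points[0])]
    while len(centroids) < k:
        far = max(points, key=lambda p: min(sqdist(p, c) for c in centroids))
        centroids.append(list(far))
    return centroids

def kmeans(points, k, iters=100):
    """Lloyd's k-means; each pass costs O(n * k * attributes), giving the
    O(n . k . Iterations . Attributes) quoted on the slide."""
    centroids, labels = init_centroids(points, k), []
    for _ in range(iters):
        labels = [min(range(k), key=lambda j: sqdist(p, centroids[j]))
                  for p in points]
        new = []
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            new.append([sum(c) / len(members) for c in zip(*members)]
                       if members else centroids[j])
        if new == centroids:  # assignments stable: converged
            break
        centroids = new
    return centroids, labels

def upload_anomalies(flows, k=3):
    """Cluster hosts on standardized (BytesIN, BytesOUT); return the hosts in
    the highest-upload cluster plus all cluster sizes for analyst review."""
    feats = zscore([[b_in, b_out] for _, b_in, b_out in flows])
    centroids, labels = kmeans(feats, k)
    j_up = max(range(k), key=lambda j: centroids[j][1])
    hosts = [h for (h, _, _), lab in zip(flows, labels) if lab == j_up]
    return hosts, [labels.count(j) for j in range(k)]
```

On the constructed sample the single-member cluster is the upload-heavy host; in production re-run with several values of k and review the cluster sizes, since k-means always produces k clusters whether or not an anomaly exists.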

MACHINE LEARNING – USE CASE NO 2: DLL Injection Detection using OneClassSVM (OSVM)
SYSMON Events Reference: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Query:

```spl
index=sysmon-events EventID=8 sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| table host, _time, SourceImage, TargetImage
```

SYSMON Events: 1 ProcessCreate, 2 FileCreationTime, 3 NetworkConnection, 5 ProcessTerminated, 6 DriverLoaded, 7 ImageLoaded, 8 CreateRemoteThread

MACHINE LEARNING – USE CASE NO 2: Detect DLL Injection using OneClassSVM (OSVM)
One-Class SVM. Bernhard Schölkopf, "One-Class Support Measure Machines for Group Anomaly Detection"
Pseudocode:

```
DataSource: SYSMON-Logs
if EventID == 8 AND isNormal != 1 then
    do OneClassSVM Source, Target
    set kernel = linear, nu = 0.01, coef = 0.5
    set gamma = 0.01, tol = 1, deg = 3, shrinking = f
    save model CreateRemoteThreadOSVM
    do dedup Source, Target
end if
```

With a linear kernel the gamma, coef and deg settings have no effect; they only apply to the RBF, polynomial and sigmoid kernels.

MACHINE LEARNING – USE CASE NO 3: Detecting Recon using Numerical Prediction
Regression / Prediction
Numerical Prediction: Linear Regression, Random Forest Regressor, DecisionTree Regressor, LASSO

| Algorithm | Pre-Processing | RMSE | R2 (1 - SSE/TSSE) |
|---|---|---|---|
| LinearRegression | PCA (k=3) | 0.8999 | 0.998 |
| RFRegressor (N=5) | PCA (k=3) | 90.1230 | 0.980 |
| RFRegressor (N=30) | PCA (k=3) | 42.8220 | 0.800 |
| DTRegressor | PCA (k=3) | 250.0210 | 0.623 |

Plot axes: Predicted Destination Port against Destination Ports
Predicted: Destination Port. Features: Source IP, Destination IP

MACHINE LEARNING – USE CASE NO 3: Detecting Recon Anomaly using Numerical Prediction
Linear Regression. Bernhard Schölkopf, "One-Class Support Measure Machines for Group Anomaly Detection"
- Logistic Regression (LR) worked well here due to the linear dataset and the absence of multicollinearity between the independent predictor variables (i.e. time, source, destination).
- The RandomForest Ensemble Algorithm (with multiple tree estimators) is also an ideal predictor for this analysis, being relatively more accurate on a relatively weaker training set.
- DecisionTree required a very accurate training set, so it was not suitable here.

MACHINE LEARNING – USE CASE NO 4: PowerShell Anomaly Detection using OneClassSVM
One-Class SVM. Bernhard Schölkopf, "One-Class Support Measure Machines for Group Anomaly Detection"
SYSMON Events: 1 ProcessCreate, 2 FileCreationTime, 3 NetworkConnection, 5 ProcessTerminated, 6 DriverLoaded, 7 ImageLoaded, 8 CreateRemoteThread
Features: host, Image, ParentImage
Chart axes: Image against ParentImage, with deleteSystemFiles.ps1 and checking.bat labelled on the chart

Machine Learning & Static Correlation: User Behavioral Model
Machine Learning based User Behavioral Model - MLUBA
Distributed Machine Learning Detection System
Diagram components: Exfiltration over C2 Channels, Service Scanning Analysis, DLL Injection Analysis, PowerShell Anomaly Detection, Process Hollowing Analysis, Email Spam Classification, Threat Scoring System

MACHINE LEARNING: OPTIMAL ALGORITHMS FOR CYBER THREAT DETECTION
- Preprocessing (Sampling, Conversion, Extraction) is the key
- Scope of One-Class Classification in Cyber Security
- Machine Learning for Routine Operational Intelligence

Machine Learning - not a luxury, but a necessity now
Questions & Answers

Information is the oxygen of the modern age. It seeps through the walls topped by barbed wire, it wafts across the electrified borders