SlideShare una empresa de Scribd logo

Fighting Malware with Graph Analytics: An End-to-End Case Study

Priyanka Aash
Priyanka Aash

1. The document discusses using graph analytics and mining techniques for malware detection. Specifically, it explores using graphs to extract malware dictionaries from DNS traffic to detect dictionary-generated domain algorithms (DGA). 2. It describes techniques like anomaly detection using egonet analysis and community detection that can help identify malicious behavior in graphs. 3. Open-source tools like NetworkX, python-Louvain, and Gephi are recommended for working with and visualizing graph data.

Tecnología
1 de 51
Descargar para leer sin conexión
SESSION ID: #RSAC Mayana Pereira FIGHTING MALWARE WITH GRAPH ANALYTICS: AN END-TO-END CASE STUDY MLN-F01 Data Scientist Infoblox Inc.
# R S A C MACHINE LEARNING 2 Profile picture  Posts   Age  Gender  Personality  Political Preferences  Advertising
# R S A C MACHINE LEARNING 3 Profile picture  Posts   Fake Users  Influencers
# R S A C MACHINE LEARNING 4 Relations between users Graphs
# R S A C GRAPH DEFINITION 5 Nodes  Users Edges  Friendship
# R S A C GRAPH-BASED ANALYTICS 6 A powerful tool for modeling, structuring and understanding relationships among people, devices, information entities. Graph mining provides an insightful representation — Interdependent instances — Long-range relations — Node/Edge attributes (data complexity) — Hard to fake/alter (adversarial robustness) Security-related applications: — Exposing Terrorist cells — Botnet detection — Reputation propagation of IPs
# R S A C OUR GOAL IS… 7 How graphs and graph mining can be used to solve security problems. Intuitive and easy to understand approaches. + = Learn Apply Obtain Identify the data related problems and how to describe them through graphs. Graph-based machine learning models that complements and can outperform traditional techniques.
# R S A C SUMMARY 8 1. Study Case: Malware Detection using Graph Mining a) Dictionary-DGA Problem b) Graph-based analytics to extract malware dictionaries from DNS traffic 2. Graph Mining techniques that are easy to visualize and interpret a) EgAnomaly Detection b) Open Source tools for data exploration & visualization tools
# R S A C SUMMARY 9 1. Study Case: Malware Detection using Graph Mining a) Dictionary-DGA Problem b) Graph-based analytics to extract malware dictionaries from DNS traffic 2. Graph Mining techniques that are easy to visualize and interpret a) Anomaly Detection b) Open Source tools for data exploration & visualization tools
# R S A C 10 135.175.17.35 MALWARE COMMUNICATION bad-domain.com DNS Server 135.175.17.35 Infected Machine Command and Control
# R S A C 11 NXdomain DOMAIN GENERATION ALGORITHMS dnskasd.info DNS Server 135.175.17.35 Infected Machine Command and Control NXdomain ajdhkbf.info 135.175.17.35 akdjnfag.info
# R S A C 12 DOMAIN GENERATION ALGORITHMS 135.175.17.35 Infected Machine Command and Control Malicious Payload Contact 135.175.17.35
# R S A C 13 DOMAIN GENERATION ALGORITHMS DNS Server Infected Machine infoblox.com infoblox.com Classification: legitimate domain infoblox.com
# R S A C 14 DOMAIN GENERATION ALGORITHMS DNS Server Infected Machine z030zy.com z030zy.com Classification: darkshell DGA domain z030zy.com
# R S A C DGA DETECTION 15 katherinelangford.net X kyt6ea4ak4bvo35lrw.net Can you tell which one is a DGA domain and which one is a Hollywood actress website?
# R S A C DGA DETECTION 16 katherinelangford.net kyt6ea4ak4bvo35lrw.net Rovnix Malware DGA domain
# R S A C HOW DIFFICULT IS THE PROBLEM? 17 christinepatterson.net X christinekirkpatrick.net Can you tell which one is a DGA domain and which one is an online art gallery?
# R S A C 18 IT IS A DIFFICULT PROBLEM
# R S A C IT IS A DIFFICULT PROBLEM 19 christinepatterson.net Is a DGA domain! Suppobox Malware Family
# R S A C 20 OBSERVE GROUP OF DOMAINS hurt
# R S A C 21 THE WORDS REPEAT honeycutt
# R S A C SUMMARY 22 1. Study Case: Malware Detection using Graph Mining a) Dictionary-DGA Problem b) Graph-based analytics to extract malware dictionaries from DNS traffic 2. Graph Mining techniques that are easy to visualize and interpret a) Egonet analysis for Anomaly Detection b) Open Source tools for data exploration & visualization tools
# R S A C 23 BUILDING THE GRAPH Word Finding doghouse.com dog house
# R S A C 24 BUILDING THE GRAPH smarthouse.com smart house Word Finding
# R S A C 25 BUILDING THE GRAPH doghouse.com smarthouse.com dog house smart
# R S A C DGA WORDS CONNECT DIFFERENTLY 26
# R S A C 27 WE EXTRACT THE DICTIONARIES WITHOUT REVERSE ENGINEERING EFFORTS! DETECTING DICTONARIES
# R S A C MALICIOUS REGION IDENTIFICATION 28 Features Dmean: Average node degree Dmax: Maximum node Degree C: Cardinality of basis of cycles of G Cv: Average cycles per node ASPL: Average Shortest Path Length
# R S A C GRAPH MINING IS POWERFUL 29 DGA Dict 1 DGA Dict 2 Alexa Train Train DGA Dict 3 Alexa Test Test Unbalanced Dataset: DGA domains are less than 1% # of words used by DGA # of detected words Recall FPR Round 1 92 92 1 0 Round 2 70 64 0.91 0 Round 3 80 80 1 0 120K Benign Domains 1020 DDGA domains
# R S A C HIGH DETECTION RATE 30 Round 1 Round 2 Round 3 Model Precision Recall FPR Precision Recall FPR Precision Recall FPR WordGraph 1 1 0 1 0.96 0 1 1 0 Random Forest (Baseline) 0.056 0.009 10-3 0.031 0.006 10-3 0.0 0.0 10-3 Classification Results
# R S A C SUMMARY 31 1. Study Case: Malware Detection using Graph Mining a) Dictionary-DGA Problem b) Graph-based analytics to extract malware dictionaries from DNS traffic 2. Graph Mining techniques that are easy to visualize and interpret a) Anomaly Detection b) Open Source tools for data exploration & visualization tools
# R S A C ANOMALY DETECTION 32 How can we find anomalies in a graph? Anomalous behavior could signify — Fraud — Network intrusion — Electronic auction fraud — Etc.
# R S A C EGONET 33
# R S A C EGONET 34 Ego node
# R S A C EGONET 35 Neighborhood around a node Ego node
# R S A C EGONET 36 Ego node Egonet
# R S A C ANOMALY DETECTION 37 • Finding Anomalous nodes in graphs by analyzing their Egonets • Egonet behaviors that can indicate anomaly
# R S A C ANOMALY DETECTION 38 Spam email accounts Spamming email accounts usually send emails in a robotic fashion to many accounts, that are unrelated to each other.
# R S A C ANOMALY DETECTION 39 Finding a Star Egonet (Near-Star)[2] • E = N⍺ , ⍺ < 1.1 • E: number of edges in a Egonet • N: Degree of an egonet (numer of nodes)
# R S A C ANOMALY DETECTION 40 IRS Fraud – Phony tax returns In a graph model in which each tax form is a node, and the existence of an edge is based on tax form similarity, i.e. any two tax forms that are suspiciously similar have a relationship (edge), any sufficiently large clique identifies a cluster worth studying. Finding a group of nodes with clique or near clique egonets  Fraud.
# R S A C ANOMALY DETECTION 41 Finding a Clique Egonet (Near-Clique) • E = N⍺ , ⍺ > 1.7 • E: number of edges in a Egonet • N: Degree of an egonet (number of nodes)
# R S A C ANOMALY DETECTION 42 Fraud in Credit Card Transactions An unusual high transaction can indicate stolen or cloned credit card. This is represented by a dominant edge in an Egonet.
# R S A C ANOMALY DETECTION 43 Finding a Heavy Edge • λ = W⍺ , ⍺ > 0.98 • λ : Principal Eigenvalue of an Egonet • W: Egonet weight (sum of the weights of all edges)
# R S A C SUMMARY 44 1. Study Case: Malware Detection using Graph Mining a) Dictionary-DGA Problem b) Graph-based analytics to extract malware dictionaries from DNS traffic 2. Graph Mining techniques that are easy to visualize and interpret a) Anomaly Detection b) Open Source tools for data exploration & visualization tools
# R S A C COMMUNITY DETECTION 45 Community structure means that the network may be clustered to sets of nodes, each of which relatively densely-interconnected internally, with relatively few connections between sets. Used in study of many fields such as social networks, social studies, computer networks, etc.
# R S A C COMMUNITY DETECTION 46 • Useful Tool for Graph Exploration • Can we find communities in a certain graph structure? • Detecting Malicious Group Behavior [5] • Problem of Detecting spammers in Email Service Providers (ESPs) • Performs better than Content-based filters. • Early detection of spamming accounts.
# R S A C TOOLS FOR GRAPH ANALYSIS 47 How to Explore? — Python’s Libraries NetworkX and python-Louvain are easy to start.  https://networkx.github.io  https://github.com/taynaud/python-louvain How to visualize? — Gephi is a great Graph visualization tool that allows to apply community detection while visualizing the data – this is great for data exploration!  https://gephi.org
# R S A C TODAY WE LEARNED… 48 Representing information in the right way is the key to find what you want. Graphs are a powerful representation for highlighting group structures. They are a powerful ally in: fraud detection and intrusion detection and group classification problems. There are powerful open source tools for graph mining and analysis.
# R S A C APPLY WHAT YOU LEARNED TODAY! 49 Next week you should: Identify problems that can be represented and explored by graph analytics. Think of unusual node relations when building graphs, just like our study case example. In the first three months following this presentation you should: Identify which approach is best suitable for the problem you are trying to solve. Is it Community Detection, Anomaly Detection or Topology Classification ? Within six months you should: Be able to compare the graph-based approach with traditional approach. — Can you combine both approaches in order to achieve better accuracy and lower false positive rate?
# R S A C REFERENCES 50 • [1] A Word Graph Approach for Dictionary Detection and Extraction in DGA Domain Names: https://machine-learning-and-security.github.io/slides/Mayana-final-of-NIPS-DDGA.pdf • [2] Oddball: Spotting anomalies in weighted graphs https://link.springer.com/10.1007%2F978-3-642-13672-6_40 • [3] Graph-based irregularity and fraud detection: http://www3.cs.stonybrook.edu/~leman/icdm12/ICDM12-Tutorial%20-%20PartI.pdf • [4] Fast unfolding of communities in large networks: https://arxiv.org/pdf/0803.0476.pdf • [5] Birds of a Feather Flock Together: The Accidental Community of Spammers https://www.cs.bgu.ac.il/~snean161/wiki.files/151_0605.pdf • [6] Gephi: https://gephi.org • [7] NetworkX: https://networkx.github.io
# R S A C Think Graph! Thank you! Questions? Mayana Pereira :: mpereira@infoblox.com

Recomendados

Evolution of-ai-bots-for-real-time-adaptive-security
Evolution of-ai-bots-for-real-time-adaptive-securityEvolution of-ai-bots-for-real-time-adaptive-security
Evolution of-ai-bots-for-real-time-adaptive-securityDESMOND YUEN
 
GPS Spoofing: No Longer a Fish Story
GPS Spoofing: No Longer a Fish StoryGPS Spoofing: No Longer a Fish Story
GPS Spoofing: No Longer a Fish StoryPriyanka Aash
 
Dreaming of IoCs Adding Time Context to Threat Intelligence
Dreaming of IoCs Adding Time Context to Threat IntelligenceDreaming of IoCs Adding Time Context to Threat Intelligence
Dreaming of IoCs Adding Time Context to Threat IntelligencePriyanka Aash
 
Rise of the Hacking Machines
Rise of the Hacking MachinesRise of the Hacking Machines
Rise of the Hacking MachinesPriyanka Aash
 
The Rise of the Purple Team
The Rise of the Purple TeamThe Rise of the Purple Team
The Rise of the Purple TeamPriyanka Aash
 
Smart Megalopolises. How Safe and Reliable Is Your Data?
Smart Megalopolises. How Safe and Reliable Is Your Data?Smart Megalopolises. How Safe and Reliable Is Your Data?
Smart Megalopolises. How Safe and Reliable Is Your Data?Priyanka Aash
 
IOCs Are Dead—Long Live IOCs!
IOCs Are Dead—Long Live IOCs!IOCs Are Dead—Long Live IOCs!
IOCs Are Dead—Long Live IOCs!Priyanka Aash
 
Applied cognitive security complementing the security analyst
Applied cognitive security complementing the security analyst Applied cognitive security complementing the security analyst
Applied cognitive security complementing the security analyst Priyanka Aash
 

Recomendados

Evolution of-ai-bots-for-real-time-adaptive-security
Evolution of-ai-bots-for-real-time-adaptive-securityEvolution of-ai-bots-for-real-time-adaptive-security
Evolution of-ai-bots-for-real-time-adaptive-securityDESMOND YUEN
 
GPS Spoofing: No Longer a Fish Story
GPS Spoofing: No Longer a Fish StoryGPS Spoofing: No Longer a Fish Story
GPS Spoofing: No Longer a Fish StoryPriyanka Aash
 
Dreaming of IoCs Adding Time Context to Threat Intelligence
Dreaming of IoCs Adding Time Context to Threat IntelligenceDreaming of IoCs Adding Time Context to Threat Intelligence
Dreaming of IoCs Adding Time Context to Threat IntelligencePriyanka Aash
 
Rise of the Hacking Machines
Rise of the Hacking MachinesRise of the Hacking Machines
Rise of the Hacking MachinesPriyanka Aash
 
The Rise of the Purple Team
The Rise of the Purple TeamThe Rise of the Purple Team
The Rise of the Purple TeamPriyanka Aash
 
Smart Megalopolises. How Safe and Reliable Is Your Data?
Smart Megalopolises. How Safe and Reliable Is Your Data?Smart Megalopolises. How Safe and Reliable Is Your Data?
Smart Megalopolises. How Safe and Reliable Is Your Data?Priyanka Aash
 
IOCs Are Dead—Long Live IOCs!
IOCs Are Dead—Long Live IOCs!IOCs Are Dead—Long Live IOCs!
IOCs Are Dead—Long Live IOCs!Priyanka Aash
 
Applied cognitive security complementing the security analyst
Applied cognitive security complementing the security analyst Applied cognitive security complementing the security analyst
Applied cognitive security complementing the security analyst Priyanka Aash
 
Advances in cloud scale machine learning for cyber-defense
Advances in cloud scale machine learning for cyber-defenseAdvances in cloud scale machine learning for cyber-defense
Advances in cloud scale machine learning for cyber-defensePriyanka Aash
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsRod Soto
 
Machine learning cybersecurity boon or boondoggle
Machine learning cybersecurity boon or boondoggleMachine learning cybersecurity boon or boondoggle
Machine learning cybersecurity boon or boondogglePriyanka Aash
 
Applied machine learning defeating modern malicious documents
Applied machine learning defeating modern malicious documentsApplied machine learning defeating modern malicious documents
Applied machine learning defeating modern malicious documentsPriyanka Aash
 
Treat Detection using Hadoop
Treat Detection using HadoopTreat Detection using Hadoop
Treat Detection using HadoopDataWorks Summit
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE - ATT&CKcon
 
Three Considerations To Amplify Your Detection and Response Program
Three Considerations To Amplify Your Detection and Response ProgramThree Considerations To Amplify Your Detection and Response Program
Three Considerations To Amplify Your Detection and Response ProgramMorphick
 
Aspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security HeadachesAspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security HeadachesPriyanka Aash
 
A New Security Paradigm for IoT (Internet of Threats)
A New Security Paradigm for IoT (Internet of Threats)A New Security Paradigm for IoT (Internet of Threats)
A New Security Paradigm for IoT (Internet of Threats)Priyanka Aash
 
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...MITRE - ATT&CKcon
 
Intelligence-Led Security: Powering the Future of Cyber Defense
Intelligence-Led Security: Powering the Future of Cyber DefenseIntelligence-Led Security: Powering the Future of Cyber Defense
Intelligence-Led Security: Powering the Future of Cyber DefensePriyanka Aash
 
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESETMITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESETMITRE - ATT&CKcon
 
CTI ANT: Hunting for Chinese Threat Intelligence
CTI ANT: Hunting for Chinese Threat IntelligenceCTI ANT: Hunting for Chinese Threat Intelligence
CTI ANT: Hunting for Chinese Threat IntelligenceJacklynTsai
 
How to assign a CVE to yourself?
How to assign a CVE to yourself?How to assign a CVE to yourself?
How to assign a CVE to yourself?Ramin Farajpour Cami
 
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...MITRE - ATT&CKcon
 
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...MITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...MITRE - ATT&CKcon
 
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...Vaticle
 
Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Manag...
Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Manag...Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Manag...
Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Manag...Priyanka Aash
 
Fighting malware - keeping your Intellectual Property safe
Fighting malware - keeping your Intellectual Property safeFighting malware - keeping your Intellectual Property safe
Fighting malware - keeping your Intellectual Property safePrayukth K V
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksMehrdad Jingoism
 
How we use functional programming to find the bad guys @ Build Stuff LT and U...
How we use functional programming to find the bad guys @ Build Stuff LT and U...How we use functional programming to find the bad guys @ Build Stuff LT and U...
How we use functional programming to find the bad guys @ Build Stuff LT and U...Richard Minerich
 

Más contenido relacionado

La actualidad más candente

Advances in cloud scale machine learning for cyber-defense
Advances in cloud scale machine learning for cyber-defenseAdvances in cloud scale machine learning for cyber-defense
Advances in cloud scale machine learning for cyber-defensePriyanka Aash
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsRod Soto
 
Machine learning cybersecurity boon or boondoggle
Machine learning cybersecurity boon or boondoggleMachine learning cybersecurity boon or boondoggle
Machine learning cybersecurity boon or boondogglePriyanka Aash
 
Applied machine learning defeating modern malicious documents
Applied machine learning defeating modern malicious documentsApplied machine learning defeating modern malicious documents
Applied machine learning defeating modern malicious documentsPriyanka Aash
 
Treat Detection using Hadoop
Treat Detection using HadoopTreat Detection using Hadoop
Treat Detection using HadoopDataWorks Summit
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE - ATT&CKcon
 
Three Considerations To Amplify Your Detection and Response Program
Three Considerations To Amplify Your Detection and Response ProgramThree Considerations To Amplify Your Detection and Response Program
Three Considerations To Amplify Your Detection and Response ProgramMorphick
 
Aspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security HeadachesAspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security HeadachesPriyanka Aash
 
A New Security Paradigm for IoT (Internet of Threats)
A New Security Paradigm for IoT (Internet of Threats)A New Security Paradigm for IoT (Internet of Threats)
A New Security Paradigm for IoT (Internet of Threats)Priyanka Aash
 
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...MITRE - ATT&CKcon
 
Intelligence-Led Security: Powering the Future of Cyber Defense
Intelligence-Led Security: Powering the Future of Cyber DefenseIntelligence-Led Security: Powering the Future of Cyber Defense
Intelligence-Led Security: Powering the Future of Cyber DefensePriyanka Aash
 
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESETMITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESETMITRE - ATT&CKcon
 
CTI ANT: Hunting for Chinese Threat Intelligence
CTI ANT: Hunting for Chinese Threat IntelligenceCTI ANT: Hunting for Chinese Threat Intelligence
CTI ANT: Hunting for Chinese Threat IntelligenceJacklynTsai
 
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...MITRE - ATT&CKcon
 
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...MITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...MITRE - ATT&CKcon
 
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...Vaticle
 
Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Manag...
Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Manag...Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Manag...
Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Manag...Priyanka Aash
 
Fighting malware - keeping your Intellectual Property safe
Fighting malware - keeping your Intellectual Property safeFighting malware - keeping your Intellectual Property safe
Fighting malware - keeping your Intellectual Property safePrayukth K V
 

La actualidad más candente (20)

Advances in cloud scale machine learning for cyber-defense
Advances in cloud scale machine learning for cyber-defenseAdvances in cloud scale machine learning for cyber-defense
Advances in cloud scale machine learning for cyber-defense
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
 
Machine learning cybersecurity boon or boondoggle
Machine learning cybersecurity boon or boondoggleMachine learning cybersecurity boon or boondoggle
Machine learning cybersecurity boon or boondoggle
 
Applied machine learning defeating modern malicious documents
Applied machine learning defeating modern malicious documentsApplied machine learning defeating modern malicious documents
Applied machine learning defeating modern malicious documents
 
Treat Detection using Hadoop
Treat Detection using HadoopTreat Detection using Hadoop
Treat Detection using Hadoop
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - October
 
Three Considerations To Amplify Your Detection and Response Program
Three Considerations To Amplify Your Detection and Response ProgramThree Considerations To Amplify Your Detection and Response Program
Three Considerations To Amplify Your Detection and Response Program
 
Aspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security HeadachesAspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security Headaches
 
A New Security Paradigm for IoT (Internet of Threats)
A New Security Paradigm for IoT (Internet of Threats)A New Security Paradigm for IoT (Internet of Threats)
A New Security Paradigm for IoT (Internet of Threats)
 
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
 
Intelligence-Led Security: Powering the Future of Cyber Defense
Intelligence-Led Security: Powering the Future of Cyber DefenseIntelligence-Led Security: Powering the Future of Cyber Defense
Intelligence-Led Security: Powering the Future of Cyber Defense
 
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESETMITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
 
CTI ANT: Hunting for Chinese Threat Intelligence
CTI ANT: Hunting for Chinese Threat IntelligenceCTI ANT: Hunting for Chinese Threat Intelligence
CTI ANT: Hunting for Chinese Threat Intelligence
 
How to assign a CVE to yourself?
How to assign a CVE to yourself?How to assign a CVE to yourself?
How to assign a CVE to yourself?
 
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...
 
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...
 
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
 
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...
 
Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Manag...
Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Manag...Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Manag...
Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Manag...
 
Fighting malware - keeping your Intellectual Property safe
Fighting malware - keeping your Intellectual Property safeFighting malware - keeping your Intellectual Property safe
Fighting malware - keeping your Intellectual Property safe
 

Similar a Fighting Malware with Graph Analytics: An End-to-End Case Study

Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksMehrdad Jingoism
 
How we use functional programming to find the bad guys @ Build Stuff LT and U...
How we use functional programming to find the bad guys @ Build Stuff LT and U...How we use functional programming to find the bad guys @ Build Stuff LT and U...
How we use functional programming to find the bad guys @ Build Stuff LT and U...Richard Minerich
 
How Graph Databases used in Police Department?
How Graph Databases used in Police Department?How Graph Databases used in Police Department?
How Graph Databases used in Police Department?Samet KILICTAS
 
Cyber security and attack analysis : how Cisco uses graph analytics
Cyber security and attack analysis : how Cisco uses graph analyticsCyber security and attack analysis : how Cisco uses graph analytics
Cyber security and attack analysis : how Cisco uses graph analyticsLinkurious
 
An introduction to R is a document useful
An introduction to R is a document usefulAn introduction to R is a document useful
An introduction to R is a document usefulssuser3c3f88
 
"Giving the bad guys no sleep"
"Giving the bad guys no sleep""Giving the bad guys no sleep"
"Giving the bad guys no sleep"Christiaan Beek
 
Ketnote: GraphTour Boston
Ketnote: GraphTour BostonKetnote: GraphTour Boston
Ketnote: GraphTour BostonNeo4j
 
Baythreat Cryptolocker Presentation
Baythreat Cryptolocker PresentationBaythreat Cryptolocker Presentation
Baythreat Cryptolocker PresentationOpenDNS
 
Metadata and the Power of Pattern-Finding
Metadata and the Power of Pattern-FindingMetadata and the Power of Pattern-Finding
Metadata and the Power of Pattern-FindingDATAVERSITY
 
Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Priyanka Aash
 
ANALYSIS OF SIDE CHANNEL ATTACKS ON VARIOUS CRYPTOGRAPHIC ALGORITHMS
ANALYSIS OF SIDE CHANNEL ATTACKS ON VARIOUS CRYPTOGRAPHIC ALGORITHMSANALYSIS OF SIDE CHANNEL ATTACKS ON VARIOUS CRYPTOGRAPHIC ALGORITHMS
ANALYSIS OF SIDE CHANNEL ATTACKS ON VARIOUS CRYPTOGRAPHIC ALGORITHMSJournal For Research
 
100X Investigations - Graphistry / Microsoft BlueHat
100X Investigations - Graphistry / Microsoft BlueHat100X Investigations - Graphistry / Microsoft BlueHat
100X Investigations - Graphistry / Microsoft BlueHatgraphistry
 
Finding Triggered Malice in Android Apps
Finding Triggered Malice in Android AppsFinding Triggered Malice in Android Apps
Finding Triggered Malice in Android AppsPriyanka Aash
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
OSINT Basics for Threat Hunters and Practitioners
OSINT Basics for Threat Hunters and PractitionersOSINT Basics for Threat Hunters and Practitioners
OSINT Basics for Threat Hunters and PractitionersMegan DeBlois
 
Autonomous Hacking: The New Frontiers of Attack and Defense
Autonomous Hacking: The New Frontiers of Attack and DefenseAutonomous Hacking: The New Frontiers of Attack and Defense
Autonomous Hacking: The New Frontiers of Attack and DefensePriyanka Aash
 
Traffic anomaly detection and attack
Traffic anomaly detection and attackTraffic anomaly detection and attack
Traffic anomaly detection and attackQrator Labs
 

Similar a Fighting Malware with Graph Analytics: An End-to-End Case Study (20)

Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networks
 
How we use functional programming to find the bad guys @ Build Stuff LT and U...
How we use functional programming to find the bad guys @ Build Stuff LT and U...How we use functional programming to find the bad guys @ Build Stuff LT and U...
How we use functional programming to find the bad guys @ Build Stuff LT and U...
 
How Graph Databases used in Police Department?
How Graph Databases used in Police Department?How Graph Databases used in Police Department?
How Graph Databases used in Police Department?
 
Cyber security and attack analysis : how Cisco uses graph analytics
Cyber security and attack analysis : how Cisco uses graph analyticsCyber security and attack analysis : how Cisco uses graph analytics
Cyber security and attack analysis : how Cisco uses graph analytics
 
An introduction to R is a document useful
An introduction to R is a document usefulAn introduction to R is a document useful
An introduction to R is a document useful
 
"Giving the bad guys no sleep"
"Giving the bad guys no sleep""Giving the bad guys no sleep"
"Giving the bad guys no sleep"
 
Ketnote: GraphTour Boston
Ketnote: GraphTour BostonKetnote: GraphTour Boston
Ketnote: GraphTour Boston
 
Baythreat Cryptolocker Presentation
Baythreat Cryptolocker PresentationBaythreat Cryptolocker Presentation
Baythreat Cryptolocker Presentation
 
Metadata and the Power of Pattern-Finding
Metadata and the Power of Pattern-FindingMetadata and the Power of Pattern-Finding
Metadata and the Power of Pattern-Finding
 
Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”
 
ANALYSIS OF SIDE CHANNEL ATTACKS ON VARIOUS CRYPTOGRAPHIC ALGORITHMS
ANALYSIS OF SIDE CHANNEL ATTACKS ON VARIOUS CRYPTOGRAPHIC ALGORITHMSANALYSIS OF SIDE CHANNEL ATTACKS ON VARIOUS CRYPTOGRAPHIC ALGORITHMS
ANALYSIS OF SIDE CHANNEL ATTACKS ON VARIOUS CRYPTOGRAPHIC ALGORITHMS
 
100X Investigations - Graphistry / Microsoft BlueHat
100X Investigations - Graphistry / Microsoft BlueHat100X Investigations - Graphistry / Microsoft BlueHat
100X Investigations - Graphistry / Microsoft BlueHat
 
Finding Triggered Malice in Android Apps
Finding Triggered Malice in Android AppsFinding Triggered Malice in Android Apps
Finding Triggered Malice in Android Apps
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CK
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
OSINT Basics for Threat Hunters and Practitioners
OSINT Basics for Threat Hunters and PractitionersOSINT Basics for Threat Hunters and Practitioners
OSINT Basics for Threat Hunters and Practitioners
 
How We Use Functional Programming to Find the Bad Guys
How We Use Functional Programming to Find the Bad GuysHow We Use Functional Programming to Find the Bad Guys
How We Use Functional Programming to Find the Bad Guys
 
Polyvalent Recommendations
Polyvalent RecommendationsPolyvalent Recommendations
Polyvalent Recommendations
 
Autonomous Hacking: The New Frontiers of Attack and Defense
Autonomous Hacking: The New Frontiers of Attack and DefenseAutonomous Hacking: The New Frontiers of Attack and Defense
Autonomous Hacking: The New Frontiers of Attack and Defense
 
Traffic anomaly detection and attack
Traffic anomaly detection and attackTraffic anomaly detection and attack
Traffic anomaly detection and attack
 

Más de Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

Más de Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Último

Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 

Último (20)

Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 

Fighting Malware with Graph Analytics: An End-to-End Case Study

  • 1. SESSION ID: #RSAC Mayana Pereira FIGHTING MALWARE WITH GRAPH ANALYTICS: AN END-TO-END CASE STUDY MLN-F01 Data Scientist Infoblox Inc.
  • 2. # R S A C MACHINE LEARNING 2 Profile picture  Posts   Age  Gender  Personality  Political Preferences  Advertising
  • 3. # R S A C MACHINE LEARNING 3 Profile picture  Posts   Fake Users  Influencers
  • 4. # R S A C MACHINE LEARNING 4 Relations between users Graphs
  • 5. # R S A C GRAPH DEFINITION 5 Nodes  Users Edges  Friendship
  • 6. # R S A C GRAPH-BASED ANALYTICS 6 A powerful tool for modeling, structuring and understanding relationships among people, devices, information entities. Graph mining provides an insightful representation — Interdependent instances — Long-range relations — Node/Edge attributes (data complexity) — Hard to fake/alter (adversarial robustness) Security-related applications: — Exposing Terrorist cells — Botnet detection — Reputation propagation of IPs
  • 7. # R S A C OUR GOAL IS… 7 How graphs and graph mining can be used to solve security problems. Intuitive and easy to understand approaches. + = Learn Apply Obtain Identify the data related problems and how to describe them through graphs. Graph-based machine learning models that complements and can outperform traditional techniques.
  • 8. # R S A C SUMMARY 8 1. Study Case: Malware Detection using Graph Mining a) Dictionary-DGA Problem b) Graph-based analytics to extract malware dictionaries from DNS traffic 2. Graph Mining techniques that are easy to visualize and interpret a) EgAnomaly Detection b) Open Source tools for data exploration & visualization tools
  • 9. # R S A C SUMMARY 9 1. Study Case: Malware Detection using Graph Mining a) Dictionary-DGA Problem b) Graph-based analytics to extract malware dictionaries from DNS traffic 2. Graph Mining techniques that are easy to visualize and interpret a) Anomaly Detection b) Open Source tools for data exploration & visualization tools
  • 10. # R S A C 10 135.175.17.35 MALWARE COMMUNICATION bad-domain.com DNS Server 135.175.17.35 Infected Machine Command and Control
  • 11. # R S A C 11 NXdomain DOMAIN GENERATION ALGORITHMS dnskasd.info DNS Server 135.175.17.35 Infected Machine Command and Control NXdomain ajdhkbf.info 135.175.17.35 akdjnfag.info
  • 12. # R S A C 12 DOMAIN GENERATION ALGORITHMS 135.175.17.35 Infected Machine Command and Control Malicious Payload Contact 135.175.17.35
  • 13. # R S A C 13 DOMAIN GENERATION ALGORITHMS DNS Server Infected Machine infoblox.com infoblox.com Classification: legitimate domain infoblox.com
  • 14. # R S A C 14 DOMAIN GENERATION ALGORITHMS DNS Server Infected Machine z030zy.com z030zy.com Classification: darkshell DGA domain z030zy.com
  • 15. # R S A C DGA DETECTION 15 katherinelangford.net X kyt6ea4ak4bvo35lrw.net Can you tell which one is a DGA domain and which one is a Hollywood actress website?
  • 16. # R S A C DGA DETECTION 16 katherinelangford.net kyt6ea4ak4bvo35lrw.net Rovnix Malware DGA domain
  • 17. # R S A C HOW DIFFICULT IS THE PROBLEM? 17 christinepatterson.net X christinekirkpatrick.net Can you tell which one is a DGA domain and which one is an online art gallery?
  • 18. # R S A C 18 IT IS A DIFFICULT PROBLEM
  • 19. # R S A C IT IS A DIFFICULT PROBLEM 19 christinepatterson.net Is a DGA domain! Suppobox Malware Family
  • 20. # R S A C 20 OBSERVE GROUP OF DOMAINS hurt
  • 21. # R S A C 21 THE WORDS REPEAT honeycutt
  • 22. # R S A C SUMMARY 22 1. Study Case: Malware Detection using Graph Mining a) Dictionary-DGA Problem b) Graph-based analytics to extract malware dictionaries from DNS traffic 2. Graph Mining techniques that are easy to visualize and interpret a) Egonet analysis for Anomaly Detection b) Open Source tools for data exploration & visualization tools
  • 23. # R S A C 23 BUILDING THE GRAPH Word Finding doghouse.com dog house
  • 24. # R S A C 24 BUILDING THE GRAPH smarthouse.com smart house Word Finding
  • 25. # R S A C 25 BUILDING THE GRAPH doghouse.com smarthouse.com dog house smart
  • 26. # R S A C DGA WORDS CONNECT DIFFERENTLY 26
  • 27. # R S A C 27 WE EXTRACT THE DICTIONARIES WITHOUT REVERSE ENGINEERING EFFORTS! DETECTING DICTONARIES
  • 28. # R S A C MALICIOUS REGION IDENTIFICATION 28 Features Dmean: Average node degree Dmax: Maximum node Degree C: Cardinality of basis of cycles of G Cv: Average cycles per node ASPL: Average Shortest Path Length
  • 29. # R S A C GRAPH MINING IS POWERFUL 29 DGA Dict 1 DGA Dict 2 Alexa Train Train DGA Dict 3 Alexa Test Test Unbalanced Dataset: DGA domains are less than 1% # of words used by DGA # of detected words Recall FPR Round 1 92 92 1 0 Round 2 70 64 0.91 0 Round 3 80 80 1 0 120K Benign Domains 1020 DDGA domains
  • 30. # R S A C HIGH DETECTION RATE 30 Round 1 Round 2 Round 3 Model Precision Recall FPR Precision Recall FPR Precision Recall FPR WordGraph 1 1 0 1 0.96 0 1 1 0 Random Forest (Baseline) 0.056 0.009 10-3 0.031 0.006 10-3 0.0 0.0 10-3 Classification Results
  • 31. # R S A C SUMMARY 31 1. Study Case: Malware Detection using Graph Mining a) Dictionary-DGA Problem b) Graph-based analytics to extract malware dictionaries from DNS traffic 2. Graph Mining techniques that are easy to visualize and interpret a) Anomaly Detection b) Open Source tools for data exploration & visualization tools
  • 32. # R S A C ANOMALY DETECTION 32 How can we find anomalies in a graph? Anomalous behavior could signify — Fraud — Network intrusion — Electronic auction fraud — Etc.
  • 33. # R S A C EGONET 33
  • 34. # R S A C EGONET 34 Ego node
  • 35. # R S A C EGONET 35 Neighborhood around a node Ego node
  • 36. # R S A C EGONET 36 Ego node Egonet
  • 37. # R S A C ANOMALY DETECTION 37 • Finding Anomalous nodes in graphs by analyzing their Egonets • Egonet behaviors that can indicate anomaly
  • 38. # R S A C ANOMALY DETECTION 38 Spam email accounts Spamming email accounts usually send emails in a robotic fashion to many accounts, that are unrelated to each other.
  • 39. # R S A C ANOMALY DETECTION 39 Finding a Star Egonet (Near-Star)[2] • E = N⍺ , ⍺ < 1.1 • E: number of edges in a Egonet • N: Degree of an egonet (numer of nodes)
  • 40. # R S A C ANOMALY DETECTION 40 IRS Fraud – Phony tax returns In a graph model in which each tax form is a node, and the existence of an edge is based on tax form similarity, i.e. any two tax forms that are suspiciously similar have a relationship (edge), any sufficiently large clique identifies a cluster worth studying. Finding a group of nodes with clique or near clique egonets  Fraud.
  • 41. # R S A C ANOMALY DETECTION 41 Finding a Clique Egonet (Near-Clique) • E = N⍺ , ⍺ > 1.7 • E: number of edges in a Egonet • N: Degree of an egonet (number of nodes)
  • 42. # R S A C ANOMALY DETECTION 42 Fraud in Credit Card Transactions An unusual high transaction can indicate stolen or cloned credit card. This is represented by a dominant edge in an Egonet.
  • 43. # R S A C ANOMALY DETECTION 43 Finding a Heavy Edge • λ = W⍺ , ⍺ > 0.98 • λ : Principal Eigenvalue of an Egonet • W: Egonet weight (sum of the weights of all edges)
  • 44. # R S A C SUMMARY 44 1. Study Case: Malware Detection using Graph Mining a) Dictionary-DGA Problem b) Graph-based analytics to extract malware dictionaries from DNS traffic 2. Graph Mining techniques that are easy to visualize and interpret a) Anomaly Detection b) Open Source tools for data exploration & visualization tools
  • 45. # R S A C COMMUNITY DETECTION 45 Community structure means that the network may be clustered to sets of nodes, each of which relatively densely-interconnected internally, with relatively few connections between sets. Used in study of many fields such as social networks, social studies, computer networks, etc.
  • 46. # R S A C COMMUNITY DETECTION 46 • Useful Tool for Graph Exploration • Can we find communities in a certain graph structure? • Detecting Malicious Group Behavior [5] • Problem of Detecting spammers in Email Service Providers (ESPs) • Performs better than Content-based filters. • Early detection of spamming accounts.
  • 47. # R S A C TOOLS FOR GRAPH ANALYSIS 47 How to Explore? — Python’s Libraries NetworkX and python-Louvain are easy to start.  https://networkx.github.io  https://github.com/taynaud/python-louvain How to visualize? — Gephi is a great Graph visualization tool that allows to apply community detection while visualizing the data – this is great for data exploration!  https://gephi.org
  • 48. # R S A C TODAY WE LEARNED… 48 Representing information in the right way is the key to find what you want. Graphs are a powerful representation for highlighting group structures. They are a powerful ally in: fraud detection and intrusion detection and group classification problems. There are powerful open source tools for graph mining and analysis.
  • 49. # R S A C APPLY WHAT YOU LEARNED TODAY! 49 Next week you should: Identify problems that can be represented and explored by graph analytics. Think of unusual node relations when building graphs, just like our study case example. In the first three months following this presentation you should: Identify which approach is best suitable for the problem you are trying to solve. Is it Community Detection, Anomaly Detection or Topology Classification ? Within six months you should: Be able to compare the graph-based approach with traditional approach. — Can you combine both approaches in order to achieve better accuracy and lower false positive rate?
  • 50. # R S A C REFERENCES 50 • [1] A Word Graph Approach for Dictionary Detection and Extraction in DGA Domain Names: https://machine-learning-and-security.github.io/slides/Mayana-final-of-NIPS-DDGA.pdf • [2] Oddball: Spotting anomalies in weighted graphs https://link.springer.com/10.1007%2F978-3-642-13672-6_40 • [3] Graph-based irregularity and fraud detection: http://www3.cs.stonybrook.edu/~leman/icdm12/ICDM12-Tutorial%20-%20PartI.pdf • [4] Fast unfolding of communities in large networks: https://arxiv.org/pdf/0803.0476.pdf • [5] Birds of a Feather Flock Together: The Accidental Community of Spammers https://www.cs.bgu.ac.il/~snean161/wiki.files/151_0605.pdf • [6] Gephi: https://gephi.org • [7] NetworkX: https://networkx.github.io
  • 51. # R S A C Think Graph! Thank you! Questions? Mayana Pereira :: mpereira@infoblox.com