Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Artificial Intelligence and cyber security
European Cyber Week / C&ESAR Conference
19-22 November 2018 / Rennes / France
Protection of an information system by an AI : a three-phase approach based on
behaviour analysis to detect a hostile scenario
Speakers: Jean-Philippe FAUVELLE - www.linkedin.com/in/jpfauvelle/
Alexandre DEY - www.linkedin.com/in/alexandre-dey/
1. Needs
2. SIEM solutions
3. UEBA concept
4. Our approach
5. POC #1: scenario
6. POC #1: behind the scene
7. POC #1: results
8. POC #1: conclusion
9. POC #2: scenario
10. POC #2: behind the scene
11. POC #2: results
12. POC #2: conclusion
13. Situation and future
14. Your questions
A B A B
A. Real world: 4 cases to
illustrate detection
completeness and quality.
B. Needs.
1. Needs
(*) APT – Advanced Persistent Threat Strong signal Weak signal Average signal
REAL WORLD Growing and evolving threats.
Hostile actions over wide time
periods, including APT*.
Cyber and non-cyber events.
Weak signals, noises, pollution.
Increasing volume of data.
Events chains spread over a wide time period
1
2
3
4
Events chain
is hostile ?
No
Yes
Yes
(APT*)
Yes
Case
MAIN NEEDS Detect hostile actions over wide time
periods, including APT*.
Produce explainable alerts.
Automatically adapt to changing threats
and behaviors.
Reduce false positives/negatives.
Horizontal scaling.
Expected detection and quality
Correctness Explainability
True
positive
True
negative
True
positive
True
positive
N/A
Yes
(complete)
Yes
(complete)
Yes
(complete)
?
Pros Cons Of current SIEM* solutions & A B A B
A. SIEM pros and cons.
B. Four cases to show limits.
2. SIEM* solutions
Strong signal Weak signal Average signal (*) SIEM – Security Information and Event Management
Events chains spread over a wide time period Usual detection/quality of SIEM* solutions
Correctness Explainability
True
positive
False
positive
True posit.
Two alerts
False
negative
N/A
Yes
Yes
(partial)
N/A
1
2
3
4
Events chain
is hostile ?
No
Yes
Yes
(APT)
Yes
Case
SIEM*
A B C A B C A B C
A. Facts concerning UEBA.
B. Biases of current solutions.
C. Principle overview and
boiled frog paradox.
3. UEBA concept
QUICK FACTS CONCERNING UEBA* Learning of behaviours.
Method agnostic to Good/Evil: detects
behaviour changes (incongruities).
Two training methods:
• Once for all training (eg: embarked).
• Continuous training: assimilation and
forgetting of behaviours, permanent
adaptation, non-supervised.
UEBA with continuous training meets
our needs.
MAIN BIASES OF AVAILABLE SOLUTIONS Training performance.
Many false positives (or negatives).
Slightly explainable result (black box).
Over-simplification of problems to solve.
Almost systematic presence of a simple
time window alerts counter.
Little consideration of events temporality.
Low management of behavioural model,
boiled frog paradox (see below).
But
UEBA PRINCIPLE AND BOILED FROG PARADOX
Assimilate new behaviours:
►Need for quick synchronism.
Avoid boiled frog paradox:
►Need for slow synchronism.
Conflicting needs: synchronism
is an unsatisfactory compromise.
More
Sensors
AIinference
AIlearning
Behavioural model
Observedworld
Behavioural model
Datavector
( )872
415
106
Data + incongruity
score
:19%( )872
415
106
Feed
Read
SYNC.
Result:
(*) UEBA – User and Entity Behaviour Analytics
A B A B
A. Our two-POCs approach.
B. Principle overview.
4. Our approach
APPROACH POC #1 (finished): simulated activity on an information system (with synthetic data).
POC #2 (almost finished): real activity on a workstation (with real data).
Keep in mind biases.
Focus on explainability of results.
Continue the work with a PhD Thesis (2019).
More
PRINCIPLE
Three phases AI :
• Learning (coutinuous).
• Inference.
• Correlation.
AI for memorisation (to be done).
Sensors
AIinference
AIlearning
Behavioural model
Observedworld
Behavioural model
Datavector
( )872
415
106
Data + incongruity
score
:19%( )872
415
106
Feed
Read
AI memori-sation
AIcorrelation
eqvu1 he48
eqhh
eqhe1
eqvu5
eqhr
exhe1
Subgraph of boundevents, considered
globally hostile
Complete graph(sliding time window)
A B C A B C A B C
A. Scenario theatre.
B. Usual behavior.
C. Hostile behavior.
5. POC #1: scenario
More
(*) OSINT – Open Source Intelligence
Compromising documents on a company's information system, by screening / targeting,
identity theft, malicious attachment, and exploitation of a vulnerability.
Hostile scenario
10
11
The hacker performs a screening and
targeting.
12 The hacker prepares an attack kit.
13
BI1
The hacker sends an email with malicious
attachment to 2 targeted employees by
usurping a third-party identity.
16 Targeted employee opens the attachment
and activates the charge.
17
BI2
The charge scans ports on vulnerable
equipment and compromises one.
19
BI3
The hacker connects to the compromised
equipment and takes control of it.
21 The hacker exploits the vulnerability to
collect sensitive documents.
30 An OSINT* source reports hacker.
Usual behaviours (extract)
14
15
Normal sending of internal and external
emails.
18 Normal solicitations of equipments / ports.
20 Normal activity between the external and
the equipment compromised.
INFORMATION SYSTEM | ENTREPRISE.COM
EXTERNAL.COMFACEBOOK.COM
EQSN
EQME
@
Humans / EmployeesHE1 ... HE<NB_HE>
Humans / TargetedHE1 ... HE<NB_HT>
Humans / AttackedHE1 ... HE<NB_HA>
HR / EQHR
HE1/EQHE1
(A17)
DMZ
EQFW1
EQFW2
Hacker
Employees (all)
Employees (attacked)
Employees (targeted)
Employee (charge activation)
Person whose identity is usurped
Employees(from home)
Messaging servers
Firewall
Firewall
Web servers
Human-EmployeeHE:From external / Human-EmployeeEXHE:Equipment of / Human-EmployeeEQHE:Human-HackerHH:Equipment of / Human-HackerEQHH:Human-ReferentHR:Equipment of / Human-ReferentEQHR:
Equipment / FirewallEQFW:Equipment / MessagingEQME:Equipment / Social NetworkEQSN:Equipment / VulnerableEQVU:
Number of equipments vulnerable<NB_EQVU>:Number of humans attacked<NB_HA>:Number of humans employed<NB_HE>:Number of humans targeted<NB_HT>:
Rule reference(xx):BI Behavioural incongruity
HH / EQHH
EQVU1 ...
EQVU<NB_EQVU>
EQVU1
Scannedequipments
Compromisedequipment
Humans / EmployeesHE1 ... HE<NB_HE>
EXHE1 EXHE<NB_HE>
...
INFORMATION SYSTEM | ENTREPRISE.COM
EXTERNAL.COMFACEBOOK.COM
EQSN
EQME
@ (14)
Humans / EmployeesHE1 ... HE<NB_HE>
Humans / TargetedHE1 ... HE<NB_HT>
Humans / AttackedHE1 ... HE<NB_HA>
HR / EQHR
(15)
HE1/EQHE1
(14)
DMZ
EQFW1
EQFW2
(20)
Hacker
Employees (all)
Employees (attacked)
Employees (targeted)
Employee (charge activation)
Person whose identity is usurped
Employees(from home)
Messaging servers
Firewall
Firewall
Web servers
Human-EmployeeHE:From external / Human-EmployeeEXHE:Equipment of / Human-EmployeeEQHE:Human-HackerHH:Equipment of / Human-HackerEQHH:Human-ReferentHR:Equipment of / Human-ReferentEQHR:
Equipment / FirewallEQFW:Equipment / MessagingEQME:Equipment / Social NetworkEQSN:Equipment / VulnerableEQVU:
Number of equipments vulnerable<NB_EQVU>:Number of humans attacked<NB_HA>:Number of humans employed<NB_HE>:Number of humans targeted<NB_HT>:
Rule reference(xx):BI Behavioural incongruity
HH / EQHH
EQVU1 ...
EQVU<NB_EQVU>
(20)
EQVU1
Scannedequipments
Compromisedequipment
(18)
Humans / EmployeesHE1 ... HE<NB_HE>
EXHE1 EXHE<NB_HE>
...
(18)
INFORMATION SYSTEM | ENTREPRISE.COM
EXTERNAL.COMFACEBOOK.COM
(10, 11)
EQSN
(12)
EQME
@ (14)
Humans / EmployeesHE1 ... HE<NB_HE>
Humans / TargetedHE1 ... HE<NB_HT>
Humans / AttackedHE1 ... HE<NB_HA>
(13)
HR / EQHR
(15)
HE1/EQHE1
(14)
DMZ
EQFW1
EQFW2
(19)
(21)
(20)
Multi-int
(30)
Hacker
Employees (all)
Employees (attacked)
Employees (targeted)
Employee (charge activation)
Person whose identity is usurped
Employees(from home)
Messaging servers
Firewall
Firewall
Web servers
Threat Informationabout hacker
BI3 OSINT
Realsender
Apparentsender
Human-EmployeeHE:From external / Human-EmployeeEXHE:Equipment of / Human-EmployeeEQHE:Human-HackerHH:Equipment of / Human-HackerEQHH:Human-ReferentHR:Equipment of / Human-ReferentEQHR:
Equipment / FirewallEQFW:Equipment / MessagingEQME:Equipment / Social NetworkEQSN:Equipment / VulnerableEQVU:
Number of equipments vulnerable<NB_EQVU>:Number of humans attacked<NB_HA>:Number of humans employed<NB_HE>:Number of humans targeted<NB_HT>:
Rule reference(xx):BI Behavioural incongruity
HH / EQHH
EQVU1 ...
EQVU<NB_EQVU>
(20)
EQVU1
Scannedequipments
Compromisedequipment
(19)
(21)
(17)
(18)
Humans / EmployeesHE1 ... HE<NB_HE>
EXHE1 EXHE<NB_HE>
...
BI2
(18)
(13)
BI1
(17)
A B C D A B C D A B C D A B C D
A. Scenario details.
B. Metrics generation.
C. More about AI.
D. Correlation and graphs.
6. POC #1: behind the scene
Input metrics: converted to numbers.
Algorithm: isolation forest, unsupervised.
Output scores: neither normalised nor filtered, so that the
correlation phase (see below) receives all the information including
weak signals.
Real time performance : ~5K metrics / s. on a single PC.
Our own massive, coherent data generator.
500K metrics generated.
Data enrichment (eg: aggregations / counts
on sliding time windows).
Metrics
• Flow (source, destination).
• Email (sender, recipient, attachment).
• Protocols, ports, timestamp.
• OSINT source.
Discovery of major interest graphs, with an
algorithm working on 3 spaces:
1. Metrics concentration (quasi-twins).
2. Search for related events.
3. Search for major interest graphs made
of strong / weak / normal signals via a
relevance function.
Relevance function
Based on temporal feedback, hysteretic
effect, forgetfulness, incongruity score,
signal type, topological properties, time
scales, probabilities.
A company, 100 employees working on site and from their home.
Theatre: an IS (internal/external PC, messaging, network flows, firewalls, routers).
internal, external, mixed flows.
A social network used for screening / targeting.
1 month
Normal activity
2 days
Normal + hostile activities
1 month
Normal activity
Result(next slide)
Scenario
Data generator
<01100101101010
Sync.
Data + Incongruity score
AIcorrelation
:19%( )872
415
106
Feed
AIlearning
Behavioural model
Read
AIinference
Behavioural model
Datavector( )8
72
415
106
A. Achieved expected results.
B. Unexpected results.
7. POC #1: results
MAIN RESULTS: DETECTION OF HOSTILE
BEHAVIOURS HAVING DIRECT IMPACT
Few false positives (during calibration).
SCENARIO DETECTED
BI1 The hacker sends malicious
attachment to 2 targeted
employees by usurping a
third-party identity.
Event is considered only
suspicious but nevertheless
contributes to the globally
hostile events chain.
BI2 The charge scans ports on
vulnerable equipment and
compromises one.
Event is considered
incongruous (average score)
within hostile events chain.
BI3 The hacker takes control of
compromised equipment.
Event is considered
incongruous (strong score)
within hostile events chain.
UNEXPECTED: DETECTION OF HOSTILE
BEHAVIOURS HAVING INDIRECT IMPACT
Detection of suspicious flow: sending of
the same malicious attachment to the
employee’s PC n° 2.
Detection of a fourth behavioural
incongruity : the hacker downloads
sensitive documents located on PC n° 48.
Detection is complete with good
explainability.
BI4
A B A B Nonemployees
EmployeesPC
Networkequipments
0.66(average)
0.60(average)
BI1
BI2
1.62(strong)
BI3
EQHE1
Employee n°1(from site)
EXHE1
Employee n°1(from home)
EQHE2
Employee n°2(from site)
Third party (whose identity is theft)
EQHR
EQHE48
Employee n°48(from site)
EQVU1
Equipment n°1
EQVU5
Equipment n°5
Hacker
HH
Event considered suspicious
Event considered hostile
BI Behavioural incongruityas defined by scenario
Nonemployees
EmployeesPC
Networkequipments
0.66(average)
0.60(average)
BI1
BI2
1.62(strong)
BI3
0.66(average)
0.58(average)
0.49(weak)
0.69(average)
EQHE1
Employee n°1(from site)
EXHE1
Employee n°1(from home)
EQHE2
Employee n°2(from site)
Third party (whose identity is theft)
EQHR
EQHE48
Employee n°48(from site)
EQVU1
Equipment n°1
EQVU5
Equipment n°5
Hacker
HH
Event considered suspicious
Event considered hostile
BI Behavioural incongruityas defined by scenario
BI4
Each event / signal
is a flow
A. Biases versus progress.
8. POC #1: conclusion
Few false positives, only during first month (calibration).
No false negatives. Many false positives
Over-simplification of problems Training on the entire dataset.
Multivariate events of different types.
Slightly explainable result Detection is complete with good explainability.
Little consideration of events
temporality
Our algorithm uses events temporality, it adapts to any time
scale, from microseconds to years.
Low management of behavioural
model, boiled frog paradox
To be done, we will use AI for synchronisation of the
behavioural model.
Frequent presence of a simple
time window alerts counter
We don’t use counters but graphs on sliding and variable
time windows over wide temporal ranges.
Learning: partially scalable.
Inference + correlation: horizontal scaling. Training performance
Other limitations Synthetic data.
Simplistic scenario.
Too little data.
MAIN BIASES OF AVAILABLE SOLUTIONS OUR RESULTS FOR POC #1 FOCUS
(FOR POC #2) A
A. Scenario overview.
9. POC #2: scenario
More
Hostile scenario
1 The user executes a malicious script, via a
BASH* command.
2, 3, 4 The malicious script downloads source code of an
exploit from the web, via a WGET* command.
5, 6, 7 The malicious script compiles the exploit, via a GCC*
command.
8, 9 The malicious script executes the compiled exploit,
which tries to elevate its privileges using a vulnerability
of the operating system kernel.
On his Linux PC, a user unwisely executes a malicious script which downloads an
exploit from the Web in order to use a kernel vulnerability to elevate its privileges.
Usual behaviours
The user performs office tasks (eg: word processing,
messaging, Internet browsing).
The user executes commands and scripts.
BASH : standard command for executing scripts.
WGET : standard command for downloading files from the Web.
GCC : standard command for compiling programming languages.
(*)
User’s PC
Internet
BASH script
WGET
User
GCC
(2) Execute
(3) Download
Exploit (source)
Exploit(compiled)
(4) Write
(6) Read (7) Compile
(5) Execute
(8) Execute
(1) Execute
Linux kernel
(9) Use avulnerability
to elevateprivileges
A
A B C A B C A B C
A. Metrics.
B. More about AI.
C. Correlation and graphs.
10. POC #2: behind the scene
Input metrics: conversion of categorical variables to numerical using
probability of observing couples of values after observing others.
Algorithm: deep learning autoencoder, unsupervised.
Regularisation: dropout, noise addition, early stopping.
Output scores: normalised, not filtered.
Real time performance : ~2K metrics / s. on a single PC with GPU.
Discovery of major interest graphs: same as for POC #1.
Real data.
12 million metrics
(2 millions / day).
Theatre: inside a PC.
Metrics collected through
standard auditing functions
of operating system.
90% kernel primitives calls.
Metrics
• Unauthorised actions.
• Calls to functions/commands for modifying kernel/modules.
• Suspicious actions (eg: nmap, wget, tcpdump).
• Access to monitored files (eg: config., binaries, temp. files).
• Commands executed.
• Invocations of potentially dangerous kernel primitives.
• Credentials (eg: user, group).
• Context (eg: path, timestamp, parent process).
1 week
Normal activity
1 minute
Normal + hostile activity
Result(next slide)
Scenario
Sync.
Data + Incongruity score
AIcorrelation
:19%( )872
415
106
Feed
AIlearning
Behavioural model
Read
AIinference
Behavioural model
Datavector( )8
72
415
106
A. Achieved expected results.
11. POC #2: results
A
Each event / signal
is an action
MAIN RESULTS Detection is complete with good explainability :
• Execution of the BASH script (score 0.1).
• Execution of the WGET command (score 0.6).
• Three executions of the GCC command (score 0.29).
• Execution of the exploit (score 0.29).
The BASH process has a low incongruity score, but it still contributes to the major interest
graph because it connects other actions.
Some false positives resulting from rare actions, which could be avoided by optimising
training.
No false negatives.
Execution(BASH script)
Score : 0.1
Is parentprocess of
Execution(WGET)
Score : 0.6
Execution(GCC)
Score : 0.29
Execution(GCC)
Score : 0.29
Execution(GCC)
Score : 0.29
Execution(exploit)
Score : 0.29Score
Time
Is parent
process of
Is parentprocess of
A. Biases versus progress.
12. POC #2: conclusion
Few false positives, but could be avoided.
No false negatives. Many false positives
Over-simplification of problems Training on the entire dataset, directly from raw logs.
Multivariate events of different types.
Slightly explainable result Detection is complete with good explainability.
Little consideration of events
temporality
Our algorithm uses events temporality, it adapts to any time
scale, from microseconds to years.
Low management of behavioural
model, boiled frog paradox
To be done, we will use AI for synchronisation of the
behavioural model.
Frequent presence of a simple
time window alerts counter
We don’t use counters but graphs on sliding and variable
time windows over wide temporal ranges.
Learning + inference + correlation : horizontal scaling (cloud
friendly). Training performance
Other limitations Simplistic scenario.
MAIN BIASES OF AVAILABLE SOLUTIONS OUR RESULTS FOR POC #2 A
A. Progress and limits.
B. Remaining work.
13. Situation and future
SITUATION Effective association of UEBA with correlation process.
Good explainability of alerts.
Few but avoidable false positives.
Temporality taken into account from microseconds to years.
Real time 3 phases algorithm + horizontal scaling.
Integration issues partially addressed (ELK).
Encouraging results.
Results confirmed in various contexts.
Co
nte
xts
Data:
Real
Synthetic
Signal type:
Flows
Actions
Theatre:
All over an IS
Inside a PC
Algorithm:
Isolation forest
Autoencoder
A B A B
FUTURE More realistic scenarios.
Adversarial AI*.
Memorisation AI*.
Interoperation with SIEM.
(*) PhD thesis 2019 : « Continuous Model
Learning for Anomaly Detection In the
Presence of Highly Adaptative Cyberattacks ».
EXISTING SOC UEBA SOLUTION
AIinference
AIlearning
AI memori-sation
AIcorrelation
Observedworld
Sensors
Sensors
SIEM
HMIAlerts
dashboard
HMIIncident and
ticket manag.
HMIMetrics
dashboard
HMISupervision
HMIRisk
assessement
Collectdata
Collectevents
Collectnetwork flows
Threat intelligence
Alerts
Expert
14. Your questions
Questions (and answers !)