Machine Learning for Cyber Security
Dr. Chris Nicol
Chief Technology Officer
Wave Computing. Copyright 2017.
Wave Computing Profile
Founded in 2010 (after 2 years of incubation)
• Tallwood Venture Capital
• Southern Cross Venture Partners
Headquartered in Campbell, CA
• World class team of 45 dataflow, data science, and systems experts
• 60+ patents
Invented Dataflow Processing Unit (DPU) architecture to accelerate deep learning training by up to 1000x
• $55M+ investment in DPU architecture and software
• $20M+ customer contract to implement DPU silicon
Now accepting qualified customers for Early Access Program
First Product: Dataflow Computer for ML
2.9 Peta-Ops/Second
256,000 Processing Elements
Over 2TB Bulk & High Speed Memory
Up to 32TB SSD Storage
Over 4.5TB/Sec Dataflow Bandwidth
Up to 4 Wave Computers per Data Center Node
Initially Supporting TensorFlow
Wave Computing – Market Focus
[Diagram: Wave’s Dataflow Computing Technology. Wave’s initial market: Machine Learning in the Datacenter. Other markets shown: Consumer Smart Memory; Industrial.]
Wave Computing ML Applications
• Medical Image Diagnosis
• Cyber Security
• Text & Language Processing
• Retail Upselling / Cross Selling
• Fraud Detection & Credit Analysis
• Medical Record Analysis
• Public Safety Threat Analysis
• Speech Recognition
• Autonomous Driving
• Image Recognition
Cyber Security
Ransomware
• 2015: 4 million attacks
• 2016: 638 million attacks. $940M ransom paid.
• WannaCry: Friday 12th May, 2017
– 230,000 computers affected in 150+ countries.
– Finds and encrypts files & displays ransom message demanding payment (in bitcoin).
– Moves to other computers within network.
• Ransomware as a Service (RaaS) – outsourcing crime.
Distributed Denial of Service
• Cost on black market to attack a small company for 1 week = $150
• Percentage of all downtime caused by DDoS = 33%
• October 21, 2016: Mirai took down multiple social networks including Twitter, GitHub, Spotify, Etsy.
Distributed Denial of Service
• Sept 14, 2014: a global attack on the Philippines (www.digitalattackmap.com).
Technologies for Protection
• Network Intrusion Detection (IDS) (and IPS)
• External to firewall (inline blocking), and Internal to firewall
• Inspect packets and identify malware, attacks, etc
Network Intrusion Detection In a Software Defined Network
Landscape of Intrusion Detection
From “Shallow and Deep Networks Intrusion Detection System: A Taxonomy and Survey”, Elike Hodo, Xavier Bellekens, Andrew Hamilton, Christos Tachtatzis and Robert Atkinson, University of Strathclyde, U.K. & Division of Computing and Mathematics , University of Abertay Dundee
[Figure labels: Most common NIDS approach; Next Generation (NGIDS)]
Signature / Rule based IDS
• Rule-based approach for deep packet inspection at wireline speeds.
• Can only detect known attack signatures.
• Cannot detect zero-day attacks.
NIDS on Wave Dataflow Product
• Benchmark Background
– Fundamental technology for matching and extracting data
– Complexity can explode when the data or targets scale up
– RegEx hardware acceleration underlies much of Big Data
• Implementation Details
– B-FSM programmable state machine
– Exploits unique Wave DPU 8-b features to reduce storage costs ~95%
– Packs multiple instances into the Wave DPU
– Can exploit real-time reprogramming to support larger pattern sets
• Snort’04: 21.6K rules are implemented in 22 DPU Clusters achieving 1.3Gbps
• Each Wave DPU achieves 60Gbps
Byte-Fabric B-FSM Engine Block Diagram
[Block diagram labels: Input; Character Classifier; Default Rule LUT; State, Table Addr, Mask; Address Generation; Rule Selector; Transition Rule Memory (Rule 0, Rule 1, …)]
REGEX for NIDS
Rule set | Cisco Sourcefire 8360 4U | Wave 3U DataFlow Product
Snort 04 | 30 Gbps | 956 Gbps
SW Architecture of B-FSM in DPU
Anomaly Based Detection
• In 60% of breaches, data is stolen within hours†.
• 85% of breaches are not detected for weeks†.
• Signature-based detection can only detect known attacks (hence days-weeks of delay), but anomaly-based detection looks for any behavior that deviates from the norm.
• Supervised Machine Learning – trained on known malware behavior and attack techniques‡.
• Unsupervised Machine Learning – determines what is normal for the unique characteristics of the environment being protected‡.
† Gary Spiteri, Cisco Systems
‡ Vectra Networks: www.vectranetworks.com
Landscape of Intrusion Detection
Performance of ML IDS
(DNN_AUC) Deep Neural Network
(DT_AUC) Decision Tree
(SVM_AUC) Support Vector Machine
(NB_AUC) Naïve Bayes
“Deep Learning Approach for Network Intrusion Detection in Software Defined Networking”, Tuan A Tang, Lotfi Mhamdi, Des McLernon, Syed Ali Raza Zaidi and Mounir Ghogho†, School of Electronic and Electrical Engineering, The University of Leeds, Leeds, UK.
† International University of Rabat, Morocco.
Uses the NSL-KDD dataset
http://kdd.ics.uci.edu/databases/kddcup99/
In-Vehicle Network Security
In-Vehicle Intrusion Detection will require online self-supervised training in each vehicle.
“Intrusion Detection System Using Deep Neural Network for In-Vehicle Network Security”, Min-Joo Kang, Je-Won Kang, The Department of Electronics Engineering, Ewha W. University, Seoul, Republic of Korea
Wave Dataflow Processor is Ideal for Deep Learning
[Figure: Deep Learning Networks are Dataflow Graphs. Programmed on Deep Learning Software; Run on Wave Dataflow Processor. Graph nodes: Times, Plus, Sigmoid, Softmax, Mem I/O.]
Wave Dataflow Processor
WaveFlow Agent Library
DataFlow Computing
[Diagram: Wave’s Dataflow Computing Technology. Wave’s initial market: Machine Learning in the Datacenter. Other markets shown: Consumer Smart Memory; Industrial.]