Defending Networks with Incomplete Information: A Machine Learning Approach

Presented at Black Hat USA 2013, Aug. 1, 2013, 5 p.m. (Unknown duration)

Let's face it: we may win some battles, but we are losing the war pretty badly. Regardless of the advances in malware and targeted attacks detection technologies, our top security practitioners can only do so much in a 24-hour day; even less, if you let them eat and sleep. On the other hand, there is a severe shortage of capable people to do "simple" security monitoring effectively, let alone complex incident detection and response.

Enter the use of Machine Learning as a way to automatically prioritize and classify potential events and attacks as something could potentially be blocked automatically, is clearly benign, or is really worth the time of your analyst.

On this presentation we will present publicly for the first time an actual implementation of those concepts, in the form of a free-to-use web service. It leverages OSINT and knowledge about the spatial distribution of the Internet to generate a fluid and constantly updated classifier that pinpoints areas of interest on submitted network traffic logs.

Presenters:

• Alexandre Pinto - Independent
  Alexandre Pinto (or just Alex) has over 13 years dedicated to information security solutions architecture, strategy advisory and monitoring. He has experience with a great range of security products, and has even been know to do pen-testing from time to time. Alex holds the CISSP-ISSAP, CISA, CISM, CREST CCT APP and PMP certifications. And somehow he is still a nice guy. He was also a PCI QSA for 5+ years, but is almost fully recovered. Alex has been responsible over the last 3 years to kickstart his previous company's offices in 2 different countries mainly because he is able to perform competently on a very deep technical level on all the company services, from risk auditing (*sigh*) to network and web application penetration testing. For the past year, as a part of his sabbatical, he has been researching and exploring the applications of Machine Learning and Predictive Analytics into Information Security Data, specially in supporting the mess that we currently face in trying to make sense of day to day usage of SIEM solutions as a whole.

Links:

• https://www.blackhat.com/us-13/archives.html#Pinto
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2013/video/Black Hat 2013 - Defending Networks With Incomplete Information - A Machine Learning Approach.mp4
• https://www.youtube.com/watch?v=73Y7E1dKsl8
• https://media.blackhat.com/us-13/US-13-Pinto-Defending-Networks-with-Incomplete-Information-A-Machine-Learning-Approach-Slides.pdf
• https://media.blackhat.com/us-13/US-13-Pinto-Defending-Networks-with-Incomplete-Information-A-Machine-Learning-Approach-WP.pdf

Similar Presentations:

• 31C3 (2014) / The Invisible Committee Returns with "Fuck Off Google": Cybernetics, Anti-Terrorism, and the ongoing case against the Tarnac 10
• DEF CON 21 (2013) / Defending Networks with Incomplete Information: A Machine Learning Approach
• DEF CON 22 (2014) / Secure Because Math: A Deep Dive On Machine Learning-Based Monitoring