Make Results, Not Models: Applying AI to Cybersecurity in an Intelligent Way

Presented at BSidesDC 2019, Oct. 27, 2019, 3:30 p.m. (50 minutes).

The rapid recent growth of artificial intelligence (AI), and especially machine learning (ML), entices many cybersecurity professionals into believing these popular techniques are a silver bullet for our biggest cybersecurity challenges. Unfortunately, many cybersecurity efforts focus on applying data-driven ML without a clear strategy for carefully measuring the results the models produce. Furthermore, AI is an area of advanced computer science that requires experienced analysts, careful data preparation, and measured expectations of model performance and risk; nevertheless, the term is often used as a synonym for automation.

Deloitte has performed enterprise-scale cyber analytics at a scale of 1M events per second and 300B events per month for the last several years. In performing these analyses, Deloitte developed several advanced cyber analytic workflows that combine ML, contextual enrichment, and data science to support mission-centric cyber hunt operations. Experience has shown that analytical workflows are more impactful and relevant when they are defined not by the models used but by the mission-oriented results they produce.

In this talk, we describe a results-driven perspective on AI and ML applicable to real-world challenges in cyber analytics, with a particular focus on detecting malicious actors and behaviors and on advanced network understanding. We will discuss how analytical workflows use AI models and other techniques to define normal and anomalous behaviors; manage the base rate fallacy (the tendency to overestimate the precision of an alert when the malicious events it targets are rare); integrate cyber-domain knowledge into data-driven models to provide context and explainability; and provide advanced decision support to human cyber operators and threat hunters.
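As an added illustration of the base rate problem mentioned above (this is example code written for this page, not code from the talk or from Deloitte), the following Python computes the precision of an alerting rule from Bayes' rule given the fraction of events that are actually malicious and the detector's true-positive and false-positive rates. The 1M events per second throughput is the figure cited on the page; the base rate of one malicious event per million, the 99% detection rate and the 0.1% false-positive rate are assumptions chosen to show why a detector that looks "99.9% accurate" in evaluation can still bury analysts in false alerts at enterprise scale.

```python
"""Base rate arithmetic for security alerting.

Every figure below except the 1M events/second throughput (taken from
the talk abstract) is an assumption chosen for illustration.
"""

EVENTS_PER_SECOND = 1_000_000          # throughput figure cited on the page
EVENTS_PER_DAY = EVENTS_PER_SECOND * 86_400


def alert_precision(base_rate: float, tpr: float, fpr: float) -> float:
    """Probability that a fired alert is a true positive (PPV), via Bayes' rule.

    base_rate: fraction of events that are actually malicious, P(malicious)
    tpr:       detection rate on malicious events, P(alert | malicious)
    fpr:       alert rate on benign events,        P(alert | benign)
    """
    for name, value in (("base_rate", base_rate), ("tpr", tpr), ("fpr", fpr)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must lie in [0, 1], got {value}")
    true_alerts = base_rate * tpr                 # P(alert and malicious)
    false_alerts = (1.0 - base_rate) * fpr        # P(alert and benign)
    total = true_alerts + false_alerts
    if total == 0.0:
        return 0.0  # detector never fires; precision is undefined, report 0
    return true_alerts / total


def daily_alert_counts(base_rate: float, tpr: float, fpr: float,
                       events_per_day: int = EVENTS_PER_DAY) -> tuple[float, float]:
    """Expected (true_alerts, false_alerts) per day at the given event volume."""
    true_alerts = events_per_day * base_rate * tpr
    false_alerts = events_per_day * (1.0 - base_rate) * fpr
    return true_alerts, false_alerts


def fpr_for_precision(base_rate: float, tpr: float, target_precision: float) -> float:
    """Largest false-positive rate that still achieves target_precision.

    Solves ppv = b*t / (b*t + (1-b)*f) for f. This is the number an analyst
    team actually needs from a detector: the FPR budget implied by the base
    rate and the precision they are willing to triage.
    """
    if not 0.0 < target_precision <= 1.0:
        raise ValueError("target_precision must lie in (0, 1]")
    if base_rate >= 1.0:
        return 1.0  # everything is malicious; any FPR satisfies the target
    return (base_rate * tpr * (1.0 - target_precision)
            / ((1.0 - base_rate) * target_precision))


if __name__ == "__main__":
    # Assumed scenario: 1 malicious event per million, 99% detection rate.
    base_rate, tpr = 1e-6, 0.99
    print(f"{'FPR':>10} {'precision':>10} {'true/day':>12} {'false/day':>14}")
    for fpr in (1e-2, 1e-3, 1e-4, 1e-5, 1e-6):
        ppv = alert_precision(base_rate, tpr, fpr)
        true_a, false_a = daily_alert_counts(base_rate, tpr, fpr)
        print(f"{fpr:>10.0e} {ppv:>10.4f} {true_a:>12,.0f} {false_a:>14,.0f}")
    budget = fpr_for_precision(base_rate, tpr, 0.5)
    print(f"\nFPR needed for 50% precision at this base rate: {budget:.2e}")
```

With the assumed figures, a 0.1% false-positive rate yields a precision of roughly 0.1%: about 85,000 true alerts per day drowned by about 86 million false ones, so 999 of every 1,000 alerts are noise. Reaching even 50% precision requires a false-positive rate around one in a million, which is why the workflow's treatment of the base rate, rather than the model's headline accuracy, determines whether human operators can act on its output.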

We will conclude with stories of where AI has effectively supported cybersecurity analysis, where AI has failed in cybersecurity and analytic applications, and recommendations for moving beyond current data-driven AI models focused on classification toward results-driven AI approaches that incorporate context and remain robust to uncertainty and ambiguity in the cybersecurity domain.


Presenters:

  • John Zachary - Specialist Master at Deloitte & Touche LLP
    John Zachary is a Data Scientist at Deloitte where he leads the development of advanced, mission-focused cyber analytics, data science, and AI / ML methods in complex DoD big data environments, including the Big Data Platform (BDP) for the US Army ARCYBER. He has over two decades of experience across academic and applied research, software engineering, economic development, and entrepreneurship. John has a Doctorate in computer science from Louisiana State University A&M.
  • Eric Dull - Specialist Leader at Deloitte & Touche LLP
    Eric Dull is a Program Manager at Deloitte and is an expert in analytics, large-scale data science, computer network analysis, applied graph analysis, and behavior-based anomaly detection. He has over 17 years of experience using software and data analysis techniques to research, develop, and demonstrate solutions to mission-driven problems for the DoD. Eric has a Master's degree in computer science from Johns Hopkins.
