CanSecWest 2014 Presentation: "Intelligent Use of Intelligence: Design to Discover"
INTELLIGENT USE OF INTELLIGENCE
DESIGN TO DISCOVER
CanSecWest 2014
Ping Yan : @pingpingya &
Thibault Reuille : @ThibaultReuille
Monday, March 17, 14
PING @pingpingya
Data Mining, Machine Learning
InfoSec
THIBAULT
Parisian, moved to Cali in 2010
Security and Visualization ?
Demoscene rocks !
AGENDA
01100100011000010111010001100011 ("data" in ASCII binary)
Big Data
Intelligence
Use cases - Cryptolocker
Conclusion
THE HAYSTACK PROBLEM
Continuous monitoring of everything? Yeah, sure …
data != intelligence
EXPLORATION PROCESS
seed → Raw → Refined → Intelligence
4-D APPROACH TO DATA
TIME: spiked in the past hour?
SPACE: clustered by geo?
TRANSACTIONS/NETWORK: Alice talked to Bob?
Hunches
OPENDNS’S HAYSTACK
22+
3D view !
Security Graph 3D
FRAMEWORK
Data Extraction
FRAMEWORK
Visualization Engine
PARTICLE PHYSICS
Force Directed Layout
PARTICLES
WHY ?
Shape:
Algorithms populate our knowledge graph
Creation is understood, output is complex
Layout defined by model structure
Closer to the “natural shape” of data
Take advantage of the GPU to untangle information
Evolution:
Security Graph is dynamic, constantly changing
Monitoring evolution over time
Investigation:
Humans are better at processing shapes than numbers
Solid tool to build hypothesis / heuristics
NATURAL CLUSTERING
Graph of malicious domains hosting Nuclear exploit kits (pink) linked to their hosting IPs (yellow)
USE CASE #2 : CRYPTOLOCKER
1. Infection
2. Retrieve encryption key from CnC
3. Encrypt data files
4. Collect money
IP CnC fails quickly
DGA!
CO-OCCURRENCES
ALGORITHM
Ripple Effect on Co-occurrences
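As an added example (not code from the talk or from OpenDNS), the Python below sketches the seed-driven co-occurrence expansion the deck calls the "ripple effect", run over a constructed DNS resolver log: starting from one known Cryptolocker-style DGA domain, it promotes domains that several distinct clients queried within seconds of a seed, then repeats with the enlarged seed set. The scoring rule (distinct-client count inside a time window), the thresholds and every domain name are assumptions for illustration.

```python
# Added example, not the talk's own code. Scoring rule and data are assumed.
from collections import defaultdict

# Constructed sample log: (timestamp_seconds, client_id, queried_domain).
# c1..c3 are infected clients querying DGA-looking names; c4 is clean.
LOG = [
    (100, "c1", "example.com"),
    (101, "c1", "qwtxkzlpa.org"),      # constructed known-bad seed
    (102, "c1", "mbvncxzqa.net"),      # constructed, unknown at start
    (500, "c2", "qwtxkzlpa.org"),
    (503, "c2", "mbvncxzqa.net"),
    (504, "c2", "plrtyuiop.biz"),      # constructed, found only via the ripple
    (850, "c3", "example.com"),        # far from any seed query: stays clean
    (901, "c3", "mbvncxzqa.net"),
    (902, "c3", "plrtyuiop.biz"),
    (1300, "c4", "example.com"),
    (1301, "c4", "news.example.org"),  # never near a seed
]

def cooccurring(log, seeds, window=10):
    """For each non-seed domain, count distinct clients that queried it
    within `window` seconds of querying any seed domain."""
    by_client = defaultdict(list)
    for ts, client, dom in log:
        by_client[client].append((ts, dom))
    hits = defaultdict(set)
    for client, events in by_client.items():
        seed_times = [ts for ts, dom in events if dom in seeds]
        for ts, dom in events:
            if dom in seeds:
                continue
            if any(abs(ts - st) <= window for st in seed_times):
                hits[dom].add(client)
    return {dom: len(clients) for dom, clients in hits.items()}

def ripple(log, seeds, min_clients=2, rounds=3, window=10):
    """Promote candidates seen by >= min_clients distinct clients into the
    seed set (raw -> refined), and repeat until nothing new appears.
    A real deployment also needs a popularity prior so that widely used
    domains (here example.com) are not dragged in by a single coincidence."""
    seeds = set(seeds)
    for _ in range(rounds):
        scores = cooccurring(log, seeds, window)
        new = {d for d, n in scores.items() if n >= min_clients} - seeds
        if not new:
            break
        seeds |= new
    return seeds
```

On this log the first round promotes only mbvncxzqa.net; plrtyuiop.biz is reached in the second round through that new seed, while example.com never crosses the two-client threshold.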
USE CASE #3
Random Walk Live Demo
FUTURE WORK
Over-Time: Visualizing data evolution over time (Currently in development)
Scaling: Port Force-Directed algorithm to OpenCL
Detection: Threat pattern detection (Find sub-graph inside Security Graph). Example: DGA “nests”
Modern Human-Computer interaction: Leap Motion, Oculus, 3D glasses ...
@pingpingya
@ThibaultReuille thibaultreuille.tumblr.com
Blog http://labs.umbrella.com