ML & Deep Learning
THB, 13th Security Forum, 17.01.2019
Benefit or Danger for Security?
David Fuhr
David Fuhr, Head of Research, HiSolutions AG
• Mathematics
• Crypto(graphy)
• Security
• Coaching
© HiSolutions 2019
Digital Security Netzwerk Berlin e.V.
• Founded and project launched in November 2018; operational business began 1.1.2019
• Currently 10 founding members
• Starting point for the founding: SenWTF market analyses of IT security in Berlin-Brandenburg
• 4 work packages (AP):
  • AP 1: Cooperation with universities and research institutions (recruiting skilled professionals)
  • AP 2: Cooperation with critical infrastructure (KRITIS) sectors from the innovation strategy (InnoBB)
  • AP 3: Projects and initiatives (joint acquisition)
  • AP 4: Development of an IT security check for SMEs
• Network funding (GRW network) from SenWTF
• Further information: status of the cluster ICT, Media and Creative Industries
Goals of the Digital Security Netzwerk Berlin
1. Bring the IT security industry closer together: promote regional cooperation
2. Improve collaboration between academia and industry in the field of IT security
3. Optimize cooperation with universities and research institutions -> recruiting skilled professionals
4. Competence network (POC) and trusted point of contact in the capital region
5. Jointly acquire projects for the capital region
6. Intensify cooperation with other economic sectors (KRITIS and the cluster areas of the joint innovation strategy) -> do justice to the cross-cutting nature of IT security
7. Initiate a rethink of processes and systems, strengthen security awareness
8. Exchange with the growing startup scene in Berlin
Further information: status of the cluster ICT, Media and Creative Industries
DATA SCIENTIST / AI RESEARCHER
Man vs. Machine
| …threatens | Human | Machine |
|---|---|---|
| Human | Civil/Military Security | InfoSec … Cyberwar |
| Machine | Safety | War of Machines |
[Liggesmeyer 2015]
AI Security?
▪ AI for Security
▪ Security of/for AI
▪ Security from/against AI
▪ Security because of / thanks to AI
▪ AI against Security / Security in spite of AI
▪ …?
Man vs. AI vs. Machine
| …threatens | Human | AI | Machine |
|---|---|---|---|
| Human | Civil/Military Security | AI-Sec | InfoSec |
| AI | AI Safety | Adversarial | Sec AI |
| Machine | Safety (e.g. Safety AI) | (AI-Sec) | War of Machines |
Adversarial: AI vs. AI
▪ Sparring: GANs (Generative Adversarial Networks, 2014)
▪ Fight: CGC (DARPA Cyber Grand Challenge 2016)
AI-Sec: Humans vs. AI
▪ Humans (or nature) trying to harm a piece of software
▪ (on purpose or bad luck (e.g., fat finger))
→ This we know!
→ See InfoSec
AI-Sec: Humans vs. AI
▪ Availability: Depending on (Cloud) resources, model parameters, data
▪ Confidentiality: Trade secrets in models
▪ Integrity:
  ▪ Manipulation of evaluation
  ▪ Manipulation of models
  ▪ Manipulation of data
  ▪ Manipulation of AI stacks (source code, binaries)
  ▪ Manipulation of supply chain
It’s all going to happen.
Sec-AI: AI vs. Machines
▪ Offensive AI
▪ Defensive AI
Incorrect View of InfoSec (Dullien 2017)
Thomas Dullien 2017, https://doc.dustri.org/keynotes/Machine%20Learning,%20Offense,%20and%20the%20future%20of%20Automation%20-%20Halvar%20Flake%20-%20ZeroNights%202017.pdf
More Realistic View of InfoSec (Dullien 2017)
Thomas Dullien 2017, https://doc.dustri.org/keynotes/Machine%20Learning,%20Offense,%20and%20the%20future%20of%20Automation%20-%20Halvar%20Flake%20-%20ZeroNights%202017.pdf
The Good, the Bad & the Ugly
| Task | Today | Future | Action |
|---|---|---|---|
| SPAM detection | Near perfect | SPAM evasion might win | → Learn about useful/fruitful content |
| Virus detection | Mostly non-AI | Not to change that fast (what is "evil" behavior?) | Wrong idea anyways ;-) → Whitelisting, hardening, true software engineering |
| "Anomaly detection" | AI marketing hype | Will work in simple/strict environments | → Ditto |
| Vuln scanning | Some AI hype | Mostly useless (hacking is about exploiting minor glitches) | → Can work on a macro level |
| Attribution | "It was the Russinese!" | Please don't. | → Forget about it! |
| Config Management | Non-AI | Promising ("most servers that were not hacked did X") | → Start doing Config management → Use AI to make it cooler |
| Other | What is AI? | Lots of hidden wins | → Start researching |
AI Safety: AI vs. Humans
- Opacity (vs. Transparency)
- Bias
- Singularity
AI Safety: AI vs. Humans
- Opacity (vs. Transparency)
  - Transparency as crucial for democracy: Trust, Accountability
  - → Also a chance?
- Bias
  - Cannot be avoided (part of culture), but:
  - We need to stay fluid vs. power
  - Stakeholder problem (bias in professional field)
  - → Always ask and invite those discriminated against
- Singularity
  - Actually a scale
  - Start researching and mitigating early(!!!)
Who Will Win?
▪ Attacker or Defender?
▪ In (pre AI) InfoSec:
  ▪ It depends.
  ▪ Used to say: attacker
  ▪ New insight:
    ▪ locally: attacker
    ▪ globally: defender
    ▪ but: cyberwar
Who Will Win with AI / Post-AI?
▪ Defenders need to keep winning (statistically, without black swans)
→ New type of defenders and defenses needed
→ More research necessary
Man vs. AI vs. Machine
| …threatens | Human | AI | Machine |
|---|---|---|---|
| Human | Civil/Military Security | AI-Sec: New Attack Vectors | InfoSec |
| AI | AI Safety: Opacity, Bias, Singularity | Adversarial: GANs, CGC | Sec AI: Offensive AI, Defensive AI |
| Machine | Safety (e.g. Safety AI) | (AI-Sec) | War of Machines |
Lessons To Be (Deeply) Learned
▪ We (AI & InfoSec communities) need to talk.
▪ Now.
▪ Learn about
  ▪ Threat Modeling
  ▪ Attacks/Attack vectors
  ▪ Risk Analysis and Risk Management
  ▪ Security by Design, Security by Default
  ▪ Accountability
  ▪ Transparency
▪ And have fun doing it!
Bouchéstraße 12 | 12435 Berlin
+49 30 533 289 0
www.hisolutions.com
Thank you! Questions?
David Fuhr