Protection d’un système d’information par une intelligence ... · Avoid boiled frog paradox:...

Artificial Intelligence for cyber security

FIC 2019

22-23 January 2019 / Lille/ France

Protection of an information system by an AI : a three-phase approach based on

behaviour analysis to detect a hostile scenario

INTRODUCTION & CONCLUSION Sylvain NAVERS

APPROACH & RESULTS Jean-Philippe FAUVELLE

Alexandre DEY

1. Needs

2. SIEM solutions

3. UEBA concept

4. Our approach

5. POC #1: scenario

6. POC #1: behind the

scene

7. POC #1: results

8. POC #1: conclusion

9. POC #2: scenario

10. POC #2: behind the

scene

11. POC #2: results


13. Situation and future

14. Your questions

A B A B

A. Real world: 4 cases to

illustrate detection

completeness and quality.

B. Needs.

1. Needs

(*) APT – Advanced Persistent Threat Strong signal Weak signal Average signal

REAL WORLD Growing and evolving threats.

Hostile actions over wide time

periods, including APT*.

Cyber and non-cyber events.

Weak signals, noises, pollution.

Increasing volume of data.

Events chains spread over a wide time period

1

2

3

4

Events chain

is hostile ?

No

Yes

Yes

(APT*)

Yes

Case

MAIN NEEDS Detect hostile actions over wide time

periods, including APT*.

Produce explainable alerts.

Automatically adapt to changing threats

and behaviors.

Reduce false positives/negatives.

Horizontal scaling.

Expected detection and quality

Correctness Explainability

True

positive

True

negative

True

positive

True

positive

N/A

Yes

(complete)

Yes

(complete)

Yes

(complete)

?

Pros Cons Of current SIEM* solutions & A B A B

A. SIEM pros and cons.

B. Four cases to show limits.

2. SIEM* solutions

Strong signal Weak signal Average signal (*) SIEM – Security Information and Event Management

Events chains spread over a wide time period Usual detection/quality of SIEM* solutions

Correctness Explainability

True

positive

False

positive

True posit.

Two alerts

False

negative

N/A

Yes

Yes

(partial)

N/A

1

2

3

4

Events chain

is hostile ?

No

Yes

Yes

(APT)

Yes

Case

SIEM*

A B C A B C A B C

A. Facts concerning UEBA.

B. Biases of current solutions.

C. Principle overview and

boiled frog paradox.

3. UEBA concept

QUICK FACTS CONCERNING UEBA* Learning of behaviours.

Method agnostic to Good/Evil: detects

behaviour changes (incongruities).

Two training methods:

• Once for all training (eg: embarked).

• Continuous training: assimilation and

forgetting of behaviours, permanent

adaptation, non-supervised.

UEBA with continuous training meets

our needs.

MAIN BIASES OF AVAILABLE SOLUTIONS Training performance.

Many false positives (or negatives).

Slightly explainable result (black box).

Over-simplification of problems to solve.

Almost systematic presence of a simple

time window alerts counter.

Little consideration of events temporality.

Low management of behavioural model,

boiled frog paradox (see below).

But

UEBA PRINCIPLE AND BOILED FROG PARADOX

Assimilate new behaviours:

►Need for quick synchronism.

Avoid boiled frog paradox:

►Need for slow synchronism.

Conflicting needs: synchronism

is an unsatisfactory compromise.

More

Sensors

AIinference

AIlearning

Behavioural model

Observedworld

Behavioural model

Datavector

( )872

415

106

Data + incongruity

score

:19%( )872

415

106

Feed

Read

SYNC.

Result:

(*) UEBA – User and Entity Behaviour Analytics

A B A B

A. Our two-POCs approach.

B. Principle overview.

4. Our approach

APPROACH POC #1 (finished): simulated activity on an information system (with synthetic data).

POC #2 (almost finished): real activity on a workstation (with real data).

Keep in mind biases.

Focus on explainability of results.

Continue the work with a PhD Thesis (2019).

More

PRINCIPLE

Three phases AI :

• Learning (coutinuous).

• Inference.

• Correlation.

AI for memorisation (to be done).

Sensors

AIinference

AIlearning

Behavioural model

Observedworld

Behavioural model

Datavector

( )872

415

106

Data + incongruity

score

:19%( )872

415

106

Feed

Read

AI memori-sation

AIcorrelation

eqvu1 he48

eqhh

eqhe1

eqvu5

eqhr

exhe1

Subgraph of boundevents, considered

globally hostile

Complete graph(sliding time window)

A B C A B C A B C

A. Scenario theatre.

B. Usual behavior.

C. Hostile behavior.

5. POC #1: scenario

More

(*) OSINT – Open Source Intelligence

Compromising documents on a company's information system, by screening / targeting,

identity theft, malicious attachment, and exploitation of a vulnerability.

Hostile scenario

10

11

The hacker performs a screening and

targeting.

12 The hacker prepares an attack kit.

13

BI1

The hacker sends an email with malicious

attachment to 2 targeted employees by

usurping a third-party identity.

16 Targeted employee opens the attachment

and activates the charge.

17

BI2

The charge scans ports on vulnerable

equipment and compromises one.

19

BI3

The hacker connects to the compromised

equipment and takes control of it.

21 The hacker exploits the vulnerability to

collect sensitive documents.

30 An OSINT* source reports hacker.

Usual behaviours (extract)

14

15

Normal sending of internal and external

emails.

18 Normal solicitations of equipments / ports.

20 Normal activity between the external and

the equipment compromised.

INFORMATION SYSTEM | ENTREPRISE.COM

EXTERNAL.COMFACEBOOK.COM

EQSN

EQME

@

Humans / EmployeesHE1 ... HE<NB_HE>

Humans / TargetedHE1 ... HE<NB_HT>

Humans / AttackedHE1 ... HE<NB_HA>

HR / EQHR

HE1/EQHE1

(A17)

DMZ

EQFW1

EQFW2

Hacker

Employees (all)

Employees (attacked)

Employees (targeted)

Employee (charge activation)

Person whose identity is usurped

Employees(from home)

Messaging servers

Firewall

Firewall

Web servers

Human-EmployeeHE:From external / Human-EmployeeEXHE:Equipment of / Human-EmployeeEQHE:Human-HackerHH:Equipment of / Human-HackerEQHH:Human-ReferentHR:Equipment of / Human-ReferentEQHR:

Equipment / FirewallEQFW:Equipment / MessagingEQME:Equipment / Social NetworkEQSN:Equipment / VulnerableEQVU:

Number of equipments vulnerable<NB_EQVU>:Number of humans attacked<NB_HA>:Number of humans employed<NB_HE>:Number of humans targeted<NB_HT>:

Rule reference(xx):BI Behavioural incongruity

HH / EQHH

EQVU1 ...

EQVU<NB_EQVU>

EQVU1

Scannedequipments

Compromisedequipment


EXHE1 EXHE<NB_HE>

...



EQSN

EQME

@ (14)




HR / EQHR

(15)

HE1/EQHE1

(14)

DMZ

EQFW1

EQFW2

(20)

Hacker

Employees (all)






Messaging servers

Firewall

Firewall

Web servers





HH / EQHH

EQVU1 ...

EQVU<NB_EQVU>

(20)

EQVU1

Scannedequipments


(18)


EXHE1 EXHE<NB_HE>

...

(18)



(10, 11)

EQSN

(12)

EQME

@ (14)




(13)

HR / EQHR

(15)

HE1/EQHE1

(14)

DMZ

EQFW1

EQFW2

(19)

(21)

(20)

Multi-int

(30)

Hacker

Employees (all)






Messaging servers

Firewall

Firewall

Web servers

Threat Informationabout hacker

BI3 OSINT

Realsender

Apparentsender





HH / EQHH

EQVU1 ...

EQVU<NB_EQVU>

(20)

EQVU1

Scannedequipments


(19)

(21)

(17)

(18)


EXHE1 EXHE<NB_HE>

...

BI2

(18)

(13)

BI1

(17)

A B C D A B C D A B C D A B C D

A. Scenario details.

B. Metrics generation.

C. More about AI.

D. Correlation and graphs.

6. POC #1: behind the scene

Input metrics: converted to numbers.

Algorithm: isolation forest, unsupervised.

Output scores: neither normalised nor filtered, so that the

correlation phase (see below) receives all the information including

weak signals.

Real time performance : ~5K metrics / s. on a single PC.

Our own massive, coherent data generator.

500K metrics generated.

Data enrichment (eg: aggregations / counts

on sliding time windows).

Metrics

• Flow (source, destination).

• Email (sender, recipient, attachment).

• Protocols, ports, timestamp.

• OSINT source.

Discovery of major interest graphs, with an

algorithm working on 3 spaces:

1. Metrics concentration (quasi-twins).

2. Search for related events.

3. Search for major interest graphs made

of strong / weak / normal signals via a

relevance function.

Relevance function

Based on temporal feedback, hysteretic

effect, forgetfulness, incongruity score,

signal type, topological properties, time

scales, probabilities.

A company, 100 employees working on site and from their home.

Theatre: an IS (internal/external PC, messaging, network flows, firewalls, routers).

internal, external, mixed flows.

A social network used for screening / targeting.

1 month

Normal activity

2 days

Normal + hostile activities

1 month

Normal activity

Result(next slide)

Scenario

Data generator

<01100101101010

Sync.

Data + Incongruity score

AIcorrelation

:19%( )872

415

106

Feed

AIlearning

Behavioural model

Read

AIinference

Behavioural model

Datavector( )8

72

415

106

A. Achieved expected results.

B. Unexpected results.

7. POC #1: results

MAIN RESULTS: DETECTION OF HOSTILE

BEHAVIOURS HAVING DIRECT IMPACT

Few false positives (during calibration).

SCENARIO DETECTED

BI1 The hacker sends malicious

attachment to 2 targeted

employees by usurping a

third-party identity.

Event is considered only

suspicious but nevertheless

contributes to the globally

hostile events chain.

BI2 The charge scans ports on

vulnerable equipment and

compromises one.

Event is considered

incongruous (average score)

within hostile events chain.

BI3 The hacker takes control of

compromised equipment.

Event is considered

incongruous (strong score)

within hostile events chain.

UNEXPECTED: DETECTION OF HOSTILE

BEHAVIOURS HAVING INDIRECT IMPACT

Detection of suspicious flow: sending of

the same malicious attachment to the

employee’s PC n° 2.

Detection of a fourth behavioural

incongruity : the hacker downloads

sensitive documents located on PC n° 48.

Detection is complete with good

explainability.

BI4

A B A B Nonemployees

EmployeesPC

Networkequipments

0.66(average)

0.60(average)

BI1

BI2

1.62(strong)

BI3

EQHE1

Employee n°1(from site)

EXHE1

Employee n°1(from home)

EQHE2


Third party (whose identity is theft)

EQHR

EQHE48


EQVU1

Equipment n°1

EQVU5

Equipment n°5

Hacker

HH

Event considered suspicious

Event considered hostile

BI Behavioural incongruityas defined by scenario

Nonemployees

EmployeesPC

Networkequipments

0.66(average)

0.60(average)

BI1

BI2

1.62(strong)

BI3

0.66(average)

0.58(average)

0.49(weak)

0.69(average)

EQHE1


EXHE1

Employee n°1(from home)

EQHE2


Third party (whose identity is theft)

EQHR

EQHE48


EQVU1

Equipment n°1

EQVU5

Equipment n°5

Hacker

HH

Event considered suspicious

Event considered hostile

BI Behavioural incongruityas defined by scenario

BI4

Each event / signal

is a flow

A. Biases versus progress.


Few false positives, only during first month (calibration).

No false negatives. Many false positives

Over-simplification of problems Training on the entire dataset.

Multivariate events of different types.

Slightly explainable result Detection is complete with good explainability.

Little consideration of events

temporality

Our algorithm uses events temporality, it adapts to any time

scale, from microseconds to years.

Low management of behavioural

model, boiled frog paradox

To be done, we will use AI for synchronisation of the

behavioural model.

Frequent presence of a simple

time window alerts counter

We don’t use counters but graphs on sliding and variable

time windows over wide temporal ranges.

Learning: partially scalable.

Inference + correlation: horizontal scaling. Training performance

Other limitations Synthetic data.

Simplistic scenario.

Too little data.

MAIN BIASES OF AVAILABLE SOLUTIONS OUR RESULTS FOR POC #1 FOCUS

(FOR POC #2) A

A. Scenario overview.

9. POC #2: scenario

More

Hostile scenario

1 The user executes a malicious script, via a

BASH* command.

2, 3, 4 The malicious script downloads source code of an

exploit from the web, via a WGET* command.

5, 6, 7 The malicious script compiles the exploit, via a GCC*

command.

8, 9 The malicious script executes the compiled exploit,

which tries to elevate its privileges using a vulnerability

of the operating system kernel.

On his Linux PC, a user unwisely executes a malicious script which downloads an

exploit from the Web in order to use a kernel vulnerability to elevate its privileges.

Usual behaviours

The user performs office tasks (eg: word processing,

messaging, Internet browsing).

The user executes commands and scripts.

BASH : standard command for executing scripts.

WGET : standard command for downloading files from the Web.

GCC : standard command for compiling programming languages.

(*)

User’s PC

Internet

BASH script

WGET

User

GCC

(2) Execute

(3) Download

Exploit (source)

Exploit(compiled)

(4) Write

(6) Read (7) Compile

(5) Execute

(8) Execute

(1) Execute

Linux kernel

(9) Use avulnerability

to elevateprivileges

A

A B C A B C A B C

A. Metrics.

B. More about AI.

C. Correlation and graphs.

10. POC #2: behind the scene

Input metrics: conversion of categorical variables to numerical using

probability of observing couples of values after observing others.

Algorithm: deep learning autoencoder, unsupervised.

Regularisation: dropout, noise addition, early stopping.

Output scores: normalised, not filtered.

Real time performance : ~2K metrics / s. on a single PC with GPU.

Discovery of major interest graphs: same as for POC #1.

Real data.

12 million metrics

(2 millions / day).

Theatre: inside a PC.

Metrics collected through

standard auditing functions

of operating system.

90% kernel primitives calls.

Metrics

• Unauthorised actions.

• Calls to functions/commands for modifying kernel/modules.

• Suspicious actions (eg: nmap, wget, tcpdump).

• Access to monitored files (eg: config., binaries, temp. files).

• Commands executed.

• Invocations of potentially dangerous kernel primitives.

• Credentials (eg: user, group).

• Context (eg: path, timestamp, parent process).

1 week

Normal activity

1 minute

Normal + hostile activity

Result(next slide)

Scenario

Sync.

Data + Incongruity score

AIcorrelation

:19%( )872

415

106

Feed

AIlearning

Behavioural model

Read

AIinference

Behavioural model

Datavector( )8

72

415

106

A. Achieved expected results.

11. POC #2: results

A

Each event / signal

is an action

MAIN RESULTS Detection is complete with good explainability :

• Execution of the BASH script (score 0.1).

• Execution of the WGET command (score 0.6).

• Three executions of the GCC command (score 0.29).

• Execution of the exploit (score 0.29).

The BASH process has a low incongruity score, but it still contributes to the major interest

graph because it connects other actions.

Some false positives resulting from rare actions, which could be avoided by optimising

training.

No false negatives.

Execution(BASH script)

Score : 0.1

Is parentprocess of

Execution(WGET)

Score : 0.6

Execution(GCC)

Score : 0.29

Execution(GCC)

Score : 0.29

Execution(GCC)

Score : 0.29

Execution(exploit)

Score : 0.29Score

Time

Is parent

process of

Is parentprocess of

A. Biases versus progress.


Few false positives, but could be avoided.

No false negatives. Many false positives

Over-simplification of problems Training on the entire dataset, directly from raw logs.

Multivariate events of different types.

Slightly explainable result Detection is complete with good explainability.

Little consideration of events

temporality

Our algorithm uses events temporality, it adapts to any time

scale, from microseconds to years.

Low management of behavioural

model, boiled frog paradox

To be done, we will use AI for synchronisation of the

behavioural model.

Frequent presence of a simple

time window alerts counter

We don’t use counters but graphs on sliding and variable

time windows over wide temporal ranges.

Learning + inference + correlation : horizontal scaling (cloud

friendly). Training performance

Other limitations Simplistic scenario.

MAIN BIASES OF AVAILABLE SOLUTIONS OUR RESULTS FOR POC #2 A

A. Progress and limits.

B. Remaining work.

13. Situation and future

SITUATION Effective association of UEBA with correlation process.

Good explainability of alerts.

Few but avoidable false positives.

Temporality taken into account from microseconds to years.

Real time 3 phases algorithm + horizontal scaling.

Integration issues partially addressed (ELK).

Encouraging results.

Results confirmed in various contexts.

Co

nte

xts

Data:

Real

Synthetic

Signal type:

Flows

Actions

Theatre:

All over an IS

Inside a PC

Algorithm:

Isolation forest

Autoencoder

A B A B

FUTURE More realistic scenarios.

Adversarial AI*.

Memorisation AI*.

Interoperation with SIEM.

(*) PhD thesis 2019 : « Continuous Model

Learning for Anomaly Detection In the

Presence of Highly Adaptative Cyberattacks ».

EXISTING SOC UEBA SOLUTION

AIinference

AIlearning

AI memori-sation

AIcorrelation

Observedworld

Sensors

Sensors

SIEM

HMIAlerts

dashboard

HMIIncident and

ticket manag.

HMIMetrics

dashboard

HMISupervision

HMIRisk

assessement

Collectdata

Collectevents

Collectnetwork flows

Threat intelligence

Alerts

Expert

14. Your questions

Questions (and answers !)

Protection d’un système d’information par une intelligence ... · Avoid boiled frog paradox:...

Documents

Transcript of Protection d’un système d’information par une intelligence ... · Avoid boiled frog paradox:...