SlideShare a Scribd company logo

Anomaly Detection for Security

Download as PPTX, PDF
Cody Rioux, profile picture
Cody Rioux

The document discusses real-time analytics and anomaly detection techniques for enhanced security, particularly focusing on identifying phishing attacks and rogue agents. It highlights various methods for anomaly detection, including static thresholds, clustering, and advanced techniques, while also addressing challenges like the base rate fallacy. The goal is to develop autonomous systems that can detect and automatically remediate security incidents in near real-time.

Data & Analytics
Related topics:
Data Mining InsightsData Science Insights
1 of 38
Downloaded 69 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
Anomaly Detection for Security Cody Rioux - @codyrioux Real-Time Analytics - Insight Engineering
Overview. ● Real-Time Analytics ● Anomaly: Fast Incident Detection ○ Techniques ○ Case Study: Detecting Phishing ○ Challenges: Base Rate Fallacy ● Outlier: Identifying Rogue Agents ○ Clustering ○ Case Study: Cleaning Up Rogue Agents ● Recap
We are drowning in information but starved for knowledge. - John Naisbitt Real-Time Analytics
Real-Time Analytics ● Part of Insight Engineering. ● Build systems that make intelligent decisions about our operational environment. ○ Make decisions in near real-time. ○ Automate actions in the production environment. ● Support operational availability and reliability.
Terminology Outlier Anomaly
Case Study: Phishing ● Just hired as the only security staff at a startup. ● Fell victim to a phishing attack last week. ○ They did not know it happened when it was happening. ○ They did not know what to do about it ● You’re tasked with solving this problem.
Incident Detection for Stats Geeks Anomaly Detection
Unexpected value for a given generating mechanism.
Terminology Outlier Anomaly
Anomaly Detection for Security
Anomaly Detection for Security
Techniques Basic ● Static thresholds ● Exponential Smoothing ● Three-sigma rule Advanced ● Robust Anomaly Detection (RAD) - Netflix ● Kolmogorov-Smirnov ● Highest density interval (HDI) ● t-digest ● Linear models
Anomaly Detection for Security
Anomaly Detection for Security
Anomaly Detection for Security
Anomaly Detection for Security
Anomaly Detection for Security
Techniques Basic ● Static thresholds - Doesn’t play well with nonstationary signals. ● Exponential Smoothing - Black Swan days like Christmas, Superbowl cause issues. ● Three-sigma rule - Works (very) well only for signals drawn from a Gaussian.
Show me the Money! ● No threshold configuration ● We require examples of normal, not examples of anomaly ● Automatically adapt to moving signals ● Higher accuracy enables automatic reaction ● Ensemble (combination) of techniques eliminates some downsides
Base Rate Fallacy Intrusion is comparatively rare which affords you many opportunities to generate a false positive.
Base Rate Fallacy ● 10,000 log entries ● 99% Accuracy ● 0.01% Intrusions 1 Real incident 100 false + and 10% chance of false -
Case Study So far we can automatically alert interested parties to the possibility of an intrusion.
Identifying Rogue Agents in a Production Environment Outlier Detection
Anomaly Detection for Security
Rogue Agents? ● Identify brute force attempts on login systems ● Flag cheaters in online video games ● Identify participating ip addresses in a phishing scam
Terminology Outlier Anomaly
Case Study Revisited You’ve devised an automated technique for identifying attacks, now we require an autonomous system for remediation of attacks.
Goal: identify accounts and IP Addresses that are not behaving like their peers.
Clustering ● DBSCAN ● K-Means ● Gaussian Mixture Models Conceptually ● If a point belongs to a group it should be near lots of other points as measured by some distance function.
Anomaly Detection for Security
Case Study Revisited Lets cluster accounts based on their login habits and initiate an automatic password reset and notification.
Case Study Revisited Lets cluster IP addresses based on their login habits and automatically ban them.
Full stack autonomous incident detection and remediation. Recap
Case Study Recap ● Anomaly Detection enables us to... ○ Automatically identify potential attacks in real-time. ○ Notify interested parties of the attack. ○ React to those attacks without user intervention. ● Outlier Detection with Clustering enables us to… ○ Identify rogue agents within the environment. ○ Reset customer passwords for potentially compromised accounts. ○ Ban IP Addresses identified to be participating in the phishing scheme.
Literature Machine Learning: The High Interest Credit Card of Technical Debt (Sculley et al., 2014)
Literature ● The Base-Rate Fallacy and its Implications for the Difficulty of Intrusion Detection (Alexsson, 1999) ● Practical Machine Learning: A New Look at Anomaly Detection (Dunning, 2014) ● ALADIN: Active Learning of Anomalies to Detect Intrusion (Stokes and Platt, 2008) ● Distinguishing cause from effect using observational data: methods and benchmarks (Mooij et al., 2014) ● Enhancing Performance Prediction Robustness by Combining Analytical Modeling and Machine Learning (Didona et al., 2015)
Implementations ● Robust Anomaly Detection (RAD) - Netflix ● Seasonal Hybrid ESD - Twitter ● Extendible Generic Anomaly Detection System (EGADS) - Yahoo ● Kale - Etsy
Questions? crioux@netflix.com @codyrioux linkedin.com/in/codyrioux

More Related Content

PPTX
A review of machine learning based anomaly detection
Mohamed Elfadly
 
PDF
Computer security - A machine learning approach
Sandeep Sabnani
 
PPTX
When Cyber Security Meets Machine Learning
Lior Rokach
 
PDF
145 148
Editor IJARCET
 
DOCX
Network intrusion detection using supervised machine learning technique with ...
CloudTechnologies
 
DOCX
Weapon detection using artificial intelligence and deep learning for security...
Venkat Projects
 
PPTX
Cognitive Computing in Security with AI
JoAnna Cheshire
 
PPTX
To use the concept of Data Mining and machine learning concept for Cyber secu...
Nishant Mehta
 
A review of machine learning based anomaly detection
Mohamed Elfadly
 
Computer security - A machine learning approach
Sandeep Sabnani
 
When Cyber Security Meets Machine Learning
Lior Rokach
 
145 148
Editor IJARCET
 
Network intrusion detection using supervised machine learning technique with ...
CloudTechnologies
 
Weapon detection using artificial intelligence and deep learning for security...
Venkat Projects
 
Cognitive Computing in Security with AI
JoAnna Cheshire
 
To use the concept of Data Mining and machine learning concept for Cyber secu...
Nishant Mehta
 

What's hot (19)

PPTX
Malware Detection Using Machine Learning Techniques
ArshadRaja786
 
PDF
Optimized Intrusion Detection System using Deep Learning Algorithm
ijtsrd
 
PDF
DB-OLS: An Approach for IDS1
IJITE
 
DOCX
robust malware detection for iot devices using deep eigen space learning
Venkat Projects
 
PDF
Volume 2-issue-6-2190-2194
Editor IJARCET
 
PDF
AI approach to malware similarity analysis: Maping the malware genome with a...
Priyanka Aash
 
PPTX
Cyber intrusion
Kishor Datta Gupta
 
PDF
Wmn06MODERNIZED INTRUSION DETECTION USING ENHANCED APRIORI ALGORITHM
ijwmn
 
PDF
Real Time Intrusion Detection System Using Computational Intelligence and Neu...
ijtsrd
 
PDF
2 14-1346479656-1- a study of feature selection methods in intrusion detectio...
Dr. Amrita .
 
PDF
IRJET- Improving Cyber Security using Artificial Intelligence
IRJET Journal
 
PPT
Intrusion Detection
butest
 
PDF
IRJET- Android Malware Detection using Machine Learning
IRJET Journal
 
PPTX
Role of data mining in cyber security
Pranto26
 
PDF
Intrusion Detection System - False Positive Alert Reduction Technique
IDES Editor
 
PPT
Pptbb
Rohit Shukla
 
PPTX
Databse Intrusion Detection Using Data Mining Approach
Suraj Chauhan
 
ODP
Malware Dectection Using Machine learning
Shubham Dubey
 
DOCX
A malware detection method for health sensor data based on machine learning
jaigera
 
Malware Detection Using Machine Learning Techniques
ArshadRaja786
 
Optimized Intrusion Detection System using Deep Learning Algorithm
ijtsrd
 
DB-OLS: An Approach for IDS1
IJITE
 
robust malware detection for iot devices using deep eigen space learning
Venkat Projects
 
Volume 2-issue-6-2190-2194
Editor IJARCET
 
AI approach to malware similarity analysis: Maping the malware genome with a...
Priyanka Aash
 
Cyber intrusion
Kishor Datta Gupta
 
Wmn06MODERNIZED INTRUSION DETECTION USING ENHANCED APRIORI ALGORITHM
ijwmn
 
Real Time Intrusion Detection System Using Computational Intelligence and Neu...
ijtsrd
 
2 14-1346479656-1- a study of feature selection methods in intrusion detectio...
Dr. Amrita .
 
IRJET- Improving Cyber Security using Artificial Intelligence
IRJET Journal
 
Intrusion Detection
butest
 
IRJET- Android Malware Detection using Machine Learning
IRJET Journal
 
Role of data mining in cyber security
Pranto26
 
Intrusion Detection System - False Positive Alert Reduction Technique
IDES Editor
 
Pptbb
Rohit Shukla
 
Databse Intrusion Detection Using Data Mining Approach
Suraj Chauhan
 
Malware Dectection Using Machine learning
Shubham Dubey
 
A malware detection method for health sensor data based on machine learning
jaigera
 
Ad

Viewers also liked (20)

PPTX
The Dark of Building an Production Incident Syste
Alois Reitbauer
 
PPTX
Traffic anomaly detection and attack
Qrator Labs
 
PPTX
Anomaly Detection for Real-World Systems
Manojit Nandi
 
PPTX
Where is Data Going? - RMDC Keynote
Ted Dunning
 
PDF
Parallel Programming in Python: Speeding up your analysis
Manojit Nandi
 
PPTX
Can a monitoring tool pass the turing test
Alois Reitbauer
 
PPTX
Monitoring without alerts
Alois Reitbauer
 
PPTX
Monitoring large scale Docker production environments
Alois Reitbauer
 
PPTX
The Dark Art of Production Alerting
Alois Reitbauer
 
PPTX
PyGotham 2016
Manojit Nandi
 
PPTX
The definition of normal - An introduction and guide to anomaly detection.
Alois Reitbauer
 
PDF
SSL Certificate Expiration and Howler Monkey's Inception
royrapoport
 
PDF
Cloud Tech III: Actionable Metrics
royrapoport
 
PDF
Python Through the Back Door: Netflix Presentation at CodeMash 2014
royrapoport
 
PPTX
Monitoring Docker Application in Production
Alois Reitbauer
 
PPTX
Ruxit - How we launched a global monitoring platform on AWS in 80 days.
Alois Reitbauer
 
PDF
Anomaly Detection for Global Scale at Netflix
Extract Data Conference
 
PPTX
Five Things I Learned While Building Anomaly Detection Tools - Toufic Boubez ...
tboubez
 
PDF
Anomaly Detection at Scale
Jeff Henrikson
 
PDF
Operational Insight: Concepts and Examples (w/o Presenter Notes)
royrapoport
 
The Dark of Building an Production Incident Syste
Alois Reitbauer
 
Traffic anomaly detection and attack
Qrator Labs
 
Anomaly Detection for Real-World Systems
Manojit Nandi
 
Where is Data Going? - RMDC Keynote
Ted Dunning
 
Parallel Programming in Python: Speeding up your analysis
Manojit Nandi
 
Can a monitoring tool pass the turing test
Alois Reitbauer
 
Monitoring without alerts
Alois Reitbauer
 
Monitoring large scale Docker production environments
Alois Reitbauer
 
The Dark Art of Production Alerting
Alois Reitbauer
 
PyGotham 2016
Manojit Nandi
 
The definition of normal - An introduction and guide to anomaly detection.
Alois Reitbauer
 
SSL Certificate Expiration and Howler Monkey's Inception
royrapoport
 
Cloud Tech III: Actionable Metrics
royrapoport
 
Python Through the Back Door: Netflix Presentation at CodeMash 2014
royrapoport
 
Monitoring Docker Application in Production
Alois Reitbauer
 
Ruxit - How we launched a global monitoring platform on AWS in 80 days.
Alois Reitbauer
 
Anomaly Detection for Global Scale at Netflix
Extract Data Conference
 
Five Things I Learned While Building Anomaly Detection Tools - Toufic Boubez ...
tboubez
 
Anomaly Detection at Scale
Jeff Henrikson
 
Operational Insight: Concepts and Examples (w/o Presenter Notes)
royrapoport
 
Ad

Similar to Anomaly Detection for Security (20)

PPTX
Anomaly Detection - Real World Scenarios, Approaches and Live Implementation
Impetus Technologies
 
PDF
Strata 2014 Anomaly Detection
Ted Dunning
 
PPTX
A review of machine learning based anomaly detection
Mohamed Elfadly
 
PDF
Strata 2014-tdunning-anomaly-detection-140211162923-phpapp01
MapR Technologies
 
PPTX
Splunk live! Customer Presentation – Prelert
Splunk
 
PDF
Whitepaper- User Behavior-Based Anomaly Detection for Cyber Network Security
Happiest Minds Technologies
 
PDF
AI in anomaly detection.pdf
StephenAmell4
 
PPTX
Anomaly Detection and Spark Implementation - Meetup Presentation.pptx
Impetus Technologies
 
PDF
AI in anomaly detection - An Overview.pdf
StephenAmell4
 
PDF
Anomaly detection (Unsupervised Learning) in Machine Learning
Kuppusamy P
 
PDF
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...
Alex Pinto
 
PDF
A review of anomaly based intrusions detection in multi tier web applications
iaemedu
 
PDF
A review of anomaly based intrusions detection in multi tier web applications
IAEME Publication
 
PDF
A review of anomaly based intrusions detection in
IAEME Publication
 
DOC
Enhancing SIEM Correlation Rules Through Baselining
Ertugrul Akbas
 
DOC
Log management siem 5651 sayılı yasa
Ertugrul Akbas
 
PDF
A Comprehensive Introduction to Anomaly Detection in Machine Learning | USAII®
United States Artificial Intelligence Institute
 
DOCX
Meet anomaly detection: a powerful cybersecurity defense mechanism when its w...
ITrust - Cybersecurity as a Service
 
PDF
Review of Intrusion and Anomaly Detection Techniques
IJMER
 
PPTX
Anomaly Detection - New York Machine Learning
Ted Dunning
 
Anomaly Detection - Real World Scenarios, Approaches and Live Implementation
Impetus Technologies
 
Strata 2014 Anomaly Detection
Ted Dunning
 
A review of machine learning based anomaly detection
Mohamed Elfadly
 
Strata 2014-tdunning-anomaly-detection-140211162923-phpapp01
MapR Technologies
 
Splunk live! Customer Presentation – Prelert
Splunk
 
Whitepaper- User Behavior-Based Anomaly Detection for Cyber Network Security
Happiest Minds Technologies
 
AI in anomaly detection.pdf
StephenAmell4
 
Anomaly Detection and Spark Implementation - Meetup Presentation.pptx
Impetus Technologies
 
AI in anomaly detection - An Overview.pdf
StephenAmell4
 
Anomaly detection (Unsupervised Learning) in Machine Learning
Kuppusamy P
 
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...
Alex Pinto
 
A review of anomaly based intrusions detection in multi tier web applications
iaemedu
 
A review of anomaly based intrusions detection in multi tier web applications
IAEME Publication
 
A review of anomaly based intrusions detection in
IAEME Publication
 
Enhancing SIEM Correlation Rules Through Baselining
Ertugrul Akbas
 
Log management siem 5651 sayılı yasa
Ertugrul Akbas
 
A Comprehensive Introduction to Anomaly Detection in Machine Learning | USAII®
United States Artificial Intelligence Institute
 
Meet anomaly detection: a powerful cybersecurity defense mechanism when its w...
ITrust - Cybersecurity as a Service
 
Review of Intrusion and Anomaly Detection Techniques
IJMER
 
Anomaly Detection - New York Machine Learning
Ted Dunning
 

Recently uploaded (20)

PPTX
STUDY DESIGN details- Lt Col Maksud (21).pptx
AyeshaAsha11
 
PPTX
Introduction to Firewall Analytics - Interfirewall and Transfirewall.pptx
kuthubussaman1
 
PDF
“Getting Started with Data Analytics Using R – Concepts, Tools & Case Studies”
Nusrat Gulbarga
 
PPTX
climate analysis of Dhaka ,Banglades.pptx
rrawjatun
 
PDF
Mega Projects Data Mega Projects Data
saidsalah8181
 
PDF
TRAFFIC-MANAGEMENT-AND-ACCIDENT-INVESTIGATION-WITH-DRIVING-PDF-FILE.pdf
chouziyu14
 
PPTX
01_intro xxxxxxxxxxfffffffffffaaaaaaaaaaafg
Vittaya Boon Suwansiri
 
PPTX
IB Computer Science - Internal Assessment.pptx
agarwal18harsh08
 
PPTX
Acceptance and paychological effects of mandatory extra coach I classes.pptx
ZaheerAhmad228692
 
PDF
Clinical guidelines as a resource for EBP(1).pdf
MashalKhan626345
 
PPTX
Introduction to Knowledge Engineering Part 1
busyprogrammersguide
 
PDF
BF and FI - Blockchain, fintech and Financial Innovation Lesson 2.pdf
JamesWilliams752225
 
PPTX
Computer network topology notes for revision
BatoolRawat
 
PDF
Foundation of Data Science unit number two notes
sanguleumeshit
 
PPT
Miokarditis (Inflamasi pada Otot Jantung)
NandaAndini1
 
PPTX
IBA_Chapter_11_Slides_Final_Accessible.pptx
SrikantKapoor1
 
PDF
annual-report-2024-2025 original latest.
nityanema19
 
PPTX
Business Ppt On Nestle.pptx huunnnhhgfvu
ashaurya327
 
PDF
Lecture1 pattern recognition............
ZafriFarid
 
PPTX
advance b rammar.pptxfdgdfgdfsgdfgsdgfdfgdfgsdfgdfgdfg
rohullahansari5
 
STUDY DESIGN details- Lt Col Maksud (21).pptx
AyeshaAsha11
 
Introduction to Firewall Analytics - Interfirewall and Transfirewall.pptx
kuthubussaman1
 
“Getting Started with Data Analytics Using R – Concepts, Tools & Case Studies”
Nusrat Gulbarga
 
climate analysis of Dhaka ,Banglades.pptx
rrawjatun
 
Mega Projects Data Mega Projects Data
saidsalah8181
 
TRAFFIC-MANAGEMENT-AND-ACCIDENT-INVESTIGATION-WITH-DRIVING-PDF-FILE.pdf
chouziyu14
 
01_intro xxxxxxxxxxfffffffffffaaaaaaaaaaafg
Vittaya Boon Suwansiri
 
IB Computer Science - Internal Assessment.pptx
agarwal18harsh08
 
Acceptance and paychological effects of mandatory extra coach I classes.pptx
ZaheerAhmad228692
 
Clinical guidelines as a resource for EBP(1).pdf
MashalKhan626345
 
Introduction to Knowledge Engineering Part 1
busyprogrammersguide
 
BF and FI - Blockchain, fintech and Financial Innovation Lesson 2.pdf
JamesWilliams752225
 
Computer network topology notes for revision
BatoolRawat
 
Foundation of Data Science unit number two notes
sanguleumeshit
 
Miokarditis (Inflamasi pada Otot Jantung)
NandaAndini1
 
IBA_Chapter_11_Slides_Final_Accessible.pptx
SrikantKapoor1
 
annual-report-2024-2025 original latest.
nityanema19
 
Business Ppt On Nestle.pptx huunnnhhgfvu
ashaurya327
 
Lecture1 pattern recognition............
ZafriFarid
 
advance b rammar.pptxfdgdfgdfsgdfgsdgfdfgdfgsdfgdfgdfg
rohullahansari5
 

Anomaly Detection for Security

  • 1. Anomaly Detection for Security Cody Rioux - @codyrioux Real-Time Analytics - Insight Engineering
  • 2. Overview. ● Real-Time Analytics ● Anomaly: Fast Incident Detection ○ Techniques ○ Case Study: Detecting Phishing ○ Challenges: Base Rate Fallacy ● Outlier: Identifying Rogue Agents ○ Clustering ○ Case Study: Cleaning Up Rogue Agents ● Recap
  • 3. We are drowning in information but starved for knowledge. - John Naisbitt Real-Time Analytics
  • 4. Real-Time Analytics ● Part of Insight Engineering. ● Build systems that make intelligent decisions about our operational environment. ○ Make decisions in near real-time. ○ Automate actions in the production environment. ● Support operational availability and reliability.
  • 6. Case Study: Phishing ● Just hired as the only security staff at a startup. ● Fell victim to a phishing attack last week. ○ They did not know it happened when it was happening. ○ They did not know what to do about it ● You’re tasked with solving this problem.
  • 7. Incident Detection for Stats Geeks Anomaly Detection
  • 12. Techniques Basic ● Static thresholds ● Exponential Smoothing ● Three-sigma rule Advanced ● Robust Anomaly Detection (RAD) - Netflix ● Kolmogorov-Smirnov ● Highest density interval (HDI) ● t-digest ● Linear models
  • 18. Techniques Basic ● Static thresholds - Doesn’t play well with nonstationary signals. ● Exponential Smoothing - Black Swan days like Christmas, Superbowl cause issues. ● Three-sigma rule - Works (very) well only for signals drawn from a Gaussian.
  • 19. Show me the Money! ● No threshold configuration ● We require examples of normal, not examples of anomaly ● Automatically adapt to moving signals ● Higher accuracy enables automatic reaction ● Ensemble (combination) of techniques eliminates some downsides
  • 20. Base Rate Fallacy Intrusion is comparatively rare which affords you many opportunities to generate a false positive.
  • 21. Base Rate Fallacy ● 10,000 log entries ● 99% Accuracy ● 0.01% Intrusions 1 Real incident 100 false + and 10% chance of false -
  • 22. Case Study So far we can automatically alert interested parties to the possibility of an intrusion.
  • 23. Identifying Rogue Agents in a Production Environment Outlier Detection
  • 25. Rogue Agents? ● Identify brute force attempts on login systems ● Flag cheaters in online video games ● Identify participating ip addresses in a phishing scam
  • 27. Case Study Revisited You’ve devised an automated technique for identifying attacks, now we require an autonomous system for remediation of attacks.
  • 28. Goal: identify accounts and IP Addresses that are not behaving like their peers.
  • 29. Clustering ● DBSCAN ● K-Means ● Gaussian Mixture Models Conceptually ● If a point belongs to a group it should be near lots of other points as measured by some distance function.
  • 31. Case Study Revisited Lets cluster accounts based on their login habits and initiate an automatic password reset and notification.
  • 32. Case Study Revisited Lets cluster IP addresses based on their login habits and automatically ban them.
  • 33. Full stack autonomous incident detection and remediation. Recap
  • 34. Case Study Recap ● Anomaly Detection enables us to... ○ Automatically identify potential attacks in real-time. ○ Notify interested parties of the attack. ○ React to those attacks without user intervention. ● Outlier Detection with Clustering enables us to… ○ Identify rogue agents within the environment. ○ Reset customer passwords for potentially compromised accounts. ○ Ban IP Addresses identified to be participating in the phishing scheme.
  • 35. Literature Machine Learning: The High Interest Credit Card of Technical Debt (Sculley et al., 2014)
  • 36. Literature ● The Base-Rate Fallacy and its Implications for the Difficulty of Intrusion Detection (Alexsson, 1999) ● Practical Machine Learning: A New Look at Anomaly Detection (Dunning, 2014) ● ALADIN: Active Learning of Anomalies to Detect Intrusion (Stokes and Platt, 2008) ● Distinguishing cause from effect using observational data: methods and benchmarks (Mooij et al., 2014) ● Enhancing Performance Prediction Robustness by Combining Analytical Modeling and Machine Learning (Didona et al., 2015)
  • 37. Implementations ● Robust Anomaly Detection (RAD) - Netflix ● Seasonal Hybrid ESD - Twitter ● Extendible Generic Anomaly Detection System (EGADS) - Yahoo ● Kale - Etsy