<p dir="ltr">Yes. Sorry. I'll try to elaborate with an example. Not really supervised or unsupervised learning but I think that it gets to the point..... Say for example that one of my indicators is low probability parent child process relationships that lead to potential high risk applications such as powershell or reg. I haven't tried this one, but I am willing bet that the intersection of these conditions is a fairly high signal to noise ratio.</p>
<p dir="ltr">If I understood Halvar's comment, as this becomes well known, the adversary will take measures to avoid "tripping" this analytic. Thinking about the ways that they might approach this, they might inject code into common processes in order to avoid the odd parent child relationship, or they might bring their own tools to avoid using powershell or reg. </p>
<p dir="ltr">My response is two fold: Either of these scenarios is also detectable and it becomes an arms race of sensors and analytics versus techniques. Event Tracing for Windows and various COTS tools already give you some of the capabilities to detect. The point that I poorly explained earlier is that making the adversary work harder to stay on our systems is game changing. I'd argue that we don't do a lot in this area and that the old techniques for credential access, exfiltration, and command and control keep working. When we can begin to challenge the adversary and make our systems contested space, we raise their cost of information. Finally. </p>
<p dir="ltr">Hope this makes more sense,<br>
--Willie</p>
<div class="gmail_quote">On Nov 22, 2014 4:30 AM, "shadown [at] gmail" <<a href="mailto:shadown@gmail.com">shadown@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div>Willie, could you elaborate?</div><div>I'm interested in details, from vague statements we don't learn anything new. Please remember this is not the physical world, and very different rules apply.<br><br>Cheers,<br> Sergio</div><div><br>On 21.11.2014, at 22:19, William Kupersanin <<a href="mailto:wkupersa@gmail.com" target="_blank">wkupersa@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr"><br><div>The implications are though, that even if the adversary adapts, that the ML analytic is forcing the adversary to operate in a smaller space to avoid appearing anomalous. I consider anything that can shift the balance of cost from the defender to the adversary to be wildly successful. </div><div><br></div><div>--Willie</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Nov 20, 2014 at 5:25 PM, Halvar Flake <span dir="ltr"><<a href="mailto:HalVar@gmx.de" target="_blank">HalVar@gmx.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div style="font-family:Verdana;font-size:12.0px"><div>Hey all,</div>
<div> </div>
<div>thanks for the link, and it is indeed a fun talk :-)</div>
<div> </div>
<div>An important detail that many people in "machine learning for security" <span style="line-height:1.6em">neglect is that the vast </span><span style="line-height:1.6em">majority </span></div>
<div><span style="line-height:1.6em">of ML algorithms were not designed for (and will not </span><span style="line-height:1.6em">function well) in an adversarial model. Normally,</span></div>
<div><span style="line-height:1.6em">one is trying to model an unknown statistical process based on past observables; the concept that the </span></div>
<div><span style="line-height:1.6em">statistical process may adapt itself with the intent of fooling you isn't really of interest when you try to</span></div>
<div><span style="line-height:1.6em">recognize faces / letters / cats / copyrighted content programmatically.</span></div>
<div> </div>
<div><span style="line-height:1.6em">For entertainment, I think everyone that plays with statistics / curve fitting / machine learning in our field</span></div>
<div><span style="line-height:1.6em">should have a look at two things:</span></div>
<div> </div>
<div> <a href="http://cvdazzle.com/" target="_blank">http://cvdazzle.com/</a> - people trying crazy makeup / hair styles to screw with face detection.</div>
<div><span style="font-family:Verdana;font-size:12px;line-height:19.2000007629395px"> <a href="http://blaine-nelson.com/research/pubs/Huang-Joseph-AISec-2011" target="_blank">http://blaine-nelson.com/research/pubs/Huang-Joseph-AISec-2011</a> - a riot of a paper that introduces "Adversarial Machine Learning"</span></div>
<div> </div>
<div>This doesn't mean that you can't have huge successes temporarily using ML / curve fitting / statistics;</div>
<div>attackers <span style="line-height:1.6em">haven't felt the need to adapt to anything but AV signatures and DNS blacklisting yet, so </span><span style="line-height:1.6em">relatively simple </span></div>
<div><span style="line-height:1.6em">ML will have big gains initially. I suspect, though, that a really important part of using ML for defense in any form</span></div>
<div><span style="line-height:1.6em">is "not becoming an oracle" - which is often counter to commercial success. It may be that the only good, long-term</span></div>
<div><span style="line-height:1.6em">ML-based defense is one that can't be bought.</span></div>
<div> </div>
<div><span style="line-height:1.6em">Cheers,</span></div>
<div><span style="line-height:1.6em">Halvar</span></div>
<div> </div>
<div> </div>
<div> </div>
<div>
<div name="quote" style="margin:10px 5px 5px 10px;padding:10px 0 10px 10px;border-left:2px solid #c3d9e5;word-wrap:break-word">
<div style="margin:0 0 10px 0"><b>Gesendet:</b> Donnerstag, 20. November 2014 um 19:16 Uhr<br>
<b>Von:</b> "Dave Aitel" <<a href="mailto:dave@immunityinc.com" target="_blank">dave@immunityinc.com</a>><br>
<b>An:</b> <a href="mailto:dailydave@lists.immunityinc.com" target="_blank">dailydave@lists.immunityinc.com</a><br>
<b>Betreff:</b> [Dailydave] Machine Learning and Dimensions and stuff</div>
<div name="quoted-content"><div><div><a href="https://vimeo.com/112322888" target="_blank">https://vimeo.com/112322888</a><br>
<br>
Dmitri pointed me at the above talk which is essentially a good<br>
specialized 101-level lecture on how machine learning works in the<br>
security space.<br>
<br>
There's not much to criticize in the talk! (It has a lot of the features<br>
of El Jefe!) They use a real graph database to run their algorithms<br>
against process trees - but if you wanted to heckle you'd ask "Doesn't<br>
the CreateProcess() system call also take "parent process" as an<br>
argument? What IS the rate of false positives? Because if you can't get<br>
it down to basically 0 then you are essentially wasting your time? etc." :><br>
<br>
But again, nobody asked any hard questions - and while the talk nibbled<br>
around the edges of the tradeoffs with using machine learning techniques<br>
on this kind of data, it didn't go into any depth at all about which<br>
ones they've tried and failed at. It's a technical talk, but it's not a<br>
DETAILED talk in the sense of "Here's some outliers that show us where<br>
we fail and where we succeed and perhaps why".<br>
<br>
That said, if you don't have a plan to do this sort of thing, then<br>
you're probably failing at some level, so worth a watch. :><br>
<br>
-dave<br>
<br>
<br></div></div>
_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com" target="_blank">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a></div>
</div>
</div></div></div>
<br>_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com" target="_blank">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
<br></blockquote></div><br></div>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Dailydave mailing list</span><br><span><a href="mailto:Dailydave@lists.immunityinc.com" target="_blank">Dailydave@lists.immunityinc.com</a></span><br><span><a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a></span><br></div></blockquote></div></blockquote></div>