<html><head></head><body><div style="color:#000; background-color:#fff; font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:13px"><div id="yui_3_16_0_ym19_1_1498257542432_6988"><span>There are two kinds of AI/ML:</span></div><div dir="ltr" id="yui_3_16_0_ym19_1_1498257542432_6989"><span id="yui_3_16_0_ym19_1_1498257542432_7423">1. the kind that recognizes what humans recognize (faces, cars, etc.)</span></div><div dir="ltr" id="yui_3_16_0_ym19_1_1498257542432_6990"><span id="yui_3_16_0_ym19_1_1498257542432_7422">2. the kind that recognizes things humans can't see (stock market trends, etc.)</span></div><div dir="ltr" id="yui_3_16_0_ym19_1_1498257542432_6991"><span><br></span></div><div dir="ltr" id="yui_3_16_0_ym19_1_1498257542432_6986"><span id="yui_3_16_0_ym19_1_1498257542432_6985">The first item is real, and is slowly changing the world. The second is bogus, snake oil, emperors without clothes.</span></div><div dir="ltr" id="yui_3_16_0_ym19_1_1498257542432_6986"><span><br></span></div><div dir="ltr" id="yui_3_16_0_ym19_1_1498257542432_6986">As long as I've been in the field of network intrusion detection (more than 2 decades), there have been a stream of papers every year promising machines can see evil on the network that humans couldn't see. They've never worked in practice.</div><div dir="ltr" id="yui_3_16_0_ym19_1_1498257542432_6986"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1498257542432_6986">That's not to say good things don't exist. Arbor Networks, for example, does fine job at pointing out anomalies. But it's based on human ingenuity, not machine learning, and it requires human effort to use.</div><div dir="ltr" id="yui_3_16_0_ym19_1_1498257542432_6986"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1498257542432_6986"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1498257542432_6984"><span><br></span></div><div dir="ltr" id="yui_3_16_0_ym19_1_1498257542432_6983"><span><br></span></div><div dir="ltr" id="yui_3_16_0_ym19_1_1498257542432_6982"><span><br></span></div> <div class="qtdSeparateBR"><br><br></div><div class="yahoo_quoted" style="display: block;"> <div style="font-family: Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 13px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div dir="ltr"><font size="2" face="Arial"> On Wednesday, June 21, 2017 10:40 AM, dave aitel <dave@immunityinc.com> wrote:<br></font></div> <br><br> <div class="y_msg_container"><div id="yiv4371636153">
<div>
<div>Let's talk about the <a rel="nofollow" target="_blank" href="http://www.cnbc.com/2017/06/20/cisco-introduces-encrypted-traffic-analytics-to-detect-malwre.html">giant
pile of wrong that is this reporting on Cisco's new marketing
campaign</a> around detecting encrypted malware traffic. "This
is a seminal moment in networking" is the quote from their CEO
that CNBC decided to run. Let's revisit the basics of this "new"
technology: do statistical analysis on encrypted data to find
malware traffic. <br>
</div>
<div>People have <a rel="nofollow" target="_blank" href="https://www.schneier.com/blog/archives/2008/06/eavesdropping_o_2.html">literally
decoded conversations</a> from encrypted data using that same
basic technique. Not even recently - that work is from 2008 and
was not surprising even then.<br>
</div>
<div>"<span style="color:rgb(66, 72, 88);font-size:16px;font-style:normal;font-weight:normal;letter-spacing:normal;orphans:2;text-indent:0px;text-transform:none;white-space:normal;widows:2;word-spacing:0px;background-color:rgb(255, 255, 255);text-decoration-color:initial;display:inline;float:none;">The software,
which will be offered as a subscription service, is currently in
field trials with 75 customers, and according to Robbins, is 99
percent effective."</span></div>
<div><span style="color:rgb(66, 72, 88);font-size:16px;font-style:normal;font-weight:normal;letter-spacing:normal;orphans:2;text-indent:0px;text-transform:none;white-space:normal;widows:2;word-spacing:0px;background-color:rgb(255, 255, 255);text-decoration-color:initial;display:inline;float:none;">99% effective
with the kind of traffic a normal network sees means you are
FLOODED AND OVERWHELMED WITH FALSE POSITIVES. Although they
don't specify what that number even means. Is it false
positives? False negatives? Both? Let's just say this: 99.99% is
useless when doing a network-based IDS. All that might get you
is an indicator you can use to remotely load a more
sophisticated remote tool onto an endpoint for further detailed
analysis. You essentially, need BOTH if you have this level of
network-based IDS, and the endpoint people will probably say you
don't need the network sniffer anymore, because scaling good
analysis at that level at anything near realtime is nearly
impossible (c.f. <a rel="nofollow" target="_blank" href="https://www.youtube.com/watch?v=2OTRU--HtLM">Alex
Stamos's talk</a>) to the point where they still try to sell
you stuff that has 1% false positive rates. :)</span></div>
<div><span style="color:rgb(66, 72, 88);font-size:16px;font-style:normal;font-weight:normal;letter-spacing:normal;orphans:2;text-indent:0px;text-transform:none;white-space:normal;widows:2;word-spacing:0px;background-color:rgb(255, 255, 255);text-decoration-color:initial;display:inline;float:none;">I'm going to
bug our big customers to see if any of them are in this 75 field
trial and what they think in real life. And I'm going to be
honest and say that if you are thinking of investing in this
sort of thing, but you haven't tested it against <a rel="nofollow" target="_blank" href="https://www.cobaltstrike.com/">Cobalt Strike</a> and <a rel="nofollow" target="_blank" href="https://www.immunityinc.com/products/innuendo/">INNUENDO</a>,
then you are knowingly buying snake oil. A good percentage of
our consulting business right now is literally just that because
these anomaly detection products are so expensive and so hard to
test.</span></div>
<div><span style="color:rgb(66, 72, 88);font-size:16px;font-style:normal;font-weight:normal;letter-spacing:normal;orphans:2;text-indent:0px;text-transform:none;white-space:normal;widows:2;word-spacing:0px;background-color:rgb(255, 255, 255);text-decoration-color:initial;display:inline;float:none;">Anyways,
maybe I am wrong! If you are one of the privileged 75 and you
love this and it is amazing, let me/us know!<br>
</span></div>
<div><span style="color:rgb(66, 72, 88);font-size:16px;font-style:normal;font-weight:normal;letter-spacing:normal;orphans:2;text-indent:0px;text-transform:none;white-space:normal;widows:2;word-spacing:0px;background-color:rgb(255, 255, 255);text-decoration-color:initial;display:inline;float:none;">-dave</span></div>
<div><span style="color:rgb(66, 72, 88);font-size:16px;font-style:normal;font-weight:normal;letter-spacing:normal;orphans:2;text-indent:0px;text-transform:none;white-space:normal;widows:2;word-spacing:0px;background-color:rgb(255, 255, 255);text-decoration-color:initial;display:inline;float:none;"><br>
</span></div>
<div><span style="color:rgb(66, 72, 88);font-size:16px;font-style:normal;font-weight:normal;letter-spacing:normal;orphans:2;text-indent:0px;text-transform:none;white-space:normal;widows:2;word-spacing:0px;background-color:rgb(255, 255, 255);text-decoration-color:initial;display:inline;float:none;"><br>
</span></div>
</div>
</div>_______________________________________________<br>Dailydave mailing list<br><a ymailto="mailto:Dailydave@lists.immunityinc.com" href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br><a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br><br><br></div> </div> </div> </div></div></body></html>