CanSecWest 2014 presentation: "Intelligent Use of Intelligence: Design to Discover"

Posted on 18-Dec-2014


TRANSCRIPT

INTELLIGENT USE OF INTELLIGENCE

DESIGN TO DISCOVER

CanSecWest 2014

Ping Yan : @pingpingya

Thibault Reuille : @ThibaultReuille

Monday, March 17, 14

PING

@pingpingya

Data Mining, Machine Learning

InfoSec


THIBAULT

Parisian, moved to Cali in 2010

Security and Visualization?

Demoscene rocks!


AGENDA

01100100011000010111010001100001

Big Data

Intelligence

Use cases - Cryptolocker

Conclusion


THE HAYSTACK PROBLEM

Continuous monitoring of everything? Yeah, sure …

data != intelligence



EXPLORATION PROCESS

seed -> Raw -> Refined -> Intelligence

4-D APPROACH TO DATA

TIME: spiked in the past hour?

SPACE: clustered by geo?

TRANSACTIONS/NETWORK: Alice talked to Bob?

Hunches


OPENDNS'S HAYSTACK

22+


3D view!


Security Graph 3D

FRAMEWORK

Data Extraction

Visualization Engine

PARTICLE PHYSICS

Force Directed Layout

PARTICLES

WHY?

Shape: Algorithms populate our knowledge graph. Creation is understood, output is complex. Layout is defined by the model structure, so it is closer to the "natural shape" of the data. Take advantage of the GPU to untangle information.

Evolution: The Security Graph is dynamic, constantly changing. Monitor its evolution over time.

Investigation: Humans are better at processing shapes than numbers. A solid tool to build hypotheses / heuristics.


NATURAL CLUSTERING

Graph of malicious domains hosting Nuclear exploit kits (pink) to their hosting IPs (yellow)
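As an added illustration of the force-directed layout and the "natural clustering" the slides describe (this is example code, not the OpenDNS Security Graph implementation), a minimal Fruchterman-Reingold layout is run over a constructed domain-to-hosting-IP edge list: each edge pulls a domain toward the IPs that host it, every node repels every other, and domains sharing hosting infrastructure settle into one cluster while unrelated infrastructure drifts away. The edge list, node names and the mean_distance check are constructed for the example.

```python
import math
import random

# Constructed sample edges (not from the talk): domain -> hosting IP.
# Two groups of domains share hosting infrastructure; nothing links the groups.
EDGES = [
    ("kit-a.example", "192.0.2.10"), ("kit-b.example", "192.0.2.10"),
    ("kit-c.example", "192.0.2.10"), ("kit-c.example", "192.0.2.11"),
    ("kit-d.example", "192.0.2.11"),
    ("shop.example", "198.51.100.5"), ("news.example", "198.51.100.5"),
    ("news.example", "198.51.100.6"), ("mail.example", "198.51.100.6"),
]

def force_directed_layout(edges, iterations=300, seed=1):
    """Fruchterman-Reingold style 2-D layout: all nodes repel (k^2/d),
    edges attract (d^2/k), moves are capped by a cooling temperature."""
    rng = random.Random(seed)
    nodes = sorted({n for edge in edges for n in edge})
    pos = {n: [rng.uniform(-1, 1), rng.uniform(-1, 1)] for n in nodes}
    k = 1.0 / math.sqrt(len(nodes))  # ideal edge length
    temp = 0.5
    for _ in range(iterations):
        disp = {n: [0.0, 0.0] for n in nodes}
        for i, a in enumerate(nodes):
            for b in nodes[i + 1:]:  # repulsion between every pair
                dx, dy = pos[a][0] - pos[b][0], pos[a][1] - pos[b][1]
                d = math.hypot(dx, dy) or 1e-9
                f = k * k / d
                disp[a][0] += dx / d * f; disp[a][1] += dy / d * f
                disp[b][0] -= dx / d * f; disp[b][1] -= dy / d * f
        for a, b in edges:  # attraction along each edge
            dx, dy = pos[a][0] - pos[b][0], pos[a][1] - pos[b][1]
            d = math.hypot(dx, dy) or 1e-9
            f = d * d / k
            disp[a][0] -= dx / d * f; disp[a][1] -= dy / d * f
            disp[b][0] += dx / d * f; disp[b][1] += dy / d * f
        for n in nodes:  # move each node, at most `temp` per iteration
            dx, dy = disp[n]
            d = math.hypot(dx, dy) or 1e-9
            step = min(d, temp)
            pos[n][0] += dx / d * step
            pos[n][1] += dy / d * step
        temp *= 0.98
    return pos

def mean_distance(pos, group_a, group_b):
    """Average distance between two node sets (used to check clustering)."""
    pairs = [(a, b) for a in group_a for b in group_b if a != b]
    return sum(math.dist(pos[a], pos[b]) for a, b in pairs) / len(pairs)
```

Plotting the returned coordinates (domains in one colour, IPs in another) reproduces the kind of picture on the slide: the shared-hosting group forms a tight knot, separated from the rest.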


USE CASE #2 : CRYPTOLOCKER

1. Infection
2. Retrieve encryption key from CnC
3. Encrypt data files
4. Collect money

IP CnC fails quickly

DGA!

CO-OCCURRENCES

ALGORITHM

Ripple Effect on Co-occurrences

USE CASE #3

Random Walk Live Demo

FUTURE WORK

Over-Time: Visualizing data evolution over time (currently in development)

Scaling: Port Force-Directed algorithm to OpenCL

Detection: Threat pattern detection (find sub-graph inside Security Graph). Example: DGA “nests”

Modern Human-Computer interaction: Leap Motion, Oculus, 3D glasses ...

Ping: ping@opendns.com, @pingpingya

Thibault: thibault@opendns.com, @ThibaultReuille, thibaultreuille.tumblr.com

Blog: http://labs.umbrella.com