Early Detection of Malicious Patterns in Event-Streaming Data

Explore advanced techniques for detecting malicious patterns in event-streaming data in this 50-minute conference talk from nullcon Goa 2019. Delve into the challenges of identifying adversarial activity using behavioral indicators rather than static indicators of compromise. Learn about tools for hunting known complex behavioral patterns and discover a deep learning approach for automatically uncovering behavioral patterns from event logs. Gain insights from Hyrum Anderson, Chief Scientist at Endgame, as he discusses the importance of early detection, the use of machine learning on sequence data, and model design considerations including features, embedding, recurrent networks, and conviction patterns. Examine the effectiveness of these methods through analysis of false positives and negatives, and understand the broader implications for information security and situational awareness.

Intro
CONTEXT
EQL BY EXAMPLE
SEQUENCES: ORDER MATTERS
THE DREAM: SEMI-AUTOMATIC
MACHINE LEARNING ON SEQUENCE DATA
MODEL DESIGN: FEATURES
MODEL DESIGN: EMBEDDING
MODEL DESIGN: RECURRENT
MODEL DESIGN: CONVICTION
PATTERN EARLINESS?
UPDATED MODEL SUMMARY
LEARNED PATTERNS?
FALSE NEGATIVE
FALSE POSITIVE
STEP BACK: WHAT HAVE WE DONE?