Anomaly Detection for Security
Cody Rioux - @codyrioux
Real-Time Analytics - Insight Engineering
Overview.
● Real-Time Analytics
● Anomaly: Fast Incident Detection
○ Techniques
○ Case Study: Detecting Phishing
○ Challenges: Base Rate Fallacy
● Outlier: Identifying Rogue Agents
○ Clustering
○ Case Study: Cleaning Up Rogue Agents
● Recap
We are drowning in information but starved for knowledge.
- John Naisbitt
Real-Time Analytics
Real-Time Analytics
● Part of Insight Engineering.
● Build systems that make intelligent decisions about our operational environment.
○ Make decisions in near real-time.
○ Automate actions in the production environment.
● Support operational availability and reliability.
Terminology: Outlier vs. Anomaly
Case Study: Phishing
● Just hired as the only security staff at a startup.
● Fell victim to a phishing attack last week.
○ They did not know it happened when it was happening.
○ They did not know what to do about it
● You’re tasked with solving this problem.
Incident Detection for Stats Geeks
Anomaly Detection
Unexpected value for a given generating mechanism.
Techniques
Basic
● Static thresholds
● Exponential Smoothing
● Three-sigma rule
Advanced
● Robust Anomaly Detection (RAD) - Netflix
● Kolmogorov-Smirnov
● Highest density interval (HDI)
● t-digest
● Linear models
Techniques
Basic
● Static thresholds - Doesn’t play well with nonstationary signals.
● Exponential Smoothing - Black Swan days like Christmas or the Super Bowl cause issues.
● Three-sigma rule - Works (very) well only for signals drawn from a Gaussian.
Show me the Money!
● No threshold configuration
● We require examples of normal, not examples of anomaly
● Automatically adapt to moving signals
● Higher accuracy enables automatic reaction
● Ensemble (combination) of techniques eliminates some downsides
Base Rate Fallacy
Intrusion is comparatively rare, which affords you many opportunities to generate a false positive.
Base Rate Fallacy
● 10,000 log entries
● 99% Accuracy
● 0.01% Intrusions
1 real incident; 100 false positives, and a 10% chance of a false negative.
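The slide's arithmetic carried through as Bayes' rule, with the added step of asking how low the false-positive rate must go before an alert is worth acting on automatically (added example, not code from the talk; reading "99% accuracy" as a 1% false-positive rate and the "10% chance of false -" as a true-positive rate of 0.9 are assumptions):

```python
def expected_counts(n_entries, base_rate, fpr, tpr):
    """Expected outcome of running a detector with false-positive rate `fpr`
    and true-positive rate `tpr` over `n_entries` log entries, of which a
    fraction `base_rate` are intrusions."""
    intrusions = n_entries * base_rate
    benign = n_entries - intrusions
    return {
        "intrusions": intrusions,
        "true_positives": intrusions * tpr,
        "missed": intrusions * (1 - tpr),
        "false_positives": benign * fpr,
    }


def alert_precision(base_rate, fpr, tpr):
    """P(intrusion | alert) by Bayes' rule: the number that matters when an
    alert is allowed to trigger an automatic reaction."""
    alert_and_intrusion = tpr * base_rate
    alert_and_benign = fpr * (1 - base_rate)
    return alert_and_intrusion / (alert_and_intrusion + alert_and_benign)


def max_fpr_for_precision(target, base_rate, tpr):
    """Largest false-positive rate that still gives P(intrusion | alert) >=
    `target`; solved from the Bayes expression above."""
    return tpr * base_rate * (1 - target) / (target * (1 - base_rate))


if __name__ == "__main__":
    # Slide figures: 10,000 entries, 99% accuracy (taken as fpr = 0.01),
    # 0.01% intrusions, 10% chance of a miss (tpr = 0.9).
    counts = expected_counts(10_000, 0.0001, fpr=0.01, tpr=0.9)
    print(counts)  # ~1 intrusion, ~100 false positives, 0.1 expected misses
    print("P(intrusion | alert) =", alert_precision(0.0001, 0.01, 0.9))
    # For every other alert to be real, the detector needs a false-positive
    # rate near 0.009%, about one false alarm per 11,000 entries.
    print("max FPR for 50% precision =", max_fpr_for_precision(0.5, 0.0001, 0.9))
```

With the slide's numbers fewer than 1% of alerts are real intrusions, which is why the "higher accuracy enables automatic reaction" point is about the false-positive rate, not about headline accuracy.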
Case Study
So far we can automatically alert interested parties to the possibility of an intrusion.
Identifying Rogue Agents in a Production Environment
Outlier Detection
Rogue Agents?
● Identify brute force attempts on login systems
● Flag cheaters in online video games
● Identify participating IP addresses in a phishing scam
Case Study Revisited
You’ve devised an automated technique for identifying attacks; now we require an autonomous system for remediation of attacks.
Goal: identify accounts and IP addresses that are not behaving like their peers.
Clustering
● DBSCAN
● K-Means
● Gaussian Mixture Models
Conceptually
● If a point belongs to a group it should be near lots of other points, as measured by some distance function.
Case Study Revisited
Let’s cluster accounts based on their login habits and initiate an automatic password reset and notification.
Case Study Revisited
Let’s cluster IP addresses based on their login habits and automatically ban them.
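The clustering step from the slides above (DBSCAN, chosen from the three listed because it labels points that are not near lots of others as noise) applied to both case studies, accounts and IP addresses, over constructed login-habit features (added example, not code from the talk; the features, eps and min_pts are assumptions):

```python
from math import dist

# Constructed per-account login-habit features (not data from the talk), one
# row per account: (logins per day, distinct source IPs per day, failed
# logins per day).  Values are illustrative and on comparable scales.
ACCOUNTS = {
    "alice": (2.0, 1.0, 0.1),
    "bob":   (2.5, 1.0, 0.0),
    "carol": (1.8, 1.2, 0.1),
    "dave":  (3.0, 1.1, 0.2),
    "erin":  (2.2, 0.9, 0.0),
    "frank": (9.5, 6.0, 4.0),  # many logins, many source IPs, many failures
    "grace": (2.4, 1.0, 0.1),
    "heidi": (0.5, 7.5, 0.0),  # few logins, but from many different IPs
}


def neighbours(points, idx, eps):
    """Indices of all points within `eps` of points[idx] (itself included)."""
    return [j for j, q in enumerate(points) if dist(points[idx], q) <= eps]


def dbscan(points, eps, min_pts):
    """Plain DBSCAN.  Returns one label per point: a cluster id >= 0, or -1
    for noise, i.e. a point that is not near lots of other points."""
    labels = [None] * len(points)
    cluster = 0
    for i in range(len(points)):
        if labels[i] is not None:
            continue
        nbrs = neighbours(points, i, eps)
        if len(nbrs) < min_pts:
            labels[i] = -1  # provisional noise; may be claimed as a border point
            continue
        labels[i] = cluster
        seeds = [j for j in nbrs if j != i]
        while seeds:
            j = seeds.pop()
            if labels[j] == -1:
                labels[j] = cluster  # border point: joins, does not expand
            if labels[j] is not None:
                continue
            labels[j] = cluster
            more = neighbours(points, j, eps)
            if len(more) >= min_pts:  # core point: keep expanding
                seeds.extend(k for k in more if labels[k] is None)
        cluster += 1
    return labels


def rogue_accounts(accounts, eps=1.0, min_pts=3):
    """Accounts whose login habits put them in no cluster of peers; in the
    case study these are the candidates for a password reset and notice.
    The same call over per-IP feature rows yields the IP-ban candidates."""
    names = list(accounts)
    labels = dbscan([accounts[n] for n in names], eps, min_pts)
    return sorted(n for n, label in zip(names, labels) if label == -1)


if __name__ == "__main__":
    print(rogue_accounts(ACCOUNTS))  # ['frank', 'heidi']
```

Note that eps and min_pts decide what counts as "near lots of other points"; too small an eps makes every account noise, which is the clustering analogue of the base-rate problem on the anomaly side.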
Full stack autonomous incident detection and remediation.
Recap
Case Study Recap
● Anomaly Detection enables us to...
○ Automatically identify potential attacks in real-time.
○ Notify interested parties of the attack.
○ React to those attacks without user intervention.
● Outlier Detection with Clustering enables us to…
○ Identify rogue agents within the environment.
○ Reset customer passwords for potentially compromised accounts.
○ Ban IP Addresses identified to be participating in the phishing scheme.
Literature
Machine Learning: The High Interest Credit Card of Technical Debt (Sculley et al., 2014)
Literature
● The Base-Rate Fallacy and its Implications for the Difficulty of Intrusion Detection (Axelsson, 1999)
● Practical Machine Learning: A New Look at Anomaly Detection (Dunning, 2014)
● ALADIN: Active Learning of Anomalies to Detect Intrusion (Stokes and Platt, 2008)
● Distinguishing cause from effect using observational data: methods and benchmarks (Mooij et al., 2014)
● Enhancing Performance Prediction Robustness by Combining Analytical Modeling and Machine Learning (Didona et al., 2015)
Implementations
● Robust Anomaly Detection (RAD) - Netflix
● Seasonal Hybrid ESD - Twitter
● Extendible Generic Anomaly Detection System (EGADS) - Yahoo
● Kale - Etsy
Questions?
crioux@netflix.com
@codyrioux
linkedin.com/in/codyrioux
