Self Learning Networks An Overview

Similar documents
Threat Detection and Mitigation for IoT Systems using Self Learning Networks (SLN)

Securing Your Network with Anomaly Detection using Distributed Learning Architecture (Learning Networks)

Internet Behavioral Analytics (IBA) using Self Learning Networks. JP Vasseur, PhD, Cisco Fellow BRKSEC-3056

Introduction. Learning Network License Introduction

Analytics Driven, Simple, Accurate and Actionable Cyber Security Solution CYBER ANALYTICS

Cisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer

Cisco Firepower NGFW. Anticipate, block, and respond to threats

Compare Security Analytics Solutions

Cisco Cloud Security. How to Protect Business to Support Digital Transformation

Cognitive Threat Analytics Tech update

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

Protect vital DNS assets and identify malware

Cisco Firepower NGFW. Anticipate, block, and respond to threats

Video-Aware Networking: Automating Networks and Applications to Simplify the Future of Video

Cisco Cyber Range. Paul Qiu Senior Solutions Architect

plixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels

The threat landscape is constantly

Battle between hackers and machine learning. Alexey Lukatsky Cybersecurity Business Consultant April 03, 2019

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

8 Must Have. Features for Risk-Based Vulnerability Management and More

The following describes an example Learning Network License deployment and example use cases.

FP7 NEMESYS Project: Advances on Mobile Network Security

How to Predict, Detect & Stop threats at the Edge and Behind the Perimeter even in encrypted traffic without decryption

HOLISTIC NETWORK PROTECTION: INNOVATIONS IN SOFTWARE DEFINED NETWORKS

CISCO NETWORKS BORDERLESS Cisco Systems, Inc. All rights reserved. 1

Monitoring and Threat Detection

Threat Containment and Operations. Yong Kwang Kek, Director of Presales SE, APJ

MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER

Software-Defined Secure Networks in Action

Orchestrating and Automating Trend Micro TippingPoint and IBM QRadar

The Oracle Trust Fabric Securing the Cloud Journey

Service Provider Security Architecture

Introduction Challenges with using ML Guidelines for using ML Conclusions

NETWORK FORENSIC ANALYSIS IN THE AGE OF CLOUD COMPUTING.

Use Cases. E-Commerce. Enterprise

NETWORK THREATS DEMAN

AKAMAI CLOUD SECURITY SOLUTIONS

MONITORING AND MANAGING NETWORK FLOWS IN VMWARE ENVIRONMENTS

Cisco Stealthwatch Improves Threat Defense with Network Visibility and Security Analytics

Basic Concepts in Intrusion Detection

RSA NetWitness Suite Respond in Minutes, Not Months

EFFECTIVE SERVICE PROVIDER DDOS PROTECTION THAT SAVES DOLLARS AND MAKES SENSE

How Vectra Cognito enables the implementation of an adaptive security architecture

A quick-reference guide to secure your organization s data and reduce cybersecurity attacks

SECURING THE NEXT GENERATION DATA CENTER. Leslie K. Lambert Juniper Networks VP & Chief Information Security Officer July 18, 2011

Integrated Web Application Firewall (WAF) & Distributed Denial Of Service (DDoS) Mitigation For Today s Enterprises

Advanced Malware Protection: A Buyer s Guide

Title DC Automation: It s a MARVEL!

The Telephony Denial of Service (TDoS) Threat

Artificial Intelligence Drives the next Generation of Internet Security

How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis

Stop Threats Before They Stop You

Design and Deployment of SourceFire NGIPS and NGFWL

The Invisible Threat of Modern Malware Lee Gitzes, CISSP Comm Solutions Company

Key Technologies for Security Operations. Copyright 2014 EMC Corporation. All rights reserved.

ForeScout Extended Module for Splunk

Evolution of Data Center Security Automated Security for Today s Dynamic Data Centers

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

Wireless and Network Security Integration Solution Overview

Chapter 2 Malicious Networks for DDoS Attacks

HELP ME NETWORK VISIBILITY AND AI; YOU RE OUR ONLY HOPE

Intelligent and Secure Network

Implementing Cisco Network Security (IINS) 3.0

Transforming the Network for the Digital Business

Securing Your Amazon Web Services Virtual Networks

Endpoint Protection : Last line of defense?

A10 DDOS PROTECTION CLOUD

TRAPS ADVANCED ENDPOINT PROTECTION

Use Cases. Higher Education. Enterprise

Outwit Cyber Criminals with Comprehensive Malware and Exploit Protection.

Novetta Cyber Analytics

Security Experts Webinar

Zero Trust on the Endpoint. Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection

SAFE Architecture Guide. Places in the Network: Secure Campus

Prestigious hospital. Outdated network.

Agile Security Solutions

PALANTIR CYBERMESH INTRODUCTION

A10 HARMONY CONTROLLER

A New Security Model for the IoE World. Henry Ong SE Manager - ASEAN Cisco Global Security Sales Organization

ARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE

How to Leverage Containers to Bolster Security and Performance While Moving to Google Cloud

Cisco ASA Next-Generation Firewall Services

Security for SIP-based VoIP Communications Solutions

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Automated Threat Management - in Real Time. Vectra Networks

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise

Imperva Incapsula Website Security

Corrigendum 3. Tender Number: 10/ dated

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Defence, Intelligence and Secure Communications Solutions

Technical Overview TDAC Anomaly Detection. copyright 2018 by Telesoft Technologies. All rights reserved.

Cisco Cyber Range. Paul Qiu Senior Solutions Architect June 2016

Detect & Respond to IoT Botnets AS AN ISP. Christoph Giese Telekom Security; Cyber DefenSe Center

Securing Your Microsoft Azure Virtual Networks

Vincent van Kooten, EMEA North Fraud & Risk Intelligence Specialist RSA, The Security Division of EMC

ATTIVO NETWORKS THREATDEFEND PLATFORM INTEGRATION WITH CISCO SYSTEMS PROTECTS THE NETWORK

Enhanced Threat Detection, Investigation, and Response

Cisco Ransomware Defense The Ransomware Threat Is Real

PREEMPTIVE PREventivE Methodology and Tools to protect utilities

ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS

Transcription:

Self Learning Networks An Overview Alvaro Retana aretana@cisco.com Distinguished Engineer, Cisco Services Slides by JP Vasseur and Jeff Apcar.

What Self Learning Networks is About SLN is fundamentally a hyper-distributed analytics platform... Putting together analytics and networking... Goldmine of untouched data on networking gear (sensing) Network learns and computes models on premise (analytics) The Network adapts, modifies its behavior (control) SLN for Security: attacks are incredibly sophisticated and targeted, ex- filtration of data being a major concern, requiring a nextgeneration approach => Stealthwatch Learning Networks

Harsh environments: instability of links, limited bandwidth, constrained nodes, stochastic networks (random probability distribution). Still need for some determinism, tight SLA and hyper-scale networks. And the network needs to be adaptive: every single network is different! From this SLN was incubated.

IoT/IoE Predictive models for large scale networks, enable: High performance High Resiliency Detection of disruptive subtle DDoS attacks IWAN Path Optimization Predict network behavior and traffic patterns based on multivariable and time- based modeling. Automatically select and optimize network path in realtime, adapt QoS, based on Business SLAs. SLN Internet Behavioral Analytics for Security Detect of multi-layer subtle DoS attacks and Anomaly Detection Auto learn new threats Massively Distributed, Global, real-time protection

SLN Architecture Principles For Security Fundamentally distributed, building models for visibility and detection at edge Mix of Machine Learning (ML) and Threat Intelligence Enrichment of context Ability to adapt to user feed-back (Reinforcement Learning) Advanced control handling networking complexity

Why Predictive Analytics? Multi-layered defense architectures no longer sufficient to prevent breaches caused by advanced malware... No longer a question of if or when but where... Many of the well-known assumptions are no longer true eg. Attacks come from the outside, deterministic, well understood Attacks are more and more subtle (Hard to detect...) Signature-based architectures vulnerable to mutating attacks (polymorphic) Dramatic increase of the number of 0-day attacks

What Is a Self Learning Network (SLN)? The network is truly adaptive thanks to advanced analytics A true paradigm shift! Move from Trial-and-Error model to a proactive approach using models built using advanced analytics The hard part is not just the analytics but the underlying architecture for self-learning and the how to

SLN Architecture

SLN Centralized Agent (SCA) Orchestration of DLAs. Advanced Visualization of anomalies Centralized policy for mitigation Interaction with other security components such as ISE and Threat Intelligence Feeds North bound API to SIEM/Database (e.g. Splunk) Evaluation of anomaly relevancy Distributed Learning Agent (DLA) Sensing (knowledge): granular data on control and data plane & local states Machine Learning: real-time embedded behavioral modeling and anomaly detection Control: autonomous embedded control, advanced networking control (police, shaper, recoloring, redirect,...)

The DLA Can Have Many Data Sources DLA has been designed for low footprint both in terms of memory and CPU Feature computation, ID & classification are performed locally Lightweight techniques employed with no significant impact on the edge device

DLA Internals

SCA Context Enrichment Identity Services Engine Username, domain, location, time Trigger for traffic mitigation ISE Edge AMP Threat Grid Feed for SLN Edge Control Advanced Malware Protection Advanced Malware Protection Adaptive Firewall w/ AMP Fire Power SCA Talos Feed DNS/IP Blacklists Reprogramming the network fabric (install new rules ) + close loop feed-back. Component to SLN Enhanced context, ML+Threat Intelligence Edge Control DLA Edge Learning: models normal traffic, graph-based anomalies. Edge Control: shape, police, drop, redirect,... Reroute, VLAN,...

On-Premise Edge Control Honeypot (Forensic Analysis) Controller infrastructure SCA Control Policy Smart Traffic flagging According to {Severity, Confidence, Anomaly_Score} Traffic segregation & selection Network-centric control (shaping, policing, divert/redirect) DSCP ReWrite CBWFQ Public/Private Internet DSCP ReWrite CBWFQ DLA DLA DLA Shaping

Anomaly Detection

Botnets and Data Ex-Filtration Techniques Size can range from thousands to millions of compromised hosts Botnet can cause DDoS & other malicious traffic (spam,...) to originate from the inside of the corporate network C&C (C2) servers become increasingly evasive Fast Flux Service Networks (FFSN), single or double Flux DGA-based malware (Domain Generation Algorithms) DNS/NTP Tunneling Peer-to-Peer (P2P) protocols Anonymized services (Tor) Steganography, potentially combined with Cryptography Social media updates or email messages Mixed protocols... Timing Channels

SLN Paradigm Shift (Current) Generation of Security Architectures and Product Specialized Security gear connected to the network (FW, IPS,...) Heavily signature-based... to detect known Malwares Dynamic update of signatures SLN is Machine Learning based and pervasive Use of adaptive Machine Learning (AI) technology to detect advanced, evasive Malware: build a model of normal pattern and detect outlier (deviations) High focus on 0-day attacks Use every node in the network as a security engine to detect attacks Complementary to all other technologies (FW, IPS,...)

SLN Anomaly Detection

Categories Of Anomalies

SLN Visibility

Graph-Based Visibility

Visualising Anomaly Detection Process

Visualising Likely/Unlikely Flows Visualising Likely/Unlikely Flows Sydney Chicago Belgium Grey Graph: Blue Graph: Green Graph: FTP/SCP VoIP Shell DLA Raleigh Data Centre New York Beijing Red Graph: Anomaly San Diego Dallas Data Centre Static Versus Dynamic cluster computation ML algorithms are used to computed intercluster relationship Colored graphs Simple property of likelihood

Visualising Seasonality

Visualising Behavioural Analytics

Host Anomalies Using Feature Vectors

SLN Targeted Outcomes For The User Who talks to whom? Normal Behaviors Active applications between clusters Applications displaying seasonal behaviours Additional application characterisation Contextual data; usernames, domains... Anomalous Behaviors Detection of new applications where never used Detection of abnormal behaviours (data exfiltration) Adaption: Is abnormal event of interest? Upon detecting anomalies; Explain why? What has changed? Ability to perform advanced control (Shape, route, redirect...) SLN adapting to user expectations!

Summary SLN is a disruptive approach for malware detection using behavioral analytics, relying on dynamic learning, fully auto-adaptive Network data is analyzed locally by SLN using advanced and lightweight analytics The router can perform local mitigation Lightweight and distributed architecture that is scalable Visualization is key with simple understandable UI

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback