AI Research

SophosAI presentations at Black Hat, BSides LV and DEF CON AI Village

Six presentations in Las Vegas this week cover multiple cybersecurity applications of machine learning

The SophosAI team, part of Sophos X-Ops, has a busy week coming up in Las Vegas, with presentations scheduled for BSides LV, Black Hat and DEF CON’s AI Village. The wide range of topics reflect the breadth of artificial intelligence research at Sophos, and how the technology may be (and in some cases, already is) applied to information security problems.

Below is a day-by-day preview of those talks, along with scheduling information. We’ll be following up with posts about the research behind them in the near future.

Tuesday, August 9: BSides Las Vegas

Sophos Chief Scientist Joshua Saxe kicks off the Ground Truth track of BSides LV at 10:30 am on August 9 with a presentation entitled “Security AI in the real world: Lessons learned from building practical machine learning systems deployed to hundreds of thousands of networks.”  The presentation will focus on best practices for applying machine learning to actual security practice, including how to deploy machine learning effectively in real-world environments.  The talk will include a number of case studies that cover using machine learning for alert prioritization, mobile malware detection, malicious web content detection, and phishing detection.

Sophos Senior Scientist Ben Gelman is also presenting at BSides at 2:00 pm on Tuesday, also in the Ground Truth track room. The presentation (entitled “That Escalated Quickly”) covers the development of a prototype machine learning system that captures the actions made by security operations center analysts in response security alerts. As the system is trained by the actions of analysts for each alert, it learns to predict which alerts analysts will escalate.  It presents alerts it predicts are actionable to analysts and improves its predictions as analysts make decisions about them.  The system has resulted in a dramatic reduction in alert volume that SOC analysts need to handle with minimal loss in detection rate, freeing up analysts to dive into alerts that truly matter. The research will also be discussed in a presentation at DEF CON’s AI Village on Saturday.

Wednesday, August 10: BSides LV and Black Hat

Joshua Saxe speaks again at 2:00 PM at BSides’ Ground Truth track, and at 4:20 PM at Black Hat, along with Senior Data Scientist Younghoo Lee, delivering dueling versions of a presentation entitled “GPT-3 and Me: How Supercomputer-scale Neural Network Models Apply to Defensive Cybersecurity Problems.”  This talk springboards off OpenAI’s GPT-3 natural language model, examining how supercomputer-scale neural networks could be applied to cybersecurity in new ways. Specifically, Saxe will focus on the potential to use such neural networks to generate custom, human-readable explanations of difficult-to-parse attacker behavior and  to detect emerging malicious behaviors even when there are very few examples of those behaviors available to learn from. Saxe will walk through both of these example applications and demonstrate how they can be used by others, or used for other large neural network experimentation—all using publicly available models like OpenAI’s GPT-3 series of models.

At 3:00 PM,  Senior Data Scientist Adarsh Kyadige presents his work on detecting the malicious use of living off the land binaries (LOLBins) with machine learning, a topic he’s previously posted about on the SophosAI blog. In his talk, entitled “Weeding Out Living-off-the-land Attacks at Scale,” Kyadige will discuss the difficulty of spotting the malicious command-line executions that are often the only artifact of LOLBin-based attacks—commands that often involve obfuscation and execution of downloaded content—and the details of a machine-learning based system developed by SophosAI to reliably detect those command lines.

August 12 and 13 at DEF CON’s AI Village

On Friday at 11:00 AM, Sophos Data Scientist Harini Kannan will be at DEF CON’s AI Village to present her research on user and entity behavior analysis (UEBA). Advancements in unsupervised machine learning methodologies have made the creation of UEBA models much more effective in detecting anomalous behavior that could indicate malicious activity by malware or an intruder. Entitled “I’m not Keylogging you! Just some benign data collection for User Behavior Modeling,” Kannan’s talk discusses her research into how to collect user behavior data to create baselines for monitoring without the privacy and security dangers created by collecting what nearly amounts to keylogging of user activity—limiting data collection by sending only aggregated data from the endpoint. She’ll also go through the entire model-building procedure.

And finally, on Saturday at noon, Data Scientist Salma Taoufiq will present for the DEF CON AI Village audience on the research she and Ben Gelman performed in prototyping a machine-learning based system for event prioritization described in the Tuesday BSides talk.