12:45 - 13:25
Itsik Mantin & Johnathan Azaria - AI in a Minefield: Learning from Poisoned Data
a normality model constructed from previously seen traffic data. However, when the traffic originates from unreliable sources the learning process needs to mitigate potential reliability issues in order to avoid inclusion of malicious traffic patterns in this normality model. In this talk, we will present the challenges of learning from dirty data with focus on web traffic - probably the dirtiest data in the world, and explain different approaches for learning from dirty data. We will also discuss a mundane but no less important aspect of learning – time and memory complexity, and present a robust learning scheme optimized to work efficiently on streamed data. We will give examples from the web security arena with robust learning of URLs, parameters, character sets, cookies and more.
13:35 - 14:15
14:25 - 15:05
Vivek Malik & Kumar Vikramjeet - One Stop Anomaly Shop
One Stop Anomaly Shop (OSAS) is a complete machine learning framework aimed to discovered anomalies in a given dataset. The open source project represents an implementation of several Adobe’s Security Intelligence Team Patents and White papers.
The project aims to enable the user to create a custom pre-processing pipeline, using predefined recipes for numerical, categorical, text and combined datatypes. The output of the pipeline is a set of labels that describe the input data and that are later consumed by standard anomaly detection algorithms or supervised classifiers. The role of the pipeline/labels is to reduce data scarcity, while enhancing the accuracy of anomaly detection and supervised machine-learning algorithms even on small datasets.
Its unique manner of tagging allows it to be used for a diverse range of datasets and projects. The Expert Knowledge Based tagging component makes it highly efficient at targeting security threats and shifts the underlaying operation from unsupervised learning towards a semi-supervised one.
The open source initiative contains the full source code of the project but also a dockerized version, equipped with an OSAS Web UI and an Elastic Search OpenDistro installation and integration for fast graphical analysis of the results.
The presentation will contain an end to end hands on PoC of how to levrage the off the shelf OSAS or how to fully customize a pipeline in just a couple of minutes/clicks.
15:15 - 15:55
Miklos Kiss & János Kovács & Bence Horvath - The use of Threat Intelligence to Enhance Automotive Security
Engine power, fuel consumption, driving comfort, and handling of a car are just a few of the dimensions that define the quality of a car. With more and more core vehicle functions enabled by software running on specialized hardware chips, the security of those components is fast becoming another dimension of quality in the automotive industry, similar how physical safety is a major concern and quality parameter today. This talk aims to discuss the use of threat intelligence to empower both increased security in the design of new automotive systems, as well as keeping existing components secure against newly discovered vulnerabilities and attack vectors.
16:05 - 16:45
Daniel Nussko - Large-scale Security Analysis of IoT Firmware
Today, the number of IoT devices in both the private and corporate sectors are steadily increasing. IoT devices like IP cameras, routers, printers, and IP phones have become ubiquitous in our modern homes and enterprises. To evaluate the security of these devices, a security analysis has to be performed for every single device. Since manual analysis of a device and reverse engineering of a firmware image is very time-consuming, this is not practicable for large-scale analysis.
To be able to conduct a large-scale study on the security of embedded network devices, an approach was applied that allows a high number of firmware images to be statically analyzed. For data acquisition, a crawler was used to identify and retrieve publicly available firmware images from the Internet. In this way, more than 10,000 individual firmware images have been collected. The firmware was then automatically unpacked and analyzed regarding security-relevant aspects.
For the first time, this research provides insights into the distribution of outdated and vulnerable software components used in IoT firmware. Furthermore, a comprehensive picture of the use of compiler-based exploit mitigation mechanisms in applications and libraries is given. Factory default accounts were identified, and their passwords recovered as far as possible. Also, a large amount of cryptographic material was extracted and analyzed. Besides, a backdoor has been discovered in the firmware of several products that allows remote access to the devices via SSH after triggering the functionality. The backdoor has been verified and confirmed by the vendor and two official CVE numbers have been assigned.
The results of this large-scale analysis provide an interesting overview of the security of IoT devices from 20 different manufacturers. IoT firmware was analyzed regardless of device type or architecture and a broad picture of their security level was obtained.
16:55 - 17:35
Filipi Pires - Discovering C&C in Malicious PDF with Obfuscation, Encoding and other Techniques
17:45 - 17:50
Attila Marosi-Bauer - Closing Notes