All the hype around AI and Machine Learning (ML) and its application in Infosec is enough to make you ignore it, but that would be a mistake. The hype is an issue; a recent report from a venture capital firm says that 40% of startups that’s claiming to use AI don’t actually use the technology.
But AI and ML are real and are being used in infosec to do some pretty cool things. I’ve found a specific example I look forward to showing you in this real training for free event.
First though, we will provide an introduction to artificial intelligence and ML and differentiate them. AI and ML are not the same. ML having a bigger impact and being put to work in infosec right now.
Here’s a short list of topics we’ll discuss
- What are AI and ML and how are they different?
- How can you identify technologies that really use ML and those that just claim to for marketing purposes?
- What is the difference between supervised and unsupervised learning?
Then, my guest, John “Turbo” Conwell, will show you a real-life example of true ML that solves an important infosec problem: recognizing a malicious domain name before it is weaponized. Turbo is a data scientist at our sponsor, DomainTools, and has been in the data science and ML field for 10 years, and currently focuses on building models to identify domains created for malicious intent as soon as they are created.
Turbo will tell us how he and his colleagues built Domain Risk Score and how it implements ML. This is a great example of how ML can solve a real-world security problem.
Most domain or IP reputation feeds rely on observing dangerous behavior, meaning that someone gets hurt before the domain or IP gets blacklisted. The reactive nature of such reputation systems creates a window of vulnerability, leaving organizations exposed to new attack methods from new or previously unseen “sleeper” domains. The DomainTools Risk Score predicts the risk level and likely threats from a domain that has not been observed in malicious activities, by analyzing various properties of the domain that exist as soon as the domain is registered.
The above graphic shows how ML is used to analyze known malicious domain and train the model to predict which newly registered domains are likely to be malicious.
You’ll learn about what goes into bringing ML to bear on an infosec issue like this. Turbo will talk about how they use supervised ML classifiers to build threat profiles of bad domains.
Each classifier is selected and tuned independently to best identify domains used for phishing, malware, and spam respectively.
The overall process:
- Create training and test datasets using curated blacklist data and Whois and DNS databases
- Use domain knowledge of bad actors, DomainTools expertise in cybersecurity TTPs to determine which intrinsic properties of the domains, a.k.a. features, are most useful for identifying malicious intent
- Run grid searches using ML infrastructure over different sets of features and tunings to optimize classification models
- Compare the model’s accuracy on the test dataset using standard classification metrics
I think you’ll love this session because rather than being vague and theoretical, we’ll dive into the details of a successful, specific application of ML with the help of someone intimately involved in its implementation. Not only that, but Turbo is a great communicator. So please join us for this real training for free event!