AppSec Israel 2018 has ended
Wednesday, September 5 • 18:00 - 18:30
DNS Exfiltration or Why I threw away my supervised learning models for anomaly detection


Supervised learning (or “machine learning by examples”) is here to stay, but is it always the optimal solution? Whenever engineers need to tell the difference between cats and dogs, they turn to supervised learning models fed with lots of training examples. But what happens when you’re looking for a rare and extraordinary phenomenon such as a unicorn? In that case you might have abundant examples of horses but almost no examples of unicorns. In our story, the unicorn is the problem of detecting “low and slow” DNS exfiltration attacks, such as the 2014 cyberattack on Home Depot that resulted in the theft of 65M credit card numbers. While the Home Depot attack establishes the importance of the problem, it’s rare to find enough similar examples to predict the next DNS exfiltration campaign. In this talk we will discuss the advantages of anomaly detection in the absence of training samples, walk through our solution based on the Isolation Forest algorithm, and cover the challenges we faced implementing it as a large-scale solution in Spark Scala. This is the story of how we had to take a different approach to our problem and how we came to catch and block a live ‘white-hat’ cyber attack on one of our clients’ platforms.
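As an added illustration of the unsupervised approach the abstract describes (this is not code from the talk or from Akamai, whose implementation ran in Spark Scala), here is a minimal Isolation Forest in pure Python scoring a constructed sample of DNS query names. The feature choice (query length, entropy of the longest label, digit count) and the sample names are assumptions for the example; the single encoded-looking subdomain is isolated in very few random splits and so receives the highest anomaly score, with no labelled exfiltration examples needed.

```python
import math, random

# Constructed sample of DNS query names (not from the talk): ordinary lookups plus one
# query whose long, high-entropy, digit-heavy label resembles an encoded exfiltration chunk.
QUERIES = [
    "www.example.com", "mail.example.com", "api.example.com", "cdn.example.com",
    "login.example.com", "static.example.com", "img.example.com", "news.example.com",
    "blog.example.com", "shop.example.com", "docs.example.com", "help.example.com",
    "a9f3e1c7b2d84f6a0e5c3b7d9f1a2c4e6b8d0f2a4c6e8b.data.example.com",
]

def entropy(s):  # Shannon entropy in bits of the characters of s
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def features(name):  # assumed features: total length, entropy of longest label, digit count
    longest = max(name.split("."), key=len)
    return [len(name), entropy(longest), sum(ch.isdigit() for ch in name)]

def build_tree(rows, depth, max_depth, rng):
    # Isolation tree: random feature, random split, until a point is alone or depth runs out.
    if len(rows) <= 1 or depth >= max_depth:
        return len(rows)                       # leaf: remember how many points it holds
    f = rng.randrange(len(rows[0]))
    lo, hi = min(r[f] for r in rows), max(r[f] for r in rows)
    if lo == hi:
        return len(rows)
    split = rng.uniform(lo, hi)
    return (f, split, build_tree([r for r in rows if r[f] < split], depth + 1, max_depth, rng),
            build_tree([r for r in rows if r[f] >= split], depth + 1, max_depth, rng))

def c(n):  # expected path length of an unsuccessful BST search on n points (normaliser)
    if n <= 2:
        return float(n == 2)
    return 2 * (math.log(n - 1) + 0.5772156649) - 2 * (n - 1) / n

def path_length(tree, row, depth=0):
    if not isinstance(tree, tuple):
        return depth + c(tree)                 # unresolved leaf: add expected remaining depth
    f, split, left, right = tree
    return path_length(left if row[f] < split else right, row, depth + 1)

def anomaly_scores(names, n_trees=100, seed=7):
    # Score in (0, 1]: near 1 means the query was isolated in very few splits, i.e. anomalous.
    rng = random.Random(seed)
    rows = [features(n) for n in names]
    max_depth = math.ceil(math.log2(len(rows)))
    trees = [build_tree(rows, 0, max_depth, rng) for _ in range(n_trees)]
    return {name: 2 ** (-sum(path_length(t, row) for t in trees) / n_trees / c(len(rows)))
            for name, row in zip(names, rows)}
```

Calling `anomaly_scores(QUERIES)` ranks the encoded-looking query far above the ordinary lookups; in a real deployment the scores would be computed per client over aggregated query features and thresholded, rather than on a handful of names.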


Ada Sharoni

Senior Software Developer, Akamai
I originally started as an algorithm developer in signal processing and for the past several years have been a back-end developer. As a "Talpiot" graduate, I served in the Israeli intelligence community and as a commander of Talpiot cadets. When asked about my favorite book I still...

Wednesday September 5, 2018 18:00 - 18:30 IDT
Room 001