Ruslan Vaulin

Sqrrl

A New Kind of Deep Learning

Finding advanced persistent threats in a large enterprise network requires analyzing terabytes of log data per day. Most of the activities performed by normal users as well as adversaries involve sequences of steps that themselves consist of many related actions and typically span hundreds or thousands of raw log records. In order to reduce number of false positives and achieve optimal performance the analysis workflow has to extract information and classify at different scales: from features of single log records to timeseries of records to patterns involving multiple entities and data sources. In this presentation we describe a hierarchical approach to analysis of information security data in which we use boosting and stacking machine learning algorithms. We compare and contrast it with the deep learning architectures based on convolutional neural networks that recently gained enormous popularity. We motivate development of the novel techniques that extend beyond convolutional networks paradigm. All throughout we use examples of real-life Tactics, Techniques and Procedures (TTPs).