After infecting a target machine, many malicious programs need to communicate with a command and control (C&C) server that is controlled by the malware author. To avoid detection and subvert defensive measures (such as blocklisting a single hard-coded domain), malware authors employ domain generation algorithms (DGAs), which let the malware generate hundreds or thousands of new domains, one of which is then registered by the malware author as the location of the C&C server.
Because this problem involves large amounts of data (think thousands of domains generated by the malware) and an approach that is not amenable to rule writing (most generated domains follow random-like patterns), it is a great problem for machine learning to solve! In this talk, we will take a look at how one can train a supervised classification model in the Elastic stack to detect DGA domains, and furthermore how one can use inference processors and ingest pipelines to deploy this model to classify network data at ingest time.
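As an added illustration (not code from the talk or from Elastic), the kind of lexical features a supervised DGA classifier is typically trained on: a model learns the decision boundary from labelled data, whereas here hand-picked thresholds stand in for it. The domains are constructed samples.

```python
import math
from collections import Counter

# Constructed sample domains: two ordinary names and two random-looking
# labels of the kind a DGA emits. Not taken from any real campaign.
SAMPLE_DOMAINS = [
    "elastic.co",
    "wikipedia.org",
    "xk4qz9vtw2lpm8ry.com",
    "jfqwpzxkvbtdnlg.net",
]

def second_level_label(domain: str) -> str:
    """Return the registrable label, e.g. 'elastic' from 'www.elastic.co'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking strings score near log2(len)."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def lexical_features(domain: str) -> dict:
    """Features a DGA model commonly uses: length, entropy, vowel/digit ratio."""
    label = second_level_label(domain)
    n = len(label) or 1
    vowels = sum(ch in "aeiou" for ch in label)
    digits = sum(ch.isdigit() for ch in label)
    return {
        "length": len(label),
        "entropy": round(shannon_entropy(label), 3),
        "vowel_ratio": round(vowels / n, 3),
        "digit_ratio": round(digits / n, 3),
    }

def looks_like_dga(domain: str, entropy_min=3.5, vowel_max=0.2) -> bool:
    """Illustrative thresholds; a trained classifier replaces this rule."""
    f = lexical_features(domain)
    return f["entropy"] >= entropy_min and f["vowel_ratio"] < vowel_max

def score_domains(domains=SAMPLE_DOMAINS) -> list:
    """Return (domain, flagged) pairs, as an ingest-time enrichment would."""
    return [(d, looks_like_dga(d)) for d in domains]

if __name__ == "__main__":
    for domain, flagged in score_domains():
        print(f"{domain:24s} dga={flagged} {lexical_features(domain)}")
```

Benign names keep entropy well below the threshold and retain vowels, which is why such features separate the classes; the Elastic model in the talk learns that boundary from labelled examples rather than from fixed cutoffs.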
Useful background reading for this talk: these two blog posts
More information about the talks is to follow.
17:00 Welcome online
17:02 Talk 1: Detecting DGA activity in network data with Elastic ML, Camilla Montonen
Camilla Montonen is a Senior Machine Learning Engineer working in the Machine Learning group at Elastic. Her areas of interest include ML interpretability and applying ML to solve problems in the field of computer security.
17:35 Q&A and free discussion, networking
18:00 Meetup ends
THIS IS A FREE EVENT