SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals™

Overview

This section introduces some of the terminology in the data science and machine learning fields, in addition to introducing a number of the technologies that are used as data sources. Since the first step in any data science or machine learning project is to acquire data, the balance of the day is focused on hands-on exercises to prepare the student for these tasks.

The first necessary skill is the use of Python, our chosen language for this course. The only course prerequisite is a fundamental understanding of Python. If you've written even one line of Python, you are probably knowledgeable enough to get started! We will cover lists, arrays, tuples, dictionaries, comprehensions and then begin introducing the numpy variants.

Following the Python refresher the course provides some theory followed immediately by hands-on exercises to give you just enough knowledge of SQL, MongoDB, and webscraping to get real work done.

Exercises

• Python Refresher
• Accessing, Manipulating, and Retrieving SQL data
• Accessing, Manipulating, and Retrieving NoSQL data: MongoDB
• Webscraping for data acquisition

Topics

• Data Science
• Python
• SQL
• NoSQL
• Webscraping

Overview

This section begins with the fundamentals of statistics that matter for data science and machine learning. Following this introduction and hands-on exercises that provide practical uses for these techniques against real-world data, the course transitions to probability theory.

Probability theory is an extensive field of its own. Following the introduction of some fundamentals, the course works directly toward deriving the Bayesian theorem. Building on this introduction, students then engage in a hands-on lab that builds a useful Bayesian analysis tool, upon which students will improve later in the course.

The remainder of this section is translating the statistical knowledge gained into the field of signals analysis. After a discussion concerning the derivation and applications of the Fourier series, the Fast Fourier Transformation, and the Discrete Fourier Transformation, students use these tools in a real-world threat hunting activity.

Exercises

• Statistics Fundamentals: Medians and Means
• Statistics Fundamentals: Variance, Deviations, and Robust Measures
• Applications of Statistics to Data Identification
• Probabiltiy, Beyes, and Phishing
• Threat Hunting through Signals Analysis

Topics

• Statistics
• Robust Measures
• Probability
• Bayes Theorem and Inference
• Fourier Series and Related Derivations

Overview

The remaining 18+ contact hours of this course are spent learning about and immediately applying various machine learning models. After each topic is introduced and discussed, students engage in lengthy hands-on labs to develop an intuitive understanding and apply the technique to real problems.

The section begins with various clustering approaches and unsupervised machine learning. The exploration begins with Support Vector Classifiers, kernel functions, and Support Vector Machines. Following this discussion and exercises, we continue the clustering theme by considering the K-Means and KNN approaches. After working through examples in just two or three dimensions, we turn our attention to methods for determining the ideal number of clusters. With this done, we finally explore high-dimensional applications and dimensionality reduction through Primary Component Analysis. The DBSCAN algorithm is covered in some depth, with application made to threat hunting and efficient SOC analysis of large scale data.

The balance of this section is spent discussing Decision Trees. After a hands-on activity and discussion of the limitations of Decision Trees, we expand into Random Forests and explore hands-on how these provide better inferences in most cases. The section wraps up with a cluster-based approach to finding anomalies in user activity on a network.

Exercises

• K-Means / KNN
• Elbow Functions and PCA
• DNSCAN for Clustering
• Support Vector Classifiers
• Support Vector Machines
• Decision Trees
• Random Forests

Topics

• Support Vector Classifiers
• Support Vector Machines
• Kernel Functions
• Primary Component Analysis
• DBSCAN
• K-Means
• KNN
• Elbow Functions
• Decision Trees
• Random Forests
• Anomaly Detection

Overview

The entire focus of this section is on the theory, development, and use of supervised learning approaches in the field of information security. Building on the mathematics and statistics covered in section 2, this section begins with linear regressions and ends with the application of deep learning neural networks to multi-class classification problems involving real-time network data.

The material is focused on using supervised machine learning and mathematics to create predictive models. The initial discussion and exercises center around forecasting and trends analysis for anomaly detection. Following this, the majority of the material focuses on classification problems.

Building on the Bayes approach used in section 2, this section introduces deep learning neural networks and fully connected dense networks through the development of a far more accurate phishing detection network. Following this, the course explores visualization and measurement of neural network training performance, in addition to discussing overfitting, overtraining, and how to identify (and avoid!) them.

The next portion of this section turns to categorical problems, during which students will build a real-time network protocol classification system. More importantly, students will implement anomaly detection in this classification system, a task typically reserved for unsupervised approaches.

Exercises

• Polyfit Regressions
• Hello, World! Sentiment Analysis
• Ham vs. Spam via Deep Learning
• Identifying Protocols
• Protocol Anomaly Detection

Topics

• Regression and fitting
• Loss and Error functions
• Vectors, Matrices, and Tensors
• Fundamentals of the Perceptron
• Dense Networks

Overview

This section of the course is dedicated to expanding students' knowledge of deep learning solutions. The first half of the section is focused entirely on convolutional networks (CNNs). The class explores the application of CNNs to text classification problems, but also to predictive identification of zero-day malware.

The second half of this section of the course focuses on autoencoders. The class examines what autoencoders do, why they work, how to select a latent representation, and how reconstruction loss functions work. This knowledge is then applied to creating an automatic log anomaly detection solution that does not use any signatures or human intervention to identify anomalies. Building on this, students work on the building blocks for a large-scale ensemble autoencoder for detecting network threats.

Exercises

• Predictive Malware Identification - Finding Zero Days
• Ham vs. Spam, CNN Style
• Multi-class text classification via CNNs
• Log Anomaly Detection using Autoencoders
• Real-time Network Anomalies

Topics

• Convolutional Neural Networks
• Embedding Layers
• Applying CNNs to text problems
• Autoencoders
• Reconstruction loss measurements
• Creating ensemble autoencoders

Overview

The final section of this course continues discussing Convolutional Neural Networks and the application of CNNs and fully connected networks for solving regression problems. The major focus of this section is on the creation of a deep neural network using TensorFlow's functional pattern, allowing you to build networks with complex structures, multiple inputs, and multiple outputs. The main task used to learn about these techniques will be using neural networks for both testing the quality of and solving CAPTCHAs. Whether you are on a red, blue, or purple team, you will learn how to think through and use machine learning to solve what amounts to a computer vision problem and to solve it at greater than 95% accuracy! Along the way you will also learn the key concepts behind the creation of representative synthetic data, how to build synthetic data with generators, and how things can go wrongly. You will also learn how to make use of data augmentation layers.

Following this project, the class covers the use of genetic techniques for hyperparameter optimization. Students are provided with a starting point for genetic optimization for use on their own after class.

The final discussion and demonstration in the course covers practical deployment approaches, including stand-alone deployments for real time critical applications and, for less time critical applications, the more common containerized approaches that can be used with Docker, Rancher, or Kubernetes.

Exercises

• Solving CAPTCHAs: POC
• Solving CAPTCHAs: Functional API
• Solving CAPTCHAs: Split model

Topics

• Convolutional Neural Networks and Regressions
• Functional definition of Neural Networks
• Deep Learning Networks with Multiple Outputs
• Thinking about Machine Learning Problems
• Genetic Algorithms
• Deployment using Containers