SANS360 - SCADE: Detecting Hidden Threats in Data Centers (PDF slide deck, 9 pages)
SCADE: Detecting Hidden Threats in Data Centers
Vaishali Vinay, Senior Data & Applied Scientist, Microsoft Research

Why Traditional Security Tools Fail in Data Centers?
- Built for endpoints, not automation
- Alert fatigue from high volume
- Short-lived workloads and visibility gaps
- No labeled dataset

SCADE solves these problems with a dual-layered approach:
1. Process telemetry filter: Azure Security Logs are reduced to process creation logs (Event ID 4688).
2. Global analysis (detects rare commands): identifies commands that are statistically unusual across workloads and assigns a rarity score to each command by analyzing historical execution patterns. Powered by statistical methods: log entropy and BM25.
3. Local analysis (detects true anomalies): executes behavioral analysis and eliminates false positives from expected-rare-but-benign activity. Powered by an ML model: Isolation Forest.
4. Output: a high-confidence alert.

Why SCADE? Smarter Anomaly Detection for Automation-Heavy Environments
- Reduces false positives; focuses on meaningful threats
- Works without labeled data; detects new and unknown attacks
- Explainability: no more black-box alerts
- Dynamic thresholding: adapts to workload changes in real time
- Designed for high-scale environments

SCADE in Action: POC Data Overview
We conducted a Proof of Concept (PoC) using real execution lo
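The global layer sketched above, as an added example that is not code from the SCADE talk or from Microsoft: a BM25-style rarity score over 4688 command lines, where each workload is treated as a "document", followed by a mean + k·std dynamic threshold. The scoring formula, the workload names and the command lines are assumptions constructed for this illustration; the local Isolation Forest layer is not reproduced.

```python
import math
import re
from collections import defaultdict

# Constructed sample of Windows Security Event 4688 (process creation) records,
# reduced to (workload, command line). Thirteen workloads share a common baseline,
# the three db-* workloads run a role-specific service, and one web workload
# runs a one-off command. Names and commands are invented for this example.
WORKLOADS = [f"web-{i:02d}" for i in range(1, 11)] + [f"db-{i:02d}" for i in range(1, 4)]
BASELINE = [r"C:\Windows\System32\svchost.exe -k netsvcs",
            r"C:\agent\monitor.exe --heartbeat"]
DB_SERVICE = r"C:\Program Files\SQL\sqlservr.exe -s MSSQLSERVER"
ONE_OFF = r"C:\Users\ops\tools\diskcheck.exe --full"
EVENTS = [(w, c) for w in WORKLOADS for c in BASELINE]
EVENTS += [(w, DB_SERVICE) for w in WORKLOADS if w.startswith("db-")]
EVENTS.append(("web-07", ONE_OFF))


def tokenize(cmd):
    """Lower-case a command line and split it into path and argument tokens."""
    return set(re.findall(r"[a-z0-9_.-]+", cmd.lower()))


def workload_idf(events):
    """BM25 inverse document frequency per token, with a workload as the
    'document': a token seen on few workloads gets a high weight."""
    hosts_per_token = defaultdict(set)
    for host, cmd in events:
        for tok in tokenize(cmd):
            hosts_per_token[tok].add(host)
    n = len({host for host, _ in events})
    return {tok: math.log(1 + (n - len(h) + 0.5) / (len(h) + 0.5))
            for tok, h in hosts_per_token.items()}


def rarity_score(cmd, idf):
    """Mean IDF over the command's tokens: near 0 for fleet-wide commands,
    large for commands whose tokens appear on only one or two workloads."""
    toks = tokenize(cmd)
    if not toks:
        return 0.0
    return sum(idf.get(t, 0.0) for t in toks) / len(toks)


def rare_commands(events, k=3.0):
    """Dynamic threshold: flag commands whose rarity exceeds mean + k*std of the
    scores across all events in the window, so the cut-off moves with the fleet."""
    idf = workload_idf(events)
    scores = [rarity_score(cmd, idf) for _, cmd in events]
    mean = sum(scores) / len(scores)
    std = math.sqrt(sum((s - mean) ** 2 for s in scores) / len(scores))
    return sorted({cmd for (_, cmd), s in zip(events, scores) if s > mean + k * std})
```

With k=3 only the one-off command is flagged; lowering k to 2 also surfaces the db-only service, which is exactly the expected-rare-but-benign case the talk assigns to the local layer.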