ailpha大数据智能安全平台 刘博

1、AILPHA大数据智能安全平台智引新安全 数领未来浙江省专家 杭州安恒信息技术有限公司首席科学家、高级副总裁刘博 bo.liudbappsecurity威胁的风险风险增加企业无应对83的增长率 %很难找到他们需要的安全技 能应对这些风险 2012 ESG Research的安全是通过 67%第三方发现 Source: Mandiant 2014 THREAT REPORT的增长率 71%对比上一，解决一个恶意 攻击所花费的时间增长率 2012 - 2013 Juniper Mobile Threat Report229天 恶意攻击被风险前的平均潜伏时间 Source: Mandiant 201

2、4 THREAT REPORT的企业认为： 61%数据泄和恶意APT攻击是 他们面临的最大威胁 2012 IBM Global Reputational Risk & IT Study$3.5M是每次数据泄的平均损失 2014 Cost of Data Breach, Ponemon InstituteInternet事中防护事后审计FWIPSWAF能应对高级威胁误报过多难以处只能依靠单点处能 事前检测P2DR安全模型防护审计/响应检测视频让数据无忧，让应用恒久，让一切放心在线。 我们解决的安全痛点实时预警 安全威胁实时分析、秒级万亿存查 万亿级别的超大规模数据管和快速查询 异常检测 侦测越权

3、为帐户盗用等用户异常为 预警、安全取证 深度关联 深度联动分析识别影响智能学习 基于机学习为用户提供安全态势感知能 追踪溯源安全追溯范围有效安全 还原攻击轨迹 AILPHA大数据智能安全平台 关联：多源数据进关联分析 04分析：根据场景训练有针对性的分析模型 03性能：全方位性能优化满足各种复杂要求 02架构：基于业界领先大数据框架设计产品 01好的架构需要解决下面几个问题 维护性 伸缩性 扩展性 研发效率 业界领先Lambda大数据架构StormSparkKafkaElasticSearchPython+ETL产品价值安全能稳定可靠的性能1小时1键部署 10000EPS单台处能 10秒内任意

4、检索响应 10000亿存储规模 AILPHA分析模型0day检测异常流检测异常业务操作异常系统登录 恶意软件为检测 DGA 检 测垃圾邮件检测 智能机学习恶意访问检测 WebShell 检测恶意提权检测僵尸主机发现渗透攻击检测恶意操作检测木马回连检测DDoS攻击检测 安全场景模型潜伏型攻击检测 潜伏性低频数据窃取0246810141618202224Time12流数据分析 - 傅立叶变换模型公积网站数据窃取TimeTime攻击为判研攻击为取证异常为检测May 10 06:03:40 yangjf sshd28668: Accepted password for root from 172.16

5、.0.183 port 58915 ssh2 May 10 06:03:40 yangjf sshd28668: pam_unix(sshd:session): session opened for user root by (uid=0) May 10 08:56:27 yangjf sshd13361: Received disconnect from 172.16.5.195: 11: disconnected by user May 10 08:56:27 yangjf sshd13361: pam_unix(sshd:session): session closed for user

6、 rootMay 10 09:03:40 yangjf sshd28668: Accepted password for root from 172.16.0.183 port 58915 ssh2May 10 09:03:40 yangjf sshd28668: pam_unix(sshd:session): session opened for user root by (uid=0)0006121824异常为检测May 10 06:03:40 yangjf sshd28668: Accepted password for root from 172.16.0.183 port 58915

7、 ssh2 May 10 06:03:40 yangjf sshd28668: pam_unix(sshd:session): session opened for user root by (uid=0) May 10 08:56:27 yangjf sshd13361: Received disconnect from 172.16.5.195: 11: disconnected by user May 10 08:56:27 yangjf sshd13361: pam_unix(sshd:session): session closed for user rootMay 10 09:03

8、:40 yangjf sshd28668: Accepted password for root from 172.16.0.183 port 58915 ssh2May 10 09:03:40 yangjf sshd28668: pam_unix(sshd:session): session opened for user root by (uid=0)00061218240006121824贝叶斯混合高斯YYXX用户画像关道至简（减）安全设备越来越多，设备告层出穷，安全人安全警同比增加 安全人员的工作效率并没有安全风险可控，风险趋势得到提升 May May May May May May

9、May May May May2 18:18:236 yangjf dNkenerstnmweoal:rskqvMi1rab9nr2a0g:e:Druro1sip3np9g5inlog:cdfer(eastshue1rse):sodnsielnyvcifceoernsuotnaCqtSueUacMlihfafiendagtenu:ar7em.-es 8 (reason 0)2 18:18:236 yangjf dNkenerstnmweoal:srkqdMe1av9ni2ca0ege:vrire1ba3rd09-5/nei:ctrtesPdo-lp2icroaymdsdeisrtceuseso

10、tehu1s m(eotdhe1) as default for IPv4 routing and DNS. 2 18:18:263 yangjf dNkenerstnmweoal:srkqvMi1rab9nr2a0g:e:srtrae1ra3tdi9n5/gv:uaalcAibecvtSirTvtaP/tdfioannislme(dea,tshqs1t/a)drestufiancugcelkts.esarfdnudle,nl dhSeoTsvPticse- a0catdivdarteesds.es2 18:18:236 yangjf kdNenerstnmweoal:rskqiMp1_a9t

11、n2aa0bgle:rsr:e1(a3Cd9)5/2v:0a00l6AibcNvtieirvtaf/itlditonensrm(Ceaotsrhqe1/)TdeSatfmaugelt.5hosft5sf(ilIeP Configure Commit) complete.2 18:18:2763 yangjf kNk ertnweol:rkE8M0ba2tan1baqgl:eeasrdv1d23i.n90g5rVe:LgetdowHpaW_sfuilpteprlicoanndtesvtiacretevdirbr02 18:18:2567 yangjf akdeunrtsnomemal:osqul

12、on1:t9D12r50o9p:7psi:tnalgrotoTekSduO,pvf_eraerstaiudorn_ems2.as4isn8tcecera:nclohoeCksSiuzUpeM(n1fi5se0paltuusr)e:.couldnt locate nis+ table auto.master 2 18:18:2675 yang数jf据dakebn走rsntm向dea:l验:sIqnl证o-idt:hcDcoipsma1pb9le2td0eP,:reDivnHatCecPyr,inEIPgxtmr业eanan务signioe逻lno1s辑o9p2验.1证68.122.2 - 192

13、.168.12网2.络25链4,le验as证e time 1h2 18:18:23606 yangjf dlpinoblsvkmiirtads:q2C1o19u02l0d:s:ntouatsritfneignddldokaceaylmtaodbndfvrielesrs:ei/osenot0nc./ly9li6bfovurisriutn/ngkqraubua5tl.hiftoiaerbidt:ynNaiomspeulsechmfeinletaotriodnirelcotcoarly version 0.962 189:1485:26 yangjf kdenrsnmeal:sqBfur1si9de2gi0enif:tir(eAwaPdaIilvnleignrg/sieortencg/7isr.te1es3ro)elvd.conf2 189:141858:26 yangjf dskenarsnhmeoalr:sqev-i1rdb9ar2e0m:oDnuros2ipn2pg4in1nga:mTDSeNOsSe-frSevDaetriun2riet0is2a.sl1izn0ac1te.i1on7no2f.Ca3iS5lUe#dM53: fDeaetumroen. not running安全模型验证