28 research outputs found

    Adversarial vs behavioural-based defensive AI with joint, continual and active learning: automated evaluation of robustness to deception, poisoning and concept drift

    Recent advancements in Artificial Intelligence (AI) have brought new capabilities to behavioural analysis (UEBA) for cyber-security, which consists in detecting hostile actions based on the unusual nature of events observed on the Information System. In our previous work (presented at C&ESAR 2018 and FIC 2019), we combined deep neural network auto-encoders for anomaly detection with graph-based event correlation to address major limitations in UEBA systems. This resulted in reduced false positive and false negative rates and improved alert explainability, while maintaining real-time performance and scalability. However, we did not address the natural evolution of behaviours through time, also known as concept drift. To maintain effective detection capabilities, an anomaly-based detection system must be continually trained, which opens a door to an adversary who can conduct the so-called “frog-boiling” attack by progressively distilling unnoticed attack traces inside the behavioural models until the complete attack is considered normal. In this paper, we present a solution to effectively mitigate this attack by improving the detection process and efficiently leveraging human expertise. We also present preliminary work on an adversarial AI conducting deception attacks, which, in time, will be used to help assess and improve the defense system. These defensive and offensive AIs implement joint, continual and active learning, in a step that is necessary in assessing, validating and certifying AI-based defensive solutions.

    Adversarial vs defensive artificial intelligence in cyber-security: a mutually beneficial tournament?

    Artificial intelligence comprises a variety of sub-fields, among them UEBA (User and Entity Behaviour Analytics). This fast-growing field relies on the automatic analysis of human and non-human behaviours. More specifically, in cyber-security, a UEBA process consists in detecting hostile actions based on the unusual nature of the events observed on an information system. The UEBA-type defensive systems that exist today suffer from certain limitations that we seek to work around. To this end, we have designed a UEBA-type system that combines, on the one hand, deep neural network auto-encoders for detecting individual behavioural anomalies with, on the other hand, a process for correlating a plurality of events organised as graphs in order to detect the hostile scenarios that make up an attack, in particular of the APT (Advanced Persistent Threat) type. Our system already reduces the false positive and false negative rates, produces highly explainable alerts and is capable of scaling horizontally.
    However, we have not yet addressed the problem known as “concept drift”, which appears as a progressive obsolescence of the learned behavioural model, inherent to the natural evolution over time of the behaviours of the observed system. To work around this drift, an anomaly-based detection system must be trained continually, which opens the door to an adversary able to conduct a so-called “frog-boiling” attack, in which the attacker progressively distils the traces of an attack so that they remain unnoticed and are ultimately integrated into the model of normal behaviours, making the attack undetectable. We present here an overview of our solution, which is able to effectively weaken such an attack by improving the detection process and leveraging human expertise. We also present preliminary work on an adversarial artificial intelligence conducting a deception attack, which will be used to help assess and improve the defense system. These defensive and offensive systems implement joint, continual and active learning, in a step that is necessary for assessing, validating and certifying defensive solutions based on artificial intelligence, whether of the UEBA type or otherwise.

    Benchmarking Robustness of Deep Reinforcement Learning approaches to Online Portfolio Management

    Deep Reinforcement Learning approaches to Online Portfolio Selection have grown in popularity in recent years. The sensitive nature of training Reinforcement Learning agents implies a need for extensive efforts in market representation, behavior objectives, and training processes, which have often been lacking in previous works. We propose a training and evaluation process to assess the performance of classical DRL algorithms for portfolio management. We found that most Deep Reinforcement Learning algorithms were not robust, with strategies generalizing poorly and degrading quickly during backtesting.

    Disappearance of TBEV Circulation among Rodents in a Natural Focus in Alsace, Eastern France

    Tick-borne encephalitis virus (TBEV) depends mainly on a fragile mode of transmission, the co-feeding between infected nymphs and larvae on rodents, and thus persists under a limited set of biotic and abiotic conditions. If these conditions change, natural TBEV foci might be unstable over time. We conducted a longitudinal study over seven years in a mountain forest in Alsace, Eastern France, located at the western border of known TBEV distribution. The objectives were (i) to monitor the persistence of TBEV circulation between small mammals and ticks and (ii) to discuss the presence of TBEV circulation in relation to the synchronous activity of larvae and nymphs, to the densities of questing nymphs and small mammals, and to potential changes in meteorological conditions and deer densities. Small mammals were trapped five times per year from 2012 to 2018 to collect blood samples and record the presence of feeding ticks, and were then released. Questing nymphs were collected twice a year. Overall, 1344 different small mammals (Myodes glareolus and Apodemus flavicollis) were captured and 2031 serum samples were tested for the presence of antibodies against TBEV using an in-house ELISA. Seropositive rodents (2.1%) were only found from 2012 to 2015, suggesting that the virus disappeared afterwards. In parallel, we observed unusual variations in inter-annual nymph abundance and intra-annual larval activity that could be related to exceptional meteorological conditions. Changes in the densities of questing nymphs and deer associated with the natural stochastic variations in the frequency of contacts between rodents and infected ticks may have contributed to the endemic fadeout of TBEV on the study site. Further studies are needed to assess whether such events occur relatively frequently in the area, which could explain the low human incidence of TBE in Alsace and even in other areas of France.