1
00:00:17,840 --> 00:00:25,800
mananas moon a star vehicle hacia poor

2
00:00:21,000 --> 00:00:30,000
presentation look well maybe it'll thank

3
00:00:25,800 --> 00:00:31,560
you very much for introducing me just

4
00:00:30,000 --> 00:00:35,130
like to say that I lead the

5
00:00:31,560 --> 00:00:38,070
cybersecurity laboratory and that

6
00:00:35,130 --> 00:00:43,199
belongs to the BBVA group, where we do

7
00:00:38,070 --> 00:00:46,559
many things that are very there are lots

8
00:00:43,199 --> 00:00:50,519
of fun so what are we going to speak of

9
00:00:46,559 --> 00:00:53,578
the title the heading is quite ambitious

10
00:00:50,519 --> 00:00:55,230
because it's called advancements in

11
00:00:53,579 --> 00:00:59,040
machine learning applied to

12
00:00:55,230 --> 00:01:03,148
cybersecurity I have a now so what I'm

13
00:00:59,040 --> 00:01:08,910
going to do is to try and do away with

14
00:01:03,149 --> 00:01:12,690
the myth of what AI is not good for and

15
00:01:08,910 --> 00:01:15,539
I'd like to tell you what it is good for

16
00:01:12,690 --> 00:01:19,050
so I'm going to summarize how to attack

17
00:01:15,539 --> 00:01:22,410
machine learning algorithms so we're

18
00:01:19,050 --> 00:01:24,929
going to make a trip

19
00:01:22,410 --> 00:01:28,860
around these things so what are we gonna

20
00:01:24,930 --> 00:01:33,600
do this is a very quick introduction to

21
00:01:28,860 --> 00:01:37,650
AI, even though it's true that I speak a

22
00:01:33,600 --> 00:01:41,339
lot about AI but in any case I've had to

23
00:01:37,650 --> 00:01:42,689
learn some things on cybersecurity and

24
00:01:41,340 --> 00:01:46,939
I'm gonna give you a very short

25
00:01:42,689 --> 00:01:49,710
introduction regarding the context of

26
00:01:46,939 --> 00:01:51,329
artificial intelligence and then I'm

27
00:01:49,710 --> 00:01:55,320
gonna tell you about things you cannot

28
00:01:51,329 --> 00:01:58,408
use it for, that is, limitations, many of

29
00:01:55,320 --> 00:02:02,669
which lie on defensive security, and

30
00:01:58,409 --> 00:02:05,820
then I'm going to speak about offensive

31
00:02:02,670 --> 00:02:10,940
security which is where we see there are

32
00:02:05,820 --> 00:02:13,859
more advancements, then the

33
00:02:10,940 --> 00:02:16,260
formalizing of artificial intelligence

34
00:02:13,860 --> 00:02:18,540
from the point of view of security and then

35
00:02:16,260 --> 00:02:20,850
conclusions so what are we going to do

36
00:02:18,540 --> 00:02:22,679
in the next 58 minutes we're going

37
00:02:20,850 --> 00:02:25,239
to try and do away with our myths

38
00:02:22,680 --> 00:02:32,940
regarding artificial

39
00:02:25,240 --> 00:02:36,700
intelligence as applied to cyber security: is it

40
00:02:32,940 --> 00:02:40,090
of any use? Well, it is, or as we will be

41
00:02:36,700 --> 00:02:42,850
speaking about it from this slide we can

42
00:02:40,090 --> 00:02:46,030
see the different techniques that are

43
00:02:42,850 --> 00:02:50,410
learned, like supervised learning,

44
00:02:46,030 --> 00:02:54,390
unsupervised and reinforcement, the

45
00:02:50,410 --> 00:02:58,750
traditional things like image

46
00:02:54,390 --> 00:03:03,040
classification recommendation systems

47
00:02:58,750 --> 00:03:05,830
etc etc so here we have a large part of

48
00:03:03,040 --> 00:03:09,100
domains where it would be interesting to

49
00:03:05,830 --> 00:03:11,470
use artificial intelligence and in fact

50
00:03:09,100 --> 00:03:13,720
it's very interesting and this chart is

51
00:03:11,470 --> 00:03:15,580
quite well known, and by the way

52
00:03:13,720 --> 00:03:18,790
there is a multitude of companies that

53
00:03:15,580 --> 00:03:23,530
are trying to apply AI to their own

54
00:03:18,790 --> 00:03:26,890
domains because thus they can achieve an

55
00:03:23,530 --> 00:03:31,540
advantage, a competitive edge; if you look

56
00:03:26,890 --> 00:03:33,160
at this chart, the part on security

57
00:03:31,540 --> 00:03:35,380
is very small there are many scenarios

58
00:03:33,160 --> 00:03:39,010
where AI is very useful indeed

59
00:03:35,380 --> 00:03:39,960
but in security there are very few, but

60
00:03:39,010 --> 00:03:44,590
there are very few companies

61
00:03:39,960 --> 00:03:48,340
specializing in security some companies

62
00:03:44,590 --> 00:03:52,990
are trying to apply it but there are not

63
00:03:48,340 --> 00:03:54,970
many companies that specialize in during

64
00:03:52,990 --> 00:04:00,780
the potential of these algorithms

65
00:03:54,970 --> 00:04:03,400
applied to security; now let me move

66
00:04:00,780 --> 00:04:06,640
well there are some areas that are of

67
00:04:03,400 --> 00:04:09,850
great concern regarding AI

68
00:04:06,640 --> 00:04:12,519
related to this; this has to do with

69
00:04:09,850 --> 00:04:15,489
whether this software can be

70
00:04:12,520 --> 00:04:18,190
controlled by humans if they could reach

71
00:04:15,490 --> 00:04:21,250
a stage where they would be harmful for

72
00:04:18,190 --> 00:04:24,010
humans understand difficult after 1 min

73
00:04:21,250 --> 00:04:25,570
take some time right now few pictures of

74
00:04:24,010 --> 00:04:28,810
scientists who are working with

75
00:04:25,570 --> 00:04:30,070
artificial intelligence where some of

76
00:04:28,810 --> 00:04:33,370
them are well known

77
00:04:30,070 --> 00:04:38,020
they teach in Stanford etc at least some

78
00:04:33,370 --> 00:04:41,590
of them and one of the main problems is

79
00:04:38,020 --> 00:04:45,520
right now we have to regulate the way in

80
00:04:41,590 --> 00:04:48,369
which these algorithms are used to see

81
00:04:45,520 --> 00:04:50,349
if we can cope or manage the moral

82
00:04:48,370 --> 00:04:52,840
component in order to see whether these

83
00:04:50,350 --> 00:04:55,990
algorithms are going to be good or not

84
00:04:52,840 --> 00:05:00,179
there are many cases of behaviour where

85
00:04:55,990 --> 00:05:05,680
an AI replicates the negative

86
00:05:00,180 --> 00:05:09,600
attitudes of humans like racism etc and

87
00:05:05,680 --> 00:05:12,670
this not only affects

88
00:05:09,600 --> 00:05:16,870
safety but this is also related to

89
00:05:12,670 --> 00:05:19,150
society and the economics and there are

90
00:05:16,870 --> 00:05:22,480
many people that are proposing a

91
00:05:19,150 --> 00:05:25,270
universal source of income so that by

92
00:05:22,480 --> 00:05:29,230
the time that the AI is more developed

93
00:05:25,270 --> 00:05:32,820
those people who won't be able to find a

94
00:05:29,230 --> 00:05:35,770
job we'll be able to get an income via

95
00:05:32,820 --> 00:05:38,140
taxes paid by artificial

96
00:05:35,770 --> 00:05:43,030
intelligence this sounds like something

97
00:05:38,140 --> 00:05:45,630
out of a movie, but nowadays we

98
00:05:43,030 --> 00:05:50,020
have many other problems perhaps

99
00:05:45,630 --> 00:05:53,640
tomorrow we will be murdered by a robot

100
00:05:50,020 --> 00:05:56,560
but there may be other problems such as

101
00:05:53,640 --> 00:05:58,450
wars between different cultures and the

102
00:05:56,560 --> 00:06:02,220
problem is that we need artificial

103
00:05:58,450 --> 00:06:04,599
intelligence in order to solve more real

104
00:06:02,220 --> 00:06:07,600
problems that will affect us as a

105
00:06:04,600 --> 00:06:10,420
species so obviously we cannot do

106
00:06:07,600 --> 00:06:13,300
without AI we need to develop it more

107
00:06:10,420 --> 00:06:15,760
and more even though we run the risk of

108
00:06:13,300 --> 00:06:18,130
reaching a point where we won't be able to

109
00:06:15,760 --> 00:06:23,969
control it and in fact when we speak

110
00:06:18,130 --> 00:06:28,759
about the rapid evolution of

111
00:06:23,969 --> 00:06:33,199
AI, we tend to show things just like this of

112
00:06:28,759 --> 00:06:39,569
algorithms here we have several examples

113
00:06:33,199 --> 00:06:44,399
here we have a game that top and we can

114
00:06:39,569 --> 00:06:48,089
come up with specific algorithms that in

115
00:06:44,399 --> 00:06:51,089
specific tasks will achieve better

116
00:06:48,089 --> 00:06:53,189
outcomes or results than humans

117
00:06:51,089 --> 00:06:56,669
would reach when solving specific

118
00:06:53,189 --> 00:06:59,669
problems; this is AlphaGo Zero, and so

119
00:06:56,669 --> 00:07:03,119
AI will be substituting humans in some

120
00:06:59,669 --> 00:07:06,029
areas but the true thing is that this is

121
00:07:03,119 --> 00:07:08,789
not entirely true, and when we speak

122
00:07:06,029 --> 00:07:11,789
about the singularity, this precise moment

123
00:07:08,789 --> 00:07:20,969
where an artificial intelligence will be

124
00:07:11,789 --> 00:07:23,669
able to perform better than humans at specific

125
00:07:20,969 --> 00:07:26,069
tasks the problem is that there's a lot

126
00:07:23,669 --> 00:07:28,919
of uncertainty nobody knows when this is

127
00:07:26,069 --> 00:07:31,379
going to happen; it is bound to

128
00:07:28,919 --> 00:07:34,349
happen but we don't know when the most

129
00:07:31,379 --> 00:07:45,919
rigorous study that we found that tries

130
00:07:34,349 --> 00:07:49,229
to establish some possible scenarios

131
00:07:45,919 --> 00:07:52,198
for when this will happen and things that

132
00:07:49,229 --> 00:07:55,079
would impact us as a society so what

133
00:07:52,199 --> 00:07:59,939
this study says is that from now until

134
00:07:55,079 --> 00:08:03,419
40 years ahead

135
00:07:59,939 --> 00:08:06,089
of us many things will be substituted by

136
00:08:03,419 --> 00:08:10,159
AI; here for instance the ability to

137
00:08:06,089 --> 00:08:15,529
write a book as a human would do it by the

138
00:08:10,159 --> 00:08:17,639
year 2049, writing a book by 2050

139
00:08:15,529 --> 00:08:22,259
different scenarios for instance

140
00:08:17,639 --> 00:08:25,439
replicating the performance of a physician

141
00:08:22,259 --> 00:08:29,219
and other tasks in 45 years

142
00:08:25,439 --> 00:08:32,490
AI supposedly will be able to solve some

143
00:08:29,219 --> 00:08:35,130
problems that only a human being can so

144
00:08:32,490 --> 00:08:36,549
now this is an opportunity but also a

145
00:08:35,130 --> 00:08:40,149
risk

146
00:08:36,549 --> 00:08:46,089
handle this adequately so these are

147
00:08:40,149 --> 00:08:51,070
things that people, technicians and

148
00:08:46,089 --> 00:08:52,839
specialists in technologies are dealing

149
00:08:51,070 --> 00:08:55,480
with right now we don't know how much

150
00:08:52,839 --> 00:08:59,470
money major companies are spending on

151
00:08:55,480 --> 00:09:02,500
developing this technology; AI has

152
00:08:59,470 --> 00:09:04,420
evolved a lot in the last decade because

153
00:09:02,500 --> 00:09:06,880
there are many companies investing huge

154
00:09:04,420 --> 00:09:08,640
amounts of money in this area and

155
00:09:06,880 --> 00:09:12,130
there's something that I'd like

156
00:09:08,640 --> 00:09:15,880
to highlight: everything related to AI is

157
00:09:12,130 --> 00:09:20,680
considered like the atom bomb, and

158
00:09:15,880 --> 00:09:23,620
there's parallelism with the Manhattan

159
00:09:20,680 --> 00:09:26,620
Project when the experiments were done

160
00:09:23,620 --> 00:09:29,260
at the beginning with this energy that

161
00:09:26,620 --> 00:09:32,230
they were afraid that they would burn

162
00:09:29,260 --> 00:09:36,700
the atmosphere and the same is happening

163
00:09:32,230 --> 00:09:38,890
with AI: we've detected a technology with a

164
00:09:36,700 --> 00:09:41,730
huge potential but we still don't know

165
00:09:38,890 --> 00:09:49,360
whether we'll be able to handle it; there are

166
00:09:41,730 --> 00:09:51,880
major powers investing in these

167
00:09:49,360 --> 00:09:54,040
technologies because supposedly in the

168
00:09:51,880 --> 00:09:57,640
next few years the economic, social and

169
00:09:54,040 --> 00:10:00,699
military impact is going to be huge and

170
00:09:57,640 --> 00:10:02,800
this is related to the introduction

171
00:10:00,700 --> 00:10:05,020
of machine learning many people speak

172
00:10:02,800 --> 00:10:08,079
about machine learning there are some

173
00:10:05,020 --> 00:10:10,300
very good courses last year in cyber

174
00:10:08,079 --> 00:10:15,459
camp there was a very interesting talk

175
00:10:10,300 --> 00:10:19,270
on this issue and I have about 15

176
00:10:15,459 --> 00:10:22,989
minutes ahead and I'd like to touch upon

177
00:10:19,270 --> 00:10:24,910
some issues related to AI plus machine

178
00:10:22,990 --> 00:10:29,470
learning as applied to the world of

179
00:10:24,910 --> 00:10:34,420
cyber security the first slide has to do

180
00:10:29,470 --> 00:10:37,899
with working without complexes; many people

181
00:10:34,420 --> 00:10:39,969
here, I'm sure, have no idea how

182
00:10:37,899 --> 00:10:42,850
to apply machine learning to cyber

183
00:10:39,970 --> 00:10:44,270
security and possibly nobody knows how

184
00:10:42,850 --> 00:10:48,950
to, and there's something

185
00:10:44,270 --> 00:10:51,350
I really like and that is part of all

186
00:10:48,950 --> 00:10:53,300
this marketing strategy around these

187
00:10:51,350 --> 00:10:55,630
technologies applied to the field of

188
00:10:53,300 --> 00:10:58,819
security, which says everyone talks about it

189
00:10:55,630 --> 00:11:01,370
but nobody really knows how to do it

190
00:10:58,820 --> 00:11:04,310
everyone thinks everyone else

191
00:11:01,370 --> 00:11:10,180
is doing it so everyone claims they are

192
00:11:04,310 --> 00:11:10,180
doing it and there's a whole scenario

193
00:11:10,510 --> 00:11:17,780
of technologies contributing with some

194
00:11:14,990 --> 00:11:22,340
differentials that add value; so in the next

195
00:11:17,780 --> 00:11:27,290
few minutes I'm going to try and give a

196
00:11:22,340 --> 00:11:29,450
few brushstrokes on this issue, on this

197
00:11:27,290 --> 00:11:31,849
subject in order to see whether we can

198
00:11:29,450 --> 00:11:33,800
solve this problem in fact there is

199
00:11:31,850 --> 00:11:38,230
something we should reflect upon and

200
00:11:33,800 --> 00:11:42,109
that is whether AI may solve actual

201
00:11:38,230 --> 00:11:44,540
cybersecurity problems let me read to

202
00:11:42,110 --> 00:11:46,850
you a paragraph of the publisher of this

203
00:11:44,540 --> 00:11:49,040
magazine, that says this is a world

204
00:11:46,850 --> 00:11:51,110
where massive amounts of data are

205
00:11:49,040 --> 00:11:53,360
replacing any other tool that can be

206
00:11:51,110 --> 00:11:55,640
applied let's forget about the human

207
00:11:53,360 --> 00:11:58,280
behavioral theories, linguistics or

208
00:11:55,640 --> 00:12:00,710
sociology let's forget about taxonomy or

209
00:11:58,280 --> 00:12:02,300
psychology who knows why people do what

210
00:12:00,710 --> 00:12:03,980
they do the important thing is that they

211
00:12:02,300 --> 00:12:06,439
do what they do and we can do a

212
00:12:03,980 --> 00:12:09,740
follow-up and measure it with enough

213
00:12:06,440 --> 00:12:12,410
data, figures speak for themselves

214
00:12:09,740 --> 00:12:15,050
and this is an opinion by the publisher

215
00:12:12,410 --> 00:12:16,790
of this journal and I'm against this I

216
00:12:15,050 --> 00:12:19,040
oppose this opinion I believe that

217
00:12:16,790 --> 00:12:22,520
there's a human thing to this that

218
00:12:19,040 --> 00:12:24,860
contributes with a differential, an added

219
00:12:22,520 --> 00:12:26,750
value that AI won't be able to provide

220
00:12:24,860 --> 00:12:30,980
or at least not in the next few decades

221
00:12:26,750 --> 00:12:35,150
and there are many stories many articles

222
00:12:30,980 --> 00:12:37,660
and papers that speak and justify the

223
00:12:35,150 --> 00:12:40,449
existence of many scenarios where the human

224
00:12:37,660 --> 00:12:43,480
component provides or

225
00:12:40,450 --> 00:12:46,750
contributes with another component

226
00:12:43,480 --> 00:12:49,440
where these AI systems fail; there

227
00:12:46,750 --> 00:12:52,540
are other scenarios though where AI can

228
00:12:49,440 --> 00:12:54,930
simply not be applied imagine that in

229
00:12:52,540 --> 00:12:57,790
cybersecurity we have the best possible

230
00:12:54,930 --> 00:13:00,819
algorithm in order to identify a user or

231
00:12:57,790 --> 00:13:02,500
an attacker but then there's a law

232
00:13:00,820 --> 00:13:05,920
there's a rule that prevents us from

233
00:13:02,500 --> 00:13:07,269
applying that procedure, and it doesn't

234
00:13:05,920 --> 00:13:10,180
matter whether it's good or bad

235
00:13:07,269 --> 00:13:13,019
we simply cannot apply it, and on this slide

236
00:13:10,180 --> 00:13:16,660
I'm giving you an example in the case of

237
00:13:13,019 --> 00:13:19,269
a bank giving a loan

238
00:13:16,660 --> 00:13:22,029
and here we cannot use machine learning

239
00:13:19,269 --> 00:13:25,779
algorithm; well, why? Because

240
00:13:22,029 --> 00:13:27,730
the data protection law says that

241
00:13:25,779 --> 00:13:30,510
decisions that may have an

242
00:13:27,730 --> 00:13:35,199
effect on the life of citizens must be

243
00:13:30,510 --> 00:13:38,230
reasoned, consented and revised; this

244
00:13:35,199 --> 00:13:43,359
means that if you know anything about AI

245
00:13:38,230 --> 00:13:46,140
we have some environments

246
00:13:43,360 --> 00:13:49,029
where we train; there are some

247
00:13:46,140 --> 00:13:51,640
inputs and outputs

248
00:13:49,029 --> 00:13:56,290
and we don't know how this output has

249
00:13:51,640 --> 00:13:58,930
come about; we don't know why, so there

250
00:13:56,290 --> 00:14:01,540
are scenarios where this is simply not

251
00:13:58,930 --> 00:14:04,149
possible that is we need to be able to

252
00:14:01,540 --> 00:14:09,189
negotiate there needs to be a

253
00:14:04,149 --> 00:14:12,640
negotiation between input and output in

254
00:14:09,190 --> 00:14:14,320
terms of security, privacy, identification;

255
00:14:12,640 --> 00:14:16,199
we need to bear in mind all of these

256
00:14:14,320 --> 00:14:19,720
things because even though algorithms

257
00:14:16,199 --> 00:14:21,609
work we wouldn't be able to do anything

258
00:14:19,720 --> 00:14:23,079
about this and this is the example that

259
00:14:21,610 --> 00:14:25,779
I wanted to tell you about this is a

260
00:14:23,079 --> 00:14:28,989
research we did I don't know three years

261
00:14:25,779 --> 00:14:32,939
ago and this is a very specific example

262
00:14:28,990 --> 00:14:36,920
this was a malware detection issue in

263
00:14:32,940 --> 00:14:42,049
Android with AI in this case with

264
00:14:36,920 --> 00:14:43,729
and so we started using AI in order to

265
00:14:42,049 --> 00:14:48,499
detect everything in order to detect

266
00:14:43,730 --> 00:14:53,959
malware and many what's going well well

267
00:14:48,499 --> 00:14:58,549
characterized that worked halfway well

268
00:14:53,959 --> 00:15:04,429
but we needed more accuracy in order to

269
00:14:58,549 --> 00:15:06,589
work like human analysts would so in the

270
00:15:04,429 --> 00:15:10,899
case of Android applications we saw that

271
00:15:06,589 --> 00:15:13,609
there were certain elements that were

272
00:15:10,899 --> 00:15:16,189
a differential advantage and made this

273
00:15:13,609 --> 00:15:19,369
model work better there's this example

274
00:15:16,189 --> 00:15:22,899
on the left and we realized that by

275
00:15:19,369 --> 00:15:25,910
using natural language processing

276
00:15:22,899 --> 00:15:29,449
techniques we realized that an attacker

277
00:15:25,910 --> 00:15:33,618
when publishing malware in the Android

278
00:15:29,449 --> 00:15:36,829
Market his or her description had a very

279
00:15:33,619 --> 00:15:37,279
poor linguistic quality using very few

280
00:15:36,829 --> 00:15:41,839
words

281
00:15:37,279 --> 00:15:47,689
not many adjectives or verbs, compared to

282
00:15:41,839 --> 00:15:50,569
the legitimate applications, which had better

283
00:15:47,689 --> 00:15:55,759
descriptions that is longer descriptions

284
00:15:50,569 --> 00:15:58,339
and much better written much richer

285
00:15:55,759 --> 00:15:59,509
language so this proves that the human

286
00:15:58,339 --> 00:16:02,959
component

287
00:15:59,509 --> 00:16:06,169
still makes a difference compared

288
00:16:02,959 --> 00:16:09,498
with AI, which could be an addition, a

289
00:16:06,169 --> 00:16:12,290
complement, but by no means is it a

290
00:16:09,499 --> 00:16:17,739
solution so what is actually being done

291
00:16:12,290 --> 00:16:21,469
in machine learning applied to

292
00:16:17,739 --> 00:16:24,429
cybersecurity well I think machine

293
00:16:21,470 --> 00:16:25,789
intelligence is useful for defense

294
00:16:24,429 --> 00:16:30,589
defense

295
00:16:25,789 --> 00:16:34,850
not offense, as Shamir says; what I'm going to

296
00:16:30,589 --> 00:16:37,429
show you right now has to do with public

297
00:16:34,850 --> 00:16:41,089
information that's known from companies

298
00:16:37,429 --> 00:16:44,029
and academic studies and part of this

299
00:16:41,089 --> 00:16:45,169
talk is justified by this person; do you

300
00:16:44,029 --> 00:16:46,740
guys know who this is

301
00:16:45,169 --> 00:16:53,160
please raise your hands

302
00:16:46,740 --> 00:16:56,130
that is the case; this is Shamir, and in one

303
00:16:53,160 --> 00:16:59,430
of his last presentations or conferences

304
00:16:56,130 --> 00:17:04,290
he said I think machine intelligence is

305
00:16:59,430 --> 00:17:10,919
useful for defense, not offense

306
00:17:04,290 --> 00:17:12,270
this sentence was very important for

307
00:17:10,920 --> 00:17:14,610
me because

308
00:17:12,270 --> 00:17:17,339
Shamir is possibly one of the most

309
00:17:14,609 --> 00:17:20,059
brilliant people on earth I know; I was

310
00:17:17,339 --> 00:17:23,359
surprised by this because in the

311
00:17:20,059 --> 00:17:28,678
presentation we are going to see that

312
00:17:23,359 --> 00:17:34,320
offensive security is what has evolved

313
00:17:28,679 --> 00:17:37,679
the most, unlike defensive security, so

314
00:17:34,320 --> 00:17:43,309
what is AI used for right now when

315
00:17:37,679 --> 00:17:46,710
speaking about security or defence

316
00:17:43,309 --> 00:17:50,370
traditionally

317
00:17:46,710 --> 00:17:53,340
speaking normally it is used for

318
00:17:50,370 --> 00:17:58,159
detecting fraud, now everything

319
00:17:53,340 --> 00:18:01,980
related to analysis and monitoring and

320
00:17:58,160 --> 00:18:05,309
and more and more in everything

321
00:18:01,980 --> 00:18:08,010
related to authentication, a

322
00:18:05,309 --> 00:18:10,770
control official Parowan i'ma chose out

323
00:18:08,010 --> 00:18:14,309
the other scenarios where it would be

324
00:18:10,770 --> 00:18:17,160
very interesting to use this like in the

325
00:18:14,309 --> 00:18:20,340
development of software and this is the

326
00:18:17,160 --> 00:18:26,309
normal scenario where all the major

327
00:18:20,340 --> 00:18:27,750
companies want to contribute with their

328
00:18:26,309 --> 00:18:31,530
own thing

329
00:18:27,750 --> 00:18:33,980
using AI; this is the normal cycle that is

330
00:18:31,530 --> 00:18:33,980
always

331
00:18:34,690 --> 00:18:46,310
presented: algorithms, a training process,

332
00:18:39,310 --> 00:18:52,399
identification etc so what public

333
00:18:46,310 --> 00:18:54,889
information exists in this field we go

334
00:18:52,400 --> 00:18:57,910
to companies and more and more we start

335
00:18:54,890 --> 00:19:00,910
seeing projects that are starting to

336
00:18:57,910 --> 00:19:05,360
distribute tutorials and information

337
00:19:00,910 --> 00:19:09,770
focused on defensive security; we have ML

338
00:19:05,360 --> 00:19:16,389
Sec, for instance, where we see the work

339
00:19:09,770 --> 00:19:20,560
by many researchers and most of these

340
00:19:16,390 --> 00:19:24,440
proposals focus on two things basically

341
00:19:20,560 --> 00:19:27,470
on the one hand traffic analysis and

342
00:19:24,440 --> 00:19:30,310
network monitoring and everything that

343
00:19:27,470 --> 00:19:34,940
has to do with malware detection or

344
00:19:30,310 --> 00:19:39,040
preventing malware from exploiting a

345
00:19:34,940 --> 00:19:43,880
series of certain characteristics, as you

346
00:19:39,040 --> 00:19:46,909
possibly know, these are proposals;

347
00:19:43,880 --> 00:19:49,610
major suppliers, major

348
00:19:46,910 --> 00:19:52,010
technological companies or security

349
00:19:49,610 --> 00:19:56,149
companies are trying to use these

350
00:19:52,010 --> 00:19:58,210
algorithms with their products in many

351
00:19:56,150 --> 00:20:02,960
of these cases as we shall see later

352
00:19:58,210 --> 00:20:04,430
technology is not that disruptive these

353
00:20:02,960 --> 00:20:06,370
are twenty-year-old

354
00:20:04,430 --> 00:20:09,380
proposals with twenty-year-old

355
00:20:06,370 --> 00:20:13,219
algorithms, which perhaps do

356
00:20:09,380 --> 00:20:17,060
make a difference somewhat, but not the

357
00:20:13,220 --> 00:20:19,610
association with the

358
00:20:17,060 --> 00:20:22,070
sort of marketing related to these

359
00:20:19,610 --> 00:20:24,800
proposals this is an example of

360
00:20:22,070 --> 00:20:27,830
companies that have greater potential

361
00:20:24,800 --> 00:20:31,090
from the point of view of AI you can see

362
00:20:27,830 --> 00:20:34,040
a small square in red where we can see

363
00:20:31,090 --> 00:20:36,249
some of them focused on cyber security

364
00:20:34,040 --> 00:20:39,619
and AI

365
00:20:36,249 --> 00:20:42,289
let's see, here we see the

366
00:20:39,619 --> 00:20:44,678
names of the companies plus a couple

367
00:20:42,289 --> 00:20:49,789
more I don't know if you can see them

368
00:20:44,679 --> 00:20:54,710
basically the countries that work in this

369
00:20:49,789 --> 00:20:57,739
area are the US, UK and Israel; these are

370
00:20:54,710 --> 00:21:00,080
the three most important

371
00:20:57,739 --> 00:21:03,200
countries that work in

372
00:21:00,080 --> 00:21:05,989
this area and they basically work on

373
00:21:03,200 --> 00:21:11,570
network and monitoring and in everything

374
00:21:05,989 --> 00:21:15,409
related to preventing software from

375
00:21:11,570 --> 00:21:20,689
exploiting certain behaviors so what

376
00:21:15,409 --> 00:21:22,669
prevents us from applying real AI well

377
00:21:20,690 --> 00:21:25,700
I'm going to summarize these things:

378
00:21:22,669 --> 00:21:27,739
on the one hand we see the amount, the

379
00:21:25,700 --> 00:21:31,849
quantity and quality of data if any of

380
00:21:27,739 --> 00:21:34,129
you use AI, probably, if I asked you a

381
00:21:31,849 --> 00:21:36,889
question, how much data do we need in

382
00:21:34,129 --> 00:21:39,049
order to train the system answering this

383
00:21:36,889 --> 00:21:41,029
question is difficult because the answer

384
00:21:39,049 --> 00:21:43,609
normally is the more the data the better

385
00:21:41,029 --> 00:21:46,159
but that's not a scientific answer; what do

386
00:21:43,609 --> 00:21:49,009
you mean by the more data the better so

387
00:21:46,159 --> 00:21:51,019
I guess it depends on the

388
00:21:49,009 --> 00:21:52,999
quality of the data what does this mean

389
00:21:51,019 --> 00:21:55,519
I mean how do you measure the quality of

390
00:21:52,999 --> 00:21:58,580
the data these are abstract things and

391
00:21:55,519 --> 00:22:01,159
if we apply this to cybersecurity this

392
00:21:58,580 --> 00:22:04,399
makes things much more difficult and

393
00:22:01,159 --> 00:22:07,399
prevents us from detecting

394
00:22:04,399 --> 00:22:10,070
attack vectors, for instance a threat

395
00:22:07,399 --> 00:22:12,549
we've never seen what do we do we

396
00:22:10,070 --> 00:22:18,408
normally do a profile of the normal

397
00:22:12,549 --> 00:22:21,080
behavior and if it deviates from this it

398
00:22:18,409 --> 00:22:24,049
means that this behavior is related to

399
00:22:21,080 --> 00:22:26,269
human so from that point of view and

400
00:22:24,049 --> 00:22:28,879
conceptually speaking we are still

401
00:22:26,269 --> 00:22:32,299
working like we used to 20 30 years ago

402
00:22:28,879 --> 00:22:34,189
so we haven't evolved beyond white or

403
00:22:32,299 --> 00:22:36,320
black lists, and there's another thing

404
00:22:34,190 --> 00:22:40,450
that's very important that's related to

405
00:22:36,320 --> 00:22:43,689
static training; normally

406
00:22:40,450 --> 00:22:47,590
people train their systems, and they

407
00:22:43,690 --> 00:22:49,570
apply them but if we go underneath and

408
00:22:47,590 --> 00:22:52,149
go deeper into this, actual

409
00:22:49,570 --> 00:22:55,210
training, real training, is not an

410
00:22:52,150 --> 00:22:57,820
ongoing training and by this I mean that

411
00:22:55,210 --> 00:23:00,730
these algorithms would learn as they go

412
00:22:57,820 --> 00:23:02,770
go, with an important nuance, and that

413
00:23:00,730 --> 00:23:05,560
is that this training has to bear in

414
00:23:02,770 --> 00:23:08,080
mind the presence of an active attacker

415
00:23:05,560 --> 00:23:11,500
that is the actual proposals that are

416
00:23:08,080 --> 00:23:13,929
being worked on are having an intelligence

417
00:23:11,500 --> 00:23:15,880
that works in the presence of an

418
00:23:13,930 --> 00:23:20,500
attacker that will make it

419
00:23:15,880 --> 00:23:22,270
succeed or fail; more points that we'll be

420
00:23:20,500 --> 00:23:24,490
developing more in-depth and that's

421
00:23:22,270 --> 00:23:27,430
really important and everything that's

422
00:23:24,490 --> 00:23:30,850
related to the privacy of algorithms and

423
00:23:27,430 --> 00:23:33,970
models when we use AI we develop a

424
00:23:30,850 --> 00:23:35,500
series of models and these models what

425
00:23:33,970 --> 00:23:37,570
we do is we publish these models can

426
00:23:35,500 --> 00:23:39,670
somebody steal them can somebody

427
00:23:37,570 --> 00:23:41,500
manipulate them which would affect the

428
00:23:39,670 --> 00:23:45,010
security of our systems the answer is

429
00:23:41,500 --> 00:23:48,880
yes and this is something we'll see very

430
00:23:45,010 --> 00:23:54,340
quickly and a couple of issues in the

431
00:23:48,880 --> 00:23:57,250
end and that is offensive security exists

432
00:23:54,340 --> 00:23:59,860
in AI that is today it's possible to

433
00:23:57,250 --> 00:24:03,670
manipulate AI algorithms that are used

434
00:23:59,860 --> 00:24:06,520
in defense in order to provoke different

435
00:24:03,670 --> 00:24:10,150
scenarios like I will show you but

436
00:24:06,520 --> 00:24:13,060
normally these are targeted attacks or

437
00:24:10,150 --> 00:24:16,840
mass attacks

438
00:24:13,060 --> 00:24:19,780
and major institutions like

439
00:24:16,840 --> 00:24:23,230
DARPA are willing to give lots of money

440
00:24:19,780 --> 00:24:26,649
to those who can define AI systems that

441
00:24:23,230 --> 00:24:29,320
will be able to learn in an ongoing way

442
00:24:26,650 --> 00:24:33,040
but in the presence of an attacker and

443
00:24:29,320 --> 00:24:37,480
the role of the attacker is to make this

444
00:24:33,040 --> 00:24:39,399
system fail or not work and if somebody has

445
00:24:37,480 --> 00:24:41,290
the solution to this this company will

446
00:24:39,400 --> 00:24:43,300
be delighted to give them lots of money

447
00:24:41,290 --> 00:24:49,470
in order for you to work on this so when we

448
00:24:43,300 --> 00:24:53,409
speak about the real defense and offense

449
00:24:49,470 --> 00:24:56,860
security we need to

450
00:24:53,410 --> 00:25:00,090
understand what a generative adversarial

451
00:24:56,860 --> 00:25:07,510
network is basically we have a

452
00:25:00,090 --> 00:25:14,560
discriminator that acts like whoever is in

453
00:25:07,510 --> 00:25:20,470
charge of defense and makes a decision we

454
00:25:14,560 --> 00:25:24,750
have a generator that tries to trick the system so what

455
00:25:20,470 --> 00:25:29,010
the generator does is to feed information

456
00:25:24,750 --> 00:25:29,010
to the discriminator

457
00:25:30,170 --> 00:25:34,490
so that generator is going to be

458
00:25:32,660 --> 00:25:39,740
learning as it goes and on the other

459
00:25:34,490 --> 00:25:46,370
hand the discriminator based on

460
00:25:39,740 --> 00:25:55,750
the samples it receives learns so it

461
00:25:46,370 --> 00:25:59,139
will learn more from the attacker with

462
00:25:55,750 --> 00:26:03,530
AI where an attacker can attack a system

463
00:25:59,140 --> 00:26:06,290
trying to beat it and in defense

464
00:26:03,530 --> 00:26:08,450
security well this is a very complex

465
00:26:06,290 --> 00:26:10,520
scenario for which there is no ideal

466
00:26:08,450 --> 00:26:12,500
solution and many of the existing ones

467
00:26:10,520 --> 00:26:17,480
are still being studied on a theoretical

468
00:26:12,500 --> 00:26:19,070
level we don't have a lot of time I'm

469
00:26:17,480 --> 00:26:23,500
just going to show you a couple of

470
00:26:19,070 --> 00:26:26,510
examples in the area of defense security

471
00:26:23,500 --> 00:26:31,430
which I believe are interesting apart

472
00:26:26,510 --> 00:26:35,210
from the network monitoring ones malware

473
00:26:31,430 --> 00:26:38,840
detection and this is related to data

474
00:26:35,210 --> 00:26:41,600
protection and I'm going to speak a

475
00:26:38,840 --> 00:26:44,750
little bit about cryptography

476
00:26:41,600 --> 00:26:47,300
and I'm going to show you a research

477
00:26:44,750 --> 00:26:52,970
done by Google a few years ago and the

478
00:26:47,300 --> 00:26:59,139
headline said that they were able to use

479
00:26:52,970 --> 00:27:03,470
AI to create cryptographic algorithms

480
00:26:59,140 --> 00:27:06,580
single-use algorithms and we have this

481
00:27:03,470 --> 00:27:10,340
system like the one I showed you earlier

482
00:27:06,580 --> 00:27:12,710
whereby Alice and Bob want to encrypt

483
00:27:10,340 --> 00:27:14,860
information in this communication we

484
00:27:12,710 --> 00:27:18,440
have the presence of an attacker

485
00:27:14,860 --> 00:27:21,350
who is a neural network so Alice and Bob

486
00:27:18,440 --> 00:27:25,430
without saying anything or because of

487
00:27:21,350 --> 00:27:28,820
the way that the network is working they

488
00:27:25,430 --> 00:27:32,420
arrive at an algorithm

489
00:27:28,820 --> 00:27:37,460
and the algorithm is such that the

490
00:27:32,420 --> 00:27:39,310
attacker could not decipher it a human

491
00:27:37,460 --> 00:27:43,550
being wouldn't be able to do absolutely anything with it

492
00:27:39,310 --> 00:27:48,250
okay what is the problem about this well

493
00:27:43,550 --> 00:27:52,190
a human being sees this and this is

495
00:27:52,190 --> 00:27:58,130
basically something like an XOR that is

496
00:27:54,800 --> 00:28:02,870
what is being calculated it is a very

497
00:27:58,130 --> 00:28:05,900
interesting proposal and it may entail a

498
00:28:02,870 --> 00:28:07,580
significant change in cryptography here

499
00:28:05,900 --> 00:28:11,150
is another example a quick simulation

500
00:28:07,580 --> 00:28:14,480
we've made of this attack basically we

501
00:28:11,150 --> 00:28:16,430
have a GAN scenario where one of the

502
00:28:14,480 --> 00:28:19,130
neural networks is able to create

503
00:28:16,430 --> 00:28:21,890
digital pictures that look very much

504
00:28:19,130 --> 00:28:25,100
like pictures of celebrities for example

505
00:28:21,890 --> 00:28:27,860
and in that process of deceiving the

506
00:28:25,100 --> 00:28:30,139
detector it is hiding information behind

507
00:28:27,860 --> 00:28:32,149
the pictures it also includes an

508
00:28:30,140 --> 00:28:34,700
additional component that tries to

509
00:28:32,150 --> 00:28:38,120
detect whether the information that's

510
00:28:34,700 --> 00:28:40,490
been hidden is well hidden or not the

511
00:28:38,120 --> 00:28:42,530
conclusion of this study which is more

512
00:28:40,490 --> 00:28:45,950
interesting than the one we showed

513
00:28:42,530 --> 00:28:47,870
before is that with this GAN system with

514
00:28:45,950 --> 00:28:50,630
neural networks we can create new

515
00:28:47,870 --> 00:28:53,659
algorithms which are more robust than

516
00:28:50,630 --> 00:28:57,370
the ones that we have now if you have

517
00:28:53,660 --> 00:28:59,450
the chance of taking a look at this

518
00:28:57,370 --> 00:29:02,659
research and you know a little bit about

519
00:28:59,450 --> 00:29:05,090
steganography you will be

520
00:29:02,660 --> 00:29:07,420
able to appreciate the importance of this

521
00:29:05,090 --> 00:29:11,659
study this is what we've seen about

522
00:29:07,420 --> 00:29:15,380
defensive security now regarding

523
00:29:11,660 --> 00:29:18,680
particular problems an issue here is the

524
00:29:15,380 --> 00:29:22,820
privacy of models where do I publish

525
00:29:18,680 --> 00:29:24,530
models and can attackers attack me this

526
00:29:22,820 --> 00:29:27,379
is something we will understand in a few

527
00:29:24,530 --> 00:29:30,260
minutes what are we trying to do in

528
00:29:27,380 --> 00:29:33,800
order to protect that area well

529
00:29:30,260 --> 00:29:37,510
CryptoNets are being researched which

530
00:29:33,800 --> 00:29:40,520
is the idea of creating encrypted AI

531
00:29:37,510 --> 00:29:41,360
creating cryptography and applying it to

532
00:29:40,520 --> 00:29:44,810
neural

533
00:29:41,360 --> 00:29:47,209
networks so if we are creating a

534
00:29:44,810 --> 00:29:49,970
training model with Amazon and someone

535
00:29:47,210 --> 00:29:53,870
is able to steal our model that model

536
00:29:49,970 --> 00:29:58,130
would be encrypted so that the attacker

537
00:29:53,870 --> 00:30:02,149
wouldn't be able to extract our

538
00:29:58,130 --> 00:30:05,600
knowledge from there only users with a

539
00:30:02,150 --> 00:30:10,760
cryptographic key would be able to use

540
00:30:05,600 --> 00:30:13,750
it if this ends up working in a more

541
00:30:10,760 --> 00:30:17,720
professional way in the future

542
00:30:13,750 --> 00:30:20,300
stealing training models will be an

543
00:30:17,720 --> 00:30:22,970
issue that may be solved in the future

544
00:30:20,300 --> 00:30:25,250
and as we said in

545
00:30:22,970 --> 00:30:27,530
the beginning one of the main problems

546
00:30:25,250 --> 00:30:30,200
in cyber security is that sometimes we

547
00:30:27,530 --> 00:30:32,950
try to detect some things where we have

548
00:30:30,200 --> 00:30:36,800
very small samples of information

549
00:30:32,950 --> 00:30:39,110
that is the samples we have are scarce

550
00:30:36,800 --> 00:30:42,169
and they aren't enough to

551
00:30:39,110 --> 00:30:44,240
make an identification will we be able

552
00:30:42,170 --> 00:30:47,330
to solve that problem we don't know

553
00:30:44,240 --> 00:30:49,610
there are other domains of application

554
00:30:47,330 --> 00:30:52,330
where a solution has been found for

555
00:30:49,610 --> 00:30:55,780
example in robotics

556
00:30:52,330 --> 00:30:59,649
there is one-shot learning which is

557
00:30:55,780 --> 00:31:02,420
applying models with just one sample

558
00:30:59,650 --> 00:31:05,450
this is what can be done in certain

559
00:31:02,420 --> 00:31:07,880
scenarios in robotics a robot sees just

560
00:31:05,450 --> 00:31:11,720
one single example and can replicate

561
00:31:07,880 --> 00:31:14,630
that behavior then for example in terms

562
00:31:11,720 --> 00:31:18,110
of languages there is zero-shot

563
00:31:14,630 --> 00:31:24,980
learning for example this is what Google

564
00:31:18,110 --> 00:31:28,040
does with language the system is able to

565
00:31:24,980 --> 00:31:30,910
understand a new language without any

566
00:31:28,040 --> 00:31:35,240
training without any samples it learns and

567
00:31:30,910 --> 00:31:36,830
replicates that language are we

568
00:31:35,240 --> 00:31:40,610
able to do that in cybersecurity

569
00:31:36,830 --> 00:31:42,679
not yet will we be able to do it well we

570
00:31:40,610 --> 00:31:45,469
don't know yet these are challenges we

571
00:31:42,680 --> 00:31:49,280
are currently working on when we focus

572
00:31:45,470 --> 00:31:52,190
more on offensive security we will talk

573
00:31:49,280 --> 00:31:53,660
more closely about machine learning and

574
00:31:52,190 --> 00:31:56,370
how

575
00:31:53,660 --> 00:32:01,190
software and hardware need to be

576
00:31:56,370 --> 00:32:04,169
understood as one more element in our

577
00:32:01,190 --> 00:32:08,940
industry and included in pen testing

578
00:32:04,170 --> 00:32:14,460
software development etc in other

579
00:32:08,940 --> 00:32:17,430
words AI is one more element that needs

580
00:32:14,460 --> 00:32:19,740
to be included in our industry well

581
00:32:17,430 --> 00:32:22,050
this was a brief introduction there

582
00:32:19,740 --> 00:32:24,090
now we're going to focus on the advances in

583
00:32:22,050 --> 00:32:27,930
terms of offensive cybersecurity this

584
00:32:24,090 --> 00:32:29,970
is where the greatest progress has

585
00:32:27,930 --> 00:32:32,070
been made I need to tell you about four

586
00:32:29,970 --> 00:32:35,450
different types of attacks the attacks we

587
00:32:32,070 --> 00:32:39,810
know of the classic attacks which is

588
00:32:35,450 --> 00:32:43,290
using AI in order to do what we usually

589
00:32:39,810 --> 00:32:45,450
do with other tools or pen testing or

590
00:32:43,290 --> 00:32:50,159
hacking techniques but in an improved

591
00:32:45,450 --> 00:32:53,420
way then synthetic systems then attacks on

592
00:32:50,160 --> 00:32:56,850
machine learning that is

593
00:32:53,420 --> 00:32:59,520
another type of interesting proposals

594
00:32:56,850 --> 00:33:04,290
which have to do with attacking

595
00:32:59,520 --> 00:33:06,240
defensive security based on

596
00:33:04,290 --> 00:33:10,440
machine learning and then a fourth

597
00:33:06,240 --> 00:33:14,400
category where everything else goes we

598
00:33:10,440 --> 00:33:17,250
will see how we can steal AI models and

599
00:33:14,400 --> 00:33:20,850
how to introduce backdoors it's

600
00:33:17,250 --> 00:33:24,540
important to focus on the picture we

601
00:33:20,850 --> 00:33:27,240
have on the top right corner here if you

602
00:33:24,540 --> 00:33:30,840
are into pen testing and black box pen

603
00:33:27,240 --> 00:33:32,190
testing for example this is very similar

604
00:33:30,840 --> 00:33:37,439
think about that

605
00:33:32,190 --> 00:33:40,200
scheme and think what an attacker would

606
00:33:37,440 --> 00:33:43,410
be able to do if an attacker can access

607
00:33:40,200 --> 00:33:47,130
only the inputs what can

608
00:33:43,410 --> 00:33:50,010
they do and if they can only access the

609
00:33:47,130 --> 00:33:53,400
outputs what can they do using that

610
00:33:50,010 --> 00:33:55,770
logic we can create attacker models and

611
00:33:53,400 --> 00:33:59,550
build better systems in order to avoid

612
00:33:55,770 --> 00:34:03,450
attacks we will now see some examples of

613
00:33:59,550 --> 00:34:05,280
each when it comes to classic attacks we

614
00:34:03,450 --> 00:34:09,870
have a couple of examples

615
00:34:05,280 --> 00:34:11,250
the first one is PassGAN it's a tool

616
00:34:09,870 --> 00:34:15,379
that's ready for use

617
00:34:11,250 --> 00:34:18,480
imagine someone steals a password

618
00:34:15,379 --> 00:34:22,290
dictionary from LinkedIn or from a

619
00:34:18,480 --> 00:34:25,469
different network then using neural

620
00:34:22,290 --> 00:34:28,469
networks you feed in that list of passwords

621
00:34:25,469 --> 00:34:32,100
and this proposal is able to create a

622
00:34:28,469 --> 00:34:34,560
cracking rule a rule that will not only

623
00:34:32,100 --> 00:34:37,560
match the passwords it has seen but with

624
00:34:34,560 --> 00:34:38,370
other similar passwords as well so what is

625
00:34:37,560 --> 00:34:41,879
this for

626
00:34:38,370 --> 00:34:46,350
this proves that with this technique we

627
00:34:41,879 --> 00:34:52,190
can crack passwords more efficiently and

628
00:34:46,350 --> 00:34:55,469
quicker also this is proof of that

629
00:34:52,190 --> 00:34:58,340
because you can generalize the rules and

630
00:34:55,469 --> 00:35:03,870
then apply them in future instances

631
00:34:58,340 --> 00:35:06,810
this is an example from the last DEF CON

632
00:35:03,870 --> 00:35:10,140
where neural networks were used in order

633
00:35:06,810 --> 00:35:16,970
to create SQL injection attacks when

634
00:35:10,140 --> 00:35:21,330
you have the rule already instead of

635
00:35:16,970 --> 00:35:27,709
following your own criterion or

636
00:35:21,330 --> 00:35:27,710
using brute force you can reduce

637
00:35:29,930 --> 00:35:36,960
that database so this is the way of

638
00:35:33,330 --> 00:35:41,100
improving traditional hacking tools with

639
00:35:36,960 --> 00:35:44,280
neural networks second type of attacks

640
00:35:41,100 --> 00:35:45,900
synthetic attacks this is very well

641
00:35:44,280 --> 00:35:49,950
known it's been in the press many

642
00:35:45,900 --> 00:35:52,050
times but we have to underline that it

643
00:35:49,950 --> 00:35:54,509
is more and more complicated to tell

644
00:35:52,050 --> 00:35:57,930
real information from unreal information

645
00:35:54,510 --> 00:36:00,750
particularly in audio and video because

646
00:35:57,930 --> 00:36:04,259
systems are getting more complicated and

647
00:36:00,750 --> 00:36:10,140
they are able to falsify to forge things

648
00:36:04,260 --> 00:36:15,190
here somebody with a pair of

649
00:36:10,140 --> 00:36:18,430
modified glasses can trick the systems

650
00:36:15,190 --> 00:36:21,160
it can mislead face recognition here's another

651
00:36:18,430 --> 00:36:26,399
example of how to manipulate a video in

652
00:36:21,160 --> 00:36:30,310
real time here you can see how the

653
00:36:26,400 --> 00:36:33,730
gestures of the actor on the screen can

654
00:36:30,310 --> 00:36:35,799
be changed by using this program they've

655
00:36:33,730 --> 00:36:38,140
used this with many celebrities

656
00:36:35,800 --> 00:36:40,839
including Schwarzenegger so I encourage

657
00:36:38,140 --> 00:36:46,000
you to take a look at it then there are

658
00:36:40,839 --> 00:36:48,880
other programs to replicate voices with

659
00:36:46,000 --> 00:36:54,400
just a sample of 30 seconds of

660
00:36:48,880 --> 00:36:58,869
somebody's voice it is difficult to tell

661
00:36:54,400 --> 00:37:02,440
with the human ear what the real speech

662
00:36:58,869 --> 00:37:05,290
is and what the unreal or fake one is

663
00:37:02,440 --> 00:37:07,839
and these are the kinds of attacks that are

664
00:37:05,290 --> 00:37:11,740
becoming more and more popular now the

665
00:37:07,839 --> 00:37:14,830
third type are the offensive attacks

666
00:37:11,740 --> 00:37:17,740
that I think are more interesting there

667
00:37:14,830 --> 00:37:20,230
are three types of attacks evasion

668
00:37:17,740 --> 00:37:23,919
attacks and poisoning attacks the first

669
00:37:20,230 --> 00:37:26,130
one has to do with how to evade a

670
00:37:23,920 --> 00:37:29,250
classification mechanism that's already

671
00:37:26,130 --> 00:37:33,369
established for example if our antivirus

672
00:37:29,250 --> 00:37:36,339
classifies between malware and goodware

673
00:37:33,369 --> 00:37:39,849
we can make the antivirus classify

674
00:37:36,339 --> 00:37:41,680
malware as goodware and

675
00:37:39,849 --> 00:37:44,619
the other way around when it comes to

676
00:37:41,680 --> 00:37:46,029
poisoning it is about introducing poison

677
00:37:44,619 --> 00:37:48,550
into the systems so that they can

678
00:37:46,030 --> 00:37:52,690
perform particular actions now talking

679
00:37:48,550 --> 00:37:56,080
about offensive attacks here we have

680
00:37:52,690 --> 00:37:58,150
another example of a defender and an

681
00:37:56,080 --> 00:38:01,080
attacker competing at the same time

682
00:37:58,150 --> 00:38:04,210
there is a lot of literature around this

683
00:38:01,080 --> 00:38:06,190
many from academia having to do with

684
00:38:04,210 --> 00:38:08,800
mathematical formulae well if you're

685
00:38:06,190 --> 00:38:13,060
interested we can delve into that but we

686
00:38:08,800 --> 00:38:15,220
won't today but my point is

687
00:38:13,060 --> 00:38:19,480
that there are libraries that people can

688
00:38:15,220 --> 00:38:20,970
download and attack models in a practical way

689
00:38:19,480 --> 00:38:23,280
without

690
00:38:20,970 --> 00:38:28,828
reading a lot of manuals and without

691
00:38:23,280 --> 00:38:32,599
being John Nash so CleverHans and

692
00:38:28,829 --> 00:38:35,520
DeepPwning are the most developed ones

693
00:38:32,599 --> 00:38:38,940
particularly CleverHans which I will

694
00:38:35,520 --> 00:38:41,819
show you some demos now and then we also

695
00:38:38,940 --> 00:38:44,849
have DeepPwning which is

696
00:38:41,819 --> 00:38:47,009
presented as the Metasploit for machine

697
00:38:44,849 --> 00:38:49,760
learning it was a very promising tool

698
00:38:47,010 --> 00:38:53,790
for attacks but it's true that they

699
00:38:49,760 --> 00:38:56,579
haven't updated their GitHub for a

700
00:38:53,790 --> 00:39:00,540
few months so the project isn't dead it

701
00:38:56,579 --> 00:39:02,880
is close to death anyway now I will show

702
00:39:00,540 --> 00:39:04,740
you some example of some significant

703
00:39:02,880 --> 00:39:07,109
attacks the most representative ones

704
00:39:04,740 --> 00:39:09,509
from CleverHans and then you will see

705
00:39:07,109 --> 00:39:12,210
some videos showcasing a little bit

706
00:39:09,510 --> 00:39:16,079
type two attacks I will try to simplify

707
00:39:12,210 --> 00:39:18,210
it with human words as much as I can so

708
00:39:16,079 --> 00:39:21,599
these attacks provide two scenarios

709
00:39:18,210 --> 00:39:25,020
white box and black box in white box

710
00:39:21,599 --> 00:39:27,300
attacks what the attacker needs is to

711
00:39:25,020 --> 00:39:31,259
know the entire training model and all

712
00:39:27,300 --> 00:39:34,079
the configuration parameters this may

713
00:39:31,260 --> 00:39:35,760
not be very realistic but you need to

714
00:39:34,079 --> 00:39:40,230
have all that information once you have

715
00:39:35,760 --> 00:39:43,170
it you need to introduce inputs into the

716
00:39:40,230 --> 00:39:45,720
model and get its outputs so you know

717
00:39:43,170 --> 00:39:48,060
the configuration you add inputs and

718
00:39:45,720 --> 00:39:51,770
obtain outputs and with that information

719
00:39:48,060 --> 00:39:56,880
you're able to generate adversarial

720
00:39:51,770 --> 00:40:00,540
examples that may lead the system to

721
00:39:56,880 --> 00:40:04,050
misclassify this means two things

722
00:40:00,540 --> 00:40:05,910
first the ability of performing massive

723
00:40:04,050 --> 00:40:09,540
attacks imagine that a classification

724
00:40:05,910 --> 00:40:15,060
system can detect numbers from 0 to 9 I

725
00:40:09,540 --> 00:40:18,450
input a 9 or a 0 and I want the system

726
00:40:15,060 --> 00:40:21,750
to classify it as something different

727
00:40:18,450 --> 00:40:26,240
than 0 it doesn't matter where for

728
00:40:21,750 --> 00:40:29,310
example in malware I don't want it to

729
00:40:26,240 --> 00:40:31,109
be classified as its family but as a different

730
00:40:29,310 --> 00:40:33,900
thing this is what we call a massive

731
00:40:31,109 --> 00:40:36,630
attack on the other hand targeted

732
00:40:33,900 --> 00:40:39,690
attacks are different I introduced a

733
00:40:36,630 --> 00:40:43,319
zero and I always want it to be classified

734
00:40:39,690 --> 00:40:45,660
always as two or always as a nine so

735
00:40:43,319 --> 00:40:50,640
depending on the system we will be more

736
00:40:45,660 --> 00:40:58,499
interested in massive or in a targeted

737
00:40:50,640 --> 00:41:02,989
attack black box attacks have been widely

738
00:40:58,499 --> 00:41:06,118
developed in 2017 what do they enable

739
00:41:02,989 --> 00:41:08,519
they have quite an important potential

740
00:41:06,119 --> 00:41:11,009
because we don't need to know anything

741
00:41:08,519 --> 00:41:15,749
about the artificial intelligence system

742
00:41:11,009 --> 00:41:17,700
there is a system in Google enabled by AI

743
00:41:15,749 --> 00:41:20,609
and I don't need to know it I don't need

744
00:41:17,700 --> 00:41:25,259
to know its configuration all I need is

745
00:41:20,609 --> 00:41:27,869
to make some requests that is put in

746
00:41:25,259 --> 00:41:30,900
some inputs and obtain some outputs

747
00:41:27,869 --> 00:41:34,529
that's perfectly feasible and these

748
00:41:30,900 --> 00:41:39,390
attacks are usually against Google for

749
00:41:34,529 --> 00:41:43,019
example so what we create is a

750
00:41:39,390 --> 00:41:46,109
replacement model it's as if I could

751
00:41:43,019 --> 00:41:49,049
create a model at home without knowing

752
00:41:46,109 --> 00:41:53,670
anything about the system I want to

753
00:41:49,049 --> 00:41:55,920
attack once I have my model I can do the

754
00:41:53,670 --> 00:41:59,309
tests to know what inputs

755
00:41:55,920 --> 00:42:02,700
I need to put into the real system in

756
00:41:59,309 --> 00:42:06,390
order to generate targeted or massive

757
00:42:02,700 --> 00:42:09,299
attacks that's why black box attacks are

758
00:42:06,390 --> 00:42:13,499
very useful and in practical terms can

759
00:42:09,299 --> 00:42:15,749
be applied to any AI we don't have a lot

760
00:42:13,499 --> 00:42:19,379
of time left so I will be pretty brief

761
00:42:15,749 --> 00:42:22,999
here this is an attack from CleverHans

762
00:42:19,380 --> 00:42:22,999
this would be a white box attack

763
00:42:27,090 --> 00:42:33,960
this is the simulation

764
00:42:31,590 --> 00:42:36,420
I would like to deal with it in more

765
00:42:33,960 --> 00:42:48,750
depth but we don't have time here you

766
00:42:36,420 --> 00:42:52,350
have a few pictures you can see a lot of

767
00:42:48,750 --> 00:42:55,470
numbers running through on

768
00:42:52,350 --> 00:42:57,420
the Left you have some noise and on the

769
00:42:55,470 --> 00:42:59,970
right you have what the classification

770
00:42:57,420 --> 00:43:03,240
system would see here are several

771
00:42:59,970 --> 00:43:05,339
examples and the final table that's a

772
00:43:03,240 --> 00:43:20,100
summary of it all and that's the

773
00:43:05,340 --> 00:43:21,900
interesting part so what does this mean what

774
00:43:20,100 --> 00:43:23,970
is this table I have a scenario where

775
00:43:21,900 --> 00:43:26,310
the attacker knows the model and the

776
00:43:23,970 --> 00:43:29,459
configuration parameters we have inputs

777
00:43:26,310 --> 00:43:32,460
and outputs and our goal is to know what

778
00:43:29,460 --> 00:43:34,710
we have to do at the input in order to

779
00:43:32,460 --> 00:43:38,910
make the system react the way we want

780
00:43:34,710 --> 00:43:42,840
this is what that would be like for

781
00:43:38,910 --> 00:43:48,379
example on top we have ten columns from

782
00:43:42,840 --> 00:43:52,320
0 to 9 so this silly example classifies

783
00:43:48,380 --> 00:43:56,790
numbers imagine we input 0 and we want

784
00:43:52,320 --> 00:43:59,730
the system to identify 0 so we introduce

785
00:43:56,790 --> 00:44:02,910
our input and leave it as it is now

786
00:43:59,730 --> 00:44:06,360
imagine we input a zero but we want

787
00:44:02,910 --> 00:44:08,819
the system to classify it as a number 1

788
00:44:06,360 --> 00:44:14,150
so if you look to your right you will

789
00:44:08,820 --> 00:44:19,650
see that that 0 that we introduced will

790
00:44:14,150 --> 00:44:23,550
incorporate several alterations in order

791
00:44:19,650 --> 00:44:28,970
to make it be classified

792
00:44:23,550 --> 00:44:33,470
as 1 or as 2 or 3 that is we can create

793
00:44:28,970 --> 00:44:36,299
this table to know which input in which

794
00:44:33,470 --> 00:44:38,520
perturbation to input in order to have a

795
00:44:36,300 --> 00:44:43,610
particular output what

796
00:44:38,520 --> 00:44:46,920
this means in many cyber security

797
00:44:43,610 --> 00:44:50,220
environments white box attacks and black

798
00:44:46,920 --> 00:44:53,520
box attacks allow you to do this and

799
00:44:50,220 --> 00:44:55,740
make the classification system fail so

800
00:44:53,520 --> 00:44:59,000
this is a current challenge now in

801
00:44:55,740 --> 00:45:01,379
offensive security the number of

802
00:44:59,000 --> 00:45:03,540
requests that you have to make to the real

803
00:45:01,380 --> 00:45:07,920
system needs to be as reduced as

804
00:45:03,540 --> 00:45:12,259
possible for example many techniques are

805
00:45:07,920 --> 00:45:16,400
able to trick Google or Amazon's

806
00:45:12,260 --> 00:45:19,590
classification systems with only 800

807
00:45:16,400 --> 00:45:22,800
requests with that you can create your

808
00:45:19,590 --> 00:45:27,000
own model train it and if you want to

809
00:45:22,800 --> 00:45:29,280
perform a targeted attack you know the

810
00:45:27,000 --> 00:45:33,320
table you need to use in order to yield

811
00:45:29,280 --> 00:45:35,730
a particular result here are some other

812
00:45:33,320 --> 00:45:38,610
examples with the other tool I was

813
00:45:35,730 --> 00:45:42,060
telling you about that hasn't evolved

814
00:45:38,610 --> 00:45:44,730
much but the basic idea is the same both

815
00:45:42,060 --> 00:45:47,009
for black box and white box attacks and

816
00:45:44,730 --> 00:45:50,430
if you have time I would recommend you

817
00:45:47,010 --> 00:45:52,680
to read this paper on how to perform

818
00:45:50,430 --> 00:45:55,560
black box attacks on artificial

819
00:45:52,680 --> 00:45:59,279
intelligence systems it has a great

820
00:45:55,560 --> 00:46:03,480
potential because you can generalize

821
00:45:59,280 --> 00:46:06,210
this to any AI algorithm type number

822
00:46:03,480 --> 00:46:09,510
4 this is a little bit of everything and

823
00:46:06,210 --> 00:46:11,520
I'm going to underline just two one that

824
00:46:09,510 --> 00:46:14,070
has to do with model stealing and

825
00:46:11,520 --> 00:46:19,910
another one has to do with backdoors

826
00:46:14,070 --> 00:46:19,910
what's been proved is that in many cases

827
00:46:20,360 --> 00:46:27,920
we either know everything or try to

828
00:46:25,010 --> 00:46:30,930
approximate it through inputs and outputs

829
00:46:27,920 --> 00:46:33,930
creating our own model in these attacks

830
00:46:30,930 --> 00:46:36,480
we just try to steal the original

831
00:46:33,930 --> 00:46:41,310
model that Google or Amazon is using how

832
00:46:36,480 --> 00:46:43,560
can we do this there are many ways I'm

833
00:46:41,310 --> 00:46:45,509
going to give you an example please

834
00:46:43,560 --> 00:46:49,020
don't be scared this is a very basic

835
00:46:45,510 --> 00:46:51,630
formula which is the logistic regression

836
00:46:49,020 --> 00:46:53,549
formula one of the multiple algorithms

837
00:46:51,630 --> 00:46:56,069
we have to create

838
00:46:53,549 --> 00:46:59,038
artificial intelligence how can we

839
00:46:56,069 --> 00:47:01,349
attack the system and steal the model

840
00:46:59,039 --> 00:47:05,039
for example the model that Amazon is

841
00:47:01,349 --> 00:47:08,789
using. Well, in this case we need to

842
00:47:05,039 --> 00:47:13,400
introduce queries and obtain the

843
00:47:08,789 --> 00:47:13,400
responses X and Y

844
00:47:14,089 --> 00:47:19,369
we just have to replace in the equation

845
00:47:20,660 --> 00:47:31,288
x plus b, and with this we will obtain a

846
00:47:26,209 --> 00:47:35,279
number of equations for example we

847
00:47:31,289 --> 00:47:37,979
create 100 queries for 1 sorry 100

848
00:47:35,279 --> 00:47:42,119
equations for 100 queries these are

849
00:47:37,979 --> 00:47:43,669
normal equations, equations we learned

850
00:47:42,119 --> 00:47:47,069
in high school

851
00:47:43,670 --> 00:47:49,680
so once you solve the equation you would

852
00:47:47,069 --> 00:47:54,839
have all the configuration parameters of

853
00:47:49,680 --> 00:47:57,029
this AI. So with M petitions, input

854
00:47:54,839 --> 00:48:00,328
requests and with the outputs that would

855
00:47:57,029 --> 00:48:03,239
be enough to copy replicate or steal

856
00:48:00,329 --> 00:48:06,660
those models, as I said, from

857
00:48:03,239 --> 00:48:08,699
Amazon or from Google. Here is more

858
00:48:06,660 --> 00:48:11,578
information if you are interested in

859
00:48:08,699 --> 00:48:13,349
knowing more. And the last attack I

860
00:48:11,579 --> 00:48:15,209
wanted to talk to you about was the

861
00:48:13,349 --> 00:48:19,019
introduction of backdoors in AI

862
00:48:15,209 --> 00:48:23,489
algorithms. This starts from the idea

863
00:48:19,019 --> 00:48:26,698
that people share their AI algorithms

864
00:48:23,489 --> 00:48:29,609
more and more so that all the

865
00:48:26,699 --> 00:48:33,449
people can use it. Now technically we can

866
00:48:29,609 --> 00:48:34,920
use backdoors in different ways. What do we

867
00:48:33,449 --> 00:48:37,319
understand by back door in this

868
00:48:34,920 --> 00:48:40,049
scenario for example if we work with

869
00:48:37,319 --> 00:48:42,930
neural networks it is about introducing

870
00:48:40,049 --> 00:48:44,880
more neural networks

871
00:48:42,930 --> 00:48:48,749
so that the system continues working

872
00:48:44,880 --> 00:48:50,940
normally but it now has an additional

873
00:48:48,749 --> 00:48:54,660
channel that makes the system work

874
00:48:50,940 --> 00:48:59,530
otherwise this is for example useful for

875
00:48:54,660 --> 00:49:02,379
the systems that classify traffic signs

876
00:48:59,530 --> 00:49:05,260
if this mechanism that controls traffic

877
00:49:02,380 --> 00:49:09,100
signs had a back door we could use a

878
00:49:05,260 --> 00:49:13,270
small sticker or a Mac so that the car

879
00:49:09,100 --> 00:49:15,730
would stop instead of accelerating. This

880
00:49:13,270 --> 00:49:20,440
is really serious as you cannot control

881
00:49:15,730 --> 00:49:21,130
it. There is an additional problem here, which

882
00:49:20,440 --> 00:49:23,950
is called

883
00:49:21,130 --> 00:49:26,350
transfer learning I will give you an

884
00:49:23,950 --> 00:49:28,990
example: imagine a university or research

885
00:49:26,350 --> 00:49:32,980
Center develops an algorithm that is

886
00:49:28,990 --> 00:49:35,319
able to identify objects in general they

887
00:49:32,980 --> 00:49:37,450
publish it on the internet and somebody

888
00:49:35,320 --> 00:49:39,850
takes that algorithm and what they do is

889
00:49:37,450 --> 00:49:43,270
to make some minor changes so that

890
00:49:39,850 --> 00:49:45,509
instead of detecting objects in general

891
00:49:43,270 --> 00:49:49,330
it can detect lamps or chairs or tables

892
00:49:45,510 --> 00:49:53,170
so this is an ideal scenario where

893
00:49:49,330 --> 00:49:57,930
everybody shares their knowledge but if

894
00:49:53,170 --> 00:50:01,240
there is a back door in the original

895
00:49:57,930 --> 00:50:04,899
one, thanks to the transfer

896
00:50:01,240 --> 00:50:06,850
learning that back door continues to be

897
00:50:04,900 --> 00:50:11,260
there, the back door will remain there

898
00:50:06,850 --> 00:50:14,049
so to summarize you need to be careful

899
00:50:11,260 --> 00:50:17,080
whose models you are using and where you

900
00:50:14,050 --> 00:50:20,080
are publishing your models with which

901
00:50:17,080 --> 00:50:23,130
provider, because there is the

902
00:50:20,080 --> 00:50:25,990
technical capability of introducing

903
00:50:23,130 --> 00:50:29,590
backdoors to make your systems work

904
00:50:25,990 --> 00:50:31,720
differently. So now, in summary, machine

905
00:50:29,590 --> 00:50:34,620
learning allows us to create better

906
00:50:31,720 --> 00:50:38,230
hacking tools. Identification and

907
00:50:34,620 --> 00:50:41,290
authorization can be deceived with or

908
00:50:38,230 --> 00:50:44,110
without machine learning it is possible

909
00:50:41,290 --> 00:50:47,290
to steal models so we need to take care

910
00:50:44,110 --> 00:50:50,830
of our privacy we can perform targeted

911
00:50:47,290 --> 00:50:53,320
or massive attacks we can replicate

912
00:50:50,830 --> 00:50:56,350
models without knowing anything about

913
00:50:53,320 --> 00:50:59,380
the system. Then we also talked about the

914
00:50:56,350 --> 00:51:02,529
manipulation of backdoors and models and

915
00:50:59,380 --> 00:51:05,170
what's very important is that these

916
00:51:02,530 --> 00:51:07,720
attacks are more and more practical and

917
00:51:05,170 --> 00:51:09,550
what I mean is that in many cases the

918
00:51:07,720 --> 00:51:11,060
input information needs to be slightly

919
00:51:09,550 --> 00:51:14,770
modified and

920
00:51:11,060 --> 00:51:18,790
the system yields the results you want

921
00:51:14,770 --> 00:51:21,830
this ability is growing more and more

922
00:51:18,790 --> 00:51:25,670
and in terms of digital applications we

923
00:51:21,830 --> 00:51:26,779
can modify by two or three percent very

924
00:51:25,670 --> 00:51:31,100
small amounts, and

925
00:51:26,780 --> 00:51:37,670
after 600 700 or 800 requests to a

926
00:51:31,100 --> 00:51:39,470
provider you can actually do it. Just a

927
00:51:37,670 --> 00:51:43,760
couple of things regarding the

928
00:51:39,470 --> 00:51:47,359
formalization of offensive security well

929
00:51:43,760 --> 00:51:51,470
now everyone who wants to use these

930
00:51:47,360 --> 00:51:54,530
technologies and technology or in

931
00:51:51,470 --> 00:51:56,899
cybersecurity in particular, they

932
00:51:54,530 --> 00:51:58,760
should apply the pen testing we are

933
00:51:56,900 --> 00:52:00,860
currently applying, you know, to check

934
00:51:58,760 --> 00:52:03,800
how secure they are in terms of

935
00:52:00,860 --> 00:52:09,820
cybersecurity and for that we have

936
00:52:03,800 --> 00:52:12,730
several ways: the traditional one, more

937
00:52:09,820 --> 00:52:15,200
related to academia creating better

938
00:52:12,730 --> 00:52:17,930
algorithms but then there are others

939
00:52:15,200 --> 00:52:20,149
that have to do with cryptography if you

940
00:52:17,930 --> 00:52:22,399
know anything about cryptography hash

941
00:52:20,150 --> 00:52:25,790
algorithms, etc., you will know that

942
00:52:22,400 --> 00:52:31,910
certain functions, for example the MD5 hash,

943
00:52:25,790 --> 00:52:34,759
an attacker can provoke changes in

944
00:52:31,910 --> 00:52:37,490
results. So for this we can create either

945
00:52:34,760 --> 00:52:39,830
better algorithms or use another

946
00:52:37,490 --> 00:52:41,479
alternative which has to do with using

947
00:52:39,830 --> 00:52:44,990
several algorithms at the same time

948
00:52:41,480 --> 00:52:47,780
although they are insecure. Why? Because

949
00:52:44,990 --> 00:52:50,839
using more than one algorithm as it

950
00:52:47,780 --> 00:52:55,610
happens in many other scenarios you may

951
00:52:50,840 --> 00:52:59,030
have two different inputs and achieve

952
00:52:55,610 --> 00:53:03,170
that the system doesn't classify the way

953
00:52:59,030 --> 00:53:10,660
it should. Here you can see x and y

954
00:53:03,170 --> 00:53:14,300
and the function may work differently

955
00:53:10,660 --> 00:53:18,440
this may happen with a correct algorithm,

956
00:53:14,300 --> 00:53:21,100
for example MD5, and that is quite

957
00:53:18,440 --> 00:53:24,410
difficult. In artificial intelligence

958
00:53:21,100 --> 00:53:25,940
this is the same thing: we may have

959
00:53:24,410 --> 00:53:30,580
a model that may be attacked with

960
00:53:25,940 --> 00:53:35,600
offensive attacks but with the

961
00:53:30,580 --> 00:53:39,350
combination of both and using the black

962
00:53:35,600 --> 00:53:42,140
box we can create white box and black

963
00:53:39,350 --> 00:53:45,319
box attacks so that our system doesn't

964
00:53:42,140 --> 00:53:50,330
classify anymore or work correctly, and this

965
00:53:45,320 --> 00:53:54,440
is what we are working on to achieve a

966
00:53:50,330 --> 00:53:57,310
solution. So these are now the recipes we

967
00:53:54,440 --> 00:54:01,240
would need in order to make more robust

968
00:53:57,310 --> 00:54:03,770
defensive security against these attacks

969
00:54:01,240 --> 00:54:06,970
we are now defining the so called

970
00:54:03,770 --> 00:54:10,490
rubbish class. One of the usual problems

971
00:54:06,970 --> 00:54:12,680
in classification is that whenever we

972
00:54:10,490 --> 00:54:14,959
have an input there is an output within

973
00:54:12,680 --> 00:54:17,299
a range of possible values. We have a

974
00:54:14,960 --> 00:54:20,060
system that identifies numbers from 0 to

975
00:54:17,300 --> 00:54:22,520
10, so the output will always be a number

976
00:54:20,060 --> 00:54:24,590
from 0 to 10, and in terms of security

977
00:54:22,520 --> 00:54:27,830
that doesn't make a lot of sense

978
00:54:24,590 --> 00:54:33,680
the ideal situation would be that 0

979
00:54:27,830 --> 00:54:36,880
would be classified as 0 and if not we

980
00:54:33,680 --> 00:54:39,970
would need to have a different class

981
00:54:36,880 --> 00:54:44,240
going through that same way. That's why

982
00:54:39,970 --> 00:54:46,250
the rubbish class has been introduced so

983
00:54:44,240 --> 00:54:51,020
that things that are a little bit off

984
00:54:46,250 --> 00:54:54,790
the established path go to that class

985
00:54:51,020 --> 00:54:58,310
we are trying to deceive the attacker

986
00:54:54,790 --> 00:55:00,860
this is a classic solution and many

987
00:54:58,310 --> 00:55:04,040
companies are currently doing that but

988
00:55:00,860 --> 00:55:08,840
we need to continue working so that

989
00:55:04,040 --> 00:55:12,259
attackers don't gain advantage over the

990
00:55:08,840 --> 00:55:15,230
defender. That's why we are using deep

991
00:55:12,260 --> 00:55:19,580
learning. Now when it comes to privacy

992
00:55:15,230 --> 00:55:22,790
here we have a lot of issues. Many of the

993
00:55:19,580 --> 00:55:27,590
references I've given you allow you to

994
00:55:22,790 --> 00:55:31,450
obtain models with 93 90% accuracy and

995
00:55:27,590 --> 00:55:34,760
Google. Anyway, as it happens in

996
00:55:31,450 --> 00:55:36,470
security in general we need to

997
00:55:34,760 --> 00:55:38,299
understand this as a global

998
00:55:36,470 --> 00:55:40,578
architecture. If we are introducing

999
00:55:38,299 --> 00:55:43,160
artificial intelligence in order

1000
00:55:40,579 --> 00:55:45,559
to provide more security we need to

1001
00:55:43,160 --> 00:55:48,859
analyze the security of the element

1002
00:55:45,559 --> 00:55:52,309
itself and be aware that the fact of

1003
00:55:48,859 --> 00:55:54,439
introducing AI in order to obtain a

1004
00:55:52,309 --> 00:55:58,459
small percentage of improvement that may

1005
00:55:54,439 --> 00:56:03,709
be a global problem, so we need to assess

1006
00:55:58,459 --> 00:56:07,999
the risk and see whether to introduce

1007
00:56:03,709 --> 00:56:10,339
artificial intelligence. So if you work

1008
00:56:07,999 --> 00:56:13,189
and there's or if you see people or hear

1009
00:56:10,339 --> 00:56:15,739
people talking, sometimes when we go to

1010
00:56:13,189 --> 00:56:17,209
the companies we ask them this kind of

1011
00:56:15,739 --> 00:56:19,939
questions and they don't know how to

1012
00:56:17,209 --> 00:56:22,249
answer because we need to convince them

1013
00:56:19,939 --> 00:56:26,899
that security needs to be embedded in

1014
00:56:22,249 --> 00:56:29,718
that cycle at least in the initial phase

1015
00:56:26,900 --> 00:56:33,199
of the algorithms with clever hands or

1016
00:56:29,719 --> 00:56:36,439
with all the tools in order to

1017
00:56:33,199 --> 00:56:39,589
understand that in a real situation the

1018
00:56:36,439 --> 00:56:42,828
attacker will try to deceive our AI system

1019
00:56:39,589 --> 00:56:45,259
and if the AI system is aimed at

1020
00:56:42,829 --> 00:56:48,769
providing security well then we are in

1021
00:56:45,259 --> 00:56:51,079
trouble. This is what I wanted to share. I

1022
00:56:48,769 --> 00:56:54,229
wanted to insist on the idea that AI is

1023
00:56:51,079 --> 00:56:56,929
useful, there are many domains. We've been

1024
00:56:54,229 --> 00:57:00,468
using it in security for about 20 years

1025
00:56:56,929 --> 00:57:02,449
and more, in detection and traffic

1026
00:57:00,469 --> 00:57:05,839
control. It's not clear what the

1027
00:57:02,449 --> 00:57:08,630
solution is, but what is clear is that

1028
00:57:05,839 --> 00:57:12,529
offensive security is clearly advancing

1029
00:57:08,630 --> 00:57:15,679
and we need to take decisions in order

1030
00:57:12,529 --> 00:57:19,400
to know what to do with algorithms and

1031
00:57:15,679 --> 00:57:21,439
how to make them more secure. So thank

1032
00:57:19,400 --> 00:57:23,420
you very much for your attention I will

1033
00:57:21,439 --> 00:57:25,879
be hanging out here, I will be on Twitter,

1034
00:57:23,420 --> 00:57:28,069
on Facebook and I'll be very glad to

1035
00:57:25,880 --> 00:57:28,870
answer any questions you may have thank

1036
00:57:28,069 --> 00:57:32,080
you very much

1037
00:57:28,870 --> 00:57:32,080
[Applause]
