So, you think you can model Internet abuse with machine learning?

So, you think you can model Internet abuse with machine learning? Abuse in the Internet is an every day problem. Illicit actors are victimizing people, which result to a variety of significant problems — i.e., from losing your private information to have your recourses being used in other criminal activities. The common denominator behind the Internet abuse is a network of infected machines (a.k.a. botnet) under the control of the criminal entity (a.k.a. botmaster). Needless to say, the detection of such “botnet communications” is in the hurt of the security problem that a large organization faces every day. Detection methods based on static methods are doomed fail, simply because they will always be behind the threat. Thus, the community is in great need of scalable abuse detection solutions. Unsurprisingly, such newly proposed solutions are often based on machine learning. With this talk I will argue that a fancy machine-learning algorithm (and derived pretty graph pictures) “operationally” will simply not “cut-it”. This is true especially in the case where what you are trying to solve is not your company’s marketing problem, rather the security problem your network and security operation center is facing every day. The role of domain knowledge and constant counter intelligence of the malicious actors is fundamental to properly craft generic detection and attribution solutions able to catch up with the constantly changing malicious methodologies, while at the same time you minimize the false and missed detections.