AppSec California 2015

Application security lies in the core of Salesforce.com's products, for which the reason is obvious. As much as one has strengthened on perimeter defenses, an in-depth defense strategy that lies right in the app is much needed.

This talk focuses on the application of statistics and machine learning techniques on in-app events to detect and eventually prevent attacks and abuses on Salesforce platform.

OWASP group laid out a framework of intrusion detection response in applications - Appsensor. Our work is distinct from the Appsensor project in that the data-driven statical approaches are built with online learning methodologies and adaptive behavior modeling techniques; it thus require as little configuration and supervision as possible. Unsupervised learning and bootstrapping are established techniques within machine learning. This research dramatically differs from the previous detection techniques for two reasons: 1) The in-app detection inspects transactions in the context of the application’s semantics, interaction and enhanced information about their users, whereas an IDS or IPS usually operates on the perimeters at the firewall or at the network gateway. They have no to little knowledge of the behavior within an application. 2) Our methods are adaptive to behavior changes, while the previous techniques largely rely on signature-based misuse detection with rather stale configuration that are thus susceptible to a higher level of false positives. One example of the adaptive behavior based detections include detecting a fraud user who is stepping through a multi-step business process in an anomalous order. The determination of the anomaly is based on firstly a learned regular behavior over time, and secondly automatically adjusted by evidences of changes in a user's role or business process. Other examples include alerting on abnormal timing or volume of certain in-app activities or geolocation abnormality of user's access points in a single session.
In this talk, we will also give our experience of the big data technologies around the Apache Hadoop ecosystem, in particular, Apache Spark as the major enabling technologies for in-depth app platform threat detection.