Skip to main content

Posts

The meaning of time in reinforcement learning

Reinforcement learning (RL) is one of three basic machine learning paradigms, alongside supervised learning and unsupervised learning. Reinforcement learning is concerned with how software agents ought to take actions in an environment in order to maximize the notion of cumulative reward through the process of trial and error. In reinforcement learning an agent starts at an empty state then analyzes the available datasets according to a policy of positive states and negative states. Rather than being explicitly taught as in supervised learning the correct set of actions for performing a task, reinforcement learning uses rewards as signals for positive states and punishments as signals for negative states. The agent obtains the best path to a desirable reward as a cumulation of positive states and negative states. As compared to unsupervised learning, reinforcement learning is different in terms of goals. While the goal in unsupervised learning is to find similarities and differences
Recent posts

Web app comparison of async and real-time

Advantages of asynchronous web apps Generic request/response structure Stateless session control Message queue management Token access based on serverside date-time format PostgreSQL paging using token-centric tables and functions Shared pools of resources per customer One-to-many security policies Single domain name with TLS cert over HTTPS Shared bandwidth for uploads/downloads No endpoint/device registration No direct access to server resources Web app aggregation as control panel A/B Testing Advantages of (near) real-time web apps Stateful session control On-demand communication protocols per customer Custom request/response structure per customer Custom date-time formats per customer Endpoint/device registration PostgreSQL paging using static tables and aggregate functions Immediate execution of requests Dedicated pools of resources per customer Dedicated TLS cert over HTTPS per customer Dedicated IP addres

OpenStack+Ceph as Software-Defined Storage

SDS reduces the costs of the management of growing data stores by decoupling storage management from its hardware to allow for centralized management of cheaper, popular commodity hardware. The example SDS ecosystem uses open source software like OpenStack as a front-end interface on top of Ceph as the resource provider of a RADOS cluster of commodity solid-state drives. OpenStack provides user-friendly wrappers for accessing and modifying underlying Ceph storage. OpenStack comes in the form of distributed microservices with RESTful API's: Block (Cinder), File (Manila), Image (Glance), and Object (Swift). Each microservice can scale-out as a cluster of stand-alone services to accommodate the varying demands of high-growth storage. With OpenStack the underlying Ceph storage can address the block storage needs, file storage needs, image storage needs, and object storage needs of datacenters adopting open source as their new norm in an industry trend for high performace and high a

Counter-offensive solutions to machine learning

In January 2020 I learned about the results of a contest at DEFCON 2019 where hackers were challenged to come up with counter-offensive solutions to machine learning. One prize winner proved that machine learning could be 100% evaded by mimicking the behaviors of software that produce whitelisted events, and further proved that any whitelisting in machine learning is a vulnerability. Unfortunately I haven't found an exact source for this information. Simply removing the capability to perform whitelisting on an endpoint usually doesn't change the base code of software that uses machine learning since whitelisting (or ignoring patterns found in machine data from an endpoint) is done prior to ingesting machine data used for training. Alternatively I would argue that any kind of function that ignores input or filters input (like regex) from a user is whitelisting. Do you have a suggestion about how to improve this blog? Let's talk about it. Contact me at David.Brenner.Jr@G

Threat detection of zero-day attacks in Linux with Python

You can investigate suspicious activity that could be a zero-day attack by collecting relevant machine data from your endpoint. You can use the machine data to create your own analysis. Before you start your investigation you will need to determine normal activity on your endpoint. Normal activity is the scope of functionality of the software on your endpoint during periods of low activity and high activity. You will need some kind of software that periodically collects specific machine data from your endpoint like my software developed in Python that's available for free download at https://github.com/davidbrennerjr/server-stats-collector Ingest one or more of the following machine data: General system-wide error messages from /var/log/syslog Auditing logs of application rulesets Auditing logs of security contexts Auditing logs of login attempts from /var/log/auth.log Auditing logs of user management or group manageme

Threat detection of escalated privileges in Linux with Python

You can investigate escalated privileges by collecting relevant machine data from your endpoint. You can use the machine data to create your own analysis. Before you start your investigation you will need to determine normal activity on your endpoint. Normal activity is the scope of functionality of the software on your endpoint during periods of low activity and high activity. You will need some kind of software that periodically collects specific machine data from your endpoint like my software developed in Python that's available for free download at https://github.com/davidbrennerjr/server-stats-collector Ingest one or more of the following machine data from Category #1. Ingest one or more of the following machine data from Category #2. Category #1 General system-wide error messages from /var/log/syslog Auditing logs of application rulesets Auditing logs of security contexts Auditing logs of login attempts from /var/log/aut

Threat detection of DDoS in Linux with Python

You can investigate suspicious activity that could be distributed denial of service by collecting relevant machine data from your endpoint. You can use the machine data to create your own analysis. Before you start your investigation you will need to determine normal activity on your endpoint. Normal activity is the scope of functionality of the software on your endpoint during periods of low activity and high activity. You will need some kind of software that periodically collects specific machine data from your endpoint like my software developed in Python that's available for free download at https://github.com/davidbrennerjr/server-stats-collector Ingest the following machine data: Application specific logs from /var/log Raw dumps from sniffing at Layers 2-3 Raw dumps from /proc of kernel data structures Raw dumps of kernel routing tables General system-wide error messages from /var/log/syslog D

Application behavior monitoring in Linux with Python

You can monitor application behaviors by collecting relevant machine data from your endpoint. You can use the machine data to investigate suspicious activity and create your own analysis. Before you start your investigation you will need to determine normal activity on your endpoint. Normal activity is the scope of functionality of the software on your endpoint during periods of low activity and high activity. You will need some kind of software that periodically collects specific machine data from your endpoint like my software developed in Python that's available for free download at https://github.com/davidbrennerjr/server-stats-collector Ingest one or more of the following machine data from Category #1. Ingest one or more of the following machine data from Category #2. Category #1 General system-wide error messages from /var/log/syslog Auditing logs of application rulesets Auditing logs of security contexts Auditing logs of

Threat hunting behavior anomaly in Linux with Python

You can investigate suspicious activity that could be a behavior anomaly by collecting relevant machine data from your endpoint. You can use the machine data to create your own analysis. Before you start your investigation you will need to determine normal activity on your endpoint. Normal activity is the scope of functionality of the software on your endpoint during periods of low activity and high activity. You will need some kind of software that periodically collects specific machine data from your endpoint like my software developed in Python that's available for free download at https://github.com/davidbrennerjr/server-stats-collector Ingest one or more of the following machine data: General system-wide error messages from /var/log/syslog Auditing logs of application rulesets Auditing logs of security contexts Auditing logs of login attempts from /var/log/auth.log Auditing logs of user management or group manage

Threat detection of Advanced Persistent Threat in Linux with Python

You can investigate suspicious activity that could be Advanced Persistent Threat (APT) by collecting relevant machine data from your endpoint. You can use the machine data to create your own analysis. Before you start your investigation you will need to determine normal activity on your endpoint. Normal activity is the scope of functionality of the software on your endpoint during periods of low activity and high activity. You will need some kind of software that periodically collects specific machine data from your endpoint like my software developed in Python that's available for free download at https://github.com/davidbrennerjr/server-stats-collector Ingest one or more of the following machine data from Category #1. Ingest one or more of the following machine data from Category #2. And ingest one or more of the following machine data from Category #3. Category #1 General system-wide error messages from /var/log/syslog Auditing logs of app

Threat hunting fileless malware in Linux with Python

You can investigate suspicious activity that could be fileless malware by collecting relevant machine data from your endpoint. You can use the machine data to create your own analysis. Before you start your investigation you will need to determine normal activity on your endpoint. Normal activity is the scope of functionality of the software on your endpoint during periods of low activity and high activity. You will need some kind of software that periodically collects specific machine data from your endpoint like my software developed in Python that's available for free download at https://github.com/davidbrennerjr/server-stats-collector Ingest one or more of the following machine data from Category #1. Ingest one or more of the following machine data from Category #2. And ingest one or more of the following machine data from Category #3. Category #1 General system-wide error messages from /var/log/syslog Auditing logs of application ruleset

Perform forensics investigations in Linux with Python

You can perform forensics investigations of suspicious activity by collecting relevant machine data from your endpoint. You can use the machine data to create your own analysis. Before you start your investigation you will need to determine normal activity on your endpoint. Normal activity is the scope of functionality of the software on your endpoint during periods of low activity and high activity. You will need some kind of software that periodically collects specific machine data from your endpoint like my software developed in Python that's available for free download at https://github.com/davidbrennerjr/server-stats-collector Ingest one or more of the following machine data: General system-wide error messages from /var/log/syslog Auditing logs of application rulesets Auditing logs of security contexts Auditing logs of login attempts from /var/log/auth.log Auditing logs of user management or group management

Network traffic monitoring in Linux with Python

You can investigate suspicious activity in your network traffic by collecting relevant machine data from your endpoint. You can use the machine data to create your own analysis. Before you start your investigation you will need to determine normal activity on your endpoint. Normal activity is the scope of functionality of the software on your endpoint during periods of low activity and high activity. You will need some kind of software that periodically collects specific machine data from your endpoint like my software developed in Python that's available for free download at https://github.com/davidbrennerjr/server-stats-collector Ingest one or more of the following machine data: Application specific logs from /var/log Raw dumps from sniffing at Layers 2-3 Raw dumps from /proc of kernel data structures Raw dumps of kernel routing tables General system-wide error messages from /var/log/syslog Do you

Threat hunting a network attack in Linux with Python

You can investigate suspicious activity that could be a network attack by collecting relevant machine data from your endpoint. You can use the machine data to create your own analysis. Before you start your investigation you will need to determine normal activity on your endpoint. Normal activity is the scope of functionality of the software on your endpoint during periods of low activity and high activity. You will need some kind of software that periodically collects specific machine data from your endpoint like my software developed in Python that's available for free download at https://github.com/davidbrennerjr/server-stats-collector Ingest one or more of the following machine data from Category #1. Ingest one or more of the following machine data from Category #2. And ingest one or more of the following machine data from Category #3. Category #1 General system-wide error messages from /var/log/syslog Auditing logs of application ruleset

Threat hunting polymorphic malware in Linux with Python

You can investigate suspicious activity that could be polymorphic malware by collecting relevant machine data from your endpoint. You can use the machine data to create your own analysis. Before you start your investigation you will need to determine normal activity on your endpoint. Normal activity is the scope of functionality of the software on your endpoint during periods of low activity and high activity. You will need some kind of software that periodically collects specific machine data from your endpoint like my software developed in Python that's available for free download at https://github.com/davidbrennerjr/server-stats-collector Ingest one or more of the following machine data from Category #1. Ingest one or more of the following machine data from Category #2. And ingest one or more of the following machine data from Category #3. Category #1 General system-wide error messages from /var/log/syslog Auditing logs of application rule

What is machine data?

Machine data is information automatically generated by computer software in the form of a log message, debug message, error message, or status message, as a response to an event. Usuallly the information was generated for the purpose of troubleshooting computer software and computer hardware. Machine data includes informative information about the performance of an operating system from services and processes like package management, resource utilization, and network management. AWS Logs Informative data from support service monitoring, alarms and a dashboards for metrics, and can also track security-relevant activities, such as login and logout events. Authentication Authentication data can help identify users that are struggling to log in to applications and provide insight into potentially anomalous behaviors, such as activities from different locations within a specified time period. Firewall Firewall data can provide visibility into blocked traffic in case an applicatio

Principal Component Analysis

Principal Component Analysis (PCA) is a common technique in statistical analysis, widely used for pattern recognition, data compression, image preprocessing, signal-noise analysis, and high resolution spectrum analysis. Principal Component Analysis transforms a group of activites into a set of unique components, where each component has a numerical degree of distance and relatedness from an agreed on centered component. The first component has the largest possible variance (it accounts for most of the variability in the group). Each succeeding component has the highest variance that is orthogonal to the preceding components. The transformation of the group proceeds linearly from a group with a high degree of dimensionality to a group with a low degree of dimensionality of which the components of the group with a low degree of dimensionality are uncorrelated. Principal Component Analysis is also used in the forecast of a most likely outcome through time-series analysis and regress

What are network attacks?

Network attacks can be divided into two main categories, active attacks and passive attacks. Active attacks involve a malicious actor actively manipulating the design of a network in order to exploit some sort of vulnerability in a targeted endpoint. Active attacks involve things like packet generation, code injection, man-in-the-middle, and denial of service. Passive attacks involve a malicious actor staying hidden while reading and saving information of interest exchanged by various nodes on a network. Passive attacks include things like traffic analysis, traffic sniffing, and key logging. Active Attacks Packet Generation: Replay Attack, Masquerading Code Injection: 0-day Attack, Malware, Spyware, Phishing Packet Alteration: Man-In-The-Middle, Session Hijacking Service Compromise: Denial of Service, Distributed Denial of Service, SQL Injection Passive Attacks Eavesdropping & Interception: Traffic Analysis, Traffic Sniffing, Key Logging

What are attack vectors?

In the generalized sense an attack vector is a path or means by which a hacker can gain unauthorized access to an endpoint in order to deliver a payload or to facilitate a crime. Attack vectors enable hackers to exploit vulnerabilities in the design of a network through the manipulation of applications and protocols. Attack vectors typically manipulate the software installed in the operating system of an endpoint. Examples of attack vectors are email attachments, pop-up windows, instant messages, service configurations, new software, and firewall modifications. Human ignorance or weaknesses could also be used for engineering attack vectors. For example, users could be fooled into weakening network defenses during times of remote collaboration and file sharing. Anti-virus software and firewalls do provide some defense or block attack vectors to some extent. Some of the mitigation measures used to thwart hackers usage of attack vectors include deep packet inspection, IP source trackers

7 Current Trends in High Performance

1. Design servers which handle requests as microservices . 2. Design routing handlers from event-driven, non-blocking I/O models like NodeJS, libev, libevent. 3. Use a high performance load balancer like HAProxy. 4. Use a reverse proxy that caches application delivery like Nginx. 5. Use a content delivery network provider that handles subsequent requests for your static content by caching your files at their edge nodes. 6. Use a content delivery network provider that dedicates cache space globally for your website at their edge nodes. 7. Use a content delivery network provider that performs dynamic content acceleration for your website. Do you have a suggestion about how to improve this blog? Let's talk about it. Contact me at David.Brenner.Jr@Gmail.com or 720-584-5229.