Amazon Security Lake

1. Introduction

Amazon Security Lake is a fully managed security data lake service that helps you analyze security data, so you can get a more complete understanding of your security posture across the entire organization.

AIShield is an AI security product designed to protect AI-powered devices in the face of emerging security threats such as model extraction, evasion, data poisoning, and model inference attacks. AIShield provides automated hacker-level vulnerability analysis and endpoint protection to harden the systems against emerging AI security threats.

The AIShield provided threat informed endpoint defense (EDR) integrates with Amazon Security Lake as a custom source to deliver enhanced real-time monitoring capabilities to security teams for their AI assets, giving them insights into AI security incidents. AIShield threat informed endpoint defense (EDR) supports storing OCSF-formatted Security Finding events in S3, as a custom source of Amazon Security Lake.

2. Configure Amazon Security Lake

Prerequisite for AIShield: Users will have to leverage the AIShield product to scan their AI model for vulnerabilities and generate a threat informed endpoint defense (EDR) capable of integrating with Security Lake. To complete this step, please get in touch with AIShield.Contact@bosch.com.

Prerequisite for Amazon Security Lake: You must have Amazon Security Lake enabled.

2.1 Create a custom source for AIShield

Please follow the official documentation (https://docs.aws.amazon.com/security-lake/latest/userguide/custom-sources.html) to register AIShield as a custom source. The OCSF event class to use is Security Finding, and the custom source should be named AIShield.

To create the source:

1. From the Amazon Security Lake console, select Custom sources.
2. Select Create custom source. The Create custom data source page opens.
3. Enter AIShield as the data source name.
4. Enter Security Findings as the OCSF event class.
5. For AWS account with permission to write data, enter the AWS account ID and external ID (org ID) of the custom source that will write logs and events to the data lake. Upon subscribing to the AIShield product through AWS Marketplace or by reaching out to our sales contact, following the registration, you can expect to receive a welcome email containing your organization ID.
6. In the Service Access section, create and use a new service role or use an existing service role for the Glue crawler. AWS Glue is used to crawl the data that AIShield threat informed endpoint defense (EDR) pushes to the Security Lake. As a result, it needs permission to read it. Learn more about AWS Glue crawler.
7. Select Create. An AWS service role is created. The role has permission to push files into the Security Lake bucket, under the proper prefix.
8. On the page that opens, copy the bucket name under the Location section. You'll need the bucket name, AWS region, prefix, roleArn, and externalId when configuring the integration in the AIShield provided threat informed endpoint defense (EDR).

2.2 Connect AIShield threat informed endpoint defense (EDR) to Amazon Security Lake

AIShield supports two deployment strategies. You can download the defense artifact after your job runs successfully. The defense artifact will contain the defense model in h5 and ONNX formats, one Python file, and a readme file describing the steps to follow to use it. Assuming you have already downloaded the artifact, you can follow the steps below to configure the defense with Amazon Security Lake.

The AIShield provided threat informed defense model zip folder contains the following files:

1. Defense model architecture image
2. Defense model classification report image
3. Defense model confusion matrix image
4. Defense model (h5 format)
5. Defense model (ONNX format)
6. predict.py
7. readme.txt

The following steps describe the procedure to integrate and test the AIShield provided threat informed defense model (EDR).

Note: Ensure that your AWS credentials are properly configured (e.g., in your AWS CLI configuration or environment variables), since you need initial credentials to assume the role.

Step 1: Install Python packages

```
pip install numpy
pip install tqdm
pip install tensorflow
# The cv2 module is published on PyPI as opencv-python
pip install opencv-python
```

Step 2: Import AISDefenseModel and necessary libraries

```python
from predict import AISDefenseModel
import tensorflow
import cv2
import numpy as np
```

Step 3: Load the TensorFlow model

The defense_model_path variable stores the file path on the local system where the defense model is expected to be found.

```python
defense_model = tensorflow.keras.models.load_model(defense_model_path)
```

Step 4: Create AISDefenseModel with connector

```python
model = AISDefenseModel(defense_model, aws_bucket_name, prefix, aws_role_arn, aws_region_name, external_id)
```

Parameters:

- aws_bucket_name: The name of the Amazon S3 bucket in which Security Lake stores your custom source data.
- prefix: Prefix for the custom source in your S3 bucket. Amazon Security Lake stores all S3 objects for a given source under this prefix, and the prefix is unique to the given source, e.g. ext/aishield.
- aws_role_arn: The ARN of the role created by Amazon Security Lake at the custom source registration.
- aws_region_name: AWS region to which the data is written.
- external_id: Enter the ID that you specified when creating your Amazon Security Lake custom source.
- roleArn: ARN of your Amazon Security Lake to log event data.

Step 5: Test AISDefenseModel

Load the necessary data and use the AIShield provided attack data for testing the defense model.

```python
# attack_data_list refers to the AIShield provided attack data
attack_data = load_data(attack_data_list)
model.predict(attack_data)
```

Once the AIShield provided threat informed endpoint defense (EDR) app is sending logs to the Amazon Security Lake S3 bucket, you will be able to see

2.3 Validation

After configuring Amazon Security Lake, data will be synced to your S3 bucket. Check the bucket and make sure new files are written under the prefix. Contact AIShield support at AIShield.Contact@bosch.com if you have an issue validating or troubleshooting.

3. OCSF information

The table below shows how the detection properties are mapped from the AIShield threat informed endpoint defense (EDR) format into the OCSF Security Finding class. Read more here: Open Cybersecurity Schema Framework, https://schema.ocsf.io/classes/security_finding

| OCSF key | OCSF value type | AIShield trigger API value |
| --- | --- | --- |
| activity_id | Integer | New: 1, Ongoing: 2 |
| activity_name | String | "generate" |
| category_uid | Integer | 2 |
| class_name | String | "Security Finding" |
| class_uid | Integer | 2001 |
| message | String | Detection title |
| state_id | Integer | 1 (new finding) |
| type_uid | Integer | Security Finding: Create |
| time | Timestamp | The normalized event occurrence time |
| confidence_score | Integer | The confidence score as reported by AIShield |
| risk_level | String | The risk level defined by AIShield |
| finding.uid | String | Detection ID |
| finding.title | String | Detection title |
| finding.desc | String | Detection description |
| metadata.labels | String | "ai security", "image classification" |
| metadata.product.lang | String | "en" |
| metadata.product.name | String | "aishield" |
| metadata.product.version | String | System version |
| metadata.product.vendor_name | String | "aishield ai security monitoring" |
| metadata.version | String | "1.0.0" |
| metadata.profiles | String | Security finding |
| observables | List of objects | ["ip address", "hostname", "process name"] |
| severity | String | Detection riskscore |
| severity_id | Integer | Detection riskscore |

```
{
  "activity_id": 1,
  "activity_name": "generate",
  "category_uid": 2,
  "class_name": "ai security finding for model attack ",
  "class_uid": 2001,
  "message": "image classification ai model extraction attack identified",
  "confidence_score": 0.0,
  "risk_level": "low suspicious attack",
  "metadata": {
    "labels": [
      "ai security",
      "image classification"
    ],
    "product": {
      "lang": "en",
      "name": "aishield",
      "vendor_name": "aishield",
      "version": "5.4"
    },
    "profiles": [
      "security finding"
    ],
    "version": "0.39.0"
  },
  "finding": {
    "title": "aishield image classification model extraction vulnerability detection",
    "uid": "2",
    "desc": "this query detects image classification model extraction vulnerability alert from aishield. please check the source for more information and investigate further."
  },
  "observables": [
    {
      "name": "ip address",
      "type": "ip address",
      "type_id": 2,
      "value": "ipaddr"
    },
    {
      "name": "hostname",
      "type": "email",
      "type_id": 1,
      "value": "hostname"
    },
    {
      "name": "process name",
      "type": "email",
      "type_id": 9,
      "value": "image classification extraction defense engine"
    }
  ],
  "severity": "low",
  "severity_id": 2,
  "time": currenttime,
  "type_uid": 200101,
  "state_id": 1
}
```

4. Support

For help using the AIShield platform or the AIShield threat informed endpoint defense (EDR) app integration with Amazon Security Lake, please contact AIShield support. You can also send an email to AIShield.Contact@in.bosch.com with questions about this.
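
A consistency check for events shaped like the sample in the OCSF information section, useful before trusting what lands under the custom source prefix. This is an added example, not AIShield or AWS code: `validate_finding`, the required-field list and the sample values are assumptions of the example, while the uid values follow the OCSF Security Finding class the page links to.

```python
# Added example: consistency checks for an OCSF Security Finding event.
CLASS_UID, CATEGORY_UID = 2001, 2          # values from the page's mapping table
# Fields this example treats as mandatory (an assumption of the example).
REQUIRED = ("activity_id", "category_uid", "class_uid", "finding", "metadata",
            "severity_id", "state_id", "time", "type_uid")
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium", 4: "High", 5: "Critical"}
OBSERVABLE_TYPES = {1: "Hostname", 2: "IP Address", 9: "Process Name"}


def validate_finding(event):
    """Return a list of problems; an empty list means the event is consistent."""
    problems = [f"missing field: {k}" for k in REQUIRED if k not in event]
    if problems:
        return problems
    if (event["class_uid"], event["category_uid"]) != (CLASS_UID, CATEGORY_UID):
        problems.append("class_uid/category_uid are not Security Finding (2001/2)")
    # OCSF derives type_uid from the class and the activity.
    expected = event["class_uid"] * 100 + event["activity_id"]
    if event["type_uid"] != expected:
        problems.append(f"type_uid {event['type_uid']} != {expected}")
    if not isinstance(event["time"], int):
        problems.append("time is not an integer epoch-millisecond timestamp")
    caption = SEVERITY.get(event["severity_id"])
    if caption is None or event.get("severity", caption).lower() != caption.lower():
        problems.append("severity does not match severity_id")
    # Each observable's type caption must agree with its numeric type_id.
    for obs in event.get("observables", []):
        caption = OBSERVABLE_TYPES.get(obs.get("type_id"))
        if caption is None or str(obs.get("type", "")).lower() != caption.lower():
            problems.append(f"observable {obs.get('name')}: type/type_id mismatch")
    return problems


# Constructed sample, shaped like the event shown on this page.
SAMPLE = {
    "activity_id": 1, "activity_name": "generate", "category_uid": 2,
    "class_uid": 2001, "type_uid": 200101, "state_id": 1,
    "time": 1700000000000, "severity": "low", "severity_id": 2,
    "message": "image classification ai model extraction attack identified",
    "finding": {"uid": "2", "title": "constructed title"},
    "metadata": {"product": {"name": "aishield"}, "version": "0.39.0"},
    "observables": [
        {"name": "ip address", "type": "ip address", "type_id": 2, "value": "192.0.2.10"},
        {"name": "hostname", "type": "email", "type_id": 1, "value": "host.example"},
    ],
}

if __name__ == "__main__":
    for problem in validate_finding(SAMPLE):
        print(problem)
```

Run over objects read back from the bucket, a non-empty result points at events that a subscriber's queries on `type_uid`, `severity_id` or observable type would silently miss.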