Amazon Security Lake
Amazon Security Lake is a fully-managed security data lake service that helps you analyze security data, so you can get a more complete understanding of your security posture across the entire organization.
AIShield is an AI-security product designed to protect AI-powered devices in the face of emerging security threats such as Model Extraction, Evasion, Data Poisoning, and Model Inference attacks. AIShield provides automated hacker-level vulnerability analysis and endpoint protection to harden the systems against emerging AI-security threats. AIShield provided Threat Informed Endpoint Defense (EDR) that integrates with Amazon Security Lake as custom source to deliver enhanced real-time monitoring capabilities to security teams for their AI assets, giving them insights into AI security incidents.
AIShield Threat Informed Endpoint Defense (EDR) supports OCSF formatted security finding events storing in S3, as a custom source of Amazon Security Lake.
Pre-requisite for AIShield
Users will have to leverage AIShield product to scan their AI model for vulnerabilities and generate Threat Informed Endpoint Defense (EDR) capable of integrating with Security Lake. To complete this step, please get in touch with [email protected]
Pre-requisite for Amazon Security Lake.
You must have Amazon Security Lake enabled.
Please follow the official documentation to register AIShield as a custom source.
The OCSF Event class to use is Security Finding and name custom source as AIShield.
To create the source: 1. From the Amazon Security Lake console, select Custom sources. 2. Select Create custom source. The Create custom data source page opens.
3. Enter AIShield as the Data source name. 4. Enter Security Findings as the OCSF event class. 5. For AWS account with permission to write data, enter the AWS account ID and External ID(Org_ID) of the custom source that will write logs and events to the data lake. Upon subscribing to the AIShield product through AWS Marketplace or by reaching out to our sales contact, following the registration, you can expect to receive a welcome email containing your Organization ID. 6. In the Service Access section, create and use a new service role or use an existing service role for the Glue crawler. AWS Glue is used to crawl the data AIShield Threat Informed Endpoint Defense (EDR) pushes to the Security Lake. As a result, it needs permission to read it. Learn more about AWS Glue crawler. 7. Select Create. An AWS Service Role name is created. The role has permission to push files into the Security Lake bucket, under the proper prefix. 8. On the page that opens, copy the Bucket name under the Location section. You’ll need the bucket_name, aws_region, prefix, roleARN, externalID when configuring the integration in AIShield provided Threat Informed Endpoint Defense(EDR).
AIShield supports two deployment strategies. You can download the defense artifact after your job runs successfully. The defense artifact will contain the defense model in .h5 and .onnx formats, one Python file, and a readme file describing the steps to follow to use it. Assuming you have already downloaded the artifact, you can follow the steps below to configure the defense with amazon security lake.
AIShield provided Threat Informed Defense Model zip folder contains the following files.
1. Defense Model Architecture image 2. Defense Model Classification Report image 3. Defense Model Confusion Matrix Image 4. Defense Model (h5 format) 5. defense_model (onxx format) 6. Predict.py 7. ReadMe.txt
Following steps describe the procedure to integrate and test AIShield provided Threat Informed Defense Model(EDR).
Note : Ensure that your AWS credentials are properly configured (e.g., in your AWS CLI configuration or environment variables) since you need initial credentials to assume the role.
defense_model_path variable is used to store the file path or location on the local system where a defense model is expected to be found.
Parameters:
- aws_bucket_name:The name of the Amazon S3 bucket in which Security Lake stores your custom source data.
- prefix: Prefix for the custom source in your S3 bucket. Amazon Security Lake stores all S3 objects for a given source under this prefix, and the prefix is unique to the given source. e.g ext/AIShield
- aws_role_arn:The ARN of the role created by Amazon Security Lake at the Custom Source registration
- aws_region_name: AWS Region to which the data is written.
- external_id: Enter the ID that you specified when creating your Amazon Security Lake custom source.
- roleARN: ARN of your Amazon Security Lake to log event data.
Load the necessary data and use AIShield provided attack data for testing the defense model.
Once AIShield provided Threat Informed Endpoint Defense (EDR) app sending logs to Amazon Security Lake S3 bucket and you will be able to see.
After configuring Amazon Security Lake, data will be synced to your s3 bucket. Check the bucket and make sure new files are written under the prefix.
Contact AIShield support at [email protected]. if you have an issue validating or troubleshooting.
The below table represents how the Detection properties are mapped from AIShield Threat Informed Endpoint Defense(EDR) format into the OCSF Security Finding Class.Read more here: Open Cybersecurity Schema Framework
OCSF Key | OCSF Value Type | AIShield Trigger API Value |
|---|---|---|
activity_id * | Integer | New: 1, Ongoing: 2 |
activity_name | String | “Generate” |
category_uid * | Integer | 2 |
class_name | String | “Security Finding” |
class_uid * | Integer | 2001 |
message | String | Detection.title |
state_id * | Integer | 1 - New finding |
type_uid * | Integer | Security Finding: Create |
time * | Timestamp | The normalized event occurrence time. |
confidence_score | Integer | The confidence score as reported by the AIShield. |
risk_level | String | The risk level idefined by the AIShield. |
finding.uid * | String | Detection.id |
finding.title * | String | Detection.title |
finding.desc * | String | Detection.description |
metadata.labels * | String | "AI Security","Image Classification" |
metadata.product.lang * | String | “en” |
metadata.product.name * | String | "AIShield" |
metadata.product.version * | String | System.version |
metadata.product.vendor_name * | String | "AIShield AI Security Monitoring" |
metadata.version * | String | “1.0.0” |
metadata.profiles * | String | security_finding |
observables | List of Objects | ["IP Address","Hostname","Process Name"] |
severity | String | Detection.riskScore |
severity_id * | Integer | Detection.riskScore |
| | |
For help using the AIShield platform or the AIShield Threat Informed Endpoint Defense (EDR) App integration with Amazon Security Lake, please contact the AIShield support. You can also send an email to [email protected] with questions about this.