Amazon Security Lake

1. Introduction

Amazon Security Lake is a fully-managed security data lake service that helps you analyze security data, so you can get a more complete understanding of your security posture across the entire organization.

AIShield is an AI-security product designed to protect AI-powered devices in the face of emerging security threats such as Model Extraction, Evasion, Data Poisoning, and Model Inference attacks. AIShield provides automated hacker-level vulnerability analysis and endpoint protection to harden the systems against emerging AI-security threats. The AIShield-provided Threat Informed Endpoint Defense (EDR) integrates with Amazon Security Lake as a custom source to deliver enhanced real-time monitoring capabilities to security teams for their AI assets, giving them insight into AI security incidents.

AIShield Threat Informed Endpoint Defense (EDR) supports storing OCSF-formatted Security Finding events in S3 as a custom source of Amazon Security Lake.

2. Configure Amazon Security Lake

Pre-requisite for AIShield

Users must use the AIShield product to scan their AI model for vulnerabilities and generate a Threat Informed Endpoint Defense (EDR) capable of integrating with Security Lake. To complete this step, please get in touch with [email protected]

Pre-requisite for Amazon Security Lake.

You must have Amazon Security Lake enabled.

2.1. Create a custom source for AIShield 

Please follow the official documentation to register AIShield as a custom source.

Use Security Finding as the OCSF event class and name the custom source AIShield.

To create the source:

1. From the Amazon Security Lake console, select Custom sources.
2. Select Create custom source. The Create custom data source page opens.
3. Enter AIShield as the Data source name.
4. Enter Security Findings as the OCSF event class.
5. For AWS account with permission to write data, enter the AWS account ID and External ID (Org_ID) of the custom source that will write logs and events to the data lake. After you subscribe to the AIShield product through AWS Marketplace or by reaching out to our sales contact and complete the registration, you can expect to receive a welcome email containing your Organization ID.
6. In the Service Access section, create and use a new service role or use an existing service role for the Glue crawler. AWS Glue is used to crawl the data that AIShield Threat Informed Endpoint Defense (EDR) pushes to the Security Lake, so it needs permission to read it. Learn more about AWS Glue crawler.
7. Select Create. An AWS Service Role name is created. The role has permission to push files into the Security Lake bucket, under the proper prefix.
8. On the page that opens, copy the Bucket name under the Location section. You'll need the bucket_name, aws_region, prefix, roleARN, and externalID when configuring the integration in the AIShield-provided Threat Informed Endpoint Defense (EDR).


2.2. Connect AIShield Threat Informed Endpoint Defense (EDR) to Amazon Security Lake

AIShield supports two deployment strategies. You can download the defense artifact after your job runs successfully. The defense artifact contains the defense model in .h5 and .onnx formats, one Python file, and a readme file describing the steps to follow to use it. Assuming you have already downloaded the artifact, you can follow the steps below to configure the defense with Amazon Security Lake.

The AIShield-provided Threat Informed Defense Model zip folder contains the following files:

1. Defense Model Architecture image
2. Defense Model Classification Report image
3. Defense Model Confusion Matrix image
4. Defense Model (h5 format)
5. defense_model (onnx format)
6. Predict.py
7. ReadMe.txt

The following steps describe the procedure to integrate and test the AIShield-provided Threat Informed Defense Model (EDR).

Note: Ensure that your AWS credentials are properly configured (e.g., in your AWS CLI configuration or environment variables), since you need initial credentials to assume the role.

Step 1: Install Python Packages


Step 2: Import AISDefenseModel and necessary libraries


Step 3: Load the TensorFlow model

The defense_model_path variable stores the file path on the local system where the defense model is expected to be found.


Step 4: Create AISDefenseModel with Connector


Parameters:

  • aws_bucket_name: The name of the Amazon S3 bucket in which Security Lake stores your custom source data.
  • prefix: Prefix for the custom source in your S3 bucket. Amazon Security Lake stores all S3 objects for a given source under this prefix, and the prefix is unique to the given source, e.g. ext/AIShield
  • aws_role_arn: The ARN of the role created by Amazon Security Lake at the Custom Source registration.
  • aws_region_name: AWS Region to which the data is written.
  • external_id: Enter the ID that you specified when creating your Amazon Security Lake custom source.
  • roleARN: ARN of your Amazon Security Lake to log event data.

Step 5: Test AISDefenseModel

Load the necessary data and use AIShield provided attack data for testing the defense model.

Once the AIShield-provided Threat Informed Endpoint Defense (EDR) app is sending logs to the Amazon Security Lake S3 bucket, you will be able to see.

2.3. Validation

After configuring Amazon Security Lake, data will be synced to your S3 bucket. Check the bucket and make sure new files are written under the prefix.

Contact AIShield support at [email protected] if you have an issue validating or troubleshooting.

3. OCSF Information

The table below shows how the Detection properties are mapped from the AIShield Threat Informed Endpoint Defense (EDR) format into the OCSF Security Finding Class. Read more here: Open Cybersecurity Schema Framework

| OCSF Key | OCSF Value Type | AIShield Trigger API Value |
|---|---|---|
| activity_id * | Integer | New: 1, Ongoing: 2 |
| activity_name | String | "Generate" |
| category_uid * | Integer | 2 |
| class_name | String | "Security Finding" |
| class_uid * | Integer | 2001 |
| message | String | Detection.title |
| state_id * | Integer | 1 - New finding |
| type_uid * | Integer | Security Finding: Create |
| time * | Timestamp | The normalized event occurrence time. |
| confidence_score | Integer | The confidence score as reported by AIShield. |
| risk_level | String | The risk level defined by AIShield. |
| finding.uid * | String | Detection.id |
| finding.title * | String | Detection.title |
| finding.desc * | String | Detection.description |
| metadata.labels * | String | "AI Security","Image Classification" |
| metadata.product.lang * | String | "en" |
| metadata.product.name * | String | "AIShield" |
| metadata.product.version * | String | System.version |
| metadata.product.vendor_name * | String | "AIShield AI Security Monitoring" |
| metadata.version * | String | "1.0.0" |
| metadata.profiles * | String | security_finding |
| observables | List of Objects | ["IP Address","Hostname","Process Name"] |
| severity | String | Detection.riskScore |
| severity_id * | Integer | Detection.riskScore |
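The mapping above can be checked before events reach the lake. The following is an added example, not AIShield's own code: it builds a Security Finding record from a constructed detection and reports any `*`-marked key that is absent or empty. Assumptions: the detection dict shape, that `*` marks mandatory keys, that riskScore is already on the OCSF severity scale, and that labels and profiles are emitted as lists.

```python
import time

# Keys marked with * in the mapping table; treated as mandatory (assumption).
STARRED = ["activity_id", "category_uid", "class_uid", "state_id", "type_uid",
           "time", "finding.uid", "finding.title", "finding.desc",
           "metadata.labels", "metadata.product.lang", "metadata.product.name",
           "metadata.product.version", "metadata.product.vendor_name",
           "metadata.version", "metadata.profiles", "severity_id"]
# OCSF severity_id captions.
SEVERITY = {0: "Unknown", 1: "Informational", 2: "Low", 3: "Medium",
            4: "High", 5: "Critical", 6: "Fatal"}
# Constructed sample detection (hypothetical shape, not real AIShield output).
SAMPLE = {"id": "det-0001", "title": "Model extraction attempt",
          "description": "Constructed example", "riskScore": 4}

def build_finding(detection, system_version, ongoing=False, now_ms=None):
    """Map a detection dict onto the OCSF keys listed in the table."""
    activity_id = 2 if ongoing else 1      # New: 1, Ongoing: 2
    class_uid = 2001
    sev = int(detection["riskScore"])      # assumed to be on the OCSF scale
    return {
        "activity_id": activity_id, "activity_name": "Generate",
        "category_uid": 2, "class_name": "Security Finding",
        "class_uid": class_uid,
        "type_uid": class_uid * 100 + activity_id,  # OCSF type_uid convention
        "message": detection["title"], "state_id": 1,
        "time": now_ms if now_ms is not None else int(time.time() * 1000),
        "severity_id": sev, "severity": SEVERITY.get(sev, "Other"),
        "finding": {"uid": detection["id"], "title": detection["title"],
                    "desc": detection["description"]},
        "metadata": {"labels": ["AI Security", "Image Classification"],
                     "product": {"lang": "en", "name": "AIShield",
                                 "version": system_version,
                                 "vendor_name": "AIShield AI Security Monitoring"},
                     "version": "1.0.0", "profiles": ["security_finding"]},
    }

def missing_keys(event):
    """Return the starred dotted keys that are absent or empty in the event."""
    missing = []
    for dotted in STARRED:
        node = event
        for part in dotted.split("."):
            node = node.get(part) if isinstance(node, dict) else None
        if node is None or node == "" or node == []:
            missing.append(dotted)
    return missing
```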









4. Support

For help using the AIShield platform or the AIShield Threat Informed Endpoint Defense (EDR) App integration with Amazon Security Lake, please contact the AIShield support. You can also send an email to [email protected] with questions about this.

Updated 30 Jan 2024