



# Neuromorphic Data Microscope CLSAC'16

October 28, 2016 David Follett Founder, CEO Lewis Rhodes Labs (LRL) david@lewis-rhodes.com 978-273-0537





### Vision

#### Neuromorphic Processing Units (NPUs) stunningly power efficient at pattern matching

#### Data Center & Cloud Impact profoundly changes economics



#### Why Neuromorphic? Power/op & Cost/op







#### Legacy Von Neumann Architecture (CPU)



#### Complex processor

- Extraordinarily flexible
- Data processing via sequential instructions
- Simple memory

#### **Neuromorphic Processing Unit (NPU)**



#### Simple processor

- Massively parallel integrators
- Complex memory
  - Data processing via efficacy & temporal/spatial mapping
  - Processing is multi-dimensional



### **Computer Science Perspective**



#### Neuromorphic Cyber Systems



### Some Interesting Features

- NPU integrates key mission requirements, ex.,
  - Context switching
  - Dynamic programmability
  - Behavioral characterization
  - Time & Order invariance
  - Pervasive analysis
  - Basic statistical operations
- Current device uses a single neuron type
  - Can extend HW architecture through novel neurons
  - > Example: more complex statistical operations



### Scalability

#### Device

Bandwidth x Expressions = Constant

#### FPGA

2.5 Gb/s x ≈ 1,000 Expressions 5 Gb/s x ≈ 500 Expressions 10 Gb/s x ≈250 Expressions etc.

ASIC 20 Gb/s x ≈ 20,000 Expressions 40 Gb/s x ≈ 10,000 Expressions 80 Gb/s x ≈ 5,000 Expressions etc.

#### System

Arbitrary Depth & Width





### Latest Product



# Standards Hide Complexity





# **Throughput Efficiency**



Note 1: Theoretical Max bounded by context switching Note 2: Un-optimized generic Altera DMA Interface Note 3: CUDA style DMA planed for next generation



# **Graph Analytics Scaling Example**



#### Parallel Application Support

Applications completely Independent
 No performance degradation
 Integrated cloud extremely scalable





### **CYBER APPLICATION**

Neuromorphic Cyber Systems

©Lewis Rhodes Labs



## **Exemplar Intel Community IDS**





## **Practical Considerations**

- Hardware sensor cost extremely high
  - ex. 10GbE IDS >\$100k
  - Cost limits <u>number & resolution</u> of HW sensors
- Software sensors often resource intensive
  - > ex. ROP detectors require most of the CPU
  - Cost limits <u>number & resolution</u> of SW sensors
- Analyst's priority, reduce False Negatives
  - > Achieved by detuning sensors, ie. large # of False Positives
  - Major source of noise, direct result of sensor cost
- Detuned sensors are more vulnerable to attack
  > Spoofing & Flooding are common



# Analyst's Top Priority

Signal/Noise is killing analyst community





### **Root Cause: Resolution**



- True Positives (TP)
  Potential False Positives (FP)
- Expression Coverage

#### **State-of-the-Art Sensors**

#### ex. Suricata

- Cost limits resolution
- TPs identified but
- Many FPs captured
- Splunk database,
  - Low Accuracy
  - Poor signal/noise ratio
  - It's still a haystack
- S/N is killing the analysts



# **Neuro: Resolution**

#### Cyber Microscope



True Positives (TP)
 Potential False Positives (FP)
 Expression Coverage

#### Neuromorphic

- Speed creates resolution
  - Same number of TPs
  - Dramatically fewer FPs
- Greater Accuracy
- Higher Signal/Noise ratio
- Profound impact on analysts



# Analyst's Second Priority

#### **Reduce False Negatives**





# Root Cause: Temporal Variance

Simplest form of behavior prediction



#### **Temporal Variants**

- 🏶 True Positives (**TP**)
- Temporal Variants, Potential (FN)
- Expression Coverage

#### State-of-the-Art Sensors ex. Suricata

- Temporal variance is common
  - Shifting offsets
  - Re-ordering
  - Easily implemented by attacker
- Very costly to address
  - Pervasive analysis
  - Associative analysis



### Neuro: Temporal Variance



#### **Temporal Variants**

- True Positives (TP)
- 🐡 Temporal Variants, Potential (FN)
- Expression Coverage

#### Neuromorphic

- Pervasive analysis is innate
  - Evaluates every byte
  - Limiting this costs resources
- Associative analysis is innate
  - Metadata reordering
- Reduced False Negatives FN
  - Behavioral Prediction
- Profound impact on Analysts



# Neuro Addresses Core Issues



Neuromorphic Cyber Systems



### **Operational Control**





Neuromorphic Cyper Systems



### Cyber Microscope Product Rollout





## Conclusions



- Neuromorphic will revolutionize cyber defense
  - Dramatic reductions in power/op
    - FPGA, >**1,000x**
    - ASIC, **>1,000,000x**
  - Plethora of powerful novel features
    - Order & time invariant, Sessionization, Behavioral prediction
- Operational readiness is close
  - Compatible with existing standards & infrastructure
    - Sandia ported Quiz Kid (aka WaterSlide), 4 week effort
  - > 4<sup>rd</sup> gen FPGA systems available in November