UTD CS 7301 - Assured Information Sharing for Security Applications

This preview shows page 1-2-15-16-31-32 out of 32 pages.


Assured Information Sharing for Security Applications: Malicious Code Detection
Prof. Bhavani Thuraisingham, Prof. Latifur Khan, Prof. Murat Kantarcioglu, Prof. Kevin Hamlen
The University of Texas at Dallas
Project Funded by the Air Force Office of Scientific Research (AFOSR)
[email protected]
April 2011

Slide titles:
• Assured Information Sharing
• Architecture: 2005-2008
• Our Approach
• Policy Enforcement Prototype (Dr. Mamoun Awad (postdoc) and students)
• Architectural Elements of the Prototype
• Confidentiality, Privacy and Trust CPT
• Policy Engine
• Distributed Information Exchange (Ryan Layfield, Murat Kantarcioglu, Bhavani Thuraisingham)
• Game Theory
• Experimental Setup
• Results
• Conclusions: Semi-trustworthy partners
• Defensive Operations: Detecting Malicious Executables using Data Mining
• Automated Detection
• Feature Extraction
• Hybrid Feature Retrieval (HFR)
• Slide 18
• Feature Extraction
• Slide 20
• Experiments
• Results - I
• Results - II
• Peer to Peer Botnet Detection
• Background
• What To Monitor?
• Mapping to Stream Data Mining
• The Single-Chunk Single-Level Ensemble (SCE) Approach
• Our Approach: Multi-Chunk Multi-Level Ensemble (MCE)
• Offensive Operation: Overview (Kevin Hamlen, Mehedy Masud, Latifur Khan, Bhavani Thuraisingham)
• Strategy
• Research Transitioned into AIS MURI – AFOSR UMBC-Purdue-UTD-UIUC-UTSA-UofMI 2008-2013

Assured Information Sharing
• Daniel Wolfe (formerly of the NSA) defined assured information sharing (AIS) as a framework that “provides the ability to dynamically and securely share information at multiple classification levels among U.S., allied and coalition forces.”
• The DoD’s vision for AIS is to “deliver the power of information to ensure mission success through an agile enterprise with freedom of maneuverability across the information environment”
• The 9/11 Commission report has stated that we need to migrate from a need-to-know to a need-to-share paradigm
• Our objective is to help achieve this vision by defining an AIS lifecycle and developing a framework to realize it.

Architecture: 2005-2008
[Figure: architecture diagram. Labels: Component Data/Policy for Agency A, Agency B and Agency C; Export Data/Policy; Data/Policy for Coalition; Trustworthy Partners; Semi-Trustworthy Partners; Untrustworthy Partners]

Our Approach
• Integrate the Medicaid claims data and mine the data; next enforce policies and determine how much information has been lost (Trustworthy partners); Prototype system; Application of Semantic web technologies
• Apply game theory and probing to extract information from semi-trustworthy partners
• Conduct Active Defence and determine the actions of an untrustworthy partner
  – Defend ourselves from our partners using data mining techniques
  – Conduct active defence: find out what our partners are doing by monitoring them so that we can defend ourselves from dynamic situations
• Trust for Peer to Peer Networks (Infrastructure security)

Policy Enforcement Prototype
Dr. Mamoun Awad (postdoc) and students

Architectural Elements of the Prototype
• Policy Enforcement Point (PEP):
  – Enforces policies on requests sent by the Web Service.
  – Translates this request into an XACML request; sends it to the PDP.
• Policy Decision Point (PDP):
  – Makes decisions regarding the request made by the web service.
  – Conveys the XACML request to the PEP.
• Policy Files: Policy Files are written in the XACML policy language. Policy Files specify rules for “Targets”. Each target is composed of 3 components: Subject, Resource and Action; each target is identified uniquely by its components taken together. The XACML request generated by the PEP contains the target. The PDP’s decision-making capability lies in matching the target in the request file with the target in the policy file. These policy files are supplied by the owners of the databases (Entities in the coalition).
• Databases: The entities participating in the coalition provide access to their databases.

Confidentiality, Privacy and Trust CPT
• Trust
  – Trust is established between, say, a web site and a user based on credentials or reputations.
• Privacy
  – When a user logs into a website to make, say, a purchase, the web site will specify what its privacy policies are. The user will then determine whether he/she wants to enter personal information.
  – That is, if the web site will give out, say, the user’s address to a third party, then the user can decide whether to enter this information.
  – However, before the user enters the information, the user has to decide whether he trusts the web site.
  – This can be based on the credential and reputation.
  – If the user trusts the web site, then the user can enter his private information if he is satisfied with the policies. If not, he can choose not to enter the information.
• Confidentiality
  – Here the user is requesting information from the web site;
  – the web site checks its confidentiality policies and decides what information to release to the user.
  – The web site can also check the trust it has in the user and decide whether to give the information to the user.

Policy Engine
[Figure: policy engine diagram. Labels: Policies, Ontologies, Rules in RDF; JENA RDF Engine; RDF Documents; Inference Engine/Rules Processor, e.g., Pellet; Interface to the Semantic Web; Technology by UTDallas]

Distributed Information Exchange
(Ryan Layfield, Murat Kantarcioglu, Bhavani Thuraisingham)
• Multiple, sovereign parties wish to cooperate
  – Each carries pieces of a larger information puzzle
  – Can only succeed at their tasks when cooperating
  – Have little reason to trust or be honest with each other
  – Cannot agree on single impartial governing agent
  – No one party has significant clout over the rest
  – No party innately has perfect knowledge of opponent actions
• Verification of information incurs a cost
• Faking information is a possibility
• Current modern example: Bit Torrent
  – Assumes information is verifiable
  – Enforces punishment however through a centralized server

Game Theory
• Studies such interactions through mathematical representations of gain
  – Each party is considered a player
  – The information they gain from each other is considered a payoff
  – Scenario considered a finite repeated game
• Information exchanged in discrete
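
The PEP/PDP target matching described under "Architectural Elements of the Prototype" above, as an added example that is not part of the original slides or of the UTD prototype. It is a simplified Python model rather than XACML syntax, and it goes slightly beyond the slide by combining several matching rules with deny-overrides and by having the PEP refuse anything that is not an explicit Permit; the `ANY` wildcard, the sample policy and names such as `claims_db` are assumptions.

```python
from dataclasses import dataclass

ANY = "*"  # assumption: wildcard meaning "matches any value" in a policy target


@dataclass(frozen=True)
class Target:
    subject: str
    resource: str
    action: str

    def matches(self, request: "Target") -> bool:
        # A policy target applies only if all three components match together.
        pairs = zip((self.subject, self.resource, self.action),
                    (request.subject, request.resource, request.action))
        return all(p == ANY or p == r for p, r in pairs)


@dataclass(frozen=True)
class Rule:
    target: Target
    effect: str  # "Permit" or "Deny"


# Constructed sample policy, as a database owner in the coalition might supply it.
AGENCY_A_POLICY = [
    Rule(Target("agency_b_analyst", "claims_db", "read"), "Permit"),
    Rule(Target(ANY, "claims_db", "delete"), "Deny"),
    Rule(Target("agency_a_admin", "claims_db", ANY), "Permit"),
]


def pdp_decide(policy, request):
    """PDP: match the request target against every policy target (deny-overrides)."""
    effects = {rule.effect for rule in policy if rule.target.matches(request)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"  # no policy target matched the request


def pep_enforce(policy, subject, resource, action):
    """PEP: build the request target, ask the PDP, release data only on Permit."""
    decision = pdp_decide(policy, Target(subject, resource, action))
    return decision == "Permit", decision
```

A request from a subject that no rule names comes back as `NotApplicable`, and the PEP treats that the same as a denial, so an omission in an owner's policy file fails closed.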

