UTD CS 7301 - Assured Information Sharing

This preview shows page 1-2-3-21-22-23-43-44-45 out of 45 pages.


Assured Information Sharing for Security and Intelligence Applications
Prof. Bhavani Thuraisingham
Prof. Latifur Khan
Prof. Murat Kantarcioglu
Prof. Kevin Hamlen
The University of Texas at Dallas
Project Funded by the Air Force Office of Scientific Research (AFOSR)
Collaborator: Prof. Ravi Sandhu, UTSA
October 2008

Assured Information Sharing
Architecture: 2005-2008
Our Approach
Policy Enforcement Prototype, Dr. Mamoun Awad (postdoc) and students
Architectural Elements of the Prototype
UCON Policy Model (Prof. Ravi Sandhu, X. Min)
Policy model: member enroll/dis-enroll
Policy model: document add/remove
Distributed Information Exchange (Ryan Layfield, Murat Kantarcioglu, Bhavani Thuraisingham)
Game Theory
Withdrawal
The Payoff Matrix
Enforcing Honest Choice
Experimental Setup
Results
Conclusions: Semi-trustworthy partners
Defensive Operations: Detecting Malicious Executables using Data Mining
Automated Detection
Feature Extraction
Hybrid Feature Retrieval (HFR)
Slide 22

Binary n-gram features
• Features are extracted from the byte codes in the form of n-grams, where n = 2, 4, 6, 8, 10 and so on.
• Example: given an 11-byte sequence 0123456789abcdef012345:
  – The 2-grams (2-byte sequences) are: 0123, 2345, 4567, 6789, 89ab, abcd, cdef, ef01, 0123, 2345
  – The 4-grams (4-byte sequences) are: 01234567, 23456789, 456789ab, ..., ef012345, and so on.
• Problem: Large dataset. Too many features (millions!).
• Solution:
  – Use secondary memory, efficient data structures
  – Apply feature selection

Assembly n-gram features
• Features are extracted from the assembly programs in the form of n-grams, where n = 2, 4, 6, 8, 10 and so on.
• Example: three instructions: “push eax”; “mov eax, dword[0f34]”; “add ecx, eax”
  – 2-grams: (1) “push eax”; “mov eax, dword[0f34]” (2) “mov eax, dword[0f34]”; “add ecx, eax”
• Problem: Same problem as binary
• Solution: Select best features

Select Best K features
• Selection Criteria: Information Gain
• Gain of an attribute A on a collection of examples S is given by

Experiments
Results - I
Results - II
Offensive Operation: Overview (Kevin Hamlen, Mehedy Masud, Latifur Khan, Bhavani Thuraisingham)
Strategy
Some Recent Publications
Some Directions/Projects
Integrating Security with Semantic Web
Research Transitioned into AIS MURI – AFOSR UMBC-Purdue-UTD-UIUC-UTSA-UofMI 2008-2013
AISL
DoD Information Sharing Implementation Strategy I: Leverage the Information Sharing Value Chain
DoD Information Sharing Implementation Strategy II: Force Information Mobility
Security Policies and Model
Secure Semantic Event-based Service Oriented Architecture
Security Architecture
Social Networking
Assured Knowledge Management
DoD Information Sharing Implementation Strategy III: Make information a force multiplier through sharing
Information Sharing Architecture
DoD Information Sharing Implementation Strategy IV: Promote a federated Information Sharing Community/Environment
DoD Information Sharing Implementation Strategy V: Address the economic reality of information sharing

Assured Information Sharing
• Daniel Wolfe (formerly of the NSA) defined assured information sharing (AIS) as a framework that “provides the ability to dynamically and securely share information at multiple classification levels among U.S., allied and coalition forces.”
• The DoD’s vision for AIS is to “deliver the power of information to ensure mission success through an agile enterprise with freedom of maneuverability across the information environment”
• 9/11 Commission report has stated that we need to migrate from a need-to-know to a need-to-share paradigm
• Our objective is to help achieve this vision by defining an AIS lifecycle and developing a framework to realize it.

Architecture: 2005-2008
[Figure: architecture diagram. Labels: Component Data/Policy for Agency A, Agency B and Agency C; Export Data/Policy (three instances); Data/Policy for Coalition; Trustworthy Partners; Semi-Trustworthy Partners; Untrustworthy Partners.]

Our Approach
• Integrate the Medicaid claims data and mine the data; next enforce policies and determine how much information has been lost (Trustworthy partners); Prototype system
• Trust for Peer to Peer Networks
• Apply game theory and probing to extract information from semi-trustworthy partners
• Conduct information operations (defensive and offensive) and determine the actions of an untrustworthy partner.
• Data Mining applied for trustworthy, semi-trustworthy and untrustworthy partners
[Figure label: Coalition]

Policy Enforcement Prototype
Dr. Mamoun Awad (postdoc) and students

Architectural Elements of the Prototype
• Policy Enforcement Point (PEP):
  – Enforces policies on requests sent by the Web Service.
  – Translates this request into an XACML request; sends it to the PDP.
• Policy Decision Point (PDP):
  – Makes decisions regarding the request made by the web service.
  – Conveys the XACML request to the PEP.

Policy Files: Policy Files are written in XACML policy language. Policy Files specify rules for “Targets”. Each target is composed of 3 components: Subject, Resource and Action; each target is identified uniquely by its components taken together. The XACML request generated by the PEP contains the target. The PDP’s decision making capability lies in matching the target in the request file with the target in the policy file. These policy files are supplied by the owner of the databases (Entities in the coalition).

Databases: The entities participating in the coalition provide access to their databases.

UCON Policy Model (Prof. Ravi Sandhu, X. Min)
• Operations that we need to model:
  – Document read by a member.
  – Adding/removing a member to/from the group
  – Adding/removing a document to/from the group
• Member attributes
  – Member: boolean
  – TS-join: join time
  – TS-leave: leave time
• Document attributes
  – D-Member: boolean
  – D-TS-join: join time
  – D-TS-leave: leave time

Policy model: member enroll/dis-enroll

State                                     member   TS-join        TS-leave
State I (initial): Never been a member    null     null           null
State II: Currently a member              True     time of join   null
State III: Past member                    False    time of join   time of leave

[State diagram: transitions between the states are labelled enroll and dis-enroll.]
enroll, dis-enroll: authorized to Group-Admins
UCON elements: Pre-Authorization, attribute predicates,
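The member enroll/dis-enroll model above can be exercised as a small state machine. This is an added example, not code from the slides or the UTD prototype; the `Group` and `MemberAttrs` names, integer timestamps, the rejection of a repeated enroll, and the reset of TS-join/TS-leave on re-enrolling a past member are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class MemberAttrs:
    """Per-member attributes from the slide; None stands for 'null'."""
    member: Optional[bool] = None
    ts_join: Optional[int] = None
    ts_leave: Optional[int] = None

    def state(self):
        if self.member is None:
            return "I"                         # never been a member
        return "II" if self.member else "III"  # current / past member

class Group:
    def __init__(self, admins):
        self.admins = set(admins)
        self.members = {}                      # user -> MemberAttrs

    def _pre_authorize(self, actor):
        # Pre-authorization: decided before the operation runs.
        if actor not in self.admins:
            raise PermissionError(f"{actor} is not a Group-Admin")

    def attrs(self, user):
        return self.members.get(user, MemberAttrs())

    def enroll(self, actor, user, now):
        self._pre_authorize(actor)
        a = self.attrs(user)
        if a.state() == "II":                  # attribute predicate on 'member'
            raise ValueError(f"{user} is already a member")
        # Assumption: re-enrolling a past member resets TS-join and TS-leave.
        self.members[user] = MemberAttrs(True, now, None)
        return self.members[user]

    def dis_enroll(self, actor, user, now):
        self._pre_authorize(actor)
        a = self.attrs(user)
        if a.state() != "II":
            raise ValueError(f"{user} is not currently a member")
        self.members[user] = MemberAttrs(False, a.ts_join, now)
        return self.members[user]
```
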
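For the binary n-gram features and "Select Best K" slides above, the following added example (not code from the slides or the authors' system) extracts byte n-grams with a one-byte sliding window and ranks them by information gain. The gain uses the standard entropy-based definition, an assumption since the slide's formula is not in this preview; the four-sample corpus is constructed for illustration.

```python
import math
from collections import Counter

def byte_ngrams(data, n):
    """Every n-byte window of data, sliding one byte at a time, as hex."""
    return [data[i:i + n].hex() for i in range(len(data) - n + 1)]

def entropy(labels):
    """Shannon entropy, in bits, of a list of class labels."""
    total = len(labels)
    return -sum(c / total * math.log2(c / total)
                for c in Counter(labels).values())

def information_gain(feature, samples):
    """Label entropy minus the weighted entropy left after splitting the
    samples on presence/absence of one n-gram (standard definition)."""
    gain = entropy([label for _, label in samples])
    for present in (True, False):
        subset = [label for grams, label in samples
                  if (feature in grams) == present]
        if subset:
            gain -= len(subset) / len(samples) * entropy(subset)
    return gain

def select_best_k(corpus, n, k):
    """corpus: list of (bytes, label). Returns the k highest-gain n-grams."""
    samples = [(set(byte_ngrams(data, n)), label) for data, label in corpus]
    vocab = set().union(*(grams for grams, _ in samples))
    scored = sorted(((information_gain(f, samples), f) for f in vocab),
                    key=lambda s: (-s[0], s[1]))
    return [(f, round(g, 3)) for g, f in scored[:k]]

# The 11-byte sequence from the slide.
SLIDE_BYTES = bytes.fromhex("0123456789abcdef012345")

# Constructed toy corpus, not real samples: 1 = malicious, 0 = benign.
CORPUS = [
    (bytes.fromhex("90909090deadbeef"), 1),
    (bytes.fromhex("deadbeef00112233"), 1),
    (bytes.fromhex("0011223344556677"), 0),
    (bytes.fromhex("8899aabbccddeeff"), 0),
]

if __name__ == "__main__":
    print(byte_ngrams(SLIDE_BYTES, 2))     # the slide's ten 2-grams
    print(select_best_k(CORPUS, 2, 3))     # n-grams that best split the classes
```

An n-gram that appears in one malicious and one benign sample (here `0011`) scores a gain of zero, which is why selection discards it even though it is frequent.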

