Cyber Security Research at the University of Texas at Dallas
Sample Projects
Prof. Bhavani Thuraisingham, PhD, CISSP
Prof. Latifur Khan, PhD
Prof. Murat Kantarcioglu, PhD
Prof. Kevin Hamlen, PhD
Prof. Edwin Sha, PhD
August 2010
FEARLESS engineering

Outline
• Data Mining for Malicious Traffic – Dr. Latifur Khan (NASA, AFOSR)
• Reactively Adaptive Malware – Dr. Kevin W. Hamlen and Dr. Latifur Khan (AFOSR)
• AFOSR: Assured Information Sharing: 2005-2008 (Dr. Bhavani Thuraisingham)
• Incentive Issues in Assured Information Sharing – Dr. Murat Kantarcioglu (DoD MURI Project 2008-2013, AFOSR)
• Scalable Social Network Mining – Dr. Murat Kantarcioglu (NSF)
• Language-based Security – Dr. Kevin W. Hamlen (AFOSR)
• Privacy-preserving Distributed Data Mining – Dr. Murat Kantarcioglu (NSF)
• Slide 9: Other Projects

Data Mining for Malicious Traffic
Dr. Latifur Khan (NASA, AFOSR)

Motivation
• Network traffic is a continuous flow of data which evolves over time.
• How can we detect intrusions by mining the network traffic when
  – the intrusions themselves evolve?
  – only a small fraction of the traffic is analyzed and labeled by human experts?
  – new kinds of intrusions appear?

Technical Approach
• Idea: build a classification model from past data and predict intrusions using the model.
• The model must be able to
  – keep itself up to date so that it can detect intrusions even if their characteristics change over time
  – use the limited amount of labeled data to update itself efficiently
  – detect new kinds of intrusions in the traffic
• Strategy:
  – Semi-supervised learning to compensate for the shortage of labeled training data
  – Ensemble classification to cope with changes in the traffic
  – Novel class detection to detect new kinds of intrusions in the traffic

System Architecture
[Figure: labels recovered from the diagram: Network traffic (older chunks, newer chunks, last unlabeled chunk, last partially labeled chunk); Training (1); Classification (2); Ensemble of models; New model; Update (3); Refinement (4); Intrusion?]

Reactively Adaptive Malware
Dr. Kevin W. Hamlen and Dr. Latifur Khan (AFOSR)

Motivation
• Design and study malware immune to conventional antivirus technologies
• Important for the AF active defense project
• Important for developing adequate defenses in anticipation of next-generation attacks

Technical Approach
• Data Mining
  – use machine learning to discover signatures dynamically
  – adapt to new malware in the field
  – share learned signatures amongst mutually trusting attackers
• Reactively Adaptive Malware
  – discover false negatives in the protection system
  – self-obfuscate to defeat defenses

[Figure: labels recovered from the diagram: Antivirus Signature Database; Signature Query Interface; Signature Inference Engine; Signature Approximation Model; Obfuscation Generation; Obfuscation Function; Malware Binary; Obfuscated Binary]

AFOSR: Assured Information Sharing: 2005-2008 (Dr. Bhavani Thuraisingham)
• Trustworthy Partners: integrate the Medicaid claims data and mine the data; next, enforce policies and determine how much information has been lost; prototype system; application of Semantic Web technologies
• Semi-Trustworthy Partners: apply game theory and probing to extract information from semi-trustworthy partners
• Untrustworthy Partners: conduct active defence and determine the actions of an untrustworthy partner; defend ourselves from our partners using data mining techniques
• Conduct active defence – find out what our partners are doing by monitoring them so that we can defend ourselves in dynamic situations
• Trust for Peer to Peer Networks (Infrastructure security)

[Figure: labels recovered from the diagram: Export Data/Policy components for Agency A, Agency B and Agency C; Data/Policy for Coalition]

Incentive Issues in Assured Information Sharing
Dr. Murat Kantarcioglu (DoD MURI Project 2008-2013, AFOSR)

Motivation
• Misaligned incentives could be a significant problem in information security.
  – Software bugs vs. software companies' incentives
• Incentive issues in information sharing have been explored to some extent.
  – Incentive issues in file-sharing P2P networks
• Assured information sharing creates new challenges.
  – Security considerations vs. utility

Technical Approach
• Verify that the other participants do not lie about their data.
  – If the data is revealed as it is:
    • Trust but verify (our initial results: DKE '08 paper)
  – If the data is not revealed (e.g., SMC techniques are used):
    • Non-cooperative computing
    • Mechanism design
    • SMC with rational adversaries

Scalable Social Network Mining
Dr. Murat Kantarcioglu (NSF)

Motivation
• Mining social network data could provide important insights.
• Recently, many different data mining techniques have been suggested for mining social network data.
• These techniques require many iterations (e.g., collective inference techniques) and expensive computations (e.g., maximum likelihood methods) over large social networks.

Technical Approach
• Our goal is to scale the existing social network mining techniques to very large social network data by using cloud computing.
• To achieve this goal, we are exploring
  – intelligent data partitioning techniques based on social network concepts
  – caching of some important queries
  – efficient update of cached query results using cloud computing

Initial Results
• Partitioning techniques based on various social network centrality metrics have been implemented:
  – Degree centrality (DC)
  – Clustering coefficient (CC)
  – Closeness centrality (CloC)
  – Betweenness centrality (BC)
  – Random partitioning
  – Domain specific
• Our initial results indicate that intelligent partitioning can increase accuracy and reduce running time.

Language-based Security
Dr. Kevin W. Hamlen (AFOSR)

Motivation
• Mobile code security (web scripts, patches, etc.)
• How to enforce application-specific security policies over these untrusted software extensions?
  – Policy #1: Untrusted code must not create or modify any file whose name ends in ".exe"
  – Policy #2: Untrusted code must not access the network after reading a confidential file
  – Policy #3: Untrusted code must relinquish the thread after at most 1000 instruction cycles

Technical Approach
• Idea: automatically rewrite the code prior to execution
• Two constraints on rewritten code:
  – rewritten code
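Each of the three example policies is a small state machine over the untrusted program's security-relevant operations; a rewriter in-lines checks of this shape in front of each such operation. As an added example that is not code from the slides or the project, the Python below models the three policies as one monitor and runs it over a constructed event trace (the event names, tuple shapes and trace are assumptions made for illustration):

```python
# Added example (not from the slides): security-automaton monitor for the three policies; events and trace are constructed.
from dataclasses import dataclass, field

@dataclass
class PolicyMonitor:
    cycle_budget: int = 1000          # Policy #3: cycles allowed before a yield
    read_confidential: bool = False   # Policy #2 automaton state
    cycles: int = 0                   # cycles used since the last yield
    violations: list = field(default_factory=list)

    def step(self, event):
        """Check one operation; return True to allow it, False to deny it."""
        kind = event[0]
        if kind in ("create_file", "modify_file"):
            if event[1].lower().endswith(".exe"):       # Policy #1
                self.violations.append(f"policy1:{event[1]}")
                return False
        elif kind == "read_file":
            if event[2]:                                # confidential flag
                self.read_confidential = True           # state change, no denial yet
        elif kind == "net_access":
            if self.read_confidential:                  # Policy #2
                self.violations.append(f"policy2:{event[1]}")
                return False
        elif kind == "execute":
            self.cycles += event[1]
            if self.cycles > self.cycle_budget:         # Policy #3
                self.violations.append(f"policy3:{self.cycles}")
                return False
        elif kind == "yield":
            self.cycles = 0                             # thread relinquished, budget reset
        else:
            self.violations.append(f"unknown:{kind}")   # fail closed on unmodelled ops
            return False
        return True

def run_trace(trace):
    monitor = PolicyMonitor()
    return [monitor.step(e) for e in trace], monitor.violations

TRACE = [  # constructed trace that exercises each policy once
    ("create_file", "report.txt"),        # allowed
    ("create_file", "update.EXE"),        # denied by Policy #1 (case-insensitive)
    ("execute", 600),                     # allowed: 600 cycles used
    ("execute", 500),                     # denied by Policy #3: 1100 > 1000
    ("yield",),                           # budget reset
    ("net_access", "host.invalid"),       # allowed: nothing confidential read yet
    ("read_file", "payroll.csv", True),   # confidential read flips the automaton
    ("net_access", "host.invalid"),       # denied by Policy #2
]
```

Note that Policy #2 is history-dependent: the same network access is allowed before the confidential read and denied after it, which is why the monitor must carry state across operations rather than check each one in isolation.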