University of Texas at Dallas Cyber Security Research at the University of Texas at Dallas Dr. Bhavani Thuraisingham The University of Texas at Dallas [email protected] April 23, 2007

University of Texas at Dallas

Cyber Security Research at the University of Texas at Dallas

Dr. Bhavani Thuraisingham

The University of Texas at Dallas

[email protected]

April 23, 2007

About the Cyber Security Research Center

NSA/DHS Center for Excellence in Information Assurance Education (2004, 2007)

Over 20 Faculty in Jonsson School conducting research in Cyber Security

Collaborating with researchers in the School of Management on Risk analysis and Game theory applications

Beginning collaboration with UT Southwestern Medical Center

Joint projects and proposals with leading researchers

Part of UTD’s CyberSecurity and Emergency Preparedness Institute

Executive Director: Prof. Douglas Harris

Cyber Security Research Areas at UTD

Network Security

- Secure wireless and sensor networks

Systems and Language Security

- Embedded systems security, Buffer overflow defense

Data and Applications Security

- Information sharing, Geospatial data management, Surveillance, Secure web services, Privacy, Dependable information management, Intrusion detection

Security Theory and Protocols

- Secure group communication

Security Engineering

- Secure component-based software

Cross Cutting Themes

- Vulnerability analysis, Access control

Our Model: R&D, Technology Transfer, Standardization and Commercialization

Basic Research (6-1 Type)

- Funding agencies such as NSF, AFOSR, etc.

- Publish our research in top journals (ACM and IEEE Transactions)

Applied Research

- Some federal funding (e.g., from government programs) and Commercial Corporations (e.g., Raytheon); Our current collaboration with AFRL-ARL

Technology Transfer / Development

- Work with corporations such as Raytheon to showcase our research to sponsors (e.g., GEOINT) and transfer research to operational programs such as DCGS

Standardization

- Our collaborations with OGC and standardization of our research (e.g., GRDF)

Commercialization

- Patents, Work with VCs, Corporations, SBIR, STTR for commercialization of our tools (e.g., our work on data mining tools)

Technical and Professional Accomplishments

Publications of research in top journals and conferences, books

- IEEE Transactions, ACM Transactions, 8 books published and 2 books in preparation including one on UTD research (Data Mining Applications, Awad, Khan and Thuraisingham)

Member of Editorial Boards / Editor in Chief

- Journal of Computer Security, ACM Transactions on Information and Systems Security, IEEE Transactions on Dependable and Secure Computing, IEEE Transactions on Knowledge and Data Engineering, Computer Standards and Interfaces

Advisory Boards / Memberships / Other

- Purdue University CS Department, Invitations to write articles in Encyclopedia Britannica on data mining, Keynote addresses, Talks at DFW NAFTA and Chamber of Commerce, Commercialization discussions of data mining tools for security

Awards and Fellowships

- IEEE Fellow, AAAS Fellow, BCS Fellow, IEEE Technical Achievement Award, IEEE Senior Members

Data and Applications Security Research at UTD

Core Group

- Prof. Bhavani Thuraisingham (Professor & Director, Cyber Security Research Center)

- Prof. Latifur Khan (Director, Data Mining Laboratory)

- Prof. Murat Kantarcioglu (Joined Fall 2005, PhD. Purdue U.)

- Prof. Kevin Hamlen (Peer to Peer systems Security, Joined 2006 from Cornell U.)

- Prof. I-Ling Yen (Director, Web Services Lab)

- Prof. Prabhakaran (Director, Motion Capture Lab)

Students and Funding

- Over 20 PhD Students, 40 MS students (combined)

- Research grants: Air Force Office of Scientific Research (2), Raytheon Corporation (2), Nokia Corporation, National Science Foundation (2), AFRL-ARL Collaboration, TX State

Assured Information Sharing

[Figure labels: Component Data/Policy for Agency A; Component Data/Policy for Agency B; Component Data/Policy for Agency C; Publish Data/Policy (one per agency); Data/Policy for Coalition]

1. Friendly partners

2. Semi-honest partners

3. Untrustworthy partners

Research funded by two grants from AFOSR

Secure Semantic Web

[Figure labels: URI, UNICODE; XML, XML Schemas; RDF, Ontologies; Rules/Query; Logic, Proof and Trust; annotated with CONFIDENTIALITY, PRIVACY, TRUST]

- Machine Understandable Web Pages

- What are we doing: CPT Policy enforcement (Confidentiality, Privacy, Trust)

Secure Geospatial Data Management

[Figure labels: Data Source A; Data Source B; Data Source C; SECURITY/QUALITY; Tools for Analysts]

- Semantic Metadata Extraction

- Decision Centric Fusion

- Geospatial data interoperability through web services

- Geospatial data mining

- Geospatial semantic web

Research supported by Raytheon on one grant; working on robust prototypes on second grant

Framework for Geospatial Data Security

[Figure: layered architecture. Layer labels: DATA PRESENTATION COMPONENTS; DATA ACCESS LAYER; SECURITY LAYER; Open Geospatial Consortium Framework. Component labels: Access Control Module; Geospatial Data Registration (spatial and temporal registration of geospatial data); Data Integration Services & Data Repository Access; DAC/RBAC Policy Specification; Policy Reasoning Engine; Trust & Privacy Management; Authentic Data Publication; Auditing; Misuse Detection; Core & Application Schemas; Geospatial Features; Geography Markup Language; Metadata; GIS Web Services; Traditional GIS; Wrapper; Geospatial Data Repositories]

Suspicious Event Detection: Surveillance

- Defined an event representation measure based on low-level features

- Defined “normal” and “suspicious” behavior and classify events in unlabeled video sequences appropriately

- Tool to determine whether events are suspicious or not

- Privacy preserving surveillance

Surveillance and Privacy

[Figure: processing flow. Labels: Raw video surveillance data; Face Detection and Face Derecognizing system; Suspicious Event Detection System; Manual Inspection of video data; Suspicious people found; Suspicious events found; Report of security personnel; Comprehensive security report listing suspicious events and people detected; Faces of trusted people derecognized to preserve privacy]

Social Networks

Individuals engaged in suspicious or undesirable behavior rarely act alone

We can infer that those associated with a person positively identified as suspicious have a high probability of being either:

- Accomplices (participants in suspicious activity)

- Witnesses (observers of suspicious activity)

Making these assumptions, we create a context of association between users of a communication network

Privacy Preserving Data Mining

Prevent useful results from mining

- Introduce “cover stories” to give “false” results

- Only make a sample of data available so that an adversary is unable to come up with useful rules and predictive functions

Randomization and Perturbation

- Introduce random values into the data and/or results

- Challenge is to introduce random values without significantly affecting the data mining results

- Give range of values for results instead of exact values

Secure Multi-party Computation

- Each party knows its own inputs; encryption techniques used to compute final results
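The secure multi-party computation bullet, worked as a secure sum over three parties. This is an added example, not code from the UTD projects: it uses additive secret sharing rather than the encryption techniques the slide mentions, and the party inputs, `secure_sum`, `make_shares` and the demo random generator are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PARTIES 3   /* agencies A, B, C (inputs below are constructed) */

/* Demo-only xorshift32 generator; real use requires a CSPRNG. */
static uint32_t rng_state = 0x2545F491u;
static uint32_t next_rand(void) {
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state;
}

/* Split a private input into PARTIES shares that sum to it mod 2^32. */
static void make_shares(uint32_t secret, uint32_t shares[PARTIES]) {
    uint32_t acc = 0;
    for (int j = 0; j < PARTIES - 1; j++) {
        shares[j] = next_rand();
        acc += shares[j];
    }
    shares[PARTIES - 1] = secret - acc;   /* wraps mod 2^32 by design */
}

/* Party i sends share j to party j. Party j adds what it receives and
   publishes only that partial sum; the partial sums add up to the total. */
uint32_t secure_sum(const uint32_t inputs[PARTIES], uint32_t partial[PARTIES]) {
    uint32_t total = 0;
    for (int j = 0; j < PARTIES; j++) partial[j] = 0;
    for (int i = 0; i < PARTIES; i++) {
        uint32_t shares[PARTIES];
        make_shares(inputs[i], shares);
        for (int j = 0; j < PARTIES; j++) partial[j] += shares[j];
    }
    for (int j = 0; j < PARTIES; j++) total += partial[j];
    return total;
}

int main(void) {
    const uint32_t inputs[PARTIES] = { 120, 45, 310 };
    uint32_t partial[PARTIES];
    printf("total = %u\n", (unsigned)secure_sum(inputs, partial));
    for (int j = 0; j < PARTIES; j++)
        printf("published partial %d = %u\n", j, (unsigned)partial[j]);
    return 0;
}
```

Each published partial sum is masked by random shares from the other parties, so it reveals nothing about a single input on its own; only the total is meaningful.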

Data Mining for Intrusion Detection / Worm Detection

[Figure: training and testing pipeline. Labels: Training Data; Hierarchical Clustering (DGSOT); SVM Class Training; Classification; Testing Data; Testing]

DGSOT: Dynamically growing self organizing tree

SVM: Support Vector Machine

Example Projects

Assured Information Sharing

- Secure Semantic Web Technologies

- Social Networks and game playing

- Privacy Preserving Data Mining

Geospatial Data Management

- Secure Geospatial semantic web

- Geospatial data mining

Surveillance

- Suspicious Event Detection

- Privacy preserving Surveillance

- Automatic Face Detection, RFID technologies

Cross Cutting Themes

- Data Mining for Security Applications (e.g., Intrusion detection, Mining Arabic Documents); Dependable Information Management

Other Research in Cyber Security

Single Packet IP Traceback (Prof. Kamil Sarac)

Goal: trace an IP packet back to its source

Usage of IP traceback

- Internet forensic analysis

- Denial-of-service attack defense

Design issues for practical IP traceback

- Reducing overhead on routers

- Supporting incremental and partial deployment

- Traceback speed and efficiency

Protecting Computer Security via Hardware/Software: Prof. Edwin Sha

The most widely exploited vulnerabilities are buffer overflow related, causing billions of dollars of damage. Almost all effective worms use this vulnerability to attack, e.g. Internet Worm, Code Red, MS Blaster, Sasser worm, etc.

Hardware/Software Defender

1. A complete protection from buffer overflow attacks.

2. An efficient checking mechanism for a system integrator.

3. Compiler is easy to handle.

4. Hardware and timing overhead are little.

Design new instructions and hardware to avoid buffer overflow vulnerabilities.

Stack Smashing Attack Protection - Two methods proposed:

- Hardware Boundary Check

- New Secure Function Call instructions: Scall and Sret.

Function Pointer Attack Protection

- New secure instruction for jumping function pointer: SJMP

For the most common stack smashing attacks, HSDefender provides a complete protection. For the function pointer attack, it makes it extremely hard for a hacker to change a function pointer leading to his hostile code. With little time overhead (0.098%), it can be applied to critical real-time systems.

Buffer Overflow Attacks: Prof. Gupta

- Buffer Overflow Attacks (B.O.A.): A majority of attacks for which advisories are issued are based on B.O.A.

- Other forms of attacks, such as distributed denial of service attacks, sometimes rely on B.O.A.

- B.O.A. exploit the memory organization of the traditional activation stack model to overwrite the return address stored on the stack.

- This memory organization can be slightly changed so as to prevent buffer overflows from overwriting return addresses.

- Our system automatically transforms code binaries in accordance with this modified memory organization, thereby preventing most common forms of buffer overflow attacks.

- Our tool (under development) can be used on third-party software and off-the-shelf products, and does not require access to source code.
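The return-address overwrite described on the two buffer overflow slides, and the effect of the two kinds of defense they name (a changed memory organization and a boundary check), simulated on a byte array instead of a real stack. This is an added example, not code from HSDefender or the UTD binary-transformation tool: the slides do not specify the modified layout, so the separate return-address region, `checked_copy`, the frame sizes and the input bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 8            /* local buffer in the simulated frame */
#define FRAME_SIZE 12         /* buffer + 4-byte saved return address */
#define RET_ADDR 0x00401000u  /* constructed legitimate return address */

/* Constructed oversized input: 8 filler bytes, then 4 bytes that land
   where the conventional layout keeps the return address. */
static const uint8_t INPUT[FRAME_SIZE] = {
    'A','A','A','A','A','A','A','A', 0xEF,0xBE,0xAD,0xDE };

/* Conventional layout: return address stored directly above the buffer.
   The copy is unchecked (clamped only to keep the simulation in bounds). */
uint32_t conventional_call(const uint8_t *in, size_t len) {
    uint8_t stack[FRAME_SIZE];
    uint32_t ret = RET_ADDR;
    memcpy(stack + BUF_SIZE, &ret, sizeof ret);   /* "call" saves return */
    memcpy(stack, in, len > FRAME_SIZE ? FRAME_SIZE : len);
    memcpy(&ret, stack + BUF_SIZE, sizeof ret);   /* "ret" reloads it */
    return ret;
}

/* Modified layout (assumption): return addresses live in a separate
   region, so the same overflow only reaches other data. */
uint32_t split_stack_call(const uint8_t *in, size_t len) {
    uint8_t data_stack[FRAME_SIZE];   /* buffer + 4 bytes of other data */
    uint32_t return_stack[1] = { RET_ADDR };
    memcpy(data_stack, in, len > FRAME_SIZE ? FRAME_SIZE : len);
    return return_stack[0];
}

/* Boundary check: reject any write that would leave the buffer. */
int checked_copy(uint8_t *buf, size_t cap, const uint8_t *in, size_t len) {
    if (len > cap) return -1;         /* fault instead of overflow */
    memcpy(buf, in, len);
    return 0;
}

int main(void) {
    uint8_t buf[BUF_SIZE];
    printf("conventional: 0x%08x\n", (unsigned)conventional_call(INPUT, sizeof INPUT));
    printf("split stack:  0x%08x\n", (unsigned)split_stack_call(INPUT, sizeof INPUT));
    printf("checked copy: %d\n", checked_copy(buf, sizeof buf, INPUT, sizeof INPUT));
    return 0;
}
```

In the split layout the overflow still corrupts the adjacent data bytes; only control flow is protected, which is why the boundary check is listed as a separate method.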

Information Assurance Education (Prof. Gupta)

Current Courses

- Introduction to Computer and Network Security: Prof. Sha

- Cryptography: Profs. Sudborough, Murat

- Data and Applications Security: Prof. Bhavani Thuraisingham

- Biometrics: Prof. Bhavani

- Privacy: Prof. Murat Kantarcioglu

- Secure Language: Prof. Kevin Hamlen

- Digital Forensics: Prof. Bhavani Thuraisingham

- Trustworthy semantic web: Prof. Bhavani

NSA/DHS Center for Information Assurance Education (2004, 2007)

Courses at AFCEA and AF Bases

- Knowledge Management, Data Mining for Counter-terrorism, Data Security; preparing a course on SOA and NCES with Prof. Alex Levis (GMU) and Prof. Hal Sorenson (UCSD)

SAIAL Laboratory (Security Analysis and Information Assurance Laboratory)

[Floor plan labels: Wireless Network Area (8’ x 19’); Development Room (19.5’ x 29’); Testing Area (22’ x 31.5’); Cable tray]

Security Analysis and Information Assurance Laboratory

- Mainframes: 2

- PC’s: 54

- Work Stations: 6

- Laptops: 5

- Servers: 7

- Switches: 4

- Routers: 10

- PDA’s: 15

- Access Points: 8

- Network Analyzer: 1

- Protocol Analyzer: 1

- Development Software & Hardware

Attenuation levels of radiated signals as tested to MIL-STD-285

- Magnetic Mode: 60 dB at 10KHz to 100KHz at 100dB

- Electric Mode: 100 dB from 1 KHz to 1 GHz

- Plane Wave and Microwave: 100 dB from 1 GHz to 10 GHz

Directions and Plans

Take Advantage of SAIAL Lab Opportunity for Information Operations portion of the AFOSR project

Increase focus areas

- Major focus the past 2 years has been on Data Security

- Expand the focus utilizing our strengths and state/federal interests

Digital forensics is becoming an important area

Interdisciplinary research and multiple domains

- Healthcare, Telecom, etc.

Collaboration

- Integrate programs across the schools at UTD

- Increase collaboration with our partners

Our major goal is to establish a Center Scale Project