Semantics for Cybersecurity and Privacy
Tim Finin, UMBC. Joint work with Anupam Joshi, Karuna Joshi, Zareen Syed and many UMBC graduate students. 2015-05-01

Posted Jan 13, 2016
Transcript
Page 1

Semantics for Cybersecurity and Privacy

Tim Finin, UMBC
Joint work with Anupam Joshi, Karuna Joshi, Zareen Syed and many UMBC graduate students

http://ebiq.org/r/366
2015-05-01

Page 2

Things, not Strings

• Today's focus on big data requires semantics
  → Data variety requires analysis, integration & fusion
  → Must understand data's meaning (i.e., semantics)
  → Exploit background knowledge
• Important for cybersecurity and privacy
  → Protect personal information, esp. in mobile/IoT
  → Modeling & using context often useful if not critical
• Needs high-performance computing
  → For machine learning and analytics
  → For information extraction from text

Page 3

Context-Aware Privacy & Security

• Smart mobile devices know a great deal about their users, including their current context
• Sensor data, email, calendar, social media, …
• Acquiring & using this knowledge helps them provide better services
• Context-aware policies can be used to limit information sharing as well as to control the actions and information access of mobile apps
• Sharing context with other users, organizations and service providers can also be beneficial
• Context is more than time and GPS coordinates

The same context, disclosed at three levels of detail depending on who is asking:
  We're in a two-hour budget meeting at X with A, B and C
  We're in an important meeting
  We're busy

http://ebiq.org/p/589
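As an added example (not code from the UMBC project or from the paper linked above), the three-level disclosure on this slide can be implemented as an ordered, default-deny policy over a structured context record. The Context and Requester records, the requester groups and the rule table are all assumptions made for the example:

```python
from dataclasses import dataclass

# Added example, not the UMBC system's code. Context, Requester, the groups
# ("colleague", "family", "app") and the POLICY table are assumptions.


@dataclass(frozen=True)
class Context:
    activity: str          # e.g. "budget meeting"
    duration_hours: float
    location: str
    attendees: tuple       # names of the people present


@dataclass(frozen=True)
class Requester:
    name: str
    group: str             # "colleague", "family" or "app"
    purpose: str = ""      # for apps: what the context is requested for


def _names(people):
    if not people:
        return "no one else"
    if len(people) == 1:
        return people[0]
    return ", ".join(people[:-1]) + " and " + people[-1]


def render(ctx, level):
    """The three disclosure levels shown on the slide, plus 'none'."""
    if level == "full":
        return (f"We're in a {ctx.duration_hours:g}-hour {ctx.activity} at "
                f"{ctx.location} with {_names(ctx.attendees)}")
    if level == "coarse":
        return "We're in an important meeting"
    if level == "minimal":
        return "We're busy"
    if level == "none":
        return None
    raise ValueError(f"unknown disclosure level {level!r}")


# Ordered policy: (group, condition(ctx, requester), level). The first matching
# rule wins; a requester matching no rule gets nothing (default deny).
POLICY = [
    ("colleague", lambda c, r: r.name in c.attendees, "full"),
    ("colleague", lambda c, r: True, "coarse"),
    ("family", lambda c, r: True, "minimal"),
    ("app", lambda c, r: r.purpose == "calendar", "coarse"),
    ("app", lambda c, r: True, "none"),
]


def disclose(ctx, requester, policy=POLICY):
    """Return the context string this requester may see, or None."""
    for group, condition, level in policy:
        if requester.group == group and condition(ctx, requester):
            return render(ctx, level)
    return None


# Constructed sample context matching the slide's example.
MEETING = Context(activity="budget meeting", duration_hours=2,
                  location="X", attendees=("A", "B", "C"))

if __name__ == "__main__":
    for req in (Requester("A", "colleague"), Requester("D", "colleague"),
                Requester("Mom", "family"), Requester("game", "app", "ads"),
                Requester("cal", "app", "calendar")):
        print(f"{req.name:>4}: {disclose(MEETING, req)}")
```

The policy is evaluated on the device, so the raw context (attendee list, location) never leaves it for a requester that is only entitled to "We're busy"; an app that matches no rule, or the catch-all "app" rule, gets no context at all rather than a degraded version.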

Page 5

FaceBlock

FaceBlock automatically obscures faces in pictures using image analysis, dynamic, context-aware policies and ad hoc device communication

http://ebiq.org/p/667

Page 6

Intrusion Detection Systems

• Current intrusion detection systems are poor for zero-day and "low and slow" attacks, and APTs
• Sharing information from heterogeneous data sources can provide useful information even when an attack signature is unavailable
• Implemented prototypes that integrate and reason over data from IDSs, host and network scanners, and text at the knowledge level
• We've established the feasibility of the approach in simple evaluation experiments

Page 7

From dashboards & watchstanding ((simple) analysis) …

Page 8

… to situational awareness

[Figure: pipeline from traditional sensors and non-traditional "sensors" (text) through facts/information, context/situation, rules, policies and analytics to alerts]

Use-after-free vulnerability in Microsoft Internet Explorer 6 through 8 ….

Facts from the text and from the sensors (host scanner, gateway and Wireshark logs), in the N3-style notation used on the slide:

  [ a IDPS:text_entity ;
    IDPS:has_vulnerability_term "true" ;
    IDPS:has_security_exploit "true" ;
    IDPS:has_text "Internet Explorer" ;
    IDPS:has_text "arbitrary code" ;
    IDPS:has_text "remote attackers" ] .

  [ a IDPS:system ; IDPS:host_IP "130.85.93.105" ] .

  [ a IDPS:scannerLog ; IDPS:scannerLogIP "130.85.93.105" ; … ] .
  [ a IDPS:gatewayLog ; IDPS:gatewayLogIP "130.85.93.105" ; … ] .

Rule that fuses them into an alert:

  [ IDPS:scannerLog   IDPS:hasBrowser ?Browser .
    IDPS:gatewayLog   IDPS:hasURL ?URL .
    ?URL              IDPS:hasSymantecRating "unsafe" .
    IDPS:scannerLog   IDPS:hasOutboundConnection "true" .
    IDPS:WiresharkLog IDPS:isConnectedTo ?IPAddress .
    ?IPAddress        IDPS:isZombieAddress "true" ]
  =>
  [ IDPS:system IDPS:isUnderAttack "use-after-free vulnerability" .
    IDPS:attack IDPS:hasMeans "Backdoor" .
    IDPS:attack IDPS:hasConsequence "UnauthorizedRemoteAccess" ]

http://ebiq.org/p/604
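The knowledge-level fusion described on pages 6 and 8, as an added example that is not the UMBC prototype's code: a minimal forward-chaining engine over (subject, predicate, object) triples that evaluates the slide's rule. It goes one step beyond the slide by joining the scanner, gateway and Wireshark entries on the host IP and the text entity on the browser it mentions, so evidence from one host cannot raise an alert on another. All identifiers and sample facts are constructed, and IDPS:wiresharkLogIP and IDPS:describes are assumed predicate names not shown on the slide:

```python
# Added example, not the UMBC prototype's code: a minimal forward-chaining rule
# engine over (subject, predicate, object) triples. It fuses text-derived facts
# with scanner, gateway and Wireshark log facts as the slide's rule does, but
# joins the log entries on the host IP so another host's logs cannot raise an
# alert here. All identifiers and sample facts below are constructed, and
# IDPS:wiresharkLogIP and IDPS:describes are assumed predicate names.

FACTS = {
    # host under observation (slide: IDPS:system with host_IP 130.85.93.105)
    ("host1", "IDPS:host_IP", "130.85.93.105"),
    # host scanner log
    ("scan1", "IDPS:scannerLogIP", "130.85.93.105"),
    ("scan1", "IDPS:hasBrowser", "Internet Explorer"),
    ("scan1", "IDPS:hasOutboundConnection", "true"),
    # web gateway log, with a reputation rating attached to the visited URL
    ("gw1", "IDPS:gatewayLogIP", "130.85.93.105"),
    ("gw1", "IDPS:hasURL", "http://landing.example/x"),
    ("http://landing.example/x", "IDPS:hasSymantecRating", "unsafe"),
    # packet capture: a connection to an address already known as a zombie
    ("ws1", "IDPS:wiresharkLogIP", "130.85.93.105"),
    ("ws1", "IDPS:isConnectedTo", "203.0.113.9"),
    ("203.0.113.9", "IDPS:isZombieAddress", "true"),
    # entity extracted from vulnerability text (slide: IDPS:text_entity)
    ("txt1", "IDPS:has_security_exploit", "true"),
    ("txt1", "IDPS:has_text", "Internet Explorer"),
    ("txt1", "IDPS:has_text", "remote attackers"),
    ("txt1", "IDPS:describes", "use-after-free vulnerability"),
    # a second host that only visited a safe URL and has no suspicious capture
    ("host2", "IDPS:host_IP", "130.85.93.106"),
    ("scan2", "IDPS:scannerLogIP", "130.85.93.106"),
    ("scan2", "IDPS:hasBrowser", "Internet Explorer"),
    ("scan2", "IDPS:hasOutboundConnection", "true"),
    ("gw2", "IDPS:gatewayLogIP", "130.85.93.106"),
    ("gw2", "IDPS:hasURL", "http://news.example/"),
    ("http://news.example/", "IDPS:hasSymantecRating", "safe"),
}

# A rule is (body patterns, head patterns); terms starting with "?" are
# variables, and every variable in the head must occur in the body.
UNDER_ATTACK = (
    [
        ("?host", "IDPS:host_IP", "?ip"),
        ("?scan", "IDPS:scannerLogIP", "?ip"),
        ("?scan", "IDPS:hasBrowser", "?browser"),
        ("?scan", "IDPS:hasOutboundConnection", "true"),
        ("?gw", "IDPS:gatewayLogIP", "?ip"),
        ("?gw", "IDPS:hasURL", "?url"),
        ("?url", "IDPS:hasSymantecRating", "unsafe"),
        ("?ws", "IDPS:wiresharkLogIP", "?ip"),
        ("?ws", "IDPS:isConnectedTo", "?peer"),
        ("?peer", "IDPS:isZombieAddress", "true"),
        ("?txt", "IDPS:has_security_exploit", "true"),
        ("?txt", "IDPS:has_text", "?browser"),   # text mentions the host's browser
        ("?txt", "IDPS:describes", "?vuln"),
    ],
    [
        ("?host", "IDPS:isUnderAttack", "?vuln"),
        ("?host", "IDPS:hasMeans", "Backdoor"),
        ("?host", "IDPS:hasConsequence", "UnauthorizedRemoteAccess"),
    ],
)
RULES = [UNDER_ATTACK]

def _unify(pattern, triple, binding):
    """Extend binding so that pattern matches triple, or return None."""
    b = dict(binding)
    for p, t in zip(pattern, triple):
        if p.startswith("?"):
            if b.setdefault(p, t) != t:
                return None
        elif p != t:
            return None
    return b

def _match(body, facts, binding):
    """Yield every binding under which all patterns in body hold in facts."""
    if not body:
        yield binding
        return
    for triple in facts:
        b = _unify(body[0], triple, binding)
        if b is not None:
            yield from _match(body[1:], facts, b)

def forward_chain(facts, rules):
    """Apply the rules to a fixpoint and return only the newly derived triples."""
    known, derived = set(facts), set()
    while True:
        new = set()
        for body, head in rules:
            for b in list(_match(body, known, {})):
                for pat in head:
                    new.add(tuple(b[t] if t.startswith("?") else t for t in pat))
        new -= known
        if not new:
            return derived
        known |= new
        derived |= new
```

Running `forward_chain(FACTS, RULES)` yields the three alert triples for host1 only; removing any one piece of evidence (for instance the zombie-address fact) yields nothing, which is the point of combining sources when no single signature exists. A production engine would use an RDF store and a rule language such as Jena's rather than this nested-loop matcher.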

Page 9

Maintaining the vulnerability KB

• Our approach requires us to keep the KB of software products and known or suspected vulnerabilities and attacks up to date
• Resources like NVD are great, but tapping into text can enrich their information and give earlier warnings of problems

[Figure: timeline of one vulnerability, from exploitation to patch]
  Vendor deploys software
  Attacker finds vuln. & exploits it (01/10/13)
  Exploit reported in mailing list (01/10/13)
  CVE disclosed (01/14/13)
  Vuln. reported in NVD RSS feed
  Analysis: vuln. analyzed & included in NVD feed (02/16/2013)
  Vendor analysis: threat disclosed in vendor bulletin (03/04/2013)
  Patch development: patch released (Critical Patch Update) (06/18/2013)
  Resolution: system update

Page 10

Information extraction from text

CVE-2012-0150
Buffer overflow in msvcrt.dll in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted media file, aka "Msvcrt.dll Buffer Overflow Vulnerability."

[Figure: the description annotated with extracted relations and linked entities]
  Identify relationships:
    ebqids:hasMeans
    ebqids:affectsProduct
  Link concepts to entities:
    http://dbpedia.org/resource/Buffer_overflow
    http://dbpedia.org/resource/Windows_7
    http://dbpedia.org/resource/Arbitrary_code_execution

• We use information extraction techniques to identify entities, relations and concepts in security related text
• These are mapped to terms in our ontology and the DBpedia knowledge base extracted from Wikipedia

http://ebiq.org/p/540
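The extraction step on this slide, as an added example that is not the UMBC extractor (which uses trained NLP models rather than fixed patterns): a pattern-based extractor that turns an NVD-style description into triples whose objects are DBpedia resources, run on the CVE-2012-0150 text from the slide. The gazetteers, the predicates other than ebqids:hasMeans and ebqids:affectsProduct, and the second sample description are assumptions made for this example:

```python
import re

# Added example, not the UMBC extractor: a pattern-based information extractor
# that turns an NVD-style description into triples whose objects are DBpedia
# resources, as the slide illustrates for CVE-2012-0150. The gazetteers, the
# predicates other than ebqids:hasMeans / ebqids:affectsProduct, and the second
# sample text (DOS_TEXT) are assumptions made for this example.

DBP = "http://dbpedia.org/resource/"

MEANS = {                      # surface form of the vulnerability class
    "buffer overflow": "Buffer_overflow",
    "sql injection": "SQL_injection",
    "cross-site scripting": "Cross-site_scripting",
}
PRODUCTS = {                   # product surface forms, matched case-insensitively
    "windows vista": "Windows_Vista",
    "windows server 2008": "Windows_Server_2008",
    "windows 7": "Windows_7",
}
CONSEQUENCES = {               # prefix of the "allows ... to <action>" clause
    "execute arbitrary code": "Arbitrary_code_execution",
    "cause a denial of service": "Denial-of-service_attack",
}

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}")
# NVD phrasing: "<means> in <component> in <products> allows <actor> to <action> via <vector>"
MEANS_RE = re.compile(r"^\s*(?:CVE-\d{4}-\d{4,7}\s*)?(?P<means>[A-Za-z][A-Za-z -]*?) in ")
EFFECT_RE = re.compile(r"allows (?P<actor>.+?) to (?P<action>.+?) via (?P<vector>.+?)(?:,|\.|$)")


def extract(text, subject=None):
    """Return sorted (subject, predicate, object) triples for one description.

    The CVE id found in the text is the subject; if there is none, the caller
    must supply one.
    """
    m = CVE_RE.search(text)
    subj = m.group(0) if m else subject
    if subj is None:
        raise ValueError("no CVE id in text and no subject given")
    low = text.lower()
    triples = set()

    m = MEANS_RE.match(text)
    if m and m.group("means").lower() in MEANS:
        triples.add((subj, "ebqids:hasMeans", DBP + MEANS[m.group("means").lower()]))

    for surface, resource in PRODUCTS.items():
        if surface in low:
            triples.add((subj, "ebqids:affectsProduct", DBP + resource))

    m = EFFECT_RE.search(text)
    if m:
        action = m.group("action").lower()
        for prefix, resource in CONSEQUENCES.items():
            if action.startswith(prefix):
                triples.add((subj, "ebqids:hasConsequence", DBP + resource))
        triples.add((subj, "ebqids:hasAttacker", m.group("actor")))
        triples.add((subj, "ebqids:hasVector", m.group("vector")))
    return sorted(triples)


# The description from the slide (NVD text for CVE-2012-0150).
CVE_2012_0150 = (
    "CVE-2012-0150 Buffer overflow in msvcrt.dll in Microsoft Windows Vista SP2, "
    "Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows "
    "remote attackers to execute arbitrary code via a crafted media file, aka "
    '"Msvcrt.dll Buffer Overflow Vulnerability."'
)
# Constructed description with no CVE id and a product absent from the gazetteer.
DOS_TEXT = ("Buffer overflow in the header parser in ExampleServer allows remote "
            "attackers to cause a denial of service (daemon crash) via a long Host header.")

if __name__ == "__main__":
    for s, p, o in extract(CVE_2012_0150) + extract(DOS_TEXT, subject="ex:desc-2"):
        print(s, p, o)
```

Linking to DBpedia resources rather than keeping the surface strings is what lets the rule engine on page 8 match "Buffer overflow" in one source against "buffer overflows" or a DBpedia-linked product in another; a surface form the gazetteer does not know (ExampleServer in the second text) simply produces no product triple rather than a wrong link.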