1 Copyright 2000, Odyssey Research Associates, Inc. SL00-0003 Semantic Data Integrity DARPA Program Review Cornell Business & Technology Park 33 Thornwood Drive, Suite 500 Ithaca, NY 14850-1250 (607) 257-1975 David Rosenthal February 22, 2000


Semantic Data Integrity

DARPA Program Review

Cornell Business & Technology Park
33 Thornwood Drive, Suite 500
Ithaca, NY 14850-1250
(607) 257-1975

David Rosenthal

February 22, 2000


Team Members

• ORA

• WetStone

• Jiri Fridrich (consultant to WetStone)


Technical Objectives

• Support intrusion tolerance by developing improved data integrity methods to recover attacked data

– Many factors influence effectiveness:

  • Many different types of threats

  • Different types and characteristics of data

  • Variety of integrity mechanisms

  • Different size and performance constraints

– Want policy-based selection of mechanisms to effectively protect, recover, and reconstruct data that may be accidentally or maliciously damaged


Existing practice

• Current Methods

– Protection of entire object

  • One-way hash, message authentication codes (MAC), digital signatures

– Replication

– Access control and process control

– Watermarking and self-embedding techniques

• Need better methods to facilitate partial recovery and to focus limited resources where they are needed most


Technical Approach

• Our research is directed in the following areas

– Techniques for identifying and protecting data subsets

– Developing new watermarking/self-embedding techniques

– Exploring how to recover data subsets using secondary data (DSI Marks) and how to partially reconstruct the whole data object

– How to select data protection and recovery mechanisms to meet integrity policy objectives

• Developing software to test the effectiveness of the approach


Technical Approach: Software

[Figure: block diagram with boxes labeled Extract Semantic Segments, DSI Mark Generation, DSI Mark Verification, Data Reconstruction, Integrity Policy, DSI Mark DB, and Suspect Data]


SDI Workshop Examples

[Figure: two panels, "Forged Image" and "Detected Forgery", with callouts "Added Cars" and "Detected Forgery"]


SDI Workshop Examples

[Figure: two panels, "Original Image" and "Segmented Image"]


SDI Workshop Examples

[Figure: two panels, "Forged Image" and "Detected Forgery", with callouts "Added Helicopters" and "Detected Forgery"]


SDI Workshop Examples

[Figure: two panels, "Forged Image" and "Detected Forgery", with callouts "Removed Helicopter" and "Detected Forgery"]


Technical Approach: Subsets

• Develop methods for forming subsets of an object, taking into account data characteristics and intended usage

– Simple example

  • Save signatures of a subset of a picture consisting of just the higher order bits of pixels

  • If some lower order bits are changed, the signature on the subset will still check, and the picture can be partially reconstructed

– Apply extra protection for key parts of an object
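The simple example above, worked through as an added illustration (not code from the original slides). It generalizes to several nested bit-depth subsets, and an HMAC under a constructed key stands in for the saved signature; the function names, key, subset levels and sample image are all assumptions.

```python
import hashlib, hmac

KEY = b"constructed-demo-key"  # assumption: secret shared by protector and verifier
# Constructed 8x8 grayscale sample (a smooth gradient), flattened row by row.
IMAGE = bytes(16 * y + 2 * x for y in range(8) for x in range(8))

def subset(pixels, bits):
    """The data subset: only the `bits` highest-order bits of every 8-bit pixel."""
    mask = (0xFF << (8 - bits)) & 0xFF
    return bytes(p & mask for p in pixels)

def make_marks(pixels, levels=(8, 4, 2)):
    """One keyed MAC per subset, from the full pixel down to the top 2 bits.
    The level is prefixed so a mark for one subset cannot be replayed for another."""
    return {b: hmac.new(KEY, bytes([b]) + subset(pixels, b), hashlib.sha256).digest()
            for b in levels}

def verified_bits(pixels, marks):
    """Largest number of high-order bits per pixel whose mark still verifies (0 if none)."""
    fresh = make_marks(pixels, tuple(marks))
    return max((b for b in marks if hmac.compare_digest(marks[b], fresh[b])), default=0)

def reconstruct(pixels, marks):
    """Keep only the verified bits; unverified low bits are set to their mid-range value."""
    bits = verified_bits(pixels, marks)
    if bits == 0:
        return None                      # no subset verifies, nothing can be trusted
    fill = (1 << (8 - bits)) >> 1        # midpoint of the discarded range (0 when bits == 8)
    return bytes(p | fill for p in subset(pixels, bits))
```

With four verified bits, every reconstructed pixel is within 8 intensity levels of the original, which is the sense in which the picture is partially reconstructed.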


Technical Approach: Subsets (cont.)

• We believe that a good selection of data subset formation methods can lead to improved

– performance characteristics

– likelihood that partially reconstructed objects will contain correct information about “interesting parts”


Technical Approach: Hierarchical Subsets

• We have been experimenting with algorithms for automatically subsetting images based on uniformity criteria (combination of color, intensity, texture similarity)

• Split image into quadrants, test quadrants for uniformity; if a quadrant is uniform, do not subdivide it further. Otherwise, continue subdividing

• Then, merge all “adjacent” segments that share the same uniformity characteristics (or possibly some other desirable characteristics such as a common edge)


Technical Approach: Hierarchical Subsets (cont.)

• Impose different integrity mechanisms at different layers of the decomposition, to achieve policy goals more efficiently
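The split-and-merge procedure from the two slides above, with one integrity mark per resulting segment so that damage can be localised, as an added example (not the project's prototype tool). Assumptions: a square, power-of-two grayscale image, uniformity measured as intensity spread, and an HMAC under a constructed key as the per-segment mechanism; all names are hypothetical.

```python
import hashlib, hmac

KEY = b"constructed-demo-key"  # assumption: secret shared by protector and verifier
LIMIT = 16                     # assumption: "uniform" means intensity spread <= LIMIT
# Constructed 8x8 grayscale sample: background 20 with a bright 2x2 object.
IMAGE = [[200 if 4 <= x <= 5 and 2 <= y <= 3 else 20 for x in range(8)] for y in range(8)]

def pixels(img, x, y, s):
    return [img[j][i] for j in range(y, y + s) for i in range(x, x + s)]

def split(img, x, y, s):
    """Quarter a square region until each piece is uniform or a single pixel."""
    v = pixels(img, x, y, s)
    if s == 1 or max(v) - min(v) <= LIMIT:
        return [(x, y, s)]
    h = s // 2
    return [leaf for dx, dy in ((0, 0), (h, 0), (0, h), (h, h))
            for leaf in split(img, x + dx, y + dy, h)]

def touching(a, b):  # True if squares a and b share part of an edge
    (ax, ay, sa), (bx, by, sb) = a, b
    side = (ax + sa == bx or bx + sb == ax) and ay < by + sb and by < ay + sa
    stack = (ay + sa == by or by + sb == ay) and ax < bx + sb and bx < ax + sa
    return side or stack

def merge(img, leaves):
    """Union edge-adjacent leaves with similar mean intensity into segments."""
    root = {leaf: leaf for leaf in leaves}
    def find(leaf):
        while root[leaf] != leaf:
            leaf = root[leaf]
        return leaf
    avg = {leaf: sum(pixels(img, *leaf)) / leaf[2] ** 2 for leaf in leaves}
    for a in leaves:
        for b in leaves:
            if a < b and touching(a, b) and abs(avg[a] - avg[b]) <= LIMIT:
                root[find(b)] = find(a)
    roots = {find(leaf) for leaf in leaves}
    return sorted([l for l in sorted(leaves) if find(l) == r] for r in roots)

def marks(img, segments):
    """One keyed MAC per segment, covering its geometry and its pixel values."""
    return [hmac.new(KEY, repr(seg).encode() + bytes(p for leaf in seg for p in pixels(img, *leaf)),
                     hashlib.sha256).digest() for seg in segments]

def damaged(img, segments, stored):
    """Segments of the suspect image whose MAC differs from the stored mark."""
    return [seg for seg, new, old in zip(segments, marks(img, segments), stored)
            if not hmac.compare_digest(new, old)]
```

Verification reuses the segmentation saved at protection time rather than re-segmenting the suspect image, since an alteration would change the segmentation itself.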


Technical Approach: Secure Fragile Authentication Watermark

• Investigated some attacks that affect several proposed fragile watermark schemes

• Developed a secure fragile watermark that is resistant to these attacks

– Uses secret key and the watermark is difficult to forge

– Resistant to collage attack


Technical Approach: Hybrid Watermark

• Have implemented a hybrid watermark

– Distinguishes between image processing operations (filtering, lossy compression) and feature alteration/removal/replacement

– Embed a semi-local (64 x 64) robust watermark that degrades gradually with alteration

– Embed a local (8x8) fragile watermark on top that breaks with any alterations


Technical Approach: Policy

• Policy will define the methods to apply to specific objects based on factors, such as:

– Importance of the data or sub-data

– Threats that need to be countered

– Recovery time constraints

– Resource limitations

– Detectability of integrity measure

– Integrity functionality that is available

– Current situation (INFOCON, THREATCON)


Technical Approach: Demonstration Environment

• We are developing an environment for demonstrating and testing our technology

• Current features include:

– Split-and-merge with parameters

– Policy-based integrity mechanism selection

– Malicious alteration

– Damage detection

– Partial reconstruction with self-embedded data


Major Risks and Planned Mitigation

• Risk

– Partial recovery of subsets may not be very practical (too resource-intensive or error-prone)

• Mitigation

– Focus research on more efficient or economical damage detection and less on partial recovery

– Devise policies that control the allowable expenditure of resources


Accomplishments to Date

• Prototype Tool

– Demonstrates hierarchical subset methods

• Watermarking methods

• Some initial results on policy tradeoff analysis


Quantitative Metrics

• Metrics that may be used are

– Size of DSI mark

– Time to apply integrity protection

– Time for partial reconstruction techniques

– Robustness of method


Expected Major Achievements

• If successful, these methods will provide

– A more effective method for data integrity detection and data reconstruction

– A better foundation for relating integrity policy objectives to integrity mechanisms


Task schedule

• First version of prototype tool: Feb 2000

• Next version: July 2000

• Final version: December 2000


Key outstanding issues and recommended resolution

• None


Transition of Technology

• Military transition

– Integrity enhancement for expensive transmissions, e.g., air-to-ground targeting data

– Use of integrity technologies such as self-embedding for steganography (information hiding)

– Using embedded info to trace unauthorized disclosure

• Possible commercial transitions

– Injection of key technologies into WetStone’s SMARTWatch integrity checker


What do you need from the DARPA PM?

• No pending requirements