Semantics for Cybersecurity and Privacy
Tim Finin, UMBC
Joint work with Anupam Joshi, Karuna Joshi, Zareen Syed and many UMBC graduate students
http://ebiq.org/r/366
2015-05-01
Things, not Strings
• Today’s focus on big data requires semantics
  → Data variety requires analysis, integration & fusion
  → Must understand data’s meaning (i.e., semantics)
  → Exploit background knowledge
• Important for cybersecurity and privacy
  → Protect personal information, esp. in mobile/IoT
  → Modeling & using context is often useful, if not critical
• Needs high-performance computing
  → For machine learning and analytics
  → For information extraction from text
Context-Aware Privacy & Security
• Smart mobile devices know a great deal about their users, including their current context
• Sensor data, email, calendar, social media, …
• Acquiring & using this knowledge helps them provide better services
• Context-aware policies can be used to limit information sharing as well as to control the actions and information access of mobile apps
• Sharing context with other users, organizations and service providers can also be beneficial
• Context is more than time and GPS coordinates
The same context at three levels of detail (figure):
  We’re in a two-hour budget meeting at X with A, B and C
  We’re in an important meeting
  We’re busy
http://ebiq.org/p/589
FaceBlock
http://ebiq.org/p/666
FaceBlock
FaceBlock automatically obscures faces in pictures using image analysis, dynamic, context-aware policies and ad hoc device communication
http://ebiq.org/p/667
Intrusion Detection Systems
• Current intrusion detection systems are poor for zero-day and “low and slow” attacks, and APTs
• Sharing information from heterogeneous data sources can provide useful information even when an attack signature is unavailable
• Implemented prototypes that integrate and reason over data from IDSs, host and network scanners, and text at the knowledge level
• We’ve established the feasibility of the approach in simple evaluation experiments
Architecture (figure): from dashboards & watchstanding with (simple) analysis … to situational awareness. Diagram components: Traditional Sensors, Non-Traditional “Sensors”, Facts / Information, Context / Situation, Rules, Policies, Analytics, Alerts.
Text: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 8 …

Facts extracted from the text and from the host’s logs (slide notation, N3-like):

  [ a IDPS:text_entity;
    IDPS:has_vulnerability_term "true";
    IDPS:has_security_exploit "true";
    IDPS:has_text "Internet Explorer";
    IDPS:has_text "arbitrary code";
    IDPS:has_text "remote attackers" . ]

  [ a IDPS:system; IDPS:host_IP "130.85.93.105" . ]

  [ a IDPS:scannerLog; IDPS:scannerLogIP "130.85.93.105"; … ]
  [ a IDPS:gatewayLog; IDPS:gatewayLogIP "130.85.93.105"; … ]

Rule that combines them:

  [ IDPS:scannerLog IDPS:hasBrowser ?Browser .
    IDPS:gatewayLog IDPS:hasURL ?URL .
    ?URL IDPS:hasSymantecRating "unsafe" .
    IDPS:scannerLog IDPS:hasOutboundConnection "true" .
    IDPS:WiresharkLog IDPS:isConnectedTo ?IPAddress .
    ?IPAddress IDPS:isZombieAddress "true" ]
  =>
  [ IDPS:system IDPS:isUnderAttack "use-after-free vulnerability" .
    IDPS:attack IDPS:hasMeans "Backdoor" .
    IDPS:attack IDPS:hasConsequence "UnauthorizedRemoteAccess" ]
http://ebiq.org/p/604
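To show how the rule above is actually evaluated at the knowledge level, here is a small forward-chaining matcher. This is an added example, not code from the UMBC slides or their prototype: the rule is transcribed as a (body, head) pair of triple patterns, and the scanner, gateway and Wireshark facts (browser, URL, rating, addresses) are constructed for the demo. It also runs a benign variant, where the visited URL is rated safe, to show that the alert is not derived.

```python
"""Knowledge-level reasoning over IDPS facts: an added example, not code from
the UMBC slides or their prototype.  The rule on the slide is encoded as a
pattern over (subject, predicate, object) triples and applied to two
constructed fact sets.  All log values below are constructed for the demo."""


def unify(pattern, fact, bindings):
    """Match one pattern triple against one fact triple.
    Terms starting with '?' are variables; returns extended bindings or None."""
    new = dict(bindings)
    for p, f in zip(pattern, fact):
        if p.startswith("?"):
            if new.get(p, f) != f:      # variable already bound to something else
                return None
            new[p] = f
        elif p != f:                    # constant term must match exactly
            return None
    return new


def solve(body, facts, bindings=None):
    """Yield every binding set under which all body patterns hold in facts."""
    bindings = {} if bindings is None else bindings
    if not body:
        yield bindings
        return
    for fact in facts:
        b = unify(body[0], fact, bindings)
        if b is not None:
            yield from solve(body[1:], facts, b)


def forward_chain(facts, rules):
    """Naive fixpoint: fire rules until no new triples are derived."""
    kb = set(facts)
    while True:
        derived = set()
        for body, head in rules:
            for b in list(solve(body, kb)):          # materialise before mutating kb
                for s, p, o in head:
                    derived.add((b.get(s, s), b.get(p, p), b.get(o, o)))
        if derived <= kb:
            return kb
        kb |= derived


# The rule from the slide, transcribed as a (body, head) pair.
UNDER_ATTACK_RULE = (
    [("IDPS:scannerLog",   "IDPS:hasBrowser",            "?Browser"),
     ("IDPS:gatewayLog",   "IDPS:hasURL",                "?URL"),
     ("?URL",              "IDPS:hasSymantecRating",     "unsafe"),
     ("IDPS:scannerLog",   "IDPS:hasOutboundConnection", "true"),
     ("IDPS:WiresharkLog", "IDPS:isConnectedTo",         "?IPAddress"),
     ("?IPAddress",        "IDPS:isZombieAddress",       "true")],
    [("IDPS:system", "IDPS:isUnderAttack",  "use-after-free vulnerability"),
     ("IDPS:attack", "IDPS:hasMeans",       "Backdoor"),
     ("IDPS:attack", "IDPS:hasConsequence", "UnauthorizedRemoteAccess")],
)

# Constructed facts: scanner, gateway and Wireshark observations for one host.
SUSPICIOUS_FACTS = {
    ("IDPS:scannerLog",   "IDPS:hasBrowser",            "Internet Explorer 8"),
    ("IDPS:gatewayLog",   "IDPS:hasURL",                "http://example.invalid/update"),
    ("http://example.invalid/update", "IDPS:hasSymantecRating", "unsafe"),
    ("IDPS:scannerLog",   "IDPS:hasOutboundConnection", "true"),
    ("IDPS:WiresharkLog", "IDPS:isConnectedTo",         "192.0.2.44"),
    ("192.0.2.44",        "IDPS:isZombieAddress",       "true"),
}

# Same host, but the visited URL is rated safe: the rule must not fire.
BENIGN_FACTS = {f for f in SUSPICIOUS_FACTS if f[1] != "IDPS:hasSymantecRating"} | {
    ("http://example.invalid/update", "IDPS:hasSymantecRating", "safe")}


def assess(facts, rules=(UNDER_ATTACK_RULE,)):
    """Return only the triples derived by the rules (the alerts), not the inputs."""
    return forward_chain(facts, rules) - set(facts)


if __name__ == "__main__":
    for name, facts in (("suspicious", SUSPICIOUS_FACTS), ("benign", BENIGN_FACTS)):
        print(name, sorted(assess(facts)))
```

The matcher is deliberately naive (it re-scans the whole fact set on every rule firing), which is fine for a handful of log facts; the point is that a single rule joins evidence from three different sensors through the shared variables ?URL and ?IPAddress, and that no single sensor's data would have triggered the alert on its own.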
Maintaining the vulnerability KB
• Our approach requires us to keep the KB of software products and known or suspected vulnerabilities and attacks up to date
• Resources like NVD are great, but tapping into text can enrich their information and give earlier warnings of problems
Timeline (figure) for one vulnerability, from deployment to system update:
  Vendor deploys software
  Attacker finds vuln. & exploits it (01/10/13)
  Exploit reported in mailing list (01/10/13)
  CVE disclosed (01/14/13)
  Vuln. reported in NVD RSS feed
  Analysis: vuln. analyzed & included in NVD feed (02/16/2013)
  Vendor analysis: threat disclosed in vendor bulletin (03/04/2013)
  Patch development: patch released (Critical Patch Update) (06/18/2013)
  Resolution: system update
Information extraction from text
CVE-2012-0150: Buffer overflow in msvcrt.dll in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted media file, aka "Msvcrt.dll Buffer Overflow Vulnerability."
Relations and linked entities extracted from that text (figure):
  Identify relationships: ebqids:hasMeans → http://dbpedia.org/resource/Buffer_overflow
  Link concepts to entities: ebqids:affectsProduct → http://dbpedia.org/resource/Windows_7
  http://dbpedia.org/resource/Arbitrary_code_execution
• We use information extraction techniques to identify entities, relations and concepts in security-related text
• These are mapped to terms in our ontology and to the DBpedia knowledge base extracted from Wikipedia
http://ebiq.org/p/540
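The following is an added example of the extraction step, not the UMBC extractor: a small gazetteer of phrases stands in for the trained entity and relation extractor, and each hit is emitted as an ontology triple linking the CVE to a DBpedia entity. The three DBpedia URIs and the two relation names shown on the slide (ebqids:hasMeans, ebqids:affectsProduct) are taken from the slide; the relation ebqids:hasConsequence and the other DBpedia URIs in the gazetteer are assumptions for the demo.

```python
"""Information extraction from a CVE description into ontology-linked triples.
Added example, not the UMBC extractor.  A gazetteer stands in for the trained
entity/relation extractor and DBpedia linker described on the slide; the
ebqids:hasConsequence relation and every DBpedia URI other than Buffer_overflow,
Windows_7 and Arbitrary_code_execution (the three on the slide) are assumptions."""
import re

DBP = "http://dbpedia.org/resource/"

# (regex over the description text, ontology relation, linked DBpedia entity)
GAZETTEER = [
    (r"\bbuffer overflow\b",        "ebqids:hasMeans",       DBP + "Buffer_overflow"),
    (r"\buse-after-free\b",         "ebqids:hasMeans",       DBP + "Dangling_pointer"),     # assumed link
    (r"\bexecute arbitrary code\b", "ebqids:hasConsequence", DBP + "Arbitrary_code_execution"),
    (r"\bWindows 7\b",              "ebqids:affectsProduct", DBP + "Windows_7"),
    (r"\bWindows Vista\b",          "ebqids:affectsProduct", DBP + "Windows_Vista"),        # assumed
    (r"\bWindows Server 2008\b",    "ebqids:affectsProduct", DBP + "Windows_Server_2008"),  # assumed
    (r"\bInternet Explorer\b",      "ebqids:affectsProduct", DBP + "Internet_Explorer"),    # assumed
]

CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def extract(text):
    """Map a CVE description to (cve, relation, dbpedia_entity) triples.
    The subject is the CVE id found in the text, or a blank node if none."""
    m = CVE_ID.search(text)
    subject = m.group(0) if m else "_:unknown_cve"
    triples = set()
    for pattern, relation, entity in GAZETTEER:
        if re.search(pattern, text, re.IGNORECASE):
            triples.add((subject, relation, entity))
    return triples


def to_n3(triples):
    """Render triples in the N3-style notation used on the slides."""
    return "\n".join(f"<{s}> {p} <{o}> ." for s, p, o in sorted(triples))


# The description from the slide (NVD text for CVE-2012-0150).
CVE_2012_0150 = (
    "CVE-2012-0150 Buffer overflow in msvcrt.dll in Microsoft Windows Vista SP2, "
    "Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows "
    "remote attackers to execute arbitrary code via a crafted media file, aka "
    '"Msvcrt.dll Buffer Overflow Vulnerability."')

if __name__ == "__main__":
    print(to_n3(extract(CVE_2012_0150)))
```

Running it on the slide's description yields one hasMeans triple, one hasConsequence triple and three affectsProduct triples (Vista, Server 2008, Windows 7); the triples can then be loaded into the same KB that the intrusion-detection rules reason over, which is how text enriches NVD-style feeds in the approach described above.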