
Semantics for Cybersecurity and Privacy

Tim Finin, UMBC
Joint work with Anupam Joshi, Karuna Joshi, Zareen Syed and many UMBC graduate students

http://ebiq.org/r/366
2015-05-01


Things, not Strings

• Today’s focus on big data requires semantics
  → Data variety requires analysis, integration & fusion
  → Must understand data’s meaning (i.e., semantics)
  → Exploit background knowledge
• Important for cybersecurity and privacy
  → Protect personal information, esp. in mobile/IoT
  → Modeling & using context is often useful, if not critical
• Needs high-performance computing
  → For machine learning and analytics
  → For information extraction from text


Context-Aware Privacy & Security

• Smart mobile devices know a great deal about their users, including their current context
  → Sensor data, email, calendar, social media, …
• Acquiring & using this knowledge helps them provide better services
• Context-aware policies can be used to limit information sharing as well as to control the actions and information access of mobile apps
• Sharing context with other users, organizations and service providers can also be beneficial
• Context is more than time and GPS coordinates

Example: the same context shared at three levels of detail
  → We’re in a two-hour budget meeting at X with A, B and C
  → We’re in an important meeting
  → We’re busy

http://ebiq.org/p/589
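The graded disclosure above, as an added example that is not the UMBC prototype: a small context-aware policy that decides which of the three levels of detail a requester receives, where the requester roles, the work-hours rule and the sample meeting are all constructed assumptions.

```python
# Added example, not the UMBC prototype: a context-aware disclosure policy that releases
# the slide's three levels of detail ("budget meeting at X with A, B and C" / "important
# meeting" / "busy") depending on who asks and on the context itself. All constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    activity: str        # e.g. "budget meeting"
    location: str        # e.g. "X"
    attendees: tuple     # e.g. ("A", "B", "C")
    duration_hours: int
    important: bool
    hour: int            # local hour of day, part of the context the policy reads

FULL, COARSE, MINIMAL, NONE = "full", "coarse", "minimal", "none"

# Policy rules: (predicate over context and requester role, level); first match wins.
# The colleague rule is context-dependent: outside working hours they only learn "busy".
POLICY = [
    (lambda ctx, role: role == "team", FULL),
    (lambda ctx, role: role == "colleague" and 8 <= ctx.hour < 18, COARSE),
    (lambda ctx, role: role in ("colleague", "contact"), MINIMAL),
]

def level_for(ctx, role, policy=POLICY):
    """Pick the disclosure level; anything the policy does not grant is NONE."""
    return next((lvl for pred, lvl in policy if pred(ctx, role)), NONE)

def generalize(ctx, level):
    """Render the context at the given level of detail (None means share nothing)."""
    if level == FULL:
        names = list(ctx.attendees)
        who = ", ".join(names[:-1]) + " and " + names[-1] if len(names) > 1 else "".join(names)
        with_part = f" with {who}" if who else ""
        return f"We're in a {ctx.duration_hours}-hour {ctx.activity} at {ctx.location}{with_part}"
    if level == COARSE:
        return "We're in an important meeting" if ctx.important else "We're in a meeting"
    if level == MINIMAL:
        return "We're busy"
    return None

def disclose(ctx, role):
    """What a requester with this role learns about the user's current context."""
    return generalize(ctx, level_for(ctx, role))

# Constructed sample context matching the slide's example.
MEETING = Context("budget meeting", "X", ("A", "B", "C"), 2, True, 14)
```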


FaceBlock

FaceBlock automatically obscures faces in pictures using image analysis, dynamic, context-aware policies and ad hoc device communication

http://ebiq.org/p/667


Intrusion Detection Systems

• Current intrusion detection systems perform poorly on zero-day and “low and slow” attacks, and on APTs
• Sharing information from heterogeneous data sources can provide useful information even when an attack signature is unavailable
• Implemented prototypes that integrate and reason over data from IDSs, host and network scanners, and text at the knowledge level
• We’ve established the feasibility of the approach in simple evaluation experiments


From dashboards & watchstanding

(Simple) Analysis


… to situational awareness

(Figure: situational-awareness architecture with the components Traditional Sensors, Non-Traditional “Sensors”, Facts / Information, Context/Situation, Rules, Policies, Analytics and Alerts)

Use-after-free vulnerability in Microsoft Internet Explorer 6 through 8 ….

Text entity extracted from the vulnerability description:

  [ a IDPS:text_entity;
    IDPS:has_vulnerability_term "true";
    IDPS:has_security_exploit "true";
    IDPS:has_text "Internet Explorer";
    IDPS:has_text "arbitrary code";
    IDPS:has_text "remote attackers" ]

Host and log facts from traditional sensors:

  [ a IDPS:system; IDPS:host_IP "130.85.93.105" ]
  [ a IDPS:scannerLog; IDPS:scannerLogIP "130.85.93.105"; … ]
  [ a IDPS:gatewayLog; IDPS:gatewayLogIP "130.85.93.105"; … ]

Rule that fuses the evidence into an alert (?-prefixed terms are variables):

  [ IDPS:scannerLog IDPS:hasBrowser ?Browser
    IDPS:gatewayLog IDPS:hasURL ?URL
    ?URL IDPS:hasSymantecRating "unsafe"
    IDPS:scannerLog IDPS:hasOutboundConnection "true"
    IDPS:WiresharkLog IDPS:isConnectedTo ?IPAddress
    ?IPAddress IDPS:isZombieAddress "true" ]
  =>
  [ IDPS:system IDPS:isUnderAttack "use-after-free vulnerability"
    IDPS:attack IDPS:hasMeans "Backdoor"
    IDPS:attack IDPS:hasConsequence "UnauthorizedRemoteAccess" ]

http://ebiq.org/p/604
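The fusion rule above, run by a tiny forward-chaining matcher, as an added example that is not the UMBC prototype; the evidence triples, the landing URL and the IP address are constructed, and the rule's consequent is taken from the slide.

```python
# Added example (not the UMBC prototype): a tiny forward-chaining matcher running the
# slide's IDPS rule over constructed evidence triples; all facts and URLs are made up.
def unify(pattern, fact, binding):
    """Match one (s, p, o) pattern against a fact; extended binding, or None on mismatch."""
    b = dict(binding)
    for pat, val in zip(pattern, fact):
        if pat.startswith("?"):                 # variable: bind it or check consistency
            if b.setdefault(pat, val) != val:
                return None
        elif pat != val:                        # constant: must match exactly
            return None
    return b

def solve(patterns, facts, binding=None):
    """Yield every binding that satisfies all patterns (naive conjunctive join)."""
    binding = {} if binding is None else binding
    if not patterns:
        yield binding
        return
    for fact in facts:
        b = unify(patterns[0], fact, binding)
        if b is not None:
            yield from solve(patterns[1:], facts, b)
def apply_rule(facts, antecedent, consequent):
    """Forward-chain one rule: instantiate its consequent for every solution found."""
    return {tuple(b.get(t, t) for t in triple)
            for b in solve(antecedent, facts) for triple in consequent}
# Constructed evidence from the host scanner, gateway, URL-rating service and Wireshark.
EVIDENCE = {
    ("IDPS:scannerLog", "IDPS:hasBrowser", "Internet Explorer"),
    ("IDPS:gatewayLog", "IDPS:hasURL", "http://landing.example/x"),
    ("http://landing.example/x", "IDPS:hasSymantecRating", "unsafe"),
    ("IDPS:scannerLog", "IDPS:hasOutboundConnection", "true"),
    ("IDPS:WiresharkLog", "IDPS:isConnectedTo", "203.0.113.7"),
    ("203.0.113.7", "IDPS:isZombieAddress", "true"),
}
# The slide's rule: ?-prefixed terms are variables shared across patterns.
RULE_IF = [
    ("IDPS:scannerLog", "IDPS:hasBrowser", "?Browser"),
    ("IDPS:gatewayLog", "IDPS:hasURL", "?URL"),
    ("?URL", "IDPS:hasSymantecRating", "unsafe"),
    ("IDPS:scannerLog", "IDPS:hasOutboundConnection", "true"),
    ("IDPS:WiresharkLog", "IDPS:isConnectedTo", "?IPAddress"),
    ("?IPAddress", "IDPS:isZombieAddress", "true"),
]
RULE_THEN = [
    ("IDPS:system", "IDPS:isUnderAttack", "use-after-free vulnerability"),
    ("IDPS:attack", "IDPS:hasMeans", "Backdoor"),
    ("IDPS:attack", "IDPS:hasConsequence", "UnauthorizedRemoteAccess"),
]
```

Removing any one evidence triple (say the zombie-address rating) leaves the conjunction unsatisfied and no alert is derived, which is the point of fusing sources: no single sensor sees the whole picture.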


Maintaining the vulnerability KB

• Our approach requires us to keep the KB of software products and known or suspected vulnerabilities and attacks up to date
• Resources like NVD are great, but tapping into text can enrich their information and give earlier warnings of problems

Timeline of one vulnerability’s lifecycle (from the slide’s figure):
• Vendor deploys software
• Attacker finds vuln. & exploits it (01/10/13)
• Exploit reported in mailing list (01/10/13)
• CVE disclosed (01/14/13)
• Vuln. reported in NVD RSS feed
• Analysis: vuln. analyzed & included in NVD feed (02/16/2013)
• Vendor analysis: threat disclosed in vendor bulletin (03/04/2013)
• Patch development: patch released (Critical Patch Update) (06/18/2013)
• Resolution: system update


Information extraction from text

CVE-2012-0150: Buffer overflow in msvcrt.dll in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted media file, aka "Msvcrt.dll Buffer Overflow Vulnerability."

(Figure: annotations over the CVE text)
• Identify relationships: ebqids:hasMeans, ebqids:affectsProduct
• Link concepts to entities: http://dbpedia.org/resource/Buffer_overflow, http://dbpedia.org/resource/Windows_7, http://dbpedia.org/resource/Arbitrary_code_execution

• We use information extraction techniques to identify entities, relations and concepts in security-related text

• These are mapped to terms in our ontology and the DBpedia knowledge base extracted from Wikipedia

http://ebiq.org/p/540
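The extraction step on this slide, as an added example that is not the UMBC extractor: a gazetteer-plus-pattern extractor that turns the CVE-2012-0150 description into ebqids triples and DBpedia links. The gazetteer, the "concept" kind and the reliance on the NVD sentence shape are constructed assumptions; the relation names and the three DBpedia entities are from the slide.

```python
# Added example, not the UMBC extractor: gazetteer-plus-pattern extraction that turns
# a CVE description into ebqids triples and DBpedia links. The gazetteer is constructed.
import re

DBP = "http://dbpedia.org/resource/"
# Constructed gazetteer: lower-cased surface form -> (kind, DBpedia entity).
GAZETTEER = {
    "buffer overflow": ("means", DBP + "Buffer_overflow"),
    "windows vista": ("product", DBP + "Windows_Vista"),
    "windows server 2008": ("product", DBP + "Windows_Server_2008"),
    "windows 7": ("product", DBP + "Windows_7"),
    "execute arbitrary code": ("concept", DBP + "Arbitrary_code_execution"),
}
# Ontology relations named on the slide; "concept" hits are linked but get no relation.
RELATION = {"means": "ebqids:hasMeans", "product": "ebqids:affectsProduct"}

# The CVE description shown on the slide.
CVE_2012_0150 = ("Buffer overflow in msvcrt.dll in Microsoft Windows Vista SP2, Windows "
                 "Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows "
                 "remote attackers to execute arbitrary code via a crafted media file, "
                 'aka "Msvcrt.dll Buffer Overflow Vulnerability."')

def extract(cve_id, description):
    """Return (triples, linked) for one CVE description.

    Relies on the NVD sentence shape '<means> in <products> allows ... to <effect>':
    the means is the leading phrase, products sit before 'allows', effects after it."""
    text = description.lower()
    head, _, tail = text.partition(" allows ")
    triples, linked = [], set()
    for form, (kind, uri) in GAZETTEER.items():
        if kind == "means":
            found = head.startswith(form)
        else:
            span = head if kind == "product" else tail
            found = re.search(r"\b" + re.escape(form) + r"\b", span) is not None
        if found:
            linked.add(uri)
            if kind in RELATION:
                triples.append((cve_id, RELATION[kind], uri))
    return triples, linked
```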