1. Assured Information Sharing for Security and Intelligence Applications Prof. Bhavani Thuraisingham Prof. Latifur Khan Prof. Murat Kantarcioglu Prof. Kevin Hamlen The University of Texas at Dallas Project Funded by the Air Force Office of Scientific Research (AFOSR) June 2008

2. Assured Information Sharing
Daniel Wolfe (formerly of the NSA) defined assured information sharing (AIS) as a framework that “provides the ability to dynamically and securely share information at multiple classification levels among U.S., allied and coalition forces.”
The DoD’s vision for AIS is to “deliver the power of information to ensure mission success through an agile enterprise with freedom of maneuverability across the information environment”
9/11 Commission report has stated that we need to migrate from a need-to-know to a need-to-share paradigm
Our objective is to help achieve this vision by defining an AIS lifecycle and developing a framework to realize it.

3. Architecture: 2005-2008 Trustworthy Partners Semi-Trustworthy Partners
Data/Policy for Coalition
Export
Export
Data/Policy
Data/Policy
Export
Data/Policy
Component
Component
Data/Policy for
Data/Policy for
Agency A
Agency C
Component
Data/Policy for
Trustworthy Partners
Semi-Trustworthy Partners
Untrustworthy Partners
Agency B 3

4. Our Approach
Integrate the Medicaid claims data and mine the data; next enforce policies and determine how much information has been lost (Trustworthy partners); Prototype system
Trust for Peer to Peer Networks
Apply game theory and probing to extract information from semi-trustworthy partners
Conduct information operations (defensive and offensive) and determine the actions of an untrustworthy partner.
Data Mining applied for trustworthy, semi-trustworthy and untrustworthy partners 4

5. Policy Enforcement Prototype Dr. Mamoun Awad (postdoc) and students
Coalition

6. Architectural Elements of the Prototype
Policy Enforcement Point (PEP):
Enforces policies on requests sent by the Web Service.
Translates this request into an XACML request; sends it to the PDP.
Policy Decision Point (PDP):
Makes decisions regarding the request made by the web service.
Conveys the XACML request to the PEP.
Policy Files:
Policy Files are written in XACML policy language. Policy Files specify rules for “Targets”. Each target is composed of 3 components: Subject, Resource and Action; each target is identified uniquely by its components taken together. The XACML request generated by the PEP contains the target. The PDP’s decision making capability lies in matching the target in the request file with the target in the policy file. These policy files are supplied by the owner of the databases (Entities in the coalition).
Databases:
The entities participating in the coalition provide access to their databases.

7. Integrating Security with Semantic Web
Policies have to be specified and reasoned about
Semantic web technologies allow capturing of syntax and semantics (e.g., XML, RDF, OWL)
We are specifying RBAC (Role-based access control) policies in OWL (Web Ontology Language) and have developed a model called ROWLBAC
Next step is to specify UCON (Usage control) policies in OWL or OWL-like language
Goal is to specify and reason about security policies using semantic web-based specification languages and reasoning engines
Collaboration between UTD-UTSA-UMBC-MIT 7

8. Distributed Information Exchange (Ryan Layfield, Murat Kantarcioglu, Bhavani Thuraisingham)
Multiple, sovereign parties wish to cooperate
Each carries pieces of a larger information puzzle
Can only succeed at their tasks when cooperating
Have little reason to trust or be honest with each other
Cannot agree on single impartial governing agent
No one party has significant clout over the rest
No party innately has perfect knowledge of opponent actions
Verification of information incurs a cost
Faking information is a possibility
Current modern example: Bit Torrent
Assumes information is verifiable
Enforces punishment however through a centralized server

9. Game Theory
Studies such interactions through mathematical representations of gain
Each party is considered a player
The information they gain from each other is considered a payoff
Scenario considered a finite repeated game
Information exchanged in discrete ‘chunks’ each round
Situation terminates at a finite yet unforeseeable point in the future
Actions within the game are to either lie or tell the truth
Our Goal: All players draw conclusion that telling the truth is the best option

10. Withdrawal
Much of the work in this area only considers sticking with available actions
I.e. Tit-for-tat: Mimic other player’s moves
All players initially play this game with each other
Fully connected graph
Initial level of trust inherent
As time goes on, players which deviate are simply cut-off
Player that is cut-off no longer receives payoff from that link
Goal: Isolate the players which choose to lie

11. The Payoff Matrix

12. Enforcing Honest Choice
Repeated games provide opportunity for enforcement
Choice of telling the truth must be beneficial
The utility (payoff) of decisions made:
Note that when

13. Experimental Setup
We created an evolutionary game in which players had the option of selecting a more advantageous behavior
Available behaviors included:
Our punishment method
Tit-for-Tat
‘Subtle’ lie
Every 200 rounds, behaviors are re-evaluated
If everyone agrees on a truth-telling behavior, our goal is achieved

14. Results

15. Conclusions: Semi-trustworthy partners
Experiments confirm our behaviors success
Equilibrium of behavior yielded both a homogenous choice of TruthPunish and truth told by all agents
Rigorous despite wide fluctuations in payoff 
Notable Observations
Truth-telling cliques (of mixed behaviors) rapidly converged to TruthPunish
Cliques, however, only succeeded when the ratio of like-minded helpful agents outweighed benefits of lying periodically
Enough agents must use punishment ideology
Tit-for-Tat was the leading competitor

16. Defensive Operations: Detecting Malicious Executables using Data Mining
What are malicious executables?
Harm computer systems
Virus, Exploit, Denial of Service (DoS), Flooder, Sniffer, Spoofer, Trojan etc.
Exploits software vulnerability on a victim
May remotely infect other victims
Incurs great loss. Example: Code Red epidemic cost $2.6 Billion
Malicious code detection: Traditional approach
Signature based
Requires signatures to be generated by human experts
So, not effective against “zero day” attacks

17. Automated Detection State of the Art Our New Ideas
Automated detection approaches:
Behavioural: analyse behaviours like source, destination address, attachment type, statistical anomaly etc.
Content-based: analyse the content of the malicious executable
Autograph (H. Ah-Kim – CMU): Based on automated signature generation process
N-gram analysis (Maloof, M.A. et .al.): Based on mining features and using machine learning.
Our New Ideas
Content -based approaches consider only machine-codes (byte-codes).
Is it possible to consider higher-level source codes for malicious code detection?
Yes: Disassemble the binary executable and retrieve the assembly program
Extract important features from the assembly program
Combine with machine-code features

18. Feature Extraction Hybrid Approach
Binary n-gram features
Sequence of n consecutive bytes of binary executable
Assembly n-gram features
Sequence of n consecutive assembly instructions
System API call features
DLL function call information
Hybrid Approach
Collect training samples of normal and malicious executables. Extract features
Train a Classifier and build a model
Test the model against test samples

19. Hybrid Feature Retrieval (HFR)
Training

20. Hybrid Feature Retrieval (HFR)
Testing

21. Feature Extraction Binary n-gram features
Features are extracted from the byte codes in the form of n-grams, where n = 2,4,6,8,10 and so on.
Example:
Given a 11-byte sequence: abcdef012345,
The 2-grams (2-byte sequences) are: 0123, 2345, 4567, 6789, 89ab, abcd, cdef, ef01, 0123, 2345
The 4-grams (4-byte sequences) are: , , ab,...,ef and so on....
Problem:
Large dataset. Too many features (millions!).
Solution:
Use secondary memory, efficient data structures
Apply feature selection

22. Feature Extraction Assembly n-gram features
Features are extracted from the assembly programs in the form of n-grams, where n = 2,4,6,8,10 and so on.
Example:
three instructions
“push eax”; “mov eax, dword[0f34]” ; “add ecx, eax”;
2-grams
(1) “push eax”; “mov eax, dword[0f34]”;
(2) “mov eax, dword[0f34]”; “add ecx, eax”;
Problem: Same problem as binary
Solution: Select best features
Select Best K features
Selection Criteria: Information Gain
Gain of an attribute A on a collection of examples S is given by

23. Experiments Dataset Dataset1: 838 Malicious and 597 Benign executables
Collected Malicious code from VX Heavens (
Disassembly
Pedisassem ( )
Training, Testing
Support Vector Machine (SVM)
C-Support Vector Classifiers with an RBF kernel

24. Results - I HFS = Hybrid Feature Set BFS = Binary Feature Set
AFS = Assembly Feature Set

25. Results - II HFS = Hybrid Feature Set BFS = Binary Feature Set
AFS = Assembly Feature Set

26. Peer to Peer Botnet Detection
Masud, M. M. 1, Gao, J.2, Khan, L. 1, Han, J.2,
Thuraisingham, B1
1University of Texas at Dallas
2University of Illinois at Urbana Champaign
Data Mining Approach
Monitor Stream Data 26

27. Background Botnet Taxonomy: Network traffic monitoring
Network of compromised machines
Under the control of a botmaster
Taxonomy:
C&C : Centralized, Distributed etc.
Protocol: IRC, HTTP, P2P etc.
Rallying mechanism: Hard-coded IP, Dynamic DNS etc.
Network traffic monitoring 27

28. What To Monitor? Monitor Payload / Header?
Botnet detection
Monitor Payload / Header?
Problems with payload monitoring
Privacy
Unavailability
Encryption/Obfuscation
Information extracted from Header (features)
New connection rate
Packet size
Upload/Download bandwidth
Arp request & ICMP echo reply rate 28

29. Mapping to Stream Data Mining
Stream data : Stream data refers to any continuous flow of data.
For example: network traffic / sensor data.
Properties of stream data : Stream data has two important properties: infinite length & concept drift
Stream data classification: Cannot be done with conventional classification algorithms
We propose a multi-chunk multi-level ensemble approach to solve these problems,
which significantly reduces error over the single-chunk single-level ensemble approaches. 29

30. The Single-Chunk Single-Level Ensemble (SCE) Approach
Stream Data Classification
The Single-Chunk Single-Level Ensemble (SCE) Approach
Divide the data stream into equal sized chunks
Train a classifier from each data chunk
Keep the best K such classifier-ensemble
Select best K classifiers from {c1,…ck} U {ck+1} D1 D2 D3 … Dk
Dk+1 c1 c2 c3 ck
ck+1 30

31. Our Approach: Multi-Chunk Multi-Level Ensemble (MCE)
MCE approach
Our Approach: Multi-Chunk Multi-Level Ensemble (MCE)
Train v classifiers from r consecutive data chunks, and create an ensemble, and Keep the best K such ensembles
Two-level ensemble hierarchy:
Top level (A): ensemble of K middle level ensembles Ai
Middle level (Ai): ensemble of v bottom level classifiers Ai(j) A
Top level ensemble A1 AK
Middle level ensembles { {
A1(1)
A1(v)
AK(1)
AK(V)
Bottom level classifiers 31

32. Middle-level Ensemble Construction
MCE approach
Middle-level Ensemble Construction 32

33. Top Level Ensemble Updating
MCE approach
Top Level Ensemble Updating
Let Dn be the most recent labeled data chunk
Let A be the top-level ensemble
Construct a middle-level ensemble A`
using r consecutive data chunks: D={Dn-r+1,…,Dn}
Obtain error of A` on D by testing each classifier A`(j) on its corresponding test data dj
Obtain error of each middle level ensemble A1,…Ak on the latest chunk Dn
A  K lowest error middle level ensembles in classifiers in A U {A`} 33

34. Error Reduction Analysis
MCE approach
Error Reduction Analysis
Proof: 34

35. Error Reduction Analysis (continued)
MCE approach
Proof: 35

36. Results on synthetic data
Evaluation
MCE approach
Results on synthetic data
Results on botnet data 36

37. Offensive Operation: Overview Kevin Hamlen, Mehedy Masud, Latifur Khan, Bhavani Thuraisingham
Goal
To hack/attack other person’s computer and steal sensitive information
Without having been detected
Idea
Propagate malware (worm/spyware etc.) through network
Apply obfuscation so that malware detectors fail to detect the malware
Assumption
The attacker has the malware detector (valid assumption because anti-virus software are public) 37

38. Strategy Steps: Extract the model from the malware detector
Obfuscate the malware to evade the model
Dynamic approach
There have been some works on automatic model extraction from malware detector, such as:
Christodorescu and Jha. Testing Malware Detectors. In Proc ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2004).
Malware detector
Model extraction
Malware
Model
Analysis
Obfuscation/refinement 38

39. Some Recent Publications
Assured Information Sharing: Book Chapter on Intelligence and Security Informatics, Springer, 2007
Simulation of Trust Management in a Coalition Environment, Proceedings IEEE FTDCS, March 2007
Data Mining for Malicious Code Detection, Journal of Information Security and Privacy, 2008
Enforcing Honesty in Assured Information Sharing within a Distributed System, Proceedings IFIP Data Security Conference, July 2007
Confidentiality, Privacy and Trust Policy Management for Data Sharing, IEEE POLICY, Keynote address, June 2007 Centralized Reputation in Decentralized P2P Networks, IEEE ACSAC 2007
Data Stream Classification: Training with Limited Amount of Labeled Data, IEEE ICDM December 2008 (with Jiawei Han)
Content-based Schema Matching, ACM SIGSpatial Conference, November 2008 (with Shashi Shekhar) 39

40. Directions/Projects
Assured Information Sharing MURI - AFOSR (UMBC, Purdue, UIUC, UTSA, U of MI
Secure Grid – AFOSR (Purdue, UTArlington)
Secure Geospatial Information Management – NGA, Raytheon (U of MN)
Semantic web-based Information Sharing – IARPA, NSF (UMBC)
Risk-based Trust Modeling – AFOSR (Purdue)
Data Mining for Fault Detection – NASA (UIUC)
Secure Social Networking – AFOSR (Purdue, UTArlington, Collin County) 40

41. Research Transitioned into AIS MURI – AFOSR UMBC-Purdue-UTD-UIUC-UTSA-UofMI 2008-2013
(1) Develop a Assured Information Sharing Lifecycle (AISL)
(2) a framework based on a secure semantic event-based service oriented architecture to realize the life cycle
(3) novel policy languages, reasoning engines, negotiation strategies, and security infrastructures
(4) techniques to exploit social networks to enhance AISL
(5) techniques for federated information integration, discovery and quality validation
(6) techniques for incentivized assured information sharing.
Kings College University of London and University of Insurbria requesting funding from AFOSR London office for Coalition AIS demonstration (Steve Barker, Barbara Carminati, Elena Ferrari)

42. AISL AISL consists of three phases
(1) information discovery and advertising
(2) information acquisition, release and integration
(3) information usage and control.
These phases will realize the information sharing value chain of (DoD 2007).

43. DoD Information Sharing Implementation Strategy I: Leverage the Information Sharing Value Chain
Implementation Strategy I: Recognize & leverage the Information Sharing Value Chain. “The Information Sharing Value Chain articulates the “opportunity” of information sharing to support informed decision making, shared situational awareness and improve knowledge at every level of the DoD. The risks encountered at each step of the information sharing value chain must be managed to mitigate negative consequences.” Our proposed solution to this strategy is to develop AISL System

44. DoD Information Sharing Implementation Strategy II: Force Information Mobility
Implementation Strategy II: Forge information mobility. “Information mobility is the dynamic availability of information which is promoted by the business rules, information systems, architectures, standards, and guidance/policy to address the needs of both planned and unanticipated information sharing partners and events. Information mobility provides the foundation for shared and user-defined situational awareness. Trusted information must be made visible, accessible, and understandable to any authorized user in DoD or to external partners except where limited by law or policy.” Our solution to this strategy is to develop architectures, policies, and secure social networking as well as share our findings with AFKN (Air Force Knowledge Now)
Secure Semantic Event-based Service Oriented Architecture (SSE-SOA)
Security Policies and Models
Social Networking
Form federations
Knowledge management and AFKN

45. Security Policies and Model
Attribute based access control
XACML
UCON
Policy integration
Policy similarity evaluation

46. Secure Semantic Event-based Service Oriented Architecture
Grounded in semantic web technologies
Extends semantic web and SOA technologies with event management and security

47. Security Architecture
Layered security architecture
Multiple security services to enforce the security policies
Figure 3-5 Security Infrastructure

48. Social Networking
A key enabler of information mobility is social networking especially with respect to unanticipated and unstructured situations.
The term social network is used to denote several types of relationships between individuals, including information sharing, trust, reputation, and organizational ties.
Understanding the social and communication network upon which information is shared is essential in all phases of AISL, contributing to the relevance, quality, and security of the data and supporting communities of practice.
Currently, Web 2.0 environments are enabling individuals to use social networks to collectively filter and generate information online.
We are studying those environments to develop novel algorithms and tools.
novelty
relevance
trust
sharing incentive
information flow path
individual receiving information

49. Assured Knowledge Management
Workforce information sharing competence where the “workforce’s ability to share information across the enterprise through leadership examples, shifts in cultural norms, and training on tactics, techniques and procedures” is another enabler for information mobility.
Each of the services has implemented systems for knowledge management including Air Force’s AFKN (Air Force Knowledge Now) to share best practices and processes.
We have conducted an investigation on the security impact of knowledge management strategies, processes and metrics in building a secure learning organization.
Goal is to share the technologies and tools we develop for incentives assured information sharing and social networking as well as our current research on secure knowledge management with AFKN and related DoD projects.

50. DoD Information Sharing Implementation Strategy III: Make information a force multiplier through sharing
Implementation Strategy III: Make information a force multiplier through sharing. Information as a force multiplier refers to exploiting relative information advantages against our adversaries and to support effective, unified disaster response. Sharing is inherent in information becoming a force multiplier and results in increased operational effectiveness. Our solution to this strategy is to design and implement modules for information integration, analysis and quality management that addresses the 4Vs – Volume, Veracity, Velocity and Vector
Novel techniques for information quality management and validation, information search and integration and information discovery and analysis that make “information a force multiplier through sharing” focusing on the 4Vs (Volume, Veracity, Velocity and Vector).
Our objective is to get the right information at the right time to the decision maker so that he/she can make the right decisions to support the war fighter in the midst of uncertain and unanticipated events.

51. Information Sharing Architecture
Information Sharing Protocol
Relevance
Quality
Incentive
Manager
Service-Oriented Architecture
Request-Based
Sharing Controller
Search and Integration
Discovery
Analysis
Security
Policy
Human
Decision
Makers
Network
Security Policy Auditor
Selective Dissem.
Local
info
Figure Information Sharing Architecture
Social
Metadata
Registry
Information Sharing Protocol. Our information sharing protocol for AISL consists of:
Request-based information sharing, an information consumer takes initiative and makes a request for specific information from relevant partner organizations. Request-based sharing is achieved through three services: (1) request broadcasting; (2) information supplying (for answering requests); (3) information fusion (for combining results)
Selective dissemination, an information producer takes initiative and selectively disseminates potentially useful information to appropriate partners, who can further selectively filter out irrelevant information. Selective dissemination sharing is achieved through two services: (1) information broadcasting (for distributing information) and (2) information fusion (for receiving and combining information).

52. DoD Information Sharing Implementation Strategy IV: Promote a federated Information Sharing Community/Environment
DoDAF (DoD Architecture Framework) states “in order to federate architectures, there must be semantic agreement so that pertinent information can be related appropriately”
The architectures, frameworks and policy languages that we will develop in this project will facilitate the specification of semantic agreements, governance rules as well as ways to enforce them.
Our research on assured information integration and discovery will provide solutions to how architectures are discovered and integrated.
We will share our findings with the DoDAF and related efforts.
Implementation Strategy IV: Promote a federated Information Sharing Community/Environment. Governance, policy and cultural considerations establish the required multi-lateral relationships working in a regulated, risk management environment that ensures information security, privacy, and trust. The federated approach establishes and maintains a trusted community of information sharing that promotes collaboration, leverages the information integrators in the community and reduces the “seams” between organizations, domains and functions. Our proposed solution to this strategy is to share our research on federated information integration and policy management with DoDAF

53. DoD Information Sharing Implementation Strategy V: Address the economic reality of information sharing
Building mechanisms to give incentives to individuals/organizations for information sharing.
Once such mechanisms are built, we can use concepts from the theory of contracts to determine appropriate rewards such as ranking
Exploring how to leverage secure distributed audit logs to rank individual organizations between trustworthy partners.
To handle situations where it is not possible to carry out auditing, developing game theoretic strategies for extracting information from the partners.
The impact of behavioral approaches to sharing being examined
Conduct studies based on economic theories and integrate relevant results into incentivized assured information sharing. .
Implementation Strategy V: Address the economic reality of information sharing. “Create guidance and incentives within the budgeting and resource allocation process to encourage organizations to share information that promotes informed decision making, improves situational awareness, establishes economies of knowledge, and creates unity of effort.” Our proposed solution to this strategy is to develop theories and tools for behavior based incentivized assured information sharing.