Cyber Security Research at the University of Texas at Dallas - PowerPoint PPT Presentation



1
Cyber Security Research at the University of
Texas at Dallas
  • Dr. Bhavani Thuraisingham
  • The University of Texas at Dallas
  • bhavani.thuraisingham_at_utdallas.edu
  • April 23, 2007

2
About the Cyber Security Research Center
  • NSA/DHS Center for Excellence in Information
    Assurance Education (2004, 2007)
  • Over 20 Faculty in Jonsson School conducting
    research in Cyber Security
  • Collaborating with researchers in the School of
    Management on Risk analysis and Game theory
    applications
  • Beginning collaboration with UT Southwestern
    Medical Center
  • Joint projects and proposals with leading
    researchers
  • Part of UTD's CyberSecurity and Emergency
    Preparedness Institute
  • Executive Director: Prof. Douglas Harris

3
Cyber Security Research Areas at UTD
  • Network Security
  • Secure wireless and sensor networks
  • Systems and Language Security
  • Embedded systems security, Buffer overflow
    defense
  • Data and Applications Security
  • Information sharing, Geospatial data management,
    Surveillance, Secure web services, Privacy,
    Dependable information management, Intrusion
    detection
  • Security Theory and Protocols
  • Secure group communication
  • Security Engineering
  • Secure component-based software
  • Cross Cutting Themes
  • Vulnerability analysis, Access control

4
Our Model: R&D, Technology Transfer,
Standardization and Commercialization
  • Basic Research (6-1 Type)
  • Funding agencies such as NSF, AFOSR, etc. Publish
    our research in top journals (ACM and IEEE
    Transactions)
  • Applied Research
  • Some federal funding (e.g., from government
    programs) and commercial corporations (e.g.,
    Raytheon); our current collaboration with
    AFRL-ARL
  • Technology Transfer / Development
  • Work with corporations such as Raytheon to
    showcase our research to sponsors (e.g., GEOINT)
    and transfer research to operational programs
    such as DCGS
  • Standardization
  • Our collaborations with OGC and standardization
    of our research (e.g., GRDF)
  • Commercialization
  • Patents, Work with VCs, Corporations, SBIR, STTR
    for commercialization of our tools (e.g., our
    work on data mining tools)

5
Technical and Professional Accomplishments
  • Publications of research in top journals and
    conferences, books
  • IEEE Transactions, ACM Transactions, 8 books
    published and 2 books in preparation including
    one on UTD research (Data Mining Applications,
    Awad, Khan and Thuraisingham)
  • Member of Editorial Boards/Editor in Chief
  • Journal of Computer Security, ACM Transactions
    on Information and Systems Security, IEEE
    Transactions on Dependable and Secure Computing,
    IEEE Transactions on Knowledge and Data
    Engineering, Computer Standards and Interfaces -
    - -
  • Advisory Boards / Memberships/Other
  • Purdue University CS Department, Invitations to
    write articles in Encyclopedia Britannica on data
    mining, Keynote addresses, Talks at DFW NAFTA and
    Chamber of Commerce, Commercialization
    discussions of data mining tools for security
  • Awards and Fellowships
  • IEEE Fellow, AAAS Fellow, BCS Fellow, IEEE
    Technical Achievement Award, IEEE Senior Members

6
Data and Applications Security Research at UTD
  • Core Group
  • Prof. Bhavani Thuraisingham (Professor, Director,
    Cyber Security Research Center)
  • Prof. Latifur Khan (Director, Data Mining
    Laboratory)
  • Prof. Murat Kantarcioglu (Joined Fall 2005, PhD.
    Purdue U.)
  • Prof. Kevin Hamlen (Peer to Peer systems
    Security, Joined 2006 from Cornell U.)
  • Prof. I-Ling Yen (Director, Web Services Lab)
  • Prof. Prabhakaran (Director, Motion Capture Lab)
  • Students and Funding
  • Over 20 PhD Students, 40 MS students (combined)
  • Research grants: Air Force Office of Scientific
    Research (2), Raytheon Corporation (2), Nokia
    Corporation, National Science Foundation (2),
    AFRL-ARL Collaboration, TX State

7
Assured Information Sharing
[Diagram labels: Data/Policy for Coalition; Publish
Data/Policy (from each Component); Data/Policy for
Agency A, Agency B and Agency C]
  1. Friendly partners
  2. Semi-honest partners
  3. Untrustworthy partners

Research funded by two grants from AFOSR
8
Secure Semantic Web
  • Machine Understandable Web Pages
  • What are we doing: CPT policy enforcement
    (Confidentiality, Privacy, Trust)

[Diagram labels: Trust, Confidentiality, Privacy;
layers: Logic, Proof and Trust; Rules/Query; RDF,
Ontologies; XML, XML Schemas; URI, UNICODE]
9
Secure Geospatial Data Management
  • Semantic Metadata Extraction
  • Decision Centric Fusion
  • Geospatial data interoperability through web
    services
  • Geospatial data mining
  • Geospatial semantic web

[Diagram labels: Data Source A, Data Source B,
Data Source C; Security/Quality; Tools for Analysts]
Research supported by Raytheon on one grant;
working on robust prototypes on second grant
10
Framework for Geospatial Data Security
11
Suspicious Event Detection Surveillance
  • Defined an event representation measure based on
    low-level features
  • Defined normal and suspicious behavior and
    classify events in unlabeled video sequences
    appropriately
  • Tool to determine whether events are suspicious
    or not
  • Privacy preserving surveillance

12
Surveillance and Privacy
[Diagram labels:
  • Raw video surveillance data
  • Face Detection and Face Derecognizing system
  • Suspicious people found
  • Faces of trusted people derecognized to preserve
    privacy
  • Suspicious Event Detection System
  • Suspicious events found
  • Comprehensive security report listing suspicious
    events and people detected
  • Manual inspection of video data
  • Report of security personnel]
13
Social Networks
  • Individuals engaged in suspicious or undesirable
    behavior rarely act alone
  • We can infer that those associated with a person
    positively identified as suspicious have a high
    probability of being either:
  • Accomplices (participants in suspicious activity)
  • Witnesses (observers of suspicious activity)
  • Making these assumptions, we create a context of
    association between users of a communication
    network

14
Privacy Preserving Data Mining
  • Prevent useful results from mining
  • Introduce cover stories to give false results
  • Only make a sample of data available so that an
    adversary is unable to come up with useful rules
    and predictive functions
  • Randomization and Perturbation
  • Introduce random values into the data and/or
    results
  • Challenge is to introduce random values without
    significantly affecting the data mining results
  • Give range of values for results instead of exact
    values
  • Secure Multi-party Computation
  • Each party knows its own inputs; encryption
    techniques are used to compute the final results
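
The randomization bullets above can be made concrete with randomized response, a standard perturbation technique chosen here for illustration. This is an added example, not code from the presentation or from UTD's tools; the function names, the 30% rate and the sample records are constructed assumptions.

```python
import math
import random

def randomize(bits, p_truth, rng):
    """Randomized response: keep each true bit with probability p_truth,
    otherwise replace it with a fair coin flip."""
    return [b if rng.random() < p_truth else rng.randint(0, 1) for b in bits]

def estimate_rate(reported, p_truth):
    """Unbiased estimate of the true rate of 1s from the perturbed data.
    E[observed] = p_truth * true + (1 - p_truth) * 0.5, solved for true."""
    observed = sum(reported) / len(reported)
    return (observed - (1 - p_truth) * 0.5) / p_truth

def estimate_range(reported, p_truth, z=1.96):
    """Release a range (approx. 95% interval) instead of an exact value."""
    n = len(reported)
    observed = sum(reported) / n
    half = z * math.sqrt(observed * (1 - observed) / n) / p_truth
    est = estimate_rate(reported, p_truth)
    return max(0.0, est - half), min(1.0, est + half)

def demo(n=20000, true_rate=0.30, p_truth=0.5, seed=7):
    rng = random.Random(seed)
    # Constructed sample data: n records with a sensitive yes/no attribute.
    true_bits = [1 if rng.random() < true_rate else 0 for _ in range(n)]
    reported = randomize(true_bits, p_truth, rng)
    # Fraction of individual records whose published value is wrong.
    changed = sum(t != r for t, r in zip(true_bits, reported)) / n
    actual = sum(true_bits) / n
    return (actual, estimate_rate(reported, p_truth),
            estimate_range(reported, p_truth), changed)

if __name__ == "__main__":
    actual, est, (lo, hi), changed = demo()
    print(f"true rate {actual:.3f}, estimate {est:.3f}, range [{lo:.3f}, {hi:.3f}]")
    print(f"fraction of individual records altered: {changed:.3f}")
```

About a quarter of the individual records are published with the wrong value, yet the aggregate rate is still recovered to within the released range, which is the trade-off the slide describes.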

15
Data Mining for Intrusion Detection / Worm
Detection
[Diagram labels: Training Data; Hierarchical
Clustering (DGSOT); SVM Class Training;
Classification; Testing; Testing Data]
DGSOT: Dynamically growing self organizing tree
SVM: Support Vector Machine
16
Example Projects
  • Assured Information Sharing
  • Secure Semantic Web Technologies
  • Social Networks and game playing
  • Privacy Preserving Data Mining
  • Geospatial Data Management
  • Secure Geospatial semantic web
  • Geospatial data mining
  • Surveillance
  • Suspicious Event Detection
  • Privacy preserving Surveillance
  • Automatic Face Detection, RFID technologies
  • Cross Cutting Themes
  • Data Mining for Security Applications (e.g.,
    Intrusion detection, Mining Arabic Documents)
    Dependable Information Management

17
Other Research in Cyber Security: Single Packet IP
Traceback (Prof. Kamil Sarac)
  • Goal: trace an IP packet back to its source
  • Usage of IP traceback
  • Internet forensic analysis
  • Denial-of-service attack defense
  • Design issues for practical IP traceback
  • Reducing overhead on routers
  • Supporting incremental and partial deployment
  • Traceback speed and efficiency

18
Protecting Computer Security via
Hardware/Software (Prof. Edwin Sha)
  • Hardware/Software Defender
  • A complete protection from buffer overflow
    attacks.
  • An efficient checking mechanism for a system
    integrator.
  • Compiler is easy to handle.
  • Hardware and timing overhead are small.

The most widely exploited vulnerabilities are
buffer overflow related, causing billion-dollar
damage. Almost all effective worms use this
vulnerability to attack, e.g., Internet Worm, Code
Red, MS Blaster, Sasser worm, etc.
Design new instructions and hardware to avoid
buffer overflow vulnerabilities.
  • Stack Smashing Attack Protection: two methods
    proposed
  • Hardware Boundary Check
  • New secure function call instructions Scall
    and Sret
  • Function Pointer Attack Protection: new secure
    instruction for jumping to a function pointer,
    SJMP
For the most common stack smashing attacks,
HSDefender provides complete protection. For
the function pointer attack, it makes it
extremely hard for a hacker to change a function
pointer to lead to his hostile code. With little
time overhead (0.098), it can be applied to
critical real-time systems.
19
Buffer Overflow Attacks (Prof. Gupta)
  • Buffer Overflow Attacks (B.O.A.): A majority of
    attacks for which advisories are issued are based
    on B.O.A.
  • Other forms of attacks, such as distributed
    denial of service attacks, sometimes rely on
    B.O.A.
  • B.O.A. exploit the memory organization of the
    traditional activation stack model to overwrite
    the return address stored on the stack.
  • This memory organization can be slightly changed
    so as to prevent buffer overflows overwriting
    return addresses.
  • Our system automatically transforms code binaries
    in accordance with this modified memory
    organization, thereby preventing most common
    forms of buffer overflow attacks.
  • Our tool (under development) can be used on
    third-party software and off-the-shelf products,
    and does not require access to source code.

20
Information Assurance Education (Prof. Gupta)
  • Current Courses
  • Introduction to Computer and Network Security:
    Prof. Sha
  • Cryptography: Profs. Sudborough, Murat
  • Data and Applications Security: Prof. Bhavani
    Thuraisingham
  • Biometrics: Prof. Bhavani
  • Privacy: Prof. Murat Kantarcioglu
  • Secure Language: Prof. Kevin Hamlen
  • Digital Forensics: Prof. Bhavani Thuraisingham
  • Trustworthy semantic web: Prof. Bhavani
  • NSA/DHS Center for Information Assurance
    Education (2004, 2007)
  • Courses at AFCEA and AF Bases
  • Knowledge Management, Data Mining for
    Counter-terrorism, Data Security (preparing a
    course on SOA and NCES with Prof. Alex Levis -
    GMU and Prof. Hal Sorenson - UCSD)

21
Security Analysis and Information Assurance
Laboratory
SAIAL Laboratory (Security Analysis and
Information Assurance Laboratory)
Attenuation levels of radiated signals as tested
to MIL-STD-285
  • Magnetic Mode: 60 dB at 10KHz to 100KHz at 100dB
  • Electric Mode: 100 dB from 1 KHz to 1 GHz
  • Plane Wave and Microwave: 100 dB from 1 GHz to
    10 GHz
Equipment
  • Mainframes: 2
  • PCs: 54
  • Work Stations: 6
  • Laptops: 5
  • Servers: 7
  • Switches: 4
  • Routers: 10
  • PDAs: 15
  • Access Points: 8
  • Network Analyzer: 1
  • Protocol Analyzer: 1
  • Development Software Hardware
22
Directions and Plans
  • Take Advantage of SAIAL Lab
  • Opportunity for Information Operations portion of
    the AFOSR project
  • Increase focus areas
  • Major focus the past 2 years has been on Data
    Security
  • Expand the focus utilizing our strengths and
    state/federal interests
  • Digital forensics is becoming an important area
  • Interdisciplinary research and multiple domains
  • Healthcare, Telecom, etc.
  • Collaboration
  • Integrate programs across the schools at UTD
  • Increase collaboration with our partners
  • Our major goal is to establish a Center Scale
    Project