The rise in popularity of Internet of Things (IoT) devices has opened doors for privacy and security breaches in Cyber-Physical systems like smart homes, smart vehicles, and smart grids that affect our daily existence. IoT systems are also a source of big data that gets shared via the cloud. IoT systems in a smart home environment have sensitive access control issues since they are deployed in a personal space. The collected data can also be of a highly personal nature. Therefore, it is critical to building access control models that govern who, under what circumstances, can access which sensed data or actuate a physical system. Traditional access control mechanisms are not expressive enough to handle such complex access control needs, warranting the incorporation of new methodologies for privacy and security. In this paper, we propose the creation of the PALS system, that builds upon existing work in an attribute-based access control model, captures physical context collected from sensed data (attributes) and performs dynamic reasoning over these attributes and context-driven policies using Semantic Web technologies to execute access control decisions. Reasoning over user context, details of the information collected by the cloud service provider, and device type our mechanism generates as a consequent access control decisions. Our system’s access control decisions are supplemented by another sub-system that detects intrusions into smart home systems based on both network and behavioral data. The combined approach serves to determine indicators that a smart home system is under attack, as well as limit what data breach such attacks can achieve.
Temporal Understanding of Cybersecurity Threats
As cybersecurity-related threats continue to increase, understanding how the field is changing over time can give insight into combating new threats and understanding historical events. We show how to apply dynamic topic models to a set of cybersecurity documents to understand how the concepts found in them are changing over time. We correlate two different data sets, the first relates to specific exploits and the second relates to cybersecurity research. We use Wikipedia concepts to provide a basis for performing concept phrase extraction and show how using concepts to provide context improves the quality of the topic model. We represent the results of the dynamic topic model as a knowledge graph that could be used for inference or information discovery.
Defense: Taneeya Satyapanich, Modeling and Extracting Information about Cybersecurity Events from TextNovember 14th, 2019
Ph.D. Dissertation Defense
Modeling and Extracting Information about Cybersecurity Events from Text
9:30-11:30 Monday, 18 November, 2019, ITE346?
People now rely on the Internet to carry out much of their daily activities such as banking, ordering food, and socializing with their family and friends. The technology facilitates our lives, but also comes with many problems, including cybercrimes, stolen data, and identity theft. With the large and increasing number of transactions done every day, the frequency of cybercrime events is also growing. Since the number of security-related events is too high for manual review and monitoring, we need to train machines to be able to detect and gather data about potential cyber threats. To support machines that can identify and understand threats, we need standard models to store the cybersecurity information and information extraction systems that can collect information to populate the models with data from text.
This dissertation makes two significant contributions. First, we defined rich cybersecurity event schema and annotated the news corpus following the schema. Our schema consists of event type definitions, semantic roles, and event arguments. Second, we present CASIE, a cybersecurity event extraction system. CASIE can detect cybersecurity events, identify event participants and their roles, including specifying realis values. It also groups the events, which are coreference. CASIE produces output in easy to use format as a JSON object.
We believe that this dissertation will be useful for cybersecurity management in the future. It will quickly grasp cybersecurity event information out of the unstructured text and fill in the event frame. So we can compete with tons of cybersecurity events that happen every day.
Committee: Drs. Tim Finin (chair), Anupam Joshi, Tim Oates, Karuna Pande Joshi, Francis Ferraro
DAbR: Dynamic Attribute-based Reputation Scoring for Malicious IP Address Detection
To effectively identify and filter out attacks from known sources like botnets, spammers, virus infected systems etc., organizations increasingly procure services that determine the reputation of IP addresses. Adoption of encryption techniques like TLS 1.2 and 1.3 aggravate this cause, owing to the higher cost of decryption needed for examining traffic contents. Currently, most IP reputation services provide blacklists by analyzing malware and spam records. However, newer but similar IP addresses used by the same attackers need not be present in such lists and attacks from them will get bypassed. In this paper, we present Dynamic Attribute based Reputation (DAbR), a Euclidean distance-based technique, to generate reputation scores for IP addresses by assimilating meta-data from known bad IP addresses. This approach is based on our observation that many bad IP’s share similar attributes and the requirement for a lightweight technique for reputation scoring. DAbR generates reputation scores for IP addresses on a 0-10 scale which represents its trustworthiness based on known bad IP address attributes. The reputation scores when used in conjunction with a policy enforcement module, can provide high performance and non-privacy-invasive malicious traffic filtering. To evaluate DAbR, we calculated reputation scores on a dataset of 87k IP addresses and used them to classify IP addresses as good/bad based on a threshold. An F-1 score of 78% in this classification task demonstrates our technique’s performance.
Early Detection of Cybersecurity Threats Using Collaborative Cognition
The early detection of cybersecurity events such as attacks is challenging given the constantly evolving threat landscape. Even with advanced monitoring, sophisticated attackers can spend more than 100 days in a system before being detected. This paper describes a novel, collaborative framework that assists a security analyst by exploiting the power of semantically rich knowledge representation and reasoning integrated with different machine learning techniques. Our Cognitive Cybersecurity System ingests information from various textual sources and stores them in a common knowledge graph using terms from an extended version of the Unified Cybersecurity Ontology. The system then reasons over the knowledge graph that combines a variety of collaborative agents representing host and network-based sensors to derive improved actionable intelligence for security administrators, decreasing their cognitive load and increasing their confidence in the result. We describe a proof of concept framework for our approach and demonstrate its capabilities by testing it against a custom-built ransomware similar to WannaCry.
Russians hack home internet connections, here is how to protect yourself
Sandeep Nair Narayanan, Anupam Joshi and Sudip Mittal
In late April, the top federal cybersecurity agency, US-CERT, announced that Russian hackers had attacked internet-connected devices throughout the U.S., including network routers in private homes. Most people set them up – or had their internet service provider set them up – and haven’t thought much about them since. But it’s the gateway to the internet for every device on your home network, including Wi-Fi connected ones. That makes it a potential target for anyone who wants to attack you, or, more likely, use your internet connection to attack someone else.
As graduate students and faculty doing research in cybersecurity, we know that hackers can take control of many routers, because manufacturers haven’t set them up securely. Router administrative passwords often are preset at the factory to default values that are widely known, like “admin” or “password.” By scanning the internet for older routers and guessing their passwords with specialized software, hackers can take control of routers and other devices. Then they can install malicious programs or modify the existing software running the device.
Once an attacker takes control
There’s a wide range of damage that a hacker can do once your router has been hijacked. Even though most people browse the web using securely encrypted communications, the directions themselves that let one computer connect to another are often not secure. When you want to connect to, say, theconversation.com, your computer sends a request to a domain name server – a sort of internet traffic director – for instructions on how to connect to that website. That request goes to the router, which either responds directly or passes it to another domain name server outside your home. That request, and the response, are not usually encrypted.
A hacker could take advantage of that and intercept your computer’s request, to track the sites you visit. An attacker could also attempt to alter the reply, redirecting your computer to a fake website designed to steal your login information or even gain access to your financial data, online photos, videos, chats and browsing history.
In addition, a hacker can use your router and other internet devices in your home to send out large amounts of nuisance internet traffic as part of what are called distributed denial of service attacks, like the October 2016 attack that affected major internet sites like Quora, Twitter, Netflix and Visa.
Has your router been hacked?
An expert with complex technical tools may be able to discover whether your router has been hacked, but it’s not something a regular person is likely to be able to figure out. Fortunately, you don’t need to know that to kick out unauthorized users and make your network safe.
The first step is to try to connect to your home router. If you bought the router, check the manual for the web address to enter into your browser and the default login and password information. If your internet provider supplied the router, contact their support department to find out what to do.
If you’re not able to login, then consider resetting your router – though be sure to check with your internet provider to find out any settings you’ll need to configure to reconnect after you reset it. When your reset router restarts, connect to it and set a strong administrative password. The next step US-CERT suggests is to disable older types of internet communications, protocols like telnet, SNMP, TFTP and SMI that are often unencrypted or have other security flaws. Your router’s manual or online instructions should detail how to do that.
After securing your router, it’s important to keep it protected. Hackers are very persistent and are always looking to find more flaws in routers and other systems. Hardware manufacturers know this and regularly issue updates to plug security holes. So you should check regularly and install any updates that come out. Some manufacturers have smartphone apps that can manage their routers, which can make updating easier, or even automate the process.
Sandeep Nair Narayanan, Ph.D. candidate in Computer Science, University of Maryland, Baltimore County; Anupam Joshi, Oros Family Professor and Chair, Department of Computer Science & Electrical Engineering, University of Maryland, Baltimore County, and Sudip Mittal, Ph.D. Candidate in Computer Science, University of Maryland, Baltimore County
Local governments’ cybersecurity crisis in eight charts
Donald Norris, Anupam Joshi, Laura Mateczun and Tim Finin
Within the past few weeks, two large American cities learned that their information systems were hacked. First, Atlanta revealed that it had been the victim of a ransomware attack that took many of the city’s services offline for nearly a week, forcing police to revert to taking written case notes, hampering the Atlanta’s court system and preventing residents from paying water bills online. Then, Baltimore’s 311 and 911 dispatch systems were taken offline for more than 17 hours, forcing dispatchers to log and process requests manually. Both attacks could have been prevented. And they are more evidence of the poor, if not appalling, state of local government cybersecurity in the United States.
We know this because in 2016, in partnership with the International City/County Management Association, we conducted the first-ever nationwide survey of local government cybersecurity. Among other things, the survey data showed just how poorly local governments practice cybersecurity.
Read the full article on The Conversation.
Preventing Poisoning Attacks on Threat Intelligence Systems
Nitika Khurana, Graduate Student, UMBC
11:00-12:00 Monday, 23 April 2018, ITE346, UMBC
As AI systems become more ubiquitous, securing them becomes an emerging challenge. Over the years, with the surge in online social media use and the data available for analysis, AI systems have been built to extract, represent and use this information. The credibility of this information extracted from open sources, however, can often be questionable. Malicious or incorrect information can cause a loss of money, reputation, and resources; and in certain situations, pose a threat to human life. In this paper, we determine the credibility of Reddit posts by estimating their reputation score to ensure the validity of information ingested by AI systems. We also maintain the provenance of the output generated to ensure information and source reliability and identify the background data that caused an attack. We demonstrate our approach in the cybersecurity domain, where security analysts utilize these systems to determine possible threats by analyzing the data scattered on social media websites, forums, blogs, etc.
UMBC at SemEval-2018 Task 8: Understanding Text about Malware
We describe the systems developed by the UMBC team for 2018 SemEval Task 8, SecureNLP (Semantic Extraction from CybersecUrity REports using Natural Language Processing). We participated in three of the sub-tasks: (1) classifying sentences as being relevant or irrelevant to malware, (2) predicting token labels for sentences, and (4) predicting attribute labels from the Malware Attribute Enumeration and Characterization vocabulary for defining malware characteristics. We achieved F1 scores of 50.34/18.0 (dev/test), 22.23 (test-data), and 31.98 (test-data) for Task1, Task2 and Task2 respectively. We also make our cybersecurity embeddings publicly available at https://bit.ly/cybr2vec.
UMBC/ICMA Survey of Local Government Cybersecurity Practices
In 2016, the International City/County Management Association (ICMA), in partnership with the University of Maryland, Baltimore County (UMBC), conducted a survey to better understand local government cybersecurity practices. The results of this survey provide insights into the cybersecurity issues faced by U.S. local governments, including what their capacities are, what kind of barriers they face, and what type of support they have to implement cybersecurity programs.
The survey was sent on paper via postal mail to the chief information officers of 3,423 U.S. local governments with populations of 25,000 or greater. An online submission option was also made available to survey recipients. Responses were received from 411 of the governments surveyed, yielding a response rate of 12%.
A summary of the results written by ICMA staff is available here.
AI for Cybersecurity: Intrusion Detection Using Neural Networks
Sowmya Ramapatruni, UMBC
11:00-12:00 Monday 26 March, 2018, ITE346, UMBC
The constant growth in the use of computer networks raised concerns about security and privacy. Intrusion attacks on computer networks is a very common attack on internet today. Intrusion detection systems have been considered essential in keeping network security and therefore have been commonly adopted by network administrators. A possible disadvantage is the fact that such systems are usually based on signature systems, which make them strongly dependent on updated database and consequently inefficient against novel attacks (unknown attacks). In this study we analyze the use of machine learning in the development of intrusion detection system.
The focus of this presentation is to analyze the various machine learning algorithms that can be used to perform classification of network attacks. We will also analyze the common techniques used to build and fine tune artificial neural networks for network attack classification and address the drawbacks in these systems. We will also analyze the data sets and the information that is critical for the classification. The understanding of network packet data is essential for the feature engineering, which is an essential precursor activity for any machine learning systems. Finally, we study the drawbacks of existing machine learning systems and walk through the further study possible in this area.
M.S. Thesis Defense
Internal Penetration Test of a Simulated Automotive Ethernet Environment
Kenneth Owen Truex
11:15 Tuesday, 21 November 2017, ITE325, UMBC
The capabilities of modern day automobiles have far exceeded what Robert Bosch GmbH could have imagined when it proposed the Controller Area Network (CAN) bus back in 1986. Over time, drivers wanted more functionality, comfort, and safety in their automobiles — creating a burden for automotive manufacturers. With these driver demands came many innovations to the in-vehicle network core protocol. Modern automobiles that have a video based infotainment system or any type of camera assisted functionality such as an Advanced Driver Assistance System (ADAS) use ethernet as their network backbone. This is because the original CAN specification only allowed for up to 8 bytes of data per message on a bus rated at 1 Mbps. This is far less than the requirements of more advanced video-based automotive systems. The ethernet protocol allows for 1500 bytes of data per packet on a network rated for up to 100 Mbps. This led the automotive industry to adopt ethernet as the core protocol, overcoming most of the limitations posed by the CAN protocol. By adopting ethernet as the protocol for automotive networks, certain attack vectors are now available for black hat hackers to exploit in order to put the vehicle in an unsafe condition. I will create a simulated automotive ethernet environment using the CANoe network simulation platform by Vector GmbH. Then, a penetration test will be conducted on the simulated environment in order to discover attacks that pose a threat to automotive ethernet networks. These attacks will strictly follow a comprehensive threat model in order to narrowly focus the attack surface. If exploited successfully, these attacks will cover all three sides of the Confidentiality, Integrity, Availability (CIA) triad.
I will then propose a new and innovative mitigation strategy that can be implemented on current industry standard ECUs and run successfully under strict time and resource limitations. This new strategy can help to limit the attack surface that exists on modern day automobiles and help to protect the vehicle and its occupants from malicious adversaries.
Committee: Drs. Anupam Joshi (chair), Richard Forno, Charles Nicholas, Nilanjan Banerjee