Security Offense/Defense using Semantic Web Agents

21 06 2012

We have had spies helping secure countries and armies alike for a very long time. With the advent of computing technologies, spying has advanced, with all kinds of advanced tools to do what the spies (humans) want to do, yet the idea of a “Virtual Spy” to protect cyberspace has not even hit Hollywood yet. I am not talking about Robots and Artificial Intelligence here, just a simple idea based on the fact that if we (human) spies can spy, it can be automated as well.  I am proposing the idea of a “Virtual Spy”, in hopes that a simple idea like that when backed up with the RIGHT APPLICATION OF technologies can actually produce something significant in the area of Information Security. The Virtual Spy is a computer program that “understands” the computing environment it is in, “Trusts” some information sources, “Senses” when an attack is staged, and “Reacts” to the attack. The Virtual Spy has been trained to or has learnt to keep the computing environment secure and deal with attacks. The Virtual Spy “Understands” what “Confidentiality”, “Integrity” and “Availability” mean in the specific environment, as the computer program possesses the “knowledge” required to be the Chief Information Security Officer’s “right-hand” virtual employee.

There are 3 fundamental areas that need to be understood and applied in conjunction with each other, to make a case for a virtual spy and there are conventional wisdom based paradigms that need to be broke in these areas to be able to apply in the information security arena;

  1. Application Mining & Infrastructure Discovery
  2. Feedback control based Self adaptive systems
  3. Semantic Web Agents & Inference

Suggested readings to get a high level overview of these areas, future research directions and their intended applications, are highly recommended to be read to embrace the terminologies used through the rest of the post here.

  1. Strategies to Cut Application Costs and Increase Productivity, Using Application Mining Tools by Phil Murphy, Forrester Research Group, April 24, 2009 | Updated: July 9, 2009
  2. HP UCMBD Infrastructure discovery tool
  3. Software Architecture-based Adaptation for Pervasive Systems by David Garlan, Shang-Wen Cheng, Bradley Schmerl, João Pedro Sousa, Bridget Spitznagel, Peter Steenkiste, Ningning Hu, School of Computer Science, Carnegie Mellon University, 5000 Forbes Ave, Pittsburgh PA 15213
  4. IEEE Intelligent Systems Journal (march/April 2001), Agents and the Semantic Web by James Hendler, Department of Computer Science, University of Maryland College Park, MD 20742
  5. “Ultra Large Scale Systems”
  6. State of Information Security

What problem is the “Virtual Spy” trying to solve?

Neustar forensic logs from 168 of the largest 500 U.S. companies by revenue and found evidence in that 162 (reference #6) of them owned machines that at some point had been transmitting data out to hackers. Frustration in the security community in not being able to defend against these attacks and “securing the perimeter” and having “larger locks” or having “heavier doors” have helped only to some extent. A solution to this problem has been eluding people, as with any of the above strategies, once implemented, there is a smarter hacker around the block that cracks it and makes us seeking the next big perimeter security. But, the “Virtual Spy” (v-spy) is watching and roaming within the premises of the corporate or the government (enterprise), looking for security breaches, as they happen. The “Virtual Spy” is not another “Security” COTS product that every corporate needs to buy, it’s an employee an enterprise needs to develop from within. This employee will train and understand the assets within the “Boundary” of the enterprise. Direction from the CISO on trusted sources and “High Value Assets” and response measures are provided to this new recruit. While the new kid on the block is not planning on replacing any of the security controls in place, it is planning to “Up” the game significantly.

How does the new recruit learn about the enterprise it is working for?

Put in simple terms, the v-spy needs to “Know what is in the enterprise” first, “Understand” what problems are, in the context of the enterprise, and “Address” the problems and keep repeating it till its employment contract is valid. Information security is not merely only about perimeter defense, security permeates every realm of the computing domain of the enterprise, and I merely state that to point out the relevance of the following discussion to Information Security. It’s the conventional wisdom barrier that I am trying to break here – “Information Security Personnel – please try to stick to your lanes, in your area”. Although these subjects are widely discussed for benefits other than security, my intent is purely to discuss these subjects in the context of information security.

 “Knowing” – Securing Assets starts with knowing what they are

  • Application Mining – reverse engineering information about an application, looking at patterns in the outputs from applications, while the Forrester research (reference #1) talks about mostly static aspects of the application, our research would point towards dynamic characteristics of applications

Sample information from this exercise:

Users in the enterprise use SysA to open a database connection with DB1

Users of SysB query all rows from Employees Table in DB2

  • Infrastructure Discovery – A Tool like HP UCMDB can “snoop” an enterprise’s entire network and assemble information about every single Asset in the computing environment, which will take v-spy giant steps forward, now it is sitting on a “gold mine” of information about the enterprise

Sample information from this exercise:

SysA is hosted in Server123 located in Phoenix, AZ USA

DB1 is hosted in Server456 located in Prague, Czech Republic, Europe

  • Ontologies of Applications and Infrastructure for the enterprise (not for the worldwide web) – and then data from Application mining and Infrastructure discovery are converted to RDF, and RDF-schemas generated

Sample “Triples” from this exercise

DB1 stores Employee Data

HR Personnel manage Employees

Sample ontology from this exercise

Ample proof as to how this information can be of immense use to Information Security lies in the diagram – brings context to the Information Security Personnel and even better – this is all machines readable!

  • Mapping the developed Ontologies to the enterprise functions Ontologies; see example below to help understand what this would look like in an enterprise

 “Understanding” – do we really know what the assets in the enterprise do?

  • Functional services (HR, Design, Engineering etc…) to leverage the enterprise’s machine readable Ontologies and enable “Machine-to-Machine” interactions are developed to bring the context into the transactions that are happening in the enterprise and this is the Game Changer, as it relates to Information Security
  • Identify Agents for each functional area of the enterprise – “Make Payment to Vendor”, “Make Payment to Employee”, “Terminate a Contract”, “Purchase a Part”, “Ship a part”, “  Process Expense Reports” are some examples, that are built around these services can execute transactions like “Shut down all financial transactions – Now” or “Shut down network access to all the High-Value-Assets”
  • These Agents now “moderate” all the transactions happening in the enterprise (think of this idea as the same concept of wrapper classes, at no point in time will any reasonable security architect will recommend re-doing all the applications just for security. Although the benefits of the usage of agents out-weigh the costs incurred, still would not recommend re-writing “ALL” the applications, just “wrap” the transactions around in the higher level semantic languages, enabling us to gain context of the transactions happening in the environment (not to be confused with “Logging” every single activity, Agents basically understand what that transaction means in context, as they can read and understand the ontologies in the ontology repository)
  • The v-spy could be one or multiple of these agents specialized in purpose to defend the enterprise from attacks and they are “aware” of all the other agents in the enterprise and the other agents, when they see a transaction that they don’t believe is in context, will summon the v-spy representative agent closest to them or all of them.

“Addressing” – Confidentiality, Integrity and Availability

  • Establishing Inter-agent communications – the mapping of the ontologies and the self-advertising services in the environment should make this easily possible (well not very easily at the time I am writing this). Since the agents themselves are moderating the actions the assets are playing, the agents are looking for end results and not just anomalies in network activity.

Sample scenario using the Application and Infrastructure Ontology above:

One or many Agents in the HR domain, will be moderating transactions to DB1 and SysA, let’s say as an example, if the Domain Network Controller is sending many requests through to connect to the Server123, and it has created an event, and no other agents are reporting any major spike in transactions, something is up and this can be facilitated by Agent-to-Agent communications across multiple domains, within the enterprise.

  • Inference engines are like the “Command & Control” rooms that the agents can talk to, send a report of an event, and get an inferred result back from the engine. The information context is the same for all these specialized programs – the Ontologies. I propose using a special “Security Events Inference Engine” that understands the enterprise’s security risks and can instruct responses to the agents (“The Matrix” – in the movie The Matrix)
  • The “Virtual Spy” Agent responds to events through the self-adaptive systems (the same idea as that of an Antibiotic medicine). Inference engine responds to event inferring requests with response events defined in the Ontology Repository
  • Architecture Description Languages are being increasingly used to define system architectures, and when the key systems have some components or sub-systems built into them to be able to responds to its own outputs, based on the self-healing systems proposed by Dr Garlan et al. [Reference #4]. I propose the extension of the use of the self-healing or adaptive systems to extend to being able to respond to security events.
  • These responses are defined as services that the agents are “aware” of and are defined in the Ontology repository
  • Once the Inference engines response is received by an agent, the agent should be able to initiate response actions based on policies defined in the Ontology repository and could possibly do many of the following:
  1. Preventive responses by shutting down Domain Network Controllers momentarily
  2. Staging an attack back to the attacker, based on the information available about the attacker, present in the enterprise now, left behind by the attacker with the agents in the enterprise, who can communicate with each other to “track” the attacker down


This proposal is neither meant to be a technical tell-all nor is any proof that I have personally tried these concepts out in a lab and proved them prior. It is my attempt to apply the concepts in our modern day computing field to practical problems that can benefit from these unique applications. Even more important, is the idea of challenging conventional wisdom (I like to refer to it as today’s technology superstitions) as far as applying technologies go. For the most part, the way our minds work has not significantly changed over centuries; there will always be bad guys who try to steal something from others. There is no such a thing as an impenetrable fort, if one human can get to the other side, there will be another one. I do realize that there is a lot of catch-up to do to get to the end state, but this end state is desirable for everyone in Information Technology and may be this time, the Information Security Personnel will drive this change in the ever changing and evolving field.

What is lacking in our computing environment is context, which I believe the proposal above brings in and I will argue that the biggest benefactors of context are Information Security Personnel, as illustrated above. As my friend from the southern part of India, far away from today’s technologies toiling in the farms, asked me, “So, if I tried to take some of those Car Designs you showed on your computer to me today, will your computer catch me?”




One response

21 06 2012
Thomas Timpf

interesting. Since Flame has been in the news so often is this meant to be like Flame or catch things like Flame, perhaps it is just perspective (good versus evil).

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: