Emerging attacks such as Advanced Persistent Threats pose a significant threat to cyberspace. These attacks are often stealthy, low-and-slow, and disguised via deceptive campaigns. This research focuses on the forensics of cyber attacks targeting enterprise environments, with the goals of (1) understanding an attack's intent, strategy, steps, and targets, (2) collecting digital evidence for legal proceedings, and (3) revealing hidden attack behaviors to prevent or minimize damage.
To achieve these goals, an integrated framework is being developed which covers three key aspects: temporal, spatial, and malware-behavioral forensics. All three aspects face the common challenge of analyzing binary executables. More specifically, temporal forensics requires finer-grained program logging for identifying attack provenance and ramifications. The solution is to partition a binary program's execution and data for high-accuracy causal analysis. Malware forensics involves revealing malware behaviors that are multi-stage, condition-guarded, and environment-specific. The solution is a new binary analysis approach that force-executes an unknown binary without input or environment setup and exposes the malware's behavior along the forced execution paths. Spatial forensics requires understanding unknown file formats and in-memory data structure contents. The solution is to identify and reuse the file parsing/generation and data structure rendering logic in the corresponding binary programs.
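To make the forced-execution idea concrete, the following is an added example (not the project's own tool; the instruction set, the sample program, its environment names and the API names are all invented for the illustration). A toy program checks two environment values it expects on the victim host before running a condition-guarded payload. A plain run in the lab, where those values are absent, reaches nothing of interest; the forced run explores both outcomes of every conditional branch, exposes the guarded behaviour, and reports the environment predicates a path assumed, which is the trigger condition an analyst wants. Loops are handled with a per-path cap on forced decisions and on executed instructions.

```python
"""Toy forced-execution engine: a constructed illustration of exploring a
program's branches without the inputs or environment it expects (not the
project's own tool; the instruction set and sample program are invented)."""
import copy
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Toy instruction set (constructed):
#   ("ENV", reg, name)  read a host/environment value the analyst does not have
#   ("MOV", reg, imm)   reg = imm            ("SUB", reg, imm)  reg -= imm
#   ("CMP", reg, imm)   flag = (reg == imm)  ("JNE", target)    jump if flag is False
#   ("CALL", api)       the observable behaviour we want to expose   ("HALT",)
SAMPLE = [
    ("ENV", "r0", "hostname_hash"),  # 0  victim fingerprint, unknown in the lab
    ("CMP", "r0", 0x5A17),           # 1
    ("JNE", 12),                     # 2  not the intended host: exit silently
    ("ENV", "r1", "day_of_month"),   # 3  time trigger
    ("CMP", "r1", 13),               # 4
    ("JNE", 7),                      # 5  wrong day: skip the payload
    ("CALL", "wipe_documents"),      # 6  condition-guarded payload
    ("MOV", "r2", 3),                # 7
    ("CALL", "beacon_c2"),           # 8  loop body: three beacons
    ("SUB", "r2", 1),                # 9
    ("CMP", "r2", 0),                # 10
    ("JNE", 8),                      # 11
    ("HALT",),                       # 12
]

@dataclass
class Path:
    pc: int = 0
    regs: Dict[str, int] = field(default_factory=dict)
    taint: Dict[str, str] = field(default_factory=dict)  # reg -> ENV name it holds
    flag: bool = False
    last_cmp: Tuple[Optional[str], int] = (None, 0)
    calls: List[str] = field(default_factory=list)
    # (env name, compared constant, assumed equal?) for every ENV-dependent branch
    predicates: List[Tuple[str, int, bool]] = field(default_factory=list)
    forced: int = 0
    steps: int = 0
    truncated: bool = False

def _branch(p: Path, target: int, jump: bool, forced: bool) -> Path:
    q = copy.deepcopy(p)
    q.pc = target if jump else p.pc + 1
    q.forced += int(forced)
    name, imm = p.last_cmp
    if name is not None:                          # compare involved an ENV value
        q.predicates.append((name, imm, not jump))  # JNE falls through <=> equal
    return q

def run(program, env=None, force=False, max_forced=3, max_steps=60) -> List[Path]:
    """force=False: a plain run where unknown ENV reads yield 0.
    force=True: every JNE is explored both ways, up to max_forced
    contrary-to-flag decisions per path; max_steps caps each path so a
    loop driven past its exit cannot run forever."""
    env, work, done = env or {}, [Path()], []
    while work:
        p = work.pop()
        while True:
            if p.steps >= max_steps:
                p.truncated = True
                done.append(p)
                break
            p.steps += 1
            ins = program[p.pc]
            op = ins[0]
            if op == "HALT":
                done.append(p)
                break
            if op == "ENV":
                p.regs[ins[1]] = env.get(ins[2], 0)
                p.taint[ins[1]] = ins[2]
            elif op == "MOV":
                p.regs[ins[1]] = ins[2]
                p.taint.pop(ins[1], None)
            elif op == "SUB":
                p.regs[ins[1]] = p.regs.get(ins[1], 0) - ins[2]
            elif op == "CMP":
                p.flag = p.regs.get(ins[1], 0) == ins[2]
                p.last_cmp = (p.taint.get(ins[1]), ins[2])
            elif op == "CALL":
                p.calls.append(ins[1])
            elif op == "JNE":
                natural = not p.flag
                if force and p.forced < max_forced:
                    work.append(_branch(p, ins[1], not natural, forced=True))
                p = _branch(p, ins[1], natural, forced=False)
                continue
            p.pc += 1
    return done

def reachable(paths: List[Path]) -> Set[str]:
    """Every API the explored paths invoked."""
    return {api for p in paths for api in p.calls}

def triggers(paths: List[Path], api: str) -> Set[Tuple[Tuple[str, int, bool], ...]]:
    """Distinct ENV predicate sets under which `api` was reached."""
    return {tuple(p.predicates) for p in paths if api in p.calls}

if __name__ == "__main__":
    print("lab run, no environment:", reachable(run(SAMPLE)))
    forced = run(SAMPLE, force=True)
    print("forced run:", reachable(forced))
    for cond in triggers(forced, "wipe_documents"):
        print("wipe_documents fires when", cond)
```

The plain run halts at instruction 2 without a single API call, which is exactly what a sandbox sees when the sample fingerprints its host. The forced run reaches `wipe_documents` and reports that it is guarded by `hostname_hash == 0x5A17` and `day_of_month == 13`; paths that force the loop past its exit are cut off by `max_steps` and flagged as truncated rather than hanging the analysis.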
This research will advance the state of the art in cyber forensics, a critical need as our nation and society become increasingly dependent on cyberinfrastructures. It will help train next-generation cybersecurity experts by exposing students to real case investigations. Under-represented students are being involved in research activities and cyber forensics exercises.