Completed STANDARD GRANT National Science Foundation (US)

OAC Core: Data-driven Methods and Techniques For Protecting Research and Critical Cyberinfrastructure By Characterizing and Defending Against Ransomware

$5M USD

Funder National Science Foundation (US)
Recipient Organization University of Texas At San Antonio
Country United States
Start Date Jul 01, 2021
End Date Oct 31, 2023
Duration 852 days
Number of Grantees 1
Roles Principal Investigator
Data Source National Science Foundation (US)
Grant ID 2104273
Grant Description

Ransomware is an extortion type of malicious software (malware) that encrypts, locks and exfiltrates data from local and networked assets for financial gain, hindering the availability of such resources while causing immense reputational damage. Recent ransomware attacks on high-valued cyberinfrastructure (CI) in the health, educational, IT, and critical sectors demanded ransoms up to $50M while causing collateral losses estimated to reach $20 billion in the next few years.

While there are a number of ongoing research efforts that address the ransomware phenomenon, they are hindered by several challenges. These include the lack of ransomware-specific analysis methods that permit the comprehension of (state-sponsored) attacks that specifically target US CI, the ineffectiveness of current network-based methods that are capable of thwarting ransomware propagation attempts, and the shortage of host-based techniques that would proactively mitigate the threat.

To this end, this project serves NSF's mission to promote the progress of science by developing data-driven methods, techniques and algorithms to offer a first-of-a-kind multidimensional approach to provide CI resiliency against evolving ransomware attacks. The project empowers numerous CI communities, minorities and K-12 students with open source tools, virtual training material and empirical data to facilitate forward-looking research and education.

The project further supports the operational cyber situational awareness community by indexing the generated threat intelligence in an open source platform, making it readily available to support near real-time, ransomware-centric mitigation.

The project draws upon close to 2M (US-targeted) ransomware samples per month provided by an industry partner. The project develops binary authorship methods that are resilient against common obfuscation and refactoring techniques to (1) provide empirical evidence related to the orchestration behavior of the attack entity, and (2) facilitate the large-scale measurements and characterization of such orchestrated events.

Along this vein, the project initially leverages pre-processing data methods based on opcode frequencies to subsequently devise feature engineering processes as applied on binary code to extract salient coding habits related to memory usage, utilization of specific data structures, function terminations, etc. Moreover, the project ingests run-time behavioral reports of ransomware and develops learning methodologies by innovating techniques rooted in natural language processing and attention mechanisms.

This aims at engineering models that could provide resiliency from the network level, while applying concept drift notions to capture and comprehend the mutating behaviors of such ransomware. The project also designs and implements data carving techniques by applying the devised learning models on streaming network traffic. Additionally, the project explores host-based prevention methodologies by exploiting a set of ransomware-specific behaviors.

Herein, the project conducts large-scale ransomware instrumentation, models ransomware sensing activities based on DLL calls, while devising data mining methods based on a priori methods. The project further develops data sharing capabilities to facilitate access to raw data, and the generated threat intelligence. The project also devises virtual labs’ material to enable large-scale, cloud-based research and training activities.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

All Grantees

University of Texas At San Antonio
