| Funder | National Science Foundation (US) |
|---|---|
| Recipient Organization | University of Maryland, College Park |
| Country | United States |
| Start Date | Oct 01, 2023 |
| End Date | Aug 31, 2027 |
| Duration | 1,430 days |
| Number of Grantees | 1 |
| Roles | Principal Investigator |
| Data Source | National Science Foundation (US) |
| Grant ID | 2427783 |
Cyber-attacks are becoming increasingly advanced and sophisticated. Advanced attackers monitor their targets for a long time to learn their vulnerabilities and protective strategies. Such attacks are extremely challenging to prevent and investigate because of the attackers' sophisticated tactics and resources and their strategy of penetrating the system in unexpected or overlooked ways.
Worse, attackers use sophisticated tactics, such as obfuscation and evasive techniques, to thwart or delay forensics investigations. Attackers also compromise a wide range of system components and resources, making it extremely difficult to restore and harden the system. Delayed or incomplete forensic analysis makes it difficult to properly secure the victim’s organization on time, leading to significant damages and losses.
To this end, this project develops novel techniques to (1) prevent diverse attacks thoroughly, (2) conduct rapid and comprehensive forensic analysis, and (3) protect the victim’s system rigorously. This project also involves educational activities that broaden participation in computing by organizing mentoring workshops and coaching the University of Virginia’s Collegiate Cyber Defense Competition team, which includes many female students.
This project aims to develop an automated forensic-in-the-loop cyber defense infrastructure that coherently integrates novel defenses, forensic analysis, and hardening approaches. First, the investigator develops attack-vector-agnostic protection and detection approaches by perturbing the inputs and runtime environments that are the weakest links of the attacks.
Second, the investigator develops novel automated techniques to detect and eliminate anti-forensic techniques applied to malware. Furthermore, to handle evasive malware, the investigator introduces the adaptive counterfactual execution technique to evolve the runtime environment and execution context. Finally, the investigator develops an automated root cause analysis technique that diagnoses loopholes and identifies potential fixes (e.g., secure configurations).
This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.