TWC: Medium: Collaborative: Towards a Binary-Centric Framework for Cyber Forensics in Enterprise Environments

TWC：媒介：协作：迈向企业环境中以二进制为中心的网络取证框架

• 批准号: 1409534
• 负责人: Golden Richard
• 金额: $ 39.98万
• 依托单位: University of New Orleans
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2014
• 资助国家: 美国
• 起止时间: 2014-09-01 至 2017-04-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1409534&HistoricalAwards=false
• 关键词: TWC; Medium; Collaborative; Towards; Binary

Emerging attacks such as Advanced Persistent Threats pose significant threat to cyberspace. These attacks are often stealthy, low-and-slow, and disguised via deceptive campaigns. This research focuses on the forensics of cyber attacks targeting enterprise environments, with the goals of (1) understanding an attack's intent, strategy, steps, and targets, (2) collecting digital evidence for legal proceedings, (3) revealing hidden attack behaviors to prevent or minimize damage.To achieve these goals, an integrated framework is being developed which covers three key aspects - temporal, spatial, and malware-behavioral forensics. All three aspects face the common challenge of analyzing binary executables. More specifically, temporal forensics requires finer-grain program logging for identifying attack provenance and ramifications. The solution is to partition a binary program's execution and data for high-accuracy causal analysis. Malware forensics involves revealing malware behaviors that are multi-stage, condition-guarded, and environment-specific. The solution is a new binary analysis approach that force-executes an unknown binary without input or environment setup and exposes the malware's behavior along the execution paths forced into. Temporal forensics requires understanding unknown file formats and in-memory data structure contents. The solution is to identify and reuse the file parsing/generation and data structure rendering logic in the corresponding binary programs.This research will advance the state-of-the-art in cyber forensics, a critical need as our nation and society become increasingly dependent on cyberinfrastructures. It will help train next-generation cybersecurity experts by exposing students to real case investigations. Under-represented students are being involved in research activities and cyber forensics exercises.

高级持续性威胁等新兴攻击对网络空间构成重大威胁。这些攻击通常是隐蔽的，低而缓慢的，并通过欺骗性的运动来伪装。本研究的重点是针对企业环境的网络攻击取证，其目标是：(1)了解攻击的意图、策略、步骤和目标，(2)为法律诉讼收集数字证据，(3)揭示隐藏的攻击行为，以防止或尽量减少损害。为了实现这些目标，正在开发一个集成框架，它涵盖三个关键方面——时间、空间和恶意软件行为取证。这三个方面都面临分析二进制可执行文件的共同挑战。更具体地说，时间取证需要更细粒度的程序日志记录，以识别攻击的来源和后果。解决方案是对二进制程序的执行和数据进行分区，以便进行高精度的因果分析。恶意软件取证涉及揭示多阶段、条件保护和特定于环境的恶意软件行为。解决方案是一种新的二进制分析方法，在没有输入或环境设置的情况下强制执行未知二进制文件，并在强制执行路径上暴露恶意软件的行为。时间取证需要理解未知的文件格式和内存中的数据结构内容。解决方案是识别和重用相应二进制程序中的文件解析/生成和数据结构呈现逻辑。这项研究将推动最先进的网络取证技术，随着我们的国家和社会越来越依赖网络基础设施，这是一项关键需求。它将通过让学生接触真实的案例调查，帮助培养下一代网络安全专家。代表性不足的学生正在参与研究活动和网络取证练习。