CRII: SaTC: GEMINI: Guided Execution Based Mobile Advanced Persistent Threat Investigation

CRII：SaTC：GEMINI：基于引导执行的移动高级持续威胁调查

• 批准号: 1755721
• 负责人: Brendan Saltaformaggio
• 金额: $ 17.5万
• 依托单位: Georgia Tech Research Corporation
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-02-01 至 2020-01-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1755721&HistoricalAwards=false
• 关键词: CRII; SaTC; GEMINI; Guided; Execution

Advanced persistent threat (APT) campaigns are increasingly targeting mobile devices deployed across corporations, governments, and financial institutions. Unfortunately, prohibitively slow responses to even high-profile APT attacks have shown that authorities lack the capability to quickly investigate ongoing attacks (in a matter of hours or days rather than months). To address this challenge, this research draws inspiration from recent developments in memory image forensics (in particular a recently introduced technique called guided execution), which has provided rapid evidence collection and crime investigation capabilities currently unparalleled in APT investigation. This research is developing an integrated framework, called GEMINI, which shifts the goal of modern memory forensics from the investigation of physical-world crimes to APT campaigns. Based on the analysis of only a single memory image --- collected from an Android device after an attack is suspected --- GEMINI provides the following set of APT investigation capabilities: (1) Based on exploratory guided execution techniques, GEMINI can search for and re-create previously enacted APT attack stages. (2) Beyond investigating prior attack execution, GEMINI enables the revelation of hidden/potential future attack behaviors by 'puppeteering' their executing with pre-staged memory image data. (3) After exploring future payloads, GEMINI can further leverage its guided execution capabilities for the remediation of the observed attack strategies.This work directly contributes to national security by advancing research in and developing techniques for the investigation of APT campaigns targeting mobile devices. In addition, the results of this research are being made publicly available with the goal of enhancing discovery and empowering future research in this area as well as contributing to the development of new curriculum materials focused on malware analysis and reverse engineering.

高级持续性威胁（APT）活动越来越多地针对企业、政府和金融机构部署的移动的设备。不幸的是，即使是对高调的APT攻击的反应也非常缓慢，这表明当局缺乏快速调查正在进行的攻击的能力（在几小时或几天内，而不是几个月）。为了应对这一挑战，本研究从内存图像取证的最新发展（特别是最近推出的一种称为引导执行的技术）中汲取灵感，该技术提供了目前APT调查中无与伦比的快速证据收集和犯罪调查能力。 这项研究正在开发一个名为GEMINI的综合框架，该框架将现代记忆取证的目标从调查物理世界的犯罪转移到APT活动。基于对单个内存映像的分析--在怀疑攻击后从Android设备收集-- GEMINI提供了以下一组APT调查功能：（1）基于探索性引导执行技术，GEMINI可以搜索并重新创建先前实施的APT攻击阶段。(2)除了调查先前的攻击执行情况外，GEMINI还可以通过使用预先准备的内存映像数据“操纵”攻击行为的执行来揭示隐藏/潜在的未来攻击行为。(3)在探索未来的有效载荷后，GEMINI可以进一步利用其引导执行功能来修复观察到的攻击策略。这项工作通过推进针对移动的设备的APT活动的研究和开发技术来直接促进国家安全。此外，这项研究的结果正在公开提供，目的是加强发现和授权这一领域的未来研究，并有助于开发专注于恶意软件分析和逆向工程的新课程材料。

项目成果

The Betrayal At Cloud City: An Empirical Analysis Of Cloud-Based Mobile Backends

• 发表时间: 2019
• 作者: Omar Alrawi;Chaoshun Zuo;Ruian Duan;R. Kasturi;Zhiqiang Lin;Brendan Saltaformaggio