CRII: SaTC: Leveraging Userland In-Memory Objects for Cybercrime Investigations and Malware Classification

CRII：SaTC：利用用户态内存对象进行网络犯罪调查和恶意软件分类

• 批准号: 1850054
• 负责人: Aisha Ali-Gombe
• 金额: $ 17.5万
• 依托单位: Towson University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2019
• 资助国家: 美国
• 起止时间: 2019-06-01 至 2022-05-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1850054&HistoricalAwards=false
• 关键词: CRII; SaTC; Leveraging; Userland; Memory

On mobile devices, the advancement and sophistication in application development and the great reliance on their functionality daily by many users makes them a critical piece of evidence for digital investigations. This project focuses on the reconstruction of app execution to recover user and fingerprint malware activities on mobile devices. The research will provide a methodology for investigators to easily outline user actions and strategies, and possible malware attack blueprint without the need for prior knowledge of the target application logic. This project will further advance digital forensics capabilities, by engaging both undergraduate and graduate students in memory forensics research.By leveraging in-memory artifacts for execution reconstruction and malware classification, this project develops app-agnostic memory forensics utilities for investigating Android applications. The solution will recreate program execution slices from residual in-memory userland data objects and their metadata and then map them to the loaded images recovered from the code section of the process memory to determine the exact components and program flows that generated the user's activity. The advantage of this technique is it gives the investigator a clear picture of the program flow path, showing a sequence of user events and the data involved. The newly reconstructed in-memory program slices and loaded image files will then further serve as input feature vectors to two distinct modalities in a multimodal learning malware classification scheme. These unique features which together represent app functionality and code structure when applied in the multimodal algorithm will result in a more robust and resilient malware fingerprint that can detect similar and obfuscated variants with a high degree of accuracy.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

在移动设备上，应用程序开发的先进性和复杂性以及许多用户每天对其功能的极大依赖使它们成为数字调查的关键证据。本项目侧重于重建应用程序执行，以恢复移动设备上的用户和指纹恶意软件活动。该研究将为调查人员提供一种方法，可以轻松概述用户操作和策略，以及可能的恶意软件攻击蓝图，而无需事先了解目标应用程序逻辑。该项目将通过吸引本科生和研究生参与记忆取证研究，进一步提高数字取证能力。通过利用内存构件进行执行重建和恶意软件分类，该项目开发了与应用程序无关的内存取证工具，用于调查Android应用程序。该解决方案将从内存中剩余的用户区数据对象及其元数据中重新创建程序执行片，然后将它们映射到从进程内存的代码部分恢复的加载映像，以确定生成用户活动的确切组件和程序流。这种技术的优点是，它为研究者提供了程序流程路径的清晰图像，显示了用户事件的序列和所涉及的数据。在多模态学习恶意软件分类方案中，新重构的内存程序切片和加载的图像文件将进一步作为两种不同模态的输入特征向量。当应用于多模态算法时，这些独特的功能共同代表了应用程序的功能和代码结构，将产生更强大和有弹性的恶意软件指纹，可以以高度准确的方式检测相似和混淆的变体。该奖项反映了美国国家科学基金会的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

App-Agnostic Post-Execution Semantic Analysis of Android In-Memory Forensics Artifacts

• DOI: 10.1145/3427228.3427244
• 发表时间: 2020-12
• 期刊: Proceedings of the 36th Annual Computer Security Applications Conference
• 作者: Aisha I. Ali-Gombe;Alexandra Tambaoan;Angela Gurfolino;G. Richard

Object Allocation Pattern as an Indicator for Maliciousness - An Exploratory Analysis

对象分配模式作为恶意指标 - 探索性分析

• DOI: 10.1145/3422337.3450322
• 发表时间: 2021
• 期刊: ACM CODASPY 2021
• 作者: Hussaini, Adamu;Zahran, Bassam;Ali-Gombe, Aisha
• 通讯作者: Ali-Gombe, Aisha

IIoT-ARAS: IIoT/ICS Automated Risk Assessment System for Prediction and Prevention

IIoT-ARAS：用于预测和预防的 IIoT/ICS 自动风险评估系统

• DOI: 10.1145/3422337.3450320
• 发表时间: 2021
• 期刊: ACM CODASPY 2021
• 作者: Zahran, Bassam;Hussaini, Adamu;Ali-Gombe, Aisha
• 通讯作者: Ali-Gombe, Aisha

Evaluating the Reliability of Android Userland Memory Forensics

评估 Android 用户态内存取证的可靠性

• DOI: 10.34190/iccws.17.1.54
• 发表时间: 2022
• 期刊: 17th International Conference on Information Warfare and Security
• 作者: Sudhakaran, S.;Ali-Gombe, A.;Case, A.;Richard III, G. G.
• 通讯作者: Richard III, G. G.

I Don't Know Why You Need My Data: A Case Study of Popular Social Media Privacy Policies

我不知道你为什么需要我的数据：流行社交媒体隐私政策的案例研究

• DOI: 10.1145/3508398.3519359
• 发表时间: 2022
• 期刊: ACM CODASPY 2022
• 作者: Miller, E.;Rahman Md, R.;Hossain, M.;Ali-Gombe, A.
• 通讯作者: Ali-Gombe, A.