CRII: SaTC: Secure and Comprehensive Forensic Audit Infrastructure for Transparent Heterogeneous Computing

CRII：SaTC：用于透明异构计算的安全且全面的取证审计基础设施

• 批准号: 1850392
• 负责人: Yonghwi Kwon
• 金额: $ 17.44万
• 依托单位: University of Virginia Main Campus
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2019
• 资助国家: 美国
• 起止时间: 2019-03-01 至 2022-02-28
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1850392&HistoricalAwards=false
• 关键词: CRII; SaTC; Secure; Comprehensive; Forensic

Cyber attackers are increasingly targeting emerging smart devices (e.g., Internet of Things devices) causing devastating damages to various enterprises and government agencies. To combat these attacks, rapid and effective investigation is critical to understand attack paths and measure the damages. Unfortunately, forensic logging infrastructures are not efficient and effective enough. Many devices completely lack forensic logging systems and others rely on ineffective logging schemes, delaying or often completely preventing forensic investigation. This research aims to combat advanced cyber-attacks such as Advanced Persistent Threats (APTs) that actively leverage emerging devices. It would design and develop fundamental security primitives that improve state-of-the-art forensic logging in terms of accuracy, efficiency, effectiveness, reliability, and applicability. This research directly contributes to national security by advancing research in and developing techniques for the forensic investigation of advanced cyber-attacks exploiting emerging devices which have recently become a new major attack vector. The investigator is committed to the open and timely dissemination of the outcomes of the proposed research in order to encourage future research in this area. Also, the research will be integrated into new curriculum materials that the investigator will develop, including dedicated lab sessions on Internet of Things forensic analysis and associated APT investigation.This research aims to design and develop fundamental security primitives for forensic logging: (1) Improving the current ineffective forensic logging systems that generate confusing forensic logs which hinder the forensic investigation significantly. (2) Reducing the space overhead of forensic logging systems to increase its applicability. (3) Enabling forensic analysis on unmodifiable devices (e.g., proprietary devices) that cannot be modified and instrumented via a novel forensic causality inference technique. This research provides the following unique set of capabilities that were not previously possible. First is the design and implementation of a novel event-execution path encoding scheme that can precisely capture event execution context information. This will allow forensic analysts to disambiguate confusing event logs. Second is a technique for instrumentation-free forensic analysis via causality inference. Devices that do not allow any modification and instrumentation will be traced and analyzed via other devices that are connected to them leveraging a novel causality inference technique.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

网络攻击者越来越多地将目标对准新兴的智能设备(例如物联网设备)，给各种企业和政府机构造成毁灭性的破坏。为了打击这些攻击，快速有效的调查对于了解攻击路径和测量危害至关重要。不幸的是，法医记录基础设施的效率和效力不够高。许多设备完全缺乏法医记录系统，其他设备依赖于无效的记录方案，推迟或经常完全阻止法医调查。这项研究旨在打击积极利用新兴设备的高级持续威胁(APT)等高级网络攻击。它将设计和开发基本的安全原语，在准确性、效率、有效性、可靠性和适用性方面改进最先进的法医记录。这项研究通过推进对利用新兴设备的高级网络攻击的法医调查技术的研究和开发，直接有助于国家安全，这些设备最近已成为新的主要攻击媒介。调查员致力于公开和及时地传播拟议研究的结果，以鼓励今后在这一领域进行研究。此外，这项研究还将被整合到调查者将开发的新课程中，包括物联网取证分析和相关APT调查的专门实验室会议。本研究旨在设计和开发法医日志记录的基本安全原语：(1)改进当前低效的法医日志记录系统，这些系统产生混乱的法医日志，严重阻碍法医调查。(2)减少取证录井系统的空间开销，增加其适用性。(3)允许对不可修改的设备(例如，专有设备)进行法医分析，这些设备不能通过新的法医因果关系推断技术进行修改和检测。这项研究提供了以下一组独特的功能，这是以前无法实现的。首先，设计并实现了一种新颖的事件执行路径编码方案，该方案能够准确地捕获事件执行上下文信息。这将使法医分析师能够消除令人困惑的事件日志。第二种是一种通过因果关系推断进行无需仪器的法医分析的技术。不允许任何修改和仪器的设备将通过利用新的因果推理技术连接到它们的其他设备进行跟踪和分析。该奖项反映了NSF的法定使命，并通过使用基金会的智力优势和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

MalMax: Multi-Aspect Execution for Automated Dynamic Web Server Malware Analysis

MalMax：自动动态 Web 服务器恶意软件分析的多方面执行

• DOI: 10.1145/3319535.3363199
• 发表时间: 2019
• 期刊: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Naderi-Afooshteh, Abbas;Kwon, Yonghwi;Nguyen-Tuong, Anh;Razmjoo-Qalaei, Ali;Zamiri-Gourabi, Mohammad-Reza;Davidson, Jack W.
• 通讯作者: Davidson, Jack W.

Security Analysis on Practices of Certificate Authorities in the HTTPS Phishing Ecosystem

HTTPS钓鱼生态系统中证书颁发机构的做法安全分析

• DOI: 10.1145/3433210.3453100
• 发表时间: 2021
• 期刊: The 2021 ACM Asia Conference on Computer and Communications Security (ASIA CCS'21
• 作者: Kim, Doowon;Cho, Haehyun;Kwon, Yonghwi;Doupé, Adam;Son, Sooel;Ahn, Gail-Joon;Dumitras, Tudor
• 通讯作者: Dumitras, Tudor

Probabilistic Disassembly

• DOI: 10.1109/icse.2019.00121
• 发表时间: 2019-05
• 期刊: 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE)
• 作者: Kenneth A. Miller;Yonghwi Kwon;Yi Sun;Zhuo Zhang;X. Zhang;Zhiqiang Lin

SWARMFLAWFINDER: Discovering and Exploiting Logic Flaws of Swarm Algorithms

• DOI: 10.1109/sp46214.2022.9833685
• 发表时间: 2022-05
• 期刊: 2022 IEEE Symposium on Security and Privacy (SP)
• 作者: Chi-Gon Jung;A. Ahad;Yuseok Jeon;Yonghwi Kwon

PMP: Cost-effective Forced Execution with Probabilistic Memory Pre-planning

• DOI: 10.1109/sp40000.2020.00035
• 发表时间: 2020-05
• 期刊: 2020 IEEE Symposium on Security and Privacy (SP)
• 作者: Wei You;Zhuo Zhang;Yonghwi Kwon;Yousra Aafer;Fei Peng;Yu Shi;C. Harmon;X. Zhang