SaTC: CORE: Medium: Collaborative: Doctor WHO: Investigation and Prevention of Online Content Management System Abuse

SaTC：核心：媒介：协作：WHO 医生：在线内容管理系统滥用的调查和预防

• 批准号: 1916550
• 负责人: Brendan Saltaformaggio
• 金额: $ 45.07万
• 依托单位: Georgia Tech Research Corporation
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2019
• 资助国家: 美国
• 起止时间: 2019-10-01 至 2023-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1916550&HistoricalAwards=false
• 关键词: SaTC; CORE; Medium; Collaborative; Doctor

Over half of the world's 1.8 billion websites run on Content Management Systems (CMS). Unfortunately, CMS deployments make easy targets for attackers, as they are built from an amalgam of layered software and interpreters, with varying degrees of network and system permissions, which execute on an Internet-facing web server. This project develops program-analysis-centric techniques that enable the investigation and remediation of ongoing infections as well as hardening against future CMS compromises, with the goals of 1) understanding the intent and strategy of a CMS infection and tracing their root-cause attack vector for reliable remediation, 2) revealing dynamic and sophisticated attack behaviors in malware samples in a CMS infection, 3) hardening of CMS deployments against future attacks. This project benefits national security and economic stability by creating cyber forensics and vulnerability detection techniques for CMS websites and the financial, government, and private sector operations they support. It provides server-side script code including malicious scripts and vulnerable code to help train next-generation cybersecurity experts. Students from underrepresented minority groups are involved in research activities.This project develops Doctor WHO, a CMS analysis framework which combines rapid evidence collection and advanced program analysis techniques for the investigation and remediation of infections and hardening against future CMS compromises. Specifically, the data-driven prediction framework, called TARDIS, is developed to understand the temporal correlation of attack evidence across a corpus of real-world websites. TARDIS enables the automated discovery of the artifacts of a compromise, fingerprinting of the attack's propagation, and rapid investigation of cyberattacks against CMS deployments. The project also develops Torchwood, a cross-language and cross-environment program analysis framework to effectively analyze highly dynamic and sophisticated malware targeting CMSs. Torchwood can handle advanced obfuscation and anti-analysis techniques applied to malware and reveal hidden malicious behaviors and intentions of the malware effectively. Lastly, the project develops UNIT that enables the hardening and securing of CMS deployments against future attacks. UNIT accomplishes this by enabling automated dynamic testing of CMS-backed websites without requiring any runtime environment resources. UNIT eliminates false alerts and provide proof-of-concept exploits via a set of new methods to identify and model dependencies of runtime resources and reconstruct missing resources using instrumented script interpreter engines.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

全球18亿个网站中有一半以上运行在内容管理系统（CMS）上。不幸的是，CMS部署很容易成为攻击者的目标，因为它们是由分层软件和解释器的混合体构建的，具有不同程度的网络和系统权限，这些权限在面向Internet的Web服务器上执行。该项目开发了以程序分析为中心的技术，能够对正在进行的感染进行调查和补救，并加强对未来CMS危害的防范，目标是：1）了解CMS感染的意图和策略，并跟踪其根本原因攻击向量，以进行可靠的补救，2）揭示CMS感染中恶意软件样本中的动态和复杂的攻击行为，3）加强CMS部署以抵御未来的攻击。该项目通过为CMS网站及其支持的金融、政府和私营部门运营创建网络取证和漏洞检测技术，有利于国家安全和经济稳定。它提供服务器端脚本代码，包括恶意脚本和易受攻击的代码，以帮助培训下一代网络安全专家。该项目开发了Doctor WHO，一个CMS分析框架，结合了快速证据收集和先进的程序分析技术，用于调查和补救感染，并加强对未来CMS妥协。具体来说，开发名为TARDIS的数据驱动预测框架是为了了解真实网站语料库中攻击证据的时间相关性。TARDIS能够自动发现危害的工件，攻击传播的指纹，以及对CMS部署的网络攻击的快速调查。该项目还开发了Torchwood，这是一个跨语言和跨环境的程序分析框架，可以有效地分析针对CMS的高度动态和复杂的恶意软件。Torchwood可以处理应用于恶意软件的高级混淆和反分析技术，并有效地揭示隐藏的恶意行为和恶意软件的意图。最后，该项目开发了UNIT，可以加强和保护CMS部署，以抵御未来的攻击。UNIT通过启用CMS支持的网站的自动化动态测试来实现这一点，而无需任何运行时环境资源。UNIT通过一组新方法消除错误警报并提供概念验证漏洞，以识别和建模运行时资源的依赖关系，并使用仪表化脚本解释器引擎重建丢失的资源。该奖项反映了NSF的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Security Analysis on Practices of Certificate Authorities in the HTTPS Phishing Ecosystem

HTTPS钓鱼生态系统中证书颁发机构的做法安全分析

• DOI: 10.1145/3433210.3453100
• 发表时间: 2021
• 期刊: The 2021 ACM Asia Conference on Computer and Communications Security (ASIA CCS'21
• 作者: Kim, Doowon;Cho, Haehyun;Kwon, Yonghwi;Doupé, Adam;Son, Sooel;Ahn, Gail-Joon;Dumitras, Tudor
• 通讯作者: Dumitras, Tudor

When Push Comes to Ads: Measuring the Rise of (Malicious) Push Advertising

当推送涉及广告时：衡量（恶意）推送广告的兴起

• DOI: 10.1145/3419394.3423631
• 发表时间: 2020
• 期刊: Proceedings of the 2020 ACM Internet Measurement Conference (IMC
• 作者: Subramani, Karthika;Yuan, Xingzi;Setayeshfar, Omid;Vadrevu, Phani;Lee, Kyu Hyung;Perdisci, Roberto
• 通讯作者: Perdisci, Roberto

A Novel AI-based Methodology for Identifying Cyber Attacks in Honey Pots

• DOI: 10.1609/aaai.v35i17.17786
• 发表时间: 2021-05
• 作者: Muhammed AbuOdeh;Christian Adkins;Omid Setayeshfar;Prashant Doshi;K. H. Lee

Cubismo: decloaking server-side malware via cubist program analysis

Cubismo：通过立体程序分析解密服务器端恶意软件

• DOI: 10.1145/3359789.3359821
• 发表时间: 2019
• 期刊: Proceedings of the 35th Annual Computer Security Applications Conference
• 作者: Naderi-Afooshteh, Abbas;Kwon, Yonghwi;Nguyen-Tuong, Anh;Bagheri-Marzijarani, Mandana;Davidson, Jack W.
• 通讯作者: Davidson, Jack W.

Hiding Critical Program Components via Ambiguous Translation

• DOI: 10.1145/3510003.3510139
• 发表时间: 2022-05
• 期刊: 2022 IEEE/ACM 44th International Conference on Software Engineering (ICSE)
• 作者: Chi-Gon Jung;Doowon Kim;An Chen;Weihang Wang;Yunhui Zheng;K. H. Lee;Yonghwi Kwon