SaTC: CORE: Medium: Collaborative: RADAR: Real-time Advanced Detection and Attack Reconstruction

SaTC：核心：中等：协作：雷达：实时高级检测和攻击重建

• 批准号: 1918542
• 负责人: Venkat Venkatakrishnan
• 金额: $ 61.2万
• 依托单位: University of Illinois at Chicago
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2019
• 资助国家: 美国
• 起止时间: 2019-10-01 至 2024-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1918542&HistoricalAwards=false
• 关键词: SaTC; CORE; Medium; Collaborative; RADAR

There has been a rapid escalation of targeted cyber-attacks, called Advanced Persistent Threats (APTs), on high-profile enterprises. These skilled attacks routinely bypass widely deployed protection mechanisms. Existing second-line cyber defenses (e.g., intrusion detection systems) are helpful, but they often generate a flood of information that overwhelms cyber analysts. Moreover, analysts lack the tools to piece together attack fragments spanning multiple applications and/or hosts. This project will hence focus on developing the principles, techniques, and tools for accurate attack detection and real-time reconstruction of attacker activities across large enterprises.Many intellectual challenges arise in APT campaign reconstruction, including: (a) developing a wide range of policy-based, anomaly-based and signature-based attack detectors, (b) connecting the dots in the presence of unreliable detectors, (c) scaling to large enterprise networks, and (d) resisting adversarial manipulation. To overcome these challenges, this project will explore several novel directions, including (i) domain-specific languages for cyber attack detection and forensics, (ii) novel detection techniques that leverage natural language descriptions of recent attacks, (iii) alternative dependence propagation semantics that mitigate dependence explosion, and (iv) mapping attack steps to the high-level objectives ("kill-chain") of APT actors.Cyber technologies are inextricably woven into the fabric of today's society. Repeated cyber attacks undermine the society's trust in this fabric. Even in purely economic terms, worldwide cybercrime led to $600 billion in losses in 2017 (Source: McAfee). This project will help arrest these downward trends. It will also educate graduate, undergraduate and K-12 students through cybersecurity coursework, research, and outreach activities. Enhanced participation of women and minorities will be targeted through alliances with partners, including the National Center for Women & Information Technology, Governor's State University, and Chicago Public Schools. Project-related data, results, publications and tools will be made available through the web sites of the research laboratories collaborating on this project: http://seclab.cs.stonybrook.edu/ and http://sisl.lab.uic.edu/.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

针对知名企业的有针对性的网络攻击迅速升级，称为高级持续威胁(APT)。这些熟练的攻击通常会绕过广泛部署的保护机制。现有的二线网络防御系统(如入侵检测系统)是有帮助的，但它们通常会产生大量信息，使网络分析师不堪重负。此外，分析人员缺乏工具来拼凑跨越多个应用程序和/或主机的攻击片段。因此，该项目将专注于开发准确的攻击检测和实时重建大型企业中的攻击者活动的原则、技术和工具。APT战役重建中出现了许多智力挑战，包括：(A)开发广泛的基于策略、基于异常和基于签名的攻击检测器，(B)在存在不可靠检测器的情况下将点连接起来，(C)扩展到大型企业网络，以及(D)抵抗对手操纵。为了克服这些挑战，这个项目将探索几个新的方向，包括(I)用于网络攻击检测和取证的特定领域的语言，(Ii)利用最近攻击的自然语言描述的新检测技术，(Iii)缓解依赖爆炸的替代依赖传播语义，以及(Iv)将攻击步骤映射到APT参与者的高级目标(“杀伤链”)。反复的网络攻击破坏了社会对这种结构的信任。即使从纯粹的经济角度来看，2017年全球范围内的网络犯罪也导致了6000亿美元的损失(来源：McAfee)。这一项目将有助于遏制这些下降趋势。它还将通过网络安全课程、研究和推广活动来教育研究生、本科生和K-12学生。将通过与国家妇女和信息技术中心、州长州立大学和芝加哥公立学校等伙伴结盟，加强妇女和少数群体的参与。与项目相关的数据、结果、出版物和工具将通过与该项目合作的研究实验室的网站提供：http://seclab.cs.stonybrook.edu/和http://sisl.lab.uic.edu/.This奖反映了美国国家科学基金会的法定使命，并通过使用基金会的智力优势和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Extractor: Extracting Attack Behavior from Threat Reports

• DOI: 10.1109/eurosp51992.2021.00046
• 发表时间: 2021-04
• 期刊: 2021 IEEE European Symposium on Security and Privacy (EuroS&P)
• 作者: Kiavash Satvat;Rigel Gjomemo;V. Venkatakrishnan

POIROT: Aligning Attack Behavior with Kernel Audit Records for Cyber Threat Hunting

• DOI: 10.1145/3319535.3363217
• 发表时间: 2019-09
• 期刊: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Sadegh M. Milajerdi;Birhanu Eshete;Rigel Gjomemo;V. Venkatakrishnan

OSTINATO: Cross-host Attack Correlation Through Attack Activity Similarity Detection

OSTINATO：通过攻击活动相似性检测进行跨主机攻击关联

• 发表时间: 2022
• 期刊: International Conference on information systems security
• 作者: Ghosh, Sutanu K.;Satvat, Kiavash;Gjomemo, Rigel;Venkatakrishnan, V. N.:
• 通讯作者: Venkatakrishnan, V. N.: