SaTC: CORE: Medium: Collaborative: RADAR: Real-time Advanced Detection and Attack Reconstruction

SaTC：核心：中等：协作：雷达：实时高级检测和攻击重建

• 批准号: 1918667
• 负责人: Ramasubramanian Sekar
• 金额: $ 59.99万
• 依托单位: SUNY at Stony Brook
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2019
• 资助国家: 美国
• 起止时间: 2019-10-01 至 2024-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1918667&HistoricalAwards=false
• 关键词: SaTC; CORE; Medium; Collaborative; RADAR

There has been a rapid escalation of targeted cyber-attacks, called Advanced Persistent Threats (APTs), on high-profile enterprises. These skilled attacks routinely bypass widely deployed protection mechanisms. Existing second-line cyber defenses (e.g., intrusion detection systems) are helpful, but they often generate a flood of information that overwhelms cyber analysts. Moreover, analysts lack the tools to piece together attack fragments spanning multiple applications and/or hosts. This project will hence focus on developing the principles, techniques, and tools for accurate attack detection and real-time reconstruction of attacker activities across large enterprises.Many intellectual challenges arise in APT campaign reconstruction, including: (a) developing a wide range of policy-based, anomaly-based and signature-based attack detectors, (b) connecting the dots in the presence of unreliable detectors, (c) scaling to large enterprise networks, and (d) resisting adversarial manipulation. To overcome these challenges, this project will explore several novel directions, including (i) domain-specific languages for cyber attack detection and forensics, (ii) novel detection techniques that leverage natural language descriptions of recent attacks, (iii) alternative dependence propagation semantics that mitigate dependence explosion, and (iv) mapping attack steps to the high-level objectives ("kill-chain") of APT actors.Cyber technologies are inextricably woven into the fabric of today's society. Repeated cyber attacks undermine the society's trust in this fabric. Even in purely economic terms, worldwide cybercrime led to $600 billion in losses in 2017 (Source: McAfee). This project will help arrest these downward trends. It will also educate graduate, undergraduate and K-12 students through cybersecurity coursework, research, and outreach activities. Enhanced participation of women and minorities will be targeted through alliances with partners, including the National Center for Women & Information Technology, Governor's State University, and Chicago Public Schools. Project-related data, results, publications and tools will be made available through the web sites of the research laboratories collaborating on this project: http://seclab.cs.stonybrook.edu/ and http://sisl.lab.uic.edu/.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

针对知名企业的有针对性的网络攻击（称为高级持续性威胁（APT））迅速升级。这些熟练的攻击通常绕过广泛部署的保护机制。现有的二线网络防御（例如，入侵检测系统）是有帮助的，但它们经常产生大量的信息，使网络分析师感到困惑。此外，分析师缺乏将跨越多个应用程序和/或主机的攻击片段拼凑在一起的工具。因此，该项目将专注于开发用于准确检测攻击和实时重建大型企业中攻击者活动的原理、技术和工具。APT活动重建中出现了许多智力挑战，包括：（a）开发广泛的基于策略、基于异常和基于特征的攻击检测器，（B）在存在不可靠检测器的情况下连接点，（c）扩展到大型企业网络，以及（d）抵制对抗性操纵。为了克服这些挑战，该项目将探索几个新的方向，包括（i）用于网络攻击检测和取证的特定领域语言，（ii）利用最近攻击的自然语言描述的新型检测技术，（iii）减轻依赖爆炸的替代依赖传播语义，以及（iv）将攻击步骤映射到APT参与者的高级目标（“攻击链”）。网络技术与当今社会的结构密不可分。反复的网络攻击破坏了社会对这一结构的信任。即使从纯粹的经济角度来看，2017年全球网络犯罪也导致了6000亿美元的损失（来源：McAfee）。该项目将有助于遏制这种下降趋势。它还将通过网络安全课程，研究和推广活动教育研究生，本科生和K-12学生。将通过与国家妇女信息技术中心、州长州立大学和芝加哥公立学校等伙伴建立联盟，加强妇女和少数族裔的参与。与项目有关的数据、结果、出版物和工具将通过在该项目上合作的研究实验室的网站提供：http://seclab.cs.stonybrook.edu/和http://sisl.lab.uic.edu/.This奖项反映了NSF的法定使命，并被认为值得通过使用基金会的知识价值和更广泛的影响审查标准进行评估来支持。

项目成果

HOLMES: Real-Time APT Detection through Correlation of Suspicious Information Flows

• DOI: 10.1109/sp.2019.00026
• 发表时间: 2018-10
• 期刊: 2019 IEEE Symposium on Security and Privacy (SP)
• 作者: Sadegh M. Milajerdi;Rigel Gjomemo;Birhanu Eshete;R. Sekar;V. Venkatakrishnan

On the Impact of Exception Handling Compatibility on Binary Instrumentation

异常处理兼容性对二进制仪器的影响

• DOI: 10.1145/3411502.3418428
• 发表时间: 2020
• 期刊: ACM FEAST
• 作者: Priyadarshan, Soumyakant;Nguyen, Huan;Sekar, R.
• 通讯作者: Sekar, R.

Practical Fine-Grained Binary Code Randomization†

实用的细粒度二进制代码随机化

• DOI: 10.1145/3427228.3427292
• 发表时间: 2020
• 期刊: Practical Fine-Grained Binary Code Randomization†
• 作者: Priyadarshan, Soumyakant;Nguyen, Huan;Sekar, R.
• 通讯作者: Sekar, R.

Information Flow: A Unified Basis for Vulnerability Mitigation, Malware Defense and Attack Scenario Reconstruction (Keynote Presentation)

信息流：漏洞缓解、恶意软件防御和攻击场景重构的统一基础（主题演讲）

• DOI: 10.1145/3411502.3418421
• 发表时间: 2020
• 期刊: ACM FEAST
• 作者: Sekar, R.

Combating Dependence Explosion in Forensic Analysis Using Alternative Tag Propagation Semantics

使用替代标签传播语义来对抗取证分析中的依赖爆炸

• DOI: 10.1109/sp40000.2020.00064
• 发表时间: 2020
• 期刊: IEEE Security and Privacy
• 影响因子: 1.9
• 作者: Hossain, Md Nahid;Sheikhi, Sanaz;Sekar, R
• 通讯作者: Sekar, R