OAC Core: Data-driven Methods and Techniques For Protecting Research and Critical Cyberinfrastructure By Characterizing and Defending Against Ransomware

OAC 核心：通过表征和防御勒索软件来保护研究和关键网络基础设施的数据驱动方法和技术

• 批准号: 2348719
• 负责人: Elias Bou-Harb
• 金额: $ 50万
• 依托单位: Louisiana State University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2023
• 资助国家: 美国
• 起止时间: 2023-10-01 至 2024-06-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2348719&HistoricalAwards=false
• 关键词: OAC; Core; Data; driven; Methods

Ransomware is an extortion-type of malicious software (malware) that encrypts, locks and exfiltrates data from local and networked assets for financial gains, hindering the availability of such resources while causing immense reputational damages. Recent ransomware attacks on high-valued cyberinfrastructure (CI) in the health, educational, IT, and critical sectors demanded ransoms up to $50M while causing collateral losses estimated to reach $20 billion in the next few years. While there are number of ongoing research efforts that address the ransomware phenomena, they are hindered by several challenges. These include the lack of ransomware-specific analysis methods that permit the comprehension of (state-sponsored) attacks that specifically target US CI, the ineffectiveness of current network-based methods that are capable of thwarting ransomware propagation attempts, and the shortage of host-based techniques that would proactively mitigate the threat. To this end, this project serves NSF's mission to promote the progress of science by developing data-driven methods, techniques and algorithms to offer a first-of-a-kind multidimensional approach to provide CI resiliency against evolving ransomware attacks. The project empowers numerous CI communities, minorities and K-12 students with open source tools, virtual training material and empirical data to facilitate forward-looking research and education. The project further supports the operational cyber situational awareness community by indexing the generated threat intelligence in an open source platform, making it readily available to support near real-time, ransomware-centric mitigation. The project draws upon close to 2M (US-targeted) ransomware samples per month provided by an industry partner. The project develops binary authorship methods that are resilient against common obfuscation and refactoring techniques to (1) provide empirical evidence related to the orchestration behavior of the attack entity, and (2) facilitate the large-scale measurements and characterization of such orchestrated events. Along this vein, the project initially leverages pre-processing data methods based on opcode frequencies to subsequently devise feature engineering processes as applied on binary code to extract salient coding habits; related to memory usages, utilization of specific data structures, function terminations, etc. Moreover, the project ingests run-time behavioral reports of ransomware and develops learning methodologies by innovating techniques rooted in natural language processing and attention mechanisms. This aims at engineering models that could provide resiliency from the network level, while applying concept drift notions to capture and comprehend the mutating behaviors of such ransomware. The project also designs and implements data carving techniques by applying the devised learning models on streaming network traffic. Additionally, the project explores host-based prevention methodologies by exploiting a set of ransomware-specific behaviors. Herein, the project conducts large-scale ransomware instrumentation, models ransomware sensing activities based on DLL calls, while devising data mining methods based on a priori methods. The project further develops data sharing capabilities to facilitate access to raw data, and the generated threat intelligence. The project also devises virtual labs’ material to enable large-scale, cloud-based research and training activities.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

勒索软件是一种勒索类型的恶意软件（恶意软件），它会加密、锁定和删除本地和网络资产中的数据，以获取经济利益，阻碍这些资源的可用性，同时造成巨大的声誉损失。最近针对健康、教育、IT和关键领域的高价值网络基础设施（CI）的勒索软件攻击要求高达5000万美元的赎金，同时在未来几年造成的附带损失估计将达到200亿美元。虽然有许多正在进行的研究工作来解决勒索软件现象，但它们受到几个挑战的阻碍。这些问题包括缺乏特定于勒索软件的分析方法，无法理解专门针对美国CI的（国家赞助的）攻击，当前基于网络的方法无法有效阻止勒索软件传播尝试，以及缺乏基于主机的技术来主动减轻威胁。为此，该项目服务于NSF的使命，通过开发数据驱动的方法，技术和算法来促进科学的进步，以提供一种首创的多维方法，从而提供CI弹性，以应对不断变化的勒索软件攻击。该项目为众多CI社区，少数民族和K-12学生提供开源工具，虚拟培训材料和经验数据，以促进前瞻性研究和教育。该项目通过在开源平台中索引生成的威胁情报，进一步支持运营网络态势感知社区，使其随时可用于支持近实时，以勒索软件为中心的缓解。该项目每月利用行业合作伙伴提供的近200万个（针对美国）勒索软件样本。该项目开发了二进制作者身份方法，这些方法对常见的混淆和重构技术具有弹性，以（1）提供与攻击实体的编排行为相关的经验证据，以及（2）促进此类编排事件的大规模测量和表征。沿着这条脉络，该项目最初利用基于操作码频率的预处理数据方法，随后设计应用于二进制代码的特征工程过程，以提取突出的编码习惯;涉及存储器使用、特定数据结构的利用、功能终止等。此外，该项目摄取运行-时间勒索软件的行为报告，并通过创新技术植根于自然语言处理和注意力机制开发学习方法。这旨在建立可以从网络层面提供弹性的工程模型，同时应用概念漂移概念来捕获和理解此类勒索软件的变异行为。该项目还设计和实现了数据雕刻技术，通过应用设计的学习模型流网络流量。此外，该项目还通过利用一组特定于勒索软件的行为来探索基于主机的预防方法。在此，该项目进行大规模的勒索软件检测，基于DLL调用对勒索软件感知活动进行建模，同时设计基于先验方法的数据挖掘方法。该项目进一步开发数据共享能力，以方便访问原始数据和生成的威胁情报。该项目还设计了虚拟实验室的材料，以实现大规模的基于云的研究和培训活动。该奖项反映了NSF的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。