TWC: Medium: Collaborative: Towards a Binary-Centric Framework for Cyber Forensics in Enterprise Environments

TWC：媒介：协作：迈向企业环境中以二进制为中心的网络取证框架

• 批准号: 1409668
• 负责人: Dongyan Xu
• 金额: $ 80万
• 依托单位: Purdue University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2014
• 资助国家: 美国
• 起止时间: 2014-09-01 至 2019-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1409668&HistoricalAwards=false
• 关键词: TWC; Medium; Collaborative; Towards; Binary

Emerging attacks such as Advanced Persistent Threats pose significant threat to cyberspace. These attacks are often stealthy, low-and-slow, and disguised via deceptive campaigns. This research focuses on the forensics of cyber attacks targeting enterprise environments, with the goals of (1) understanding an attack's intent, strategy, steps, and targets, (2) collecting digital evidence for legal proceedings, (3) revealing hidden attack behaviors to prevent or minimize damage.To achieve these goals, an integrated framework is being developed which covers three key aspects - temporal, spatial, and malware-behavioral forensics. All three aspects face the common challenge of analyzing binary executables. More specifically, temporal forensics requires finer-grain program logging for identifying attack provenance and ramifications. The solution is to partition a binary program's execution and data for high-accuracy causal analysis. Malware forensics involves revealing malware behaviors that are multi-stage, condition-guarded, and environment-specific. The solution is a new binary analysis approach that force-executes an unknown binary without input or environment setup and exposes the malware's behavior along the execution paths forced into. Temporal forensics requires understanding unknown file formats and in-memory data structure contents. The solution is to identify and reuse the file parsing/generation and data structure rendering logic in the corresponding binary programs.This research will advance the state-of-the-art in cyber forensics, a critical need as our nation and society become increasingly dependent on cyberinfrastructures. It will help train next-generation cybersecurity experts by exposing students to real case investigations. Under-represented students are being involved in research activities and cyber forensics exercises.

高级持续威胁等新兴攻击对网络空间构成重大威胁。这些攻击通常是隐秘的、低强度且缓慢的，并且通过欺骗性活动进行伪装。本研究重点关注针对企业环境的网络攻击取证，目标是 (1) 了解攻击的意图、策略、步骤和目标，(2) 收集用于法律诉讼的数字证据，(3) 揭示隐藏的攻击行为防止或最大程度地减少损害。为了实现这些目标，正在开发一个集成框架，该框架涵盖三个关键方面：时间、空间和恶意软件行为取证。所有这三个方面都面临着分析二进制可执行文件的共同挑战。更具体地说，时间取证需要更细粒度的程序日志记录来识别攻击来源和后果。解决方案是对二进制程序的执行和数据进行分区，以进行高精度因果分析。恶意软件取证涉及揭示多阶段、受条件保护且特定于环境的恶意软件行为。该解决方案是一种新的二进制分析方法，无需输入或环境设置即可强制执行未知的二进制文件，并沿着强制执行路径暴露恶意软件的行为。时态取证需要了解未知的文件格式和内存数据结构内容。解决方案是识别和重用相应二进制程序中的文件解析/生成和数据结构渲染逻辑。这项研究将推进网络取证的最先进水平，随着我们的国家和社会变得越来越依赖，这是一个关键需求关于网络基础设施。它将通过让学生接触真实案例调查来帮助培训下一代网络安全专家。代表性不足的学生正在参与研究活动和网络取证练习。