SaTC: CORE: Medium: Collaborative: RADAR: Real-time Advanced Detection and Attack Reconstruction

SaTC：核心：中等：协作：雷达：实时高级检测和攻击重建

• 批准号: 1918667
• 负责人: Ramasubramanian Sekar
• 金额: $ 59.99万
• 依托单位: SUNY at Stony Brook
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2019
• 资助国家: 美国
• 起止时间: 2019-10-01 至 2024-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1918667&HistoricalAwards=false
• 关键词: SaTC; CORE; Medium; Collaborative; RADAR

There has been a rapid escalation of targeted cyber-attacks, called Advanced Persistent Threats (APTs), on high-profile enterprises. These skilled attacks routinely bypass widely deployed protection mechanisms. Existing second-line cyber defenses (e.g., intrusion detection systems) are helpful, but they often generate a flood of information that overwhelms cyber analysts. Moreover, analysts lack the tools to piece together attack fragments spanning multiple applications and/or hosts. This project will hence focus on developing the principles, techniques, and tools for accurate attack detection and real-time reconstruction of attacker activities across large enterprises.Many intellectual challenges arise in APT campaign reconstruction, including: (a) developing a wide range of policy-based, anomaly-based and signature-based attack detectors, (b) connecting the dots in the presence of unreliable detectors, (c) scaling to large enterprise networks, and (d) resisting adversarial manipulation. To overcome these challenges, this project will explore several novel directions, including (i) domain-specific languages for cyber attack detection and forensics, (ii) novel detection techniques that leverage natural language descriptions of recent attacks, (iii) alternative dependence propagation semantics that mitigate dependence explosion, and (iv) mapping attack steps to the high-level objectives ("kill-chain") of APT actors.Cyber technologies are inextricably woven into the fabric of today's society. Repeated cyber attacks undermine the society's trust in this fabric. Even in purely economic terms, worldwide cybercrime led to $600 billion in losses in 2017 (Source: McAfee). This project will help arrest these downward trends. It will also educate graduate, undergraduate and K-12 students through cybersecurity coursework, research, and outreach activities. Enhanced participation of women and minorities will be targeted through alliances with partners, including the National Center for Women & Information Technology, Governor's State University, and Chicago Public Schools. Project-related data, results, publications and tools will be made available through the web sites of the research laboratories collaborating on this project: http://seclab.cs.stonybrook.edu/ and http://sisl.lab.uic.edu/.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

有针对性的网络攻击迅速升级，称为“高级持续威胁”（APTS），对备受瞩目的企业。这些熟练的攻击通常会绕过广泛部署的保护机制。现有的二线网络防御（例如，入侵检测系统）很有帮助，但它们通常会产生大量的信息，使网络分析师淹没。此外，分析师缺乏将跨越多个应用程序和/或主机的攻击片段组合在一起的工具。 This project will hence focus on developing the principles, techniques, and tools for accurate attack detection and real-time reconstruction of attacker activities across large enterprises.Many intellectual challenges arise in APT campaign reconstruction, including: (a) developing a wide range of policy-based, anomaly-based and signature-based attack detectors, (b) connecting the dots in the presence of unreliable detectors, (c) scaling to large enterprise networks, and （d）抵抗对抗操作。 To overcome these challenges, this project will explore several novel directions, including (i) domain-specific languages for cyber attack detection and forensics, (ii) novel detection techniques that leverage natural language descriptions of recent attacks, (iii) alternative dependence propagation semantics that mitigate dependence explosion, and (iv) mapping attack steps to the high-level objectives ("kill-chain") of APT actors.Cyber技术与当今社会的结构密不可分。反复的网络攻击破坏了社会对这种结构的信任。即使以经济方式，全球网络犯罪也导致了2017年6000亿美元的损失（资料来源：McAfee）。该项目将有助于阻止这些下降趋势。它还将通过网络安全课程，研究和外展活动来教育研究生，本科和K-12学生。妇女和少数民族的加强参与将通过与合作伙伴的联盟，包括国家妇女与信息技术中心，州长州立大学和芝加哥公立学校。与项目相关的数据，结果，出版物和工具将通过研究实验室的网站提供该项目：http：//seclab.cs.stonybrook.edu// and http：//sisl.lab.uic.edu/. 标准。

项目成果

HOLMES: Real-Time APT Detection through Correlation of Suspicious Information Flows

• DOI: 10.1109/sp.2019.00026
• 发表时间: 2018-10
• 期刊: 2019 IEEE Symposium on Security and Privacy (SP)
• 作者: Sadegh M. Milajerdi;Rigel Gjomemo;Birhanu Eshete;R. Sekar;V. Venkatakrishnan

On the Impact of Exception Handling Compatibility on Binary Instrumentation

异常处理兼容性对二进制仪器的影响

• DOI: 10.1145/3411502.3418428
• 发表时间: 2020
• 期刊: ACM FEAST
• 作者: Priyadarshan, Soumyakant;Nguyen, Huan;Sekar, R.
• 通讯作者: Sekar, R.

Practical Fine-Grained Binary Code Randomization†

实用的细粒度二进制代码随机化

• DOI: 10.1145/3427228.3427292
• 发表时间: 2020
• 期刊: Practical Fine-Grained Binary Code Randomization†
• 作者: Priyadarshan, Soumyakant;Nguyen, Huan;Sekar, R.
• 通讯作者: Sekar, R.

Information Flow: A Unified Basis for Vulnerability Mitigation, Malware Defense and Attack Scenario Reconstruction (Keynote Presentation)

信息流：漏洞缓解、恶意软件防御和攻击场景重构的统一基础（主题演讲）

• DOI: 10.1145/3411502.3418421
• 发表时间: 2020
• 期刊: ACM FEAST
• 作者: Sekar, R.

Combating Dependence Explosion in Forensic Analysis Using Alternative Tag Propagation Semantics

使用替代标签传播语义来对抗取证分析中的依赖爆炸

• DOI: 10.1109/sp40000.2020.00064
• 发表时间: 2020
• 期刊: IEEE Security and Privacy
• 影响因子: 1.9
• 作者: Hossain, Md Nahid;Sheikhi, Sanaz;Sekar, R
• 通讯作者: Sekar, R