SaTC: CORE: Medium: Collaborative: RADAR: Real-time Advanced Detection and Attack Reconstruction

SaTC：核心：中等：协作：雷达：实时高级检测和攻击重建

• 批准号: 1918542
• 负责人: Venkat Venkatakrishnan
• 金额: $ 61.2万
• 依托单位: University of Illinois at Chicago
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2019
• 资助国家: 美国
• 起止时间: 2019-10-01 至 2024-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1918542&HistoricalAwards=false
• 关键词: SaTC; CORE; Medium; Collaborative; RADAR

There has been a rapid escalation of targeted cyber-attacks, called Advanced Persistent Threats (APTs), on high-profile enterprises. These skilled attacks routinely bypass widely deployed protection mechanisms. Existing second-line cyber defenses (e.g., intrusion detection systems) are helpful, but they often generate a flood of information that overwhelms cyber analysts. Moreover, analysts lack the tools to piece together attack fragments spanning multiple applications and/or hosts. This project will hence focus on developing the principles, techniques, and tools for accurate attack detection and real-time reconstruction of attacker activities across large enterprises.Many intellectual challenges arise in APT campaign reconstruction, including: (a) developing a wide range of policy-based, anomaly-based and signature-based attack detectors, (b) connecting the dots in the presence of unreliable detectors, (c) scaling to large enterprise networks, and (d) resisting adversarial manipulation. To overcome these challenges, this project will explore several novel directions, including (i) domain-specific languages for cyber attack detection and forensics, (ii) novel detection techniques that leverage natural language descriptions of recent attacks, (iii) alternative dependence propagation semantics that mitigate dependence explosion, and (iv) mapping attack steps to the high-level objectives ("kill-chain") of APT actors.Cyber technologies are inextricably woven into the fabric of today's society. Repeated cyber attacks undermine the society's trust in this fabric. Even in purely economic terms, worldwide cybercrime led to $600 billion in losses in 2017 (Source: McAfee). This project will help arrest these downward trends. It will also educate graduate, undergraduate and K-12 students through cybersecurity coursework, research, and outreach activities. Enhanced participation of women and minorities will be targeted through alliances with partners, including the National Center for Women & Information Technology, Governor's State University, and Chicago Public Schools. Project-related data, results, publications and tools will be made available through the web sites of the research laboratories collaborating on this project: http://seclab.cs.stonybrook.edu/ and http://sisl.lab.uic.edu/.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

针对知名企业的定向网络攻击（称为高级持续威胁 (APT)）迅速升级。这些熟练的攻击通常会绕过广泛部署的保护机制。现有的二线网络防御（例如入侵检测系统）很有帮助，但它们通常会产生大量信息，让网络分析师不知所措。此外，分析人员缺乏将跨多个应用程序和/或主机的攻击片段拼凑在一起的工具。因此，该项目将重点开发用于准确检测攻击并实时重建跨大型企业的攻击者活动的原理、技术和工具。APT 活动重建过程中出现了许多智力挑战，包括： (a) 制定广泛的策略基于、基于异常和基于签名的攻击检测器，(b) 在存在不可靠检测器的情况下连接点，(c) 扩展到大型企业网络，以及 (d) 抵抗对抗性操纵。为了克服这些挑战，该项目将探索几个新的方向，包括（i）用于网络攻击检测和取证的特定领域语言，（ii）利用最近攻击的自然语言描述的新颖检测技术，（iii）替代依赖传播语义(iv) 将攻击步骤映射到 APT 参与者的高级目标（“杀伤链”）。网络技术已密不可分地融入当今社会的结构中。反复的网络攻击破坏了社会对这种结构的信任。即使从纯粹的经济角度来看，2017 年全球网络犯罪也造成了 6000 亿美元的损失（来源：McAfee）。该项目将有助于遏制这些下降趋势。它还将通过网络安全课程、研究和外展活动对研究生、本科生和 K-12 学生进行教育。将通过与国家妇女与信息技术中心、州长州立大学和芝加哥公立学校等合作伙伴的联盟来提高妇女和少数族裔的参与度。与项目相关的数据、结果、出版物和工具将通过参与该项目的研究实验室的网站提供：http://seclab.cs.stonybrook.edu/ 和 http://sisl.lab.uic。 edu/。该奖项反映了 NSF 的法定使命，并通过使用基金会的智力价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Extractor: Extracting Attack Behavior from Threat Reports

提取器：从威胁报告中提取攻击行为

• DOI: 10.1109/eurosp51992.2021.00046
• 发表时间: 2021-04-17
• 期刊: 2021 IEEE European Symposium on Security and Privacy (EuroS&P)
• 作者: Kiavash Satvat;Rigel Gjomemo;V. Venkatakrishnan
• 通讯作者: V. Venkatakrishnan

OSTINATO: Cross-host Attack Correlation Through Attack Activity Similarity Detection

OSTINATO：通过攻击活动相似性检测进行跨主机攻击关联

• 发表时间: 2022-12
• 期刊: International Conference on information systems security
• 作者: Ghosh, Sutanu K.;Satvat, Kiavash;Gjomemo, Rigel;Venkatakrishnan, V. N.:
• 通讯作者: Venkatakrishnan, V. N.:

POIROT: Aligning Attack Behavior with Kernel Audit Records for Cyber Threat Hunting

POIROT：将攻击行为与网络威胁追踪的内核审计记录结合起来

• DOI: 10.1145/3319535.3363217
• 发表时间: 2019-09-30
• 期刊: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Sadegh M. Milajerdi;Birhanu Eshete;Rigel Gjomemo;V. Venkatakrishnan
• 通讯作者: V. Venkatakrishnan