OAC Core: Data-driven Methods and Techniques For Protecting Research and Critical Cyberinfrastructure By Characterizing and Defending Against Ransomware

OAC 核心：通过表征和防御勒索软件来保护研究和关键网络基础设施的数据驱动方法和技术

• 批准号: 2104273
• 负责人: Elias Bou-Harb
• 金额: $ 50万
• 依托单位: University of Texas at San Antonio
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-07-01 至 2023-10-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2104273&HistoricalAwards=false
• 关键词: OAC; Core; Data; driven; Methods

Ransomware is an extortion-type of malicious software (malware) that encrypts, locks and exfiltrates data from local and networked assets for financial gains, hindering the availability of such resources while causing immense reputational damages. Recent ransomware attacks on high-valued cyberinfrastructure (CI) in the health, educational, IT, and critical sectors demanded ransoms up to $50M while causing collateral losses estimated to reach $20 billion in the next few years. While there are number of ongoing research efforts that address the ransomware phenomena, they are hindered by several challenges. These include the lack of ransomware-specific analysis methods that permit the comprehension of (state-sponsored) attacks that specifically target US CI, the ineffectiveness of current network-based methods that are capable of thwarting ransomware propagation attempts, and the shortage of host-based techniques that would proactively mitigate the threat. To this end, this project serves NSF's mission to promote the progress of science by developing data-driven methods, techniques and algorithms to offer a first-of-a-kind multidimensional approach to provide CI resiliency against evolving ransomware attacks. The project empowers numerous CI communities, minorities and K-12 students with open source tools, virtual training material and empirical data to facilitate forward-looking research and education. The project further supports the operational cyber situational awareness community by indexing the generated threat intelligence in an open source platform, making it readily available to support near real-time, ransomware-centric mitigation. The project draws upon close to 2M (US-targeted) ransomware samples per month provided by an industry partner. The project develops binary authorship methods that are resilient against common obfuscation and refactoring techniques to (1) provide empirical evidence related to the orchestration behavior of the attack entity, and (2) facilitate the large-scale measurements and characterization of such orchestrated events. Along this vein, the project initially leverages pre-processing data methods based on opcode frequencies to subsequently devise feature engineering processes as applied on binary code to extract salient coding habits; related to memory usages, utilization of specific data structures, function terminations, etc. Moreover, the project ingests run-time behavioral reports of ransomware and develops learning methodologies by innovating techniques rooted in natural language processing and attention mechanisms. This aims at engineering models that could provide resiliency from the network level, while applying concept drift notions to capture and comprehend the mutating behaviors of such ransomware. The project also designs and implements data carving techniques by applying the devised learning models on streaming network traffic. Additionally, the project explores host-based prevention methodologies by exploiting a set of ransomware-specific behaviors. Herein, the project conducts large-scale ransomware instrumentation, models ransomware sensing activities based on DLL calls, while devising data mining methods based on a priori methods. The project further develops data sharing capabilities to facilitate access to raw data, and the generated threat intelligence. The project also devises virtual labs’ material to enable large-scale, cloud-based research and training activities.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

勒索软件是一种敲诈勒索类型的恶意软件，它会加密、锁定和窃取本地和网络资产中的数据以获取经济利益，阻碍此类资源的可用性，同时对高价值网络基础设施 (CI) 造成巨大的声誉损失。 ）在健康、教育、IT 和关键部门要求高达 5000 万美元的赎金，同时造成的附带损失预计在未来几年将达到 200 亿美元，同时还有许多正在进行的研究工作。解决勒索软件现象的方法受到一些挑战的阻碍，其中包括缺乏能够理解专门针对美国 CI 的（国家资助的）攻击的特定勒索软件分析方法，以及当前基于网络的方法的无效性。能够阻止勒索软件传播尝试，并且缺乏能够主动缓解威胁的基于主机的技术。为此，该项目通过开发数据驱动的方法、技术和算法来实现 NSF 的使命，即促进科学进步。该项目为众多 CI 社区、少数族裔和 K-12 学生提供开源工具、虚拟培训材料和经验数据，以促进前瞻性研究和教育。该项目通过在开源平台中索引生成的威胁情报，进一步支持运营网络态势感知社区，使其可以随时支持近乎实时的、以勒索软件为中心的缓解措施。该项目利用了近 2M（针对美国）。 ）该项目每月由行业合作伙伴提供勒索软件样本，开发能够抵御常见混淆和重构技术的二进制授权方法，以 (1) 提供与攻击实体的编排行为相关的经验证据，以及 (2) 促进大规模攻击。沿着这种思路，该项目最初利用基于操作码频率的预处理数据方法，随后设计应用于二进制代码的特征工程流程，以提取与内存使用、利用率相关的显着编码习惯；此外，该项目还摄取勒索软件的运行时行为报告，并通过植根于自然语言处理和注意力机制的创新技术开发学习方法，其目标是能够提供网络弹性的工程模型。该项目还通过在流网络流量上应用设计的学习模型来设计和实现数据雕刻技术，同时应用概念漂移概念来捕获和理解此类勒索软件的变异行为。通过利用一组勒索软件特定的行为，该项目进行大规模勒索软件检测，基于 DLL 调用对勒索软件感知活动进行建模，同时设计基于先验方法的数据挖掘方法。促进对原始数据和生成的威胁情报的访问，该项目还设计了虚拟实验室材料，以实现大规模、基于云的研究和培训活动。该奖项反映了 NSF 的法定使命，并被认为是值得的。通过使用基金会的智力优势和更广泛的影响审查标准进行评估来提供支持。

项目成果

Interpretable Federated Transformer Log Learning for Cloud Threat Forensics

用于云威胁取证的可解释联合 Transformer 日志学习

• DOI: 10.14722/ndss.2022.23102
• 发表时间: 2024-09-14
• 期刊: Proceedings 2022 Network and Distributed System Security Symposium
• 作者: G. Parra;Luis Selvera;Joseph Khoury;Hector Irizarry;E. Bou;P. Rad
• 通讯作者: P. Rad

RPM: Ransomware Prevention and Mitigation Using Operating Systems’ Sensing Tactics

RPM：使用操作系统预防和缓解勒索软件 - 传感策略

• 发表时间: 2023-04
• 期刊: International Conference on Communications
• 作者: Ricardo Misael Ayala Molina; Elias Bou
• 通讯作者: Elias Bou

On Ransomware Family Attribution Using Pre-Attack Paranoia Activities

使用攻击前偏执活动进行勒索软件家族归因

• DOI: 10.1109/tnsm.2021.3112056
• 发表时间: 2022-03
• 期刊: IEEE Transactions on Network and Service Management
• 影响因子: 5.3
• 作者: Molina, Ricardo Misael;Torabi, Sadegh;Sarieddine, Khaled;Bou;Bouguila, Nizar;Assi, Chadi
• 通讯作者: Assi, Chadi

Ransomware Detection and Classification Strategies

勒索软件检测和分类策略

• DOI: 10.1109/blackseacom54372.2022.9858296
• 发表时间: 2022-06-06
• 期刊: 2022 IEEE International Black Sea Conference on Communications and Networking (BlackSeaCom)
• 作者: Aldin Vehabovic;Nasir Ghani;E. Bou;J. Crichigno;Aysegul Yayimli
• 通讯作者: Aysegul Yayimli

A behavioral-based forensic investigation approach for analyzing attacks on water plants using GANs

一种基于行为的取证调查方法，用于使用 GAN 分析对水厂的攻击

• DOI: 10.1016/j.fsidi.2021.301198
• 发表时间: 2021-07
• 期刊: Forensic Science International: Digital Investigation
• 作者: Neshenko, Nataliia;Bou;Furht, Borko
• 通讯作者: Furht, Borko