OAC Core: Data-driven Methods and Techniques For Protecting Research and Critical Cyberinfrastructure By Characterizing and Defending Against Ransomware
Basic information
- Award number: 2348719
- Principal investigator:
- Amount: $500K
- Host institution:
- Host institution country: United States
- Award type: Standard Grant
- Fiscal year: 2023
- Funding country: United States
- Period: 2023-10-01 to 2024-06-30
- Status: completed
- Source:
- Keywords:
Project abstract
Ransomware is an extortion type of malicious software (malware) that encrypts, locks and exfiltrates data from local and networked assets for financial gain, hindering the availability of those resources while causing immense reputational damage. Recent ransomware attacks on high-value cyberinfrastructure (CI) in the health, education, IT and critical sectors demanded ransoms of up to $50M while causing collateral losses estimated to reach $20 billion in the next few years. While there are a number of ongoing research efforts that address the ransomware phenomenon, they are hindered by several challenges. These include the lack of ransomware-specific analysis methods that permit the comprehension of (state-sponsored) attacks that specifically target US CI, the ineffectiveness of current network-based methods at thwarting ransomware propagation attempts, and the shortage of host-based techniques that would proactively mitigate the threat. To this end, this project serves NSF's mission to promote the progress of science by developing data-driven methods, techniques and algorithms that offer a first-of-a-kind multidimensional approach to providing CI resiliency against evolving ransomware attacks. The project empowers numerous CI communities, minorities and K-12 students with open source tools, virtual training material and empirical data to facilitate forward-looking research and education. The project further supports the operational cyber situational awareness community by indexing the generated threat intelligence in an open source platform, making it readily available to support near real-time, ransomware-centric mitigation. The project draws upon close to 2M (US-targeted) ransomware samples per month provided by an industry partner.
The project develops binary authorship methods that are resilient against common obfuscation and refactoring techniques in order to (1) provide empirical evidence related to the orchestration behavior of the attacking entity, and (2) facilitate the large-scale measurement and characterization of such orchestrated events. In this vein, the project first applies data pre-processing methods based on opcode frequencies and then devises feature engineering processes, applied to binary code, to extract salient coding habits related to memory usage, utilization of specific data structures, function termination, etc. Moreover, the project ingests run-time behavioral reports of ransomware and develops learning methodologies by innovating techniques rooted in natural language processing and attention mechanisms. This aims at engineering models that could provide resiliency at the network level, while applying concept drift notions to capture and comprehend the mutating behaviors of such ransomware. The project also designs and implements data carving techniques by applying the devised learning models to streaming network traffic. Additionally, the project explores host-based prevention methodologies by exploiting a set of ransomware-specific behaviors. Here, the project conducts large-scale ransomware instrumentation, models ransomware sensing activities based on DLL calls, and devises data mining methods based on a priori methods. The project further develops data sharing capabilities to facilitate access to the raw data and the generated threat intelligence. The project also devises virtual lab material to enable large-scale, cloud-based research and training activities. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
Project outcomes
Number of journal articles (0)
Number of monographs (0)
Number of research awards (0)
Number of conference papers (0)
Number of patents (0)
Other publications by Elias Bou-Harb
On DGA Detection and Classification Using P4 Programmable Switches
- DOI: 10.1016/j.cose.2024.104007
- Publication date: 2024-10-01
- Journal:
- Impact factor:
- Authors: Ali AlSabeh; Kurt Friday; Elie Kfoury; Jorge Crichigno; Elias Bou-Harb
- Corresponding author: Elias Bou-Harb
Other grants of Elias Bou-Harb
Collaborative Research: CyberTraining: Implementation: Medium: Cross-Disciplinary Training for Joint Cyber-Physical Systems and IoT Security
- Award number: 2230086
- Fiscal year: 2023
- Funding amount: $500K
- Award type: Continuing Grant
Collaborative Research: CyberTraining: Implementation: Medium: Cross-Disciplinary Training for Joint Cyber-Physical Systems and IoT Security
- Award number: 2404946
- Fiscal year: 2023
- Funding amount: $500K
- Award type: Continuing Grant
OAC Core: Data-driven Methods and Techniques For Protecting Research and Critical Cyberinfrastructure By Characterizing and Defending Against Ransomware
- Award number: 2104273
- Fiscal year: 2021
- Funding amount: $500K
- Award type: Standard Grant
CRII: OAC: Inferring, Attributing, Mitigating and Analyzing the Malicious Orchestration of Internet-scale Exploited IoT Devices: A Network Telescope Approach
- Award number: 1953050
- Fiscal year: 2019
- Funding amount: $500K
- Award type: Standard Grant
OAC Core: Small: Devising Data-driven Methodologies by Employing Large-scale Empirical Data to Fingerprint, Attribute, Remediate and Analyze Internet-scale IoT Maliciousness
- Award number: 1907821
- Fiscal year: 2019
- Funding amount: $500K
- Award type: Standard Grant
CRII: OAC: Inferring, Attributing, Mitigating and Analyzing the Malicious Orchestration of Internet-scale Exploited IoT Devices: A Network Telescope Approach
- Award number: 1755179
- Fiscal year: 2018
- Funding amount: $500K
- Award type: Standard Grant
Similar NSFC grants
Kernel function modeling methods for complex data in metric spaces and their analysis
- Award number: 12371277
- Year approved: 2023
- Funding amount: ¥435K
- Award type: General Program
Constraining the properties of the nuclear-matter to quark-matter phase transition by inverting neutron star observational data
- Award number: 12375120
- Year approved: 2023
- Funding amount: ¥520K
- Award type: General Program
Exploring the phylogeny and evolutionary history of Old World tropical woody bamboos based on nuclear gene data
- Award number: 32300206
- Year approved: 2023
- Funding amount: ¥300K
- Award type: Young Scientists Fund
Exploring tribe-level phylogenetic relationships and species diversification history in Fabaceae based on nuclear and organellar genomic data
- Award number:
- Year approved: 2022
- Funding amount: ¥540K
- Award type: General Program
Exploring tribe-level phylogenetic relationships and species diversification history in Fabaceae based on nuclear and organellar genomic data
- Award number: 32270247
- Year approved: 2022
- Funding amount: ¥540K
- Award type: General Program
Similar overseas grants
OAC Core: OAC Core Projects: GPU Geometric Data Processing
- Award number: 2403239
- Fiscal year: 2024
- Funding amount: $500K
- Award type: Standard Grant
OAC Core: Enhancing Network Security by Implementing an ML Malware Detection and Classification Scheme in P4 Programmable Data Planes and SmartNICs
- Award number: 2403360
- Fiscal year: 2024
- Funding amount: $500K
- Award type: Standard Grant
OAC Core: Improving Data Integrity for HPC Datasets using Sparsity Profile
- Award number: 2312982
- Fiscal year: 2023
- Funding amount: $500K
- Award type: Standard Grant
OAC Core: Towards Zero-Carbon Data Movement at the HPC and Cloud Data Centers with GreenDataFlow
- Award number: 2313061
- Fiscal year: 2023
- Funding amount: $500K
- Award type: Standard Grant
Collaborative Research: OAC Core: Topology-Aware Data Compression for Scientific Analysis and Visualization
- Award number: 2313124
- Fiscal year: 2023
- Funding amount: $500K
- Award type: Standard Grant