Software Forensic Archaeology for Cyber Attribution

Abstract

Attribution of cyber-attacks is an important unsolved problem in the cyber domain, and attribution to specific state and non-state actors is critical for effective defense and response. Attribution is difficult because many markers of cyber-attack are unreliable, readily falsified, and transient. Malware is the ultimate forensic quantity in cyber-attacks: malware binaries are often the only artifacts remaining after an attack. Malware is increasingly complex and heterogeneous, incorporating components from multiple sources and involving multiple actors, thus complicating the attribution problem. There is a significant lack of research on the malware software development life cycle (SDLC), but it is clear from observed software reuse that multiple actors are usually involved, including exploit researchers, core developers, and packaging developers. This multi-step malware development process is inherently a social process that can be rediscovered through the activity of software forensic archaeology: analysis of software and malware for artifacts that can be traced back to the development process through a study of the evolution of software engineering in general and malware tradecraft specifically. This research team hypothesizes that (1) there are malware artifacts that can be traced directly back to the malware's development processes through controlled experimentation, and these malware features are useful for attribution; (2) malware that is created using complex, heterogeneous development processes exhibits relationships between samples that can be discovered using social network analysis (SNA) and relational algebra (RA) techniques on the malware artifacts, actors, contributions, and other contextual information; and (3) software diversity and obfuscation techniques used by malware to evade detection and attribution can inform attribution decisions when investigated through rigorous experimentation and empirical validation.

JHU/APL's expertise in malware defense and software diversity will enable complex attack attribution using software forensic archaeology. This research builds upon APL's existing software development experience and capabilities from DEFACTO, a cross-platform meta-programming technology that automates the construction of design-diversified software, which will enable large-scale experimentation and supervised machine learning to identify malware binary characteristics that are useful for complex attribution of cyber-attacks. Carnegie Mellon University (CMU) is a leader in SNA, RA, and the analysis and visualization of dynamic meta-networks. CMU and JHU/APL's expertise in network analysis will contribute to the attribution of malware created using complex, heterogeneous development processes involving multiple actors and contributions. We anticipate the outcome of this research will be attribution information for malware used in cyber-attacks to state or non-state actors, which will provide operational benefits in prioritizing and responding to cyber-attacks and policy benefits in managing cyber conflicts. The principal investigators for this research will be Drs. Matthew Elder and Ian McCulloh at JHU/APL. Dr. Elder has more than 15 years' experience in cyber security research, performing Government-funded research for DARPA, HS-ARPA, and IARPA while working at two of the most prominent antivirus/security companies (Symantec and McAfee). Dr. McCulloh is chief scientist of the cyber warfare systems group at JHU/APL, a retired Army special operations officer, and former chief of offensive cyber operations at CENTCOM; his research expertise is in SNA and network science. Professor Kathleen Carley of CMU will be a subcontractor to JHU/APL. She has been leading SNA research in the Department of Defense (DoD) for 30 years.

She runs the CMU Center for Computational Analysis of Social and Organizational Systems and develops the Organizational Risk Analyzer, which is the most

Document Details

Document Type
DoD Grant Award
Publication Date
Jan 23, 2018
Source ID
N000141812111

Entities

People

  • Matthew Elder

Organizations

  • Johns Hopkins University
  • Office of Naval Research
  • United States Navy

Tags

Fields of Study

  • Computer science

Readers

  • Agent-Based Social Robotics and Mobile-Assisted Learning in Virtual Environments.
  • Cybersecurity.
  • Software Engineering.

Technology Areas

  • AI & ML
  • AI & ML - DoD AI Strategy
  • Cyber
  • Cyber - Legality in Cyberspace