We are Volitech, an advanced biotech company with a heavy emphasis on R&D that serves many customers with high-tech bioresearch and services, from prosthetics to health management. We have recently been hacked by a notorious hacker group and have fired all of our administration team. You are the new administrative team, you shall maintain our systems, defend them against future hackers, and investigate the old hack.

​

That sums up the scenario preceding the 2018 National CCDC event, taking place Apr 13 to 15th in the Walt Disney Convention Center of Orlando, FL. 10 Blue Teams, each consisting of 8 students, one from each region of the United States, each winning their Regional CCDC event, have come here to compete against each other, and against the notorious Red Team, to win the competition. 6 of the teams have been here in previous competitions, and most of them have had national championships. 4 teams are newcomers to the national theme, but all of them have participated in CCDC in previous years. The University of Virginia is the only new team, formed only 3 months prior to the competition, beating the 2017 national champions UMBC in their Mid-Atlantic regional event.​

Cyber attackers are increasingly targeting emerging smart devices (e.g., Internet of Things devices), causing devastating damages to various enterprises and government agencies. To combat these attacks, rapid and effective investigation is critical to understand attack paths and measure the damages. Unfortunately, forensic logging infrastructures are not efficient and effective enough. Many devices completely lack forensic logging systems, and others rely on ineffective logging schemes, delaying or often completely preventing forensic investigation. This research aims to combat advanced cyber-attacks such as Advanced Persistent Threats (APTs) that actively leverage emerging devices. It would design and develop fundamental security primitives that improve state-of-the-art forensic logging in terms of accuracy, efficiency, effectiveness, reliability, and applicability. This research directly contributes to national security by advancing research in and developing techniques for the forensic investigation of advanced cyber-attacks exploiting emerging devices which have recently become a new major attack vector. The investigator is committed to the open and timely dissemination of the outcomes of the proposed research in order to encourage future research in this area. Also, the research will be integrated into new curriculum materials that the investigator will develop, including dedicated lab sessions on Internet of Things forensic analysis and associated APT investigation.

​

This research aims to design and develop fundamental security primitives for forensic logging: (1) Improving the current ineffective forensic logging systems that generate confusing forensic logs, which hinder forensic investigation significantly. (2) Reducing the space overhead of forensic logging systems to increase their applicability. (3) Enabling forensic analysis on unmodifiable devices (e.g., proprietary devices) that cannot be modified and instrumented via a novel forensic causality inference technique. This research provides the following unique set of capabilities that were not previously possible. First is the design and implementation of a novel event-execution path encoding scheme that can precisely capture event execution context information. This will allow forensic analysts to disambiguate confusing event logs. Second is a technique for instrumentation-free forensic analysis via causality inference. Devices that do not allow any modification and instrumentation will be traced and analyzed via other devices that are connected to them, leveraging a novel causality inference technique.

​

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.​

Over half of the world's 1.8 billion websites run on Content Management Systems (CMS). Unfortunately, CMS deployments make easy targets for attackers, as they are built from an amalgam of layered software and interpreters, with varying degrees of network and system permissions, which execute on an Internet-facing web server. This project develops program-analysis-centric techniques that enable the investigation and remediation of ongoing infections as well as hardening against future CMS compromises, with the goals of 1) understanding the intent and strategy of a CMS infection and tracing their root-cause attack vector for reliable remediation, 2) revealing dynamic and sophisticated attack behaviors in malware samples in a CMS infection, 3) hardening of CMS deployments against future attacks. This project benefits national security and economic stability by creating cyber forensics and vulnerability detection techniques for CMS websites and the financial, government, and private sector operations they support. It provides server-side script code including malicious scripts and vulnerable code to help train next-generation cybersecurity experts. Students from underrepresented minority groups are involved in research activities.

​

This project develops Doctor WHO, a CMS analysis framework which combines rapid evidence collection and advanced program analysis techniques for the investigation and remediation of infections and hardening against future CMS compromises. Specifically, the data-driven prediction framework, called TARDIS, is developed to understand the temporal correlation of attack evidence across a corpus of real-world websites. TARDIS enables the automated discovery of the artifacts of a compromise, fingerprinting of the attack's propagation, and rapid investigation of cyberattacks against CMS deployments. The project also develops Torchwood, a cross-language and cross-environment program analysis framework to effectively analyze highly dynamic and sophisticated malware targeting CMSs. Torchwood can handle advanced obfuscation and anti-analysis techniques applied to malware and reveal hidden malicious behaviors and intentions of the malware effectively. Lastly, the project develops UNIT that enables the hardening and securing of CMS deployments against future attacks. UNIT accomplishes this by enabling automated dynamic testing of CMS-backed websites without requiring any runtime environment resources. UNIT eliminates false alerts and provide proof-of-concept exploits via a set of new methods to identify and model dependencies of runtime resources and reconstruct missing resources using instrumented script interpreter engines.

​

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.​