Research

Digital Forensics
Using Physical Memory Relationships to Identify Malware
This research aims to provide a novel approach for detecting malware and understanding how it affects random access memory (RAM). Its anticipated use is by incident responders and malware analysts to quickly triage which artifacts are most relevant for analysis. In RAM there are a number of objects that work with one another to ensure that a system functions properly. For instance, when a process is started it will load several dynamic link libraries (DLLs). That same process could create a network connection, interact with registry entries, and hold handles to other files that it needs to perform its designed actions. This work uses memory forensics, community detection, and machine learning with the end goal of distinguishing how malicious artifacts interact with memory from how benign ones do.
Malware Detection Via Code Clones
The development of malware variants is as simple as making slight changes to the source code or even changing compiler settings, which renders signature-based detection tools unreliable. In addition, the creation of variants is now being automated within the malware's own code, a practice known as polymorphic malware. This reuse of code by malicious agents makes the workload of analyzing malware more difficult, because of the sheer amount of malware that needs to be analyzed. The process of analyzing malware through either dynamic or static means is always costly, in time, computation, or both. The goal of this research is to determine the viability of code clones as features in hierarchical clustering of malware in order to establish phylogenetic relationships.
Virtualized IoT (Internet of Things) Project
We propose the research and development, including a proof-of-concept implementation, of a framework that is capable of simulating devices' vulnerabilities for training purposes, as well as emulating a specific list of supported devices for which firmware is available. This approach will allow for more flexibility in the number of scenarios and devices available for training and will allow for the potential inclusion of emulated devices in addition to pseudo devices.
Netmapper
The intent of the Netmapper project is to create a lightweight tool that can extract enough information from a physical or virtual network to build a virtual copy of that network at a later date. In the process of doing this, we have also created a network hardware/software inventory tool, a network mapping tool that can create editable Visio maps of a network, and a network debugging tool. A snapshot can also be taken of the network and compared with another snapshot from a different time, and the differences between the networks can be displayed in a "diff" format or graphically in a network plot. Netmapper can also be used to merge maps of networks together. For example, it can be used to map subdomains separately and then merge them into one network map or plot.

Netmapper is written in Python 3 and currently does not require an external database. Data extracted from the network is stored in XML format, which simplifies the building of custom queries to extract whatever information the user requires. The tool runs under Windows or CentOS 7 and can be used to map and inventory Windows or Linux networks. In addition, when integrated into an Ansible/Packer framework developed by our customer, it can not only extract the information needed to virtualize a network but also greatly simplify the process of actually standing up networks, by automating parts of the framework flow that otherwise require manual effort.
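The snapshot comparison described above, as an added example in Python that is not Netmapper's own code: two constructed XML inventory snapshots are parsed, the host and open-service differences are computed, and the result is rendered in a diff-like form. The `<network>/<host>/<service>` schema is an assumption, not Netmapper's actual format.

```python
# Added example (not Netmapper's own code): diff two network inventory
# snapshots stored as XML, as the text describes comparing snapshots taken
# at different times. The XML schema used here is an assumption.
import xml.etree.ElementTree as ET

# Constructed sample snapshots: each <host> lists the services seen open on it.
SNAPSHOT_T0 = """<network>
 <host ip="10.0.0.5"><service port="445" name="smb"/><service port="3389" name="rdp"/></host>
 <host ip="10.0.0.7"><service port="22" name="ssh"/></host>
</network>"""

SNAPSHOT_T1 = """<network>
 <host ip="10.0.0.5"><service port="445" name="smb"/></host>
 <host ip="10.0.0.7"><service port="22" name="ssh"/><service port="8080" name="http-alt"/></host>
 <host ip="10.0.0.9"><service port="23" name="telnet"/></host>
</network>"""

def parse_snapshot(xml_text):
    """Return {ip: {port: service_name}} from a snapshot document."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        hosts[host.get("ip")] = {int(s.get("port")): s.get("name")
                                 for s in host.iter("service")}
    return hosts

def diff_snapshots(old_xml, new_xml):
    """Compare two snapshots: hosts that appeared/vanished and per-host port changes."""
    old, new = parse_snapshot(old_xml), parse_snapshot(new_xml)
    result = {"added_hosts": sorted(set(new) - set(old)),
              "removed_hosts": sorted(set(old) - set(new)),
              "service_changes": {}}
    for ip in set(old) & set(new):
        opened = sorted(set(new[ip]) - set(old[ip]))
        closed = sorted(set(old[ip]) - set(new[ip]))
        if opened or closed:  # only report hosts whose exposed services moved
            result["service_changes"][ip] = {"opened": opened, "closed": closed}
    return result

def render_diff(d):
    """Render the changes in a unified-diff-like text form ('-' gone, '+' new)."""
    lines = [f"- host {ip}" for ip in d["removed_hosts"]]
    lines += [f"+ host {ip}" for ip in d["added_hosts"]]
    for ip, ch in sorted(d["service_changes"].items()):
        lines += [f"- {ip}:{p}" for p in ch["closed"]]
        lines += [f"+ {ip}:{p}" for p in ch["opened"]]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_diff(diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1)))
```

A newly appearing host or a newly opened listener between snapshots is exactly the kind of change an inventory review wants surfaced first.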
SCADA (Supervisory control and data acquisition)
The CCI SCADA lab located in the HPCC building was established to allow students to work with software and hardware that they might see in industry. The lab has been used to find zero-day exploits in commercial software and it has been used to demonstrate attacks on wireless networks. It has also been used to provide network traffic data when being attacked. At least two efforts are contemplated:
  • A study to evaluate the effects of NMAP and Netmapper on the SCADA network and what settings for these programs would minimize how much they affect the network. These programs would use the active NIC (network interface card) of the monitoring nodes and the passive NIC would be used to collect data on how they affect the network.
  • There is a need for data captures of SCADA networks. This project would involve setting up the network to generate SCADA traffic and then capturing it so it could be made available for people/groups interested in this kind of traffic.
Self-Protecting Systems
One of the major trends in research on Self-Protecting Systems is to use a model of the system to be protected to predict its evolution. However, devising the model requires specialist knowledge of mathematical frameworks, which prevents the adoption of this technique outside of the academic environment. Furthermore, some of the proposed approaches suffer from the curse of dimensionality, as their complexity is exponential in the size of the protected system. We are developing a model-integrated approach to the design of Self-Protecting Systems, which automatically generates and solves Markov Decision Processes (MDPs) to obtain optimal defense strategies for systems under attack. The MDPs are constructed so that the size of the state space depends not on the size of the system but on the scope of the attack, which allows us to apply the approach to systems of arbitrary size.