
NSF Org: |
CNS Division Of Computer and Network Systems |
Recipient: |
|
Initial Amendment Date: | March 25, 2010 |
Latest Amendment Date: | May 6, 2014 |
Award Number: | 0953638 |
Award Instrument: | Continuing Grant |
Program Manager: | Sylvia Spengler, sspengle@nsf.gov, (703)292-7347, CNS Division Of Computer and Network Systems, CSE Directorate for Computer and Information Science and Engineering |
Start Date: | April 1, 2010 |
End Date: | March 31, 2016 (Estimated) |
Total Intended Award Amount: | $529,998.00 |
Total Awarded Amount to Date: | $561,998.00 |
Funds Obligated to Date: |
FY 2011 = $124,557.00 FY 2012 = $114,332.00 FY 2013 = $91,992.00 FY 2014 = $112,015.00 |
History of Investigator: |
|
Recipient Sponsored Research Office: |
300 TURNER ST NW BLACKSBURG VA US 24060-3359 (540)231-5281 |
Sponsor Congressional District: |
|
Primary Place of Performance: |
300 TURNER ST NW BLACKSBURG VA US 24060-3359 |
Primary Place of Performance Congressional District: |
|
Unique Entity Identifier (UEI): |
|
Parent UEI: |
|
NSF Program(s): |
Special Projects - CNS, TRUSTWORTHY COMPUTING, Secure &Trustworthy Cyberspace |
Primary Program Source: |
01001112DB NSF RESEARCH & RELATED ACTIVIT 01001213DB NSF RESEARCH & RELATED ACTIVIT 01001314DB NSF RESEARCH & RELATED ACTIVIT 01001415DB NSF RESEARCH & RELATED ACTIVIT |
Program Reference Code(s): |
|
Program Element Code(s): |
|
Award Agency Code: | 4900 |
Fund Agency Code: | 4900 |
Assistance Listing Number(s): | 47.070 |
ABSTRACT
Millions of computers worldwide are estimated to be infected by malware (malicious software) and have become, unknown to their owners, part of an army of dangerous "bots": software applications that run automated tasks over the Internet under the control of cyber criminals. These infected computers are coordinated and used by attackers to launch illegal and destructive network activities, including identity theft, sending spam (an estimated 100 billion spam messages every day), launching distributed denial-of-service attacks, and committing click fraud. They are also capable of launching information warfare to destroy the critical network infrastructure of a nation. Existing malware-detection approaches are limited in their ability to identify malicious bots and discern them from legitimate and benign ones. This proliferation and sophistication require constant vigilance and upgrading. The proposed project introduces a new and paradigm-shifting approach to malware detection, referred to as human-behavior-driven malware detection. With this approach, the project will be able to accurately differentiate the network behaviors of a legitimate user from those of malware by identifying and enforcing unique properties of human computer usage on a host.
The focus on human-user characteristics, rather than those of malware, allows computer security to be realized without the need to continually monitor ever-changing malware patterns. This approach will complement conventional malware-detection techniques based on code analysis, data mining, or network trace filtering. The design of a unique and tamper-resistant traffic-enforcement framework will cryptographically verify the provenance information of both system- and application-level data, utilizing on-chip cryptographic hardware support. This project will implement novel and fine-grained input-traffic correlation analysis that has not previously been applied across a host's network stack, kernel modules, and input devices. The proposed work will create new knowledge on design principles for reliable operating systems and applications, as well as insights into the seamless integration of network-security techniques into a kernel. These studies will significantly advance the understanding of human-behavior-based security and improve the system integrity of all networked computers. The research will build a base of important fundamental knowledge about user-centric security and will provide a compelling and more permanent solution to the increasing need for malware detection. The proposed work will focus on identifying characteristic human-user behaviors (namely application-level user inputs via keyboard and mouse), developing protocols for fine-grained traffic-input analysis, and preventing forgeries and attacks by malware. The PI will design and apply a combination of cryptographic techniques, correlation analysis, and Trusted Platform Module based integrity measures to carry out these tasks.
As an integrated component of the project, the PI will conduct outreach and educational activities that aim to increase the general awareness of cyber-security issues in the K-14 community and broaden the interdisciplinary participation of undergraduate and underrepresented groups in computer security research. In addition, the PI will develop a novel interactive software system Sec Ed for teaching computer security and advancing efforts in curriculum development, mentoring, diversity building, and workshop organization.
PROJECT OUTCOMES REPORT
Disclaimer
This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.
This CAREER project aims at guaranteeing the security of data in modern information systems on which rests personal privacy, corporate confidentiality, and vital aspects of national security. Our research reaches for this goal by working to create new models, algorithms, methods, and prototypes that can be used for anomaly detection in general purpose computer systems and networks, large-scale malware (malicious software) detection and analysis. Also oriented toward this goal, we have been preparing the next generation of cybersecurity professionals by teaching, training, and engaging in research current students who learn the new and evolving techniques to monitor the real time behaviors of networked systems, to detect anomalies and compromises, and to systematically defend against attacks from adversaries.
Our research in this CAREER project addresses problems in causality-based anomaly detection, security operating system design, and cyber behavior analysis.
Anomaly Detection
We develop new methodologies for causality-based anomaly detection for programs and systems. Anomaly detection identifies deviations from expected program/system behavior. The deviations may be due to malicious attacks, unauthorized operations, software flaws, or human errors. Our patented anomaly-detection technique is to analyze causal relations between system elements (e.g., static program statements, run-time instructions, operations, calls) and their triggering events (e.g., user's actions), and to use the causality information for reasoning about the trustworthiness of systems.
Compared to the existing statistical anomaly detection solutions, our causality-based approach provides improved semantic- and context-aware security analysis. The approach extracts and models the causal relations between observed or anticipated computer events and their triggering elements. These relations produce structural and contextual information for reasoning about and justifying the occurrences of system behavior patterns. The advantage of this approach is the ability to provide proactive system defenses. Our work systematically formalizes and demonstrates the effectiveness of this causality-based anomaly-detection approach. We name this approach "storytelling security", because of its potential to connect the dots between seemingly unrelated calls, events, or operations through causal relations. We have demonstrated the effectiveness of the intention-based causality analysis methodology in solving problems in program classification, detecting spyware activities, and drive-by download prevention.
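The input-traffic correlation idea described in the abstract and the causality-based anomaly detection described above can be illustrated with a small detector. The code below is an added example, not the project's prototype: it flags outbound network events that no keyboard or mouse input to the same process precedes within a short window. The event format, the 2-second window and the sample session are all constructed assumptions; the cryptographic/TPM-backed verification of input provenance that the project describes is out of scope here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Event:
    ts: float      # seconds since session start (constructed sample values)
    kind: str      # "key", "mouse" or "net"
    proc: str      # process that generated the event
    detail: str    # key name, click target, or destination host

# A network request is treated as causally explained if a user input to the
# same process occurred at most this many seconds before it. The value is an
# assumption for this example, not a parameter from the project.
WINDOW_SEC = 2.0

def find_unexplained_traffic(events: List[Event], window: float = WINDOW_SEC) -> List[Event]:
    """Return outbound network events with no preceding user input to the
    same process within `window` seconds (the 'story' behind them is missing)."""
    last_input: Dict[str, float] = {}   # proc -> timestamp of latest key/mouse event
    unexplained: List[Event] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind in ("key", "mouse"):
            last_input[ev.proc] = ev.ts
        elif ev.kind == "net":
            t: Optional[float] = last_input.get(ev.proc)
            if t is None or ev.ts - t > window:
                unexplained.append(ev)
    return unexplained

# Constructed sample session: a browser request triggered by a click, a later
# browser request long after any input, and a background process that sends
# traffic although the user never interacted with it.
SAMPLE_EVENTS = [
    Event(0.0, "mouse", "browser", "click url bar"),
    Event(0.3, "key", "browser", "Enter"),
    Event(0.8, "net", "browser", "news.example"),
    Event(5.0, "net", "browser", "cdn.example"),       # 4.7s after last input: flagged
    Event(6.1, "net", "updater", "unknown.example"),   # no input to this process: flagged
    Event(9.0, "mouse", "browser", "click link"),
    Event(9.4, "net", "browser", "news.example"),
]

if __name__ == "__main__":
    for ev in find_unexplained_traffic(SAMPLE_EVENTS):
        print(f"{ev.ts:5.1f}s {ev.proc:8s} -> {ev.detail}: no preceding user input")
```

A real deployment would also have to verify that the input events themselves are genuine (the provenance problem the abstract addresses with hardware-backed cryptography), since malware that can forge input events would otherwise explain away its own traffic.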
Secure OS Design
We also formalized new authentication principles and implemented prototypes for secure operating system designs, including general-purpose Linux operating systems and Android mobile operating systems. Our work aims at designing and developing new far-reaching and wide-impact methodologies for proactive system and network defenses.
Existing OS security work is mostly focused on securing the code. Our work is the first to point out that data flow within components of the OS needs to be secured. Because of the complexity and extensibility of modern OSes, this task is challenging. We introduce security definitions, e.g., authenticity and integrity, for the context of interacting OS components. Our security models can be applied to hardening the trustworthiness of a wide host of runtime user data and kernel data, including user I/O inputs, network I/O, and runtime process information. We then demonstrate with efficient prototypes that these security properties can be achieved in the Linux OS.
Cyber Behavior Study
Our research also includes the analys...