Cyber attackers are increasingly targeting emerging smart devices (e.g., Internet of Things devices), causing devastating damage to various enterprises and government agencies. To combat these attacks, rapid and effective investigation is critical to understand attack paths and measure the damage. Unfortunately, forensic logging infrastructures are not efficient and effective enough. Many devices completely lack forensic logging systems and others rely on ineffective logging schemes, delaying or often completely preventing forensic investigation. This research aims to combat advanced cyber-attacks such as Advanced Persistent Threats (APTs) that actively leverage emerging devices. It will design and develop fundamental security primitives that improve state-of-the-art forensic logging in terms of accuracy, efficiency, effectiveness, reliability, and applicability.

This research directly contributes to national security by advancing research in and developing techniques for the forensic investigation of advanced cyber-attacks exploiting emerging devices, which have recently become a new major attack vector. The investigator is committed to the open and timely dissemination of the outcomes of the proposed research in order to encourage future research in this area. Also, the research will be integrated into new curriculum materials that the investigator will develop, including dedicated lab sessions on Internet of Things forensic analysis and associated APT investigation.

This research aims to design and develop fundamental security primitives for forensic logging:

(1) Improving the current ineffective forensic logging systems, which generate confusing forensic logs that significantly hinder forensic investigation.
(2) Reducing the space overhead of forensic logging systems to increase their applicability.
(3) Enabling forensic analysis on unmodifiable devices (e.g., proprietary devices) that cannot be modified and instrumented, via a novel forensic causality inference technique.

This research provides the following unique set of capabilities that were not previously possible. First is the design and implementation of a novel event-execution path encoding scheme that can precisely capture event execution context information. This will allow forensic analysts to disambiguate confusing event logs. Second is a technique for instrumentation-free forensic analysis via causality inference. Devices that do not allow any modification and instrumentation will be traced and analyzed via other devices that are connected to them, leveraging a novel causality inference technique.