On mobile devices, the advancement and sophistication of application development, together with the heavy daily reliance of many users on app functionality, make these devices a critical piece of evidence for digital investigations. This project focuses on the reconstruction of app execution to recover user activity and to fingerprint malware activity on mobile devices. The research will provide a methodology for investigators to easily outline user actions and strategies, and a possible malware attack blueprint, without prior knowledge of the target application's logic. This project will further advance digital forensics capabilities by engaging both undergraduate and graduate students in memory forensics research.
By leveraging in-memory artifacts for execution reconstruction and malware classification, this project develops app-agnostic memory forensics utilities for investigating Android applications. The solution will recreate program execution slices from residual in-memory userland data objects and their metadata, and then map them to the loaded images recovered from the code section of the process memory to determine the exact components and program flows that generated the user's activity. The advantage of this technique is that it gives the investigator a clear picture of the program flow path, showing the sequence of user events and the data involved. The newly reconstructed in-memory program slices and loaded image files will then further serve as input feature vectors to two distinct modalities in a multimodal learning malware classification scheme. These unique features, which together represent app functionality and code structure, will, when applied in the multimodal algorithm, result in a more robust and resilient malware fingerprint that can detect similar and obfuscated variants with a high degree of accuracy.
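An added illustration (not the project's code) of the mapping step described above: recovered userland data objects are attributed to the loaded image whose mapped range contains their class pointer, ordered into an execution slice, and summarised as a transition feature vector. The object layout, image list and event data are constructed assumptions.

```python
"""Attribute recovered heap objects to loaded images and order them into an
execution slice. Illustrative only: assumed structures, constructed data."""
from bisect import bisect_right
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LoadedImage:
    name: str
    start: int   # base of the mapping in process virtual memory
    end: int     # exclusive end of the mapping


@dataclass(frozen=True)
class HeapObject:
    address: int
    class_ptr: int   # pointer to the class/type metadata that created this object
    seq: int         # ordering key recovered with the object (allocation/event order)
    summary: str     # human-readable description of the recovered data


def image_for(ptr: int, images: List[LoadedImage]) -> Optional[LoadedImage]:
    """Return the image whose [start, end) range contains ptr; images sorted by start."""
    idx = bisect_right([i.start for i in images], ptr) - 1
    if idx >= 0 and ptr < images[idx].end:
        return images[idx]
    return None


def reconstruct_slice(objects: List[HeapObject],
                      images: List[LoadedImage]) -> List[Tuple[int, str, str]]:
    """Order objects by seq and label each with the image owning its class.
    Objects whose class pointer falls outside every mapping (stale or freed
    data) are kept but marked, so gaps in the timeline stay visible."""
    images = sorted(images, key=lambda i: i.start)
    out = []
    for obj in sorted(objects, key=lambda o: o.seq):
        img = image_for(obj.class_ptr, images)
        out.append((obj.seq, img.name if img else "<unmapped>", obj.summary))
    return out


def transition_features(slice_: List[Tuple[int, str, str]]) -> Counter:
    """Bag of consecutive image-to-image transitions: a simple program-flow
    feature vector usable as one modality for classification."""
    names = [name for _, name, _ in slice_]
    return Counter(zip(names, names[1:]))
```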
This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.