CRII: SaTC: GEMINI: Guided Execution Based Mobile Advanced Persistent Threat Investigation

Project Details

Performance Period

Feb 01, 2018 - Jan 31, 2020

Institution(s)

Georgia Tech Research Corporation

Sponsor(s)

National Science Foundation

Award Number


Advanced persistent threat (APT) campaigns are increasingly targeting mobile devices deployed across corporations, governments, and financial institutions. Unfortunately, prohibitively slow responses to even high-profile APT attacks have shown that authorities lack the capability to investigate ongoing attacks quickly (in a matter of hours or days rather than months). To address this challenge, this research draws inspiration from recent developments in memory image forensics (in particular a recently introduced technique called guided execution), which has provided rapid evidence collection and crime investigation capabilities currently unparalleled in APT investigation. This research is developing an integrated framework, called GEMINI, which shifts the goal of modern memory forensics from the investigation of physical-world crimes to APT campaigns. Based on the analysis of only a single memory image --- collected from an Android device after an attack is suspected --- GEMINI provides the following set of APT investigation capabilities: (1) Based on exploratory guided execution techniques, GEMINI can search for and re-create previously enacted APT attack stages. (2) Beyond investigating prior attack execution, GEMINI enables the revelation of hidden/potential future attack behaviors by 'puppeteering' their execution with pre-staged memory image data. (3) After exploring future payloads, GEMINI can further leverage its guided execution capabilities for the remediation of the observed attack strategies.

This work directly contributes to national security by advancing research in and developing techniques for the investigation of APT campaigns targeting mobile devices. In addition, the results of this research are being made publicly available with the goal of enhancing discovery and empowering future research in this area as well as contributing to the development of new curriculum materials focused on malware analysis and reverse engineering.