Big-Data Driven Cyber Crime Investigation (under development)

Deviant and criminal groups flourish in virtual spaces because the actors can operate in relative anonymity without fear of shame or stigma. A recent report by the FBI IC3 shows that companies' losses from cybercrime rose from 264.6 million dollars to 559.7 million dollars. The situation is made worse when deviant and criminal groups use legitimate web services as their malicious command and control (C&C) communication channels.
While there is some knowledge of the ways that vulnerabilities are exploited, there is little research exploring the ways that attack agents such as bots and the malicious code behind advanced persistent threats (APT) are distributed across cyberspace. Individuals who control existing bot networks also sell access to their infected machines for a variety of attacks, including spam and denial of service attacks. In addition, current malware analysis does not provide accurate and comprehensive attribution, because the activities behind an incident remain hidden while the malware authors are still at large. As a consequence, these markets enable a great many unskilled computer users to engage in cybercrime and net-centric attacks. It is therefore necessary to systematically investigate the creation, distribution, and attack patterns of the attack agents circulating in cyberspace. This vital information can be used to further investigate big-data driven intelligence related to adversarial threats and to detect and prevent such net-centric threats.

With CASCADE, we will take a multi-dimensional approach to (a) understand net-centric attacks, including malware investigation with on- and off-line assessment, reverse engineering, and dynamic analysis; (b) discover the distribution chain based on computer mediated communications (CMCs), which not only allows adversaries to identify easy-to-use or high quality tools, but also obfuscates the creation of malware when an actor takes credit for a tool that was created by someone else (the diverse range of social communications platforms available on-line makes it exceedingly difficult to understand and identify the resources used and abused by deviant groups on-line); and (c) correlate attack attributions from malware investigation and social dynamics to produce comprehensive and effective intelligence.

This project is being developed in collaboration with CAaNES.