Atlanta | Mar. 17, 2018
Georgia Tech will begin a new research project with the National Science Foundation (NSF) to combat advanced persistent threats in mobile devices using a technique called memory image forensics.
Brendan D. Saltaformaggio, an assistant professor in the Georgia Tech School of Electrical and Computer Engineering (ECE) and director of the Cyber Forensics Innovation Laboratory, received the CISE Research Initiation Initiative (CRII) Award from the NSF for a project titled "GEMINI: Guided Execution Based Mobile Advanced Persistent Threat Investigation.”
Advanced persistent threat (APT) campaigns are increasingly targeting mobile devices deployed across corporations, governments, and financial institutions. Unfortunately, prohibitively slow responses to even high-profile APT attacks have shown that authorities lack the capability to quickly investigate ongoing attacks (in a matter of hours or days rather than months). To address this challenge, Saltaformaggio’s research draws inspiration from recent developments in memory image forensics, in particular a recently introduced technique called guided execution. This technique has provided rapid evidence collection and crime investigation capabilities currently unparalleled in APT investigation.
Through this research, Saltaformaggio is developing an integrated framework, called GEMINI, which shifts the goal of modern memory forensics from the investigation of physical-world crimes to APT campaigns. Based on the analysis of only a single memory image – collected from an Android device after an attack is suspected – GEMINI provides the following set of APT investigation capabilities:
- Based on exploratory guided execution techniques, GEMINI can search for and re-create previously enacted APT attack stages.
- Beyond investigating prior attack execution, GEMINI enables the revelation of hidden/potential future attack behaviors by “puppeteering” their executing with pre-staged memory image data.
- After exploring future payloads, GEMINI can further leverage its guided execution capabilities for the remediation of the observed attack strategies.
This work directly contributes to national security by advancing research in and developing techniques for the investigation of APT campaigns targeting mobile devices. In addition, the results of this research are being made publicly available with the goal of enhancing discovery and empowering future research in this area, as well as contributing to the development of new curriculum materials focused on malware analysis and reverse engineering.
School of Electrical and Computer Engineering