LSU Researchers Use AI to Track Cybercrime in Louisiana and Beyond
September 20, 2022
LSU cybersecurity researchers are developing a new tool, called HookTracer, to speed up cybercrime investigations using AI.
Every advance in computing brings new ways for hackers to hide, spy, steal and sabotage. As technology evolves quickly, it’s difficult for “good guys” to stay ahead of, or even become aware of, cyberattacks. This is why LSU cybersecurity experts are developing a new tool, called HookTracer, that uses artificial intelligence, or AI, to reveal cybercriminals and cybercrime both known and unknown.
HookTracer can be used by investigators, such as Louisiana State Police’s Cybercrime Unit, to stop, or at least understand and mitigate, cyberattacks. Whether the threat is an attempt to disrupt critical energy infrastructure or to hold schools and businesses for ransom, Louisiana ranks high on the list of U.S. states most at risk of cybercrime; in fact, it ranks highest of any Southern state other than Florida.
“Cybercrime is flourishing among Louisiana-based networks... Our state’s heavy saturation of the nation’s most critical infrastructure makes it an enticing target for cybercriminals. Investigating these crimes is a labor-intensive effort, even for the most highly trained analysts. That’s why Louisiana State Police always is looking for new tools and methodologies, such as those developed by LSU, to make the process more efficient.”
Devin King, Louisiana State Police cybercrime analyst

Devin King, cybercrime analyst with Louisiana State Police, says cybercrime is flourishing among Louisiana-based networks and that he鈥檚 always looking for new tools, such as 海角社区鈥檚 HookTracer.
Cyberattacks take many forms across a vast variety of software and hardware, but often hackers insert code that changes the normal operation of a computer’s operating system in some way. For example, malware, or malicious software, can monitor webcams and microphones, copy data saved to the clipboard, or snoop on whatever is typed on a keyboard, all while covering its own tracks. Legitimate software relies on the same mechanisms, which makes telling malware apart from benign programs especially difficult.
HookTracer focuses on one particular behind-the-scenes technique: application programming interface, or API, hooks. An API hook intercepts calls to a function, typically by patching the function’s first instructions or the pointer table through which it is reached, and redirects them to other code. Good and bad programs use hooks alike: security products, debuggers and compatibility layers rely on them, and so does malware that wants to watch or alter what an application does without the application knowing.
While a user interface connects a computer to a person, APIs connect computers or pieces of software to each other so they can work together. Their very purpose is to hide the internal details of how a system works, exposing only what a caller needs.
Most of the time, if a computer program seems intuitive and easy to use, it’s because considerable complexity was engineered to become invisible to the user. That convenient abstraction, however, offers ample opportunities for hackers, since code inserted behind it is just as invisible. As new versions of software and hardware emerge, cybercrime investigators face constantly moving targets.
“Previous research in memory forensics we’ve done at LSU has addressed the problem of detecting the presence of API hooks, but a related issue is that we’ve been using heuristics—rules of thumb—to differentiate between benign and malicious hooks,” said Professor Golden G. Richard III, who is the director of the LSU Applied Cybersecurity Lab. “When malware changes behavior, this can result in malicious hooks being marked as benign and therefore not examined by an investigator.”
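To make the heuristic problem Richard describes concrete, here is an added example in Python. It is not HookTracer or Volatility code and is not from the LSU team; it builds a small, entirely constructed memory snapshot (hypothetical module names, base addresses, an allowlist and byte patterns), looks for the branch instructions hooking engines commonly plant at a function’s first bytes, follows the trampoline chain, and classifies each hook by where it finally lands, which is the kind of rule of thumb the quote refers to.

```python
"""Inline API-hook triage over a constructed memory snapshot (added example).

Finds a branch at an exported function's entry, follows the trampoline chain
(a tiny stand-in for instruction emulation), and classifies the hook by the
module, if any, that backs its final target. All addresses, module names and
bytes below are constructed for the example, not taken from a real system.
"""
import struct
from dataclasses import dataclass

MASK64 = (1 << 64) - 1


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Hypothetical loaded-module list, as a memory-forensics tool would recover
# from the process's loader data.
MODULES = [
    Module("ntdll.dll", 0x7FF800000000, 0x200000),
    Module("kernel32.dll", 0x7FF810000000, 0x100000),
    Module("av_userhook.dll", 0x7FF820000000, 0x20000),
]
# The naive rule: hooks landing in a known security product are "benign".
ALLOWLIST = {"av_userhook.dll"}

# Constructed process memory: {address: bytes}. A region that is mapped but
# belongs to no module plays the role of injected code.
MEMORY: dict[int, bytes] = {}


def read(addr: int, n: int) -> bytes:
    for base, data in MEMORY.items():
        if base <= addr < base + len(data):
            return data[addr - base:addr - base + n]
    return b""  # unmapped


def module_for(addr: int):
    return next((m for m in MODULES if m.contains(addr)), None)


def decode_branch(addr: int):
    """Return (target, mnemonic) if the bytes at addr begin with one of three
    unconditional-branch forms hooking engines commonly plant, else None:
      E9 rel32        jmp rel32
      FF 25 disp32    jmp qword [rip+disp32]  (64-bit absolute target)
      68 imm32 / C3   push imm32 ; ret
    """
    b = read(addr, 6)
    if len(b) >= 5 and b[0] == 0xE9:
        rel = struct.unpack_from("<i", b, 1)[0]
        return (addr + 5 + rel) & MASK64, "jmp rel32"
    if len(b) >= 6 and b[0] == 0xFF and b[1] == 0x25:
        disp = struct.unpack_from("<i", b, 2)[0]
        slot = read((addr + 6 + disp) & MASK64, 8)
        return (struct.unpack("<Q", slot)[0], "jmp [rip+disp32]") if len(slot) == 8 else None
    if len(b) >= 6 and b[0] == 0x68 and b[5] == 0xC3:
        return struct.unpack_from("<I", b, 1)[0], "push/ret"
    return None


def follow_chain(addr: int, max_hops: int = 8) -> list[int]:
    """Walk branch-to-branch from addr until real code, a loop, or the hop limit."""
    chain = [addr]
    for _ in range(max_hops):
        hit = decode_branch(chain[-1])
        if hit is None or hit[0] in chain:
            break
        chain.append(hit[0])
    return chain


def classify(target: int, owner) -> str:
    target_mod = module_for(target)
    if target_mod is None:
        return "suspicious: lands in memory backed by no module"
    if target_mod == owner:
        return "benign: intra-module jump"
    if target_mod.name in ALLOWLIST:
        return "benign-by-allowlist: " + target_mod.name
    return "suspicious: lands in unexpected module " + target_mod.name


def triage(name: str, entry: int) -> dict:
    first = decode_branch(entry)
    if first is None:
        return {"function": name, "hooked": False, "verdict": "clean"}
    owner = module_for(entry)
    chain = follow_chain(entry)
    return {"function": name, "hooked": True,
            "one_hop": classify(first[0], owner),   # what a single-step check says
            "final": classify(chain[-1], owner),    # what following the trampoline says
            "chain": [hex(a) for a in chain]}


def jmp_rel32(src: int, dst: int) -> bytes:
    return b"\xE9" + struct.pack("<i", dst - (src + 5))


def build_snapshot() -> dict[str, int]:
    """Fill MEMORY with four constructed export entries; return name -> address."""
    ntdll, av, cave = MODULES[0].base, MODULES[2].base, 0x1F0000  # cave: no module
    ex = {"NtCreateFile": ntdll + 0x1000, "NtReadFile": ntdll + 0x2000,
          "NtWriteFile": ntdll + 0x3000, "NtClose": ntdll + 0x4000}
    # 1. untouched syscall stub: mov r10, rcx ; mov eax, 0x55
    MEMORY[ex["NtCreateFile"]] = bytes.fromhex("4C8BD1B855000000")
    # 2. absolute jmp [rip+0] straight into the code cave
    MEMORY[ex["NtReadFile"]] = bytes.fromhex("FF2500000000") + struct.pack("<Q", cave)
    # 3. relative jmp into the allowlisted AV module, whose stub push/rets into the cave
    MEMORY[ex["NtWriteFile"]] = jmp_rel32(ex["NtWriteFile"], av + 0x100)
    MEMORY[av + 0x100] = b"\x68" + struct.pack("<I", cave) + b"\xC3"
    # 4. intra-module forward (hot-patch style) to another ntdll routine
    MEMORY[ex["NtClose"]] = jmp_rel32(ex["NtClose"], ntdll + 0x5000)
    MEMORY[ntdll + 0x5000] = bytes.fromhex("4C8BD1B80F000000")
    MEMORY[cave] = bytes.fromhex("4883EC28")  # sub rsp, 0x28: start of injected code
    return ex


if __name__ == "__main__":
    for fn, addr in build_snapshot().items():
        print(triage(fn, addr))
```

The NtWriteFile case is the point: a one-hop check reports that the hook lands in an allowlisted security product and calls it benign, while following the chain shows it ends in memory backed by no module. Any rule of this kind can still be evaded, for instance by a hook whose final target sits inside a module the rule trusts, or by a trampoline form the decoder does not recognize; that is the gap a learned classifier is meant to narrow.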
Malware is an umbrella term for viruses, worms, ransomware and spyware, but not bugs, since the harm bugs cause is unintentional. To cope with the complexity and the sometimes subtle variations among combinations of hardware, software and malware, the LSU researchers behind HookTracer are using AI to help investigators identify attacks that are not an exact match for previously known ones yet resemble them in significant ways, perhaps by touching a certain location in the computer’s memory or by following a specific sequence of steps. AI is exceptionally good at discovering “close enough” patterns in vast amounts of data, just as deep learning for facial recognition can learn to recognize a person both with and without glasses.
“For cyber-intrusion investigations, Louisiana State Police routinely collects evidence from a multitude of hosts running in victim networks,” King said. “Sifting through that data and finding ‘bad’ is one of the most critical steps. A large part of our investigative effort is spent going down rabbit holes to rule out false positives and negatives to ensure ‘bad’ is actually what was found. The ability to quickly make that determination is key.”
The LSU researchers are working to make HookTracer both flexible and explainable, two features that matter in memory forensics and in any data security work with legal implications. A common problem with AI is that the outcome, a decision or answer, is often delivered without the underlying reasons for it. Coherent explanations, however, are critical for investigators who need to validate their investigative process and may have to present their findings as evidence in legal proceedings. HookTracer’s multi-level attention network, developed by the LSU team, lets the model weight the parts of its input it finds most relevant in light of what it has learned from earlier cases, and report those priorities to investigators, so the basis for a verdict can be inspected rather than taken on faith.

LSU Associate Professor Mingxuan Sun leads the development of the AI and machine learning components of HookTracer. She works to make the technology more robust, yet transparent and explainable, which is important when the goal is to gather evidence of cybercrime.
Photo: LSU
“A deep neural network is infamous for its complexity and can be very hard to explain, so we must work on different strategies to make sure we have a better understanding of not only the AI’s decisions, but also why those decisions were made,” said Mingxuan Sun, associate professor in the LSU Division of Computer Science and Engineering and lead developer of the AI components of HookTracer. “If we get a music or movie recommendation based on an AI algorithm, we may just try it, even if we don’t know why it was recommended to us, since the cost in clicks, time or dollars is low. But when lives and livelihoods are on the line, as they are in security as well as medical applications, we need more power of explanation.”
LSU’s cybersecurity team will use “adversarial training” to make HookTracer’s AI more robust and less gullible, in the same way that putting on makeup shouldn’t throw off facial recognition and a sticker on a stop sign shouldn’t land a self-driving car in a ditch. By deliberately trying to trick the AI with lookalikes and manipulated data during training, the team teaches it to see through them. This adversarial training should not only make HookTracer less likely to let malware evade detection, but also make the tool more adaptable across platforms and data types.
From the start, HookTracer was built to integrate with the open-source Volatility memory analysis framework, one of the premier memory forensics platforms in the world. This is because Andrew Case, a core developer of Volatility, has been part of the LSU Applied Cybersecurity Lab since 2017, giving students a direct connection to industry.
“HookTracer’s greatest strength is that it uses malware’s code against itself by emulating the instructions in a sandboxed environment,” Case said. “This allows the decisions made by HookTracer to be driven directly by the activity of malicious code. Few other projects in the field allow for such power in a scalable way, and it gives our students the ability to quickly develop new malware detection capabilities that can be immediately applied in the field.”
Case and Richard recently presented a research paper at Black Hat, the premier cybersecurity conference in the world, held in Las Vegas last month. Like HookTracer, the paper offers new ways to fight malware that relies on API hooks. Titled “New Memory Forensics Techniques to Defeat Device Monitoring Malware,” it covers all three major operating systems: Linux, macOS and Windows.

Professor Golden G. Richard III (left) is faculty lead on the LSU cybersecurity initiative, director of the LSU Applied Cybersecurity Lab, and a member of the HookTracer development team. He was recently interviewed by LSU President William F. Tate IV (right) for his On Par with the President podcast.
Photo: LSU
As cybersecurity defenders and computer security companies have become wiser to weaknesses in the kernel, adding patches and safeguards, more and more malware attacks now happen in what programmers call “userland,” the programs and apps that interact with the kernel and normally run with fewer privileges, unless the malware manages to escalate those privileges, which is often one of its key objectives.
You can think of it like a restaurant, where userland is the dining room. In a normal scenario, guests, or computer users, place orders with waiters, or applications, who deliver the food, but neither the guests nor the waiters can go into the kitchen, or the kernel, to cook. Once it was discovered that a guest had somehow bribed a sous-chef in the kitchen to send all the expensive butter out the back door and replace it with margarine, the restaurant owners, or Linux, Mac and Windows, installed cameras in the kitchen, making it harder to bribe or otherwise manipulate the kitchen staff. A bad guest, however, can still order 99 chocolate soufflés at once and overload the kitchen (a denial of service, or DoS, attack), bribe a waiter, or take advantage of an unsuspecting waiter by swapping their nametag and hypnotizing them into opening the walk-in fridge.
In the cybersecurity world, reconstructing exactly what happened to the “butter” from a snapshot of the computer’s memory is known as memory forensics. Case and Richard are among the top memory forensics researchers in the world and developed HookTracer specifically to help with incident response, which involves working out how a computer crime took place and gathering evidence.
The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, recently reemphasized the importance of memory forensics in investigations of cybersecurity incidents and vulnerabilities, further increasing national demand for memory forensics expertise.
“Memory forensics wasn’t widely adopted when we first started working on problems in memory forensics around 2006, but a lot of people are realizing that it’s incredibly important,” Richard said. “Today, we see lots of malware you simply cannot find using traditional forensics techniques, such as examining copies of hard disks. HookTracer eliminates more of the gaps where malware can hide.”
Richard’s team has been collaborating with Louisiana State Police through the LSU FIREStarter and, more recently, LSU FIREStarter 2 initiatives, which give students hands-on training in incident response. The ongoing effort is funded by the Louisiana Board of Regents, with real-time threat data provided by Louisiana State Police. Students also gain experience with the latest memory forensics tools, such as HookTracer.
“The capability to perform memory and volatile data analysis is the backbone of any cybercrime investigative unit,” King said. “It’s the ‘DNA analysis’ of the cyber world.”
Read more:
“LSU Announces Strategy and Commitment to Become Leader in Cybersecurity, Military Studies” (LSU)
From Hacker to Cyber Defender with LSU’s Dr. Golden Richard III (LSU, On Par with the President)