Adversarial machine learning for building anti-forensics and anti-anti-forensics systems

Machine learning algorithms are developed for stationary environments. However, intelligent and adaptive adversaries can carefully craft input data to always bypass AI-based cybersecurity systems. Therefore, direct use of machine learning algorithms would provide limited benefit in the cybersecurity domain. In adversarial machine learning, we first identify potential vulnerabilities of machine learning algorithms during learning and classification and build attacks that correspond to the detected vulnerabilities (anti-forensics). Afterward, we build countermeasures to improve the security of machine learning algorithms (anti-anti-forensics).

Internet of Things (IoT) forensics

With the fast integration of computation and networking into all physical processes and the development of many smart contexts, the spectrum of devices that can be investigated is extensive. A range of devices and protocols, from PDAs and mobile devices to automobiles, sensors, and robots, are pervasively interconnected. The examination of these devices is a crucial component in future legal, governmental, and business investigations. Therefore, we need models and frameworks for forensically sound collection, preservation, analysis, and documentation of evidence in these environments. In this project, we build tools, techniques, and procedures for cyber investigation and threat hunting in the Internet of Things (IoT), Internet of Battlefield Things (IoBT), Internet of Medical Things (IoMT), and Internet of Robotic Things (IoRT).

Multi-view and multi-kernel learning systems to achieve a global view of emerging cyber threats

An increasing number of AI agents are deployed to assist security analysts and forensics investigators in the detection and prevention of cyber-attacks. Each of these AI agents may use its own machine learning algorithm and monitor a specific aspect of an attack. Multi-view and multi-kernel learning techniques can be used to merge the different views produced by different machine learning algorithms and achieve a more accurate and global view of emerging threats. Such a global multi-view system would be a valuable tool to assist in attack attribution activities.

AI-based decision support systems for cyber threat hunting

Cyber threat hunting is about detecting remnants of the activities of attackers who bypassed all passive network and data protection mechanisms, before they meet their objectives (from the Exploitation to the Actions on Objectives stages of the Cyber Kill Chain model). Cyber defense and protection mechanisms are only good at thwarting the risk from script kiddies and stand-alone hackers but are of little use against funded (i.e., state-sponsored) hacking teams. Once an organization is on the target list of an Advanced Persistent Threat (APT) actor, the APT actor does not give up until it has bypassed all layers of passive defense mechanisms. Upon gaining a foothold in the target network, attackers tend to use only normal administrative tools to install their tools on as many nodes in the target network as possible and set up C2 connections to achieve their objectives. This makes finding attackers who bypassed passive detection and prevention mechanisms very difficult. Active AI agents can be used to support threat hunters and forensics investigators in finding remnants of residual adversaries in an enterprise in a timely manner.

Smart cyber-deception systems

Honeypots, honey-nets, and honey-tokens have been used for many years by security researchers, but their deployment in real enterprise networks has been very marginal. An enterprise does not see enough value (compared with the cost) in deploying honeypots, especially as detecting a honeypot is not very difficult for an experienced attacker, i.e., by looking at the pattern and volume of communications between different nodes in the network. AI can be used to create honeypots that closely mimic the activities of real nodes in a network, making it very difficult for an attacker to detect a honeypot without direct engagement.