Title:  Automated Forensic Techniques for Advanced Website-Targeting Cyber Attacks

Committee: 

Dr. Saltaformaggio, Advisor

Dr. Frank Li, Chair

Dr. Wenke Lee

Abstract: The objective of the proposed research is to develop an automated forensic investigation technique to analyze website compromises using web server backups alone. Despite the rapid spread of advanced web attacks, an equally speedy investigation and takedown has remained an unattainable goal. This is a consequence of relying on signature-based detection techniques (e.g., AVs). To combat this problem, top security vendors employ experts to manually reverse engineer modern web malware and investigate the root cause of the compromise. Unfortunately, manual investigation remains an unscalable approach that cannot keep with automated and evolving attack techniques resulting in long-lived web-attacks that persist for months to years. Worse still, this real-world problem is challenging to solve due to the range of stakeholders in the CMS ecosystem. Each has different motivations and visibilities into this malicious CMS problem. While website owners have full visibility over the webserver activity, the majority of these website owners are less-technical and rely on simple indicators such as popularity, ratings, and reviews when installing various CMS add-ons on their websites. Hosting providers have no visibility into the individual elements on the website but need to ensure that their hosting platform remains malware-free. CMS marketplaces have visibility over the code they host but need a scalable and efficient measurement of the malicious add-ons being sold on their marketplaces. These concerns are shared by over half a billion websites online today that are built on CMSs. This research develops a scalable investigation approach that (1) ensures ease of use, (2) can precisely reason about modern malware tactics, and (3) remains agnostic to malware evolution.