Malware Attribution

Lead Research Organisation: Royal Holloway University of London
Department Name: Information Security

Abstract

Attributing a piece of malware to its creator or user is a difficult problem. It relies on being able to disassemble binaries efficiently in order to gather enough features to build a fingerprint of the author. In the modern world of cyber warfare and cyber crime, public attribution is now used to pursue justice, apply political pressure and enforce sanctions intended to deter cyber attacks. However, public attribution requires a great deal of concrete evidence, and gathering it is often a complex and time-consuming manual task: it can take a year or more to attribute an attack publicly. The number of cyber attacks is set only to increase, and the current pool of analysts cannot keep up with the demand for analysing malware and attributing it to a threat group. There is therefore an immediate need for automation in this field.
Automating malware binary analysis is a complex problem in itself. Authors routinely use techniques such as obfuscation to stop others from understanding a program's objectives or recreating it. However, an author may leave a unique trace (their "signature") that can be used to link them to other pieces of malware. Distinctive author styles have been identified in source code, yet much research remains to be done on identifying the same styles in compiled binaries. In addition, most programs are written by multiple authors, especially malware produced by sophisticated threat actors. There is currently a shortage of malware datasets drawn from the same groups, and most malware datasets are unlabelled (i.e. no author is attached).
Our research has begun by identifying a small dataset of Advanced Persistent Threat (APT) group malware from which to learn APT author features. Once the features are identified, we will use machine learning to understand malware authors and the wider adversary groups behind them. The initial plan is to improve on existing work that applies machine learning to the de-anonymisation of binaries using stylometry. We are also keen to explore the rationale and decision process of the machine learning algorithm, since explaining why a sample was attributed is an important part of the attribution process an analyst completes. Furthermore, any attribution system must itself be robust to attack (for example, an adversary deliberately altering their style or imitating another group's), and we shall investigate the strength of our system against such manipulation. In general, this project aims to address wider questions within authorship attribution and adversarial machine learning.
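As an added illustration of what "gathering features from disassembly to build a fingerprint" and "robust to attack" mean in practice, the following Python is example code written for this page, not the project's own system. It treats opcode bigram frequencies as the stylometric features, averages them into a per-group fingerprint, attributes an unlabelled sample by nearest centroid (cosine similarity), and then shows how a trivial obfuscation (inserting a nop after every instruction) defeats this naive feature set. The disassembly listings, the two group labels and the 0.5 attribution threshold are all constructed assumptions for the example.

```python
# Illustrative binary-stylometry attribution: opcode-bigram fingerprints and
# nearest-centroid matching. Added example, not the project's code.
# All disassembly below is hand-constructed in a simplified
# "<hexaddr>: <mnemonic> <operands>" layout; the group labels are fictitious.
import math
import re
from collections import Counter

# Optional "hexaddr:" prefix, then capture the mnemonic; label lines such as
# "<main>:" do not match and are skipped.
OPCODE_RE = re.compile(r"^\s*(?:[0-9a-f]+:\s+)?([a-z][a-z0-9]*)\b")


def opcodes(disasm):
    """Return the mnemonic sequence of a disassembly listing."""
    ops = []
    for line in disasm.splitlines():
        m = OPCODE_RE.match(line)
        if m:
            ops.append(m.group(1))
    return ops


def ngram_profile(ops, n=2):
    """Relative-frequency vector of opcode n-grams: the per-sample style features."""
    grams = Counter(" ".join(ops[i:i + n]) for i in range(len(ops) - n + 1))
    total = sum(grams.values()) or 1
    return {g: c / total for g, c in grams.items()}


def centroid(profiles):
    """Average several sample profiles into one group fingerprint."""
    acc = Counter()
    for p in profiles:
        acc.update(p)
    return {g: v / len(profiles) for g, v in acc.items()}


def cosine(a, b):
    dot = sum(v * b.get(g, 0.0) for g, v in a.items())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def build_fingerprints(labelled):
    return {group: centroid([ngram_profile(opcodes(s)) for s in samples])
            for group, samples in labelled.items()}


def attribute(disasm, fingerprints, threshold=0.5):
    """Nearest-centroid attribution. Returns (group or None, per-group scores);
    None means no fingerprint matched well enough to claim an attribution."""
    profile = ngram_profile(opcodes(disasm))
    scores = {g: cosine(profile, fp) for g, fp in fingerprints.items()}
    best = max(scores, key=scores.get)
    return (best if scores[best] >= threshold else None), scores


def insert_nops(disasm):
    """Crude adversarial obfuscation: a nop after every instruction, which
    changes every bigram the fingerprint was built from."""
    return "\n".join(l + "\nnop" for l in disasm.splitlines() if l.strip())


# Constructed samples (assumption). Group A's fictitious author keeps a frame
# pointer and zeroes with xor; group B's drops the frame pointer, zeroes with
# mov and tests return values inline.
LABELLED = {
    "GROUP_A": [
        "401000: push rbp\n401001: mov rbp, rsp\n401004: sub rsp, 0x20\n"
        "401008: xor eax, eax\n40100a: call 0x401200\n40100f: mov rsp, rbp\n"
        "401012: pop rbp\n401013: ret",
        "401100: push rbp\n401101: mov rbp, rsp\n401104: sub rsp, 0x40\n"
        "401108: xor eax, eax\n40110a: mov [rbp-0x8], rax\n40110e: call 0x401300\n"
        "401113: mov rsp, rbp\n401116: pop rbp\n401117: ret",
    ],
    "GROUP_B": [
        "402000: sub rsp, 0x28\n402004: mov eax, 0\n402009: call 0x402000\n"
        "40200e: test eax, eax\n402010: jne 0x402050\n402012: add rsp, 0x28\n"
        "402016: ret",
        "402100: sub rsp, 0x38\n402104: mov eax, 0\n402109: mov [rsp+0x10], rax\n"
        "40210e: call 0x402100\n402113: test eax, eax\n402115: jne 0x402150\n"
        "402117: add rsp, 0x38\n40211b: ret",
    ],
}
UNKNOWN = ("401400: push rbp\n401401: mov rbp, rsp\n401404: sub rsp, 0x30\n"
           "401408: xor eax, eax\n40140a: call 0x401400\n40140f: mov rsp, rbp\n"
           "401412: pop rbp\n401413: ret")
FINGERPRINTS = build_fingerprints(LABELLED)

if __name__ == "__main__":
    print(attribute(UNKNOWN, FINGERPRINTS))               # ('GROUP_A', ...)
    print(attribute(insert_nops(UNKNOWN), FINGERPRINTS))  # (None, all 0.0)
```

Two points the example makes that the abstract only states: the fingerprint is nothing more than a statistic over features the disassembler exposes, so its quality is bounded by disassembly quality; and a feature set this shallow is trivially evaded, which is why the robustness of the attribution system has to be evaluated alongside its accuracy.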

Planned Impact

The most significant impact of the renewal of Royal Holloway's CDT in Cyber Security will be the production of at least 30 further PhD-level graduates. In view of the strong industry involvement in both the taught and research elements of the programme, CDT graduates are "industry-ready": through industry placements, they have exposure to real-world cyber security problems and working environments; because of the breadth of our taught programme, they gain exposure to cyber security in all its forms; through involvement of our industrial partners at all stages of the programme, the students are regularly exposed to the language and culture of industry. At the same time, they will continue to benefit from generic skills training, equipping them with a broad set of skills that will be of use in their subsequent workplaces (whether in academia, industry or government). They will also engage in PhD-level research projects that will lead to them developing deep topic-specific knowledge as well as general analytical skills.

One of the longer-term impacts of CDT research, expressed directly through research outputs, is to provide mechanisms that help to enhance confidence and trust in the on-line society for ordinary citizens, leading in turn to quality of life enhancement. CDT research has the potential to directly impact the security of deployed systems, for example helping to make the Internet a more secure place to do business. Moreover, the work on the socio-technical dimensions of security and privacy also gives us the means to influence government policy to the betterment of society at large. Through the training component of the CDT, and subsequent engagement with industry, our PhD students are exposed to the widest set of cyber security issues and forced to think beyond the technical boundaries of their research. In this way, our CDT is training a generation of cyber security researchers who are equipped - philosophically as well as technically - to cope with whatever cyber security threats the future may bring. The programme equips students with skills that will enable them to understand, represent and solve complex engineering questions, skills that will have an impact in UK industry and academia long beyond the lifetime of the CDT.

Publications


Studentship Projects

Project Reference   Relationship   Related To     Start        End          Student Name
EP/P009301/1                                      01/10/2016   31/12/2026
1955500             Studentship    EP/P009301/1   01/10/2017   23/11/2023   Jason Gray