An official website of the United States government
Here's how you know
A .gov website belongs to an official government organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Software Forensic Archeology for Cyber Attribution

PI: Matthew Elder, JHU APL

Year selected for award: 2017

Software Forensic Archeology for Cyber Attribution

Principal Investigator: Matthew Elder, Johns Hopkins University, Applied Physics Laboraotory

Co-Principal Investigators: Tony Johnson, Johns Hopkins University, Applied Physics Laboratory; William La Cholter, Johns Hopkins University, Applied Physics Laboratory; and Kathleen Carley, Carnegie Mellon University

Years of Award: 2017-2021

Managing Service Agency: Office of Naval Research

Project Description:
Attribution of cyber-attacks is a critical, unsolved problem. While much of the data associated with a cyber-attack is transient and unreliable, malware is an enduring artifact of many cyber-attacks and, as such, is key for attribution. Malware is increasingly developed in a complex, heterogeneous manner, incorporating contributions from multiple sources, which complicates attribution. In addition, diversity and obfuscation techniques present in malware binaries are not well understood or analyzed with respect to attribution. We are investigating attribution of cyber-attacks to state or non-state actors using malware artifacts, informed by the software development life cycle, and applying social network analysis techniques. Because complex malware incorporates components from multiple sources and involves multiple actors, malware software development can be viewed as a social process, and thus SNA and relational algebra (RA) analytic techniques are being investigated and applied. Malware, and software in general, is produced within on-line software development communities, forming an emerging virtual culture for exploration. Improved understanding of malware software development, malware analysis, and attribution of cyber-attacks on DoD networks will enable better remediation, prioritization, and policy recommendation responses.

Select Publications:
Brown, Emily, William La Cholter, Brian Ahr, and Matthew Elder. 2018. "Measuring Impact Of Construction Variables On Diversified Software Binaries". IEEE MILCOM. 2018.
Cruickshank, Iain, Tony Johnson, Timothy Davison, Matthew Elder, and Kathleen Carlety. 2019. "Malware Authors Are Just Writing Software: What Can The Software Development Life Cycle And Social Network Analysis Teach Us About Malware Attribution?". USENIX Hot Topics in Security (HotSec). 2019.
Davison, Timothy, Matthew Elder, and William La Cholter. 2019. "Malware Attribution Using Binary Stylometry".Malware Technical Exchange Meeting (MTEM).2019.
Elder, Matthew, and William La Cholter. 2019. "Malware And Software Diversity". Malware Technical Exchange Meeting (MTEM). 2019.
Elder, Matthew, Marc Johnson, Ian McCulloh, and Tony Johnson. 2018. "Social Network Analysis Of Malware Similarity Data".North American Social Networks(NASN). 2018.
Johnson, Tony, Matthew Elder, and Kathleen Carley. 2019. "A Network Approach To Malware Variant Similarity Analysis". Sunbelt Conference. 2019.
McCulloh, Ian, Janis Butkevics, and Matthew Elder. 2018. "Russian Toaster: Social Networks Of Helpful Software Developers". Sunbelt Conference. 2018.