VCU Cybersecurity Center Focus Area: Malware and Digital Forensics

The VCU Malware and Digital Forensics focus area is led by Prof. Carol Fung and Prof. Irfan Ahmed.

Dr. Carol Fung is currently an assistant professor in the Computer Science Department at Virginia Commonwealth University. She received her PhD degree in computer science from the University of Waterloo (Canada). Her research area is network management and cyber security, including malware detection, DDoS detection and mitigation, malicious smartphone app detection and secure system design. Her research has applications in SDN/NFV networks, 5G networks, cyber security and smartphone networks. She is the recipient of the IEEE/IFIP IM Young Professional Award in 2015, the University of Waterloo Alumni Gold Medal in 2013, and three best paper awards at IM/NOMS. She is an associate editor of IEEE Transactions on Network Management and TPC chair of the CNOM organization. She has organized many conferences and workshops in the area of network management and cyber security.

Dr. Irfan Ahmed is currently an Assistant Professor of Computer Science and the Director of Computer Security and Forensics Lab at Virginia Commonwealth University. Previously, he was a Canizaro-Livingston Endowed Assistant Professor in Cybersecurity at the University of New Orleans (UNO), an Associate Director of Greater New Orleans Center for Information Assurance (GNOCIA) and the Director of the Cyber-Physical Systems (CyPhy) Lab. His research interests include cybersecurity education, digital forensics, industrial control systems and internet of things, malware, and hardware-assisted virtualization. His research is generously supported by NSF, NSA, ONR, and ARO and involves automated digital forensics, network protocol analysis, malware detection, etc. The University of New Orleans has awarded him The Early Career Research Prize to recognize his outstanding creative and scholarly activities. Dr. Ahmed regularly publishes in cybersecurity research and education conferences such as ACM CODASPY, DFRWS, ACM SIGCSE, and USENIX ASE. He is the recipient of two Best Paper Awards from well-known cybersecurity conferences, and an Outstanding Research Award from the American Academy of Forensic Sciences (AAFS). Dr. Ahmed organizes the Annual Industrial Control System Security (ICSS) Workshop regularly in conjunction with Annual Computer Security Applications Conference (ACSAC). He holds a Ph.D. in Computer Science from Ajou University, South Korea and was a recipient of the Korean Government Scholarship.

Projects

RevMatch: An Efficient and Robust Decision Model for Collaborative Malware Detection

The purpose of this project is to establish a machine-learning-based cooperative decision system that integrates the malware detection results from multiple malware detection engines and generates a final report deciding whether a malware alarm should be raised. The approach can be applied to online malware detection systems such as VirusTotal.

Faculty: Dr. Carol Fung

Collaborative intrusion detection systems

The purpose of this work is to develop a collaborative system that allows intrusion detection systems to exchange messages with each other in order to establish a robust, efficient and scalable network that improves intrusion detection accuracy. Many potential problems have been addressed, such as malicious insiders and efficient real-time group decision making. This project has won many best paper awards, and a book has been published with CRC Press.

Faculty: Dr. Carol Fung

RedDroid: an Android framework to protect smartphone users from malicious android apps

In this project, a PhD student of Dr. Fung developed an Android framework that provides a crowdsourcing-based malicious app detection solution. Malicious Android apps that try to steal private information from inexperienced users by requesting excessive permissions can be detected, and recommendations to decline their permission requests are sent to inexperienced users. The detection engine is powered by crowdsourcing techniques and machine-learning tools. The work is implemented on the Android system as a DroidNet app for users to download.

Faculty: Dr. Carol Fung

Automatic Run-time Mitigation of Kernel Exploits in Cloud Environments

The project developed automated solutions for checking the integrity of critical kernel data invariants and code against unauthorized modifications in real time, and for restoring the code and data to a known-good state should a compromise be detected.

Kernel data structures with stable/static content are a common and attractive target for malware, especially rootkits and other components of advanced persistent threats (APT); they allow deep compromise with relatively little effort and a low probability of crashing the target. The project has demonstrated the feasibility of cross-comparing kernel modules and the interrupt descriptor table across virtual machines to check their integrity at runtime, by accessing the kernel memory inside virtual machines (VMs) from the outside via VM introspection. The upshot is that a typical cloud environment has several virtual machines running the same kernel version of an operating system, making it possible to compare the kernel code and associated data structures across virtual machines to continuously check them for malware infection or malicious modifications. The comparison identifies the exact modifications in the code and data structures, which can then be patched with benign content (from an uninfected VM) via VM introspection to reinstate them to a safe state. The main advantage of this solution is that it is fully automatic: it requires only general knowledge of the organization of the kernel, and no signatures; it also seamlessly handles OS updates and patches.
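The cross-VM comparison described above, as an added illustration that is not the project's own code: several VMs running the same kernel build expose a static region (here a slice of the IDT, modelled as constructed bytes rather than memory read via VM introspection), the per-byte majority across VMs serves as the benign reference, runs of bytes that deviate from it in any one VM are reported as modifications, and a patch built from the reference reinstates that VM's copy. The VM names, addresses and snapshot contents are constructed for the example.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed stand-in for a static kernel region read from three VMs via VMI.
# In a real deployment these bytes would come from the guest's physical memory.
REFERENCE_REGION = bytes(range(0x40, 0x60))  # constructed known-good content (32 bytes)
SNAPSHOTS: Dict[str, bytes] = {
    "vm-a": REFERENCE_REGION,
    # vm-b: four bytes at offset 8 overwritten, modelling a redirected entry.
    "vm-b": REFERENCE_REGION[:8] + b"\xde\xad\xbe\xef" + REFERENCE_REGION[12:],
    "vm-c": REFERENCE_REGION,
}


def consensus_region(snapshots: Dict[str, bytes]) -> bytes:
    """Per-byte majority across VMs: the benign view without any signature.

    At least three VMs are required so that a single modified VM is outvoted;
    differing region lengths mean the VMs do not share a kernel build."""
    if len(snapshots) < 3:
        raise ValueError("need at least three VMs for a majority vote")
    lengths = {len(s) for s in snapshots.values()}
    if len(lengths) != 1:
        raise ValueError("region length differs across VMs; not the same kernel build")
    size = lengths.pop()
    out = bytearray(size)
    for i in range(size):
        value, votes = Counter(s[i] for s in snapshots.values()).most_common(1)[0]
        if votes * 2 <= len(snapshots):
            raise ValueError(f"no majority at offset {i}")
        out[i] = value
    return bytes(out)


def diff_runs(snapshot: bytes, reference: bytes) -> List[Tuple[int, int]]:
    """Return (offset, length) runs where snapshot differs from reference."""
    runs, start = [], None
    for i, (a, b) in enumerate(zip(snapshot, reference)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(reference) - start))
    return runs


def find_modifications(snapshots: Dict[str, bytes], reference: bytes) -> Dict[str, List[Tuple[int, int]]]:
    """Map each deviating VM to the exact runs that were modified."""
    mods = {vm: diff_runs(s, reference) for vm, s in snapshots.items()}
    return {vm: runs for vm, runs in mods.items() if runs}


def build_patch(reference: bytes, runs: List[Tuple[int, int]]) -> List[Tuple[int, bytes]]:
    """Benign (offset, bytes) writes that reinstate the reference content."""
    return [(off, reference[off:off + length]) for off, length in runs]


def restore(snapshot: bytes, patch: List[Tuple[int, bytes]]) -> bytes:
    """Apply the patch; with VMI this would be a write into guest memory."""
    buf = bytearray(snapshot)
    for off, data in patch:
        buf[off:off + len(data)] = data
    return bytes(buf)


def check_and_restore(snapshots: Dict[str, bytes]):
    """One integrity pass: derive reference, locate modifications, restore them."""
    reference = consensus_region(snapshots)
    mods = find_modifications(snapshots, reference)
    restored = {vm: restore(snapshots[vm], build_patch(reference, runs))
                for vm, runs in mods.items()}
    return reference, mods, restored


if __name__ == "__main__":
    ref, mods, fixed = check_and_restore(SNAPSHOTS)
    for vm, runs in mods.items():
        print(f"{vm}: modified runs {runs}; restored == reference: {fixed[vm] == ref}")
```

The majority vote is what removes the need for signatures: nothing in the check knows what the IDT should contain, only that the copies should agree. A kernel update changes every VM's copy together, so the reference moves with it; a VM that is patched while its neighbours are not would show up as a deviation, which is the expected behaviour for an operator who wants the fleet consistent.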

Supported by: Department of Defense
Faculty: Dr. Irfan Ahmed

Digital Forensic Toolkit for Machine Control Systems (TRACE)

The project developed TRACE, a live digital forensics toolkit for Machinery Control Systems that, at run time, provides a cyber-protection strategy and aids in identifying malfunctions while ensuring minimal impact on overall system performance.

Supported by: Office of Naval Research
Faculty: Dr. Irfan Ahmed

Using Virtual Machine Introspection for Deep Cyber Security Education

The project developed a Virtual Machine Introspection (VMI) toolkit that is able to access the physical memory of a VM directly from outside the box, and provides the capability of studying not only user-level attacks and defenses but also kernel-level attacks and defenses. For example, with the VMI toolkit, students can directly manipulate the content of memory to demonstrate the underlying computer security concepts. Previously, when performing a traditional hands-on exercise, students ran (benign/malicious) software that eventually made changes in physical memory, but the changes were transparent to students. Our VMI toolkit allows students to perform such essential changes directly in memory, and then observe their intended behavior outside the VM. Meanwhile, students can also use our toolkit to perform a DKOM attack by modifying the pointers in the process doubly-linked list in memory, and then observe within the VM that the process of interest is no longer visible in the process list.
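The DKOM exercise described above, from the detection side, as an added example that is not part of the toolkit: guest memory is modelled as a dictionary from constructed addresses to process objects linked in a circular doubly-linked list, the post-DKOM state is constructed by making the neighbours of one entry skip it, and the detector then compares two views of the same memory, the list walk an in-guest process listing performs and a scan of every process object present, reporting objects the walk never reaches and objects whose neighbours no longer point back at them. Process names, PIDs and addresses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

HEAD = 0x1000  # constructed address of the list head sentinel


@dataclass
class Proc:
    """Minimal model of a kernel process object with its list links."""
    pid: int
    name: str
    flink: int = 0  # address of the next list entry
    blink: int = 0  # address of the previous list entry


Memory = Dict[int, Proc]  # constructed guest memory: address -> object


def build_memory(entries: List[tuple]) -> Memory:
    """Lay out a circular doubly-linked list: head sentinel followed by entries."""
    addrs = [HEAD] + [0x2000 + 0x100 * i for i in range(len(entries))]
    objs = [(0, "<head>")] + list(entries)
    mem: Memory = {}
    n = len(addrs)
    for i, (addr, (pid, name)) in enumerate(zip(addrs, objs)):
        mem[addr] = Proc(pid, name, flink=addrs[(i + 1) % n], blink=addrs[(i - 1) % n])
    return mem


def unlink_entry(mem: Memory, addr: int) -> None:
    """Construct the post-DKOM state the exercise describes: the neighbours of
    `addr` are rewired to skip it while the object itself stays in memory."""
    entry = mem[addr]
    mem[entry.blink].flink = entry.flink
    mem[entry.flink].blink = entry.blink


def walk_list(mem: Memory, head: int = HEAD) -> List[int]:
    """View 1: what an in-guest process listing sees, following flink from the head."""
    pids, addr, seen = [], mem[head].flink, set()
    while addr != head:
        if addr in seen:
            raise RuntimeError("list does not return to head; links corrupted")
        seen.add(addr)
        pids.append(mem[addr].pid)
        addr = mem[addr].flink
    return pids


def scan_objects(mem: Memory, head: int = HEAD) -> List[int]:
    """View 2: every process object present in memory, in address order,
    regardless of how it is linked (the analogue of scanning for object headers)."""
    return [p.pid for addr, p in sorted(mem.items()) if addr != head]


def hidden_processes(mem: Memory, head: int = HEAD) -> List[int]:
    """Cross-view check: objects found by the scan that the list walk never reaches."""
    listed = set(walk_list(mem, head))
    return [pid for pid in scan_objects(mem, head) if pid not in listed]


def dangling_links(mem: Memory, head: int = HEAD) -> List[int]:
    """Second indicator: an object whose own links are intact but whose
    neighbours no longer point back at it."""
    bad = []
    for addr, p in mem.items():
        if addr == head:
            continue
        if mem[p.flink].blink != addr or mem[p.blink].flink != addr:
            bad.append(p.pid)
    return bad


def demo():
    """Run the exercise: clean list, then one entry unlinked, then both checks."""
    mem = build_memory([(1, "init"), (2, "sshd"), (3, "suspect"), (4, "bash")])
    before = hidden_processes(mem)
    unlink_entry(mem, 0x2200)  # constructed address of pid 3
    return before, walk_list(mem), hidden_processes(mem), dangling_links(mem)


if __name__ == "__main__":
    before, walk, hidden, dangling = demo()
    print("hidden before:", before)
    print("list walk after DKOM:", walk)
    print("hidden (scan minus walk):", hidden, "| dangling links:", dangling)
```

Seen from outside the VM, the two views come from the same physical memory, which is why the comparison is trustworthy even when the guest's own tools are lying: the list walk reproduces what the guest reports, and the object scan does not depend on the pointers the attack modified.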

Supported by: National Science Foundation
Faculty: Dr. Irfan Ahmed

Selected publications

Journals (Carol Fung)

  1. Carol Fung and Raouf Boutaba. "Intrusion Detection Networks: A Key to Distributed Security", CRC Press. 259 pages. November 2013. ISBN: 978-1-4665-6412-1.
  2. Bahman Rashidi, Carol Fung, Anh Nguyen, Tam Vu, and Elisa Bertino. "Android User Privacy Preserving through Crowdsourcing". IEEE Transaction on Information Forensics & Security (TIFS). 2018.
  3. Bahman Rashidi, Carol Fung and Elisa Bertino. "A Collaborative DDoS Defence Framework using Network Function Virtualization". IEEE Transaction on Information Forensics & Security (TIFS). 2017.
  4. Bahman Rashidi, Carol Fung and Elisa Bertino. "Android Resource Usage Risk Assessment using Hidden Markov Model and Online Learning". Elsevier Computers & Security (COSE). 2017.
  5. Carol Fung and Quanyan Zhu. "FACID: A Trust-based Collaborative Decision Framework for Intrusion Detection Networks". Elsevier Ad Hoc Networks Journal (ADHOC). 2016.
  6. Molka Gharbaouia, Barbara Martini, Carol Fung, Francesco Paolucci, Alessio Giorgetti, and Piero Castoldi. "An Incentive-compatible and Trust-aware Multi-Provider Path Computation Element (PCE)". Elsevier Computer Networks (COMNET). 2016. Impact factor: 2.59.
  7. Bahman Rashidi, Carol Fung, and Tam Vu. "Android Fine-grained Permission Control System with Real-Time Expert Recommendations". Elsevier Pervasive and Mobile Computing. 2016.
  8. Bahman Rashidi, and Carol Fung, "Disincentivizing Malicious Users in RecDroid Using Bayesian Game Model". In Journal of Internet Services and Information Security (JISIS), Vol. 5, No. 2, May 2015.
  9. Quanyan Zhu, Carol J. Fung, Raouf Boutaba, and Tamer Basar. "GUIDEX: A Game-Theoretic Incentive-Based Mechanism for Intrusion Detection Networks". In IEEE Journal on Selected Areas in Communications, special issue on Economics of Communication Networks & Systems. 2012.
  10. C. Fung, J. Zhang and R. Boutaba. Effective Acquaintance Management based on Bayesian Learning for Distributed Intrusion Detection Networks. In IEEE Transactions on Network and Service Management. March 2012.
  11. C. Fung. "Collaborative Intrusion Detection Networks and Insider Attacks", Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, Vol 2(1), pp. 63-74, 2011.
  12. Carol J. Fung, Jie Zhang, and Raouf Boutaba. "Dirichlet-based Trust Management for Effective Collaborative Intrusion Detection Networks". IEEE Transaction on Network Service and Management (TNSM), Vol. 8(2), pp. 79-91, 2011.
  13. Carol J. Fung, Jie Zhang, Issam Aib, and Raouf Boutaba. "Trust Management and Admission Control for Host-based Collaborative Intrusion Detection". Journal of Network and Systems Management (JNSM), Vol. 19(2), pp. 257-277, 2010.

Journals (Irfan Ahmed)

  1. S. Bhatia, S. Behal, I. Ahmed, “Distributed Denial of Service Attacks and Defense Mechanism: Current Landscape and Future Directions”, In Advances in Information Security Series, Conti, Somani, and Poovendran (Eds.), Springer, 2018.
  2. I. Ahmed, V. Roussev, “Analysis of Cloud Digital Evidence”, In Security, Privacy, and Digital Forensics in the Cloud, L. Chen, and H. Takabi (Eds.), IGI Global, 2018.
  3. I. Ahmed, V. Roussev, “Peer Instruction Teaching Methodology for Cybersecurity Education”, IEEE Security & Privacy, Vol. 16, No. 4, July 2018. (IF: 1.382 from 2018)
  4. Irfan Ahmed, Sebastian Obermeier, Sneha Sudhakaran, Vassil Roussev, “Programmable Logic Controller Forensics”, IEEE Security & Privacy, Vol. 15, No. 6, November 2017. (IF: 1.38 from 2017)
  5. V. Roussev, I. Ahmed, A. Barreto, S. McCulley, V. Shanmughan, “Cloud Forensics-Tool Development Studies & Future Outlook”, Digital Investigation, Elsevier, Vol. 18, No. 3, September 2016. (Impact Factor: 1.77 from 2017)
  6. I. Ahmed, S. Obermeier, M. Naedele, G. G. Richard III, “SCADA Systems: Challenges for Forensic Investigators”, In IEEE Computer, Vol. 45, No. 12, December 2012. (Impact Factor: 1.75 from 2017)
  7. I. Ahmed, K. Lhee, H. Shin, M. Hong, “Content-based File-type Identification using Cosine Similarity and a Divide-and-Conquer approach”, In IETE Technical Review, Vol. 27, No. 6, pp. 465-477, Nov 2010. (Impact Factor: 1.33 in 2017)

Conferences (Carol Fung)

  1. Bahman Rashidi, Carol Fung, Kevin W. Hamlen and Andrzej Kamisinski. "HoneyV: A Virtualized Honeynet System Based on Network Softwarization". In IEEE/IFIP Network Operations and Management Symposium (NOMS 2018). Short paper.
  2. Bahman Rashidi, Carol Fung and Elisa Bertino. "Android Malicious Application Detection Using Support Vector Machine and Active Learning". 2017 IEEE/IFIP International Conference on Network and Service Management (CNSM'17). (17% acceptance rate)
  3. Pulkit Rustgi, Carol Fung, Bahman Rashidi, and Bridget McInnes. "DroidVisor: An Android Secure Application Recommendation System". In 3RD IEEE/IFIP Workshop on Security for Emerging Distributed Network Technologies (DISSECT'17).
  4. Bahman Rashidi and Carol Fung. "CoFence: A Collaborative DDoS Defence Using Network Function Virtualization". In 12th International Conference on Network and Service Management. 2016. mini conf. (CNSM'16) (25% acceptance rate)
  5. Bahman Rashidi and Carol Fung. "XDroid: An Android Permission Control Using Hidden Markov Chain and Online Learning". In IEEE Conference on Communications and Network Security 2016 (CNS'16) (29% acceptance rate)
  6. Bahman Rashidi, Carol Fung, Ann Nguyen, and Tam Vu. "Android Permission Recommendation using Transitive Bayesian Inference Model". In the 21st European Symposium on research in computer security 2016 (ESORICS'16) (21% acceptance rate)
  7. A H M Jakaria, Wei Yang, Bahman Rashidi, Carol Fung, and M. Ashiqur Rahman. "VFence: A Defense against Distributed Denial of Service Attacks using Network Function Virtualization". In the 11th IEEE International Workshop on Security, Trust, and Privacy for Software Applications (STPSA 2016). (32.5% acceptance rate)
  8. Bahman Rashidi and Carol Fung. "BotTracer: Bot User Detection Using Clustering Method in RecDroid." In IEEE/IFIP Workshop on Security for Emerging Distributed Network Technologies 2016 (DISSECT'16). Istanbul, Turkey. (40% acceptance rate)
  9. Huanhuan Zhang, Jie Zhang, Carol Fung and Chang Xu. "Improving Sybil Detection via Graph Pruning and Regularization Techniques". In 7th Asian Conference on Machine Learning (ACML). November, 2015, Hong Kong.
  10. Bahman Rashidi, Carol Fung, Gerrit Bond, Steven Jackson, Marcus Pare, and Tam Vu. "RecDroid: An Android Resource Access Permission Recommendation System." ACM MobiHoc 2015. Demo paper. Hangzhou, China.
  11. Bahman Rashidi and Carol Fung. "A Game-Theoretic Model for Defending Against Malicious Users in RecDroid." Proceedings of the IEEE/IFIP IM2015 Workshop on Security for Emerging Distributed Network Technologies (DISSECT'15).
  12. Bahman Rashidi, Carol Fung, and Tam Vu. "Dude, Ask The Experts!: Resource Access Permission Recommendation with RecDroid." IFIP/IEEE International Symposium on Integrated Network Management (IM 2015). Main Track. Ottawa, Canada.
  13. Bahman Rashidi, Carol Fung, and Tam Vu, “RecDroid: A Resource Access Permission Control Portal and Recommendation Service for Smartphone Users”. Workshop on Security and Privacy Aspects of Mobile Environment. 2014 (SPME14).
  14. Carol Fung, Disney Lam, and Raouf Boutaba, “RevMatch: An Efficient and Robust Decision Model for Collaborative Malware Detection”. IEEE/IFIP Network Operation and Management Symposium (NOMS14). Krakow, Poland, 2014.
  15. Carol Fung, Raouf Boutaba. "Design and Management of Collaborative Intrusion Detection Networks". The 15th IFIP/IEEE International Symposium on Integrated Network Management (IM 2013). Dissertation Paper. Ghent, Belgium, 2013.
  16. Carol J Fung, Quanyan Zhu, Raouf Boutaba, and Tamer Basar, "SMURFEN: A Framework of Knowledge Sharing for Collaborative Intrusion Detection", in the 7th international Conference on Network and Service Management, mini conference. 2011
  17. Quanyan Zhu, Carol J Fung, Raouf Boutaba, and Tamer Basar, "A Game-Theoretic Approach to Knowledge Sharing in Distributed Collaborative Intrusion Detection Networks: Fairness, Incentives and Security", in the 50th IEEE Conference on Decision and Control and European Control Conference, 2011
  18. Carol J Fung, Jie Zhang, and Raouf Boutaba. "Effective Acquaintance Management for Collaborative Intrusion Detection Networks", 6th International Conference on Network and Service Management (CNSM 2010). Niagara Falls, Canada.
  19. Quanyan Zhu, Carol J. Fung, Raouf Boutaba, and Tamer Basar. "A Distributed Sequential Algorithm for Collaborative Intrusion Detection Networks", IEEE International Conference on Communications (ICC 2010). Cape Town, South Africa.
  20. Carol J. Fung, Quanyan Zhu, Raouf Boutaba, and Tamer Basar. "Bayesian Decision Aggregation in Collaborative Intrusion Detection Networks", IEEE/IFIP Network Operations and Management Symposium (NOMS 2010). Osaka, Japan.
  21. Carol J Fung, Jie Zhang, Issam Aib, Raouf Boutaba, Robin Cohen. "Design of a Simulation Framework to Evaluate Trust Models for Collaborative Intrusion Detection", IFIP Network and Service Security Conference (N2S 09). Paris, France.
  22. Quanyan Zhu, Carol Fung, Raouf Boutaba, Tamer Basar. "A Game-Theoretical Approach to Incentive Design in Collaborative Intrusion Detection Networks", International Conference on Game Theory for Networks (GameNets 09). Istanbul, Turkey.
  23. Carol J. Fung, Jie Zhang, Issam Aib, and Raouf Boutaba. "Robust and Scalable Trust Management for Collaborative Intrusion Detection". The 11th IFIP/IEEE International Symposium on Integrated Network Management (IM 2009). New York, US.
  24. Carol J. Fung, Olga Baysal, Jie Zhang, Issam Aib, and Raouf Boutaba. "Trust Management for Host-based Collaborative Intrusion Detection". International Workshop on Distributed Systems: Operations and Management 2008 (DSOM'08). Samos, Greece. 

Conferences (Irfan Ahmed)

  1. P. Deshpande, I. Ahmed, “Topological Scoring of Concept Maps for Cybersecurity Education", In 50th ACM Technical Symposium on Computer Science Education (SIGCSE), February 2019, Minneapolis, Minnesota, USA.
  2. P. Deshpande, C. Lee, I. Ahmed, “Evaluation of Peer Instruction for Cybersecurity Education”, In 50th ACM Technical Symposium on Computer Science Education (SIGCSE), February 2019, Minneapolis, Minnesota, USA.
  3. Manish Bhatt, Irfan Ahmed, “Leveraging Relocations in Kernel ELF-binaries for Linux Kernel Version Identification”, In the 18th Annual Digital Forensics Research Conference (DFRWS'18), July 2018, Providence, RI, USA.
  4. S. Senthivel, S. Dhungana, H. Yoo, I. Ahmed, V. Roussev, “Denial of Engineering Operations Attacks in Industrial Control Systems", In 8th ACM Conference on Data and Application Security and Privacy (CODASPY'18), March 2018, Tempe, AZ, USA.
  5. M. Bhatt, I. Ahmed, Z. Lin, “Using Virtual Machine Introspection for OS Kernel Security Education", In 49th ACM Technical Symposium on Computer Science Education (SIGCSE), February 2018, Baltimore, Maryland, USA.
  6. J. Grimm, I. Ahmed, V. Roussev, M. Bhatt, M. Hong, “Automatic Mitigation of Kernel Rootkits in Cloud Environments", In the 18th World Conference on Information Security Applications (WISA'17), Lecture Notes in Computer Science (LNCS) Springer, August 2017, Jeju Island, South Korea
  7. W. Johnson, I. Ahmed, V. Roussev, C. B. Lee, “Peer Instruction for Digital Forensics", USENIX Advances in Security Education Workshop (ASE'17), co-located with 26th USENIX Security Symposium, August 2017, Vancouver, BC, Canada
  8. S. Senthivel, I. Ahmed, V. Roussev, “SCADA Network Forensics of the PCCC Protocol", In the 17th Annual Digital Forensics Research Conference (DFRWS'17), August 2017, Austin, USA.
  9. I. Ahmed, V. Roussev, W. Johnson, S. Senthivel, S. Sudhakaran, “A SCADA System Testbed for Cybersecurity and Forensic Research and Pedagogy", In the 2nd Annual Industrial Control System Security Workshop (ICSS'16), In conjunction with 32nd Annual Computer Security Applications Conference (ACSAC'16), December 2016, Los Angeles, CA.
  10. W. Johnson, A. Luzader, I. Ahmed, V. Roussev, G. G. Richard III, C. B. Lee, “Development of Peer Instruction Questions for Cybersecurity Education", USENIX Advances in Security Education Workshop (ASE'16), co-located with 25th USENIX Security Symposium, August 2016, Austin, TX
  11. A. Ali-Gombe, G. G. Richard III, I. Ahmed, V. Roussev, “Don't Touch that Column: Portable, Fine-Grained Access Control for Android's Native Content Providers", In the 9th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec'16), July 2016, Darmstadt, Germany.
  12. V. Roussev, A. Barreto, I. Ahmed, “Forensic Acquisition of Cloud Drives", In the 12th IFIP WG 11.9 International Conference on Digital Forensics, January 2016, New Delhi, India
  13. A. Ali-Gombe, I. Ahmed, G. G. Richard III, V. Roussev, “OpSeq: Android Malware Fingerprinting", In the 5th Program Protection and Reverse Engineering Workshop (PPREW'15), In conjunction with 31st Annual Computer Security Applications Conference (ACSAC'15), December 2015, Los Angeles, CA, USA.
  14. I. Ahmed, V. Roussev, A. Ali Gombe, "Robust Fingerprinting for Relocatable Code", In the 5th ACM Conference on Data and Application Security and Privacy (CODASPY'15), March 2015, San Antonio, TX, USA.
  15. V. Roussev, I. Ahmed, T. Sires, “Image-Based Kernel Fingerprinting", In the 14th Annual Digital Forensics Research Conference (DFRWS'14), August 2014, Denver CO, USA.
  16. I. Ahmed, G. G. Richard III, A. Zoranic, V. Roussev, “Integrity Checking of Function Pointers in Kernel Pools via Virtual Machine Introspection", In the 16th Information Security Conference (ISC'13), November 2013, Dallas, Texas, USA.
  17. I. Ahmed, A. Zoranic, S. Javaid, G. G. Richard III, V. Roussev “Rule-based Integrity Checking of Interrupt Descriptor Table in Cloud Environments", In the 9th IFIP WG 11.9 International Conference on Digital Forensics, January 2013, Orlando, Florida.

(‘*’ denotes student co-author)