Automated Cyber Threat Intelligence gathering


The goal of this research is to automatically gather cyber threat information and provide actionable mitigation measures that can be directly implemented with little human intervention. The primary source of knowledge is unstructured text of threat analysis reports, mitigation best practice suggestions, as well as system documentations as as MSDN. This research seeks to leverage natural language processing and machine learning techniques to (i) gather symbolic cybersecurity domain knowledge and use such knowledge to (ii) identify cyber threat and mitigation information and (iii) plan for automated mitigation actions.

Autonomous Cyber Deception

Funded by: ONR, ARO
Project URL: Active-Cyber-Defense

Malware attacks have evolved to be highly evasive against prevention and detection techniques. A significant number of new malware samples are launched each day and many of them remain undetected for a long period (e.g., more than five months). Cyber deception has emerged as an effective and complementary defense technique that proactively increases cyber resistance and deterrence. Approaches in this domain deliberately introduce misinformation or misleading functionality into cyberspace in order to trick adversaries in ways that render attacks ineffective or infeasible. We develop a novel approach that can construct deception plans against malware on the fly based on automated analysis of the malware’s behavior. More specifically, our approach (1) employs deception-oriented malware symbolic execution analysis that is capable of extracting deception parameters that are reconfigurable or misrepresentable in the cyber environment, yet the malware depends on to achieve its goals, (2) dynamically constructs the most cost-effective and scalable deception ploy that manipulates the deception parameters to achieve deception goals, and (3) translates and orchestrates the deception ploys into configuration actions to construct a run-time malware deception environment.

Defense against Kernel Queue Injection Malware

Project URL: kqueue.html

Kernel callback queues (KQs) are the established mechanism for event handling in modern kernels. Unfortunately, real-world malware has abused KQs to run malicious logic, through an attack called kernel queue injection (KQI). Current kernel-level defense mechanisms have difficulties with KQI attacks, since they work without necessarily changing legitimate kernel code or data. In this project, we design, implement, and evaluate KQguard, an efficient and effective protection mechanism of KQs. KQguard employs static and dynamic analysis of kernel and device drivers to learn specifications of legitimate event handlers. At runtime, KQguard rejects all the unknown KQ requests that cannot be validated. We implement KQguard on the Windows Research Kernel (WRK), Windows XP, and Linux, using source code instrumentation or binary patching. Our extensive experimental evaluation shows that KQguard is effective (i.e., it can have zero false positives against representative benign workloads after enough training and very low false negatives against 125 real-world malware), and it incurs a small overhead (up to ~5%). We also present the result of an automated analysis of 1,528 real-world kernel-level malware samples aiming to detect their KQ Injection behaviors. KQguard protects KQs in both Windows and Linux kernels, can accommodate new device drivers, and can support closed source device drivers through dynamic analysis of their binary code.

Establishing Digital Citizenship by Implementing Cyber Safety Curriculum with Middle School Students

Funded by: National Science Foundation
Project URL:

To increase cyber safety knowledge and skills among middle school students, teachers, and technology facilitators, and create cyber safety awareness among parents of middle school students.

Ethical Guidelines and Privacy Protections for Health Data Using Blockchain Technology


Examines the role of ethical frameworks and level of privacy protections in building trust for genomic and other health data using blockchain technology.

Formal and data-driven security analytics


The objective of this research is to verify the soundness, compliance and hardness of security configurations. Researchers collect, analyze data from real-life system artifacts and use information theoretic, machine learning and statistical data analysis to characterize threats, measure risk and predict incident trends. Key problems investigated include configuration analytics, policy verification and enforcement, threat information analytics, and cyber risk measurement.

Hands-on Learning Experiences for Cyber Threat Hunting Education

Funded by: NSA
Project URL: cyberthreathunting

Cyber threat hunting has emerged as a critical part of cyber security practice. However, there is a severe shortage of cybersecurity professionals with advanced analysis skills for cyber threat hunting. More specifically, automation using Artificial Intelligence is reducing the need for human intervention in cyber defense, at the same time, it has increased the demand for cybersecurity professionals with more advanced analysis skills. As corroborated by a recent survey of IT professionals by SANS Institute, cyber threat hunting is an example of advanced analysis skills in great demand. We are developing freely-available, hands-on learning materials for cyber threat hunting suitable for use in two-year community college curriculum, 4-year universities curriculum, as well as for collegiate threat hunting competitions. The objectives of this project are: (1) develop hands-on learning experiences that cover two important areas in threat hunting: threat analysis and security data analytics, and (2) build institutional capacity by integrating hands-on labs on threat hunting into existing curricula at two participating institutions: UNC Charlotte and Forsyth Tech.

Implicit One-handed Mobile User Authentication by Induced Thumb Biometrics on Touch-screen Handheld Devices

Funded by: National Science Foundation
Project URL:

The objective of this project is to improve both security and usability of mobile user authentication. The project will support one-handed mobile authentication on a touch-screen mobile device by inducing thumb biometrics and by enabling one-handed text entry based on thumb strokes.

Securing American Manufacturing

Funded by: US DoE / Consolidated Nuclear Security

The Securing American Manufacturing (SAM) project is sponsored by the Office of the Secretary of Defense Manufacturing Technology Program (ManTech) and the Department of Energy Advanced Manufacturing Office (AMO). SAM addresses the intensifying concern expressed by the President; Congress; the Department of Defense Under Secretary of Defense for Acquisition, Technology, and Logistics; and the Deputy Assistant Secretary of Defense for Manufacturing Industrial Base Policy over the cybersecurity of networked manufacturing systems – the information supply chain, with emphasis on determining the effectiveness of the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, “Safeguarding of Unclassified Controlled Technical Information (CTI),” on the small to medium size manufacturing companies that are the backbone of the defense industrial base (DIB).