Louisiana State University (LSU) cybersecurity researchers are developing an AI-accelerated tool called HookTracer to expedite cybercrime investigations.
According to LSU, HookTracer is a tool that uses artificial intelligence (AI) to identify known and unknown cybercriminals and their crimes.
LSU said Louisiana ranks high on the list of U.S. states most at risk of cybercrime, the highest among Southern states apart from Florida. The university added that HookTracer can help investigators such as the Louisiana State Police's Cybercrime Unit stop, or at least understand and mitigate, cyberattacks.
“Cybercrime is flourishing among Louisiana-based networks… Our state’s heavy saturation of the nation’s most critical infrastructure makes it an enticing target for cybercriminals. Investigating these crimes is a labor-intensive effort, even for the most highly trained analysts. That’s why Louisiana State Police always is looking for new tools and methodologies, such as those developed by LSU, to make the process more efficient,” Louisiana State Police cybercrime analyst Devin King said.
One subtle malware technique that HookTracer focuses on is the application programming interface (API) hook. A program asks the operating system to do work by calling API functions; a hook diverts such a call so that other code runs before, instead of, or after the original function. Security products and debuggers install hooks for legitimate reasons, but malware uses the same mechanism to intercept, alter, or hide activity, for example by filtering the results of a directory listing so that its own files never appear.
An API connects programs or computers to one another, whereas a user interface connects a computer to a person. An API is designed to hide a system's internal workings and expose only the functions a calling program needs, which is part of why a hook planted at that boundary is easy to overlook.
“Previous research in memory forensics we’ve done at LSU has addressed the problem of detecting the presence of API hooks, but a related issue is that we’ve been using heuristics—rules of thumb—to differentiate between benign and malicious hooks. When malware changes behavior, this can result in malicious hooks being marked as benign and therefore not examined by an investigator,” LSU Applied Cybersecurity Lab Director Professor Golden G. Richard III said.
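As an added illustration of the heuristic approach the quote above describes (this is example code written for this page, not HookTracer or Volatility code), the following Python decodes three common 32-bit inline-hook trampolines found at the start of a function and applies a rule-of-thumb verdict based on where the jump lands. The module names are real DLL names, but the base addresses, sizes, function address and prologue bytes are constructed for the example.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    """A loaded image as recovered from a memory dump's module list."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed module map: real DLL names, made-up bases and sizes.
MODULES = [
    Module("kernel32.dll", 0x7C800000, 0xF6000),
    Module("hookdll.dll", 0x10000000, 0x20000),
]

# Constructed prologues for a 32-bit kernel32 export at this made-up address.
FUNC_ADDR = 0x7C801A28
NORMAL_PROLOGUE = bytes.fromhex("8bff558bec")  # mov edi,edi; push ebp; mov ebp,esp
HOOKED_JMP = b"\xE9" + struct.pack("<i", 0x10001000 - (FUNC_ADDR + 5))  # jmp rel32 -> hookdll
HOOKED_PUSH_RET = b"\x68" + struct.pack("<I", 0x00420000) + b"\xC3"  # push imm32; ret
HOOKED_MOV_JMP = b"\xB8" + struct.pack("<I", 0x7C810000) + b"\xFF\xE0"  # mov eax,imm32; jmp eax


def decode_hook(prologue: bytes, func_addr: int):
    """Return the address the function's first instruction transfers control to,
    or None if the prologue is not one of three common inline-hook trampolines."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:  # jmp rel32 (relative to next instruction)
        rel32 = struct.unpack_from("<i", prologue, 1)[0]
        return (func_addr + 5 + rel32) & 0xFFFFFFFF
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:  # push imm32; ret
        return struct.unpack_from("<I", prologue, 1)[0]
    if len(prologue) >= 7 and prologue[0] == 0xB8 and prologue[5:7] == b"\xFF\xE0":  # mov eax,imm32; jmp eax
        return struct.unpack_from("<I", prologue, 1)[0]
    return None


def classify_hook(func_addr: int, prologue: bytes, modules) -> str:
    """Rule-of-thumb verdict of the kind the quote describes: judge a hook by
    which module, if any, owns the address it jumps to."""
    target = decode_hook(prologue, func_addr)
    if target is None:
        return "unhooked"
    owner = next((m for m in modules if m.contains(func_addr)), None)
    dest = next((m for m in modules if m.contains(target)), None)
    if owner is not None and dest is owner:
        return "intra-module jump"  # looks like a compiler thunk; heuristic treats it as benign
    if dest is not None:
        return f"hooked -> {dest.name}"  # lands in a listed module; heuristic treats it as likely benign
    return "hooked -> unbacked memory (suspicious)"  # no module owns the target; flag it


def analyse_samples():
    """Run the classifier over the constructed prologues."""
    return {
        "normal": classify_hook(FUNC_ADDR, NORMAL_PROLOGUE, MODULES),
        "jmp": classify_hook(FUNC_ADDR, HOOKED_JMP, MODULES),
        "push_ret": classify_hook(FUNC_ADDR, HOOKED_PUSH_RET, MODULES),
        "mov_jmp": classify_hook(FUNC_ADDR, HOOKED_MOV_JMP, MODULES),
    }


if __name__ == "__main__":
    for name, verdict in analyse_samples().items():
        print(f"{name:9s} {verdict}")
```

The fourth sample shows the weakness the quote is about: its trampoline lands inside kernel32's own address range (as it would if malware wrote its stub into slack space in a legitimate module), so the address-ownership rule marks it as a harmless intra-module jump and an investigator would never be shown it. A rule-based verdict is only as good as the assumptions behind the rule; the article presents HookTracer's learned classifier and its emulation of the hooked code as the attempt to move past that limit.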
The LSU researchers behind HookTracer are using AI to help investigators identify attacks that are not exact matches for previously seen attacks but resemble them in significant ways. This matters because the combinations of hardware, software, and malware an investigator encounters vary in complex and sometimes subtle ways.
According to LSU, similar to how deep learning for facial recognition can learn to recognise a person both with and without glasses, AI is exceptionally good at finding “close enough” patterns in massive amounts of data.
King said Louisiana State Police routinely gathers evidence from numerous hosts operating in victim networks for cyber-intrusion investigations.
“Sifting through that data and finding ‘bad’ is one of the most critical steps. A large part of our investigative effort is spent going down rabbit holes to rule out false positives and negatives to ensure ‘bad’ is actually what was found. The ability to quickly make that determination is key,” he added.
The LSU researchers are also working to make HookTracer adaptable and explainable. Both properties are crucial in memory forensics and data security, where a tool's conclusions can end up as evidence with legal consequences. The team's AI contribution, a multi-level attention network, lets HookTracer shift its focus according to what it learns from prior cases and then report those revised priorities to investigators.
“A deep neural network is infamous for its complexity and can be very hard to explain, so we must work on different strategies to make sure we have a better understanding of not only the AI’s decisions but also why those decisions were made,” LSU Division of Computer Science and Engineering Professor and HookTracer AI components lead developer Mingxuan Sun said.
LSU's cybersecurity team will use adversarial training to make HookTracer's AI more resilient and harder to fool. LSU said adversarial learning should improve HookTracer's adaptability and usefulness across platforms and data types while reducing the likelihood that malware can evade detection.
HookTracer was also designed to work with the open-source Volatility memory analysis framework, one of the world’s leading memory forensics platforms.
“HookTracer’s greatest strength is that it uses malware’s code against itself by emulating the instructions in a sandboxed environment. This allows the decisions made by HookTracer to be driven directly by the activity of malicious code. Few other projects in the field allow for such power in a scalable way, and it gives our students the ability to quickly develop new malware detection capabilities that can be immediately applied in the field,” core developer of Volatility and member of LSU’s Applied Cybersecurity Lab Andrew Case said.