Social Graph Analysis and Attribution of Software Exploit Contributors Using GitHub:
Attribution of threat actors is an increasingly important and difficult problem. One potential mitigation is the early detection of potential threat actors via analysis of open-source intelligence (OSINT). This project will analyze the social graph of users who contribute to, follow, star, and otherwise interact with proof-of-concept CVE implementations and other relevant potentially malicious (e.g. software vulnerability) repositories. Attribution of threat actors is an increasingly important and difficult problem. One potential mitigation is the early detection of potential threat actors via analysis of open-source intelligence (OSINT). This project will analyze the social graph of users who contribute to, follow, star, and otherwise interact with proof-of-concept CVE implementations and other relevant potentially malicious (e.g. software vulnerability) repositories.

Integration of Frame Semantics to Cyber Ontologies
Cyber ontologies such as STIX and ATT&CK can represent complex relationships between cyber threat actors, attacks and infrastructure.  While such representations are conducive to interoperability between systems, they are often unwieldy for human cyber analysts to deal with directly.  Conversely, Natural language generation (NLG) frameworks like FrameNet represent language in a structured manner, but frame specifications are often not specific enough for specialized domains (such as cyber security).  Leveraging and combining the semantic structure of both forms can create a tool that can translate cyber threat data in standard interoperable formats (such as STIX) to human-readable reports, via existing NLG frameworks.  Working on a project such as this provides an opportunity for significant impact, as the fusion of these two structures could greatly increase both the adoption and the utility of cyber threat ontologies.

Textual, Structural and Semantic Analysis of Phishing Datasets
Phishing attacks – both specifically and broadly targeted – are an increasingly dangerous vector for malice. Because of the textual and semantic similarities between potentially malicious and benign emails, detection of subtle phishing attacks can be difficult. This project aims to provide a high-level textual and structural analysis of different phishing datasets to determine what features in a conversational chain may be useful in increasing detection of phishing attacks. Students will work on textual extraction of features (intent, sentiment, tone, etc.) and analysis of externally verifiable content (company affiliation, etc.).

Detecting Malware Campaign Lifecycles from Behavioral Analysis:
This project aims to detect and coalesce families of malware articles and campaigns by analyzing their behavior and interactions with the outside world. Features such as network activity, system component interactions and others can be used to cluster malware articles and determine the duration of malware campaigns otherwise thought to be independent. Students will work on Exploration of open-source malware API contents (e.g. VirusTotal), construction of malware behavioral data set, generation of similarity metrics (network traffic access patterns, system interactions, etc.) and analysis and clustering of malware articles and campaigns.

Social Network Expansion: Construction of a human-subject spearphishing experiment:
Social Network Expansion (SNE) aims to explore the relationship between various factors of “cost” in creating social networking personas, and these personas’ efficacy in connecting and interacting with a target populace.  A more complete understanding of this relationship between required adversarial complexity/resources and connection/interaction efficacy will enhance our ability to detect and mitigate a number of threats, including (but not limited to) spearphishing, persona hijacking and the spread of fake news.