8812 Craver Road, Charlotte, NC 28223
Md Rabbi Alam

Computing & Information Systems-PHD

Dr. Jinpeng Wei

Dr. Weichao Wang, Dr. Bei-Tseng Chu and Dr. M. Yasin Akhtar Raja

Advanced Persistent Threats (APTs) are a type of cyber attack that is particularly challenging to detect and mitigate. APTs often involve multiple stages, with the attacker gaining a foothold in the victim's machine and then using various techniques to move laterally through the network in search of valuable assets (e.g., personally identifiable information). By studying novel techniques for lateral movement, security professionals can find the system deficiencies that an attacker might use for lateral movement and develop effective defense strategies to prevent it. This dissertation aims to investigate novel stealthy attack techniques in enterprise environments that hijack existing applications and abuse their execution context for lateral movement in a way that is undetectable by state-of-the-art defense technologies. This dissertation presents two new classes of lateral movement attacks targeting both cloud-connected IoT ecosystems and traditional enterprise environments. For IoT devices, three novel attacks are presented that enable the adversary to issue illicit method invocations (e.g., to unlock a victim user's door), inject malicious firmware, and gain system-level access on IoT devices from a compromised IoT developer machine. This dissertation also presents a novel lateral movement technique that secretly duplicates the secure context used by popular tools (e.g., SSH, PuTTY, WinSCP, and WinRM) and uses it for lateral movement over encrypted communication channels. This work identifies the challenges of these kinds of attacks and how they can be partially overcome by advanced program analysis techniques such as call graph analysis, data structure analysis, and data flow analysis based on source or binary code. Finally, this work presents FaaSGuard, a lightweight framework designed to instrument serverless functions and facilitate the training of anomaly detection models based on the reconstruction error of autoencoders, which helps to prevent lateral movement. FaaSGuard achieves an average F1 score of 98.18%, and with threshold tuning, it reaches 100% F1 and recall. Together, these contributions advance the understanding of modern lateral movement techniques and offer practical approaches for securing cloud and enterprise systems against stealthy APT activity.
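The abstract's last two sentences describe the detection workflow behind FaaSGuard: score each serverless invocation by how poorly a model trained on benign behaviour reconstructs it, then tune the decision threshold to maximise F1 and recall. The following is an added example, not FaaSGuard's code or anything from the dissertation. It stands in for the autoencoder with a one-component PCA reconstruction fitted by power iteration (an assumption made so the example runs without ML libraries; the error metric and threshold sweep are the same as for a neural autoencoder), and it uses constructed per-invocation telemetry with an assumed feature set of (duration_ms, memory_mb, outbound_connections, syscalls).

```python
"""Reconstruction-error anomaly detection with threshold tuning (added example)."""
from math import sqrt

# Constructed benign training telemetry, one tuple per invocation:
# (duration_ms, memory_mb, outbound_connections, syscalls). Feature set is assumed.
TRAIN_BENIGN = [(100 + i, 50 + 0.5 * i, 1 + (i % 2), 200 + (i % 3)) for i in range(12)]

# Constructed labelled validation set: label 1 marks invocations that behave like
# lateral movement (many outbound connections, far more syscalls than normal).
VALIDATION = [
    ((104, 52, 2, 201), 0), ((107, 53.5, 1, 202), 0), ((101, 50.5, 2, 200), 0),
    ((109, 54.5, 1, 201), 0), ((103, 51.5, 2, 202), 0),
    ((450, 180, 35, 900), 1), ((120, 60, 60, 650), 1), ((800, 300, 20, 1200), 1),
]


def standardize_stats(rows):
    """Per-feature mean and population std dev of the benign training rows."""
    n, d = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(d)]
    stds = [sqrt(sum((r[j] - means[j]) ** 2 for r in rows) / n) for j in range(d)]
    return means, [s if s > 0 else 1.0 for s in stds]  # guard constant features


def zscore(row, means, stds):
    return [(x - m) / s for x, m, s in zip(row, means, stds)]


def top_component(z_rows, iterations=100):
    """Unit vector of maximum variance via power iteration on the covariance matrix."""
    n, d = len(z_rows), len(z_rows[0])
    cov = [[sum(r[i] * r[j] for r in z_rows) / n for j in range(d)] for i in range(d)]
    v = [1.0] * d
    for _ in range(iterations):
        w = [sum(cov[i][j] * v[j] for j in range(d)) for i in range(d)]
        norm = sqrt(sum(x * x for x in w))
        v = [x / norm for x in w]
    return v


def fit(benign_rows):
    """Fit the 'autoencoder' stand-in on benign-only data (no labels needed)."""
    means, stds = standardize_stats(benign_rows)
    z_rows = [zscore(r, means, stds) for r in benign_rows]
    return {"means": means, "stds": stds, "v": top_component(z_rows)}


def reconstruction_error(model, row):
    """Squared residual after projecting onto the learned component and back."""
    z = zscore(row, model["means"], model["stds"])
    coeff = sum(a * b for a, b in zip(z, model["v"]))
    recon = [coeff * b for b in model["v"]]
    return sum((a - b) ** 2 for a, b in zip(z, recon))


def precision_recall_f1(y_true, y_pred):
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1


def tune_threshold(model, labelled):
    """Sweep every observed error as a candidate threshold; keep the best F1."""
    errors = [reconstruction_error(model, row) for row, _ in labelled]
    y_true = [label for _, label in labelled]
    best = (None, 0.0, 0.0)  # (threshold, f1, recall)
    for t in sorted(set(errors)):
        y_pred = [1 if e >= t else 0 for e in errors]
        _, recall, f1 = precision_recall_f1(y_true, y_pred)
        if f1 > best[1]:
            best = (t, f1, recall)
    return best


if __name__ == "__main__":
    model = fit(TRAIN_BENIGN)
    threshold, f1, recall = tune_threshold(model, VALIDATION)
    print(f"threshold={threshold:.3f} f1={f1:.2f} recall={recall:.2f}")
    for row, label in VALIDATION:
        print(label, round(reconstruction_error(model, row), 3))
```

In practice the threshold is tuned on a held-out labelled set and then frozen, as the sweep above does; tuning on the same data used to report F1 inflates the score, which is why the abstract's 100% figure is worth reading as a ceiling reached after tuning rather than a default operating point.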
