Automated Malware Generation Technologies for Avionics Cyber Resiliency

ID: AF222-0012 • Type: SBIR / STTR Topic

Description

OUSD (R&E) MODERNIZATION PRIORITY: Cybersecurity; Autonomy; Artificial Intelligence/Machine Learning

TECHNOLOGY AREA(S): Sensors

OBJECTIVE: Develop a capability to automatically generate malware test samples to support cyber resiliency for next-generation avionics architectures.

DESCRIPTION: Next-generation avionics architectures require the ability to operate in a cyber-contested environment. This, in turn, requires avionic mission systems to detect, respond, and adapt to targeted cyber-attacks and to quantitatively measure the effectiveness of cyber resiliency technologies. In order to build avionics malware detection tools and to quantify their effectiveness, a comprehensive repository of malware test samples must be created. Given the cost, time, and expertise needed to manually create these test samples, this topic focuses on developing automated malware generation tools to create this comprehensive repository. The lack of malware test samples impacts our ability to both develop effective malware detection algorithms as well as test existing cyber resiliency solutions against malware payloads that could, in principle, be created by our adversaries. The difficulty with creating such a repository is that it is dependent on the adversary's (vs. our own) knowledge about the security flaws of the targeted system, their ability to gain access to those flaws, and their ability to exploit those flaws [1], which is often unknown to the developers of the cyber protection solutions. While red teaming is often used as a means to measure the effectiveness of cyber protection solutions, these exercises are limited in scope and by the knowledge, skills, and resources of the red team, which do not necessarily reflect a determined nation-state adversary with nearly unlimited resources.

The lack of quantitative measures of effectiveness is exacerbated by the fact that flaws may exist on the system that are unknown to the cyber protection developers and their red teams that could be uncovered and exploited by real adversaries. What is required is the ability to objectively simulate the attack creation process of our cyber adversaries and to proactively develop malware detection solutions in anticipation of those threats. The goal of this topic is to create the underlying technology necessary to automatically generate malware samples [2-4] that will be used to create a co-evolving protection system that can detect, respond, and adapt to otherwise unforeseen threats. In particular, the focus of this topic should be to develop techniques for generating supply chain malware that is surreptitiously embedded in representative avionics/ISR software and firmware. The techniques and tools for generating embedded malware samples developed under this topic would then be used by the Air Force internally to quantitatively test government developed malware detection algorithms in advance of a real-world attack, as well as for malicious feature extraction to improve malware detection tools [5] that are part of a cyber-resilient defense. The above approach requires innovative research and development of evolvable malware that targets a representative avionics system and an ability to evaluate the feasibility of the generation techniques and the effectiveness of the resulting malware samples, whether through instantiation on hardware or through software simulation.

For the purpose of this topic, a suggested target platform includes, but is not limited to, a small testbed containing a sensor (e.g., camera, GPS), a post-processing computer (e.g., a single board computer) with corresponding software that operates on sensor data, and an analyst's workstation, that might be representative of an avionics mission system or intelligence, surveillance, reconnaissance (ISR) system.

PHASE I: Develop an approach, architecture and limited-scope prototype that demonstrates the ability to evolve malware samples that target representative avionics system software or firmware and cause a mission impact. These malware samples should be undetectable by at least one commonly used commercial off-the-shelf anti-virus program. Malicious features that are differentiable from the host software should be identified and explainable as to why they are considered malicious.

PHASE II: Expand the quantity and sophistication of the malware test samples generated, categorize the classes of attacks, and identify the distinguishing malicious features from the targeted host software or firmware. Determine the false positive and false negative rates of detection of the cyber protection system based on commercially available malware detection products or other available tool suites. The malware should not only avoid exposure by malware detection tools, but also by acceptance tests used to validate the legitimate host software/firmware.

PHASE III DUAL USE APPLICATIONS: The final product will have both commercial and military avionics system applications, as well as a broad class of embedded system applications, including Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS).

REFERENCES:
[1] Jeff Hughes and George Cybenko, Three Tenets for Secure Cyber-Physical System Design and Assessment, Proc. of SPIE Vol. 9097, 9097A, 18 June 2014.
[2] Sadia Noreen, Shafaq Murtaza, M. Zubair Shafiq, and Muddassar Farooq, Evolvable Malware, Proceedings of the 11th Annual Conference on Genetic and Evolutionary Computation (GECCO), Montreal, Quebec, Canada, 2009.
[3] R. Murali and C. S. Velayutham, "A Conceptual Direction on Automatically Evolving Computer Malware using Genetic and Evolutionary Algorithms," 2020 International Conference on Inventive Computation Technologies (ICICT), 2020, pp. 226-229, doi: 10.1109/ICICT48043.2020.9112509.
[4] R. L. Castro, C. Schmitt and G. Dreo, "AIMED: Evolving Malware with Genetic Programming to Evade Detection," 2019 18th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/13th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE), 2019, pp. 240-247, doi: 10.1109/TrustCom/BigDataSE.2019.00040.
[5] Mohammad M. Masud, Latifur Khan, and Bhavani Thuraisingham, A scalable multi-level feature extraction technique to detect malicious executables, Information Systems Frontiers, 10(1): 33-45, March 2008.

KEYWORDS: Evolutionary Computing; Genetic Algorithms; Malware detection; Embedded System Security; Avionics Cyber Security

Overview

Response Deadline: June 15, 2022 (Past Due)
Posted: April 20, 2022
Open: May 18, 2022
Set Aside: Small Business (SBA)
Place of Performance: Not Provided

Program: SBIR Phase I / II
Structure: Contract
Phase Detail:
Phase I: Establish the technical merit, feasibility, and commercial potential of the proposed R/R&D efforts and determine the quality of performance of the small business awardee organization.
Phase II: Continue the R/R&D efforts initiated in Phase I. Funding is based on the results achieved in Phase I and the scientific and technical merit and commercial potential of the project proposed in Phase II. Typically, only Phase I awardees are eligible for a Phase II award.
Duration: 6 Months - 1 Year
Size Limit: 500 Employees
On 4/20/22, the Department of the Air Force issued SBIR / STTR Topic AF222-0012 for Automated Malware Generation Technologies for Avionics Cyber Resiliency, due 6/15/22.
