Associate Professor at UofG/Georgia Tech
Roberto Perdisci is Patty and D.R. Grimes Distinguished Professor in Computer Science at the University of Georgia, where he directs the UGA Institute for Cybersecurity and Privacy. He is also an Adjunct Associate Professor in the Georgia Tech School of Computer Science and a member of the Georgia Tech Institute for Information Security and Privacy. His research interests include network and web security, malware defense, security applications of AI, IoT security, and telephony security.
Prof. Perdisci is the recipient of a 2012 NSF CAREER Award and of the 2015 UGA Fred C. Davison Early Career Scholar Award. He has published over sixty peer-reviewed papers, many of which have appeared in the most selective computer security and systems conferences and journals. His research has been sponsored by grants from the National Science Foundation, the US Department of Homeland Security (DHS), DARPA, and an industry grant from Intel. His past research on malware download defenses was selected by DHS for the Technology Transition to Practice (TTP) program and has been promoted at prestigious industry venues, including the RSA Conference.
Many modern network security incidents originate from the Web. For instance, it is not uncommon for users to stumble upon a website that hosts malicious advertisements, which in turn may redirect to phishing sites or promote the installation of malicious software via social engineering attacks. In corporate networks, such attacks can have devastating consequences. For example, an initial web-driven malware infection may be used as a stepping stone for larger scale network intrusions and costly data breaches. When such high-profile incidents are discovered, often weeks or even months after the initial attack took place, a digital forensics team is typically called in to reconstruct the root causes of the incident, so that better network defenses and security policies can be developed. However, a forensic analyst may not be able to reconstruct the entire chain of events up to the initial web attack that is the true root cause of the network breach. This is because modern browsers lack the ability to produce detailed audit logs, and the information contained in the existing navigation history and browser cache is typically too sparse or short lived to allow for a detailed reconstruction of complex web attacks.
In this talk, I will present two in-browser audit logging systems, called ChromePic and JSgraph, that aim to fill this gap. Both ChromePic and JSgraph are designed to continuously record detailed events internal to the browser, enabling the reconstruction of a variety of web-based attacks, including social engineering attacks and web-driven malware downloads. I will also show that such detailed audit logs can be continuously and transparently recorded with acceptable impact on browser performance and usability, and provide evidence that the resulting audit logs can be preserved for long periods of time, thus allowing for a detailed post-mortem analysis of web-driven security incidents that occurred long before they were discovered.