<node id="429511">
  <nid>429511</nid>
  <type>news</type>
  <uid>
    <user id="27490"><![CDATA[27490]]></user>
  </uid>
  <created>1438242908</created>
  <changed>1475896759</changed>
  <title><![CDATA[Georgia Tech Receives $4.2 Million for Military Research to Better Secure Data Transfer]]></title>
  <body><![CDATA[<p>Researchers from the College of Computing at the Georgia Institute of Technology were awarded $4.2 million from the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory (AFRL) to improve how data is tracked between computers, Internet hosts, and browsers for better cyber security.</p><p>The four-year project, titled “THEIA” after the Greek goddess of shining light, attempts to shed light on exactly where data moves as it is routed from one Internet host to another and whether any malicious code, for example, is attached to data during transfer.</p><p>“The project has wide implications for any industry and anyone who needs to send secure information, make sure it is not manipulated during transfer, and that it arrives securely intact – but especially for those banking, shopping or trading online,” says Dr. Wenke Lee, primary investigator and professor in the College of Computing. “If we have the ability to fully track how data is processed until it reaches the intended recipient, then we can better detect and stop advanced persistent threats (APT).”</p><p>For example, currently it is not possible for a network intrusion detection system to determine whether data sent from an end-host was modified by a malicious browser extension after a user completed a web form. State-of-the-art information flow tracking today typically applies only to a single layer (such as the program level), or does not utilize the full semantics at all layers (to verify if input was entered by the original user, for example).</p><p>THEIA will track and record information at three layers: user interaction with a program, program processing of data input, and program and network interactions with an operating system. Together, THEIA will monitor secure data flow from user to program, from program to file system storage, and storage to network output, and back again. Such completeness is critical to APT detection.</p><p>“Our ultimate goal is to provide complete transparency, or full visibility, into host events and data so that APT activities cannot evade detection,” Lee says. “THEIA represents what could be a significant advance over state-of-the-art approaches, which typically are forced to make arbitrary trade-offs between verifying accuracy and maintaining total computational efficiency.”</p><p>THEIA would make no such compromise. THEIA will record a sufficient amount of data at runtime, then replay and analyze recorded events in semi-real-time when suspicious alerts are triggered, or analyze the data completely offline.</p><p>Lee, a co-director of the Institute for Information Security and Privacy at Georgia Tech, has conducted cyber security research from Atlanta since 2001. Lee’s research interests include systems and network security, applied cryptography, and data mining. Most recently, he has focused on botnet detection and malware analysis, security of mobile systems and apps, and detection and mitigation of information manipulation on the Internet. Lee has published over 140 articles. In 2006, Lee co-founded Damballa, Inc., a spin-off from his lab that focuses on botnet detection and mitigation.</p><p>The DARPA-AFRL project is funded with $4,253,126 over 48 months. Participating in the work will be Dr. Taesoo Kim, assistant professor; Dr. Alessandro Orso, associate chair; Dr. Simon Chung, research scientist, all with the School of Computer Science, College of Computing; and Dr. Albert Brzeczko, research engineer at Georgia Tech Research Institute (GTRI).</p>]]></body>
  <field_subtitle>
    <item>
      <value><![CDATA[]]></value>
    </item>
  </field_subtitle>
  <field_dateline>
    <item>
      <value>2015-07-30T00:00:00-04:00</value>
      <timezone><![CDATA[America/New_York]]></timezone>
    </item>
  </field_dateline>
  <field_summary_sentence>
    <item>
      <value><![CDATA[Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory (AFRL) seek better cyber security between computers, Internet hosts, and browsers.]]></value>
    </item>
  </field_summary_sentence>
  <field_summary>
    <item>
      <value><![CDATA[<p>Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory (AFRL) seek better cyber security between computers, Internet hosts, and browsers with the help of Georgia Tech's College of Computing.</p>]]></value>
    </item>
  </field_summary>
  <field_media>
          <item>
        <nid>
          <node id="429521">
            <nid>429521</nid>
            <type>image</type>
            <title><![CDATA[Wenke Lee 2015 headshot]]></title>
            <body><![CDATA[]]></body>
                          <field_image>
                <item>
                  <fid></fid>
                  <filename><![CDATA[]]></filename>
                  <filepath><![CDATA[]]></filepath>
                  <file_full_path><![CDATA[]]></file_full_path>
                  <filemime></filemime>
                  <image_740><![CDATA[]]></image_740>
                  <image_alt><![CDATA[]]></image_alt>
                </item>
              </field_image>
            
                      </node>
        </nid>
      </item>
      </field_media>
  <field_contact_email>
    <item>
      <email><![CDATA[tlabouff@cc.gatech.edu]]></email>
    </item>
  </field_contact_email>
  <field_location>
    <item>
      <value><![CDATA[]]></value>
    </item>
  </field_location>
  <field_contact>
    <item>
      <value><![CDATA[<p><a href="mailto:tlabouff@cc.gatech.edu" target="_blank">Tara La Bouff</a></p><p>Marketing Communications Manager</p><p>404.769.5408</p>]]></value>
    </item>
  </field_contact>
  <field_sidebar>
    <item>
      <value><![CDATA[]]></value>
    </item>
  </field_sidebar>
  <field_boilerplate>
    <item>
      <nid><![CDATA[]]></nid>
    </item>
  </field_boilerplate>
  <links_related> </links_related>
  <files> </files>
  <og_groups>
          <item>47223</item>
      </og_groups>
  <og_groups_both>
          <item>
        <![CDATA[Computer Science/Information Technology and Security]]>
      </item>
          <item>
        <![CDATA[Military Technology]]>
      </item>
          <item>
        <![CDATA[Research]]>
      </item>
      </og_groups_both>
  <field_categories>
          <item>
        <tid>153</tid>
        <value><![CDATA[Computer Science/Information Technology and Security]]></value>
      </item>
          <item>
        <tid>147</tid>
        <value><![CDATA[Military Technology]]></value>
      </item>
          <item>
        <tid>135</tid>
        <value><![CDATA[Research]]></value>
      </item>
      </field_categories>
  <core_research_areas>
          <term tid="39481"><![CDATA[National Security]]></term>
      </core_research_areas>
  <field_news_room_topics>
          <item>
        <tid>71881</tid>
        <value><![CDATA[Science and Technology]]></value>
      </item>
      </field_news_room_topics>
  <og_groups_both>
          <item><![CDATA[College of Computing]]></item>
      </og_groups_both>
  <field_keywords>
          <item>
        <tid>208</tid>
        <value><![CDATA[computing]]></value>
      </item>
          <item>
        <tid>345</tid>
        <value><![CDATA[cyber security]]></value>
      </item>
          <item>
        <tid>136881</tid>
        <value><![CDATA[data transfer]]></value>
      </item>
          <item>
        <tid>2678</tid>
        <value><![CDATA[information security]]></value>
      </item>
          <item>
        <tid>136871</tid>
        <value><![CDATA[Internet host]]></value>
      </item>
          <item>
        <tid>525</tid>
        <value><![CDATA[military]]></value>
      </item>
      </field_keywords>
  <field_userdata>
      <![CDATA[]]>
  </field_userdata>
</node>
