Degree
Doctor of Philosophy (PhD)
Department
The Division of Computer Science and Engineering
Document Type
Dissertation
Abstract
Cyber threat actors, including state-sponsored groups and other malicious parties, pursue high-profile objectives aimed at fundamentally threatening national security. Their activities range from cyber espionage and data exfiltration to financial fraud, service disruption, botnet orchestration, and other malicious acts. Following established attack playbooks, these attackers exploit vulnerabilities across the digital attack surface to infiltrate networks. A primary attack vector is the exploitation of known or newly emerging (zero-day) vulnerabilities in public-facing applications. Once the network perimeter is breached, threat actors move laterally through systems, escalate privileges, and deploy backdoors to maintain persistent and stealthy access. This allows them to remain dormant as cyber sleeper cells, akin to covert operatives in the intelligence community. Upon activation, these cyber cells are weaponized to execute targeted attacks within their exploitation scope, or transformed into a distributed strike force that uses the victim's infrastructure as cover to launch operations with near-perfect anonymity.
In this doctoral dissertation, we tackle these challenges using data-driven approaches focused on (i) analyzing diverse threat vectors targeting the digital attack surface of IT systems and (ii) inferring traces of lateral movement that compromise the network core. First, we address pressing cybersecurity challenges at the Internet perimeter by operationalizing Cyber Threat Intelligence (CTI) from network telescopes extended with advanced deception techniques and coupled with UDP amplification and honeypot sensors. The analyzed intelligence profiles concealed yet evolving cyberwarfare intentions amid global events, reveals nefarious activities unfolding in the wild, and uncovers emerging vulnerabilities, ultimately enabling actionable insights to safeguard critical infrastructure and backbone systems. Second, we target the core of large and dynamic networks by analyzing authentication logs to uncover stealthy attack paths and malevolent activities. Our detection framework models a network as a continuous-time dynamic graph, in which each authentication event is a timestamped directed edge between hosts, and applies a Temporal Graph Neural Network (TGNN) with inductive reasoning, which enables the prediction of lateral movement paths even in incomplete or previously unseen network states. Such capabilities equip security analysts with tools to detect and triage covert network threats from cyber sleeper cells before escalation. Finally, this dissertation highlights the impact of its findings and lays the foundation for future research opportunities and directions.
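To make the second part of the abstract concrete, the following is an added illustration (not the dissertation's code or its TGNN) of how authentication logs become a continuous-time dynamic graph and how lateral movement shows up in it. The learned link-prediction model is replaced here by a deliberately simple stand-in: edges are taken from a baseline period, and after that period any chain of never-before-seen host-to-host logons by the same user, where each hop starts on the host the previous hop landed on within a short window, is reported as a candidate lateral movement path. The log format, host names, user names, timestamps and thresholds are all constructed assumptions for the example.

```python
"""Authentication logs -> continuous-time dynamic graph -> chained novel-edge scoring.

Added illustration only; the dissertation's framework uses a Temporal Graph
Neural Network, which this heuristic stands in for.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    ts: int      # constructed: seconds on an arbitrary clock
    user: str
    src: str     # host the logon originated from
    dst: str     # host that authenticated the user
    ok: bool     # only successful logons create graph edges


# Constructed sample log (not real telemetry). Format: ts,user,src,dst,result
SAMPLE_LOG = """\
1000,alice,ws01,file01,success
1030,alice,ws01,file01,success
1100,bob,ws02,mail01,success
1200,alice,ws01,file01,success
1250,alice,ws01,dc01,failure
5000,alice,ws01,ws07,success
5040,alice,ws07,db01,success
5075,alice,db01,dc01,success
5200,bob,ws02,mail01,success
"""


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed CSV-like lines into time-ordered events."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src, dst, result = line.split(",")
        events.append(AuthEvent(int(ts), user, src, dst, result == "success"))
    return sorted(events, key=lambda e: e.ts)


def build_temporal_graph(events: list[AuthEvent]) -> list[tuple[int, str, str, str]]:
    """Continuous-time dynamic graph: a stream of timestamped directed edges.

    Each successful logon is one edge (ts, src, dst, user); failures are dropped.
    """
    return [(e.ts, e.src, e.dst, e.user) for e in events if e.ok]


def find_lateral_chains(edges, baseline_until: int, window: int):
    """Return chains of novel edges that look like lateral movement.

    An edge is novel if its (src, dst) pair never appeared up to baseline_until.
    Consecutive novel edges by the same user are chained when the next hop
    starts on the host the previous hop reached, within `window` seconds.
    Only chains of at least two hops are returned.
    """
    baseline = {(s, d) for ts, s, d, _u in edges if ts <= baseline_until}
    novel = [(ts, s, d, u) for ts, s, d, u in edges
             if ts > baseline_until and (s, d) not in baseline]

    chains: list[list[tuple[int, str, str, str]]] = []
    for ts, s, d, u in novel:  # edges are already time-ordered
        for chain in chains:
            last_ts, _last_s, last_d, last_u = chain[-1]
            if last_u == u and last_d == s and 0 <= ts - last_ts <= window:
                chain.append((ts, s, d, u))
                break
        else:
            chains.append([(ts, s, d, u)])
    return [c for c in chains if len(c) >= 2]


def chain_path(chain) -> list[str]:
    """Hosts visited along a chain, in order: src of first hop, then each dst."""
    return [chain[0][1]] + [d for _ts, _s, d, _u in chain]


if __name__ == "__main__":
    graph = build_temporal_graph(parse_log(SAMPLE_LOG))
    for chain in find_lateral_chains(graph, baseline_until=2000, window=120):
        print(chain[0][3], "->".join(chain_path(chain)))
```

Run on the sample, the baseline contains only the routine ws01->file01 and ws02->mail01 logons, so alice's later ws01->ws07->db01->dc01 hops are novel, chain within the window, and are reported as one path, while bob's repeated mail logon is not. The inductive property the abstract refers to is visible in miniature: ws07 and db01 never appear in the baseline, yet the path through them is still scored because the logic reasons over edge structure and timing rather than over a fixed set of known hosts.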
Date
7-16-2025
Recommended Citation
Khoury, Joseph, "INTERNET-WIDE THREAT INTELLIGENCE AND ENTERPRISE LATERAL MOVEMENT DETECTION" (2025). LSU Doctoral Dissertations. 6882.
https://repository.lsu.edu/gradschool_dissertations/6882
Committee Chair
Elias Bou-Harb
DOI
10.31390/gradschool_dissertations.6882