Degree

Doctor of Philosophy (PhD)

Department

The Division of Computer Science and Engineering

Document Type

Dissertation

Abstract

The escalating volume and velocity of data are outpacing conventional, CPU-centric security paradigms, which creates architectural bottlenecks that inhibit real-time threat analysis and forensic investigation. This vulnerability is aggressively exploited by botnets and ransomware, which have emerged as the preeminent malware threats endangering modern digital infrastructure. This dissertation confronts these challenges by devising and evaluating a suite of cyber defenses that embed machine learning (ML) and statistical analytics directly into programmable hardware. By distributing these functions across two primary vantage points, namely the network and the end-host, this research establishes a new paradigm for efficient, scalable, and high-speed security and forensics. This work begins by leveraging the network vantage point of P4-programmable switches to tackle threats and related forensic analysis at line rate. We present novel frameworks that embed classifiers into the data plane to identify botnet propagation and ransomware activity from a minimal number of packets, even when the traffic is encrypted. These in-network techniques are complemented by a lightweight statistical engine for mitigating the large-scale Distributed Denial-of-Service (DDoS) attacks commonly launched by botnets. Additionally, a switch-based fingerprinting mechanism is introduced for the forensic attribution of Internet of Things (IoT) devices, which are often co-opted into botnets. From the end-host vantage point, this dissertation introduces accelerated, host-level defenses to expedite security and forensic workloads and to preserve CPU resources. We demonstrate how a Smart Network Interface Card (SmartNIC) can mitigate DNS cache poisoning, which adversaries can harness to deliver botnet and ransomware payloads. Furthermore, this research pioneers the use of Computational Storage Drives (CSDs) for near-data processing. In particular, we offload a deep learning classifier to the drive's integrated FPGA to analyze API call sequences, which enables the system to halt ransomware encryption at its inception and accelerate incident response. Collectively, these independent contributions establish a validated portfolio of hardware-accelerated cyber defenses and forensic analytics. The evaluations confirm that these systems deliver significant performance gains and resource efficiency, thereby offering a practical path for enhancing both security postures and forensic capabilities in modern, high-velocity data environments.

Date

7-16-2025

Committee Chair

Elias Bou-Harb

DOI

10.31390/gradschool_dissertations.6883

Available for download on Wednesday, July 14, 2032