CAREER: Robust, Platform-Agnostic Defense Against VPN Misconfiguration Abuse in Malware Campaigns

Malware threats have become increasingly sophisticated, often using techniques that often enable evasion, and are quite often persistent. The growing use of Virtual Private Networks (VPNs) and the encrypted VPN traffic allow attackers to potentially bypass current network defense techniques. The project’s novelties include the creation of new approaches to detect and mitigate protocol misconfiguration which could be exploited as an attack surface and to prevent threat actors from exploiting VPN weaknesses through malicious scripts, authentication bypass, covert access, and related techniques. The project's broader significance lies in helping cultivating VPN security expertise at both undergraduate and graduate levels through hands-on modules, and empowering VPN providers and IT organizations to adopt secure VPN practices. The project takes a comprehensive, cross-layered approach to securing VPN ecosystems through three tightly integrated thrusts: Thrust I introduces the first platform- and version-aware knowledge graph for OpenVPN, enabling interpretable reasoning over directive semantics, dependencies, and mis-configurations. Thrust II advances the field by developing a sandboxed VPN ecosystem to estimate the impact of VPN mis-configurations across stakeholders and to map observed behaviors to the CIA triad and MITRE ATT&CK tactics for structured risk assessment. Thrust III builds a hybrid detection system that combines directive signatures with host behavior, enabling early and interpretable detection of malicious VPNs. This facilitates platform-agnostic, timely, and robust malware defense. Altogether, these thrusts provide a novel, explainable, and scalable foundation to identify, understand and mitigate VPN-based threats across diverse platforms. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria. NSF Award ID: 2541237 | Program: 01003031DB NSF RESEARCH & RELATED ACTIVIT,01002930DB NSF RESEARCH & RELATED ACTIVIT,01002627DB NSF RESEARCH & RELATED ACTIVIT | Principal Investigator: Afsah Anwar | Institution: University of New Mexico, ALBUQUERQUE, NM | Award Amount: $322,884 View on NSF Award Search: https://www.nsf.gov/awardsearch/show-award/?AWD_ID=2541237 View on Research.gov: https://www.research.gov/awardapi-service/v1/awards/2541237.html