Research Philosophy

The MiRAGe-UC research group is dedicated to safeguarding the digital and physical integrity of our nation by investigating the full life-cycle of cybersecurity attacks targeting critical infrastructure and high-value national security assets. Our philosophy is rooted in the belief that purely defensive postures are insufficient in an era of sophisticated state-sponsored and transnational threats. By rigorously analyzing adversary behaviors and infrastructure, our team strives to solve the complex challenge of cyber attribution. We aim to establish the technical foundations necessary to transition cyber deterrence and digital diplomacy from theoretical concepts into actionable, evidence-based frameworks that protect essential services and sovereign interests.

The Cyber Attack Life-Cycle

Our research methodology is structured across three critical phases of an engagement, ensuring a holistic understanding of how threats materialize and persist:

  • Pre-Attack Phase: We focus on proactive intelligence and infrastructure mapping. This includes the technical deconstruction of Botnet Command and Control (C2) architectures, the harvesting of Darkweb OSINT (Open Source Intelligence), and the analysis of adversary reconnaissance patterns. By identifying these “left-of-bang” indicators, we aim to disrupt threats before they reach their targets.
  • Attack Phase: During active engagements, we study the mechanics of malware propagation and the resulting cascade failures within interconnected systems. A unique pillar of our work involves evaluating cybersecurity team performance and optimizing the strategic response to rapidly propagating attacks. We seek to understand the intersection of human decision-making and technical resilience under the pressure of a live breach.
  • Post-Attack Phase: Following an incident, our work shifts toward accountability and recovery. This involves advanced attribution through the deanonymization of C2 infrastructures and the rigorous tracking of leaked information. By deanonymizing the traffic that carried leaked data, we provide the forensic evidence required to identify threat actors and mitigate the long-term impact of data exfiltration.

A recurring theoretical hurdle in our research involves the topology identification problem—specifically, the challenge of mapping emerging or hidden networks with limited, noisy, or censored data. Because adversarial infrastructures like botnets and anonymity networks are designed to be opaque, determining their exact structure requires more than simple observation. We approach this by leveraging the mathematical rigor of Network Science to model node connectivity, Complex Systems to understand non-linear behaviors and phase transitions, and Systems Science to evaluate the holistic resilience of the infrastructure. By framing these cyber threats as dynamic, evolving architectures, we can develop algorithms capable of inferring the underlying “blueprint” of a network even when its components are actively trying to remain concealed.

The urgency of addressing these structural uncertainties cannot be overstated, as they reside at the center of modern offensive cyberwarfare and state-sponsored operations. These challenges are particularly critical and timely when applied to Operational Relay Box (ORB) networks, where adversaries leverage a decentralized mesh of compromised consumer and enterprise devices to mask their origins. By mastering the ability to deconstruct these obfuscated infrastructures in real time, our research provides the clarity needed to counter advanced persistent threats that exploit network complexity to evade traditional detection and bypass national security defenses.