
SODA: A System for Cyber Deception Orchestration and Automation

Published: 06 December 2021

Abstract

Active Cyber Deception (ACD) has emerged as an effective proactive cyber defense technique that can mislead adversaries by presenting falsified data and create opportunities for engaging with them to learn novel attack techniques. Adversaries often implement their attack techniques within malware and use it as the medium to steal valuable information. Comprehensive malware analysis is required to understand malware behaviors at the technical and tactical levels in order to create the honey resources and appropriate ploys that can leverage this behavior and mislead both malware and APT adversaries. This paper presents SODA, a cyber deception orchestration system that analyzes real-world malware, discovers attack techniques, creates Deception Playbooks (sets of deception actions), and finally orchestrates the environment to deceive the malware. SODA extracts Malicious Sub-graphs (MSGs) consisting of WinAPIs from real-world malware and maps them to MITRE ATT&CK techniques. This MSG-to-MITRE mapping describes how ATT&CK techniques are implemented in malware and, as a result, guides the construction of appropriate deception actions. We conducted comprehensive evaluations of SODA with 255 recent malware samples to demonstrate end-to-end deception effectiveness. We observed an average accuracy of 95% in deceiving the malware, with negligible overhead, for the specified deception goals and strategies. Furthermore, our approach successfully extracted MSGs with 97% recall, and our MSG-to-MITRE mapping achieved a top-1 accuracy of 88.75%. More importantly, SODA can serve as a general-purpose malware deception factory that automatically produces customized deception playbooks against arbitrary malware.


Published In

ACSAC '21: Proceedings of the 37th Annual Computer Security Applications Conference
December 2021
1077 pages
ISBN: 9781450385794
DOI: 10.1145/3485832

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. Active Cyber Deception
2. Active Cyber Defense
3. Malware Analysis
4. Text Mining
5. Threat Intelligence and NLP

Qualifiers

• Research-article
• Research
• Refereed limited

Conference

ACSAC '21

Acceptance Rates

Overall Acceptance Rate: 104 of 497 submissions, 21%
