symbSODA: Configurable and Verifiable Orchestration Automation for Active Malware Deception

Published: 13 November 2023

Abstract

Malware is commonly used by adversaries to compromise and infiltrate cyber systems in order to steal sensitive information or destroy critical assets. Active Cyber Deception (ACD) has emerged as an effective proactive cyber defense against malware: it misleads adversaries by presenting fake data and engages them so that novel attack techniques can be learned. However, real-time malware deception is a complex and challenging task because (1) it requires a comprehensive understanding of malware behavior at the technical and tactical levels in order to create the appropriate deception ploys and resources that can leverage this behavior and mislead the malware, and (2) it requires configurable yet provably valid deception planning to guarantee effective and safe real-time deception orchestration.
This article presents symbSODA, a highly configurable and verifiable cyber deception system that analyzes real-world malware using multipath execution to discover API patterns representing attack techniques and tactics critical for deception, enables users to create their own customized deception ploys based on the malware type and objectives, allows conflict-free Deception Playbooks to be constructed, and finally automates the deception orchestration to execute the malware inside a deceptive environment. symbSODA extracts Malicious Sub-graphs (MSGs) consisting of WinAPIs from real-world malware and maps them to tactics and techniques using the ATT&CK framework to facilitate the construction of meaningful user-defined deception playbooks.
We conducted a comprehensive evaluation of symbSODA using 255 recent malware samples. We demonstrated that the accuracy of end-to-end malware deception is 95% on average, with negligible overhead, across various deception goals and strategies. Furthermore, our approach successfully extracted MSGs with 97% recall, and our MSG-to-MITRE mapping achieved a top-1 accuracy of 88.75%. Our study suggests that symbSODA can serve as a general-purpose Malware Deception Factory that automatically produces customized deception playbooks against arbitrary malware behavior.


Cited By

• (2024) Deep learning-powered malware detection in cyberspace: a contemporary review. Frontiers in Physics, Volume 12, DOI: 10.3389/fphy.2024.1349463. Online publication date: 28 March 2024.

Published In

ACM Transactions on Privacy and Security, Volume 26, Issue 4, November 2023, 260 pages
ISSN: 2471-2566
EISSN: 2471-2574
DOI: 10.1145/3614236
Editor: Ninghui Li

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 13 November 2023
Online AM: 20 September 2023
Accepted: 14 August 2023
Revised: 31 May 2023
Received: 13 October 2022
Published in TOPS Volume 26, Issue 4


Author Tags

• Cyber deception
• malware
• verification
• security orchestration
• threat intelligence

Qualifiers

• Research-article

Funding Sources

• Office of Naval Research
• Army Research Office
• National Science Foundation
