gExtractor: Towards Automated Extraction of Malware Deception Parameters

The lack of agility in cyber defense gives adversaries a significant advantage for discovering cyber targets and planning their attacks in stealthy and undetectable manner. While there has been significant research on detecting or predicting attacks, adversaries can always scan the network, learn about countermeasures, and develop new evasion techniques. Active Cyber Deception (ACD) has emerged as effective means to reverse this asymmetry in cyber warfare by dynamically orchestrating the cyber deception environment to mislead attackers and corrupting their decision-making process. However, developing an efficient active deception environment usually requires human intelligence and analysis to characterize the attackers' behaviors (e.g., malware actions). This manual process significantly limits the capability of cyber deception to actively respond to new attacks (malware) in a timely manner.

In this paper, we present a new analytic framework and an implemented prototype, called gExtractor, to analyze the malware behavior and automatically extract the deception parameters using symbolic execution in order to enable the automated creation of cyber deception schemes. The deception parameters are environmental variables on which attackers depend to discover the target system and reach their goals; Yet, they can be reconfigured and/or misrepresented by the defender in the cyber environment. Our gExtractor approach contributes to the scientific and system foundations of reasoning about autonomous cyber deception. Our prototype was developed based on customizing a symbolic execution engine for analyzing Microsoft Windows malware. Our case studies of recent malware instances show that gExtractor can be used to identify various critical parameters effective for cyber deception.